Invitation Pending changes

client/app/assets/less/redash/redash-newstyle.less

@@ -706,6 +706,11 @@ page-header, .page-header--new {
   height: 20px;
 }
 
+.user_list__user--invitation-pending {
+    color: fade(@alert-danger-bg, 75%);
+    font-weight: 500;
+}
+
 .btn__new {
   margin-left: 15px;
 }

client/app/pages/users/list.html

@@ -59,6 +59,9 @@
               <img ng-src="{{ user.profile_image_url }}" height="32px" class="profile__image--settings" />
               <a href="users/{{ user.id }}" ng-class="{'text-muted': user.is_disabled}">{{ user.name }}</a>
               <span class="text-muted"> ({{user.email}})</span>
+              <span class="user_list__user--invitation-pending" ng-if="user.is_invitation_pending">
+                  (Invitation Pending)
+              </span>
             </td>
             <td>
               <a ng-repeat="group in user.groups" class="label label-tag" href="groups/{{group.id}}">{{group.name}}</a>
@@ -72,7 +75,8 @@
             <td>
               <div ng-if="$ctrl.currentUser.hasPermission('admin') && (user.id != $ctrl.currentUser.id)">
                 <button type="button" class="btn btn-primary" ng-if="user.is_disabled" ng-click="$ctrl.enableUser(user)">Enable</button>
-                <button type="button" class="btn btn-default" ng-if="!user.is_disabled" ng-click="$ctrl.disableUser(user)">Disable</button>
+                <button type="button" class="btn btn-default" ng-if="!(user.is_invitation_pending || user.is_disabled)" ng-click="$ctrl.disableUser(user)">Disable</button>
+                <button type="button" class="btn btn-default" ng-if="user.is_invitation_pending" ng-click="$ctrl.deleteUser(user)">Delete</button>
               </div>
             </td>
           </tr>

client/app/pages/users/list.js

@@ -9,6 +9,7 @@ class UsersListCtrl extends ListCtrl {
     this.policy = Policy;
     this.enableUser = user => User.enableUser(user).then(this.update);
     this.disableUser = user => User.disableUser(user).then(this.update);
+    this.deleteUser = user => User.deleteUser(user).then(this.update);
   }
 
   getRequest(requestedPage, itemsPerPage, orderByField) {

client/app/pages/users/show.html

@@ -79,9 +79,10 @@ <h3 class="profile__h3">{{user.name}}</h3>
           <div ng-if="currentUser.isAdmin">
             <br>
             <div class="form-group">
-              <button class="btn btn-default" ng-click="sendPasswordReset()" ng-disabled="disablePasswordResetButton">Send
+              <button class="btn btn-default" ng-if="!user.is_invitation_pending" ng-click="sendPasswordReset()" ng-disabled="disablePasswordResetButton">Send
                 Password Reset Email
               </button>
+              <button class="btn btn-default" ng-if="user.is_invitation_pending" ng-click="resendInvitation()" ng-disabled="disablePasswordResetButton">Resend Invitation</button>
             </div>
 
             <div ng-if="passwordResetLink" class="alert alert-success">

client/app/pages/users/show.js

@@ -108,6 +108,16 @@ function UserCtrl(
     });
   };
 
+  $scope.resendInvitation = () => {
+    $http.post(`api/users/${$scope.user.id}/invite`).success((data) => {
+      const inviteLink = absoluteUrl(data.invite_link);
+      toastr.success(`You can use the following link to invite them yourself: <textarea class="form-control m-t-10" rows="3" readonly>${inviteLink}</textarea>`, 'Invitation sent.', {
+        allowHtml: true,
+        timeOut: 10000,
+      });
+    });
+  };
+
   $scope.enableUser = (user) => {
     User.enableUser(user);
   };

client/app/services/user.js

@@ -45,6 +45,24 @@ function disableUser(user, toastr, $sanitize) {
     });
 }
 
+function deleteUser(user, toastr, $sanitize) {
+  const userName = $sanitize(user.name);
+  return $http
+    .delete(`api/users/${user.id}`)
+    .then((data) => {
+      toastr.warning(`User <b>${userName}</b> has been deleted.`, { allowHtml: true });
+      return data;
+    })
+    .catch((response) => {
+      const message =
+        response.data && response.data.message
+          ? response.data.message
+          : `Cannot delete user <b>${userName}</b><br>${response.statusText}`;
+
+      toastr.error(message, { allowHtml: true });
+    });
+}
+
 function User($resource, $sanitize, toastr) {
   const actions = {
     get: { method: 'GET' },
@@ -59,6 +77,7 @@ function User($resource, $sanitize, toastr) {
 
   UserResource.enableUser = user => enableUser(user, toastr, $sanitize);
   UserResource.disableUser = user => disableUser(user, toastr, $sanitize);
+  UserResource.deleteUser = user => deleteUser(user, toastr, $sanitize);
 
   return UserResource;
 }

redash/authentication/__init__.py

@@ -156,7 +156,7 @@ def get_api_key_from_request(request):
 
 def api_key_load_user_from_request(request):
     api_key = get_api_key_from_request(request)
-    if request.view_args is not None: 
+    if request.view_args is not None:
         query_id = request.view_args.get('query_id', None)
         user = get_user_from_api_key(api_key, query_id)
     else:
@@ -259,14 +259,17 @@ def create_and_login_user(org, name, email, picture=None):
         user_object = models.User.get_by_email_and_org(email, org)
         if user_object.is_disabled:
             return None
+        if user_object.is_invitation_pending:
+            user_object.is_invitation_pending = False
+            models.db.session.commit()
         if user_object.name != name:
             logger.debug("Updating user name (%r -> %r)", user_object.name, name)
             user_object.name = name
             models.db.session.commit()
     except NoResultFound:
         logger.debug("Creating user object (%r)", name)
-        user_object = models.User(org=org, name=name, email=email, _profile_image_url=picture,
-                                  group_ids=[org.default_group.id])
+        user_object = models.User(org=org, name=name, email=email, is_invitation_pending=False,
+                                  _profile_image_url=picture, group_ids=[org.default_group.id])
         models.db.session.add(user_object)
         models.db.session.commit()
 

redash/handlers/authentication.py

@@ -36,6 +36,12 @@ def render_token_login_page(template, org_slug, token):
         logger.exception("Failed to verify invite token: %s, org=%s", token, org_slug)
         return render_template("error.html",
                                error_message="Your invite link has expired. Please ask for a new one."), 400
+
+    if not user.is_invitation_pending:
+        return render_template("error.html",
+                               error_message=("This invitation has already been accepted. "
+                                              "Please try resetting your password instead.")), 400
+
     status_code = 200
     if request.method == 'POST':
         if 'password' not in request.form:
@@ -48,7 +54,7 @@ def render_token_login_page(template, org_slug, token):
             flash('Password length is too short (<6).')
             status_code = 400
         else:
-            # TODO: set active flag
+            user.is_invitation_pending = False
             user.hash_password(request.form['password'])
             models.db.session.add(user)
             login_user(user)

redash/handlers/setup.py

@@ -27,7 +27,11 @@ def create_org(org_name, user_name, email, password):
     db.session.add_all([default_org, admin_group, default_group])
     db.session.commit()
 
-    user = User(org=default_org, name=user_name, email=email, group_ids=[admin_group.id, default_group.id])
+    user = User(org=default_org,
+                name=user_name,
+                email=email,
+                is_invitation_pending=False,
+                group_ids=[admin_group.id, default_group.id])
     user.hash_password(password)
 
     db.session.add(user)

redash/handlers/users.py

@@ -219,6 +219,22 @@ def post(self, user_id):
 
         return user.to_dict(with_api_key=is_admin_or_owner(user_id))
 
+    @require_admin
+    def delete(self, user_id):
+        user = models.User.get_by_id_and_org(user_id, self.current_org)
+        # admin cannot delete self; current user is an admin (`@require_admin`)
+        # so just check user id
+        if user.id == current_user.id:
+            abort(403, message="You cannot delete your own account. "
+                               "Please ask another admin to do this for you.")
+        elif not user.is_invitation_pending:
+            abort(403, message="You cannot delete activated users. "
+                               "Please disable the user instead.")
+        models.db.session.delete(user)
+        models.db.session.commit()
+
+        return user.to_dict(with_api_key=is_admin_or_owner(user_id))
+
 
 class UserDisableResource(BaseResource):
     @require_admin

redash/models/users.py

@@ -161,6 +161,7 @@ class User(TimestampMixin, db.Model, BelongsToOrgMixin, UserMixin, PermissionsCh
                      server_default='{}', default={})
     active_at = json_cast_property(db.DateTime(True), 'details', 'active_at',
                                    default=None)
+    is_invitation_pending = json_cast_property(db.Boolean(True), 'details', 'is_invitation_pending', default=True)
 
     __tablename__ = 'users'
     __table_args__ = (
@@ -203,6 +204,7 @@ def to_dict(self, with_api_key=False):
             'disabled_at': self.disabled_at,
             'is_disabled': self.is_disabled,
             'active_at': self.active_at,
+            'is_invitation_pending': self.is_invitation_pending,
         }
 
         if self.password_hash is None:
@@ -445,4 +447,4 @@ def permissions(self):
         return ['view_query']
 
     def has_access(self, obj, access_type):
-        return False
+        return False

tests/handlers/test_authentication.py

@@ -28,7 +28,10 @@ def test_valid_token(self):
         self.assertEqual(response.status_code, 200)
 
     def test_already_active_user(self):
-        pass
+        token = invite_token(self.factory.user)
+        self.post_request('/invite/{}'.format(token), data={'password': 'test1234'}, org=self.factory.org)
+        response = self.get_request('/invite/{}'.format(token), org=self.factory.org)
+        self.assertEqual(response.status_code, 400)
 
 
 class TestInvitePost(BaseTestCase):
@@ -47,7 +50,10 @@ def test_bad_token(self):
         self.assertEqual(response.status_code, 400)
 
     def test_already_active_user(self):
-        pass
+        token = invite_token(self.factory.user)
+        self.post_request('/invite/{}'.format(token), data={'password': 'test1234'}, org=self.factory.org)
+        response = self.post_request('/invite/{}'.format(token), data={'password': 'test1234'}, org=self.factory.org)
+        self.assertEqual(response.status_code, 400)
 
     def test_valid_password(self):
         token = invite_token(self.factory.user)
@@ -56,6 +62,7 @@ def test_valid_password(self):
         self.assertEqual(response.status_code, 302)
         user = User.query.get(self.factory.user.id)
         self.assertTrue(user.verify_password(password))
+        self.assertFalse(user.is_invitation_pending)
 
 
 class TestLogin(BaseTestCase):

tests/handlers/test_users.py

@@ -2,7 +2,6 @@
 from tests import BaseTestCase
 from mock import patch
 
-
 class TestUserListResourcePost(BaseTestCase):
     def test_returns_403_for_non_admin(self):
         rv = self.make_request('post', "/api/users")
@@ -193,6 +192,15 @@ def test_changing_email_does_not_end_current_session(self):
         # make sure the session's `user_id` has changed to reflect the new identity, thus not logging the user out
         self.assertNotEquals(previous, current)
 
+    def test_admin_can_delete_user(self):
+        admin_user = self.factory.create_admin()
+        other_user = self.factory.create_user()
+
+        rv = self.make_request('delete', "/api/users/{}".format(other_user.id), user=admin_user)
+
+        self.assertEqual(rv.status_code, 200)
+        self.assertEqual(models.User.query.get(other_user.id), None)
+
 
 class TestUserDisable(BaseTestCase):
     def test_non_admin_cannot_disable_user(self):