Home Explore Help
Register Sign In
Apq
/
sftpgo
mirror of https://github.com/drakkan/sftpgo.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: a6fe802370
Branches Tags
sftpgo
/
httpd
/
webadmin.go

webadmin.go 61 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964 
  1. package httpd
    2. 

  2. 

  3. import (
    4. 

  4. 	"errors"
    5. 

  5. 	"fmt"
    6. 

  6. 	"html/template"
    7. 

  7. 	"io"
    8. 

  8. 	"net/http"
    9. 

  9. 	"net/url"
    10. 

  10. 	"path/filepath"
    11. 

  11. 	"strconv"
    12. 

  12. 	"strings"
    13. 

  13. 	"time"
    14. 

  14. 

  15. 	"github.com/go-chi/render"
    16. 

  16. 

  17. 	"github.com/drakkan/sftpgo/v2/common"
    18. 

  18. 	"github.com/drakkan/sftpgo/v2/dataprovider"
    19. 

  19. 	"github.com/drakkan/sftpgo/v2/mfa"
    20. 

  20. 	"github.com/drakkan/sftpgo/v2/sdk"
    21. 

  21. 	"github.com/drakkan/sftpgo/v2/sdk/kms"
    22. 

  22. 	"github.com/drakkan/sftpgo/v2/smtp"
    23. 

  23. 	"github.com/drakkan/sftpgo/v2/util"
    24. 

  24. 	"github.com/drakkan/sftpgo/v2/version"
    25. 

  25. 	"github.com/drakkan/sftpgo/v2/vfs"
    26. 

  26. )
    27. 

  27. 

  28. type userPageMode int
    29. 

  29. 

  30. const (
    31. 

  31. 	userPageModeAdd userPageMode = iota + 1
    32. 

  32. 	userPageModeUpdate
    33. 

  33. 	userPageModeTemplate
    34. 

  34. )
    35. 

  35. 

  36. type folderPageMode int
    37. 

  37. 

  38. const (
    39. 

  39. 	folderPageModeAdd folderPageMode = iota + 1
    40. 

  40. 	folderPageModeUpdate
    41. 

  41. 	folderPageModeTemplate
    42. 

  42. )
    43. 

  43. 

  44. const (
    45. 

  45. 	templateAdminDir     = "webadmin"
    46. 

  46. 	templateBase         = "base.html"
    47. 

  47. 	templateBaseLogin    = "baselogin.html"
    48. 

  48. 	templateFsConfig     = "fsconfig.html"
    49. 

  49. 	templateUsers        = "users.html"
    50. 

  50. 	templateUser         = "user.html"
    51. 

  51. 	templateAdmins       = "admins.html"
    52. 

  52. 	templateAdmin        = "admin.html"
    53. 

  53. 	templateConnections  = "connections.html"
    54. 

  54. 	templateFolders      = "folders.html"
    55. 

  55. 	templateFolder       = "folder.html"
    56. 

  56. 	templateMessage      = "message.html"
    57. 

  57. 	templateStatus       = "status.html"
    58. 

  58. 	templateLogin        = "login.html"
    59. 

  59. 	templateDefender     = "defender.html"
    60. 

  60. 	templateProfile      = "profile.html"
    61. 

  61. 	templateChangePwd    = "changepassword.html"
    62. 

  62. 	templateMaintenance  = "maintenance.html"
    63. 

  63. 	templateMFA          = "mfa.html"
    64. 

  64. 	templateSetup        = "adminsetup.html"
    65. 

  65. 	pageUsersTitle       = "Users"
    66. 

  66. 	pageAdminsTitle      = "Admins"
    67. 

  67. 	pageConnectionsTitle = "Connections"
    68. 

  68. 	pageStatusTitle      = "Status"
    69. 

  69. 	pageFoldersTitle     = "Folders"
    70. 

  70. 	pageProfileTitle     = "My profile"
    71. 

  71. 	pageChangePwdTitle   = "Change password"
    72. 

  72. 	pageMaintenanceTitle = "Maintenance"
    73. 

  73. 	pageDefenderTitle    = "Defender"
    74. 

  74. 	pageForgotPwdTitle   = "SFTPGo Admin - Forgot password"
    75. 

  75. 	pageResetPwdTitle    = "SFTPGo Admin - Reset password"
    76. 

  76. 	pageSetupTitle       = "Create first admin user"
    77. 

  77. 	defaultQueryLimit    = 500
    78. 

  78. )
    79. 

  79. 

  80. var (
    81. 

  81. 	adminTemplates = make(map[string]*template.Template)
    82. 

  82. )
    83. 

  83. 

  84. type basePage struct {
    85. 

  85. 	Title              string
    86. 

  86. 	CurrentURL         string
    87. 

  87. 	UsersURL           string
    88. 

  88. 	UserURL            string
    89. 

  89. 	UserTemplateURL    string
    90. 

  90. 	AdminsURL          string
    91. 

  91. 	AdminURL           string
    92. 

  92. 	QuotaScanURL       string
    93. 

  93. 	ConnectionsURL     string
    94. 

  94. 	FoldersURL         string
    95. 

  95. 	FolderURL          string
    96. 

  96. 	FolderTemplateURL  string
    97. 

  97. 	DefenderURL        string
    98. 

  98. 	LogoutURL          string
    99. 

  99. 	ProfileURL         string
    100. 

  100. 	ChangePwdURL       string
    101. 

  101. 	MFAURL             string
    102. 

  102. 	FolderQuotaScanURL string
    103. 

  103. 	StatusURL          string
    104. 

  104. 	MaintenanceURL     string
    105. 

  105. 	StaticURL          string
    106. 

  106. 	UsersTitle         string
    107. 

  107. 	AdminsTitle        string
    108. 

  108. 	ConnectionsTitle   string
    109. 

  109. 	FoldersTitle       string
    110. 

  110. 	StatusTitle        string
    111. 

  111. 	MaintenanceTitle   string
    112. 

  112. 	DefenderTitle      string
    113. 

  113. 	Version            string
    114. 

  114. 	CSRFToken          string
    115. 

  115. 	HasDefender        bool
    116. 

  116. 	LoggedAdmin        *dataprovider.Admin
    117. 

  117. }
    118. 

  118. 

  119. type usersPage struct {
    120. 

  120. 	basePage
    121. 

  121. 	Users []dataprovider.User
    122. 

  122. }
    123. 

  123. 

  124. type adminsPage struct {
    125. 

  125. 	basePage
    126. 

  126. 	Admins []dataprovider.Admin
    127. 

  127. }
    128. 

  128. 

  129. type foldersPage struct {
    130. 

  130. 	basePage
    131. 

  131. 	Folders []vfs.BaseVirtualFolder
    132. 

  132. }
    133. 

  133. 

  134. type connectionsPage struct {
    135. 

  135. 	basePage
    136. 

  136. 	Connections []*common.ConnectionStatus
    137. 

  137. }
    138. 

  138. 

  139. type statusPage struct {
    140. 

  140. 	basePage
    141. 

  141. 	Status ServicesStatus
    142. 

  142. }
    143. 

  143. 

  144. type userPage struct {
    145. 

  145. 	basePage
    146. 

  146. 	User              *dataprovider.User
    147. 

  147. 	RootPerms         []string
    148. 

  148. 	Error             string
    149. 

  149. 	ValidPerms        []string
    150. 

  150. 	ValidLoginMethods []string
    151. 

  151. 	ValidProtocols    []string
    152. 

  152. 	WebClientOptions  []string
    153. 

  153. 	RootDirPerms      []string
    154. 

  154. 	RedactedSecret    string
    155. 

  155. 	Mode              userPageMode
    156. 

  156. 	VirtualFolders    []vfs.BaseVirtualFolder
    157. 

  157. }
    158. 

  158. 

  159. type adminPage struct {
    160. 

  160. 	basePage
    161. 

  161. 	Admin *dataprovider.Admin
    162. 

  162. 	Error string
    163. 

  163. 	IsAdd bool
    164. 

  164. }
    165. 

  165. 

  166. type profilePage struct {
    167. 

  167. 	basePage
    168. 

  168. 	Error           string
    169. 

  169. 	AllowAPIKeyAuth bool
    170. 

  170. 	Email           string
    171. 

  171. 	Description     string
    172. 

  172. }
    173. 

  173. 

  174. type changePasswordPage struct {
    175. 

  175. 	basePage
    176. 

  176. 	Error string
    177. 

  177. }
    178. 

  178. 

  179. type mfaPage struct {
    180. 

  180. 	basePage
    181. 

  181. 	TOTPConfigs     []string
    182. 

  182. 	TOTPConfig      dataprovider.TOTPConfig
    183. 

  183. 	GenerateTOTPURL string
    184. 

  184. 	ValidateTOTPURL string
    185. 

  185. 	SaveTOTPURL     string
    186. 

  186. 	RecCodesURL     string
    187. 

  187. }
    188. 

  188. 

  189. type maintenancePage struct {
    190. 

  190. 	basePage
    191. 

  191. 	BackupPath  string
    192. 

  192. 	RestorePath string
    193. 

  193. 	Error       string
    194. 

  194. }
    195. 

  195. 

  196. type defenderHostsPage struct {
    197. 

  197. 	basePage
    198. 

  198. 	DefenderHostsURL string
    199. 

  199. }
    200. 

  200. 

  201. type setupPage struct {
    202. 

  202. 	basePage
    203. 

  203. 	Username string
    204. 

  204. 	Error    string
    205. 

  205. }
    206. 

  206. 

  207. type folderPage struct {
    208. 

  208. 	basePage
    209. 

  209. 	Folder vfs.BaseVirtualFolder
    210. 

  210. 	Error  string
    211. 

  211. 	Mode   folderPageMode
    212. 

  212. }
    213. 

  213. 

  214. type messagePage struct {
    215. 

  215. 	basePage
    216. 

  216. 	Error   string
    217. 

  217. 	Success string
    218. 

  218. }
    219. 

  219. 

  220. type userTemplateFields struct {
    221. 

  221. 	Username  string
    222. 

  222. 	Password  string
    223. 

  223. 	PublicKey string
    224. 

  224. }
    225. 

  225. 

  226. func loadAdminTemplates(templatesPath string) {
    227. 

  227. 	usersPaths := []string{
    228. 

  228. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    229. 

  229. 		filepath.Join(templatesPath, templateAdminDir, templateUsers),
    230. 

  230. 	}
    231. 

  231. 	userPaths := []string{
    232. 

  232. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    233. 

  233. 		filepath.Join(templatesPath, templateAdminDir, templateFsConfig),
    234. 

  234. 		filepath.Join(templatesPath, templateAdminDir, templateUser),
    235. 

  235. 	}
    236. 

  236. 	adminsPaths := []string{
    237. 

  237. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    238. 

  238. 		filepath.Join(templatesPath, templateAdminDir, templateAdmins),
    239. 

  239. 	}
    240. 

  240. 	adminPaths := []string{
    241. 

  241. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    242. 

  242. 		filepath.Join(templatesPath, templateAdminDir, templateAdmin),
    243. 

  243. 	}
    244. 

  244. 	profilePaths := []string{
    245. 

  245. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    246. 

  246. 		filepath.Join(templatesPath, templateAdminDir, templateProfile),
    247. 

  247. 	}
    248. 

  248. 	changePwdPaths := []string{
    249. 

  249. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    250. 

  250. 		filepath.Join(templatesPath, templateAdminDir, templateChangePwd),
    251. 

  251. 	}
    252. 

  252. 	connectionsPaths := []string{
    253. 

  253. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    254. 

  254. 		filepath.Join(templatesPath, templateAdminDir, templateConnections),
    255. 

  255. 	}
    256. 

  256. 	messagePaths := []string{
    257. 

  257. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    258. 

  258. 		filepath.Join(templatesPath, templateAdminDir, templateMessage),
    259. 

  259. 	}
    260. 

  260. 	foldersPaths := []string{
    261. 

  261. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    262. 

  262. 		filepath.Join(templatesPath, templateAdminDir, templateFolders),
    263. 

  263. 	}
    264. 

  264. 	folderPaths := []string{
    265. 

  265. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    266. 

  266. 		filepath.Join(templatesPath, templateAdminDir, templateFsConfig),
    267. 

  267. 		filepath.Join(templatesPath, templateAdminDir, templateFolder),
    268. 

  268. 	}
    269. 

  269. 	statusPaths := []string{
    270. 

  270. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    271. 

  271. 		filepath.Join(templatesPath, templateAdminDir, templateStatus),
    272. 

  272. 	}
    273. 

  273. 	loginPaths := []string{
    274. 

  274. 		filepath.Join(templatesPath, templateAdminDir, templateBaseLogin),
    275. 

  275. 		filepath.Join(templatesPath, templateAdminDir, templateLogin),
    276. 

  276. 	}
    277. 

  277. 	maintenancePaths := []string{
    278. 

  278. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    279. 

  279. 		filepath.Join(templatesPath, templateAdminDir, templateMaintenance),
    280. 

  280. 	}
    281. 

  281. 	defenderPaths := []string{
    282. 

  282. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    283. 

  283. 		filepath.Join(templatesPath, templateAdminDir, templateDefender),
    284. 

  284. 	}
    285. 

  285. 	mfaPaths := []string{
    286. 

  286. 		filepath.Join(templatesPath, templateAdminDir, templateBase),
    287. 

  287. 		filepath.Join(templatesPath, templateAdminDir, templateMFA),
    288. 

  288. 	}
    289. 

  289. 	twoFactorPaths := []string{
    290. 

  290. 		filepath.Join(templatesPath, templateAdminDir, templateBaseLogin),
    291. 

  291. 		filepath.Join(templatesPath, templateAdminDir, templateTwoFactor),
    292. 

  292. 	}
    293. 

  293. 	twoFactorRecoveryPaths := []string{
    294. 

  294. 		filepath.Join(templatesPath, templateAdminDir, templateBaseLogin),
    295. 

  295. 		filepath.Join(templatesPath, templateAdminDir, templateTwoFactorRecovery),
    296. 

  296. 	}
    297. 

  297. 	setupPaths := []string{
    298. 

  298. 		filepath.Join(templatesPath, templateAdminDir, templateBaseLogin),
    299. 

  299. 		filepath.Join(templatesPath, templateAdminDir, templateSetup),
    300. 

  300. 	}
    301. 

  301. 	forgotPwdPaths := []string{
    302. 

  302. 		filepath.Join(templatesPath, templateCommonDir, templateForgotPassword),
    303. 

  303. 	}
    304. 

  304. 	resetPwdPaths := []string{
    305. 

  305. 		filepath.Join(templatesPath, templateCommonDir, templateResetPassword),
    306. 

  306. 	}
    307. 

  307. 

  308. 	fsBaseTpl := template.New("fsBaseTemplate").Funcs(template.FuncMap{
    309. 

  309. 		"ListFSProviders": sdk.ListProviders,
    310. 

  310. 	})
    311. 

  311. 	usersTmpl := util.LoadTemplate(nil, usersPaths...)
    312. 

  312. 	userTmpl := util.LoadTemplate(fsBaseTpl, userPaths...)
    313. 

  313. 	adminsTmpl := util.LoadTemplate(nil, adminsPaths...)
    314. 

  314. 	adminTmpl := util.LoadTemplate(nil, adminPaths...)
    315. 

  315. 	connectionsTmpl := util.LoadTemplate(nil, connectionsPaths...)
    316. 

  316. 	messageTmpl := util.LoadTemplate(nil, messagePaths...)
    317. 

  317. 	foldersTmpl := util.LoadTemplate(nil, foldersPaths...)
    318. 

  318. 	folderTmpl := util.LoadTemplate(fsBaseTpl, folderPaths...)
    319. 

  319. 	statusTmpl := util.LoadTemplate(nil, statusPaths...)
    320. 

  320. 	loginTmpl := util.LoadTemplate(nil, loginPaths...)
    321. 

  321. 	profileTmpl := util.LoadTemplate(nil, profilePaths...)
    322. 

  322. 	changePwdTmpl := util.LoadTemplate(nil, changePwdPaths...)
    323. 

  323. 	maintenanceTmpl := util.LoadTemplate(nil, maintenancePaths...)
    324. 

  324. 	defenderTmpl := util.LoadTemplate(nil, defenderPaths...)
    325. 

  325. 	mfaTmpl := util.LoadTemplate(nil, mfaPaths...)
    326. 

  326. 	twoFactorTmpl := util.LoadTemplate(nil, twoFactorPaths...)
    327. 

  327. 	twoFactorRecoveryTmpl := util.LoadTemplate(nil, twoFactorRecoveryPaths...)
    328. 

  328. 	setupTmpl := util.LoadTemplate(nil, setupPaths...)
    329. 

  329. 	forgotPwdTmpl := util.LoadTemplate(nil, forgotPwdPaths...)
    330. 

  330. 	resetPwdTmpl := util.LoadTemplate(nil, resetPwdPaths...)
    331. 

  331. 

  332. 	adminTemplates[templateUsers] = usersTmpl
    333. 

  333. 	adminTemplates[templateUser] = userTmpl
    334. 

  334. 	adminTemplates[templateAdmins] = adminsTmpl
    335. 

  335. 	adminTemplates[templateAdmin] = adminTmpl
    336. 

  336. 	adminTemplates[templateConnections] = connectionsTmpl
    337. 

  337. 	adminTemplates[templateMessage] = messageTmpl
    338. 

  338. 	adminTemplates[templateFolders] = foldersTmpl
    339. 

  339. 	adminTemplates[templateFolder] = folderTmpl
    340. 

  340. 	adminTemplates[templateStatus] = statusTmpl
    341. 

  341. 	adminTemplates[templateLogin] = loginTmpl
    342. 

  342. 	adminTemplates[templateProfile] = profileTmpl
    343. 

  343. 	adminTemplates[templateChangePwd] = changePwdTmpl
    344. 

  344. 	adminTemplates[templateMaintenance] = maintenanceTmpl
    345. 

  345. 	adminTemplates[templateDefender] = defenderTmpl
    346. 

  346. 	adminTemplates[templateMFA] = mfaTmpl
    347. 

  347. 	adminTemplates[templateTwoFactor] = twoFactorTmpl
    348. 

  348. 	adminTemplates[templateTwoFactorRecovery] = twoFactorRecoveryTmpl
    349. 

  349. 	adminTemplates[templateSetup] = setupTmpl
    350. 

  350. 	adminTemplates[templateForgotPassword] = forgotPwdTmpl
    351. 

  351. 	adminTemplates[templateResetPassword] = resetPwdTmpl
    352. 

  352. }
    353. 

  353. 

  354. func getBasePageData(title, currentURL string, r *http.Request) basePage {
    355. 

  355. 	var csrfToken string
    356. 

  356. 	if currentURL != "" {
    357. 

  357. 		csrfToken = createCSRFToken()
    358. 

  358. 	}
    359. 

  359. 	return basePage{
    360. 

  360. 		Title:              title,
    361. 

  361. 		CurrentURL:         currentURL,
    362. 

  362. 		UsersURL:           webUsersPath,
    363. 

  363. 		UserURL:            webUserPath,
    364. 

  364. 		UserTemplateURL:    webTemplateUser,
    365. 

  365. 		AdminsURL:          webAdminsPath,
    366. 

  366. 		AdminURL:           webAdminPath,
    367. 

  367. 		FoldersURL:         webFoldersPath,
    368. 

  368. 		FolderURL:          webFolderPath,
    369. 

  369. 		FolderTemplateURL:  webTemplateFolder,
    370. 

  370. 		DefenderURL:        webDefenderPath,
    371. 

  371. 		LogoutURL:          webLogoutPath,
    372. 

  372. 		ProfileURL:         webAdminProfilePath,
    373. 

  373. 		ChangePwdURL:       webChangeAdminPwdPath,
    374. 

  374. 		MFAURL:             webAdminMFAPath,
    375. 

  375. 		QuotaScanURL:       webQuotaScanPath,
    376. 

  376. 		ConnectionsURL:     webConnectionsPath,
    377. 

  377. 		StatusURL:          webStatusPath,
    378. 

  378. 		FolderQuotaScanURL: webScanVFolderPath,
    379. 

  379. 		MaintenanceURL:     webMaintenancePath,
    380. 

  380. 		StaticURL:          webStaticFilesPath,
    381. 

  381. 		UsersTitle:         pageUsersTitle,
    382. 

  382. 		AdminsTitle:        pageAdminsTitle,
    383. 

  383. 		ConnectionsTitle:   pageConnectionsTitle,
    384. 

  384. 		FoldersTitle:       pageFoldersTitle,
    385. 

  385. 		StatusTitle:        pageStatusTitle,
    386. 

  386. 		MaintenanceTitle:   pageMaintenanceTitle,
    387. 

  387. 		DefenderTitle:      pageDefenderTitle,
    388. 

  388. 		Version:            version.GetAsString(),
    389. 

  389. 		LoggedAdmin:        getAdminFromToken(r),
    390. 

  390. 		HasDefender:        common.Config.DefenderConfig.Enabled,
    391. 

  391. 		CSRFToken:          csrfToken,
    392. 

  392. 	}
    393. 

  393. }
    394. 

  394. 

  395. func renderAdminTemplate(w http.ResponseWriter, tmplName string, data interface{}) {
    396. 

  396. 	err := adminTemplates[tmplName].ExecuteTemplate(w, tmplName, data)
    397. 

  397. 	if err != nil {
    398. 

  398. 		http.Error(w, err.Error(), http.StatusInternalServerError)
    399. 

  399. 	}
    400. 

  400. }
    401. 

  401. 

  402. func renderMessagePage(w http.ResponseWriter, r *http.Request, title, body string, statusCode int, err error, message string) {
    403. 

  403. 	var errorString string
    404. 

  404. 	if body != "" {
    405. 

  405. 		errorString = body + " "
    406. 

  406. 	}
    407. 

  407. 	if err != nil {
    408. 

  408. 		errorString += err.Error()
    409. 

  409. 	}
    410. 

  410. 	data := messagePage{
    411. 

  411. 		basePage: getBasePageData(title, "", r),
    412. 

  412. 		Error:    errorString,
    413. 

  413. 		Success:  message,
    414. 

  414. 	}
    415. 

  415. 	w.WriteHeader(statusCode)
    416. 

  416. 	renderAdminTemplate(w, templateMessage, data)
    417. 

  417. }
    418. 

  418. 

  419. func renderInternalServerErrorPage(w http.ResponseWriter, r *http.Request, err error) {
    420. 

  420. 	renderMessagePage(w, r, page500Title, page500Body, http.StatusInternalServerError, err, "")
    421. 

  421. }
    422. 

  422. 

  423. func renderBadRequestPage(w http.ResponseWriter, r *http.Request, err error) {
    424. 

  424. 	renderMessagePage(w, r, page400Title, "", http.StatusBadRequest, err, "")
    425. 

  425. }
    426. 

  426. 

  427. func renderForbiddenPage(w http.ResponseWriter, r *http.Request, body string) {
    428. 

  428. 	renderMessagePage(w, r, page403Title, "", http.StatusForbidden, nil, body)
    429. 

  429. }
    430. 

  430. 

  431. func renderNotFoundPage(w http.ResponseWriter, r *http.Request, err error) {
    432. 

  432. 	renderMessagePage(w, r, page404Title, page404Body, http.StatusNotFound, err, "")
    433. 

  433. }
    434. 

  434. 

  435. func renderForgotPwdPage(w http.ResponseWriter, error string) {
    436. 

  436. 	data := forgotPwdPage{
    437. 

  437. 		CurrentURL: webAdminForgotPwdPath,
    438. 

  438. 		Error:      error,
    439. 

  439. 		CSRFToken:  createCSRFToken(),
    440. 

  440. 		StaticURL:  webStaticFilesPath,
    441. 

  441. 		Title:      pageForgotPwdTitle,
    442. 

  442. 	}
    443. 

  443. 	renderAdminTemplate(w, templateForgotPassword, data)
    444. 

  444. }
    445. 

  445. 

  446. func renderResetPwdPage(w http.ResponseWriter, error string) {
    447. 

  447. 	data := resetPwdPage{
    448. 

  448. 		CurrentURL: webAdminResetPwdPath,
    449. 

  449. 		Error:      error,
    450. 

  450. 		CSRFToken:  createCSRFToken(),
    451. 

  451. 		StaticURL:  webStaticFilesPath,
    452. 

  452. 		Title:      pageResetPwdTitle,
    453. 

  453. 	}
    454. 

  454. 	renderAdminTemplate(w, templateResetPassword, data)
    455. 

  455. }
    456. 

  456. 

  457. func renderTwoFactorPage(w http.ResponseWriter, error string) {
    458. 

  458. 	data := twoFactorPage{
    459. 

  459. 		CurrentURL:  webAdminTwoFactorPath,
    460. 

  460. 		Version:     version.Get().Version,
    461. 

  461. 		Error:       error,
    462. 

  462. 		CSRFToken:   createCSRFToken(),
    463. 

  463. 		StaticURL:   webStaticFilesPath,
    464. 

  464. 		RecoveryURL: webAdminTwoFactorRecoveryPath,
    465. 

  465. 	}
    466. 

  466. 	renderAdminTemplate(w, templateTwoFactor, data)
    467. 

  467. }
    468. 

  468. 

  469. func renderTwoFactorRecoveryPage(w http.ResponseWriter, error string) {
    470. 

  470. 	data := twoFactorPage{
    471. 

  471. 		CurrentURL: webAdminTwoFactorRecoveryPath,
    472. 

  472. 		Version:    version.Get().Version,
    473. 

  473. 		Error:      error,
    474. 

  474. 		CSRFToken:  createCSRFToken(),
    475. 

  475. 		StaticURL:  webStaticFilesPath,
    476. 

  476. 	}
    477. 

  477. 	renderAdminTemplate(w, templateTwoFactorRecovery, data)
    478. 

  478. }
    479. 

  479. 

  480. func renderMFAPage(w http.ResponseWriter, r *http.Request) {
    481. 

  481. 	data := mfaPage{
    482. 

  482. 		basePage:        getBasePageData(pageMFATitle, webAdminMFAPath, r),
    483. 

  483. 		TOTPConfigs:     mfa.GetAvailableTOTPConfigNames(),
    484. 

  484. 		GenerateTOTPURL: webAdminTOTPGeneratePath,
    485. 

  485. 		ValidateTOTPURL: webAdminTOTPValidatePath,
    486. 

  486. 		SaveTOTPURL:     webAdminTOTPSavePath,
    487. 

  487. 		RecCodesURL:     webAdminRecoveryCodesPath,
    488. 

  488. 	}
    489. 

  489. 	admin, err := dataprovider.AdminExists(data.LoggedAdmin.Username)
    490. 

  490. 	if err != nil {
    491. 

  491. 		renderInternalServerErrorPage(w, r, err)
    492. 

  492. 		return
    493. 

  493. 	}
    494. 

  494. 	data.TOTPConfig = admin.Filters.TOTPConfig
    495. 

  495. 	renderAdminTemplate(w, templateMFA, data)
    496. 

  496. }
    497. 

  497. 

  498. func renderProfilePage(w http.ResponseWriter, r *http.Request, error string) {
    499. 

  499. 	data := profilePage{
    500. 

  500. 		basePage: getBasePageData(pageProfileTitle, webAdminProfilePath, r),
    501. 

  501. 		Error:    error,
    502. 

  502. 	}
    503. 

  503. 	admin, err := dataprovider.AdminExists(data.LoggedAdmin.Username)
    504. 

  504. 	if err != nil {
    505. 

  505. 		renderInternalServerErrorPage(w, r, err)
    506. 

  506. 		return
    507. 

  507. 	}
    508. 

  508. 	data.AllowAPIKeyAuth = admin.Filters.AllowAPIKeyAuth
    509. 

  509. 	data.Email = admin.Email
    510. 

  510. 	data.Description = admin.Description
    511. 

  511. 

  512. 	renderAdminTemplate(w, templateProfile, data)
    513. 

  513. }
    514. 

  514. 

  515. func renderChangePasswordPage(w http.ResponseWriter, r *http.Request, error string) {
    516. 

  516. 	data := changePasswordPage{
    517. 

  517. 		basePage: getBasePageData(pageChangePwdTitle, webChangeAdminPwdPath, r),
    518. 

  518. 		Error:    error,
    519. 

  519. 	}
    520. 

  520. 

  521. 	renderAdminTemplate(w, templateChangePwd, data)
    522. 

  522. }
    523. 

  523. 

  524. func renderMaintenancePage(w http.ResponseWriter, r *http.Request, error string) {
    525. 

  525. 	data := maintenancePage{
    526. 

  526. 		basePage:    getBasePageData(pageMaintenanceTitle, webMaintenancePath, r),
    527. 

  527. 		BackupPath:  webBackupPath,
    528. 

  528. 		RestorePath: webRestorePath,
    529. 

  529. 		Error:       error,
    530. 

  530. 	}
    531. 

  531. 

  532. 	renderAdminTemplate(w, templateMaintenance, data)
    533. 

  533. }
    534. 

  534. 

  535. func renderAdminSetupPage(w http.ResponseWriter, r *http.Request, username, error string) {
    536. 

  536. 	data := setupPage{
    537. 

  537. 		basePage: getBasePageData(pageSetupTitle, webAdminSetupPath, r),
    538. 

  538. 		Username: username,
    539. 

  539. 		Error:    error,
    540. 

  540. 	}
    541. 

  541. 

  542. 	renderAdminTemplate(w, templateSetup, data)
    543. 

  543. }
    544. 

  544. 

  545. func renderAddUpdateAdminPage(w http.ResponseWriter, r *http.Request, admin *dataprovider.Admin,
    546. 

  546. 	error string, isAdd bool) {
    547. 

  547. 	currentURL := webAdminPath
    548. 

  548. 	title := "Add a new admin"
    549. 

  549. 	if !isAdd {
    550. 

  550. 		currentURL = fmt.Sprintf("%v/%v", webAdminPath, url.PathEscape(admin.Username))
    551. 

  551. 		title = "Update admin"
    552. 

  552. 	}
    553. 

  553. 	data := adminPage{
    554. 

  554. 		basePage: getBasePageData(title, currentURL, r),
    555. 

  555. 		Admin:    admin,
    556. 

  556. 		Error:    error,
    557. 

  557. 		IsAdd:    isAdd,
    558. 

  558. 	}
    559. 

  559. 

  560. 	renderAdminTemplate(w, templateAdmin, data)
    561. 

  561. }
    562. 

  562. 

  563. func renderUserPage(w http.ResponseWriter, r *http.Request, user *dataprovider.User, mode userPageMode, error string) {
    564. 

  564. 	folders, err := getWebVirtualFolders(w, r, defaultQueryLimit)
    565. 

  565. 	if err != nil {
    566. 

  566. 		return
    567. 

  567. 	}
    568. 

  568. 	user.SetEmptySecretsIfNil()
    569. 

  569. 	var title, currentURL string
    570. 

  570. 	switch mode {
    571. 

  571. 	case userPageModeAdd:
    572. 

  572. 		title = "Add a new user"
    573. 

  573. 		currentURL = webUserPath
    574. 

  574. 	case userPageModeUpdate:
    575. 

  575. 		title = "Update user"
    576. 

  576. 		currentURL = fmt.Sprintf("%v/%v", webUserPath, url.PathEscape(user.Username))
    577. 

  577. 	case userPageModeTemplate:
    578. 

  578. 		title = "User template"
    579. 

  579. 		currentURL = webTemplateUser
    580. 

  580. 	}
    581. 

  581. 	if user.Password != "" && user.IsPasswordHashed() && mode == userPageModeUpdate {
    582. 

  582. 		user.Password = redactedSecret
    583. 

  583. 	}
    584. 

  584. 	user.FsConfig.RedactedSecret = redactedSecret
    585. 

  585. 	data := userPage{
    586. 

  586. 		basePage:          getBasePageData(title, currentURL, r),
    587. 

  587. 		Mode:              mode,
    588. 

  588. 		Error:             error,
    589. 

  589. 		User:              user,
    590. 

  590. 		ValidPerms:        dataprovider.ValidPerms,
    591. 

  591. 		ValidLoginMethods: dataprovider.ValidLoginMethods,
    592. 

  592. 		ValidProtocols:    dataprovider.ValidProtocols,
    593. 

  593. 		WebClientOptions:  sdk.WebClientOptions,
    594. 

  594. 		RootDirPerms:      user.GetPermissionsForPath("/"),
    595. 

  595. 		VirtualFolders:    folders,
    596. 

  596. 	}
    597. 

  597. 	renderAdminTemplate(w, templateUser, data)
    598. 

  598. }
    599. 

  599. 

  600. func renderFolderPage(w http.ResponseWriter, r *http.Request, folder vfs.BaseVirtualFolder, mode folderPageMode, error string) {
    601. 

  601. 	var title, currentURL string
    602. 

  602. 	switch mode {
    603. 

  603. 	case folderPageModeAdd:
    604. 

  604. 		title = "Add a new folder"
    605. 

  605. 		currentURL = webFolderPath
    606. 

  606. 	case folderPageModeUpdate:
    607. 

  607. 		title = "Update folder"
    608. 

  608. 		currentURL = fmt.Sprintf("%v/%v", webFolderPath, url.PathEscape(folder.Name))
    609. 

  609. 	case folderPageModeTemplate:
    610. 

  610. 		title = "Folder template"
    611. 

  611. 		currentURL = webTemplateFolder
    612. 

  612. 	}
    613. 

  613. 	folder.FsConfig.RedactedSecret = redactedSecret
    614. 

  614. 	folder.FsConfig.SetEmptySecretsIfNil()
    615. 

  615. 

  616. 	data := folderPage{
    617. 

  617. 		basePage: getBasePageData(title, currentURL, r),
    618. 

  618. 		Error:    error,
    619. 

  619. 		Folder:   folder,
    620. 

  620. 		Mode:     mode,
    621. 

  621. 	}
    622. 

  622. 	renderAdminTemplate(w, templateFolder, data)
    623. 

  623. }
    624. 

  624. 

  625. func getFoldersForTemplate(r *http.Request) []string {
    626. 

  626. 	var res []string
    627. 

  627. 	folderNames := r.Form["tpl_foldername"]
    628. 

  628. 	folders := make(map[string]bool)
    629. 

  629. 	for _, name := range folderNames {
    630. 

  630. 		name = strings.TrimSpace(name)
    631. 

  631. 		if name == "" {
    632. 

  632. 			continue
    633. 

  633. 		}
    634. 

  634. 		if _, ok := folders[name]; ok {
    635. 

  635. 			continue
    636. 

  636. 		}
    637. 

  637. 		folders[name] = true
    638. 

  638. 		res = append(res, name)
    639. 

  639. 	}
    640. 

  640. 	return res
    641. 

  641. }
    642. 

  642. 

  643. func getUsersForTemplate(r *http.Request) []userTemplateFields {
    644. 

  644. 	var res []userTemplateFields
    645. 

  645. 	tplUsernames := r.Form["tpl_username"]
    646. 

  646. 	tplPasswords := r.Form["tpl_password"]
    647. 

  647. 	tplPublicKeys := r.Form["tpl_public_keys"]
    648. 

  648. 

  649. 	users := make(map[string]bool)
    650. 

  650. 	for idx, username := range tplUsernames {
    651. 

  651. 		username = strings.TrimSpace(username)
    652. 

  652. 		password := ""
    653. 

  653. 		publicKey := ""
    654. 

  654. 		if len(tplPasswords) > idx {
    655. 

  655. 			password = strings.TrimSpace(tplPasswords[idx])
    656. 

  656. 		}
    657. 

  657. 		if len(tplPublicKeys) > idx {
    658. 

  658. 			publicKey = strings.TrimSpace(tplPublicKeys[idx])
    659. 

  659. 		}
    660. 

  660. 		if username == "" || (password == "" && publicKey == "") {
    661. 

  661. 			continue
    662. 

  662. 		}
    663. 

  663. 		if _, ok := users[username]; ok {
    664. 

  664. 			continue
    665. 

  665. 		}
    666. 

  666. 

  667. 		users[username] = true
    668. 

  668. 		res = append(res, userTemplateFields{
    669. 

  669. 			Username:  username,
    670. 

  670. 			Password:  password,
    671. 

  671. 			PublicKey: publicKey,
    672. 

  672. 		})
    673. 

  673. 	}
    674. 

  674. 

  675. 	return res
    676. 

  676. }
    677. 

  677. 

  678. func getVirtualFoldersFromPostFields(r *http.Request) []vfs.VirtualFolder {
    679. 

  679. 	var virtualFolders []vfs.VirtualFolder
    680. 

  680. 	folderPaths := r.Form["vfolder_path"]
    681. 

  681. 	folderNames := r.Form["vfolder_name"]
    682. 

  682. 	folderQuotaSizes := r.Form["vfolder_quota_size"]
    683. 

  683. 	folderQuotaFiles := r.Form["vfolder_quota_files"]
    684. 

  684. 	for idx, p := range folderPaths {
    685. 

  685. 		p = strings.TrimSpace(p)
    686. 

  686. 		name := ""
    687. 

  687. 		if len(folderNames) > idx {
    688. 

  688. 			name = folderNames[idx]
    689. 

  689. 		}
    690. 

  690. 		if p != "" && name != "" {
    691. 

  691. 			vfolder := vfs.VirtualFolder{
    692. 

  692. 				BaseVirtualFolder: vfs.BaseVirtualFolder{
    693. 

  693. 					Name: name,
    694. 

  694. 				},
    695. 

  695. 				VirtualPath: p,
    696. 

  696. 				QuotaFiles:  -1,
    697. 

  697. 				QuotaSize:   -1,
    698. 

  698. 			}
    699. 

  699. 			if len(folderQuotaSizes) > idx {
    700. 

  700. 				quotaSize, err := strconv.ParseInt(strings.TrimSpace(folderQuotaSizes[idx]), 10, 64)
    701. 

  701. 				if err == nil {
    702. 

  702. 					vfolder.QuotaSize = quotaSize
    703. 

  703. 				}
    704. 

  704. 			}
    705. 

  705. 			if len(folderQuotaFiles) > idx {
    706. 

  706. 				quotaFiles, err := strconv.Atoi(strings.TrimSpace(folderQuotaFiles[idx]))
    707. 

  707. 				if err == nil {
    708. 

  708. 					vfolder.QuotaFiles = quotaFiles
    709. 

  709. 				}
    710. 

  710. 			}
    711. 

  711. 			virtualFolders = append(virtualFolders, vfolder)
    712. 

  712. 		}
    713. 

  713. 	}
    714. 

  714. 

  715. 	return virtualFolders
    716. 

  716. }
    717. 

  717. 

  718. func getUserPermissionsFromPostFields(r *http.Request) map[string][]string {
    719. 

  719. 	permissions := make(map[string][]string)
    720. 

  720. 	permissions["/"] = r.Form["permissions"]
    721. 

  721. 

  722. 	for k := range r.Form {
    723. 

  723. 		if strings.HasPrefix(k, "sub_perm_path") {
    724. 

  724. 			p := strings.TrimSpace(r.Form.Get(k))
    725. 

  725. 			if p != "" {
    726. 

  726. 				idx := strings.TrimPrefix(k, "sub_perm_path")
    727. 

  727. 				permissions[p] = r.Form[fmt.Sprintf("sub_perm_permissions%v", idx)]
    728. 

  728. 			}
    729. 

  729. 		}
    730. 

  730. 	}
    731. 

  731. 

  732. 	return permissions
    733. 

  733. }
    734. 

  734. 

  735. func getBandwidthLimitsFromPostFields(r *http.Request) ([]sdk.BandwidthLimit, error) {
    736. 

  736. 	var result []sdk.BandwidthLimit
    737. 

  737. 

  738. 	for k := range r.Form {
    739. 

  739. 		if strings.HasPrefix(k, "bandwidth_limit_sources") {
    740. 

  740. 			sources := getSliceFromDelimitedValues(r.Form.Get(k), ",")
    741. 

  741. 			if len(sources) > 0 {
    742. 

  742. 				bwLimit := sdk.BandwidthLimit{
    743. 

  743. 					Sources: sources,
    744. 

  744. 				}
    745. 

  745. 				idx := strings.TrimPrefix(k, "bandwidth_limit_sources")
    746. 

  746. 				ul := r.Form.Get(fmt.Sprintf("upload_bandwidth_source%v", idx))
    747. 

  747. 				dl := r.Form.Get(fmt.Sprintf("download_bandwidth_source%v", idx))
    748. 

  748. 				if ul != "" {
    749. 

  749. 					bandwidthUL, err := strconv.ParseInt(ul, 10, 64)
    750. 

  750. 					if err != nil {
    751. 

  751. 						return result, fmt.Errorf("invalid upload_bandwidth_source%v %#v: %w", idx, ul, err)
    752. 

  752. 					}
    753. 

  753. 					bwLimit.UploadBandwidth = bandwidthUL
    754. 

  754. 				}
    755. 

  755. 				if dl != "" {
    756. 

  756. 					bandwidthDL, err := strconv.ParseInt(dl, 10, 64)
    757. 

  757. 					if err != nil {
    758. 

  758. 						return result, fmt.Errorf("invalid download_bandwidth_source%v %#v: %w", idx, ul, err)
    759. 

  759. 					}
    760. 

  760. 					bwLimit.DownloadBandwidth = bandwidthDL
    761. 

  761. 				}
    762. 

  762. 				result = append(result, bwLimit)
    763. 

  763. 			}
    764. 

  764. 		}
    765. 

  765. 	}
    766. 

  766. 

  767. 	return result, nil
    768. 

  768. }
    769. 

  769. 

  770. func getFilePatternsFromPostField(r *http.Request) []sdk.PatternsFilter {
    771. 

  771. 	var result []sdk.PatternsFilter
    772. 

  772. 

  773. 	allowedPatterns := make(map[string][]string)
    774. 

  774. 	deniedPatterns := make(map[string][]string)
    775. 

  775. 

  776. 	for k := range r.Form {
    777. 

  777. 		if strings.HasPrefix(k, "pattern_path") {
    778. 

  778. 			p := strings.TrimSpace(r.Form.Get(k))
    779. 

  779. 			idx := strings.TrimPrefix(k, "pattern_path")
    780. 

  780. 			filters := strings.TrimSpace(r.Form.Get(fmt.Sprintf("patterns%v", idx)))
    781. 

  781. 			filters = strings.ReplaceAll(filters, " ", "")
    782. 

  782. 			patternType := r.Form.Get(fmt.Sprintf("pattern_type%v", idx))
    783. 

  783. 			if p != "" && filters != "" {
    784. 

  784. 				if patternType == "allowed" {
    785. 

  785. 					allowedPatterns[p] = append(allowedPatterns[p], strings.Split(filters, ",")...)
    786. 

  786. 				} else {
    787. 

  787. 					deniedPatterns[p] = append(deniedPatterns[p], strings.Split(filters, ",")...)
    788. 

  788. 				}
    789. 

  789. 			}
    790. 

  790. 		}
    791. 

  791. 	}
    792. 

  792. 

  793. 	for dirAllowed, allowPatterns := range allowedPatterns {
    794. 

  794. 		filter := sdk.PatternsFilter{
    795. 

  795. 			Path:            dirAllowed,
    796. 

  796. 			AllowedPatterns: util.RemoveDuplicates(allowPatterns),
    797. 

  797. 		}
    798. 

  798. 		for dirDenied, denPatterns := range deniedPatterns {
    799. 

  799. 			if dirAllowed == dirDenied {
    800. 

  800. 				filter.DeniedPatterns = util.RemoveDuplicates(denPatterns)
    801. 

  801. 				break
    802. 

  802. 			}
    803. 

  803. 		}
    804. 

  804. 		result = append(result, filter)
    805. 

  805. 	}
    806. 

  806. 	for dirDenied, denPatterns := range deniedPatterns {
    807. 

  807. 		found := false
    808. 

  808. 		for _, res := range result {
    809. 

  809. 			if res.Path == dirDenied {
    810. 

  810. 				found = true
    811. 

  811. 				break
    812. 

  812. 			}
    813. 

  813. 		}
    814. 

  814. 		if !found {
    815. 

  815. 			result = append(result, sdk.PatternsFilter{
    816. 

  816. 				Path:           dirDenied,
    817. 

  817. 				DeniedPatterns: denPatterns,
    818. 

  818. 			})
    819. 

  819. 		}
    820. 

  820. 	}
    821. 

  821. 	return result
    822. 

  822. }
    823. 

  823. 

  824. func getFiltersFromUserPostFields(r *http.Request) (sdk.UserFilters, error) {
    825. 

  825. 	var filters sdk.UserFilters
    826. 

  826. 	bwLimits, err := getBandwidthLimitsFromPostFields(r)
    827. 

  827. 	if err != nil {
    828. 

  828. 		return filters, err
    829. 

  829. 	}
    830. 

  830. 	filters.BandwidthLimits = bwLimits
    831. 

  831. 	filters.AllowedIP = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",")
    832. 

  832. 	filters.DeniedIP = getSliceFromDelimitedValues(r.Form.Get("denied_ip"), ",")
    833. 

  833. 	filters.DeniedLoginMethods = r.Form["ssh_login_methods"]
    834. 

  834. 	filters.DeniedProtocols = r.Form["denied_protocols"]
    835. 

  835. 	filters.FilePatterns = getFilePatternsFromPostField(r)
    836. 

  836. 	filters.TLSUsername = sdk.TLSUsername(r.Form.Get("tls_username"))
    837. 

  837. 	filters.WebClient = r.Form["web_client_options"]
    838. 

  838. 	hooks := r.Form["hooks"]
    839. 

  839. 	if util.IsStringInSlice("external_auth_disabled", hooks) {
    840. 

  840. 		filters.Hooks.ExternalAuthDisabled = true
    841. 

  841. 	}
    842. 

  842. 	if util.IsStringInSlice("pre_login_disabled", hooks) {
    843. 

  843. 		filters.Hooks.PreLoginDisabled = true
    844. 

  844. 	}
    845. 

  845. 	if util.IsStringInSlice("check_password_disabled", hooks) {
    846. 

  846. 		filters.Hooks.CheckPasswordDisabled = true
    847. 

  847. 	}
    848. 

  848. 	filters.DisableFsChecks = len(r.Form.Get("disable_fs_checks")) > 0
    849. 

  849. 	filters.AllowAPIKeyAuth = len(r.Form.Get("allow_api_key_auth")) > 0
    850. 

  850. 	return filters, nil
    851. 

  851. }
    852. 

  852. 

  853. func getSecretFromFormField(r *http.Request, field string) *kms.Secret {
    854. 

  854. 	secret := kms.NewPlainSecret(r.Form.Get(field))
    855. 

  855. 	if strings.TrimSpace(secret.GetPayload()) == redactedSecret {
    856. 

  856. 		secret.SetStatus(kms.SecretStatusRedacted)
    857. 

  857. 	}
    858. 

  858. 	if strings.TrimSpace(secret.GetPayload()) == "" {
    859. 

  859. 		secret.SetStatus("")
    860. 

  860. 	}
    861. 

  861. 	return secret
    862. 

  862. }
    863. 

  863. 

  864. func getS3Config(r *http.Request) (vfs.S3FsConfig, error) {
    865. 

  865. 	var err error
    866. 

  866. 	config := vfs.S3FsConfig{}
    867. 

  867. 	config.Bucket = r.Form.Get("s3_bucket")
    868. 

  868. 	config.Region = r.Form.Get("s3_region")
    869. 

  869. 	config.AccessKey = r.Form.Get("s3_access_key")
    870. 

  870. 	config.AccessSecret = getSecretFromFormField(r, "s3_access_secret")
    871. 

  871. 	config.Endpoint = r.Form.Get("s3_endpoint")
    872. 

  872. 	config.StorageClass = r.Form.Get("s3_storage_class")
    873. 

  873. 	config.ACL = r.Form.Get("s3_acl")
    874. 

  874. 	config.KeyPrefix = r.Form.Get("s3_key_prefix")
    875. 

  875. 	config.UploadPartSize, err = strconv.ParseInt(r.Form.Get("s3_upload_part_size"), 10, 64)
    876. 

  876. 	if err != nil {
    877. 

  877. 		return config, err
    878. 

  878. 	}
    879. 

  879. 	config.UploadConcurrency, err = strconv.Atoi(r.Form.Get("s3_upload_concurrency"))
    880. 

  880. 	if err != nil {
    881. 

  881. 		return config, err
    882. 

  882. 	}
    883. 

  883. 	config.DownloadPartSize, err = strconv.ParseInt(r.Form.Get("s3_download_part_size"), 10, 64)
    884. 

  884. 	if err != nil {
    885. 

  885. 		return config, err
    886. 

  886. 	}
    887. 

  887. 	config.DownloadConcurrency, err = strconv.Atoi(r.Form.Get("s3_download_concurrency"))
    888. 

  888. 	if err != nil {
    889. 

  889. 		return config, err
    890. 

  890. 	}
    891. 

  891. 	config.ForcePathStyle = r.Form.Get("s3_force_path_style") != ""
    892. 

  892. 	config.DownloadPartMaxTime, err = strconv.Atoi(r.Form.Get("s3_download_part_max_time"))
    893. 

  893. 	return config, err
    894. 

  894. }
    895. 

  895. 

  896. func getGCSConfig(r *http.Request) (vfs.GCSFsConfig, error) {
    897. 

  897. 	var err error
    898. 

  898. 	config := vfs.GCSFsConfig{}
    899. 

  899. 

  900. 	config.Bucket = r.Form.Get("gcs_bucket")
    901. 

  901. 	config.StorageClass = r.Form.Get("gcs_storage_class")
    902. 

  902. 	config.ACL = r.Form.Get("gcs_acl")
    903. 

  903. 	config.KeyPrefix = r.Form.Get("gcs_key_prefix")
    904. 

  904. 	autoCredentials := r.Form.Get("gcs_auto_credentials")
    905. 

  905. 	if autoCredentials != "" {
    906. 

  906. 		config.AutomaticCredentials = 1
    907. 

  907. 	} else {
    908. 

  908. 		config.AutomaticCredentials = 0
    909. 

  909. 	}
    910. 

  910. 	credentials, _, err := r.FormFile("gcs_credential_file")
    911. 

  911. 	if err == http.ErrMissingFile {
    912. 

  912. 		return config, nil
    913. 

  913. 	}
    914. 

  914. 	if err != nil {
    915. 

  915. 		return config, err
    916. 

  916. 	}
    917. 

  917. 	defer credentials.Close()
    918. 

  918. 	fileBytes, err := io.ReadAll(credentials)
    919. 

  919. 	if err != nil || len(fileBytes) == 0 {
    920. 

  920. 		if len(fileBytes) == 0 {
    921. 

  921. 			err = errors.New("credentials file size must be greater than 0")
    922. 

  922. 		}
    923. 

  923. 		return config, err
    924. 

  924. 	}
    925. 

  925. 	config.Credentials = kms.NewPlainSecret(string(fileBytes))
    926. 

  926. 	config.AutomaticCredentials = 0
    927. 

  927. 	return config, err
    928. 

  928. }
    929. 

  929. 

  930. func getSFTPConfig(r *http.Request) (vfs.SFTPFsConfig, error) {
    931. 

  931. 	var err error
    932. 

  932. 	config := vfs.SFTPFsConfig{}
    933. 

  933. 	config.Endpoint = r.Form.Get("sftp_endpoint")
    934. 

  934. 	config.Username = r.Form.Get("sftp_username")
    935. 

  935. 	config.Password = getSecretFromFormField(r, "sftp_password")
    936. 

  936. 	config.PrivateKey = getSecretFromFormField(r, "sftp_private_key")
    937. 

  937. 	fingerprintsFormValue := r.Form.Get("sftp_fingerprints")
    938. 

  938. 	config.Fingerprints = getSliceFromDelimitedValues(fingerprintsFormValue, "\n")
    939. 

  939. 	config.Prefix = r.Form.Get("sftp_prefix")
    940. 

  940. 	config.DisableCouncurrentReads = len(r.Form.Get("sftp_disable_concurrent_reads")) > 0
    941. 

  941. 	config.BufferSize, err = strconv.ParseInt(r.Form.Get("sftp_buffer_size"), 10, 64)
    942. 

  942. 	return config, err
    943. 

  943. }
    944. 

  944. 

  945. func getAzureConfig(r *http.Request) (vfs.AzBlobFsConfig, error) {
    946. 

  946. 	var err error
    947. 

  947. 	config := vfs.AzBlobFsConfig{}
    948. 

  948. 	config.Container = r.Form.Get("az_container")
    949. 

  949. 	config.AccountName = r.Form.Get("az_account_name")
    950. 

  950. 	config.AccountKey = getSecretFromFormField(r, "az_account_key")
    951. 

  951. 	config.SASURL = getSecretFromFormField(r, "az_sas_url")
    952. 

  952. 	config.Endpoint = r.Form.Get("az_endpoint")
    953. 

  953. 	config.KeyPrefix = r.Form.Get("az_key_prefix")
    954. 

  954. 	config.AccessTier = r.Form.Get("az_access_tier")
    955. 

  955. 	config.UseEmulator = len(r.Form.Get("az_use_emulator")) > 0
    956. 

  956. 	config.UploadPartSize, err = strconv.ParseInt(r.Form.Get("az_upload_part_size"), 10, 64)
    957. 

  957. 	if err != nil {
    958. 

  958. 		return config, err
    959. 

  959. 	}
    960. 

  960. 	config.UploadConcurrency, err = strconv.Atoi(r.Form.Get("az_upload_concurrency"))
    961. 

  961. 	return config, err
    962. 

  962. }
    963. 

  963. 

  964. func getFsConfigFromPostFields(r *http.Request) (vfs.Filesystem, error) {
    965. 

  965. 	var fs vfs.Filesystem
    966. 

  966. 	fs.Provider = sdk.GetProviderByName(r.Form.Get("fs_provider"))
    967. 

  967. 	switch fs.Provider {
    968. 

  968. 	case sdk.S3FilesystemProvider:
    969. 

  969. 		config, err := getS3Config(r)
    970. 

  970. 		if err != nil {
    971. 

  971. 			return fs, err
    972. 

  972. 		}
    973. 

  973. 		fs.S3Config = config
    974. 

  974. 	case sdk.AzureBlobFilesystemProvider:
    975. 

  975. 		config, err := getAzureConfig(r)
    976. 

  976. 		if err != nil {
    977. 

  977. 			return fs, err
    978. 

  978. 		}
    979. 

  979. 		fs.AzBlobConfig = config
    980. 

  980. 	case sdk.GCSFilesystemProvider:
    981. 

  981. 		config, err := getGCSConfig(r)
    982. 

  982. 		if err != nil {
    983. 

  983. 			return fs, err
    984. 

  984. 		}
    985. 

  985. 		fs.GCSConfig = config
    986. 

  986. 	case sdk.CryptedFilesystemProvider:
    987. 

  987. 		fs.CryptConfig.Passphrase = getSecretFromFormField(r, "crypt_passphrase")
    988. 

  988. 	case sdk.SFTPFilesystemProvider:
    989. 

  989. 		config, err := getSFTPConfig(r)
    990. 

  990. 		if err != nil {
    991. 

  991. 			return fs, err
    992. 

  992. 		}
    993. 

  993. 		fs.SFTPConfig = config
    994. 

  994. 	}
    995. 

  995. 	return fs, nil
    996. 

  996. }
    997. 

  997. 

  998. func getAdminFromPostFields(r *http.Request) (dataprovider.Admin, error) {
    999. 

  999. 	var admin dataprovider.Admin
    1000. 

  1000. 	err := r.ParseForm()
    1001. 

  1001. 	if err != nil {
    1002. 

  1002. 		return admin, err
    1003. 

  1003. 	}
    1004. 

  1004. 	status, err := strconv.Atoi(r.Form.Get("status"))
    1005. 

  1005. 	if err != nil {
    1006. 

  1006. 		return admin, err
    1007. 

  1007. 	}
    1008. 

  1008. 	admin.Username = r.Form.Get("username")
    1009. 

  1009. 	admin.Password = r.Form.Get("password")
    1010. 

  1010. 	admin.Permissions = r.Form["permissions"]
    1011. 

  1011. 	admin.Email = r.Form.Get("email")
    1012. 

  1012. 	admin.Status = status
    1013. 

  1013. 	admin.Filters.AllowList = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",")
    1014. 

  1014. 	admin.Filters.AllowAPIKeyAuth = len(r.Form.Get("allow_api_key_auth")) > 0
    1015. 

  1015. 	admin.AdditionalInfo = r.Form.Get("additional_info")
    1016. 

  1016. 	admin.Description = r.Form.Get("description")
    1017. 

  1017. 	return admin, nil
    1018. 

  1018. }
    1019. 

  1019. 

  1020. func replacePlaceholders(field string, replacements map[string]string) string {
    1021. 

  1021. 	for k, v := range replacements {
    1022. 

  1022. 		field = strings.ReplaceAll(field, k, v)
    1023. 

  1023. 	}
    1024. 

  1024. 	return field
    1025. 

  1025. }
    1026. 

  1026. 

  1027. func getFolderFromTemplate(folder vfs.BaseVirtualFolder, name string) vfs.BaseVirtualFolder {
    1028. 

  1028. 	folder.Name = name
    1029. 

  1029. 	replacements := make(map[string]string)
    1030. 

  1030. 	replacements["%name%"] = folder.Name
    1031. 

  1031. 

  1032. 	folder.MappedPath = replacePlaceholders(folder.MappedPath, replacements)
    1033. 

  1033. 	folder.Description = replacePlaceholders(folder.Description, replacements)
    1034. 

  1034. 	switch folder.FsConfig.Provider {
    1035. 

  1035. 	case sdk.CryptedFilesystemProvider:
    1036. 

  1036. 		folder.FsConfig.CryptConfig = getCryptFsFromTemplate(folder.FsConfig.CryptConfig, replacements)
    1037. 

  1037. 	case sdk.S3FilesystemProvider:
    1038. 

  1038. 		folder.FsConfig.S3Config = getS3FsFromTemplate(folder.FsConfig.S3Config, replacements)
    1039. 

  1039. 	case sdk.GCSFilesystemProvider:
    1040. 

  1040. 		folder.FsConfig.GCSConfig = getGCSFsFromTemplate(folder.FsConfig.GCSConfig, replacements)
    1041. 

  1041. 	case sdk.AzureBlobFilesystemProvider:
    1042. 

  1042. 		folder.FsConfig.AzBlobConfig = getAzBlobFsFromTemplate(folder.FsConfig.AzBlobConfig, replacements)
    1043. 

  1043. 	case sdk.SFTPFilesystemProvider:
    1044. 

  1044. 		folder.FsConfig.SFTPConfig = getSFTPFsFromTemplate(folder.FsConfig.SFTPConfig, replacements)
    1045. 

  1045. 	}
    1046. 

  1046. 

  1047. 	return folder
    1048. 

  1048. }
    1049. 

  1049. 

  1050. func getCryptFsFromTemplate(fsConfig vfs.CryptFsConfig, replacements map[string]string) vfs.CryptFsConfig {
    1051. 

  1051. 	if fsConfig.Passphrase != nil {
    1052. 

  1052. 		if fsConfig.Passphrase.IsPlain() {
    1053. 

  1053. 			payload := replacePlaceholders(fsConfig.Passphrase.GetPayload(), replacements)
    1054. 

  1054. 			fsConfig.Passphrase = kms.NewPlainSecret(payload)
    1055. 

  1055. 		}
    1056. 

  1056. 	}
    1057. 

  1057. 	return fsConfig
    1058. 

  1058. }
    1059. 

  1059. 

  1060. func getS3FsFromTemplate(fsConfig vfs.S3FsConfig, replacements map[string]string) vfs.S3FsConfig {
    1061. 

  1061. 	fsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)
    1062. 

  1062. 	fsConfig.AccessKey = replacePlaceholders(fsConfig.AccessKey, replacements)
    1063. 

  1063. 	if fsConfig.AccessSecret != nil && fsConfig.AccessSecret.IsPlain() {
    1064. 

  1064. 		payload := replacePlaceholders(fsConfig.AccessSecret.GetPayload(), replacements)
    1065. 

  1065. 		fsConfig.AccessSecret = kms.NewPlainSecret(payload)
    1066. 

  1066. 	}
    1067. 

  1067. 	return fsConfig
    1068. 

  1068. }
    1069. 

  1069. 

  1070. func getGCSFsFromTemplate(fsConfig vfs.GCSFsConfig, replacements map[string]string) vfs.GCSFsConfig {
    1071. 

  1071. 	fsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)
    1072. 

  1072. 	return fsConfig
    1073. 

  1073. }
    1074. 

  1074. 

  1075. func getAzBlobFsFromTemplate(fsConfig vfs.AzBlobFsConfig, replacements map[string]string) vfs.AzBlobFsConfig {
    1076. 

  1076. 	fsConfig.KeyPrefix = replacePlaceholders(fsConfig.KeyPrefix, replacements)
    1077. 

  1077. 	fsConfig.AccountName = replacePlaceholders(fsConfig.AccountName, replacements)
    1078. 

  1078. 	if fsConfig.AccountKey != nil && fsConfig.AccountKey.IsPlain() {
    1079. 

  1079. 		payload := replacePlaceholders(fsConfig.AccountKey.GetPayload(), replacements)
    1080. 

  1080. 		fsConfig.AccountKey = kms.NewPlainSecret(payload)
    1081. 

  1081. 	}
    1082. 

  1082. 	return fsConfig
    1083. 

  1083. }
    1084. 

  1084. 

  1085. func getSFTPFsFromTemplate(fsConfig vfs.SFTPFsConfig, replacements map[string]string) vfs.SFTPFsConfig {
    1086. 

  1086. 	fsConfig.Prefix = replacePlaceholders(fsConfig.Prefix, replacements)
    1087. 

  1087. 	fsConfig.Username = replacePlaceholders(fsConfig.Username, replacements)
    1088. 

  1088. 	if fsConfig.Password != nil && fsConfig.Password.IsPlain() {
    1089. 

  1089. 		payload := replacePlaceholders(fsConfig.Password.GetPayload(), replacements)
    1090. 

  1090. 		fsConfig.Password = kms.NewPlainSecret(payload)
    1091. 

  1091. 	}
    1092. 

  1092. 	return fsConfig
    1093. 

  1093. }
    1094. 

  1094. 

  1095. func getUserFromTemplate(user dataprovider.User, template userTemplateFields) dataprovider.User {
    1096. 

  1096. 	user.Username = template.Username
    1097. 

  1097. 	user.Password = template.Password
    1098. 

  1098. 	user.PublicKeys = nil
    1099. 

  1099. 	if template.PublicKey != "" {
    1100. 

  1100. 		user.PublicKeys = append(user.PublicKeys, template.PublicKey)
    1101. 

  1101. 	}
    1102. 

  1102. 	replacements := make(map[string]string)
    1103. 

  1103. 	replacements["%username%"] = user.Username
    1104. 

  1104. 	user.Password = replacePlaceholders(user.Password, replacements)
    1105. 

  1105. 	replacements["%password%"] = user.Password
    1106. 

  1106. 

  1107. 	user.HomeDir = replacePlaceholders(user.HomeDir, replacements)
    1108. 

  1108. 	var vfolders []vfs.VirtualFolder
    1109. 

  1109. 	for _, vfolder := range user.VirtualFolders {
    1110. 

  1110. 		vfolder.Name = replacePlaceholders(vfolder.Name, replacements)
    1111. 

  1111. 		vfolder.VirtualPath = replacePlaceholders(vfolder.VirtualPath, replacements)
    1112. 

  1112. 		vfolders = append(vfolders, vfolder)
    1113. 

  1113. 	}
    1114. 

  1114. 	user.VirtualFolders = vfolders
    1115. 

  1115. 	user.Description = replacePlaceholders(user.Description, replacements)
    1116. 

  1116. 	user.AdditionalInfo = replacePlaceholders(user.AdditionalInfo, replacements)
    1117. 

  1117. 

  1118. 	switch user.FsConfig.Provider {
    1119. 

  1119. 	case sdk.CryptedFilesystemProvider:
    1120. 

  1120. 		user.FsConfig.CryptConfig = getCryptFsFromTemplate(user.FsConfig.CryptConfig, replacements)
    1121. 

  1121. 	case sdk.S3FilesystemProvider:
    1122. 

  1122. 		user.FsConfig.S3Config = getS3FsFromTemplate(user.FsConfig.S3Config, replacements)
    1123. 

  1123. 	case sdk.GCSFilesystemProvider:
    1124. 

  1124. 		user.FsConfig.GCSConfig = getGCSFsFromTemplate(user.FsConfig.GCSConfig, replacements)
    1125. 

  1125. 	case sdk.AzureBlobFilesystemProvider:
    1126. 

  1126. 		user.FsConfig.AzBlobConfig = getAzBlobFsFromTemplate(user.FsConfig.AzBlobConfig, replacements)
    1127. 

  1127. 	case sdk.SFTPFilesystemProvider:
    1128. 

  1128. 		user.FsConfig.SFTPConfig = getSFTPFsFromTemplate(user.FsConfig.SFTPConfig, replacements)
    1129. 

  1129. 	}
    1130. 

  1130. 

  1131. 	return user
    1132. 

  1132. }
    1133. 

  1133. 

  1134. func getUserFromPostFields(r *http.Request) (dataprovider.User, error) {
    1135. 

  1135. 	var user dataprovider.User
    1136. 

  1136. 	err := r.ParseMultipartForm(maxRequestSize)
    1137. 

  1137. 	if err != nil {
    1138. 

  1138. 		return user, err
    1139. 

  1139. 	}
    1140. 

  1140. 	defer r.MultipartForm.RemoveAll() //nolint:errcheck
    1141. 

  1141. 	uid, err := strconv.Atoi(r.Form.Get("uid"))
    1142. 

  1142. 	if err != nil {
    1143. 

  1143. 		return user, err
    1144. 

  1144. 	}
    1145. 

  1145. 	gid, err := strconv.Atoi(r.Form.Get("gid"))
    1146. 

  1146. 	if err != nil {
    1147. 

  1147. 		return user, err
    1148. 

  1148. 	}
    1149. 

  1149. 	maxSessions, err := strconv.Atoi(r.Form.Get("max_sessions"))
    1150. 

  1150. 	if err != nil {
    1151. 

  1151. 		return user, err
    1152. 

  1152. 	}
    1153. 

  1153. 	quotaSize, err := strconv.ParseInt(r.Form.Get("quota_size"), 10, 64)
    1154. 

  1154. 	if err != nil {
    1155. 

  1155. 		return user, err
    1156. 

  1156. 	}
    1157. 

  1157. 	quotaFiles, err := strconv.Atoi(r.Form.Get("quota_files"))
    1158. 

  1158. 	if err != nil {
    1159. 

  1159. 		return user, err
    1160. 

  1160. 	}
    1161. 

  1161. 	bandwidthUL, err := strconv.ParseInt(r.Form.Get("upload_bandwidth"), 10, 64)
    1162. 

  1162. 	if err != nil {
    1163. 

  1163. 		return user, err
    1164. 

  1164. 	}
    1165. 

  1165. 	bandwidthDL, err := strconv.ParseInt(r.Form.Get("download_bandwidth"), 10, 64)
    1166. 

  1166. 	if err != nil {
    1167. 

  1167. 		return user, err
    1168. 

  1168. 	}
    1169. 

  1169. 	status, err := strconv.Atoi(r.Form.Get("status"))
    1170. 

  1170. 	if err != nil {
    1171. 

  1171. 		return user, err
    1172. 

  1172. 	}
    1173. 

  1173. 	expirationDateMillis := int64(0)
    1174. 

  1174. 	expirationDateString := r.Form.Get("expiration_date")
    1175. 

  1175. 	if strings.TrimSpace(expirationDateString) != "" {
    1176. 

  1176. 		expirationDate, err := time.Parse(webDateTimeFormat, expirationDateString)
    1177. 

  1177. 		if err != nil {
    1178. 

  1178. 			return user, err
    1179. 

  1179. 		}
    1180. 

  1180. 		expirationDateMillis = util.GetTimeAsMsSinceEpoch(expirationDate)
    1181. 

  1181. 	}
    1182. 

  1182. 	fsConfig, err := getFsConfigFromPostFields(r)
    1183. 

  1183. 	if err != nil {
    1184. 

  1184. 		return user, err
    1185. 

  1185. 	}
    1186. 

  1186. 	filters, err := getFiltersFromUserPostFields(r)
    1187. 

  1187. 	if err != nil {
    1188. 

  1188. 		return user, err
    1189. 

  1189. 	}
    1190. 

  1190. 	user = dataprovider.User{
    1191. 

  1191. 		BaseUser: sdk.BaseUser{
    1192. 

  1192. 			Username:          r.Form.Get("username"),
    1193. 

  1193. 			Email:             r.Form.Get("email"),
    1194. 

  1194. 			Password:          r.Form.Get("password"),
    1195. 

  1195. 			PublicKeys:        r.Form["public_keys"],
    1196. 

  1196. 			HomeDir:           r.Form.Get("home_dir"),
    1197. 

  1197. 			UID:               uid,
    1198. 

  1198. 			GID:               gid,
    1199. 

  1199. 			Permissions:       getUserPermissionsFromPostFields(r),
    1200. 

  1200. 			MaxSessions:       maxSessions,
    1201. 

  1201. 			QuotaSize:         quotaSize,
    1202. 

  1202. 			QuotaFiles:        quotaFiles,
    1203. 

  1203. 			UploadBandwidth:   bandwidthUL,
    1204. 

  1204. 			DownloadBandwidth: bandwidthDL,
    1205. 

  1205. 			Status:            status,
    1206. 

  1206. 			ExpirationDate:    expirationDateMillis,
    1207. 

  1207. 			Filters:           filters,
    1208. 

  1208. 			AdditionalInfo:    r.Form.Get("additional_info"),
    1209. 

  1209. 			Description:       r.Form.Get("description"),
    1210. 

  1210. 		},
    1211. 

  1211. 		VirtualFolders: getVirtualFoldersFromPostFields(r),
    1212. 

  1212. 		FsConfig:       fsConfig,
    1213. 

  1213. 	}
    1214. 

  1214. 	maxFileSize, err := strconv.ParseInt(r.Form.Get("max_upload_file_size"), 10, 64)
    1215. 

  1215. 	user.Filters.MaxUploadFileSize = maxFileSize
    1216. 

  1216. 	return user, err
    1217. 

  1217. }
    1218. 

  1218. 

  1219. func handleWebAdminForgotPwd(w http.ResponseWriter, r *http.Request) {
    1220. 

  1220. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1221. 

  1221. 	if !smtp.IsEnabled() {
    1222. 

  1222. 		renderNotFoundPage(w, r, errors.New("this page does not exist"))
    1223. 

  1223. 		return
    1224. 

  1224. 	}
    1225. 

  1225. 	renderForgotPwdPage(w, "")
    1226. 

  1226. }
    1227. 

  1227. 

  1228. func handleWebAdminForgotPwdPost(w http.ResponseWriter, r *http.Request) {
    1229. 

  1229. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1230. 

  1230. 	err := r.ParseForm()
    1231. 

  1231. 	if err != nil {
    1232. 

  1232. 		renderForgotPwdPage(w, err.Error())
    1233. 

  1233. 		return
    1234. 

  1234. 	}
    1235. 

  1235. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1236. 

  1236. 		renderForbiddenPage(w, r, err.Error())
    1237. 

  1237. 		return
    1238. 

  1238. 	}
    1239. 

  1239. 	username := r.Form.Get("username")
    1240. 

  1240. 	err = handleForgotPassword(r, username, true)
    1241. 

  1241. 	if err != nil {
    1242. 

  1242. 		if e, ok := err.(*util.ValidationError); ok {
    1243. 

  1243. 			renderForgotPwdPage(w, e.GetErrorString())
    1244. 

  1244. 			return
    1245. 

  1245. 		}
    1246. 

  1246. 		renderForgotPwdPage(w, err.Error())
    1247. 

  1247. 		return
    1248. 

  1248. 	}
    1249. 

  1249. 	http.Redirect(w, r, webAdminResetPwdPath, http.StatusFound)
    1250. 

  1250. }
    1251. 

  1251. 

  1252. func handleWebAdminPasswordReset(w http.ResponseWriter, r *http.Request) {
    1253. 

  1253. 	r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)
    1254. 

  1254. 	if !smtp.IsEnabled() {
    1255. 

  1255. 		renderNotFoundPage(w, r, errors.New("this page does not exist"))
    1256. 

  1256. 		return
    1257. 

  1257. 	}
    1258. 

  1258. 	renderResetPwdPage(w, "")
    1259. 

  1259. }
    1260. 

  1260. 

  1261. func handleWebAdminTwoFactor(w http.ResponseWriter, r *http.Request) {
    1262. 

  1262. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1263. 

  1263. 	renderTwoFactorPage(w, "")
    1264. 

  1264. }
    1265. 

  1265. 

  1266. func handleWebAdminTwoFactorRecovery(w http.ResponseWriter, r *http.Request) {
    1267. 

  1267. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1268. 

  1268. 	renderTwoFactorRecoveryPage(w, "")
    1269. 

  1269. }
    1270. 

  1270. 

  1271. func handleWebAdminMFA(w http.ResponseWriter, r *http.Request) {
    1272. 

  1272. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1273. 

  1273. 	renderMFAPage(w, r)
    1274. 

  1274. }
    1275. 

  1275. 

  1276. func handleWebAdminProfile(w http.ResponseWriter, r *http.Request) {
    1277. 

  1277. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1278. 

  1278. 	renderProfilePage(w, r, "")
    1279. 

  1279. }
    1280. 

  1280. 

  1281. func handleWebAdminChangePwd(w http.ResponseWriter, r *http.Request) {
    1282. 

  1282. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1283. 

  1283. 	renderChangePasswordPage(w, r, "")
    1284. 

  1284. }
    1285. 

  1285. 

  1286. func handleWebAdminChangePwdPost(w http.ResponseWriter, r *http.Request) {
    1287. 

  1287. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1288. 

  1288. 	err := r.ParseForm()
    1289. 

  1289. 	if err != nil {
    1290. 

  1290. 		renderChangePasswordPage(w, r, err.Error())
    1291. 

  1291. 		return
    1292. 

  1292. 	}
    1293. 

  1293. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1294. 

  1294. 		renderForbiddenPage(w, r, err.Error())
    1295. 

  1295. 		return
    1296. 

  1296. 	}
    1297. 

  1297. 	err = doChangeAdminPassword(r, r.Form.Get("current_password"), r.Form.Get("new_password1"),
    1298. 

  1298. 		r.Form.Get("new_password2"))
    1299. 

  1299. 	if err != nil {
    1300. 

  1300. 		renderChangePasswordPage(w, r, err.Error())
    1301. 

  1301. 		return
    1302. 

  1302. 	}
    1303. 

  1303. 	handleWebLogout(w, r)
    1304. 

  1304. }
    1305. 

  1305. 

  1306. func handleWebAdminProfilePost(w http.ResponseWriter, r *http.Request) {
    1307. 

  1307. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1308. 

  1308. 	err := r.ParseForm()
    1309. 

  1309. 	if err != nil {
    1310. 

  1310. 		renderProfilePage(w, r, err.Error())
    1311. 

  1311. 		return
    1312. 

  1312. 	}
    1313. 

  1313. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1314. 

  1314. 		renderForbiddenPage(w, r, err.Error())
    1315. 

  1315. 		return
    1316. 

  1316. 	}
    1317. 

  1317. 	claims, err := getTokenClaims(r)
    1318. 

  1318. 	if err != nil || claims.Username == "" {
    1319. 

  1319. 		renderProfilePage(w, r, "Invalid token claims")
    1320. 

  1320. 		return
    1321. 

  1321. 	}
    1322. 

  1322. 	admin, err := dataprovider.AdminExists(claims.Username)
    1323. 

  1323. 	if err != nil {
    1324. 

  1324. 		renderProfilePage(w, r, err.Error())
    1325. 

  1325. 		return
    1326. 

  1326. 	}
    1327. 

  1327. 	admin.Filters.AllowAPIKeyAuth = len(r.Form.Get("allow_api_key_auth")) > 0
    1328. 

  1328. 	admin.Email = r.Form.Get("email")
    1329. 

  1329. 	admin.Description = r.Form.Get("description")
    1330. 

  1330. 	err = dataprovider.UpdateAdmin(&admin, dataprovider.ActionExecutorSelf, util.GetIPFromRemoteAddress(r.RemoteAddr))
    1331. 

  1331. 	if err != nil {
    1332. 

  1332. 		renderProfilePage(w, r, err.Error())
    1333. 

  1333. 		return
    1334. 

  1334. 	}
    1335. 

  1335. 	renderMessagePage(w, r, "Profile updated", "", http.StatusOK, nil,
    1336. 

  1336. 		"Your profile has been successfully updated")
    1337. 

  1337. }
    1338. 

  1338. 

  1339. func handleWebLogout(w http.ResponseWriter, r *http.Request) {
    1340. 

  1340. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1341. 

  1341. 	c := jwtTokenClaims{}
    1342. 

  1342. 	c.removeCookie(w, r, webBaseAdminPath)
    1343. 

  1343. 

  1344. 	http.Redirect(w, r, webLoginPath, http.StatusFound)
    1345. 

  1345. }
    1346. 

  1346. 

  1347. func handleWebMaintenance(w http.ResponseWriter, r *http.Request) {
    1348. 

  1348. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1349. 

  1349. 	renderMaintenancePage(w, r, "")
    1350. 

  1350. }
    1351. 

  1351. 

  1352. func handleWebRestore(w http.ResponseWriter, r *http.Request) {
    1353. 

  1353. 	r.Body = http.MaxBytesReader(w, r.Body, MaxRestoreSize)
    1354. 

  1354. 	claims, err := getTokenClaims(r)
    1355. 

  1355. 	if err != nil || claims.Username == "" {
    1356. 

  1356. 		renderBadRequestPage(w, r, errors.New("invalid token claims"))
    1357. 

  1357. 		return
    1358. 

  1358. 	}
    1359. 

  1359. 	err = r.ParseMultipartForm(MaxRestoreSize)
    1360. 

  1360. 	if err != nil {
    1361. 

  1361. 		renderMaintenancePage(w, r, err.Error())
    1362. 

  1362. 		return
    1363. 

  1363. 	}
    1364. 

  1364. 	defer r.MultipartForm.RemoveAll() //nolint:errcheck
    1365. 

  1365. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1366. 

  1366. 		renderForbiddenPage(w, r, err.Error())
    1367. 

  1367. 		return
    1368. 

  1368. 	}
    1369. 

  1369. 	restoreMode, err := strconv.Atoi(r.Form.Get("mode"))
    1370. 

  1370. 	if err != nil {
    1371. 

  1371. 		renderMaintenancePage(w, r, err.Error())
    1372. 

  1372. 		return
    1373. 

  1373. 	}
    1374. 

  1374. 	scanQuota, err := strconv.Atoi(r.Form.Get("quota"))
    1375. 

  1375. 	if err != nil {
    1376. 

  1376. 		renderMaintenancePage(w, r, err.Error())
    1377. 

  1377. 		return
    1378. 

  1378. 	}
    1379. 

  1379. 	backupFile, _, err := r.FormFile("backup_file")
    1380. 

  1380. 	if err != nil {
    1381. 

  1381. 		renderMaintenancePage(w, r, err.Error())
    1382. 

  1382. 		return
    1383. 

  1383. 	}
    1384. 

  1384. 	defer backupFile.Close()
    1385. 

  1385. 

  1386. 	backupContent, err := io.ReadAll(backupFile)
    1387. 

  1387. 	if err != nil || len(backupContent) == 0 {
    1388. 

  1388. 		if len(backupContent) == 0 {
    1389. 

  1389. 			err = errors.New("backup file size must be greater than 0")
    1390. 

  1390. 		}
    1391. 

  1391. 		renderMaintenancePage(w, r, err.Error())
    1392. 

  1392. 		return
    1393. 

  1393. 	}
    1394. 

  1394. 

  1395. 	if err := restoreBackup(backupContent, "", scanQuota, restoreMode, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr)); err != nil {
    1396. 

  1396. 		renderMaintenancePage(w, r, err.Error())
    1397. 

  1397. 		return
    1398. 

  1398. 	}
    1399. 

  1399. 

  1400. 	renderMessagePage(w, r, "Data restored", "", http.StatusOK, nil, "Your backup was successfully restored")
    1401. 

  1401. }
    1402. 

  1402. 

  1403. func handleGetWebAdmins(w http.ResponseWriter, r *http.Request) {
    1404. 

  1404. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1405. 

  1405. 	limit := defaultQueryLimit
    1406. 

  1406. 	if _, ok := r.URL.Query()["qlimit"]; ok {
    1407. 

  1407. 		var err error
    1408. 

  1408. 		limit, err = strconv.Atoi(r.URL.Query().Get("qlimit"))
    1409. 

  1409. 		if err != nil {
    1410. 

  1410. 			limit = defaultQueryLimit
    1411. 

  1411. 		}
    1412. 

  1412. 	}
    1413. 

  1413. 	admins := make([]dataprovider.Admin, 0, limit)
    1414. 

  1414. 	for {
    1415. 

  1415. 		a, err := dataprovider.GetAdmins(limit, len(admins), dataprovider.OrderASC)
    1416. 

  1416. 		if err != nil {
    1417. 

  1417. 			renderInternalServerErrorPage(w, r, err)
    1418. 

  1418. 			return
    1419. 

  1419. 		}
    1420. 

  1420. 		admins = append(admins, a...)
    1421. 

  1421. 		if len(a) < limit {
    1422. 

  1422. 			break
    1423. 

  1423. 		}
    1424. 

  1424. 	}
    1425. 

  1425. 	data := adminsPage{
    1426. 

  1426. 		basePage: getBasePageData(pageAdminsTitle, webAdminsPath, r),
    1427. 

  1427. 		Admins:   admins,
    1428. 

  1428. 	}
    1429. 

  1429. 	renderAdminTemplate(w, templateAdmins, data)
    1430. 

  1430. }
    1431. 

  1431. 

  1432. func handleWebAdminSetupGet(w http.ResponseWriter, r *http.Request) {
    1433. 

  1433. 	r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)
    1434. 

  1434. 	if dataprovider.HasAdmin() {
    1435. 

  1435. 		http.Redirect(w, r, webLoginPath, http.StatusFound)
    1436. 

  1436. 		return
    1437. 

  1437. 	}
    1438. 

  1438. 	renderAdminSetupPage(w, r, "", "")
    1439. 

  1439. }
    1440. 

  1440. 

  1441. func handleWebAddAdminGet(w http.ResponseWriter, r *http.Request) {
    1442. 

  1442. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1443. 

  1443. 	admin := &dataprovider.Admin{Status: 1}
    1444. 

  1444. 	renderAddUpdateAdminPage(w, r, admin, "", true)
    1445. 

  1445. }
    1446. 

  1446. 

  1447. func handleWebUpdateAdminGet(w http.ResponseWriter, r *http.Request) {
    1448. 

  1448. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1449. 

  1449. 	username := getURLParam(r, "username")
    1450. 

  1450. 	admin, err := dataprovider.AdminExists(username)
    1451. 

  1451. 	if err == nil {
    1452. 

  1452. 		renderAddUpdateAdminPage(w, r, &admin, "", false)
    1453. 

  1453. 	} else if _, ok := err.(*util.RecordNotFoundError); ok {
    1454. 

  1454. 		renderNotFoundPage(w, r, err)
    1455. 

  1455. 	} else {
    1456. 

  1456. 		renderInternalServerErrorPage(w, r, err)
    1457. 

  1457. 	}
    1458. 

  1458. }
    1459. 

  1459. 

  1460. func handleWebAddAdminPost(w http.ResponseWriter, r *http.Request) {
    1461. 

  1461. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1462. 

  1462. 	claims, err := getTokenClaims(r)
    1463. 

  1463. 	if err != nil || claims.Username == "" {
    1464. 

  1464. 		renderBadRequestPage(w, r, errors.New("invalid token claims"))
    1465. 

  1465. 		return
    1466. 

  1466. 	}
    1467. 

  1467. 	admin, err := getAdminFromPostFields(r)
    1468. 

  1468. 	if err != nil {
    1469. 

  1469. 		renderAddUpdateAdminPage(w, r, &admin, err.Error(), true)
    1470. 

  1470. 		return
    1471. 

  1471. 	}
    1472. 

  1472. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1473. 

  1473. 		renderForbiddenPage(w, r, err.Error())
    1474. 

  1474. 		return
    1475. 

  1475. 	}
    1476. 

  1476. 	err = dataprovider.AddAdmin(&admin, claims.Username, util.GetIPFromRemoteAddress(r.Method))
    1477. 

  1477. 	if err != nil {
    1478. 

  1478. 		renderAddUpdateAdminPage(w, r, &admin, err.Error(), true)
    1479. 

  1479. 		return
    1480. 

  1480. 	}
    1481. 

  1481. 	http.Redirect(w, r, webAdminsPath, http.StatusSeeOther)
    1482. 

  1482. }
    1483. 

  1483. 

  1484. func handleWebUpdateAdminPost(w http.ResponseWriter, r *http.Request) {
    1485. 

  1485. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1486. 

  1486. 

  1487. 	username := getURLParam(r, "username")
    1488. 

  1488. 	admin, err := dataprovider.AdminExists(username)
    1489. 

  1489. 	if _, ok := err.(*util.RecordNotFoundError); ok {
    1490. 

  1490. 		renderNotFoundPage(w, r, err)
    1491. 

  1491. 		return
    1492. 

  1492. 	} else if err != nil {
    1493. 

  1493. 		renderInternalServerErrorPage(w, r, err)
    1494. 

  1494. 		return
    1495. 

  1495. 	}
    1496. 

  1496. 

  1497. 	updatedAdmin, err := getAdminFromPostFields(r)
    1498. 

  1498. 	if err != nil {
    1499. 

  1499. 		renderAddUpdateAdminPage(w, r, &updatedAdmin, err.Error(), false)
    1500. 

  1500. 		return
    1501. 

  1501. 	}
    1502. 

  1502. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1503. 

  1503. 		renderForbiddenPage(w, r, err.Error())
    1504. 

  1504. 		return
    1505. 

  1505. 	}
    1506. 

  1506. 	updatedAdmin.ID = admin.ID
    1507. 

  1507. 	updatedAdmin.Username = admin.Username
    1508. 

  1508. 	if updatedAdmin.Password == "" {
    1509. 

  1509. 		updatedAdmin.Password = admin.Password
    1510. 

  1510. 	}
    1511. 

  1511. 	updatedAdmin.Filters.TOTPConfig = admin.Filters.TOTPConfig
    1512. 

  1512. 	updatedAdmin.Filters.RecoveryCodes = admin.Filters.RecoveryCodes
    1513. 

  1513. 	claims, err := getTokenClaims(r)
    1514. 

  1514. 	if err != nil || claims.Username == "" {
    1515. 

  1515. 		renderAddUpdateAdminPage(w, r, &updatedAdmin, fmt.Sprintf("Invalid token claims: %v", err), false)
    1516. 

  1516. 		return
    1517. 

  1517. 	}
    1518. 

  1518. 	if username == claims.Username {
    1519. 

  1519. 		if claims.isCriticalPermRemoved(updatedAdmin.Permissions) {
    1520. 

  1520. 			renderAddUpdateAdminPage(w, r, &updatedAdmin, "You cannot remove these permissions to yourself", false)
    1521. 

  1521. 			return
    1522. 

  1522. 		}
    1523. 

  1523. 		if updatedAdmin.Status == 0 {
    1524. 

  1524. 			renderAddUpdateAdminPage(w, r, &updatedAdmin, "You cannot disable yourself", false)
    1525. 

  1525. 			return
    1526. 

  1526. 		}
    1527. 

  1527. 	}
    1528. 

  1528. 	err = dataprovider.UpdateAdmin(&updatedAdmin, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr))
    1529. 

  1529. 	if err != nil {
    1530. 

  1530. 		renderAddUpdateAdminPage(w, r, &admin, err.Error(), false)
    1531. 

  1531. 		return
    1532. 

  1532. 	}
    1533. 

  1533. 	http.Redirect(w, r, webAdminsPath, http.StatusSeeOther)
    1534. 

  1534. }
    1535. 

  1535. 

  1536. func handleWebDefenderPage(w http.ResponseWriter, r *http.Request) {
    1537. 

  1537. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1538. 

  1538. 	data := defenderHostsPage{
    1539. 

  1539. 		basePage:         getBasePageData(pageDefenderTitle, webDefenderPath, r),
    1540. 

  1540. 		DefenderHostsURL: webDefenderHostsPath,
    1541. 

  1541. 	}
    1542. 

  1542. 

  1543. 	renderAdminTemplate(w, templateDefender, data)
    1544. 

  1544. }
    1545. 

  1545. 

  1546. func handleGetWebUsers(w http.ResponseWriter, r *http.Request) {
    1547. 

  1547. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1548. 

  1548. 	limit := defaultQueryLimit
    1549. 

  1549. 	if _, ok := r.URL.Query()["qlimit"]; ok {
    1550. 

  1550. 		var err error
    1551. 

  1551. 		limit, err = strconv.Atoi(r.URL.Query().Get("qlimit"))
    1552. 

  1552. 		if err != nil {
    1553. 

  1553. 			limit = defaultQueryLimit
    1554. 

  1554. 		}
    1555. 

  1555. 	}
    1556. 

  1556. 	users := make([]dataprovider.User, 0, limit)
    1557. 

  1557. 	for {
    1558. 

  1558. 		u, err := dataprovider.GetUsers(limit, len(users), dataprovider.OrderASC)
    1559. 

  1559. 		if err != nil {
    1560. 

  1560. 			renderInternalServerErrorPage(w, r, err)
    1561. 

  1561. 			return
    1562. 

  1562. 		}
    1563. 

  1563. 		users = append(users, u...)
    1564. 

  1564. 		if len(u) < limit {
    1565. 

  1565. 			break
    1566. 

  1566. 		}
    1567. 

  1567. 	}
    1568. 

  1568. 	data := usersPage{
    1569. 

  1569. 		basePage: getBasePageData(pageUsersTitle, webUsersPath, r),
    1570. 

  1570. 		Users:    users,
    1571. 

  1571. 	}
    1572. 

  1572. 	renderAdminTemplate(w, templateUsers, data)
    1573. 

  1573. }
    1574. 

  1574. 

  1575. func handleWebTemplateFolderGet(w http.ResponseWriter, r *http.Request) {
    1576. 

  1576. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1577. 

  1577. 	if r.URL.Query().Get("from") != "" {
    1578. 

  1578. 		name := r.URL.Query().Get("from")
    1579. 

  1579. 		folder, err := dataprovider.GetFolderByName(name)
    1580. 

  1580. 		if err == nil {
    1581. 

  1581. 			renderFolderPage(w, r, folder, folderPageModeTemplate, "")
    1582. 

  1582. 		} else if _, ok := err.(*util.RecordNotFoundError); ok {
    1583. 

  1583. 			renderNotFoundPage(w, r, err)
    1584. 

  1584. 		} else {
    1585. 

  1585. 			renderInternalServerErrorPage(w, r, err)
    1586. 

  1586. 		}
    1587. 

  1587. 	} else {
    1588. 

  1588. 		folder := vfs.BaseVirtualFolder{}
    1589. 

  1589. 		renderFolderPage(w, r, folder, folderPageModeTemplate, "")
    1590. 

  1590. 	}
    1591. 

  1591. }
    1592. 

  1592. 

  1593. func handleWebTemplateFolderPost(w http.ResponseWriter, r *http.Request) {
    1594. 

  1594. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1595. 

  1595. 	templateFolder := vfs.BaseVirtualFolder{}
    1596. 

  1596. 	err := r.ParseMultipartForm(maxRequestSize)
    1597. 

  1597. 	if err != nil {
    1598. 

  1598. 		renderMessagePage(w, r, "Error parsing folders fields", "", http.StatusBadRequest, err, "")
    1599. 

  1599. 		return
    1600. 

  1600. 	}
    1601. 

  1601. 	defer r.MultipartForm.RemoveAll() //nolint:errcheck
    1602. 

  1602. 

  1603. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1604. 

  1604. 		renderForbiddenPage(w, r, err.Error())
    1605. 

  1605. 		return
    1606. 

  1606. 	}
    1607. 

  1607. 

  1608. 	templateFolder.MappedPath = r.Form.Get("mapped_path")
    1609. 

  1609. 	templateFolder.Description = r.Form.Get("description")
    1610. 

  1610. 	fsConfig, err := getFsConfigFromPostFields(r)
    1611. 

  1611. 	if err != nil {
    1612. 

  1612. 		renderMessagePage(w, r, "Error parsing folders fields", "", http.StatusBadRequest, err, "")
    1613. 

  1613. 		return
    1614. 

  1614. 	}
    1615. 

  1615. 	templateFolder.FsConfig = fsConfig
    1616. 

  1616. 

  1617. 	var dump dataprovider.BackupData
    1618. 

  1618. 	dump.Version = dataprovider.DumpVersion
    1619. 

  1619. 

  1620. 	foldersFields := getFoldersForTemplate(r)
    1621. 

  1621. 	for _, tmpl := range foldersFields {
    1622. 

  1622. 		f := getFolderFromTemplate(templateFolder, tmpl)
    1623. 

  1623. 		if err := dataprovider.ValidateFolder(&f); err != nil {
    1624. 

  1624. 			renderMessagePage(w, r, fmt.Sprintf("Error validating folder %#v", f.Name), "", http.StatusBadRequest, err, "")
    1625. 

  1625. 			return
    1626. 

  1626. 		}
    1627. 

  1627. 		dump.Folders = append(dump.Folders, f)
    1628. 

  1628. 	}
    1629. 

  1629. 

  1630. 	if len(dump.Folders) == 0 {
    1631. 

  1631. 		renderMessagePage(w, r, "No folders to export", "No valid folders found, export is not possible", http.StatusBadRequest, nil, "")
    1632. 

  1632. 		return
    1633. 

  1633. 	}
    1634. 

  1634. 

  1635. 	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=\"sftpgo-%v-folders-from-template.json\"", len(dump.Folders)))
    1636. 

  1636. 	render.JSON(w, r, dump)
    1637. 

  1637. }
    1638. 

  1638. 

  1639. func handleWebTemplateUserGet(w http.ResponseWriter, r *http.Request) {
    1640. 

  1640. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1641. 

  1641. 	if r.URL.Query().Get("from") != "" {
    1642. 

  1642. 		username := r.URL.Query().Get("from")
    1643. 

  1643. 		user, err := dataprovider.UserExists(username)
    1644. 

  1644. 		if err == nil {
    1645. 

  1645. 			user.SetEmptySecrets()
    1646. 

  1646. 			user.Email = ""
    1647. 

  1647. 			user.Description = ""
    1648. 

  1648. 			renderUserPage(w, r, &user, userPageModeTemplate, "")
    1649. 

  1649. 		} else if _, ok := err.(*util.RecordNotFoundError); ok {
    1650. 

  1650. 			renderNotFoundPage(w, r, err)
    1651. 

  1651. 		} else {
    1652. 

  1652. 			renderInternalServerErrorPage(w, r, err)
    1653. 

  1653. 		}
    1654. 

  1654. 	} else {
    1655. 

  1655. 		user := dataprovider.User{BaseUser: sdk.BaseUser{Status: 1}}
    1656. 

  1656. 		renderUserPage(w, r, &user, userPageModeTemplate, "")
    1657. 

  1657. 	}
    1658. 

  1658. }
    1659. 

  1659. 

  1660. func handleWebTemplateUserPost(w http.ResponseWriter, r *http.Request) {
    1661. 

  1661. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1662. 

  1662. 	templateUser, err := getUserFromPostFields(r)
    1663. 

  1663. 	if err != nil {
    1664. 

  1664. 		renderMessagePage(w, r, "Error parsing user fields", "", http.StatusBadRequest, err, "")
    1665. 

  1665. 		return
    1666. 

  1666. 	}
    1667. 

  1667. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1668. 

  1668. 		renderForbiddenPage(w, r, err.Error())
    1669. 

  1669. 		return
    1670. 

  1670. 	}
    1671. 

  1671. 

  1672. 	var dump dataprovider.BackupData
    1673. 

  1673. 	dump.Version = dataprovider.DumpVersion
    1674. 

  1674. 

  1675. 	userTmplFields := getUsersForTemplate(r)
    1676. 

  1676. 	for _, tmpl := range userTmplFields {
    1677. 

  1677. 		u := getUserFromTemplate(templateUser, tmpl)
    1678. 

  1678. 		if err := dataprovider.ValidateUser(&u); err != nil {
    1679. 

  1679. 			renderMessagePage(w, r, fmt.Sprintf("Error validating user %#v", u.Username), "", http.StatusBadRequest, err, "")
    1680. 

  1680. 			return
    1681. 

  1681. 		}
    1682. 

  1682. 		dump.Users = append(dump.Users, u)
    1683. 

  1683. 		for _, folder := range u.VirtualFolders {
    1684. 

  1684. 			if !dump.HasFolder(folder.Name) {
    1685. 

  1685. 				dump.Folders = append(dump.Folders, folder.BaseVirtualFolder)
    1686. 

  1686. 			}
    1687. 

  1687. 		}
    1688. 

  1688. 	}
    1689. 

  1689. 

  1690. 	if len(dump.Users) == 0 {
    1691. 

  1691. 		renderMessagePage(w, r, "No users to export", "No valid users found, export is not possible", http.StatusBadRequest, nil, "")
    1692. 

  1692. 		return
    1693. 

  1693. 	}
    1694. 

  1694. 

  1695. 	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=\"sftpgo-%v-users-from-template.json\"", len(dump.Users)))
    1696. 

  1696. 	render.JSON(w, r, dump)
    1697. 

  1697. }
    1698. 

  1698. 

  1699. func handleWebAddUserGet(w http.ResponseWriter, r *http.Request) {
    1700. 

  1700. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1701. 

  1701. 	if r.URL.Query().Get("clone-from") != "" {
    1702. 

  1702. 		username := r.URL.Query().Get("clone-from")
    1703. 

  1703. 		user, err := dataprovider.UserExists(username)
    1704. 

  1704. 		if err == nil {
    1705. 

  1705. 			user.ID = 0
    1706. 

  1706. 			user.Username = ""
    1707. 

  1707. 			user.Password = ""
    1708. 

  1708. 			user.SetEmptySecrets()
    1709. 

  1709. 			renderUserPage(w, r, &user, userPageModeAdd, "")
    1710. 

  1710. 		} else if _, ok := err.(*util.RecordNotFoundError); ok {
    1711. 

  1711. 			renderNotFoundPage(w, r, err)
    1712. 

  1712. 		} else {
    1713. 

  1713. 			renderInternalServerErrorPage(w, r, err)
    1714. 

  1714. 		}
    1715. 

  1715. 	} else {
    1716. 

  1716. 		user := dataprovider.User{BaseUser: sdk.BaseUser{Status: 1}}
    1717. 

  1717. 		renderUserPage(w, r, &user, userPageModeAdd, "")
    1718. 

  1718. 	}
    1719. 

  1719. }
    1720. 

  1720. 

  1721. func handleWebUpdateUserGet(w http.ResponseWriter, r *http.Request) {
    1722. 

  1722. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1723. 

  1723. 	username := getURLParam(r, "username")
    1724. 

  1724. 	user, err := dataprovider.UserExists(username)
    1725. 

  1725. 	if err == nil {
    1726. 

  1726. 		renderUserPage(w, r, &user, userPageModeUpdate, "")
    1727. 

  1727. 	} else if _, ok := err.(*util.RecordNotFoundError); ok {
    1728. 

  1728. 		renderNotFoundPage(w, r, err)
    1729. 

  1729. 	} else {
    1730. 

  1730. 		renderInternalServerErrorPage(w, r, err)
    1731. 

  1731. 	}
    1732. 

  1732. }
    1733. 

  1733. 

  1734. func handleWebAddUserPost(w http.ResponseWriter, r *http.Request) {
    1735. 

  1735. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1736. 

  1736. 	claims, err := getTokenClaims(r)
    1737. 

  1737. 	if err != nil || claims.Username == "" {
    1738. 

  1738. 		renderBadRequestPage(w, r, errors.New("invalid token claims"))
    1739. 

  1739. 		return
    1740. 

  1740. 	}
    1741. 

  1741. 	user, err := getUserFromPostFields(r)
    1742. 

  1742. 	if err != nil {
    1743. 

  1743. 		renderUserPage(w, r, &user, userPageModeAdd, err.Error())
    1744. 

  1744. 		return
    1745. 

  1745. 	}
    1746. 

  1746. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1747. 

  1747. 		renderForbiddenPage(w, r, err.Error())
    1748. 

  1748. 		return
    1749. 

  1749. 	}
    1750. 

  1750. 	err = dataprovider.AddUser(&user, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr))
    1751. 

  1751. 	if err == nil {
    1752. 

  1752. 		http.Redirect(w, r, webUsersPath, http.StatusSeeOther)
    1753. 

  1753. 	} else {
    1754. 

  1754. 		renderUserPage(w, r, &user, userPageModeAdd, err.Error())
    1755. 

  1755. 	}
    1756. 

  1756. }
    1757. 

  1757. 

  1758. func handleWebUpdateUserPost(w http.ResponseWriter, r *http.Request) {
    1759. 

  1759. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1760. 

  1760. 	claims, err := getTokenClaims(r)
    1761. 

  1761. 	if err != nil || claims.Username == "" {
    1762. 

  1762. 		renderBadRequestPage(w, r, errors.New("invalid token claims"))
    1763. 

  1763. 		return
    1764. 

  1764. 	}
    1765. 

  1765. 	username := getURLParam(r, "username")
    1766. 

  1766. 	user, err := dataprovider.UserExists(username)
    1767. 

  1767. 	if _, ok := err.(*util.RecordNotFoundError); ok {
    1768. 

  1768. 		renderNotFoundPage(w, r, err)
    1769. 

  1769. 		return
    1770. 

  1770. 	} else if err != nil {
    1771. 

  1771. 		renderInternalServerErrorPage(w, r, err)
    1772. 

  1772. 		return
    1773. 

  1773. 	}
    1774. 

  1774. 	updatedUser, err := getUserFromPostFields(r)
    1775. 

  1775. 	if err != nil {
    1776. 

  1776. 		renderUserPage(w, r, &user, userPageModeUpdate, err.Error())
    1777. 

  1777. 		return
    1778. 

  1778. 	}
    1779. 

  1779. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1780. 

  1780. 		renderForbiddenPage(w, r, err.Error())
    1781. 

  1781. 		return
    1782. 

  1782. 	}
    1783. 

  1783. 	updatedUser.ID = user.ID
    1784. 

  1784. 	updatedUser.Username = user.Username
    1785. 

  1785. 	updatedUser.Filters.RecoveryCodes = user.Filters.RecoveryCodes
    1786. 

  1786. 	updatedUser.Filters.TOTPConfig = user.Filters.TOTPConfig
    1787. 

  1787. 	updatedUser.SetEmptySecretsIfNil()
    1788. 

  1788. 	if updatedUser.Password == redactedSecret {
    1789. 

  1789. 		updatedUser.Password = user.Password
    1790. 

  1790. 	}
    1791. 

  1791. 	updateEncryptedSecrets(&updatedUser.FsConfig, user.FsConfig.S3Config.AccessSecret, user.FsConfig.AzBlobConfig.AccountKey,
    1792. 

  1792. 		user.FsConfig.AzBlobConfig.SASURL, user.FsConfig.GCSConfig.Credentials, user.FsConfig.CryptConfig.Passphrase,
    1793. 

  1793. 		user.FsConfig.SFTPConfig.Password, user.FsConfig.SFTPConfig.PrivateKey)
    1794. 

  1794. 

  1795. 	err = dataprovider.UpdateUser(&updatedUser, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr))
    1796. 

  1796. 	if err == nil {
    1797. 

  1797. 		if len(r.Form.Get("disconnect")) > 0 {
    1798. 

  1798. 			disconnectUser(user.Username)
    1799. 

  1799. 		}
    1800. 

  1800. 		http.Redirect(w, r, webUsersPath, http.StatusSeeOther)
    1801. 

  1801. 	} else {
    1802. 

  1802. 		renderUserPage(w, r, &user, userPageModeUpdate, err.Error())
    1803. 

  1803. 	}
    1804. 

  1804. }
    1805. 

  1805. 

  1806. func handleWebGetStatus(w http.ResponseWriter, r *http.Request) {
    1807. 

  1807. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1808. 

  1808. 	data := statusPage{
    1809. 

  1809. 		basePage: getBasePageData(pageStatusTitle, webStatusPath, r),
    1810. 

  1810. 		Status:   getServicesStatus(),
    1811. 

  1811. 	}
    1812. 

  1812. 	renderAdminTemplate(w, templateStatus, data)
    1813. 

  1813. }
    1814. 

  1814. 

  1815. func handleWebGetConnections(w http.ResponseWriter, r *http.Request) {
    1816. 

  1816. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1817. 

  1817. 	connectionStats := common.Connections.GetStats()
    1818. 

  1818. 	data := connectionsPage{
    1819. 

  1819. 		basePage:    getBasePageData(pageConnectionsTitle, webConnectionsPath, r),
    1820. 

  1820. 		Connections: connectionStats,
    1821. 

  1821. 	}
    1822. 

  1822. 	renderAdminTemplate(w, templateConnections, data)
    1823. 

  1823. }
    1824. 

  1824. 

  1825. func handleWebAddFolderGet(w http.ResponseWriter, r *http.Request) {
    1826. 

  1826. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1827. 

  1827. 	renderFolderPage(w, r, vfs.BaseVirtualFolder{}, folderPageModeAdd, "")
    1828. 

  1828. }
    1829. 

  1829. 

  1830. func handleWebAddFolderPost(w http.ResponseWriter, r *http.Request) {
    1831. 

  1831. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1832. 

  1832. 	folder := vfs.BaseVirtualFolder{}
    1833. 

  1833. 	err := r.ParseMultipartForm(maxRequestSize)
    1834. 

  1834. 	if err != nil {
    1835. 

  1835. 		renderFolderPage(w, r, folder, folderPageModeAdd, err.Error())
    1836. 

  1836. 		return
    1837. 

  1837. 	}
    1838. 

  1838. 	defer r.MultipartForm.RemoveAll() //nolint:errcheck
    1839. 

  1839. 

  1840. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1841. 

  1841. 		renderForbiddenPage(w, r, err.Error())
    1842. 

  1842. 		return
    1843. 

  1843. 	}
    1844. 

  1844. 	folder.MappedPath = r.Form.Get("mapped_path")
    1845. 

  1845. 	folder.Name = r.Form.Get("name")
    1846. 

  1846. 	folder.Description = r.Form.Get("description")
    1847. 

  1847. 	fsConfig, err := getFsConfigFromPostFields(r)
    1848. 

  1848. 	if err != nil {
    1849. 

  1849. 		renderFolderPage(w, r, folder, folderPageModeAdd, err.Error())
    1850. 

  1850. 		return
    1851. 

  1851. 	}
    1852. 

  1852. 	folder.FsConfig = fsConfig
    1853. 

  1853. 

  1854. 	err = dataprovider.AddFolder(&folder)
    1855. 

  1855. 	if err == nil {
    1856. 

  1856. 		http.Redirect(w, r, webFoldersPath, http.StatusSeeOther)
    1857. 

  1857. 	} else {
    1858. 

  1858. 		renderFolderPage(w, r, folder, folderPageModeAdd, err.Error())
    1859. 

  1859. 	}
    1860. 

  1860. }
    1861. 

  1861. 

  1862. func handleWebUpdateFolderGet(w http.ResponseWriter, r *http.Request) {
    1863. 

  1863. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1864. 

  1864. 	name := getURLParam(r, "name")
    1865. 

  1865. 	folder, err := dataprovider.GetFolderByName(name)
    1866. 

  1866. 	if err == nil {
    1867. 

  1867. 		renderFolderPage(w, r, folder, folderPageModeUpdate, "")
    1868. 

  1868. 	} else if _, ok := err.(*util.RecordNotFoundError); ok {
    1869. 

  1869. 		renderNotFoundPage(w, r, err)
    1870. 

  1870. 	} else {
    1871. 

  1871. 		renderInternalServerErrorPage(w, r, err)
    1872. 

  1872. 	}
    1873. 

  1873. }
    1874. 

  1874. 

  1875. func handleWebUpdateFolderPost(w http.ResponseWriter, r *http.Request) {
    1876. 

  1876. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1877. 

  1877. 	claims, err := getTokenClaims(r)
    1878. 

  1878. 	if err != nil || claims.Username == "" {
    1879. 

  1879. 		renderBadRequestPage(w, r, errors.New("invalid token claims"))
    1880. 

  1880. 		return
    1881. 

  1881. 	}
    1882. 

  1882. 	name := getURLParam(r, "name")
    1883. 

  1883. 	folder, err := dataprovider.GetFolderByName(name)
    1884. 

  1884. 	if _, ok := err.(*util.RecordNotFoundError); ok {
    1885. 

  1885. 		renderNotFoundPage(w, r, err)
    1886. 

  1886. 		return
    1887. 

  1887. 	} else if err != nil {
    1888. 

  1888. 		renderInternalServerErrorPage(w, r, err)
    1889. 

  1889. 		return
    1890. 

  1890. 	}
    1891. 

  1891. 

  1892. 	err = r.ParseMultipartForm(maxRequestSize)
    1893. 

  1893. 	if err != nil {
    1894. 

  1894. 		renderFolderPage(w, r, folder, folderPageModeUpdate, err.Error())
    1895. 

  1895. 		return
    1896. 

  1896. 	}
    1897. 

  1897. 	defer r.MultipartForm.RemoveAll() //nolint:errcheck
    1898. 

  1898. 

  1899. 	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
    1900. 

  1900. 		renderForbiddenPage(w, r, err.Error())
    1901. 

  1901. 		return
    1902. 

  1902. 	}
    1903. 

  1903. 	fsConfig, err := getFsConfigFromPostFields(r)
    1904. 

  1904. 	if err != nil {
    1905. 

  1905. 		renderFolderPage(w, r, folder, folderPageModeUpdate, err.Error())
    1906. 

  1906. 		return
    1907. 

  1907. 	}
    1908. 

  1908. 	updatedFolder := &vfs.BaseVirtualFolder{
    1909. 

  1909. 		MappedPath:  r.Form.Get("mapped_path"),
    1910. 

  1910. 		Description: r.Form.Get("description"),
    1911. 

  1911. 	}
    1912. 

  1912. 	updatedFolder.ID = folder.ID
    1913. 

  1913. 	updatedFolder.Name = folder.Name
    1914. 

  1914. 	updatedFolder.FsConfig = fsConfig
    1915. 

  1915. 	updatedFolder.FsConfig.SetEmptySecretsIfNil()
    1916. 

  1916. 	updateEncryptedSecrets(&updatedFolder.FsConfig, folder.FsConfig.S3Config.AccessSecret, folder.FsConfig.AzBlobConfig.AccountKey,
    1917. 

  1917. 		folder.FsConfig.AzBlobConfig.SASURL, folder.FsConfig.GCSConfig.Credentials, folder.FsConfig.CryptConfig.Passphrase,
    1918. 

  1918. 		folder.FsConfig.SFTPConfig.Password, folder.FsConfig.SFTPConfig.PrivateKey)
    1919. 

  1919. 

  1920. 	err = dataprovider.UpdateFolder(updatedFolder, folder.Users, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr))
    1921. 

  1921. 	if err != nil {
    1922. 

  1922. 		renderFolderPage(w, r, folder, folderPageModeUpdate, err.Error())
    1923. 

  1923. 		return
    1924. 

  1924. 	}
    1925. 

  1925. 	http.Redirect(w, r, webFoldersPath, http.StatusSeeOther)
    1926. 

  1926. }
    1927. 

  1927. 

  1928. func getWebVirtualFolders(w http.ResponseWriter, r *http.Request, limit int) ([]vfs.BaseVirtualFolder, error) {
    1929. 

  1929. 	folders := make([]vfs.BaseVirtualFolder, 0, limit)
    1930. 

  1930. 	for {
    1931. 

  1931. 		f, err := dataprovider.GetFolders(limit, len(folders), dataprovider.OrderASC)
    1932. 

  1932. 		if err != nil {
    1933. 

  1933. 			renderInternalServerErrorPage(w, r, err)
    1934. 

  1934. 			return folders, err
    1935. 

  1935. 		}
    1936. 

  1936. 		folders = append(folders, f...)
    1937. 

  1937. 		if len(f) < limit {
    1938. 

  1938. 			break
    1939. 

  1939. 		}
    1940. 

  1940. 	}
    1941. 

  1941. 	return folders, nil
    1942. 

  1942. }
    1943. 

  1943. 

  1944. func handleWebGetFolders(w http.ResponseWriter, r *http.Request) {
    1945. 

  1945. 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
    1946. 

  1946. 	limit := defaultQueryLimit
    1947. 

  1947. 	if _, ok := r.URL.Query()["qlimit"]; ok {
    1948. 

  1948. 		var err error
    1949. 

  1949. 		limit, err = strconv.Atoi(r.URL.Query().Get("qlimit"))
    1950. 

  1950. 		if err != nil {
    1951. 

  1951. 			limit = defaultQueryLimit
    1952. 

  1952. 		}
    1953. 

  1953. 	}
    1954. 

  1954. 	folders, err := getWebVirtualFolders(w, r, limit)
    1955. 

  1955. 	if err != nil {
    1956. 

  1956. 		return
    1957. 

  1957. 	}
    1958. 

  1958. 

  1959. 	data := foldersPage{
    1960. 

  1960. 		basePage: getBasePageData(pageFoldersTitle, webFoldersPath, r),
    1961. 

  1961. 		Folders:  folders,
    1962. 

  1962. 	}
    1963. 

  1963. 	renderAdminTemplate(w, templateFolders, data)
    1964. 

  1964. }
    1965.