Issue #15 fix: User update (patch) is not working for resource app=users&resource=user : without forcecreate

src/language/en-GB/en-GB.plg_api_users.ini

@@ -2,7 +2,7 @@ PLG_API_USERS="API - Users"
 PLG_API_USERS_DESCRIPTION="This plugin exposes users to the Joomla! API. Supports creation, listing and login for users."
 PLG_API_USERS_BAD_REQUEST_MESSAGE="Bad request"
 PLG_API_USERS_REQUIRED_DATA_EMPTY_MESSAGE="Required data is empty"
-PLG_API_USERS_ACCOUNT_CREATED_SUCCESSFULLY_MESSAGE="Congratulations! Your account has been created successfully"
+PLG_API_USERS_ACCOUNT_CREATED_SUCCESSFULLY_MESSAGE="Congratulations! Account has been created successfully"
 PLG_API_USERS_PROFILE_CREATED_SUCCESSFULLY_MESSAGE="profile created successfully"
 PLG_API_USERS_UNABLE_CREATE_PROFILE_MESSAGE="Unable to create profile"
 PLG_API_USERS_EASYSOCIAL_NOT_INSTALL_MESSAGE="Easysocial is not installed properly"
@@ -15,3 +15,7 @@ PLG_API_USERS_UNSUPPORTED_METHOD_POST="unsupported method,please use get method"
 PLG_API_USERS_USERS="users/"
 PLG_API_USERS_IN_DELETE="in delete"
 PLG_API_USERS_IN_POST="in post"
+
+; Since v2.0.1
+PLG_API_USERS_ACCOUNT_UPDATED_SUCCESSFULLY_MESSAGE="Account details updated successfully"
+PLG_API_USERS_USER_DELETE_MESSAGE="Account deleted successfully"

src/users/user.php

@@ -19,6 +19,14 @@
  */
 class UsersApiResourceUser extends ApiResource
 {
+	/**
+	 * Array of fields to be unset
+	 *
+	 * @var    array
+	 * @since  2.0.1
+	 */
+	private $fieldsToSanitize = array('password', 'password_clear', 'otpKey', 'otep');
+
 	/**
 	 * Function to create and edit user record.
 	 *
@@ -28,77 +36,43 @@ class UsersApiResourceUser extends ApiResource
 	 */
 	public function post()
 	{
-		$app = JFactory::getApplication();
-		$userIdentifier = $app->input->get('id', 0, 'String');
-		$formData = $app->input->getArray();
-		$params = JComponentHelper::getParams("com_users");
-		$response = new stdClass;
-
-		$xidentifier = $app->input->server->get('HTTP_X_IDENTIFIER');
-		$fidentifier = $app->input->server->get('HTTP_FORCECREATE');
+		$app            = JFactory::getApplication();
+		$params         = JComponentHelper::getParams("com_users");
+		$formData       = $app->input->getArray();
+		$userIdentifier = $app->input->get('id', 0, 'string');
 
-		if ($formData['username'] == '' || $formData['name'] == '' || $formData['email'] == '')
+		if (isset($formData['fields']))
 		{
-			ApiError::raiseError(400, JText::_('PLG_API_USERS_REQUIRED_DATA_EMPTY_MESSAGE'));
-
-			return;
+			$formData['com_fields'] = $formData['fields'];
+			unset($formData['fields']);
 		}
 
 		// Get current logged in user.
-		$my = JFactory::getUser();
-
-		// Check if $userIdentifier is not set
-		if (empty($userIdentifier))
-		{
-			if ($formData['password'] == '')
-			{
-				ApiError::raiseError(400, JText::_('PLG_API_USERS_REQUIRED_DATA_EMPTY_MESSAGE'));
-
-				return;
-			}
-
-			// Set default group if nothing is passed for group.
-			if (empty($formData['groups']))
-			{
-				$formData['groups'] = array($params->get("new_usertype", 2));
-			}
-
-			// Get a blank user object
-			$user = new JUser;
+		$me = $this->plugin->get('user');
+		$iAmSuperAdmin = $me->authorise('core.create');
 
-			// Create new user.
-			$response = $this->storeUser($user, $formData, 1);
-			$this->plugin->setResponse($response);
-
-			return;
-		}
-		else
+		if (!empty($userIdentifier))
 		{
-			// Get a user object
-			$user = $this->retriveUser($xidentifier, $userIdentifier);
-			$passedUserGroups = array();
+			$user = $this->retriveUser($userIdentifier);
 
-			// If user is already present then update it according to access.
 			if (!empty($user->id))
 			{
-				$iAmSuperAdmin	= $my->authorise('core.admin');
-
-				// Check if regular user is tring to update himself.
-				if ($my->id == $user->id || $iAmSuperAdmin)
+				// Check if regular user is trying to update his/her own profile OR if user is superadmin
+				if ($me->id == $user->id || $iAmSuperAdmin)
 				{
-					// If present then update or else dont include.
+					// If password present then update password2 or else dont include.
 					if (!empty($formData['password']))
 					{
 						$formData['password2'] = $formData['password'];
 					}
 
-					// Add newly added groups and keep the old one as it is.
+					/*// Add newly added groups and keep the old one as it is.
 					if (!empty($formData['groups']))
 					{
-						$passedUserGroups['groups'] = array_unique(array_merge($user->groups, $formData['groups']));
-					}
+						$formData['groups'] = array_unique(array_merge($user->groups, $formData['groups']));
+					}*/
 
-					$response = $this->storeUser($user, $passedUserGroups);
+					$response = $this->storeUser($user, $formData);
 					$this->plugin->setResponse($response);
 
 					return;
@@ -112,35 +86,62 @@ public function post()
 			}
 			else
 			{
-				if ($fidentifier)
-				{
-					$user = new JUser;
+				ApiError::raiseError(400, JText::_('PLG_API_USERS_USER_NOT_FOUND_MESSAGE'));
 
-					if ($formData['password'] == '')
-					{
-						ApiError::raiseError(400, JText::_('PLG_API_USERS_REQUIRED_DATA_EMPTY_MESSAGE'));
+				return;
+			}
+		}
+		// Check if $userIdentifier is not set - POST / CREATE user case
+		else
+		{
+			if (!$iAmSuperAdmin)
+			{
+				ApiError::raiseError(400, JText::_('JERROR_ALERTNOAUTHOR'));
 
-						return;
-					}
+				return;
+			}
 
-					// Set default group if nothing is passed for group.
-					if (empty($formData['groups']))
-					{
-						$formData['groups'] = array($params->get("new_usertype", 2));
-					}
+			// Validate required fields
+			if ($formData['username'] == '' || $formData['name'] == '' || $formData['email'] == '')
+			{
+				ApiError::raiseError(400, JText::_('PLG_API_USERS_REQUIRED_DATA_EMPTY_MESSAGE'));
 
-					// Create new user.
-					$response = $this->storeUser($user, $formData, 1);
-					$this->plugin->setResponse($response);
+				return;
+			}
 
-					return;
-				}
-				else
-				{
-					ApiError::raiseError(400, JText::_('PLG_API_USERS_USER_ABSENT_MESSAGE'));
+			// Set default group if nothing is passed for group.
+			if (empty($formData['groups']))
+			{
+				$formData['groups'] = array($params->get("new_usertype", 2));
+			}
 
-					return;
-				}
+			// Get a blank user object
+			$user = new JUser;
+
+			// Create new user.
+			$response = $this->storeUser($user, $formData, 1);
+			$this->plugin->setResponse($response);
+
+			return;
+		}
+	}
+
+	/**
+	 * Funtion to remove sensitive user info fields like password
+	 *
+	 * @param   Object  &$user  The user object.
+	 *
+	 * @return  object|void  $user
+	 *
+	 * @since   2.0.1
+	 */
+	protected function sanitizeUserFields(&$user)
+	{
+		foreach ($this->fieldsToSanitize as $f)
+		{
+			if (isset($user->{$f}))
+			{
+				unset($user->{$f});
 			}
 		}
 	}
@@ -154,27 +155,24 @@ public function post()
 	 */
 	public function get()
 	{
-		$input = JFactory::getApplication()->input;
-		$id = $input->get('id', 0, 'int');
-		$xidentifier	= $input->server->get('HTTP_X_IDENTIFIER', '', 'String');
+		$input       = JFactory::getApplication()->input;
+		$id          = $input->get('id', 0, 'string');
 
 		/*
 		 * If we have an id try to fetch the user
 		 * @TODO write user field mapping logic here
 		 */
 		if ($id)
 		{
-			// Get a user object
-			$user = $this->retriveUser($xidentifier, $id);
+			// Get user object
+			$user = $this->retriveUser($id);
 
-			if (! $user->id)
+			if (!$user->id)
 			{
 				ApiError::raiseError(400, JText::_('PLG_API_USERS_USER_NOT_FOUND_MESSAGE'));
 
 				return;
 			}
-
-			$this->plugin->setResponse($user);
 		}
 		else
 		{
@@ -184,9 +182,11 @@ public function get()
 			{
 				ApiError::raiseError(400, JText::_('JERROR_ALERTNOAUTHOR'));
 			}
-
-			$this->plugin->setResponse($user);
 		}
+
+		$this->sanitizeUserFields($user);
+
+		$this->plugin->setResponse($user);
 	}
 
 	/**
@@ -224,8 +224,22 @@ private function getUserId($email)
 	private function storeUser($user, $formData, $isNew = 0)
 	{
 		$response = new stdClass;
+		$ignore   = array();
+
+		// Ignore pasword field if not set to avoid warning on bind()
+		if (!isset($formData['password']))
+		{
+			$ignore[] = 'password';
+		}
 
-		if (!$user->bind($formData))
+		// In case of edit user, set formData->id as $user->id no matter what is passed in x-identifier
+		// Otherwise - it will try to create new user
+		if (!$isNew)
+		{
+			$formData['id'] = $user->id;
+		}
+
+		if (!$user->bind($formData, $ignore))
 		{
 			ApiError::raiseError(400, $user->getError());
 
@@ -239,6 +253,7 @@ private function storeUser($user, $formData, $isNew = 0)
 			return;
 		}
 
+		// Set user id to be returned
 		$response->id = $user->id;
 
 		if ($isNew)
@@ -262,16 +277,15 @@ private function storeUser($user, $formData, $isNew = 0)
 	 */
 	public function delete()
 	{
-		$app = JFactory::getApplication();
-		$userIdentifier = $app->input->get('id', 0, 'STRING');
-		$xidentifier = $app->input->server->get('HTTP_X_IDENTIFIER', '', 'String');
+		$app            = JFactory::getApplication();
+		$userIdentifier = $app->input->get('id', 0, 'string');
 
 		$loggedUser = JFactory::getUser();
 
 		// Check if I am a Super Admin
 		$iAmSuperAdmin = $loggedUser->authorise('core.admin');
 
-		$userToDelete = $this->retriveUser($xidentifier, $userIdentifier);
+		$userToDelete = $this->retriveUser($userIdentifier);
 
 		if (!$userToDelete->id)
 		{
@@ -319,19 +333,21 @@ public function delete()
 	/**
 	 * Function retriveUser for get user details depending upon the identifier.
 	 *
-	 * @param   string  $xidentifier     Flag to differentiate the column value.
-	 *
 	 * @param   string  $userIdentifier  username
 	 *
 	 * @return  object  $user  Juser object if user exist otherwise std class.
 	 *
 	 * @since   2.0
 	 */
-	private function retriveUser($xidentifier, $userIdentifier)
+	private function retriveUser($userIdentifier)
 	{
 		$user = new stdClass;
 
-		switch ($xidentifier)
+		// Flag to differentiate the column value
+		$app            = JFactory::getApplication();
+		$xIdentifier    = $app->input->server->get('HTTP_X_IDENTIFIER', '');
+
+		switch ($xIdentifier)
 		{
 			case 'username':
 				$userId = JUserHelper::getUserId($userIdentifier);