From b471a886e30c11f767be8f44fc1e88478c3f5d4f Mon Sep 17 00:00:00 2001
From: Jordan
Date: Sun, 9 Feb 2014 19:34:47 -0600
Subject: [PATCH] Updated angular ui to support adding group

Updated POST /api/groups/ to successfully add group
Fixed CSRF in API issue
Moved PUT and DELETE to /api/groups/:id (TODO: Implement)
Changed SQL to use user_id instead of API key

It is now possible to add a new group! Will propagate logic to campaigns soon.
---
 controllers/api.go       | 37 +++++++++++++++++++++++--------------
 controllers/route.go     |  6 +++---
 db/db.go                 | 26 ++++++++++++++++++++------
 static/js/app/gophish.js | 15 ++++++++++++---
 templates/users.html     |  7 +------
 5 files changed, 59 insertions(+), 32 deletions(-)

diff --git a/controllers/api.go b/controllers/api.go
index 9a2a4ed3..9aaf85c0 100644
--- a/controllers/api.go
+++ b/controllers/api.go
@@ -50,13 +50,10 @@ func API_Reset(w http.ResponseWriter, r *http.Request) {
 func API_Campaigns(w http.ResponseWriter, r *http.Request) {
 	switch {
 	case r.Method == "GET":
-		cs, err := db.GetCampaigns(ctx.Get(r, "api_key"))
+		cs, err := db.GetCampaigns(ctx.Get(r, "user_id").(int64))
 		if err != nil {
 			fmt.Println(err)
 		}
-		/*for c := range cs {
-			_, err := db.Conn.Select(&cs.Results, "SELECT r.id ")
-		}*/
 		cj, err := json.MarshalIndent(cs, "", " ")
 		if checkError(err, w, "Error looking up campaigns") {
 			return
@@ -96,7 +93,7 @@ func API_Campaigns_Id(w http.ResponseWriter, r *http.Request) {
 	switch {
 	case r.Method == "GET":
 		c := models.Campaign{}
-		c, err := db.GetCampaign(id, ctx.Get(r, "api_key"))
+		c, err := db.GetCampaign(id, ctx.Get(r, "user_id").(int64))
 		if checkError(err, w, "No campaign found") {
 			return
 		}
@@ -140,7 +137,7 @@ RESULT { "name" : "Test Group",
 func API_Groups(w http.ResponseWriter, r *http.Request) {
 	switch {
 	case r.Method == "GET":
-		gs, err := db.GetGroups(ctx.Get(r, "api_key"))
+		gs, err := db.GetGroups(ctx.Get(r, "user_id").(int64))
 		if checkError(err, w, "Cannot retrieve group information") {
 			return
 		}
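Review bot: The single-value type assertion `ctx.Get(r, "user_id").(int64)` on the new GetCampaigns line panics when the context has no "user_id" entry or the value was stored as a different integer type, turning a missing identity into a crashed request instead of a rejected one; the same pattern is on the new lines of the -96 and -140 hunks and in API_Groups_Id in the following hunk. The middleware that stores the value (mid.RequireAPIKey, per route.go) is not in this diff, so whether it always sets an int64 cannot be confirmed here. Prefer the two-value form and fail closed, e.g. `uid, ok := ctx.Get(r, "user_id").(int64)` followed by `if !ok { http.Error(w, "Unauthorized", http.StatusUnauthorized); return }`, then pass uid to the db call. API_Campaigns continues past the hunk.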
@@ -172,9 +169,27 @@ func API_Groups(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		writeJSON(w, gj)
+	}
+}
+
+// API_Groups_Id returns details about the requested campaign. If the campaign is not
+// valid, API_Campaigns_Id returns null.
+func API_Groups_Id(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	id, _ := strconv.ParseInt(vars["id"], 0, 64)
+	switch {
+	case r.Method == "GET":
+		g := models.Group{}
+		g, err := db.GetGroup(id, ctx.Get(r, "user_id").(int64))
+		if checkError(err, w, "No group found") {
+			return
+		}
+		gj, err := json.MarshalIndent(g, "", " ")
+		if checkError(err, w, "Error creating JSON response") {
+			return
+		}
+		writeJSON(w, gj)
 	case r.Method == "DELETE":
-		vars := mux.Vars(r)
-		id, _ := strconv.ParseInt(vars["id"], 0, 64)
 		err := db.DeleteGroup(id)
 		if checkError(err, w, "Error creating JSON response") {
 			return
@@ -183,12 +198,6 @@ func API_Groups(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-// API_Campaigns_Id returns details about the requested campaign. If the campaign is not
-// valid, API_Campaigns_Id returns null.
-func API_Groups_Id(w http.ResponseWriter, r *http.Request) {
-	http.Redirect(w, r, "/", 302)
-}
-
 func writeJSON(w http.ResponseWriter, c []byte) {
 	w.Header().Set("Content-Type", "application/json")
 	fmt.Fprintf(w, "%s", c)
diff --git a/controllers/route.go b/controllers/route.go
index 85cd66a7..8ef5fd45 100644
--- a/controllers/route.go
+++ b/controllers/route.go
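Review bot: In the new API_Groups_Id the GET branch scopes its lookup to the caller via db.GetGroup(id, uid), but the DELETE branch calls `db.DeleteGroup(id)` with only the route id, so unless DeleteGroup checks ownership internally (its body is not in this diff) any holder of a valid API key can delete a group that belongs to a different user. Threading the same uid through, e.g. `err := db.DeleteGroup(id, ctx.Get(r, "user_id").(int64))` with a matching owner condition in the db package, would make DELETE consistent with GET; since the commit message marks DELETE as TODO, a `// TODO: scope the deletion to the caller's uid, as GetGroup does` on that line would at least record the gap. The new doc comment is copied from the campaign handler and should read `// API_Groups_Id returns details about the requested group. If the group is not` / `// valid, API_Groups_Id returns null.` The `g := models.Group{}` line is redundant, as the `g, err :=` on the next line assigns g in the same scope. The DELETE branch continues past the hunk.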
@@ -34,7 +34,7 @@ func CreateRouter() *nosurf.CSRFHandler {
 	api.HandleFunc("/reset", Use(API_Reset, mid.RequireLogin))
 	api.HandleFunc("/campaigns/", Use(API_Campaigns, mid.RequireAPIKey))
 	api.HandleFunc("/campaigns/{id:[0-9]+}", Use(API_Campaigns_Id, mid.RequireAPIKey))
-	api.HandleFunc("/campaigns/id:[0-9]+}", Use(API_Campaigns_Id_Launch, mid.RequireAPIKey))
+	//api.HandleFunc("/campaigns/id:[0-9]+}", Use(API_Campaigns_Id_Launch, mid.RequireAPIKey))
 	api.HandleFunc("/groups/", Use(API_Groups, mid.RequireAPIKey))
 	api.HandleFunc("/groups/{id:[0-9]+}", Use(API_Groups_Id, mid.RequireAPIKey))
 
@@ -44,8 +44,8 @@ func CreateRouter() *nosurf.CSRFHandler {
 	// Setup CSRF Protection
 	csrfHandler := nosurf.New(router)
 	// Exempt API routes and Static files
-	csrfHandler.ExemptGlob("/api/campaigns*")
-	csrfHandler.ExemptGlob("/api/groups*")
+	csrfHandler.ExemptGlob("/api/campaigns/*")
+	csrfHandler.ExemptGlob("/api/groups/*")
 	csrfHandler.ExemptGlob("/static/*")
 	return csrfHandler
 }
diff --git a/db/db.go b/db/db.go
index 8dbecf2d..bc54a9b6 100644
--- a/db/db.go
+++ b/db/db.go
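Review bot: The replaced line keeps the dead route registration as a comment, and the pattern it carries, `"/campaigns/id:[0-9]+}"`, is malformed (no opening brace for the path variable), so if it is ever uncommented it will register a literal path rather than a parameterised one. Deleting the line outright, and re-adding it later with a well-formed pattern of the `/campaigns/{id:[0-9]+}/...` shape, keeps the router free of misleading history that version control already preserves. CreateRouter continues past the hunk.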
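Review bot: The two new ExemptGlob calls take every request under /api/campaigns/ and /api/groups/ out of CSRF protection, so the only thing separating a cross-site form submission from a state-changing POST or DELETE on those routes is mid.RequireAPIKey — sound only as long as the key is presented explicitly and never via a cookie or other ambient credential, which cannot be verified from this diff. A comment recording that contract beside the exemptions, e.g. `// Safe to exempt only because these routes authenticate with an explicit api_key, never a session cookie.`, would keep a later change to the middleware from silently undoing it. Also, if nosurf's ExemptGlob follows path.Match semantics (not confirmable here), `*` does not cross `/`, so a nested route such as the commented-out launch handler above would not be matched by these patterns.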
@@ -114,15 +114,15 @@ func PutUser(u *models.User) error {
 	return err
 }
 
-func GetCampaigns(key interface{}) ([]models.Campaign, error) {
+func GetCampaigns(uid int64) ([]models.Campaign, error) {
 	cs := []models.Campaign{}
-	_, err := Conn.Select(&cs, "SELECT c.id, name, created_date, completed_date, status, template FROM campaigns c, users u WHERE c.uid=u.id AND u.api_key=?", key)
+	_, err := Conn.Select(&cs, "SELECT c.id, name, created_date, completed_date, status, template FROM campaigns c, users u WHERE c.uid=u.id AND u.id=?", uid)
 	return cs, err
 }
 
-func GetCampaign(id int64, key interface{}) (models.Campaign, error) {
+func GetCampaign(id int64, uid int64) (models.Campaign, error) {
 	c := models.Campaign{}
-	err := Conn.SelectOne(&c, "SELECT campaigns.id, name, created_date, completed_date, status, template FROM campaigns, users WHERE campaigns.uid=users.id AND campaigns.id =? AND users.api_key=?", id, key)
+	err := Conn.SelectOne(&c, "SELECT c.id, name, created_date, completed_date, status, template FROM campaigns c, users u WHERE c.uid=u.id AND c.id =? AND u.id=?", id, uid)
 	return c, err
 }
 
@@ -131,9 +131,9 @@ func PutCampaign(c *models.Campaign) error {
 	return err
 }
 
-func GetGroups(key interface{}) ([]models.Group, error) {
+func GetGroups(uid int64) ([]models.Group, error) {
 	gs := []models.Group{}
-	_, err := Conn.Select(&gs, "SELECT g.id, g.name, g.modified_date FROM groups g, user_groups ug, users u WHERE ug.uid=u.id AND ug.gid=g.id AND u.api_key=?", key)
+	_, err := Conn.Select(&gs, "SELECT g.id, g.name, g.modified_date FROM groups g, user_groups ug, users u WHERE ug.uid=u.id AND ug.gid=g.id AND u.id=?", uid)
 	if err != nil {
 		Logger.Println(err)
 		return gs, err
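Review bot: The new GetCampaigns and GetCampaign queries still join `users u` only to compare `u.id=?`, which is equivalent to filtering on the campaign's own column unless a campaign can carry a uid with no users row; a point of style, but `SELECT c.id, name, created_date, completed_date, status, template FROM campaigns c WHERE c.uid=?` states the intent directly and drops a table from the join. The spacing `c.id =?` in GetCampaign is also inconsistent with `u.id=?` on the same line. The move from `interface{}` to `int64` is a good tightening; the -131 hunk's GetGroups follows the same pattern, and there the user_groups join is genuinely needed.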
@@ -147,6 +147,20 @@ func GetGroups(key interface{}) ([]models.Group, error) {
 	return gs, nil
 }
 
+func GetGroup(id int64, uid int64) (models.Group, error) {
+	g := models.Group{}
+	err := Conn.SelectOne(&g, "SELECT g.id, g.name, g.modified_date FROM groups g, user_groups ug, users u WHERE ug.uid=u.id AND ug.gid=g.id AND g.id=? AND u.id=?", id, uid)
+	if err != nil {
+		Logger.Println(err)
+		return g, err
+	}
+	_, err = Conn.Select(&g.Targets, "SELECT t.id, t.email FROM targets t, group_targets gt WHERE gt.gid=? AND gt.tid=t.id", g.Id)
+	if err != nil {
+		Logger.Println(err)
+	}
+	return g, nil
+}
+
 func PostGroup(g *models.Group, uid int64) error {
 	// Insert into the DB
 	err = Conn.Insert(g)
diff --git a/static/js/app/gophish.js b/static/js/app/gophish.js
index 39ae9d86..3a254c52 100644
--- a/static/js/app/gophish.js
+++ b/static/js/app/gophish.js
@@ -11,9 +11,7 @@ app.factory('CampaignService', function($resource) {
 });
 
 app.factory('GroupService', function($resource) {
-    return $resource('/api/groups/:id?api_key=' + API_KEY, {
-        id: "@id"
-    }, {
+    return $resource('/api/groups/:id?api_key=' + API_KEY, {}, {
         update: {
             method: 'PUT'
         }
@@ -57,4 +55,15 @@ app.controller('GroupCtrl', function($scope, GroupService) {
     $scope.removeTarget = function(target) {
         $scope.group.targets.splice($scope.group.targets.indexOf(target), 1);
     };
+    $scope.saveGroup = function(group) {
+        var newGroup = new GroupService($scope.group);
+        if ($scope.newGroup) {
+            newGroup.$save(function() {
+                $scope.groups.push(newGroup);
+            });
+        }
+        else {
+            newGroup.$update()
+        }
+    }
 })
diff --git a/templates/users.html b/templates/users.html
index 5f737653..dca2f49b 100644
--- a/templates/users.html
+++ b/templates/users.html
@@ -90,11 +90,6 @@
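Review bot: The final `return g, nil` in the new GetGroup discards the error from the targets query: when the second Conn.Select fails the error is only logged, and the caller receives a group with an empty or partial Targets slice and a nil error, which API_Groups_Id will then serve as a complete group. Changing the last line to `return g, err` (or returning inside that `if err != nil` block, as the first query already does) makes the two queries consistent. The context line `err = Conn.Insert(g)` in PostGroup assigns to an err not declared in the hunk, which suggests a package-level error variable — worth confirming, since a shared err is a data race under concurrent requests; PostGroup continues past the hunk.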
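Review bot: Removing the `id: "@id"` parameter mapping means `:id` is no longer filled from the instance's id on instance actions, so the `newGroup.$update()` added in the -57 hunk will send its PUT to /api/groups/ (the collection route, handled by API_Groups) rather than /api/groups/:id, which is where the commit message says PUT now lives. Keeping the mapping, `return $resource('/api/groups/:id?api_key=' + API_KEY, { id: "@id" }, {`, does not affect `$save` on a new group, because an undefined id simply leaves `:id` empty. The API key also travels in the query string on this line; that is unchanged by the commit, but query strings tend to land in server logs and browser history, so an Authorization header is the usual home for it.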
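Review bot: The new saveGroup takes a `group` parameter but never reads it, building the resource from `$scope.group` instead, so a caller passing a different object is silently ignored; either use the parameter (`var newGroup = new GroupService(group);`) or drop it from the signature. The `$update()` branch has no success or error callback, so a failed PUT gives the user no feedback, and the statement is missing its semicolon. The controller's closing `})` is in the hunk but its opening is not.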
- - - - -
Members
{{target.email}} @@ -107,7 +102,7 @@