Umbraco-CMS/src/Umbraco.Web.BackOffice/Controllers/UsersController.cs

using System.Globalization;
using System.Net;
using System.Runtime.Serialization;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using MimeKit;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Cache;
using Umbraco.Cms.Core.Configuration.Models;
using Umbraco.Cms.Core.Editors;
using Umbraco.Cms.Core.Hosting;
using Umbraco.Cms.Core.IO;
using Umbraco.Cms.Core.Mail;
using Umbraco.Cms.Core.Mapping;
using Umbraco.Cms.Core.Media;
using Umbraco.Cms.Core.Models;
using Umbraco.Cms.Core.Models.ContentEditing;
using Umbraco.Cms.Core.Models.Email;
using Umbraco.Cms.Core.Models.Membership;
using Umbraco.Cms.Core.Persistence.Querying;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Core.Services;
using Umbraco.Cms.Core.Strings;
using Umbraco.Cms.Infrastructure.Persistence;
using Umbraco.Cms.Web.BackOffice.Filters;
using Umbraco.Cms.Web.BackOffice.ModelBinders;
using Umbraco.Cms.Web.BackOffice.Security;
using Umbraco.Cms.Web.Common.ActionsResults;
using Umbraco.Cms.Web.Common.Attributes;
using Umbraco.Cms.Web.Common.Authorization;
using Umbraco.Cms.Web.Common.Security;
using Umbraco.Extensions;

namespace Umbraco.Cms.Web.BackOffice.Controllers;

[PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
[Authorize(Policy = AuthorizationPolicies.SectionAccessUsers)]
[PrefixlessBodyModelValidator]
[IsCurrentUserModelFilter]
public class UsersController : BackOfficeNotificationsController
{
    private readonly AppCaches _appCaches;
    private readonly IBackOfficeSecurityAccessor _backofficeSecurityAccessor;
    private readonly ContentSettings _contentSettings;
    private readonly IEmailSender _emailSender;
    private readonly IBackOfficeExternalLoginProviders _externalLogins;
    private readonly GlobalSettings _globalSettings;
    private readonly IHostingEnvironment _hostingEnvironment;
    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly IImageUrlGenerator _imageUrlGenerator;
    private readonly LinkGenerator _linkGenerator;
    private readonly ILocalizedTextService _localizedTextService;
    private readonly ILogger<UsersController> _logger;
    private readonly ILoggerFactory _loggerFactory;
    private readonly MediaFileManager _mediaFileManager;
    private readonly IPasswordChanger<BackOfficeIdentityUser> _passwordChanger;
    private readonly SecuritySettings _securitySettings;
    private readonly IShortStringHelper _shortStringHelper;
    private readonly ISqlContext _sqlContext;
    private readonly IUmbracoMapper _umbracoMapper;
    private readonly UserEditorAuthorizationHelper _userEditorAuthorizationHelper;
    private readonly IBackOfficeUserManager _userManager;
    private readonly IUserService _userService;
    private readonly WebRoutingSettings _webRoutingSettings;

    [ActivatorUtilitiesConstructor]
    public UsersController(
        MediaFileManager mediaFileManager,
        IOptionsSnapshot<ContentSettings> contentSettings,
        IHostingEnvironment hostingEnvironment,
        ISqlContext sqlContext,
        IImageUrlGenerator imageUrlGenerator,
        IOptionsSnapshot<SecuritySettings> securitySettings,
        IEmailSender emailSender,
        IBackOfficeSecurityAccessor backofficeSecurityAccessor,
        AppCaches appCaches,
        IShortStringHelper shortStringHelper,
        IUserService userService,
        ILocalizedTextService localizedTextService,
        IUmbracoMapper umbracoMapper,
        IOptionsSnapshot<GlobalSettings> globalSettings,
        IBackOfficeUserManager backOfficeUserManager,
        ILoggerFactory loggerFactory,
        LinkGenerator linkGenerator,
        IBackOfficeExternalLoginProviders externalLogins,
        UserEditorAuthorizationHelper userEditorAuthorizationHelper,
        IPasswordChanger<BackOfficeIdentityUser> passwordChanger,
        IHttpContextAccessor httpContextAccessor,
        IOptions<WebRoutingSettings> webRoutingSettings)
    {
        _mediaFileManager = mediaFileManager;
        _contentSettings = contentSettings.Value;
        _hostingEnvironment = hostingEnvironment;
        _sqlContext = sqlContext;
        _imageUrlGenerator = imageUrlGenerator;
        _securitySettings = securitySettings.Value;
        _emailSender = emailSender;
        _backofficeSecurityAccessor = backofficeSecurityAccessor;
        _appCaches = appCaches;
        _shortStringHelper = shortStringHelper;
        _userService = userService;
        _localizedTextService = localizedTextService;
        _umbracoMapper = umbracoMapper;
        _globalSettings = globalSettings.Value;
        _userManager = backOfficeUserManager;
        _loggerFactory = loggerFactory;
        _linkGenerator = linkGenerator;
        _externalLogins = externalLogins;
        _userEditorAuthorizationHelper = userEditorAuthorizationHelper;
        _passwordChanger = passwordChanger;
        _logger = _loggerFactory.CreateLogger<UsersController>();
        _httpContextAccessor = httpContextAccessor;
        _webRoutingSettings = webRoutingSettings.Value;
    }

    /// <summary>
    ///     Returns a list of the sizes of gravatar URLs for the user or null if the gravatar server cannot be reached
    /// </summary>
    /// <returns></returns>
    public ActionResult<string[]> GetCurrentUserAvatarUrls()
    {
        var urls = _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser?.GetUserAvatarUrls(
            _appCaches.RuntimeCache, _mediaFileManager, _imageUrlGenerator);
        if (urls == null)
        {
            return ValidationProblem("Could not access Gravatar endpoint");
        }

        return urls;
    }

    [AppendUserModifiedHeader("id")]
    [Authorize(Policy = AuthorizationPolicies.AdminUserEditsRequireAdmin)]
    public IActionResult PostSetAvatar(int id, IList<IFormFile> file) => PostSetAvatarInternal(file, _userService,
        _appCaches.RuntimeCache, _mediaFileManager, _shortStringHelper, _contentSettings, _hostingEnvironment,
        _imageUrlGenerator, id);

    internal static IActionResult PostSetAvatarInternal(IList<IFormFile> files, IUserService userService,
        IAppCache cache, MediaFileManager mediaFileManager, IShortStringHelper shortStringHelper,
        ContentSettings contentSettings, IHostingEnvironment hostingEnvironment, IImageUrlGenerator imageUrlGenerator,
        int id)
    {
        if (files is null)
        {
            return new UnsupportedMediaTypeResult();
        }

        var root = hostingEnvironment.MapPathContentRoot(Constants.SystemDirectories.TempFileUploads);
        //ensure it exists
        Directory.CreateDirectory(root);

        //must have a file
        if (files.Count == 0)
        {
            return new NotFoundResult();
        }

        IUser? user = userService.GetUserById(id);
        if (user == null)
        {
            return new NotFoundResult();
        }

        if (files.Count > 1)
        {
            return new ValidationErrorResult(
                "The request was not formatted correctly, only one file can be attached to the request");
        }

        //get the file info
        IFormFile file = files.First();
        var fileName = file.FileName.Trim(new[] { '\"' }).TrimEnd();
        var safeFileName = fileName.ToSafeFileName(shortStringHelper);
        var ext = safeFileName.Substring(safeFileName.LastIndexOf('.') + 1).ToLower();
        const string allowedAvatarFileTypes = "jpeg,jpg,gif,bmp,png,tiff,tif,webp";

        if (allowedAvatarFileTypes.Contains(ext) == true && contentSettings.DisallowedUploadFiles.Contains(ext) == false)
        {
            //generate a path of known data, we don't want this path to be guessable
            user.Avatar = "UserAvatars/" + (user.Id + safeFileName).GenerateHash<SHA1>() + "." + ext;

            using (Stream fs = file.OpenReadStream())
            {
                mediaFileManager.FileSystem.AddFile(user.Avatar, fs, true);
            }

            userService.Save(user);
        }

        return new OkObjectResult(user.GetUserAvatarUrls(cache, mediaFileManager, imageUrlGenerator));
    }

    [AppendUserModifiedHeader("id")]
    [Authorize(Policy = AuthorizationPolicies.AdminUserEditsRequireAdmin)]
    public ActionResult<string[]> PostClearAvatar(int id)
    {
        IUser? found = _userService.GetUserById(id);
        if (found == null)
        {
            return NotFound();
        }

        var filePath = found.Avatar;

        //if the filePath is already null it will mean that the user doesn't have a custom avatar and their gravatar is currently
        //being used (if they have one). This means they want to remove their gravatar too which we can do by setting a special value
        //for the avatar.
        if (filePath.IsNullOrWhiteSpace() == false)
        {
            found.Avatar = null;
        }
        else
        {
            //set a special value to indicate to not have any avatar
            found.Avatar = "none";
        }

        _userService.Save(found);

        if (filePath.IsNullOrWhiteSpace() == false)
        {
            if (_mediaFileManager.FileSystem.FileExists(filePath!))
            {
                _mediaFileManager.FileSystem.DeleteFile(filePath!);
            }
        }

        return found.GetUserAvatarUrls(_appCaches.RuntimeCache, _mediaFileManager, _imageUrlGenerator);
    }

    /// <summary>
    ///     Gets a user by Id
    /// </summary>
    /// <param name="id"></param>
    /// <returns></returns>
    [OutgoingEditorModelEvent]
    [Authorize(Policy = AuthorizationPolicies.AdminUserEditsRequireAdmin)]
    public ActionResult<UserDisplay?> GetById(int id)
    {
        IUser? user = _userService.GetUserById(id);
        if (user == null)
        {
            return NotFound();
        }

        UserDisplay? result = _umbracoMapper.Map<IUser, UserDisplay>(user);
        return result;
    }

    /// <summary>
    ///     Get users by integer ids
    /// </summary>
    /// <param name="ids"></param>
    /// <returns></returns>
    [OutgoingEditorModelEvent]
    [Authorize(Policy = AuthorizationPolicies.AdminUserEditsRequireAdmin)]
    public ActionResult<IEnumerable<UserDisplay?>> GetByIds([FromJsonPath] int[] ids)
    {
        if (ids == null)
        {
            return NotFound();
        }

        if (ids.Length == 0)
        {
            return Enumerable.Empty<UserDisplay>().ToList();
        }

        IEnumerable<IUser>? users = _userService.GetUsersById(ids);
        if (users == null)
        {
            return NotFound();
        }

        List<UserDisplay> result = _umbracoMapper.MapEnumerable<IUser, UserDisplay>(users);
        return result;
    }

    /// <summary>
    ///     Returns a paged users collection
    /// </summary>
    /// <param name="pageNumber"></param>
    /// <param name="pageSize"></param>
    /// <param name="orderBy"></param>
    /// <param name="orderDirection"></param>
    /// <param name="userGroups"></param>
    /// <param name="userStates"></param>
    /// <param name="filter"></param>
    /// <returns></returns>
    public PagedUserResult GetPagedUsers(
        int pageNumber = 1,
        int pageSize = 10,
        string orderBy = "username",
        Direction orderDirection = Direction.Ascending,
        [FromQuery] string[]? userGroups = null,
        [FromQuery] UserState[]? userStates = null,
        string filter = "")
    {
        //following the same principle we had in previous versions, we would only show admins to admins, see
        // https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/umbraco.presentation/umbraco/Trees/loadUsers.cs#L91
        // so to do that here, we'll need to check if this current user is an admin and if not we should exclude all user who are
        // also admins

        var hideDisabledUsers = _securitySettings.HideDisabledUsersInBackOffice;
        var excludeUserGroups = new string[0];
        var isAdmin = _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser?.IsAdmin();
        if (isAdmin == false)
        {
            //this user is not an admin so in that case we need to exclude all admin users
            excludeUserGroups = new[] { Constants.Security.AdminGroupAlias };
        }

        IQuery<IUser> filterQuery = _sqlContext.Query<IUser>();

        if (!_backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser?.IsSuper() ?? false)
        {
            // only super can see super - but don't use IsSuper, cannot be mapped to SQL
            //filterQuery.Where(x => !x.IsSuper());
            filterQuery.Where(x => x.Id != Constants.Security.SuperUserId);
        }

        if (filter.IsNullOrWhiteSpace() == false)
        {
            filterQuery.Where(x => x.Name!.Contains(filter) || x.Username.Contains(filter));
        }

        if (hideDisabledUsers)
        {
            if (userStates == null || userStates.Any() == false)
            {
                userStates = new[] { UserState.Active, UserState.Invited, UserState.LockedOut, UserState.Inactive };
            }
        }

        long pageIndex = pageNumber - 1;
        IEnumerable<IUser> result = _userService.GetAll(pageIndex, pageSize, out long total, orderBy, orderDirection,
            userStates, userGroups, excludeUserGroups, filterQuery);

        var paged = new PagedUserResult(total, pageNumber, pageSize)
        {
            Items = _umbracoMapper.MapEnumerable<IUser, UserBasic>(result).WhereNotNull(),
            UserStates = _userService.GetUserStates()
        };

        return paged;
    }

    /// <summary>
    ///     Creates a new user
    /// </summary>
    /// <param name="userSave"></param>
    /// <returns></returns>
    public async Task<ActionResult<UserDisplay?>> PostCreateUser(UserInvite userSave)
    {
        if (userSave == null)
        {
            throw new ArgumentNullException("userSave");
        }

        if (ModelState.IsValid == false)
        {
            return ValidationProblem(ModelState);
        }

        if (_securitySettings.UsernameIsEmail)
        {
            //ensure they are the same if we're using it
            userSave.Username = userSave.Email;
        }
        else
        {
            //first validate the username if were showing it
            CheckUniqueUsername(userSave.Username, null);
        }

        CheckUniqueEmail(userSave.Email, null);

        if (ModelState.IsValid == false)
        {
            return ValidationProblem(ModelState);
        }

        //Perform authorization here to see if the current user can actually save this user with the info being requested
        Attempt<string?> canSaveUser = _userEditorAuthorizationHelper.IsAuthorized(
            _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser, null, null, null, userSave.UserGroups);
        if (canSaveUser == false)
        {
            return Unauthorized(canSaveUser.Result);
        }

        //we want to create the user with the UserManager, this ensures the 'empty' (special) password
        //format is applied without us having to duplicate that logic
        var identityUser = BackOfficeIdentityUser.CreateNew(_globalSettings, userSave.Username, userSave.Email,
            _globalSettings.DefaultUILanguage);
        identityUser.Name = userSave.Name;

        IdentityResult created = await _userManager.CreateAsync(identityUser);
        if (created.Succeeded == false)
        {
            return ValidationProblem(created.Errors.ToErrorMessage());
        }

        string resetPassword;
        var password = _userManager.GeneratePassword();

        IdentityResult result = await _userManager.AddPasswordAsync(identityUser, password);
        if (result.Succeeded == false)
        {
            return ValidationProblem(created.Errors.ToErrorMessage());
        }

        resetPassword = password;

        //now re-look the user back up which will now exist
        IUser? user = _userService.GetByEmail(userSave.Email);

        //map the save info over onto the user
        user = _umbracoMapper.Map(userSave, user);

        if (user is not null)
        {
            // Since the back office user is creating this user, they will be set to approved
            user.IsApproved = true;

            _userService.Save(user);
        }

        UserDisplay? display = _umbracoMapper.Map<UserDisplay>(user);

        if (display is not null)
        {
            display.ResetPasswordValue = resetPassword;
        }

        return display;
    }

    /// <summary>
    ///     Invites a user
    /// </summary>
    /// <param name="userSave"></param>
    /// <returns></returns>
    /// <remarks>
    ///     This will email the user an invite and generate a token that will be validated in the email
    /// </remarks>
    public async Task<ActionResult<UserDisplay?>> PostInviteUser(UserInvite userSave)
    {
        if (userSave == null)
        {
            throw new ArgumentNullException(nameof(userSave));
        }

        if (userSave.Message.IsNullOrWhiteSpace())
        {
            ModelState.AddModelError("Message", "Message cannot be empty");
        }

        if (_securitySettings.UsernameIsEmail)
        {
            // ensure it's the same
            userSave.Username = userSave.Email;
        }
        else
        {
            // first validate the username if we're showing it
            ActionResult<IUser?> userResult = CheckUniqueUsername(userSave.Username,
                u => u.LastLoginDate != default || u.EmailConfirmedDate.HasValue);
            if (userResult.Result is not null)
            {
                return userResult.Result;
            }
        }

        IUser? user = CheckUniqueEmail(userSave.Email,
            u => u.LastLoginDate != default || u.EmailConfirmedDate.HasValue);

        if (ModelState.IsValid == false)
        {
            return ValidationProblem(ModelState);
        }

        if (!_emailSender.CanSendRequiredEmail())
        {
            return ValidationProblem("No Email server is configured");
        }

        // Perform authorization here to see if the current user can actually save this user with the info being requested
        Attempt<string?> canSaveUser = _userEditorAuthorizationHelper.IsAuthorized(
            _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser, user, null, null, userSave.UserGroups);
        if (canSaveUser == false)
        {
            return ValidationProblem(canSaveUser.Result, StatusCodes.Status401Unauthorized);
        }

        if (user == null)
        {
            // we want to create the user with the UserManager, this ensures the 'empty' (special) password
            // format is applied without us having to duplicate that logic
            var identityUser = BackOfficeIdentityUser.CreateNew(_globalSettings, userSave.Username, userSave.Email,
                _globalSettings.DefaultUILanguage);
            identityUser.Name = userSave.Name;

            IdentityResult created = await _userManager.CreateAsync(identityUser);
            if (created.Succeeded == false)
            {
                return ValidationProblem(created.Errors.ToErrorMessage());
            }

            // now re-look the user back up
            user = _userService.GetByEmail(userSave.Email);
        }

        // map the save info over onto the user
        user = _umbracoMapper.Map(userSave, user);

        if (user is not null)
        {
            // ensure the invited date is set
            user.InvitedDate = DateTime.Now;

            // Save the updated user (which will process the user groups too)
            _userService.Save(user);
        }

        UserDisplay? display = _umbracoMapper.Map<UserDisplay>(user);

        // send the email
        await SendUserInviteEmailAsync(display, _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser?.Name,
            _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser?.Email, user, userSave.Message);

        display?.AddSuccessNotification(_localizedTextService.Localize("speechBubbles", "resendInviteHeader"),
            _localizedTextService.Localize("speechBubbles", "resendInviteSuccess", new[] { user?.Name }));
        return display;
    }

    private IUser? CheckUniqueEmail(string email, Func<IUser, bool>? extraCheck)
    {
        IUser? user = _userService.GetByEmail(email);
        if (user != null && (extraCheck == null || extraCheck(user)))
        {
            ModelState.AddModelError("Email", "A user with the email already exists");
        }

        return user;
    }

    private ActionResult<IUser?> CheckUniqueUsername(string? username, Func<IUser, bool>? extraCheck)
    {
        IUser? user = _userService.GetByUsername(username);
        if (user != null && (extraCheck == null || extraCheck(user)))
        {
            ModelState.AddModelError(
                _securitySettings.UsernameIsEmail ? "Email" : "Username",
                "A user with the username already exists");
            return ValidationProblem(ModelState);
        }

        return new ActionResult<IUser?>(user);
    }

    private async Task SendUserInviteEmailAsync(UserBasic? userDisplay, string? from, string? fromEmail, IUser? to, string? message)
    {
        var userId = userDisplay?.Id?.ToString();
        if (userId is null)
        {
            throw new InvalidOperationException("Could not find user Id");
        }
        var user = await _userManager.FindByIdAsync(userId);

        if (user is null)
        {
            throw new InvalidOperationException("Could not find user");
        }

        var token = await _userManager.GenerateEmailConfirmationTokenAsync(user);

        // Use info from SMTP Settings if configured, otherwise set fromEmail as fallback
        var senderEmail = !string.IsNullOrEmpty(_globalSettings.Smtp?.From) ? _globalSettings.Smtp.From : fromEmail;

        var inviteToken = string.Format("{0}{1}{2}",
            (int?)userDisplay?.Id,
            WebUtility.UrlEncode("|"),
            token.ToUrlBase64());

        // Get an mvc helper to get the URL
        var action = _linkGenerator.GetPathByAction(
            nameof(BackOfficeController.VerifyInvite),
            ControllerExtensions.GetControllerName<BackOfficeController>(),
            new { area = Constants.Web.Mvc.BackOfficeArea, invite = inviteToken });

        // Construct full URL using configured application URL (which will fall back to request)
        Uri applicationUri = _httpContextAccessor.GetRequiredHttpContext().Request
            .GetApplicationUri(_webRoutingSettings);
        var inviteUri = new Uri(applicationUri, action);

        var emailSubject = _localizedTextService.Localize("user", "inviteEmailCopySubject",
            // Ensure the culture of the found user is used for the email!
            UmbracoUserExtensions.GetUserCulture(to?.Language, _localizedTextService, _globalSettings));
        var emailBody = _localizedTextService.Localize("user", "inviteEmailCopyFormat",
            // Ensure the culture of the found user is used for the email!
            UmbracoUserExtensions.GetUserCulture(to?.Language, _localizedTextService, _globalSettings),
            new[] { userDisplay?.Name, from, message, inviteUri.ToString(), senderEmail });

        // This needs to be in the correct mailto format including the name, else
        // the name cannot be captured in the email sending notification.
        // i.e. "Some Person" <hello@example.com>
        var toMailBoxAddress = new MailboxAddress(to?.Name, to?.Email);

        var mailMessage = new EmailMessage(senderEmail, toMailBoxAddress.ToString(), emailSubject, emailBody, true);

        await _emailSender.SendAsync(mailMessage, Constants.Web.EmailTypes.UserInvite, true);
    }

    /// <summary>
    ///     Saves a user
    /// </summary>
    /// <param name="userSave"></param>
    /// <returns></returns>
    [OutgoingEditorModelEvent]
    public ActionResult<UserDisplay?> PostSaveUser(UserSave userSave)
    {
        if (userSave == null)
        {
            throw new ArgumentNullException(nameof(userSave));
        }

        if (ModelState.IsValid == false)
        {
            return ValidationProblem(ModelState);
        }

        IUser? found = _userService.GetUserById(userSave.Id);
        if (found == null)
        {
            return NotFound();
        }

        //Perform authorization here to see if the current user can actually save this user with the info being requested
        Attempt<string?> canSaveUser = _userEditorAuthorizationHelper.IsAuthorized(
            _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser, found, userSave.StartContentIds,
            userSave.StartMediaIds, userSave.UserGroups);
        if (canSaveUser == false)
        {
            return Unauthorized(canSaveUser.Result);
        }

        var hasErrors = false;

        // we need to check if there's any Deny Local login providers present, if so we need to ensure that the user's email address cannot be changed
        var hasDenyLocalLogin = _externalLogins.HasDenyLocalLogin();
        if (hasDenyLocalLogin)
        {
            userSave.Email =
                found.Email; // it cannot change, this would only happen if people are mucking around with the request
        }

        IUser? existing = _userService.GetByEmail(userSave.Email);
        if (existing != null && existing.Id != userSave.Id)
        {
            ModelState.AddModelError("Email", "A user with the email already exists");
            hasErrors = true;
        }

        existing = _userService.GetByUsername(userSave.Username);
        if (existing != null && existing.Id != userSave.Id)
        {
            ModelState.AddModelError("Username", "A user with the username already exists");
            hasErrors = true;
        }

        // going forward we prefer to align usernames with email, so we should cross-check to make sure
        // the email or username isn't somehow being used by anyone.
        existing = _userService.GetByEmail(userSave.Username);
        if (existing != null && existing.Id != userSave.Id)
        {
            ModelState.AddModelError("Username", "A user using this as their email already exists");
            hasErrors = true;
        }

        existing = _userService.GetByUsername(userSave.Email);
        if (existing != null && existing.Id != userSave.Id)
        {
            ModelState.AddModelError("Email", "A user using this as their username already exists");
            hasErrors = true;
        }

        // if the found user has their email for username, we want to keep this synced when changing the email.
        // we have already cross-checked above that the email isn't colliding with anything, so we can safely assign it here.
        if (_securitySettings.UsernameIsEmail && found.Username == found.Email && userSave.Username != userSave.Email)
        {
            userSave.Username = userSave.Email;
        }

        if (hasErrors)
        {
            return ValidationProblem(ModelState);
        }

        //merge the save data onto the user
        IUser user = _umbracoMapper.Map(userSave, found);

        _userService.Save(user);

        UserDisplay? display = _umbracoMapper.Map<UserDisplay>(user);

        // determine if the user has changed their own language;
        IUser? currentUser = _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser;
        var userHasChangedOwnLanguage =
            user.Id == currentUser?.Id && currentUser.Language != user.Language;

        var textToLocalise = userHasChangedOwnLanguage ? "operationSavedHeaderReloadUser" : "operationSavedHeader";
        CultureInfo culture = userHasChangedOwnLanguage
            ? CultureInfo.GetCultureInfo(user.Language!)
            : Thread.CurrentThread.CurrentUICulture;
        display?.AddSuccessNotification(_localizedTextService.Localize("speechBubbles", textToLocalise, culture),
            _localizedTextService.Localize("speechBubbles", "editUserSaved", culture));
        return display;
    }

    /// <summary>
    /// </summary>
    /// <param name="changingPasswordModel"></param>
    /// <returns></returns>
    public async Task<ActionResult<ModelWithNotifications<string?>>> PostChangePassword(
        ChangingPasswordModel changingPasswordModel)
    {
        changingPasswordModel = changingPasswordModel ?? throw new ArgumentNullException(nameof(changingPasswordModel));

        if (ModelState.IsValid == false)
        {
            return ValidationProblem(ModelState);
        }

        IUser? found = _userService.GetUserById(changingPasswordModel.Id);
        if (found == null)
        {
            return NotFound();
        }

        IUser? currentUser = _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser;

        // if it's the current user, the current user cannot reset their own password without providing their old password
        if (currentUser?.Username == found.Username && string.IsNullOrEmpty(changingPasswordModel.OldPassword))
        {
            return ValidationProblem("Password reset is not allowed without providing old password");
        }

        if ((!currentUser?.IsAdmin() ?? false) && found.IsAdmin())
        {
            return ValidationProblem("The current user cannot change the password for the specified user");
        }

        Attempt<PasswordChangedModel?> passwordChangeResult =
            await _passwordChanger.ChangePasswordWithIdentityAsync(changingPasswordModel, _userManager);

        if (passwordChangeResult.Success)
        {
            var result = new ModelWithNotifications<string?>(passwordChangeResult.Result?.ResetPassword);
            result.AddSuccessNotification(_localizedTextService.Localize("general", "success"),
                _localizedTextService.Localize("user", "passwordChangedGeneric"));
            return result;
        }

        if (passwordChangeResult.Result?.ChangeError is not null)
        {
            foreach (var memberName in passwordChangeResult.Result.ChangeError.MemberNames)
            {
                ModelState.AddModelError(memberName,
                    passwordChangeResult.Result.ChangeError.ErrorMessage ?? string.Empty);
            }
        }

        return ValidationProblem(ModelState);
    }


    /// <summary>
    ///     Disables the users with the given user ids
    /// </summary>
    /// <param name="userIds"></param>
    [Authorize(Policy = AuthorizationPolicies.AdminUserEditsRequireAdmin)]
    public IActionResult PostDisableUsers([FromQuery] int[] userIds)
    {
        Attempt<int> tryGetCurrentUserId =
            _backofficeSecurityAccessor.BackOfficeSecurity?.GetUserId() ?? Attempt<int>.Fail();
        if (tryGetCurrentUserId.Success && userIds.Contains(tryGetCurrentUserId.Result))
        {
            return ValidationProblem("The current user cannot disable itself");
        }

        IUser[] users = _userService.GetUsersById(userIds).ToArray();
        foreach (IUser u in users)
        {
            u.IsApproved = false;
            u.InvitedDate = null;
        }

        _userService.Save(users);

        if (users.Length > 1)
        {
            return Ok(_localizedTextService.Localize("speechBubbles", "disableUsersSuccess",
                new[] { userIds.Length.ToString() }));
        }

        return Ok(_localizedTextService.Localize("speechBubbles", "disableUserSuccess", new[] { users[0].Name }));
    }

    /// <summary>
    ///     Enables the users with the given user ids
    /// </summary>
    /// <param name="userIds"></param>
    [Authorize(Policy = AuthorizationPolicies.AdminUserEditsRequireAdmin)]
    public IActionResult PostEnableUsers([FromQuery] int[] userIds)
    {
        IUser[] users = _userService.GetUsersById(userIds).ToArray();
        foreach (IUser u in users)
        {
            u.IsApproved = true;
        }

        _userService.Save(users);

        if (users.Length > 1)
        {
            return Ok(
                _localizedTextService.Localize("speechBubbles", "enableUsersSuccess",
                    new[] { userIds.Length.ToString() }));
        }

        return Ok(
            _localizedTextService.Localize("speechBubbles", "enableUserSuccess", new[] { users[0].Name }));
    }

    /// <summary>
    ///     Unlocks the users with the given user ids
    /// </summary>
    /// <param name="userIds"></param>
    [Authorize(Policy = AuthorizationPolicies.AdminUserEditsRequireAdmin)]
    public async Task<IActionResult> PostUnlockUsers([FromQuery] int[] userIds)
    {
        if (userIds.Length <= 0)
        {
            return Ok();
        }

        var notFound = new List<int>();

        foreach (var u in userIds)
        {
            BackOfficeIdentityUser? user = await _userManager.FindByIdAsync(u.ToString());
            if (user == null)
            {
                notFound.Add(u);
                continue;
            }

            IdentityResult unlockResult =
                await _userManager.SetLockoutEndDateAsync(user, DateTimeOffset.Now.AddMinutes(-1));
            if (unlockResult.Succeeded == false)
            {
                return ValidationProblem(
                    $"Could not unlock for user {u} - error {unlockResult.Errors.ToErrorMessage()}");
            }

            if (userIds.Length == 1)
            {
                return Ok(
                    _localizedTextService.Localize("speechBubbles", "unlockUserSuccess", new[] { user.Name }));
            }
        }

        return Ok(
            _localizedTextService.Localize("speechBubbles", "unlockUsersSuccess",
                new[] { (userIds.Length - notFound.Count).ToString() }));
    }

    [Authorize(Policy = AuthorizationPolicies.AdminUserEditsRequireAdmin)]
    public IActionResult PostSetUserGroupsOnUsers([FromQuery] string[] userGroupAliases, [FromQuery] int[] userIds)
    {
        IUser[] users = _userService.GetUsersById(userIds).ToArray();
        IReadOnlyUserGroup[] userGroups = _userService.GetUserGroupsByAlias(userGroupAliases)
            .Select(x => x.ToReadOnlyGroup()).ToArray();
        foreach (IUser u in users)
        {
            u.ClearGroups();
            foreach (IReadOnlyUserGroup userGroup in userGroups)
            {
                u.AddGroup(userGroup);
            }
        }

        _userService.Save(users);
        return Ok(
            _localizedTextService.Localize("speechBubbles", "setUserGroupOnUsersSuccess"));
    }

    /// <summary>
    ///     Deletes the non-logged in user provided id
    /// </summary>
    /// <param name="id">User Id</param>
    /// <remarks>
    ///     Limited to users that haven't logged in to avoid issues with related records constrained
    ///     with a foreign key on the user Id
    /// </remarks>
    [Authorize(Policy = AuthorizationPolicies.AdminUserEditsRequireAdmin)]
    public IActionResult PostDeleteNonLoggedInUser(int id)
    {
        IUser? user = _userService.GetUserById(id);
        if (user == null)
        {
            return NotFound();
        }

        // Check user hasn't logged in.  If they have they may have made content changes which will mean
        // the Id is associated with audit trails, versions etc. and can't be removed.
        if (user.LastLoginDate is not null && user.LastLoginDate != default(DateTime))
        {
            return BadRequest();
        }

        var userName = user.Name;
        _userService.Delete(user, true);

        return Ok(
            _localizedTextService.Localize("speechBubbles", "deleteUserSuccess", new[] { userName }));
    }

    public class PagedUserResult : PagedResult<UserBasic>
    {
        public PagedUserResult(long totalItems, long pageNumber, long pageSize) :
            base(totalItems, pageNumber, pageSize) => UserStates = new Dictionary<UserState, int>();

        /// <summary>
        ///     This is basically facets of UserStates key = state, value = count
        /// </summary>
        [DataMember(Name = "userStates")]
        public IDictionary<UserState, int> UserStates { get; set; }
    }
}