Merge pull request #103 from tracim/feature/612_user_account_endpoint

tracim/__init__.py

@@ -32,6 +32,7 @@ from tracim.views.contents_api.comment_controller import CommentController
 from tracim.views.contents_api.file_controller import FileController
 from tracim.views.errors import ErrorSchema
 from tracim.exceptions import NotAuthenticated
+from tracim.exceptions import UserNotActive
 from tracim.exceptions import InvalidId
 from tracim.exceptions import InsufficientUserProfile
 from tracim.exceptions import InsufficientUserRoleInWorkspace
@@ -97,6 +98,7 @@ def web(global_config, **local_settings):
     context.handle_exception(InvalidId, HTTPStatus.BAD_REQUEST)
     # Auth exception
     context.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
+    context.handle_exception(UserNotActive, HTTPStatus.FORBIDDEN)
     context.handle_exception(AuthenticationFailed, HTTPStatus.FORBIDDEN)
     context.handle_exception(InsufficientUserRoleInWorkspace, HTTPStatus.FORBIDDEN)  # nopep8
     context.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)

tracim/exceptions.py

@@ -140,6 +140,7 @@ class InvalidWorkspaceId(InvalidId):
 class InvalidUserId(InvalidId):
     pass
 
+
 class ContentNotFound(TracimException):
     pass
 
@@ -152,6 +153,10 @@ class WorkspacesDoNotMatch(TracimException):
     pass
 
 
+class PasswordDoNotMatch(TracimException):
+    pass
+
+
 class EmptyValueNotAllowed(TracimException):
     pass
 
@@ -164,6 +169,14 @@ class EmptyCommentContentNotAllowed(EmptyValueNotAllowed):
     pass
 
 
+class UserNotActive(TracimException):
+    pass
+
+
+class NoUserSetted(TracimException):
+    pass
+
+
 class RoleDoesNotExist(TracimException):
     pass
 

tracim/lib/core/user.py

@@ -1,23 +1,24 @@
 # -*- coding: utf-8 -*-
-import threading
 from smtplib import SMTPException
 
 import transaction
 import typing as typing
-
-from tracim.exceptions import NotificationNotSend
-from tracim.exceptions import EmailValidationFailed
-from tracim.lib.mail_notifier.notifier import get_email_manager
 from sqlalchemy.orm import Session
+from sqlalchemy.orm.exc import NoResultFound
 
 from tracim import CFG
 from tracim.models.auth import User
 from tracim.models.auth import Group
-from sqlalchemy.orm.exc import NoResultFound
+from tracim.exceptions import NoUserSetted
+from tracim.exceptions import PasswordDoNotMatch
+from tracim.exceptions import EmailValidationFailed
 from tracim.exceptions import UserDoesNotExist
 from tracim.exceptions import WrongUserPassword
 from tracim.exceptions import AuthenticationFailed
+from tracim.exceptions import NotificationNotSend
+from tracim.exceptions import UserNotActive
 from tracim.models.context_models import UserInContext
+from tracim.lib.mail_notifier.notifier import get_email_manager
 from tracim.models.context_models import TypeUser
 
 
@@ -150,6 +151,8 @@ class UserApi(object):
         """
         try:
             user = self.get_one_by_email(email)
+            if not user.is_active:
+                raise UserNotActive('User "{}" is not active'.format(email))
             if user.validate_password(password):
                 return user
             else:
@@ -158,6 +161,72 @@ class UserApi(object):
             raise AuthenticationFailed('User "{}" authentication failed'.format(email)) from exc  # nopep8
 
     # Actions
+    def set_password(
+            self,
+            user: User,
+            loggedin_user_password: str,
+            new_password: str,
+            new_password2: str,
+            do_save: bool=True
+    ):
+        """
+        Set User password if loggedin user password is correct
+        and both new_password are the same.
+        :param user: User who need password changed
+        :param loggedin_user_password: cleartext password of logged user (not
+        same as user)
+        :param new_password: new password for user
+        :param new_password2: should be same as new_password
+        :param do_save: should we save new user password ?
+        :return:
+        """
+        if not self._user:
+            raise NoUserSetted('Current User should be set in UserApi to use this method')  # nopep8
+        if not self._user.validate_password(loggedin_user_password):  # nopep8
+            raise WrongUserPassword(
+                'Wrong password for authenticated user {}'. format(self._user.user_id)  # nopep8
+            )
+        if new_password != new_password2:
+            raise PasswordDoNotMatch('Passwords given are different')
+
+        self.update(
+            user=user,
+            password=new_password,
+            do_save=do_save,
+        )
+        if do_save:
+            # TODO - G.M - 2018-07-24 - Check why commit is needed here
+            transaction.commit()
+        return user
+
+    def set_email(
+            self,
+            user: User,
+            loggedin_user_password: str,
+            email: str,
+            do_save: bool = True
+    ):
+        """
+        Set email address of user if loggedin user password is correct
+        :param user: User who need email changed
+        :param loggedin_user_password: cleartext password of logged user (not
+        same as user)
+        :param email:
+        :param do_save:
+        :return:
+        """
+        if not self._user:
+            raise NoUserSetted('Current User should be set in UserApi to use this method')  # nopep8
+        if not self._user.validate_password(loggedin_user_password):  # nopep8
+            raise WrongUserPassword(
+                'Wrong password for authenticated user {}'. format(self._user.user_id)  # nopep8
+            )
+        self.update(
+            user=user,
+            email=email,
+            do_save=do_save,
+        )
+        return user
 
     def _check_email(self, email: str) -> bool:
         # TODO - G.M - 2018-07-05 - find a better way to check email
@@ -174,9 +243,10 @@ class UserApi(object):
             name: str=None,
             email: str=None,
             password: str=None,
-            timezone: str='',
+            timezone: str=None,
+            groups: typing.Optional[typing.List[Group]]=None,
             do_save=True,
-    ) -> None:
+    ) -> User:
         if name is not None:
             user.display_name = name
 
@@ -189,11 +259,24 @@ class UserApi(object):
         if password is not None:
             user.password = password
 
-        user.timezone = timezone
+        if timezone is not None:
+            user.timezone = timezone
+
+        if groups is not None:
+            # INFO - G.M - 2018-07-18 - Delete old groups
+            for group in user.groups:
+                if group not in groups:
+                    user.groups.remove(group)
+            # INFO - G.M - 2018-07-18 - add new groups
+            for group in groups:
+                if group not in user.groups:
+                    user.groups.append(group)
 
         if do_save:
             self.save(user)
 
+        return user
+
     def create_user(
         self,
         email,
@@ -251,6 +334,16 @@ class UserApi(object):
 
         return user
 
+    def enable(self, user: User, do_save=False):
+        user.is_active = True
+        if do_save:
+            self.save(user)
+
+    def disable(self, user:User, do_save=False):
+        user.is_active = False
+        if do_save:
+            self.save(user)
+
     def save(self, user: User):
         self._session.flush()
 

tracim/lib/utils/authentification.py

@@ -32,6 +32,7 @@ def basic_auth_check_credentials(
     user = _get_basic_auth_unsafe_user(request)
     if not user \
             or user.email != login \
+            or not user.is_active \
             or not user.validate_password(cleartext_password):
         return None
     return []

tracim/lib/utils/request.py

@@ -3,6 +3,7 @@ from pyramid.request import Request
 from sqlalchemy.orm.exc import NoResultFound
 
 from tracim.exceptions import NotAuthenticated
+from tracim.exceptions import UserNotActive
 from tracim.exceptions import ContentNotFound
 from tracim.exceptions import InvalidUserId
 from tracim.exceptions import InvalidWorkspaceId
@@ -321,6 +322,8 @@ class TracimRequest(Request):
             if not login:
                 raise UserNotFoundInTracimRequest('You request a current user but the context not permit to found one')  # nopep8
             user = uapi.get_one_by_email(login)
+            if not user.is_active:
+                raise UserNotActive('User {} is not active'.format(login))
         except (UserDoesNotExist, UserNotFoundInTracimRequest) as exc:
             raise NotAuthenticated('User {} not found'.format(login)) from exc
         return user

tracim/models/context_models.py

@@ -49,6 +49,67 @@ class LoginCredentials(object):
         self.password = password
 
 
+class SetEmail(object):
+    """
+    Just an email
+    """
+    def __init__(self, loggedin_user_password: str, email: str) -> None:
+        self.loggedin_user_password = loggedin_user_password
+        self.email = email
+
+
+class SetPassword(object):
+    """
+    Just an password
+    """
+    def __init__(self,
+        loggedin_user_password: str,
+        new_password: str,
+        new_password2: str
+    ) -> None:
+        self.loggedin_user_password = loggedin_user_password
+        self.new_password = new_password
+        self.new_password2 = new_password2
+
+
+class UserInfos(object):
+    """
+    Just some user infos
+    """
+    def __init__(self, timezone: str, public_name: str) -> None:
+        self.timezone = timezone
+        self.public_name = public_name
+
+
+class UserProfile(object):
+    """
+    Just some user infos
+    """
+    def __init__(self, profile: str) -> None:
+        self.profile = profile
+
+
+class UserCreation(object):
+    """
+    Just some user infos
+    """
+    def __init__(
+            self,
+            email: str,
+            password: str,
+            public_name: str,
+            timezone: str,
+            profile: str,
+            email_notification: str,
+    ) -> None:
+        self.email = email
+        self.password = password
+        self.public_name = public_name
+        self.timezone = timezone
+        self.profile = profile
+        self.email_notification = email_notification
+
+
 class WorkspaceAndContentPath(object):
     """
     Paths params with workspace id and content_id model

tracim/tests/functional/test_session.py

@@ -1,8 +1,13 @@
 # coding=utf-8
 import datetime
 import pytest
+import transaction
 from sqlalchemy.exc import OperationalError
 
+from tracim import models
+from tracim.lib.core.group import GroupApi
+from tracim.lib.core.user import UserApi
+from tracim.models import get_tm_session
 from tracim.tests import FunctionalTest
 from tracim.tests import FunctionalTestNoDB
 
@@ -59,6 +64,45 @@ class TestLoginEndpoint(FunctionalTest):
         assert res.json_body['caldav_url'] is None
         assert res.json_body['avatar_url'] is None
 
+    def test_api__try_login_enpoint__err_401__user_not_activated(self):
+        dbsession = get_tm_session(self.session_factory, transaction.manager)
+        admin = dbsession.query(models.User) \
+            .filter(models.User.email == 'admin@admin.admin') \
+            .one()
+        uapi = UserApi(
+            current_user=admin,
+            session=dbsession,
+            config=self.app_config,
+        )
+        gapi = GroupApi(
+            current_user=admin,
+            session=dbsession,
+            config=self.app_config,
+        )
+        groups = [gapi.get_one_with_name('users')]
+        test_user = uapi.create_user(
+            email='test@test.test',
+            password='pass',
+            name='bob',
+            groups=groups,
+            timezone='Europe/Paris',
+            do_save=True,
+            do_notify=False,
+        )
+        uapi.save(test_user)
+        uapi.disable(test_user)
+        transaction.commit()
+
+        params = {
+            'email': 'test@test.test',
+            'password': 'test@test.test',
+        }
+        res = self.testapp.post_json(
+            '/api/v2/sessions/login',
+            params=params,
+            status=403,
+        )
+
     def test_api__try_login_enpoint__err_403__bad_password(self):
         params = {
             'email': 'admin@admin.admin',
@@ -117,6 +161,44 @@ class TestWhoamiEndpoint(FunctionalTest):
         assert res.json_body['caldav_url'] is None
         assert res.json_body['avatar_url'] is None
 
+    def test_api__try_whoami_enpoint__err_401__user_is_not_active(self):
+        dbsession = get_tm_session(self.session_factory, transaction.manager)
+        admin = dbsession.query(models.User) \
+            .filter(models.User.email == 'admin@admin.admin') \
+            .one()
+        uapi = UserApi(
+            current_user=admin,
+            session=dbsession,
+            config=self.app_config,
+        )
+        gapi = GroupApi(
+            current_user=admin,
+            session=dbsession,
+            config=self.app_config,
+        )
+        groups = [gapi.get_one_with_name('users')]
+        test_user = uapi.create_user(
+            email='test@test.test',
+            password='pass',
+            name='bob',
+            groups=groups,
+            timezone='Europe/Paris',
+            do_save=True,
+            do_notify=False,
+        )
+        uapi.save(test_user)
+        uapi.disable(test_user)
+        transaction.commit()
+        self.testapp.authorization = (
+            'Basic',
+            (
+                'test@test.test',
+                'pass'
+            )
+        )
+
+        res = self.testapp.get('/api/v2/sessions/whoami', status=401)
+
     def test_api__try_whoami_enpoint__err_401__unauthenticated(self):
         self.testapp.authorization = (
             'Basic',

tracim/tests/library/test_user_api.py

@@ -1,10 +1,11 @@
 # -*- coding: utf-8 -*-
 import pytest
-from sqlalchemy.orm.exc import NoResultFound
-
 import transaction
 
-from tracim.exceptions import UserDoesNotExist, AuthenticationFailed
+from tracim.exceptions import AuthenticationFailed
+from tracim.exceptions import UserDoesNotExist
+from tracim.exceptions import UserNotActive
+from tracim.lib.core.group import GroupApi
 from tracim.lib.core.user import UserApi
 from tracim.models import User
 from tracim.models.context_models import UserInContext
@@ -171,6 +172,31 @@ class TestUserApi(DefaultTest):
         assert isinstance(user, User)
         assert user.email == 'admin@admin.admin'
 
+    def test_unit__authenticate_user___err__user_not_active(self):
+        api = UserApi(
+            current_user=None,
+            session=self.session,
+            config=self.config,
+        )
+        gapi = GroupApi(
+            current_user=None,
+            session=self.session,
+            config=self.config,
+        )
+        groups = [gapi.get_one_with_name('users')]
+        user = api.create_user(
+            email='test@test.test',
+            password='pass',
+            name='bob',
+            groups=groups,
+            timezone='Europe/Paris',
+            do_save=True,
+            do_notify=False,
+        )
+        api.disable(user)
+        with pytest.raises(UserNotActive):
+            api.authenticate_user('test@test.test', 'test@test.test')
+
     def test_unit__authenticate_user___err__wrong_password(self):
         api = UserApi(
             current_user=None,

tracim/views/core_api/schemas.py

@@ -14,6 +14,11 @@ from tracim.models.context_models import ActiveContentFilter
 from tracim.models.context_models import ContentIdsQuery
 from tracim.models.context_models import UserWorkspaceAndContentPath
 from tracim.models.context_models import ContentCreation
+from tracim.models.context_models import UserCreation
+from tracim.models.context_models import SetEmail
+from tracim.models.context_models import SetPassword
+from tracim.models.context_models import UserInfos
+from tracim.models.context_models import UserProfile
 from tracim.models.context_models import ContentPreviewSizedPath
 from tracim.models.context_models import RevisionPreviewSizedPath
 from tracim.models.context_models import PageQuery
@@ -65,11 +70,11 @@ class UserSchema(UserDigestSchema):
     )
     is_active = marshmallow.fields.Bool(
         example=True,
-         # TODO - G.M - Explains this value.
+        description='Is user account activated ?'
     )
     # TODO - G.M - 17-04-2018 - Restrict timezone values
     timezone = marshmallow.fields.String(
-        example="Paris/Europe",
+        example="Europe/Paris",
     )
     # TODO - G.M - 17-04-2018 - check this, relative url allowed ?
     caldav_url = marshmallow.fields.Url(
@@ -88,9 +93,78 @@ class UserSchema(UserDigestSchema):
     class Meta:
         description = 'User account of Tracim'
 
-# Path Schemas
+
+class LoggedInUserPasswordSchema(marshmallow.Schema):
+    loggedin_user_password = marshmallow.fields.String(
+        required=True,
+    )
+
+
+class SetEmailSchema(LoggedInUserPasswordSchema):
+    email = marshmallow.fields.Email(
+        required=True,
+        example='suri.cate@algoo.fr'
+    )
+
+    @post_load
+    def create_set_email_object(self, data):
+        return SetEmail(**data)
+
+
+class SetPasswordSchema(LoggedInUserPasswordSchema):
+    new_password = marshmallow.fields.String(
+        example='8QLa$<w',
+        required=True
+    )
+    new_password2 = marshmallow.fields.String(
+        example='8QLa$<w',
+        required=True
+    )
+
+    @post_load
+    def create_set_password_object(self, data):
+        return SetPassword(**data)
+
+
+class UserInfosSchema(marshmallow.Schema):
+    timezone = marshmallow.fields.String(
+        example="Europe/Paris",
+        required=True,
+    )
+    public_name = marshmallow.fields.String(
+        example='Suri Cate',
+        required=True,
+    )
+
+    @post_load
+    def create_user_info_object(self, data):
+        return UserInfos(**data)
+
+
+class UserProfileSchema(marshmallow.Schema):
+    profile = marshmallow.fields.String(
+        attribute='profile',
+        validate=OneOf(Profile._NAME),
+        example='managers',
+    )
+    @post_load
+    def create_user_profile(self, data):
+        return UserProfile(**data)
+
+
+class UserCreationSchema(
+    SetEmailSchema,
+    SetPasswordSchema,
+    UserInfosSchema,
+    UserProfileSchema
+):
+    @post_load
+    def create_user(self, data):
+        return UserCreation(**data)
 
 
+# Path Schemas
+
 class UserIdPathSchema(marshmallow.Schema):
     user_id = marshmallow.fields.Int(
         example=3,
@@ -306,6 +380,7 @@ class ContentIdsQuerySchema(marshmallow.Schema):
     def make_contents_ids(self, data):
         return ContentIdsQuery(**data)
 
+
 ###
 
 

tracim/views/core_api/user_controller.py

@@ -1,27 +1,36 @@
 from pyramid.config import Configurator
-
-from tracim.lib.core.content import ContentApi
-from tracim.lib.utils.authorization import require_same_user_or_profile
-from tracim.models import Group
-
 try:  # Python 3.5+
     from http import HTTPStatus
 except ImportError:
     from http import client as HTTPStatus
 
-from tracim import hapic, TracimRequest
-
+from tracim import hapic
+from tracim import TracimRequest
+from tracim.models import Group
+from tracim.lib.core.group import GroupApi
+from tracim.lib.core.user import UserApi
 from tracim.lib.core.workspace import WorkspaceApi
+from tracim.lib.core.content import ContentApi
 from tracim.views.controllers import Controller
-from tracim.views.core_api.schemas import UserIdPathSchema, ReadStatusSchema, \
-    ContentIdsQuerySchema
+from tracim.lib.utils.authorization import require_same_user_or_profile
+from tracim.lib.utils.authorization import require_profile
+from tracim.exceptions import WrongUserPassword
+from tracim.exceptions import PasswordDoNotMatch
+from tracim.views.core_api.schemas import UserSchema
+from tracim.views.core_api.schemas import SetEmailSchema
+from tracim.views.core_api.schemas import SetPasswordSchema
+from tracim.views.core_api.schemas import UserInfosSchema
+from tracim.views.core_api.schemas import UserCreationSchema
+from tracim.views.core_api.schemas import UserProfileSchema
+from tracim.views.core_api.schemas import UserIdPathSchema
+from tracim.views.core_api.schemas import ReadStatusSchema
+from tracim.views.core_api.schemas import ContentIdsQuerySchema
 from tracim.views.core_api.schemas import NoContentSchema
 from tracim.views.core_api.schemas import UserWorkspaceIdPathSchema
 from tracim.views.core_api.schemas import UserWorkspaceAndContentIdPathSchema
 from tracim.views.core_api.schemas import ContentDigestSchema
 from tracim.views.core_api.schemas import ActiveContentFilterQuerySchema
 from tracim.views.core_api.schemas import WorkspaceDigestSchema
-from tracim.models.contents import ContentTypeLegacy as ContentType
 
 USER_ENDPOINTS_TAG = 'Users'
 
@@ -51,6 +60,189 @@ class UserController(Controller):
 
     @hapic.with_api_doc(tags=[USER_ENDPOINTS_TAG])
     @require_same_user_or_profile(Group.TIM_ADMIN)
+    @hapic.input_path(UserIdPathSchema())
+    @hapic.output_body(UserSchema())
+    def user(self, context, request: TracimRequest, hapic_data=None):
+        """
+        Get user infos.
+        """
+        app_config = request.registry.settings['CFG']
+        uapi = UserApi(
+            current_user=request.current_user,  # User
+            session=request.dbsession,
+            config=app_config,
+        )
+        return uapi.get_user_with_context(request.candidate_user)
+
+    @hapic.with_api_doc(tags=[USER_ENDPOINTS_TAG])
+    @hapic.handle_exception(WrongUserPassword, HTTPStatus.FORBIDDEN)
+    @require_same_user_or_profile(Group.TIM_ADMIN)
+    @hapic.input_body(SetEmailSchema())
+    @hapic.input_path(UserIdPathSchema())
+    @hapic.output_body(UserSchema())
+    def set_user_email(self, context, request: TracimRequest, hapic_data=None):
+        """
+        Set user Email
+        """
+        app_config = request.registry.settings['CFG']
+        uapi = UserApi(
+            current_user=request.current_user,  # User
+            session=request.dbsession,
+            config=app_config,
+        )
+        user = uapi.set_email(
+            request.candidate_user,
+            hapic_data.body.loggedin_user_password,
+            hapic_data.body.email,
+            do_save=True
+        )
+        return uapi.get_user_with_context(user)
+
+    @hapic.with_api_doc(tags=[USER_ENDPOINTS_TAG])
+    @hapic.handle_exception(WrongUserPassword, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(PasswordDoNotMatch, HTTPStatus.BAD_REQUEST)
+    @require_same_user_or_profile(Group.TIM_ADMIN)
+    @hapic.input_body(SetPasswordSchema())
+    @hapic.input_path(UserIdPathSchema())
+    @hapic.output_body(NoContentSchema(), default_http_code=HTTPStatus.NO_CONTENT)  # nopep8
+    def set_user_password(self, context, request: TracimRequest, hapic_data=None):  # nopep8
+        """
+        Set user password
+        """
+        app_config = request.registry.settings['CFG']
+        uapi = UserApi(
+            current_user=request.current_user,  # User
+            session=request.dbsession,
+            config=app_config,
+        )
+        uapi.set_password(
+            request.candidate_user,
+            hapic_data.body.loggedin_user_password,
+            hapic_data.body.new_password,
+            hapic_data.body.new_password2,
+            do_save=True
+        )
+        return
+
+    @hapic.with_api_doc(tags=[USER_ENDPOINTS_TAG])
+    @require_same_user_or_profile(Group.TIM_ADMIN)
+    @hapic.input_body(UserInfosSchema())
+    @hapic.input_path(UserIdPathSchema())
+    @hapic.output_body(UserSchema())
+    def set_user_infos(self, context, request: TracimRequest, hapic_data=None):
+        """
+        Set user info data
+        """
+        app_config = request.registry.settings['CFG']
+        uapi = UserApi(
+            current_user=request.current_user,  # User
+            session=request.dbsession,
+            config=app_config,
+        )
+        user = uapi.update(
+            request.candidate_user,
+            name=hapic_data.body.public_name,
+            timezone=hapic_data.body.timezone,
+            do_save=True
+        )
+        return uapi.get_user_with_context(user)
+
+    @hapic.with_api_doc(tags=[USER_ENDPOINTS_TAG])
+    @require_profile(Group.TIM_ADMIN)
+    @hapic.input_path(UserIdPathSchema())
+    @hapic.input_body(UserCreationSchema())
+    @hapic.output_body(UserSchema())
+    def create_user(self, context, request: TracimRequest, hapic_data=None):
+        """
+        Create new user
+        """
+        app_config = request.registry.settings['CFG']
+        uapi = UserApi(
+            current_user=request.current_user,  # User
+            session=request.dbsession,
+            config=app_config,
+        )
+        gapi = GroupApi(
+            current_user=request.current_user,  # User
+            session=request.dbsession,
+            config=app_config,
+        )
+        groups = [gapi.get_one_with_name(hapic_data.body.profile)]
+        user = uapi.create_user(
+            email=hapic_data.body.email,
+            password=hapic_data.body.password,
+            timezone=hapic_data.body.timezone,
+            name=hapic_data.body.public_name,
+            do_notify=hapic_data.body.email_notification,
+            groups=groups,
+            do_save=True
+        )
+        return uapi.get_user_with_context(user)
+
+    @hapic.with_api_doc(tags=[USER_ENDPOINTS_TAG])
+    @require_profile(Group.TIM_ADMIN)
+    @hapic.input_path(UserIdPathSchema())
+    @hapic.output_body(NoContentSchema(), default_http_code=HTTPStatus.NO_CONTENT)  # nopep8
+    def enable_user(self, context, request: TracimRequest, hapic_data=None):
+        """
+        enable user
+        """
+        app_config = request.registry.settings['CFG']
+        uapi = UserApi(
+            current_user=request.current_user,  # User
+            session=request.dbsession,
+            config=app_config,
+        )
+        uapi.enable(user=request.candidate_user, do_save=True)
+        return
+
+    @hapic.with_api_doc(tags=[USER_ENDPOINTS_TAG])
+    @require_profile(Group.TIM_ADMIN)
+    @hapic.input_path(UserIdPathSchema())
+    @hapic.output_body(NoContentSchema(), default_http_code=HTTPStatus.NO_CONTENT)  # nopep8
+    def disable_user(self, context, request: TracimRequest, hapic_data=None):
+        """
+        disable user
+        """
+        app_config = request.registry.settings['CFG']
+        uapi = UserApi(
+            current_user=request.current_user,  # User
+            session=request.dbsession,
+            config=app_config,
+        )
+        uapi.disable(user=request.candidate_user, do_save=True)
+        return
+
+    @hapic.with_api_doc(tags=[USER_ENDPOINTS_TAG])
+    @require_profile(Group.TIM_ADMIN)
+    @hapic.input_path(UserIdPathSchema())
+    @hapic.input_body(UserProfileSchema())
+    @hapic.output_body(NoContentSchema(), default_http_code=HTTPStatus.NO_CONTENT)  # nopep8
+    def set_profile(self, context, request: TracimRequest, hapic_data=None):
+        """
+        set user profile
+        """
+        app_config = request.registry.settings['CFG']
+        uapi = UserApi(
+            current_user=request.current_user,  # User
+            session=request.dbsession,
+            config=app_config,
+        )
+        gapi = GroupApi(
+            current_user=request.current_user,  # User
+            session=request.dbsession,
+            config=app_config,
+        )
+        groups = [gapi.get_one_with_name(hapic_data.body.profile)]
+        uapi.update(
+            user=request.candidate_user,
+            groups=groups,
+            do_save=True,
+        )
+        return
+
+    @hapic.with_api_doc(tags=[USER_ENDPOINTS_TAG])
+    @require_same_user_or_profile(Group.TIM_ADMIN)
     @hapic.input_path(UserWorkspaceIdPathSchema())
     @hapic.input_query(ActiveContentFilterQuerySchema())
     @hapic.output_body(ContentDigestSchema(many=True))
@@ -175,10 +367,42 @@ class UserController(Controller):
         for this controller
         """
 
-        # user worskpace
+        # user workspace
         configurator.add_route('user_workspace', '/users/{user_id}/workspaces', request_method='GET')  # nopep8
         configurator.add_view(self.user_workspace, route_name='user_workspace')
 
+        # user info
+        configurator.add_route('user', '/users/{user_id}', request_method='GET')  # nopep8
+        configurator.add_view(self.user, route_name='user')
+
+        # set user email
+        configurator.add_route('set_user_email', '/users/{user_id}/email', request_method='PUT')  # nopep8
+        configurator.add_view(self.set_user_email, route_name='set_user_email')
+
+        # set user password
+        configurator.add_route('set_user_password', '/users/{user_id}/password', request_method='PUT')  # nopep8
+        configurator.add_view(self.set_user_password, route_name='set_user_password')  # nopep8
+
+        # set user_info
+        configurator.add_route('set_user_info', '/users/{user_id}', request_method='PUT')  # nopep8
+        configurator.add_view(self.set_user_infos, route_name='set_user_info')
+
+        # create user
+        configurator.add_route('create_user', '/users', request_method='POST')
+        configurator.add_view(self.create_user, route_name='create_user')
+
+        # enable user
+        configurator.add_route('enable_user', '/users/{user_id}/enable', request_method='PUT')  # nopep8
+        configurator.add_view(self.enable_user, route_name='enable_user')
+
+        # disable user
+        configurator.add_route('disable_user', '/users/{user_id}/disable', request_method='PUT')  # nopep8
+        configurator.add_view(self.disable_user, route_name='disable_user')
+
+        # set user profile
+        configurator.add_route('set_user_profile', '/users/{user_id}/profile', request_method='PUT')  # nopep8
+        configurator.add_view(self.set_profile, route_name='set_user_profile')
+
         # user content
         configurator.add_route('contents_read_status', '/users/{user_id}/workspaces/{workspace_id}/contents/read_status', request_method='GET')  # nopep8
         configurator.add_view(self.contents_read_status, route_name='contents_read_status')  # nopep8
@@ -194,4 +418,4 @@ class UserController(Controller):
 
         # set workspace as read
         configurator.add_route('read_workspace', '/users/{user_id}/workspaces/{workspace_id}/read', request_method='PUT')  # nopep8
-        configurator.add_view(self.set_workspace_as_read, route_name='read_workspace')  # nopep8
+        configurator.add_view(self.set_workspace_as_read, route_name='read_workspace')  # nopep8