Diffstat (limited to 'server/api/users.js')
-rw-r--r--server/api/users.js40
1 files changed, 27 insertions, 13 deletions
diff --git a/server/api/users.js b/server/api/users.js
index d69c776..a4940e0 100644
--- a/server/api/users.js
+++ b/server/api/users.js
@@ -7,6 +7,28 @@ var router = decorateApp(express.Router())
var authentication = require(path.join(__appdir, 'lib', 'authentication'))
const log = require(path.join(__appdir, 'lib', 'log'))
+// Permission check middleware
+router.all(['', '/:id'], async (req, res, next) => {
+ // User is allowed to edit his own information even without any permissions.
+ let currentInfo = false
+ if (req.params.id && req.params.id === 'current') currentInfo = true
+
+ switch (req.method) {
+ case 'GET':
+ if (!await req.user.hasPermission('users.view') && !currentInfo) return res.status(403).send({ error: 'Missing permission', permission: 'users.view' })
+ break
+
+ case 'POST': case 'DELETE':
+ if (!await req.user.hasPermission('users.edit') && !currentInfo) return res.status(403).send({ error: 'Missing permission', permission: 'users.edit' })
+ break
+
+ default:
+ return res.status(400).send()
+ }
+
+ next()
+})
+
// ############################################################################
// ########################### GET requests #################################
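Review bot: The new middleware is an `async` function registered with plain `router.all`, so a rejection inside it — `req.user` being undefined because authentication did not run for this path, or `hasPermission` rejecting — is never handed to Express's error handler and the request hangs with an unhandled rejection; the rest of this file goes through `getAsync`/`postAsync` wrappers for exactly that reason. Wrap the body in `try { … } catch (err) { return next(err) }` (or the `decorateApp` equivalent, e.g. `router.allAsync`, if one exists) and add an explicit `if (!req.user) return res.status(401).send()` guard before the permission checks. Two smaller points: unsupported methods, including OPTIONS and HEAD, get `400` where `405` is the conventional status, and `currentInfo` is true only for the literal `'current'`, so a user addressing their own record by numeric id is treated as a foreign record and needs `users.view`/`users.edit`; if that is intended, state it in the comment on the first line of the middleware.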
@@ -36,8 +58,6 @@ router.getAsync('/:id', async (req, res) => {
// Post request for adding roles to users.
router.postAsync('/roles', async (req, res) => {
- // if (!await req.user.hasPermission('permissions.grantrevoke')) return res.status(403).end()
-
const userIds = req.body.users
const roleIds = req.body.roles
const users = await db.user.findAll({ where: { id: userIds }, include: ['roles'] })
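Review bot: Dropping the commented-out `permissions.grantrevoke` check leaves role assignment on `/roles` gated only by the new `users.edit` middleware (it appears to match `/roles` through the `/:id` pattern, as far as this diff shows), which is a weaker bar than the old comment intended: anyone allowed to edit user profiles can now grant any role, including to their own account, and so escalate to whatever permissions that role carries. Restore the check as real code at the top of this handler, `if (!await req.user.hasPermission('permissions.grantrevoke')) return res.status(403).send({ error: 'Missing permission', permission: 'permissions.grantrevoke' })`, and consider rejecting requests whose `userIds` contains `req.user.id`. The handler continues outside the hunk.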
@@ -52,7 +72,7 @@ router.postAsync('/roles', async (req, res) => {
if (count > 1) roleString += 's'
log({
category: 'USER_REVOKE_ROLE',
- description: '[' + user.id + '] ' + user.name + ': Successfully removed ' + count + ' ' + roleString + '.\n' +
+ description: '[' + user.id + '] ' + 'Successfully removed ' + count + ' ' + roleString + ' from' + user.name + '.\n' +
'ID: ' + user.id + '\n' +
'Name: ' + user.name + '\n' +
'Removed Roles: ' + roleIds.filter(y => { return roles.map(x => x.id).includes(y) }),
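Review bot: The rewritten description on the `+` line drops the space before the user name: `' from' + user.name` renders as `…roles fromAlice.`. Change it to `' from ' + user.name`. The `[id]` prefix now duplicates the `ID:` line that follows, so the first line could simply read `'Successfully removed ' + count + ' ' + roleString + ' from ' + user.name + '.\n'` with the explicit ID/Name lines kept as the canonical fields. The enclosing block starts outside the hunk.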
@@ -85,13 +105,9 @@ router.postAsync('/roles', async (req, res) => {
}
})
-// Post request for creating new user accounts.
+// Post request for creating / editing new user accounts.
router.postAsync(['/', '/:id'], async (req, res) => {
const body = req.body
- if (req.params.id !== 'current') {
- // TODO: Check for permission to delete / create / update user
- }
-
// Delete request
if (req.query.delete !== undefined && req.query.delete !== 'false') {
const user = await db.user.findOne({ where: { id: req.user.id } })
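Review bot: The new header comment `creating / editing new user accounts` is ambiguous, and the handler visibly also performs deletion when `?delete=` is set, which the comment does not mention; with the permissions TODO gone there is no longer any note telling a reader where authorization for this route happens. Suggested comment: `// POST / creates a user; POST /:id (or 'current') edits one; ?delete=… performs deletion. Authorization is enforced by the router.all middleware at the top of this file.`. Note also that `req.query.delete !== 'false'` treats any other value, including `0` or an empty `?delete`, as a deletion request — worth a sentence in the comment if that is intended. The handler continues beyond the hunk.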
@@ -152,6 +168,7 @@ router.postAsync(['/', '/:id'], async (req, res) => {
return res.send({ deletionCounter })
}
+ // Create new user
if (req.params.id === undefined) {
const result = await authentication.signup(body)
const code = result.code
@@ -183,6 +200,7 @@ router.postAsync(['/', '/:id'], async (req, res) => {
delete result.code
return res.status(code).send(result)
} else {
+ // Edit user
const id = req.params.id === 'current' ? req.user.id : req.params.id
let user = await db.user.findOne({ where: { id: id } })
@@ -289,7 +307,7 @@ router.postAsync(['/', '/:id'], async (req, res) => {
// Post request for changing the password.
router.postAsync('/:id/password', async (req, res) => {
- const id = req.params.id
+ const id = req.params.id === 'current' ? req.user.id : req.params.id
const body = req.body
// Check if passwords are set.
if (body.passwordCurrent && body.password) {
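Review bot: Resolving `'current'` to `req.user.id` here is fine, but `/:id/password` is not matched by the new `router.all(['', '/:id'])` middleware (Express's default matching stops at one path segment), so a request naming someone else's id reaches this body with no permission check visible in the hunk; whether that is safe depends on `passwordCurrent` being verified against the target user's password rather than the caller's, which I cannot see from here. Add an explicit guard right after the `id` line: `if (String(id) !== String(req.user.id) && !await req.user.hasPermission('users.edit')) return res.status(403).send({ error: 'Missing permission', permission: 'users.edit' })`. The `String()` casts matter because `req.params.id` is always a string while `req.user.id` is presumably numeric. The handler continues outside the hunk.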
@@ -317,10 +335,6 @@ router.postAsync('/:id/password', async (req, res) => {
// Function for deleting a single user
router.deleteAsync('/:id/', async (req, res) => {
- if (req.params.id !== 'current') {
- // Check if the user has the permission for changing those userdata. Else return.
- // return res.status(500).end()
- }
const id = req.params.id === 'current' ? req.user.id : req.params.id
const user = await db.user.findOne({ where: { id: id } })
// Every user can delete his own account.
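Review bot: With the TODO removed, the context comment `Every user can delete his own account.` only holds when the caller uses the `current` alias: a DELETE addressed to the caller's own numeric id is rejected by the new middleware unless the caller holds `users.edit`, because `currentInfo` there only recognises the literal `'current'`. Either make the comment precise, `// Every user can delete his own account via /current; any other id requires users.edit (enforced by the router.all middleware).`, or have the middleware treat `String(req.params.id) === String(req.user.id)` the same as `'current'`. The handler continues past the hunk.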