/* global __appdir */
var path = require('path')
var db = require(path.join(__appdir, 'lib', 'sequelize'))
var express = require('express')
const { decorateApp } = require('@awaitjs/express')
var router = decorateApp(express.Router())
var authentication = require(path.join(__appdir, 'lib', 'authentication'))

// ############################################################################
// ###########################  GET requests  #################################

/*
 * GET /
 * @return: Returns a list of all users in the database and their given roles.
 *          The password column is excluded from the result and the list is
 *          ordered by name, ascending.
 * NOTE(review): no per-route authorization check is visible here; this assumes
 * an upstream middleware restricts who may list all users — confirm.
 */
router.getAsync('', async (req, res) => {
  const query = {
    attributes: { exclude: ['password'] },
    include: ['roles'],
    order: [['name', 'ASC']]
  }
  const users = await db.user.findAll(query)
  res.status(200).send(users)
})

/*
 * GET /:id
 * @return: Returns information about a specific user (password excluded), or
 *          404 when no user with that id exists. The literal id 'current'
 *          resolves to the authenticated user's own id.
 * NOTE(review): 'current' reads req.user.id, so this route assumes an
 * authentication middleware has populated req.user — confirm. Any other id is
 * looked up without an ownership or permission check visible in this handler.
 */
router.getAsync('/:id', async (req, res) => {
  const { id: requestedId } = req.params
  const id = requestedId === 'current' ? req.user.id : requestedId
  const user = await db.user.findOne({ where: { id }, attributes: { exclude: ['password'] } })
  if (!user) {
    res.status(404).end()
    return
  }
  res.status(200).send(user)
})

// ############################################################################
// ##########################  POST requests  #################################

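// Post request for adding roles to users. With `?delete=<anything but 'false'>`
// the same roles are removed from those users instead.
//
// Body: { users: [<user id>, ...], roles: [<role id>, ...] }
// Responds 400 when either list is missing or not an array, 404 when none of
// the given users exist, and 200 once every role change has been persisted.
//
// FIXME(security): the permission check below is disabled, so every caller
// that reaches this route can grant or revoke arbitrary roles for arbitrary
// users (privilege escalation). Re-enable it — or an equivalent check — before
// exposing this route; until then it must stay behind an upstream
// authentication/authorization middleware.
router.postAsync('/roles', async (req, res) => {
  // if (!await req.user.hasPermission('permissions.grantrevoke')) return res.status(403).end()

  const userIds = req.body.users
  const roleIds = req.body.roles
  // Sequelize rejects `where: { id: undefined }`, and a non-array here would
  // change the meaning of the query, so validate the shape before hitting the DB.
  if (!Array.isArray(userIds) || !Array.isArray(roleIds)) {
    return res.status(400).send({ error: 'INVALID_BODY', message: 'Both "users" and "roles" must be arrays of ids.' })
  }

  const users = await db.user.findAll({ where: { id: userIds } })
  // findAll resolves to an array (never null), so the original `if (users)`
  // could never reach its 404 branch; emptiness is the real "not found" signal.
  if (users.length === 0) return res.status(404).end()

  const remove = req.query.delete !== undefined && req.query.delete !== 'false'
  // Await the association writes: the original fired them without awaiting, so
  // a failure surfaced as an unhandled rejection after the 200 was already sent.
  await Promise.all(users.map(user => (remove ? user.removeRoles(roleIds) : user.addRoles(roleIds))))
  res.status(200).end()
})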

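// Post request for creating new user accounts (POST /) and for updating an
// existing account's name, email, username and password (POST /:id, where
// 'current' means the authenticated user). With `?delete=<anything but
// 'false'>` it instead bulk-deletes the users listed in body.ids.
//
// FIXME(security): there is no authorization check in this handler. The TODO
// below was never implemented, so any caller that reaches this route can
// update any user's profile by id and can bulk-delete arbitrary users through
// the `?delete` branch. Until a permission check exists, this route must sit
// behind an upstream middleware that restricts it to trusted callers.
router.postAsync(['/', '/:id'], async (req, res) => {
  const body = req.body
  if (req.params.id !== 'current') {
    // TODO: Check for permission to delete / create / update user
  }

  // Bulk delete: body.ids is handed straight to the WHERE clause.
  if (req.query.delete !== undefined && req.query.delete !== 'false') {
    const count = await db.user.destroy({ where: { id: body.ids } })
    return res.send({ count })
  }

  // No id in the path: this is a signup. `result.code` carries the HTTP status
  // and is stripped from the payload before it is sent.
  if (req.params.id === undefined) {
    const result = await authentication.signup(body)
    const code = result.code
    delete result.code
    return res.status(code).send(result)
  }

  // Update of an existing user. 'current' resolves to the caller's own id;
  // NOTE(review): this assumes an authentication middleware populated req.user.
  const id = req.params.id === 'current' ? req.user.id : req.params.id

  // A malformed email is a client error, so answer 400 (the original sent 500,
  // inconsistent with the 400 used for the username checks below).
  const email = body.email
  if (!authentication.validateEmail(email)) return res.status(400).send({ error: 'EMAIL_INVALID', message: 'The provided email is invalid.' })

  const user = await db.user.findOne({ where: { id } })
  // The original answered 200 for an unknown id; report it the way GET /:id does.
  if (!user) return res.status(404).end()

  const userinfo = {
    name: body.name,
    email
  }

  // Check if the username is set and if it's valid. The caller's own username
  // ('current') is not changeable through this route.
  const username = body.username
  if (username && req.params.id !== 'current') {
    if (!authentication.validateUsername(username)) return res.status(400).send({ error: 'INVALID_USERNAME', message: 'Username does not fullfill the requirements. (No whitespaces)' })

    // Check if the username already exists on a different user.
    const userDb = await db.user.findOne({ where: { username, id: { [db.Op.not]: id } } })
    if (userDb) return res.status(400).send({ error: 'USER_ALREADY_EXISTS', message: 'The provided username already exists.' })
    userinfo.username = username
  }

  // Update the user.
  await user.update(userinfo)
  if (body.password) {
    // changePassword receives the current password (presumably to verify it —
    // confirm) and reports the outcome via result.code. Returning here fixes
    // the original's double response, which fell through to the 200 below
    // after this payload had already been sent.
    const result = await authentication.changePassword(id, body.password, body.passwordCurrent)
    const code = result.code
    delete result.code
    return res.status(code).send(result)
  }
  res.status(200).end()
})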

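// Post request for changing the password of user :id.
//
// Body: { passwordCurrent, password }. Both are required and must differ; the
// check of passwordCurrent and the actual update are delegated to
// authentication.changePassword, whose `result.code` becomes the HTTP status.
// NOTE(review): unlike the other routes, :id is not mapped from 'current' and
// no ownership check is visible here — confirm that changePassword itself
// refuses a wrong current password, since that is the only gate.
router.postAsync('/:id/password', async (req, res) => {
  const id = req.params.id
  const { passwordCurrent, password } = req.body

  // Check if passwords are set.
  if (!passwordCurrent || !password) {
    return res.status(400).send({ error: 'PASSWORD_MISSING', message: 'This service requires the current and the new password.' })
  }
  // Reusing the current password is a client error: answer 400 (the original sent 500).
  if (passwordCurrent === password) {
    return res.status(400).send({ error: 'PASSWORD_ERROR', message: 'The provided password must be different than the old password.' })
  }

  const result = await authentication.changePassword(id, password, passwordCurrent)
  const code = result.code
  delete result.code
  res.status(code).send(result)
})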

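// Function for deleting a single user (DELETE /:id/).
//
// Only the literal id 'current' is accepted: every user may delete their own
// account, nobody may delete another one through this route.
// NOTE(review): 'current' resolves via req.user.id, so an authentication
// middleware must have populated req.user — confirm.
router.deleteAsync('/:id/', async (req, res) => {
  // Check if the user has the permission for changing this user data. Else return.
  // Refusing another user's id is a permission failure, so answer 403 (the
  // original sent 500).
  if (req.params.id !== 'current') {
    return res.status(403).end()
  }
  // Only 'current' reaches this point, so the id is always the caller's own.
  const id = req.user.id

  // Every user can delete his own account. Awaiting the delete lets a DB
  // failure reach the async error handler instead of becoming an unhandled
  // rejection that leaves the request hanging (the original chained .then()
  // without a .catch()).
  await db.user.destroy({ where: { id } })
  res.status(200).end()
})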

// ############################################################################
// ############################################################################

module.exports.router = router