2019-06-15 14:46:08 +10:00
|
|
|
const ObjectId = require('mongodb').ObjectID;
|
|
|
|
|
const _ = require('lodash');
|
|
|
|
|
|
|
|
|
|
const restrictedRoutes = [
|
|
|
|
|
{ route: '/admin/product/new', response: 'redirect' },
|
|
|
|
|
{ route: '/admin/product/insert', response: 'redirect' },
|
|
|
|
|
{ route: '/admin/product/edit/:id', response: 'redirect' },
|
|
|
|
|
{ route: '/admin/product/update', response: 'redirect' },
|
|
|
|
|
{ route: '/admin/product/delete/:id', response: 'redirect' },
|
2020-01-21 17:36:46 +10:00
|
|
|
{ route: '/admin/product/publishedState', response: 'json' },
|
2019-06-15 14:46:08 +10:00
|
|
|
{ route: '/admin/product/setasmainimage', response: 'json' },
|
|
|
|
|
{ route: '/admin/product/deleteimage', response: 'json' },
|
2019-10-26 11:08:53 +10:00
|
|
|
{ route: '/admin/product/removeoption', response: 'json' },
|
2019-06-15 14:46:08 +10:00
|
|
|
{ route: '/admin/order/statusupdate', response: 'json' },
|
|
|
|
|
{ route: '/admin/settings/update', response: 'json' },
|
|
|
|
|
{ route: '/admin/settings/pages/new', response: 'redirect' },
|
|
|
|
|
{ route: '/admin/settings/pages/edit/:page', response: 'redirect' },
|
2019-12-07 09:41:18 +10:00
|
|
|
{ route: '/admin/settings/pages', response: 'json' },
|
|
|
|
|
{ route: '/admin/settings/page/delete/:page', response: 'json' },
|
|
|
|
|
{ route: '/admin/settings/menu/new', response: 'json' },
|
|
|
|
|
{ route: '/admin/settings/menu/update', response: 'json' },
|
|
|
|
|
{ route: '/admin/settings/menu/delete', response: 'json' },
|
2020-01-21 17:36:46 +10:00
|
|
|
{ route: '/admin/settings/menu/saveOrder', response: 'json' },
|
2019-12-07 09:41:18 +10:00
|
|
|
{ route: '/admin/file/upload', response: 'json' }
|
2019-06-15 14:46:08 +10:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
const restrict = (req, res, next) => {
|
|
|
|
|
checkLogin(req, res, next);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const checkLogin = async (req, res, next) => {
|
|
|
|
|
const db = req.app.db;
|
|
|
|
|
// if not protecting we check for public pages and don't checkLogin
|
|
|
|
|
if(req.session.needsSetup === true){
|
|
|
|
|
res.redirect('/admin/setup');
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If API key, check for a user
|
|
|
|
|
if(req.headers.apikey){
|
|
|
|
|
try{
|
|
|
|
|
const user = await db.users.findOne({
|
|
|
|
|
apiKey: ObjectId(req.headers.apikey),
|
|
|
|
|
isAdmin: true
|
|
|
|
|
});
|
|
|
|
|
if(!user){
|
|
|
|
|
res.status(400).json({ message: 'Access denied' });
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
// Set API authenticated in the req
|
|
|
|
|
req.apiAuthenticated = true;
|
|
|
|
|
next();
|
|
|
|
|
return;
|
|
|
|
|
}catch(ex){
|
|
|
|
|
res.status(400).json({ message: 'Access denied' });
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(req.session.user){
|
|
|
|
|
next();
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
res.redirect('/admin/login');
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Middleware to check for admin access for certain route
|
|
|
|
|
const checkAccess = (req, res, next) => {
|
2019-07-12 18:06:34 +10:00
|
|
|
const routeCheck = _.find(restrictedRoutes, { route: req.route.path });
|
2019-06-15 14:46:08 +10:00
|
|
|
|
|
|
|
|
// If the user is not an admin and route is restricted, show message and redirect to /admin
|
|
|
|
|
if(req.session.isAdmin === false && routeCheck){
|
|
|
|
|
if(routeCheck.response === 'redirect'){
|
|
|
|
|
req.session.message = 'Unauthorised. Please refer to administrator.';
|
|
|
|
|
req.session.messageType = 'danger';
|
|
|
|
|
res.redirect('/admin');
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
if(routeCheck.response === 'json'){
|
|
|
|
|
res.status(400).json({ message: 'Unauthorised. Please refer to administrator.' });
|
|
|
|
|
}
|
|
|
|
|
}else{
|
|
|
|
|
next();
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
module.exports = {
|
|
|
|
|
restrict,
|
|
|
|
|
checkLogin,
|
|
|
|
|
checkAccess
|
|
|
|
|
};
|
