expressCart/routes/user.js

246 lines
7.3 KiB
JavaScript
Raw Normal View History

2018-02-05 23:20:44 +10:00
const express = require('express');
const common = require('../lib/common');
2019-06-15 14:46:08 +10:00
const { restrict } = require('../lib/auth');
2018-02-05 23:20:44 +10:00
const colors = require('colors');
const bcrypt = require('bcryptjs');
2019-11-16 19:37:48 +10:00
const { validateJson } = require('../lib/schema');
2018-02-05 23:20:44 +10:00
const router = express.Router();
2019-11-09 09:18:32 +10:00
router.get('/admin/users', restrict, async (req, res) => {
2018-02-05 23:20:44 +10:00
const db = req.app.db;
2019-11-09 09:18:32 +10:00
const users = await db.users.find({}, { projection: { userPassword: 0 } }).toArray();
if(req.apiAuthenticated){
res.status(200).json(users);
return;
}
res.render('users', {
title: 'Users',
users: users,
admin: true,
config: req.app.config,
isAdmin: req.session.isAdmin,
helpers: req.handlebars.helpers,
session: req.session,
message: common.clearSessionValue(req.session, 'message'),
messageType: common.clearSessionValue(req.session, 'messageType')
2018-02-05 23:20:44 +10:00
});
});
// edit user
2019-11-09 09:18:32 +10:00
router.get('/admin/user/edit/:id', restrict, async (req, res) => {
2018-02-05 23:20:44 +10:00
const db = req.app.db;
2019-11-09 09:18:32 +10:00
const user = await db.users.findOne({ _id: common.getId(req.params.id) });
2019-11-06 20:57:00 +10:00
2019-11-09 09:18:32 +10:00
// Check user is found
if(!user){
if(req.apiAuthenticated){
res.status(400).json({ message: 'User not found' });
2019-11-06 20:57:00 +10:00
return;
2019-11-07 16:36:20 +10:00
}
2019-11-09 09:18:32 +10:00
req.session.message = 'User not found';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return;
}
// if the user we want to edit is not the current logged in user and the current user is not
// an admin we render an access denied message
if(user.userEmail !== req.session.user && req.session.isAdmin === false){
if(req.apiAuthenticated){
res.status(400).json({ message: 'Access denied' });
2018-02-05 23:20:44 +10:00
return;
}
2019-11-09 09:18:32 +10:00
req.session.message = 'Access denied';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return;
}
2020-01-01 19:26:21 +10:00
res.render('user-edit', {
2019-11-09 09:18:32 +10:00
title: 'User edit',
user: user,
admin: true,
session: req.session,
message: common.clearSessionValue(req.session, 'message'),
messageType: common.clearSessionValue(req.session, 'messageType'),
helpers: req.handlebars.helpers,
config: req.app.config
2018-02-05 23:20:44 +10:00
});
});
// users new
2019-06-15 14:46:08 +10:00
router.get('/admin/user/new', restrict, (req, res) => {
2020-01-01 19:26:21 +10:00
res.render('user-new', {
2018-02-05 23:20:44 +10:00
title: 'User - New',
admin: true,
session: req.session,
helpers: req.handlebars.helpers,
message: common.clearSessionValue(req.session, 'message'),
messageType: common.clearSessionValue(req.session, 'messageType'),
2018-02-23 03:41:24 +10:00
config: req.app.config
2018-02-05 23:20:44 +10:00
});
});
2019-12-30 12:48:45 +10:00
// delete a user
2019-12-16 14:45:02 +10:00
router.post('/admin/user/delete', restrict, async (req, res) => {
2018-02-05 23:20:44 +10:00
const db = req.app.db;
2019-11-06 20:57:00 +10:00
// userId
2019-11-07 16:36:20 +10:00
if(req.session.isAdmin !== true){
2019-12-16 14:45:02 +10:00
res.status(400).json({ message: 'Access denied' });
2019-11-07 16:36:20 +10:00
return;
}
2019-11-06 20:57:00 +10:00
2019-11-07 16:36:20 +10:00
// Cannot delete your own account
2019-12-16 14:45:02 +10:00
if(req.session.userId === req.body.userId){
res.status(400).json({ message: 'Unable to delete own user account' });
2019-11-07 16:36:20 +10:00
return;
}
2019-12-16 14:45:02 +10:00
const user = await db.users.findOne({ _id: common.getId(req.body.userId) });
2019-11-07 16:36:20 +10:00
// If user is not found
if(!user){
2019-12-16 14:45:02 +10:00
res.status(400).json({ message: 'User not found.' });
2019-11-07 16:36:20 +10:00
return;
}
// Cannot delete the original user/owner
if(user.isOwner){
2019-12-16 14:45:02 +10:00
res.status(400).json({ message: 'Access denied.' });
2019-11-07 16:36:20 +10:00
return;
2018-02-05 23:20:44 +10:00
}
2019-11-07 16:36:20 +10:00
2019-11-09 09:18:32 +10:00
try{
2019-12-16 14:45:02 +10:00
await db.users.deleteOne({ _id: common.getId(req.body.userId) }, {});
res.status(200).json({ message: 'User deleted.' });
return;
2019-11-09 09:18:32 +10:00
}catch(ex){
console.log('Failed to delete user', ex);
2019-12-16 14:45:02 +10:00
res.status(200).json({ message: 'Cannot delete user' });
return;
2019-11-09 09:18:32 +10:00
};
2018-02-05 23:20:44 +10:00
});
// update a user
2019-11-09 09:18:32 +10:00
router.post('/admin/user/update', restrict, async (req, res) => {
2018-02-05 23:20:44 +10:00
const db = req.app.db;
let isAdmin = req.body.userAdmin === 'on';
2018-02-05 23:20:44 +10:00
// get the user we want to update
2019-11-09 09:18:32 +10:00
const user = await db.users.findOne({ _id: common.getId(req.body.userId) });
2019-11-09 09:18:32 +10:00
// If user not found
if(!user){
res.status(400).json({ message: 'User not found' });
2019-11-09 09:18:32 +10:00
return;
}
// If the current user changing own account ensure isAdmin retains existing
if(user.userEmail === req.session.user){
isAdmin = user.isAdmin;
}
// if the user we want to edit is not the current logged in user and the current user is not
// an admin we render an access denied message
if(user.userEmail !== req.session.user && req.session.isAdmin === false){
res.status(400).json({ message: 'Access denied' });
2019-11-09 09:18:32 +10:00
return;
}
// create the update doc
const updateDoc = {};
updateDoc.isAdmin = isAdmin;
2019-11-16 19:57:50 +10:00
if(req.body.usersName){
updateDoc.usersName = req.body.usersName;
}
if(req.body.userEmail){
updateDoc.userEmail = req.body.userEmail;
}
2019-11-09 09:18:32 +10:00
if(req.body.userPassword){
updateDoc.userPassword = bcrypt.hashSync(req.body.userPassword);
}
2018-02-05 23:20:44 +10:00
2019-11-16 19:37:48 +10:00
// Validate update user
const schemaResult = validateJson('editUser', updateDoc);
if(!schemaResult.result){
res.status(400).json({
message: 'Failed to create user. Check inputs.',
error: schemaResult.errors
});
2019-11-16 19:37:48 +10:00
return;
}
2019-11-09 09:18:32 +10:00
try{
2019-11-16 19:57:50 +10:00
const updatedUser = await db.users.findOneAndUpdate(
2019-11-09 09:18:32 +10:00
{ _id: common.getId(req.body.userId) },
2018-02-05 23:20:44 +10:00
{
$set: updateDoc
2019-11-16 19:57:50 +10:00
}, { multi: false, returnOriginal: false }
2019-11-09 09:18:32 +10:00
);
const returnUser = updatedUser.value;
delete returnUser.userPassword;
delete returnUser.apiKey;
res.status(200).json({ message: 'User account updated', user: updatedUser.value });
return;
2019-11-09 09:18:32 +10:00
}catch(ex){
2019-11-16 19:57:50 +10:00
console.error(colors.red('Failed updating user: ' + ex));
res.status(400).json({ message: 'Failed to update user' });
2019-11-09 09:18:32 +10:00
}
2018-02-05 23:20:44 +10:00
});
// insert a user
2019-11-09 09:18:32 +10:00
router.post('/admin/user/insert', restrict, async (req, res) => {
2018-02-05 23:20:44 +10:00
const db = req.app.db;
// Check number of users
2019-11-09 09:18:32 +10:00
const userCount = await db.users.countDocuments({});
let isAdmin = false;
// if no users, setup user as admin
if(userCount === 0){
isAdmin = true;
}
2019-11-16 19:37:48 +10:00
const userObj = {
2019-11-09 09:18:32 +10:00
usersName: req.body.usersName,
userEmail: req.body.userEmail,
userPassword: bcrypt.hashSync(req.body.userPassword, 10),
isAdmin: isAdmin
};
2019-11-16 19:37:48 +10:00
// Validate new user
const schemaResult = validateJson('newUser', userObj);
if(!schemaResult.result){
res.status(400).json({ message: 'Failed to create user. Check inputs.', error: schemaResult.errors });
2019-11-16 19:37:48 +10:00
return;
}
2019-11-09 09:18:32 +10:00
// check for existing user
const user = await db.users.findOne({ userEmail: req.body.userEmail });
if(user){
2019-11-09 10:21:07 +10:00
console.error(colors.red('Failed to insert user, possibly already exists'));
res.status(400).json({ message: 'A user with that email address already exists' });
2019-11-09 09:18:32 +10:00
return;
}
// email is ok to be used.
try{
const newUser = await db.users.insertOne(userObj);
res.status(200).json({
message: 'User account inserted',
userId: newUser.insertedId
});
2019-11-09 09:18:32 +10:00
}catch(ex){
2019-11-16 19:37:48 +10:00
console.error(colors.red('Failed to insert user: ' + ex));
res.status(400).json({ message: 'New user creation failed' });
2019-11-09 09:18:32 +10:00
}
2018-02-05 23:20:44 +10:00
});
module.exports = router;