Stopped deleting of own user account

master
Mark Moffat 2019-11-06 21:27:00 +10:30
parent 060e2a74f9
commit 001c015c36
1 changed files with 20 additions and 2 deletions

View File

@ -32,12 +32,21 @@ router.get('/admin/user/edit/:id', restrict, (req, res) => {
if(err){ if(err){
console.info(err.stack); console.info(err.stack);
} }
// Check user is found
if(!user){
req.session.message = 'User not found';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return;
}
// if the user we want to edit is not the current logged in user and the current user is not // if the user we want to edit is not the current logged in user and the current user is not
// an admin we render an access denied message // an admin we render an access denied message
if(user.userEmail !== req.session.user && req.session.isAdmin === false){ if(user.userEmail !== req.session.user && req.session.isAdmin === false){
req.session.message = 'Access denied'; req.session.message = 'Access denied';
req.session.messageType = 'danger'; req.session.messageType = 'danger';
res.redirect('/Users/'); res.redirect('/admin/users');
return; return;
} }
@ -70,7 +79,16 @@ router.get('/admin/user/new', restrict, (req, res) => {
// delete user // delete user
router.get('/admin/user/delete/:id', restrict, (req, res) => { router.get('/admin/user/delete/:id', restrict, (req, res) => {
const db = req.app.db; const db = req.app.db;
// userId
if(req.session.isAdmin === true){ if(req.session.isAdmin === true){
if(req.session.userId === req.params.id){
req.session.message = 'You can\'t delete your own user account.';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return;
}
db.users.deleteOne({ _id: common.getId(req.params.id) }, {}, (err, numRemoved) => { db.users.deleteOne({ _id: common.getId(req.params.id) }, {}, (err, numRemoved) => {
if(err){ if(err){
console.info(err.stack); console.info(err.stack);
@ -108,7 +126,7 @@ router.post('/admin/user/update', restrict, (req, res) => {
if(user.userEmail !== req.session.user && req.session.isAdmin === false){ if(user.userEmail !== req.session.user && req.session.isAdmin === false){
req.session.message = 'Access denied'; req.session.message = 'Access denied';
req.session.messageType = 'danger'; req.session.messageType = 'danger';
res.redirect('/admin/users/'); res.redirect('/admin/users');
return; return;
} }