Refactor user route

master
Mark Moffat 2019-11-09 09:48:32 +10:30
parent f43005de8b
commit 1deb54d525
1 changed files with 200 additions and 137 deletions

View File

@ -5,12 +5,15 @@ const colors = require('colors');
const bcrypt = require('bcryptjs'); const bcrypt = require('bcryptjs');
const router = express.Router(); const router = express.Router();
router.get('/admin/users', restrict, (req, res) => { router.get('/admin/users', restrict, async (req, res) => {
const db = req.app.db; const db = req.app.db;
db.users.find({}).toArray((err, users) => { const users = await db.users.find({}, { projection: { userPassword: 0 } }).toArray();
if(err){
console.info(err.stack); if(req.apiAuthenticated){
res.status(200).json(users);
return;
} }
res.render('users', { res.render('users', {
title: 'Users', title: 'Users',
users: users, users: users,
@ -23,18 +26,19 @@ router.get('/admin/users', restrict, (req, res) => {
messageType: common.clearSessionValue(req.session, 'messageType') messageType: common.clearSessionValue(req.session, 'messageType')
}); });
}); });
});
// edit user // edit user
router.get('/admin/user/edit/:id', restrict, (req, res) => { router.get('/admin/user/edit/:id', restrict, async (req, res) => {
const db = req.app.db; const db = req.app.db;
db.users.findOne({ _id: common.getId(req.params.id) }, (err, user) => { const user = await db.users.findOne({ _id: common.getId(req.params.id) });
if(err){
console.info(err.stack);
}
// Check user is found // Check user is found
if(!user){ if(!user){
if(req.apiAuthenticated){
res.status(400).json({ message: 'User not found' });
return;
}
req.session.message = 'User not found'; req.session.message = 'User not found';
req.session.messageType = 'danger'; req.session.messageType = 'danger';
res.redirect('/admin/users'); res.redirect('/admin/users');
@ -44,6 +48,11 @@ router.get('/admin/user/edit/:id', restrict, (req, res) => {
// if the user we want to edit is not the current logged in user and the current user is not // if the user we want to edit is not the current logged in user and the current user is not
// an admin we render an access denied message // an admin we render an access denied message
if(user.userEmail !== req.session.user && req.session.isAdmin === false){ if(user.userEmail !== req.session.user && req.session.isAdmin === false){
if(req.apiAuthenticated){
res.status(400).json({ message: 'Access denied' });
return;
}
req.session.message = 'Access denied'; req.session.message = 'Access denied';
req.session.messageType = 'danger'; req.session.messageType = 'danger';
res.redirect('/admin/users'); res.redirect('/admin/users');
@ -61,7 +70,6 @@ router.get('/admin/user/edit/:id', restrict, (req, res) => {
config: req.app.config config: req.app.config
}); });
}); });
});
// users new // users new
router.get('/admin/user/new', restrict, (req, res) => { router.get('/admin/user/new', restrict, (req, res) => {
@ -82,6 +90,11 @@ router.get('/admin/user/delete/:id', restrict, async (req, res) => {
// userId // userId
if(req.session.isAdmin !== true){ if(req.session.isAdmin !== true){
if(req.apiAuthenticated){
res.status(400).json({ message: 'Access denied' });
return;
}
req.session.message = 'Access denied.'; req.session.message = 'Access denied.';
req.session.messageType = 'danger'; req.session.messageType = 'danger';
res.redirect('/admin/users'); res.redirect('/admin/users');
@ -90,6 +103,11 @@ router.get('/admin/user/delete/:id', restrict, async (req, res) => {
// Cannot delete your own account // Cannot delete your own account
if(req.session.userId === req.params.id){ if(req.session.userId === req.params.id){
if(req.apiAuthenticated){
res.status(400).json({ message: 'Unable to delete own user account' });
return;
}
req.session.message = 'Unable to delete own user account.'; req.session.message = 'Unable to delete own user account.';
req.session.messageType = 'danger'; req.session.messageType = 'danger';
res.redirect('/admin/users'); res.redirect('/admin/users');
@ -100,6 +118,11 @@ router.get('/admin/user/delete/:id', restrict, async (req, res) => {
// If user is not found // If user is not found
if(!user){ if(!user){
if(req.apiAuthenticated){
res.status(400).json({ message: 'User not found.' });
return;
}
req.session.message = 'User not found.'; req.session.message = 'User not found.';
req.session.messageType = 'danger'; req.session.messageType = 'danger';
res.redirect('/admin/users'); res.redirect('/admin/users');
@ -108,32 +131,58 @@ router.get('/admin/user/delete/:id', restrict, async (req, res) => {
// Cannot delete the original user/owner // Cannot delete the original user/owner
if(user.isOwner){ if(user.isOwner){
if(req.apiAuthenticated){
res.status(400).json({ message: 'Access denied.' });
return;
}
req.session.message = 'Access denied.'; req.session.message = 'Access denied.';
req.session.messageType = 'danger'; req.session.messageType = 'danger';
res.redirect('/admin/users'); res.redirect('/admin/users');
return; return;
} }
db.users.deleteOne({ _id: common.getId(req.params.id) }, {}, (err, numRemoved) => { try{
if(err){ await db.users.deleteOne({ _id: common.getId(req.params.id) }, {});
console.info(err.stack); if(req.apiAuthenticated){
res.status(200).json({ message: 'User deleted.' });
return;
} }
req.session.message = 'User deleted.'; req.session.message = 'User deleted.';
req.session.messageType = 'success'; req.session.messageType = 'success';
res.redirect('/admin/users'); res.redirect('/admin/users');
}); }catch(ex){
console.log('Failed to delete user', ex);
if(req.apiAuthenticated){
res.status(200).json({ message: 'Cannot delete user' });
return;
}
req.session.message = 'Cannot delete user';
req.session.messageType = 'danger';
res.redirect('/admin/users');
};
}); });
// update a user // update a user
router.post('/admin/user/update', restrict, (req, res) => { router.post('/admin/user/update', restrict, async (req, res) => {
const db = req.app.db; const db = req.app.db;
let isAdmin = req.body.user_admin === 'on'; let isAdmin = req.body.user_admin === 'on';
// get the user we want to update // get the user we want to update
db.users.findOne({ _id: common.getId(req.body.userId) }, (err, user) => { const user = await db.users.findOne({ _id: common.getId(req.body.userId) });
if(err){
console.info(err.stack); // If user not found
if(!user){
if(req.apiAuthenticated){
res.status(400).json({ message: 'User not found' });
return;
}
req.session.message = 'User not found';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return;
} }
// If the current user changing own account ensure isAdmin retains existing // If the current user changing own account ensure isAdmin retains existing
@ -144,6 +193,11 @@ router.post('/admin/user/update', restrict, (req, res) => {
// if the user we want to edit is not the current logged in user and the current user is not // if the user we want to edit is not the current logged in user and the current user is not
// an admin we render an access denied message // an admin we render an access denied message
if(user.userEmail !== req.session.user && req.session.isAdmin === false){ if(user.userEmail !== req.session.user && req.session.isAdmin === false){
if(req.apiAuthenticated){
res.status(400).json({ message: 'Access denied' });
return;
}
req.session.message = 'Access denied'; req.session.message = 'Access denied';
req.session.messageType = 'danger'; req.session.messageType = 'danger';
res.redirect('/admin/users'); res.redirect('/admin/users');
@ -158,34 +212,42 @@ router.post('/admin/user/update', restrict, (req, res) => {
updateDoc.userPassword = bcrypt.hashSync(req.body.userPassword); updateDoc.userPassword = bcrypt.hashSync(req.body.userPassword);
} }
db.users.updateOne({ _id: common.getId(req.body.userId) }, try{
await db.users.updateOne(
{ _id: common.getId(req.body.userId) },
{ {
$set: updateDoc $set: updateDoc
}, { multi: false }, (err, numReplaced) => { }, { multi: false }
if(err){ );
console.error(colors.red('Failed updating user: ' + err)); if(req.apiAuthenticated){
req.session.message = 'Failed to update user'; res.status(200).json({ message: 'User account updated.' });
req.session.messageType = 'danger'; return;
res.redirect('/admin/user/edit/' + req.body.userId); }
}else{
// show the view // show the view
req.session.message = 'User account updated.'; req.session.message = 'User account updated.';
req.session.messageType = 'success'; req.session.messageType = 'success';
res.redirect('/admin/user/edit/' + req.body.userId); res.redirect('/admin/user/edit/' + req.body.userId);
}catch(ex){
if(req.apiAuthenticated){
res.status(400).json({ message: 'Failed to update user' });
return;
}
console.error(colors.red('Failed updating user: ' + ex));
req.session.message = 'Failed to update user';
req.session.messageType = 'danger';
res.redirect('/admin/user/edit/' + req.body.userId);
} }
});
});
}); });
// insert a user // insert a user
router.post('/admin/user/insert', restrict, (req, res) => { router.post('/admin/user/insert', restrict, async (req, res) => {
const db = req.app.db; const db = req.app.db;
// set the account to admin if using the setup form. Eg: First user account // set the account to admin if using the setup form. Eg: First user account
const urlParts = new URL(req.header('Referer')); const urlParts = new URL(req.header('Referer'));
// Check number of users // Check number of users
db.users.countDocuments({}, (err, userCount) => { const userCount = await db.users.countDocuments({});
let isAdmin = false; let isAdmin = false;
// if no users, setup user as admin // if no users, setup user as admin
@ -201,8 +263,12 @@ router.post('/admin/user/insert', restrict, (req, res) => {
}; };
// check for existing user // check for existing user
db.users.findOne({ userEmail: req.body.userEmail }, (err, user) => { const user = await db.users.findOne({ userEmail: req.body.userEmail });
if(user){ if(user){
if(req.apiAuthenticated){
res.status(400).json({ message: 'A user with that email address already exists' });
return;
}
// user already exists with that email address // user already exists with that email address
console.error(colors.red('Failed to insert user, possibly already exists: ' + err)); console.error(colors.red('Failed to insert user, possibly already exists: ' + err));
req.session.message = 'A user with that email address already exists'; req.session.message = 'A user with that email address already exists';
@ -211,25 +277,8 @@ router.post('/admin/user/insert', restrict, (req, res) => {
return; return;
} }
// email is ok to be used. // email is ok to be used.
db.users.insertOne(doc, (err, doc) => { try{
// show the view await db.users.insertOne(doc);
if(err){
if(doc){
console.error(colors.red('Failed to insert user: ' + err));
req.session.message = 'User exists';
req.session.messageType = 'danger';
res.redirect('/admin/user/edit/' + doc._id);
return;
}
console.error(colors.red('Failed to insert user: ' + err));
req.session.message = 'New user creation failed';
req.session.messageType = 'danger';
res.redirect('/admin/user/new');
return;
}
req.session.message = 'User account inserted';
req.session.messageType = 'success';
// if from setup we add user to session and redirect to login. // if from setup we add user to session and redirect to login.
// Otherwise we show users screen // Otherwise we show users screen
if(urlParts.path === '/admin/setup'){ if(urlParts.path === '/admin/setup'){
@ -237,10 +286,24 @@ router.post('/admin/user/insert', restrict, (req, res) => {
res.redirect('/admin/login'); res.redirect('/admin/login');
return; return;
} }
if(req.apiAuthenticated){
res.status(200).json({ message: 'User account inserted' });
return;
}
req.session.message = 'User account inserted';
req.session.messageType = 'success';
res.redirect('/admin/users'); res.redirect('/admin/users');
}); }catch(ex){
}); if(req.apiAuthenticated){
}); res.status(400).json({ message: 'New user creation failed' });
return;
}
console.error(colors.red('Failed to insert user: ' + ex));
req.session.message = 'New user creation failed';
req.session.messageType = 'danger';
res.redirect('/admin/user/new');
}
}); });
module.exports = router; module.exports = router;