Refactor user route
Mark Moffat
parent
f43005de8b
commit
1deb54d525
171
routes/user.js
171
routes/user.js
|
|
@ -5,12 +5,15 @@ const colors = require('colors');
|
||||||
const bcrypt = require('bcryptjs');
|
const bcrypt = require('bcryptjs');
|
||||||
const router = express.Router();
|
const router = express.Router();
|
||||||
|
|
||||||
router.get('/admin/users', restrict, (req, res) => {
|
router.get('/admin/users', restrict, async (req, res) => {
|
||||||
const db = req.app.db;
|
const db = req.app.db;
|
||||||
db.users.find({}).toArray((err, users) => {
|
const users = await db.users.find({}, { projection: { userPassword: 0 } }).toArray();
|
||||||
if(err){
|
|
||||||
console.info(err.stack);
|
if(req.apiAuthenticated){
|
||||||
|
res.status(200).json(users);
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
res.render('users', {
|
res.render('users', {
|
||||||
title: 'Users',
|
title: 'Users',
|
||||||
users: users,
|
users: users,
|
||||||
|
|
@ -22,19 +25,20 @@ router.get('/admin/users', restrict, (req, res) => {
|
||||||
message: common.clearSessionValue(req.session, 'message'),
|
message: common.clearSessionValue(req.session, 'message'),
|
||||||
messageType: common.clearSessionValue(req.session, 'messageType')
|
messageType: common.clearSessionValue(req.session, 'messageType')
|
||||||
});
|
});
|
||||||
});
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// edit user
|
// edit user
|
||||||
router.get('/admin/user/edit/:id', restrict, (req, res) => {
|
router.get('/admin/user/edit/:id', restrict, async (req, res) => {
|
||||||
const db = req.app.db;
|
const db = req.app.db;
|
||||||
db.users.findOne({ _id: common.getId(req.params.id) }, (err, user) => {
|
const user = await db.users.findOne({ _id: common.getId(req.params.id) });
|
||||||
if(err){
|
|
||||||
console.info(err.stack);
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check user is found
|
// Check user is found
|
||||||
if(!user){
|
if(!user){
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(400).json({ message: 'User not found' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
req.session.message = 'User not found';
|
req.session.message = 'User not found';
|
||||||
req.session.messageType = 'danger';
|
req.session.messageType = 'danger';
|
||||||
res.redirect('/admin/users');
|
res.redirect('/admin/users');
|
||||||
|
|
@ -44,6 +48,11 @@ router.get('/admin/user/edit/:id', restrict, (req, res) => {
|
||||||
// if the user we want to edit is not the current logged in user and the current user is not
|
// if the user we want to edit is not the current logged in user and the current user is not
|
||||||
// an admin we render an access denied message
|
// an admin we render an access denied message
|
||||||
if(user.userEmail !== req.session.user && req.session.isAdmin === false){
|
if(user.userEmail !== req.session.user && req.session.isAdmin === false){
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(400).json({ message: 'Access denied' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
req.session.message = 'Access denied';
|
req.session.message = 'Access denied';
|
||||||
req.session.messageType = 'danger';
|
req.session.messageType = 'danger';
|
||||||
res.redirect('/admin/users');
|
res.redirect('/admin/users');
|
||||||
|
|
@ -60,7 +69,6 @@ router.get('/admin/user/edit/:id', restrict, (req, res) => {
|
||||||
helpers: req.handlebars.helpers,
|
helpers: req.handlebars.helpers,
|
||||||
config: req.app.config
|
config: req.app.config
|
||||||
});
|
});
|
||||||
});
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// users new
|
// users new
|
||||||
|
|
@ -82,6 +90,11 @@ router.get('/admin/user/delete/:id', restrict, async (req, res) => {
|
||||||
|
|
||||||
// userId
|
// userId
|
||||||
if(req.session.isAdmin !== true){
|
if(req.session.isAdmin !== true){
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(400).json({ message: 'Access denied' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
req.session.message = 'Access denied.';
|
req.session.message = 'Access denied.';
|
||||||
req.session.messageType = 'danger';
|
req.session.messageType = 'danger';
|
||||||
res.redirect('/admin/users');
|
res.redirect('/admin/users');
|
||||||
|
|
@ -90,6 +103,11 @@ router.get('/admin/user/delete/:id', restrict, async (req, res) => {
|
||||||
|
|
||||||
// Cannot delete your own account
|
// Cannot delete your own account
|
||||||
if(req.session.userId === req.params.id){
|
if(req.session.userId === req.params.id){
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(400).json({ message: 'Unable to delete own user account' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
req.session.message = 'Unable to delete own user account.';
|
req.session.message = 'Unable to delete own user account.';
|
||||||
req.session.messageType = 'danger';
|
req.session.messageType = 'danger';
|
||||||
res.redirect('/admin/users');
|
res.redirect('/admin/users');
|
||||||
|
|
@ -100,6 +118,11 @@ router.get('/admin/user/delete/:id', restrict, async (req, res) => {
|
||||||
|
|
||||||
// If user is not found
|
// If user is not found
|
||||||
if(!user){
|
if(!user){
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(400).json({ message: 'User not found.' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
req.session.message = 'User not found.';
|
req.session.message = 'User not found.';
|
||||||
req.session.messageType = 'danger';
|
req.session.messageType = 'danger';
|
||||||
res.redirect('/admin/users');
|
res.redirect('/admin/users');
|
||||||
|
|
@ -108,32 +131,58 @@ router.get('/admin/user/delete/:id', restrict, async (req, res) => {
|
||||||
|
|
||||||
// Cannot delete the original user/owner
|
// Cannot delete the original user/owner
|
||||||
if(user.isOwner){
|
if(user.isOwner){
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(400).json({ message: 'Access denied.' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
req.session.message = 'Access denied.';
|
req.session.message = 'Access denied.';
|
||||||
req.session.messageType = 'danger';
|
req.session.messageType = 'danger';
|
||||||
res.redirect('/admin/users');
|
res.redirect('/admin/users');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
db.users.deleteOne({ _id: common.getId(req.params.id) }, {}, (err, numRemoved) => {
|
try{
|
||||||
if(err){
|
await db.users.deleteOne({ _id: common.getId(req.params.id) }, {});
|
||||||
console.info(err.stack);
|
if(req.apiAuthenticated){
|
||||||
|
res.status(200).json({ message: 'User deleted.' });
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
req.session.message = 'User deleted.';
|
req.session.message = 'User deleted.';
|
||||||
req.session.messageType = 'success';
|
req.session.messageType = 'success';
|
||||||
res.redirect('/admin/users');
|
res.redirect('/admin/users');
|
||||||
});
|
}catch(ex){
|
||||||
|
console.log('Failed to delete user', ex);
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(200).json({ message: 'Cannot delete user' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
req.session.message = 'Cannot delete user';
|
||||||
|
req.session.messageType = 'danger';
|
||||||
|
res.redirect('/admin/users');
|
||||||
|
};
|
||||||
});
|
});
|
||||||
|
|
||||||
// update a user
|
// update a user
|
||||||
router.post('/admin/user/update', restrict, (req, res) => {
|
router.post('/admin/user/update', restrict, async (req, res) => {
|
||||||
const db = req.app.db;
|
const db = req.app.db;
|
||||||
|
|
||||||
let isAdmin = req.body.user_admin === 'on';
|
let isAdmin = req.body.user_admin === 'on';
|
||||||
|
|
||||||
// get the user we want to update
|
// get the user we want to update
|
||||||
db.users.findOne({ _id: common.getId(req.body.userId) }, (err, user) => {
|
const user = await db.users.findOne({ _id: common.getId(req.body.userId) });
|
||||||
if(err){
|
|
||||||
console.info(err.stack);
|
// If user not found
|
||||||
|
if(!user){
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(400).json({ message: 'User not found' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
req.session.message = 'User not found';
|
||||||
|
req.session.messageType = 'danger';
|
||||||
|
res.redirect('/admin/users');
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If the current user changing own account ensure isAdmin retains existing
|
// If the current user changing own account ensure isAdmin retains existing
|
||||||
|
|
@ -144,6 +193,11 @@ router.post('/admin/user/update', restrict, (req, res) => {
|
||||||
// if the user we want to edit is not the current logged in user and the current user is not
|
// if the user we want to edit is not the current logged in user and the current user is not
|
||||||
// an admin we render an access denied message
|
// an admin we render an access denied message
|
||||||
if(user.userEmail !== req.session.user && req.session.isAdmin === false){
|
if(user.userEmail !== req.session.user && req.session.isAdmin === false){
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(400).json({ message: 'Access denied' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
req.session.message = 'Access denied';
|
req.session.message = 'Access denied';
|
||||||
req.session.messageType = 'danger';
|
req.session.messageType = 'danger';
|
||||||
res.redirect('/admin/users');
|
res.redirect('/admin/users');
|
||||||
|
|
@ -158,34 +212,42 @@ router.post('/admin/user/update', restrict, (req, res) => {
|
||||||
updateDoc.userPassword = bcrypt.hashSync(req.body.userPassword);
|
updateDoc.userPassword = bcrypt.hashSync(req.body.userPassword);
|
||||||
}
|
}
|
||||||
|
|
||||||
db.users.updateOne({ _id: common.getId(req.body.userId) },
|
try{
|
||||||
|
await db.users.updateOne(
|
||||||
|
{ _id: common.getId(req.body.userId) },
|
||||||
{
|
{
|
||||||
$set: updateDoc
|
$set: updateDoc
|
||||||
}, { multi: false }, (err, numReplaced) => {
|
}, { multi: false }
|
||||||
if(err){
|
);
|
||||||
console.error(colors.red('Failed updating user: ' + err));
|
if(req.apiAuthenticated){
|
||||||
req.session.message = 'Failed to update user';
|
res.status(200).json({ message: 'User account updated.' });
|
||||||
req.session.messageType = 'danger';
|
return;
|
||||||
res.redirect('/admin/user/edit/' + req.body.userId);
|
}
|
||||||
}else{
|
|
||||||
// show the view
|
// show the view
|
||||||
req.session.message = 'User account updated.';
|
req.session.message = 'User account updated.';
|
||||||
req.session.messageType = 'success';
|
req.session.messageType = 'success';
|
||||||
res.redirect('/admin/user/edit/' + req.body.userId);
|
res.redirect('/admin/user/edit/' + req.body.userId);
|
||||||
|
}catch(ex){
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(400).json({ message: 'Failed to update user' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
console.error(colors.red('Failed updating user: ' + ex));
|
||||||
|
req.session.message = 'Failed to update user';
|
||||||
|
req.session.messageType = 'danger';
|
||||||
|
res.redirect('/admin/user/edit/' + req.body.userId);
|
||||||
}
|
}
|
||||||
});
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// insert a user
|
// insert a user
|
||||||
router.post('/admin/user/insert', restrict, (req, res) => {
|
router.post('/admin/user/insert', restrict, async (req, res) => {
|
||||||
const db = req.app.db;
|
const db = req.app.db;
|
||||||
|
|
||||||
// set the account to admin if using the setup form. Eg: First user account
|
// set the account to admin if using the setup form. Eg: First user account
|
||||||
const urlParts = new URL(req.header('Referer'));
|
const urlParts = new URL(req.header('Referer'));
|
||||||
|
|
||||||
// Check number of users
|
// Check number of users
|
||||||
db.users.countDocuments({}, (err, userCount) => {
|
const userCount = await db.users.countDocuments({});
|
||||||
let isAdmin = false;
|
let isAdmin = false;
|
||||||
|
|
||||||
// if no users, setup user as admin
|
// if no users, setup user as admin
|
||||||
|
|
@ -201,8 +263,12 @@ router.post('/admin/user/insert', restrict, (req, res) => {
|
||||||
};
|
};
|
||||||
|
|
||||||
// check for existing user
|
// check for existing user
|
||||||
db.users.findOne({ userEmail: req.body.userEmail }, (err, user) => {
|
const user = await db.users.findOne({ userEmail: req.body.userEmail });
|
||||||
if(user){
|
if(user){
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(400).json({ message: 'A user with that email address already exists' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
// user already exists with that email address
|
// user already exists with that email address
|
||||||
console.error(colors.red('Failed to insert user, possibly already exists: ' + err));
|
console.error(colors.red('Failed to insert user, possibly already exists: ' + err));
|
||||||
req.session.message = 'A user with that email address already exists';
|
req.session.message = 'A user with that email address already exists';
|
||||||
|
|
@ -211,25 +277,8 @@ router.post('/admin/user/insert', restrict, (req, res) => {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
// email is ok to be used.
|
// email is ok to be used.
|
||||||
db.users.insertOne(doc, (err, doc) => {
|
try{
|
||||||
// show the view
|
await db.users.insertOne(doc);
|
||||||
if(err){
|
|
||||||
if(doc){
|
|
||||||
console.error(colors.red('Failed to insert user: ' + err));
|
|
||||||
req.session.message = 'User exists';
|
|
||||||
req.session.messageType = 'danger';
|
|
||||||
res.redirect('/admin/user/edit/' + doc._id);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
console.error(colors.red('Failed to insert user: ' + err));
|
|
||||||
req.session.message = 'New user creation failed';
|
|
||||||
req.session.messageType = 'danger';
|
|
||||||
res.redirect('/admin/user/new');
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
req.session.message = 'User account inserted';
|
|
||||||
req.session.messageType = 'success';
|
|
||||||
|
|
||||||
// if from setup we add user to session and redirect to login.
|
// if from setup we add user to session and redirect to login.
|
||||||
// Otherwise we show users screen
|
// Otherwise we show users screen
|
||||||
if(urlParts.path === '/admin/setup'){
|
if(urlParts.path === '/admin/setup'){
|
||||||
|
|
@ -237,10 +286,24 @@ router.post('/admin/user/insert', restrict, (req, res) => {
|
||||||
res.redirect('/admin/login');
|
res.redirect('/admin/login');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
if(req.apiAuthenticated){
|
||||||
|
res.status(200).json({ message: 'User account inserted' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
req.session.message = 'User account inserted';
|
||||||
|
req.session.messageType = 'success';
|
||||||
res.redirect('/admin/users');
|
res.redirect('/admin/users');
|
||||||
});
|
}catch(ex){
|
||||||
});
|
if(req.apiAuthenticated){
|
||||||
});
|
res.status(400).json({ message: 'New user creation failed' });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
console.error(colors.red('Failed to insert user: ' + ex));
|
||||||
|
req.session.message = 'New user creation failed';
|
||||||
|
req.session.messageType = 'danger';
|
||||||
|
res.redirect('/admin/user/new');
|
||||||
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
module.exports = router;
|
module.exports = router;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue