Enhancing user management
parent
001c015c36
commit
22c4362dc4
|
@ -101,7 +101,8 @@
|
|||
"usersName" : "test",
|
||||
"userEmail" : "test@test.com",
|
||||
"userPassword" : "$2a$10$7jQx/hQOWrRni531b/dHRuH8o1ZP8Yo8g..GpTOF4M7RrEH/pzTMy",
|
||||
"isAdmin" : true
|
||||
"isAdmin" : true,
|
||||
"isOwner": true
|
||||
}
|
||||
],
|
||||
"orders": [
|
||||
|
|
|
@ -107,7 +107,8 @@ router.post('/admin/setup_action', async (req, res) => {
|
|||
usersName: req.body.usersName,
|
||||
userEmail: req.body.userEmail,
|
||||
userPassword: bcrypt.hashSync(req.body.userPassword, 10),
|
||||
isAdmin: true
|
||||
isAdmin: true,
|
||||
isOwner: true
|
||||
};
|
||||
|
||||
// check for users
|
||||
|
|
|
@ -41,6 +41,14 @@ router.get('/admin/user/edit/:id', restrict, (req, res) => {
|
|||
return;
|
||||
}
|
||||
|
||||
// Cannot edit the original user/owner
|
||||
if(user._id !== req.session.userId && user.isOwner){
|
||||
req.session.message = 'Access denied.';
|
||||
req.session.messageType = 'danger';
|
||||
res.redirect('/admin/users');
|
||||
return;
|
||||
}
|
||||
|
||||
// if the user we want to edit is not the current logged in user and the current user is not
|
||||
// an admin we render an access denied message
|
||||
if(user.userEmail !== req.session.user && req.session.isAdmin === false){
|
||||
|
@ -77,13 +85,38 @@ router.get('/admin/user/new', restrict, (req, res) => {
|
|||
});
|
||||
|
||||
// delete user
|
||||
router.get('/admin/user/delete/:id', restrict, (req, res) => {
|
||||
router.get('/admin/user/delete/:id', restrict, async (req, res) => {
|
||||
const db = req.app.db;
|
||||
|
||||
// userId
|
||||
if(req.session.isAdmin === true){
|
||||
if(req.session.isAdmin !== true){
|
||||
req.session.message = 'Access denied.';
|
||||
req.session.messageType = 'danger';
|
||||
res.redirect('/admin/users');
|
||||
return;
|
||||
}
|
||||
|
||||
// Cannot delete your own account
|
||||
if(req.session.userId === req.params.id){
|
||||
req.session.message = 'You can\'t delete your own user account.';
|
||||
req.session.message = 'Unable to delete own user account.';
|
||||
req.session.messageType = 'danger';
|
||||
res.redirect('/admin/users');
|
||||
return;
|
||||
}
|
||||
|
||||
const user = await db.users.findOne({ _id: common.getId(req.params.id) });
|
||||
|
||||
// If user is not found
|
||||
if(!user){
|
||||
req.session.message = 'User not found.';
|
||||
req.session.messageType = 'danger';
|
||||
res.redirect('/admin/users');
|
||||
return;
|
||||
}
|
||||
|
||||
// Cannot delete the original user/owner
|
||||
if(user.isOwner){
|
||||
req.session.message = 'Access denied.';
|
||||
req.session.messageType = 'danger';
|
||||
res.redirect('/admin/users');
|
||||
return;
|
||||
|
@ -97,11 +130,6 @@ router.get('/admin/user/delete/:id', restrict, (req, res) => {
|
|||
req.session.messageType = 'success';
|
||||
res.redirect('/admin/users');
|
||||
});
|
||||
}else{
|
||||
req.session.message = 'Access denied.';
|
||||
req.session.messageType = 'danger';
|
||||
res.redirect('/admin/users');
|
||||
}
|
||||
});
|
||||
|
||||
// update a user
|
||||
|
|
30
test/test.js
30
test/test.js
|
@ -98,6 +98,17 @@ test.serial('[Success] User Login', async t => {
|
|||
t.deepEqual(res.body.message, 'Login successful');
|
||||
});
|
||||
|
||||
test.serial('[Fail] Incorrect user password', async t => {
|
||||
const res = await request
|
||||
.post('/admin/login_action')
|
||||
.send({
|
||||
email: users[0].userEmail,
|
||||
password: 'test1'
|
||||
})
|
||||
.expect(400);
|
||||
t.deepEqual(res.body.message, 'Access denied. Check password and try again.');
|
||||
});
|
||||
|
||||
test.serial('[Success] Create API key', async t => {
|
||||
const res = await request
|
||||
.post('/admin/createApiKey')
|
||||
|
@ -108,15 +119,18 @@ test.serial('[Success] Create API key', async t => {
|
|||
t.deepEqual(res.body.apiKey.length, 24);
|
||||
});
|
||||
|
||||
test.serial('[Fail] Incorrect user password', async t => {
|
||||
test.serial('[Fail] Delete own user account', async t => {
|
||||
const res = await request
|
||||
.post('/admin/login_action')
|
||||
.send({
|
||||
email: users[0].userEmail,
|
||||
password: 'test1'
|
||||
})
|
||||
.expect(400);
|
||||
t.deepEqual(res.body.message, 'Access denied. Check password and try again.');
|
||||
.get(`/admin/user/delete/${users[0]._id}`)
|
||||
.expect(302);
|
||||
t.deepEqual(res.header['location'], '/admin/users');
|
||||
});
|
||||
|
||||
test.serial('[Fail] Delete invalid user ID', async t => {
|
||||
const res = await request
|
||||
.get('/admin/user/delete/invalid_user_id')
|
||||
.expect(302);
|
||||
t.deepEqual(res.header['location'], '/admin/users');
|
||||
});
|
||||
|
||||
test.serial('[Fail] Customer login with incorrect email', async t => {
|
||||
|
|
|
@ -15,17 +15,17 @@
|
|||
</div>
|
||||
<div class="form-group">
|
||||
<label>{{ @root.__ "User password" }} {{#ifCond session.user '==' user.userEmail}}*{{/ifCond}}</label>
|
||||
<input type="password" class="form-control" name="userPassword" {{#ifCond session.user '==' user.userEmail}}required{{/ifCond}}>
|
||||
<input autocomplete="off" type="password" class="form-control" name="userPassword" {{#ifCond session.user '==' user.userEmail}}required{{/ifCond}}>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label>{{ @root.__ "Password confirm" }} {{#ifCond session.user '==' user.userEmail}}*{{/ifCond}}</label>
|
||||
<input type="password" data-validation-match-match="userPassword" data-validation-match-message="Password values to not match" class="form-control" name="frm_userPassword_confirm" {{#ifCond session.user '==' user.userEmail}}required{{/ifCond}}>
|
||||
<input autocomplete="off" type="password" data-validation-match-match="userPassword" data-validation-match-message="Password values to not match" class="form-control" name="frm_userPassword_confirm" {{#ifCond session.user '==' user.userEmail}}required{{/ifCond}}>
|
||||
</div>
|
||||
{{#isAnAdmin session.isAdmin}}
|
||||
{{#ifCond session.user '!=' user.userEmail}}
|
||||
{{#isAnAdmin @root.session.isAdmin}}
|
||||
{{#ifCond @root.session.user '!=' user.userEmail}}
|
||||
<div class="checkbox">
|
||||
<label>
|
||||
<input name="user_admin" {{#checkedState user.isAdmin}}{{/checkedState}} type="checkbox"> {{ @root.__ "User is admin?" }}
|
||||
<input name="user_admin" {{#checkedState @root.user.isAdmin}}{{/checkedState}} type="checkbox"> {{ @root.__ "User is admin?" }}
|
||||
</label>
|
||||
</div>
|
||||
{{/ifCond}}
|
||||
|
|
|
@ -11,6 +11,9 @@
|
|||
<strong>{{ @root.__ "Role" }}: </strong>
|
||||
{{#isAnAdmin this.isAdmin}}
|
||||
<span>Admin</span>
|
||||
{{#if ../this.isOwner}}
|
||||
(Owner)
|
||||
{{/if}}
|
||||
{{else}}
|
||||
<span>{{ @root.__ "User" }}</span>
|
||||
{{/isAnAdmin}}
|
||||
|
|
Loading…
Reference in New Issue