Fixed delete user account api
parent
1f84f77089
commit
7e6d6e9b8c
|
@ -133,6 +133,24 @@ $(document).ready(function (){
|
|||
}
|
||||
});
|
||||
|
||||
$('.userDelete').on('click', function(){
|
||||
if(confirm('Are you sure you want to delete?')){
|
||||
$.ajax({
|
||||
method: 'POST',
|
||||
url: '/admin/user/delete',
|
||||
data: {
|
||||
userId: $(this).attr('data-id')
|
||||
}
|
||||
})
|
||||
.done(function(msg){
|
||||
showNotification(msg.message, 'success', true);
|
||||
})
|
||||
.fail(function(msg){
|
||||
showNotification(msg.responseJSON.message, 'danger');
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
$('#userEditForm').validator().on('submit', function(e){
|
||||
if(!e.isDefaultPrevented()){
|
||||
e.preventDefault();
|
||||
|
|
|
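Review bot: The `.userDelete` click handler never calls `preventDefault()`, and the anchor it is bound to is `href="#"` (see the template hunk further down), so every click also navigates to the `#` fragment — scrolling to the top and appending `#` to the URL — while the request is in flight; bind it as `$('.userDelete').on('click', function(e){ e.preventDefault();`. The `.done` callback only shows a notification and leaves the deleted row in the list, so the page no longer reflects server state until it is reloaded; capturing the row before the ajax call (inside `.done`, `this` is the jqXHR, not the link) and removing it on success fixes that. In `.fail`, `msg.responseJSON.message` throws a TypeError when the response body is not JSON (a proxy error page or a dropped connection), masking the real failure, so it should be guarded with a fallback message. The enclosing `$(document).ready` callback starts and ends outside this hunk.
```javascript
$('.userDelete').on('click', function(e){
    e.preventDefault();
    var row = $(this).closest('li');
    if(confirm('Are you sure you want to delete?')){
        $.ajax({
            // … unchanged: method, url, data …
        })
        .done(function(msg){
            row.remove();
            showNotification(msg.message, 'success', true);
        })
        .fail(function(msg){
            var message = (msg.responseJSON && msg.responseJSON.message) || 'Failed to delete user';
            showNotification(message, 'danger');
        });
    }
});
```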
@ -86,81 +86,43 @@ router.get('/admin/user/new', restrict, (req, res) => {
|
|||
});
|
||||
|
||||
// delete user
|
||||
router.get('/admin/user/delete/:id', restrict, async (req, res) => {
|
||||
router.post('/admin/user/delete', restrict, async (req, res) => {
|
||||
const db = req.app.db;
|
||||
|
||||
// userId
|
||||
if(req.session.isAdmin !== true){
|
||||
if(req.apiAuthenticated){
|
||||
res.status(400).json({ message: 'Access denied' });
|
||||
return;
|
||||
}
|
||||
|
||||
req.session.message = 'Access denied.';
|
||||
req.session.messageType = 'danger';
|
||||
res.redirect('/admin/users');
|
||||
res.status(400).json({ message: 'Access denied' });
|
||||
return;
|
||||
}
|
||||
|
||||
// Cannot delete your own account
|
||||
if(req.session.userId === req.params.id){
|
||||
if(req.apiAuthenticated){
|
||||
res.status(400).json({ message: 'Unable to delete own user account' });
|
||||
return;
|
||||
}
|
||||
|
||||
req.session.message = 'Unable to delete own user account.';
|
||||
req.session.messageType = 'danger';
|
||||
res.redirect('/admin/users');
|
||||
if(req.session.userId === req.body.userId){
|
||||
res.status(400).json({ message: 'Unable to delete own user account' });
|
||||
return;
|
||||
}
|
||||
|
||||
const user = await db.users.findOne({ _id: common.getId(req.params.id) });
|
||||
const user = await db.users.findOne({ _id: common.getId(req.body.userId) });
|
||||
|
||||
// If user is not found
|
||||
if(!user){
|
||||
if(req.apiAuthenticated){
|
||||
res.status(400).json({ message: 'User not found.' });
|
||||
return;
|
||||
}
|
||||
|
||||
req.session.message = 'User not found.';
|
||||
req.session.messageType = 'danger';
|
||||
res.redirect('/admin/users');
|
||||
res.status(400).json({ message: 'User not found.' });
|
||||
return;
|
||||
}
|
||||
|
||||
// Cannot delete the original user/owner
|
||||
if(user.isOwner){
|
||||
if(req.apiAuthenticated){
|
||||
res.status(400).json({ message: 'Access denied.' });
|
||||
return;
|
||||
}
|
||||
|
||||
req.session.message = 'Access denied.';
|
||||
req.session.messageType = 'danger';
|
||||
res.redirect('/admin/users');
|
||||
res.status(400).json({ message: 'Access denied.' });
|
||||
return;
|
||||
}
|
||||
|
||||
try{
|
||||
await db.users.deleteOne({ _id: common.getId(req.params.id) }, {});
|
||||
if(req.apiAuthenticated){
|
||||
res.status(200).json({ message: 'User deleted.' });
|
||||
return;
|
||||
}
|
||||
req.session.message = 'User deleted.';
|
||||
req.session.messageType = 'success';
|
||||
res.redirect('/admin/users');
|
||||
await db.users.deleteOne({ _id: common.getId(req.body.userId) }, {});
|
||||
res.status(200).json({ message: 'User deleted.' });
|
||||
return;
|
||||
}catch(ex){
|
||||
console.log('Failed to delete user', ex);
|
||||
if(req.apiAuthenticated){
|
||||
res.status(200).json({ message: 'Cannot delete user' });
|
||||
return;
|
||||
}
|
||||
req.session.message = 'Cannot delete user';
|
||||
req.session.messageType = 'danger';
|
||||
res.redirect('/admin/users');
|
||||
res.status(200).json({ message: 'Cannot delete user' });
|
||||
return;
|
||||
};
|
||||
});
|
||||
|
||||
|
|
|
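Review bot: The catch block still answers a failed delete with `res.status(200).json({ message: 'Cannot delete user' })` (the last statement before the closing `};`), so the new client handler's `.fail` never runs and 'Cannot delete user' is displayed as a success notification; it should be `res.status(500).json({ message: 'Cannot delete user' });` (or 400, like the other error branches). `req.body.userId` is used without any shape check: a missing or non-string value (a JSON body can carry an object or an array) skips the own-account comparison, which compares the raw value against `req.session.userId`, and is then passed to `common.getId`, whose handling of such input is not visible here; a guard such as `if(typeof req.body.userId !== 'string'){ res.status(400).json({ message: 'User not found.' }); return; }` placed before the comparison covers all three later uses. The first access-denied response now reads 'Access denied' while the owner branch reads 'Access denied.'; pick one spelling so clients can match on it. The `console.log('Failed to delete user', ex)` and the stray `};` after the catch are inherited from the old code but worth tidying while the route is being rewritten.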
@ -49,16 +49,22 @@ test('[Fail] Incorrect user password', async t => {
|
|||
|
||||
test('[Fail] Delete own user account', async t => {
|
||||
const res = await g.request
|
||||
.get(`/admin/user/delete/${g.users[0]._id}`)
|
||||
.expect(302);
|
||||
t.deepEqual(res.header['location'], '/admin/users');
|
||||
.post('/admin/user/delete')
|
||||
.send({
|
||||
userId: g.users[0]._id
|
||||
})
|
||||
.expect(400);
|
||||
t.deepEqual(res.body.message, 'Unable to delete own user account');
|
||||
});
|
||||
|
||||
test('[Fail] Delete invalid user ID', async t => {
|
||||
const res = await g.request
|
||||
.get('/admin/user/delete/invalid_user_id')
|
||||
.expect(302);
|
||||
t.deepEqual(res.header['location'], '/admin/users');
|
||||
.post('/admin/user/delete')
|
||||
.send({
|
||||
userId: 'invalid_user_id'
|
||||
})
|
||||
.expect(400);
|
||||
t.deepEqual(res.body.message, 'User not found.');
|
||||
});
|
||||
|
||||
test('[Success] Create new user', async t => {
|
||||
|
|
|
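Review bot: The two rewritten tests exercise only failure paths; nothing in this hunk asserts that an admin can delete a non-owner user through the new POST route, or that a non-admin session receives the 400 'Access denied' response, so the happy path and the authorization check of the rewritten handler are unverified unless a test elsewhere in this file covers them. A `[Success] Delete user` test that creates a user, posts its id to `/admin/user/delete`, expects 200 and checks `res.body.message === 'User deleted.'` would pin the new contract. The `invalid_user_id` case sends a value that `common.getId` presumably cannot parse, so the expected 400 'User not found.' also confirms the handler does not throw on it; that is worth keeping.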
@ -19,7 +19,7 @@
|
|||
{{/isAnAdmin}}
|
||||
{{#isAnAdmin ../session.isAdmin}}
|
||||
<a href="/admin/user/edit/{{../this._id}}"><span class="glyphicon glyphicon-pencil" aria-hidden="true"></a>
|
||||
<a href="/admin/user/delete/{{../this._id}}" onclick="return confirm('Are you sure you want to delete?')"><span class="glyphicon glyphicon-trash" aria-hidden="true"></a>
|
||||
<a href="#" class="userDelete" data-id="{{../this._id}}"><span class="glyphicon glyphicon-trash" aria-hidden="true"></a>
|
||||
{{/isAnAdmin}}
|
||||
</span>
|
||||
</li>
|
||||
|
|
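Review bot: The new delete link keeps the pre-existing unclosed `<span>` — the icon span is opened and then `</a>` follows with no `</span>` — which the edit link on the line above shares; write it as `<a href="#" class="userDelete" data-id="{{../this._id}}" title="Delete user"><span class="glyphicon glyphicon-trash" aria-hidden="true"></span></a>`. Because the icon span is `aria-hidden` and the anchor has no text, the control has no accessible name; the `title` (or an `aria-label`) above gives it one. With `href="#"` the default click action navigates to the fragment, so the handler bound to `.userDelete` must call `preventDefault()` for the link to behave as a button.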