Fixed delete user account api

master
Mark Moffat 2019-12-16 15:15:02 +10:30
parent 1f84f77089
commit 7e6d6e9b8c
4 changed files with 43 additions and 57 deletions


@ -133,6 +133,24 @@ $(document).ready(function (){
} }
}); });
$('.userDelete').on('click', function(){
if(confirm('Are you sure you want to delete?')){
$.ajax({
method: 'POST',
url: '/admin/user/delete',
data: {
userId: $(this).attr('data-id')
}
})
.done(function(msg){
showNotification(msg.message, 'success', true);
})
.fail(function(msg){
showNotification(msg.responseJSON.message, 'danger');
});
}
});
$('#userEditForm').validator().on('submit', function(e){ $('#userEditForm').validator().on('submit', function(e){
if(!e.isDefaultPrevented()){ if(!e.isDefaultPrevented()){
e.preventDefault(); e.preventDefault();
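Review bot: The `.fail` handler in the new `.userDelete` click binding dereferences `msg.responseJSON.message` unconditionally, so any non-JSON failure (a network error, a proxy or framework HTML error page) throws inside the callback instead of showing a notification; guard it, e.g. `var text = (msg.responseJSON && msg.responseJSON.message) || 'Cannot delete user';` before the `showNotification` call (fallback wording is a constructed example). The handler also takes no event argument and never calls `preventDefault()`, so the `href="#"` anchor it is bound to still performs its default navigation when clicked. On success the deleted row is not removed or the list refreshed; if the third `true` argument to `showNotification` is meant to trigger a reload, a short comment saying so on that line would make the intent clear, since that cannot be confirmed from this hunk.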


@ -86,81 +86,43 @@ router.get('/admin/user/new', restrict, (req, res) => {
}); });
// delete user // delete user
router.get('/admin/user/delete/:id', restrict, async (req, res) => { router.post('/admin/user/delete', restrict, async (req, res) => {
const db = req.app.db; const db = req.app.db;
// userId // userId
if(req.session.isAdmin !== true){ if(req.session.isAdmin !== true){
if(req.apiAuthenticated){ res.status(400).json({ message: 'Access denied' });
res.status(400).json({ message: 'Access denied' });
return;
}
req.session.message = 'Access denied.';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return; return;
} }
// Cannot delete your own account // Cannot delete your own account
if(req.session.userId === req.params.id){ if(req.session.userId === req.body.userId){
if(req.apiAuthenticated){ res.status(400).json({ message: 'Unable to delete own user account' });
res.status(400).json({ message: 'Unable to delete own user account' });
return;
}
req.session.message = 'Unable to delete own user account.';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return; return;
} }
const user = await db.users.findOne({ _id: common.getId(req.params.id) }); const user = await db.users.findOne({ _id: common.getId(req.body.userId) });
// If user is not found // If user is not found
if(!user){ if(!user){
if(req.apiAuthenticated){ res.status(400).json({ message: 'User not found.' });
res.status(400).json({ message: 'User not found.' });
return;
}
req.session.message = 'User not found.';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return; return;
} }
// Cannot delete the original user/owner // Cannot delete the original user/owner
if(user.isOwner){ if(user.isOwner){
if(req.apiAuthenticated){ res.status(400).json({ message: 'Access denied.' });
res.status(400).json({ message: 'Access denied.' });
return;
}
req.session.message = 'Access denied.';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return; return;
} }
try{ try{
await db.users.deleteOne({ _id: common.getId(req.params.id) }, {}); await db.users.deleteOne({ _id: common.getId(req.body.userId) }, {});
if(req.apiAuthenticated){ res.status(200).json({ message: 'User deleted.' });
res.status(200).json({ message: 'User deleted.' }); return;
return;
}
req.session.message = 'User deleted.';
req.session.messageType = 'success';
res.redirect('/admin/users');
}catch(ex){ }catch(ex){
console.log('Failed to delete user', ex); console.log('Failed to delete user', ex);
if(req.apiAuthenticated){ res.status(200).json({ message: 'Cannot delete user' });
res.status(200).json({ message: 'Cannot delete user' }); return;
return;
}
req.session.message = 'Cannot delete user';
req.session.messageType = 'danger';
res.redirect('/admin/users');
}; };
}); });
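Review bot: The catch block at the end of the hunk still answers a failed `deleteOne` with `res.status(200).json({ message: 'Cannot delete user' })`, so the jQuery client's `.done` path reports a failed delete as a success notification; it should be `res.status(500).json({ message: 'Cannot delete user' });` (the same 200-on-error existed on the API branch before, but the JSON response is now the only response this route sends). `req.body.userId` is handed to `common.getId` without being checked for presence, so a POST with no body reaches the lookup with `undefined` — a guard such as `if(!req.body.userId){ res.status(400).json({ message: 'User not found.' }); return; }` before the `findOne` makes the contract explicit rather than depending on how `getId` treats `undefined`. Switching from a GET link to a POST removes the trivial link-based forgery, but the route is still authorised solely by the session cookie, so unless a CSRF check not visible in this hunk covers `/admin/user/delete` a cross-origin form post can still trigger it. The two "Access denied" responses use 400; 403 would describe the condition more accurately.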


@ -49,16 +49,22 @@ test('[Fail] Incorrect user password', async t => {
test('[Fail] Delete own user account', async t => { test('[Fail] Delete own user account', async t => {
const res = await g.request const res = await g.request
.get(`/admin/user/delete/${g.users[0]._id}`) .post('/admin/user/delete')
.expect(302); .send({
t.deepEqual(res.header['location'], '/admin/users'); userId: g.users[0]._id
})
.expect(400);
t.deepEqual(res.body.message, 'Unable to delete own user account');
}); });
test('[Fail] Delete invalid user ID', async t => { test('[Fail] Delete invalid user ID', async t => {
const res = await g.request const res = await g.request
.get('/admin/user/delete/invalid_user_id') .post('/admin/user/delete')
.expect(302); .send({
t.deepEqual(res.header['location'], '/admin/users'); userId: 'invalid_user_id'
})
.expect(400);
t.deepEqual(res.body.message, 'User not found.');
}); });
test('[Success] Create new user', async t => { test('[Success] Create new user', async t => {
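Review bot: The two rewritten tests cover only the own-account and unknown-id rejections of the new POST route; the non-admin "Access denied" branch, the `isOwner` branch and the successful delete (`200`, `'User deleted.'`) have no assertion in this hunk, and if they are not covered elsewhere in the file a `test('[Success] Delete user', …)` posting a non-owner user id and a test posting an empty body would pin the rest of the contract the route change introduced. Both assertions compare plain strings with `t.deepEqual`; `t.is(res.body.message, 'User not found.')` is the conventional ava assertion for scalar values and gives a clearer failure message.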


@ -19,7 +19,7 @@
{{/isAnAdmin}} {{/isAnAdmin}}
{{#isAnAdmin ../session.isAdmin}} {{#isAnAdmin ../session.isAdmin}}
<a href="/admin/user/edit/{{../this._id}}"><span class="glyphicon glyphicon-pencil" aria-hidden="true"></a> <a href="/admin/user/edit/{{../this._id}}"><span class="glyphicon glyphicon-pencil" aria-hidden="true"></a>
<a href="/admin/user/delete/{{../this._id}}" onclick="return confirm('Are you sure you want to delete?')"><span class="glyphicon glyphicon-trash" aria-hidden="true"></a> <a href="#" class="userDelete" data-id="{{../this._id}}"><span class="glyphicon glyphicon-trash" aria-hidden="true"></a>
{{/isAnAdmin}} {{/isAnAdmin}}
</span> </span>
</li> </li>
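Review bot: The new delete anchor keeps the pattern of the edit link on the line above, where the `<span class="glyphicon …" aria-hidden="true">` is never closed before `</a>`, so the icon span swallows whatever follows in the parsed DOM; add `</span>` before `</a>` on the new line (and on the edit link, which is unchanged context here). Because the anchor is now `href="#"`, clicking it scrolls to the top unless the bound handler prevents the default action, which the template cannot guarantee on its own; a `<button type="button" class="userDelete" data-id="{{../this._id}}">` would carry no navigation at all and needs no such guard. The surrounding `{{#isAnAdmin}}` block starts and ends inside the hunk, so the change is self-contained.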