Fixed delete user account api

master
Mark Moffat 2019-12-16 15:15:02 +10:30
parent 1f84f77089
commit 7e6d6e9b8c
4 changed files with 43 additions and 57 deletions

View File

@ -133,6 +133,24 @@ $(document).ready(function (){
}
});
$('.userDelete').on('click', function(){
if(confirm('Are you sure you want to delete?')){
$.ajax({
method: 'POST',
url: '/admin/user/delete',
data: {
userId: $(this).attr('data-id')
}
})
.done(function(msg){
showNotification(msg.message, 'success', true);
})
.fail(function(msg){
showNotification(msg.responseJSON.message, 'danger');
});
}
});
$('#userEditForm').validator().on('submit', function(e){
if(!e.isDefaultPrevented()){
e.preventDefault();

View File

@ -86,81 +86,43 @@ router.get('/admin/user/new', restrict, (req, res) => {
});
// delete user
router.get('/admin/user/delete/:id', restrict, async (req, res) => {
router.post('/admin/user/delete', restrict, async (req, res) => {
const db = req.app.db;
// userId
if(req.session.isAdmin !== true){
if(req.apiAuthenticated){
res.status(400).json({ message: 'Access denied' });
return;
}
req.session.message = 'Access denied.';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return;
}
// Cannot delete your own account
if(req.session.userId === req.params.id){
if(req.apiAuthenticated){
if(req.session.userId === req.body.userId){
res.status(400).json({ message: 'Unable to delete own user account' });
return;
}
req.session.message = 'Unable to delete own user account.';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return;
}
const user = await db.users.findOne({ _id: common.getId(req.params.id) });
const user = await db.users.findOne({ _id: common.getId(req.body.userId) });
// If user is not found
if(!user){
if(req.apiAuthenticated){
res.status(400).json({ message: 'User not found.' });
return;
}
req.session.message = 'User not found.';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return;
}
// Cannot delete the original user/owner
if(user.isOwner){
if(req.apiAuthenticated){
res.status(400).json({ message: 'Access denied.' });
return;
}
req.session.message = 'Access denied.';
req.session.messageType = 'danger';
res.redirect('/admin/users');
return;
}
try{
await db.users.deleteOne({ _id: common.getId(req.params.id) }, {});
if(req.apiAuthenticated){
await db.users.deleteOne({ _id: common.getId(req.body.userId) }, {});
res.status(200).json({ message: 'User deleted.' });
return;
}
req.session.message = 'User deleted.';
req.session.messageType = 'success';
res.redirect('/admin/users');
}catch(ex){
console.log('Failed to delete user', ex);
if(req.apiAuthenticated){
res.status(200).json({ message: 'Cannot delete user' });
return;
}
req.session.message = 'Cannot delete user';
req.session.messageType = 'danger';
res.redirect('/admin/users');
};
});

View File

@ -49,16 +49,22 @@ test('[Fail] Incorrect user password', async t => {
test('[Fail] Delete own user account', async t => {
const res = await g.request
.get(`/admin/user/delete/${g.users[0]._id}`)
.expect(302);
t.deepEqual(res.header['location'], '/admin/users');
.post('/admin/user/delete')
.send({
userId: g.users[0]._id
})
.expect(400);
t.deepEqual(res.body.message, 'Unable to delete own user account');
});
test('[Fail] Delete invalid user ID', async t => {
const res = await g.request
.get('/admin/user/delete/invalid_user_id')
.expect(302);
t.deepEqual(res.header['location'], '/admin/users');
.post('/admin/user/delete')
.send({
userId: 'invalid_user_id'
})
.expect(400);
t.deepEqual(res.body.message, 'User not found.');
});
test('[Success] Create new user', async t => {

View File

@ -19,7 +19,7 @@
{{/isAnAdmin}}
{{#isAnAdmin ../session.isAdmin}}
<a href="/admin/user/edit/{{../this._id}}"><span class="glyphicon glyphicon-pencil" aria-hidden="true"></a>
<a href="/admin/user/delete/{{../this._id}}" onclick="return confirm('Are you sure you want to delete?')"><span class="glyphicon glyphicon-trash" aria-hidden="true"></a>
<a href="#" class="userDelete" data-id="{{../this._id}}"><span class="glyphicon glyphicon-trash" aria-hidden="true"></a>
{{/isAnAdmin}}
</span>
</li>