From 7fa175a852283859f4625e427734fa9be6545f1d Mon Sep 17 00:00:00 2001
From: Mark Moffat
Date: Mon, 5 Feb 2018 22:43:22 +0100
Subject: [PATCH] Ensure admin role is retained on update

---
 lib/common.js | 2 +-
 routes/user.js | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/common.js b/lib/common.js
index 1ace6ea..8f896b2 100644
--- a/lib/common.js
+++ b/lib/common.js
@@ -59,7 +59,7 @@ exports.checkAccess = (req, res, next) => {
 const routeCheck = _.find(restrictedRoutes, {'route': req.route.path});
 
 // If the user is not an admin and route is restricted, show message and redirect to /admin
-if(req.session.isAdmin === 'false' && routeCheck){
+if(req.session.isAdmin === false && routeCheck){
 if(routeCheck.response === 'redirect'){
 req.session.message = 'Unauthorised. Please refer to administrator.';
 req.session.messageType = 'danger';
diff --git a/routes/user.js b/routes/user.js
index 2f2c684..30eca95 100644
--- a/routes/user.js
+++ b/routes/user.js
@@ -97,6 +97,12 @@ router.post('/admin/user/update', common.restrict, (req, res) => {
 if(err){
 console.info(err.stack);
 }
+
+// If the current user changing own account ensure isAdmin retains existing
+if(user.userEmail === req.session.user){
+isAdmin = user.isAdmin;
+}
+
 // if the user we want to edit is not the current logged in user and the current user is not
 // an admin we render an access denied message
 if(user.userEmail !== req.session.user && req.session.isAdmin === false){
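Review bot: The corrected comparison on the changed `if` line still fails open: a session whose `isAdmin` is undefined (never set, or still the string `'false'` the old code expected) passes the restricted-route check, because only the strict boolean `false` is rejected. For an access check the deny-by-default form is safer, `if(req.session.isAdmin !== true && routeCheck){`, so anything other than an explicit admin flag is treated as non-admin. This assumes the session flag is stored as a boolean at login, which is not visible in this hunk. The body of `checkAccess` starts and continues outside the hunk.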
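Review bot: The new self-update guard dereferences `user.userEmail` immediately after a lookup whose error is only logged; if `err` is set or no document matched, `user` is presumably undefined here and the added line throws instead of sending a response, so a guard such as `if(err || !user){ /* respond and return */ }` before the new block would close that, though the lookup callback's contract is above the hunk. `isAdmin` is reassigned from an enclosing scope outside the hunk, so a reader cannot see how the request-supplied value is typed against the stored `user.isAdmin`; a short comment naming where `isAdmin` comes from would help. The added comment would also read better as `// If the current user is changing their own account, keep the stored isAdmin value`. The route handler continues outside the hunk.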