Ensure admin role is retained on update
							parent
							
								
									292dbf7e07
								
							
						
					
					
						commit
						7fa175a852
					
				|  | @ -59,7 +59,7 @@ exports.checkAccess = (req, res, next) => { | ||||||
|     const routeCheck = _.find(restrictedRoutes, {'route': req.route.path}); |     const routeCheck = _.find(restrictedRoutes, {'route': req.route.path}); | ||||||
| 
 | 
 | ||||||
|     // If the user is not an admin and route is restricted, show message and redirect to /admin
 |     // If the user is not an admin and route is restricted, show message and redirect to /admin
 | ||||||
|     if(req.session.isAdmin === 'false' && routeCheck){ |     if(req.session.isAdmin === false && routeCheck){ | ||||||
|         if(routeCheck.response === 'redirect'){ |         if(routeCheck.response === 'redirect'){ | ||||||
|             req.session.message = 'Unauthorised. Please refer to administrator.'; |             req.session.message = 'Unauthorised. Please refer to administrator.'; | ||||||
|             req.session.messageType = 'danger'; |             req.session.messageType = 'danger'; | ||||||
|  |  | ||||||
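Review bot: The rewritten condition `if(req.session.isAdmin === false && routeCheck){` fails open: a session with no `isAdmin` value at all (`undefined`), or one still carrying the string `'false'` that the old comparison expected, no longer matches `=== false`, so the restricted-route redirect is skipped for exactly the sessions that should be blocked. Unless a preceding middleware guarantees `isAdmin` is always a boolean on every session that reaches `checkAccess` (nothing in this hunk shows that), the safer form is `if(req.session.isAdmin !== true && routeCheck){`, which denies anything that is not an explicit admin flag, including stale sessions issued before this change. checkAccess's body continues outside the hunk.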
|  | @ -97,6 +97,12 @@ router.post('/admin/user/update', common.restrict, (req, res) => { | ||||||
|         if(err){ |         if(err){ | ||||||
|             console.info(err.stack); |             console.info(err.stack); | ||||||
|         } |         } | ||||||
|  | 
 | ||||||
|  |         // If the current user changing own account ensure isAdmin retains existing
 | ||||||
|  |         if(user.userEmail === req.session.user){ | ||||||
|  |             isAdmin = user.isAdmin; | ||||||
|  |         } | ||||||
|  | 
 | ||||||
|         // if the user we want to edit is not the current logged in user and the current user is not
 |         // if the user we want to edit is not the current logged in user and the current user is not
 | ||||||
|         // an admin we render an access denied message
 |         // an admin we render an access denied message
 | ||||||
|         if(user.userEmail !== req.session.user && req.session.isAdmin === false){ |         if(user.userEmail !== req.session.user && req.session.isAdmin === false){ | ||||||
|  |  | ||||||
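Review bot: The new `if(user.userEmail === req.session.user){` line dereferences `user` right after the `if(err)` branch above it, which only logs `err.stack` and falls through, so a failed lookup (where `user` is presumably undefined or null) becomes a TypeError on `user.userEmail` instead of a handled error; the pre-existing check on `user.userEmail !== req.session.user` below has the same exposure. Either the error branch should end the request (the handler's error path is outside this hunk, so the exact response cannot be seen here), or the new block should guard with `if(user && user.userEmail === req.session.user){`. The assignment `isAdmin = user.isAdmin;` also relies on `isAdmin` being declared with `let`/`var` outside the hunk; if it is a `const` derived from the request body this throws at runtime. A why-comment would help the next reader, e.g. `// Never let a user change their own admin flag through this form; keep the stored value`.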