t1meshift
/
expressCart
mirror of https://github.com/t1meshift/expressCart.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Ensure admin role is retained on update

react_convert
Mark Moffat 2018-02-05 22:43:22 +01:00
parent 292dbf7e07
commit 7fa175a852
2 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/common.js
View File

@ -59,7 +59,7 @@ exports.checkAccess = (req, res, next) => {
const routeCheck = _.find(restrictedRoutes, {'route': req.route.path}); const routeCheck = _.find(restrictedRoutes, {'route': req.route.path});
// If the user is not an admin and route is restricted, show message and redirect to /admin // If the user is not an admin and route is restricted, show message and redirect to /admin
if(req.session.isAdmin === 'false' && routeCheck){ if(req.session.isAdmin === false && routeCheck){
if(routeCheck.response === 'redirect'){ if(routeCheck.response === 'redirect'){
req.session.message = 'Unauthorised. Please refer to administrator.'; req.session.message = 'Unauthorised. Please refer to administrator.';
req.session.messageType = 'danger'; req.session.messageType = 'danger';

6
routes/user.js
View File

@ -97,6 +97,12 @@ router.post('/admin/user/update', common.restrict, (req, res) => {
if(err){ if(err){
console.info(err.stack); console.info(err.stack);
} }
// If the current user changing own account ensure isAdmin retains existing
if(user.userEmail === req.session.user){
isAdmin = user.isAdmin;
}
// if the user we want to edit is not the current logged in user and the current user is not // if the user we want to edit is not the current logged in user and the current user is not
// an admin we render an access denied message // an admin we render an access denied message
if(user.userEmail !== req.session.user && req.session.isAdmin === false){ if(user.userEmail !== req.session.user && req.session.isAdmin === false){