Ensure admin role is retained on update

react_convert
Mark Moffat 2018-02-05 22:43:22 +01:00
parent 292dbf7e07
commit 7fa175a852
2 changed files with 7 additions and 1 deletions


@ -59,7 +59,7 @@ exports.checkAccess = (req, res, next) => {
const routeCheck = _.find(restrictedRoutes, {'route': req.route.path});
// If the user is not an admin and route is restricted, show message and redirect to /admin
if(req.session.isAdmin === 'false' && routeCheck){
if(req.session.isAdmin === false && routeCheck){
if(routeCheck.response === 'redirect'){
req.session.message = 'Unauthorised. Please refer to administrator.';
req.session.messageType = 'danger';
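Review bot: The new guard `req.session.isAdmin === false` in checkAccess fails open, because a session where isAdmin is undefined, null or still the old string 'false' skips the restricted-route branch entirely. The line it replaces compared against the string, so sessions persisted before this commit may still carry 'false' (inferred; the session store is not shown). Denying by default is safer: `if(req.session.isAdmin !== true && routeCheck){`. The same strict-false comparison appears in the `/admin/user/update` hunk (`req.session.isAdmin === false`) and deserves the same change. checkAccess's body continues outside the hunk.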


@ -97,6 +97,12 @@ router.post('/admin/user/update', common.restrict, (req, res) => {
if(err){
console.info(err.stack);
}
// If the current user changing own account ensure isAdmin retains existing
if(user.userEmail === req.session.user){
isAdmin = user.isAdmin;
}
// if the user we want to edit is not the current logged in user and the current user is not
// an admin we render an access denied message
if(user.userEmail !== req.session.user && req.session.isAdmin === false){
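Review bot: The added `user.userEmail === req.session.user` check dereferences `user` directly after an `if(err)` branch that only logs, so a failed or empty lookup would throw inside the callback instead of producing an error response (the query is outside the hunk, so whether `user` can be missing is inferred). An early exit before the comparison closes that path: `if(err || !user){ /* send the route's usual error response */ return; }`. Since `isAdmin` is first assigned outside the hunk, presumably from the request, the new comment could also say that this override is what keeps a user from changing their own role, e.g. `// Never take isAdmin from the request when a user edits their own account; keep the stored value`. The handler's body starts and ends outside the hunk.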