t1meshift
/
expressCart
mirror of https://github.com/t1meshift/expressCart.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix issue with ability to create admin user by setting referrer

master
Mark Moffat 2018-05-30 18:35:17 +09:30
parent c674f86576
commit baccaae9b0
1 changed files with 48 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
routes/user.js
View File

@ -146,56 +146,61 @@ router.post('/admin/user/insert', common.restrict, (req, res) => {
// set the account to admin if using the setup form. Eg: First user account // set the account to admin if using the setup form. Eg: First user account
let urlParts = url.parse(req.header('Referer')); let urlParts = url.parse(req.header('Referer'));
let isAdmin = false; // Check number of users
if(urlParts.path === '/admin/setup'){ db.users.count({}, (err, userCount) => {
isAdmin = true; let isAdmin = false;
}
let doc = { // if no users, setup user as admin
usersName: req.body.usersName, if(userCount === 0){
userEmail: req.body.userEmail, isAdmin = true;
userPassword: bcrypt.hashSync(req.body.userPassword, 10),
isAdmin: isAdmin
};
// check for existing user
db.users.findOne({'userEmail': req.body.userEmail}, (err, user) => {
if(user){
// user already exists with that email address
console.error(colors.red('Failed to insert user, possibly already exists: ' + err));
req.session.message = 'A user with that email address already exists';
req.session.messageType = 'danger';
res.redirect('/admin/user/new');
return;
} }
// email is ok to be used.
db.users.insert(doc, (err, doc) => { let doc = {
// show the view usersName: req.body.usersName,
if(err){ userEmail: req.body.userEmail,
if(doc){ userPassword: bcrypt.hashSync(req.body.userPassword, 10),
console.error(colors.red('Failed to insert user: ' + err)); isAdmin: isAdmin
req.session.message = 'User exists'; };
req.session.messageType = 'danger';
res.redirect('/admin/user/edit/' + doc._id); // check for existing user
return; db.users.findOne({'userEmail': req.body.userEmail}, (err, user) => {
} if(user){
console.error(colors.red('Failed to insert user: ' + err)); // user already exists with that email address
req.session.message = 'New user creation failed'; console.error(colors.red('Failed to insert user, possibly already exists: ' + err));
req.session.message = 'A user with that email address already exists';
req.session.messageType = 'danger'; req.session.messageType = 'danger';
res.redirect('/admin/user/new'); res.redirect('/admin/user/new');
return; return;
} }
req.session.message = 'User account inserted'; // email is ok to be used.
req.session.messageType = 'success'; db.users.insert(doc, (err, doc) => {
// show the view
if(err){
if(doc){
console.error(colors.red('Failed to insert user: ' + err));
req.session.message = 'User exists';
req.session.messageType = 'danger';
res.redirect('/admin/user/edit/' + doc._id);
return;
}
console.error(colors.red('Failed to insert user: ' + err));
req.session.message = 'New user creation failed';
req.session.messageType = 'danger';
res.redirect('/admin/user/new');
return;
}
req.session.message = 'User account inserted';
req.session.messageType = 'success';
// if from setup we add user to session and redirect to login. // if from setup we add user to session and redirect to login.
// Otherwise we show users screen // Otherwise we show users screen
if(urlParts.path === '/admin/setup'){ if(urlParts.path === '/admin/setup'){
req.session.user = req.body.userEmail; req.session.user = req.body.userEmail;
res.redirect('/admin/login'); res.redirect('/admin/login');
return; return;
} }
res.redirect('/admin/users'); res.redirect('/admin/users');
});
}); });
}); });
}); });