Fixed permissions
parent
4533e23993
commit
fe3a1c7c25
|
@ -34,7 +34,7 @@ router.get('/admin/user/edit/:id', common.restrict, (req, res) => {
|
||||||
}
|
}
|
||||||
// if the user we want to edit is not the current logged in user and the current user is not
|
// if the user we want to edit is not the current logged in user and the current user is not
|
||||||
// an admin we render an access denied message
|
// an admin we render an access denied message
|
||||||
if(user.userEmail !== req.session.user && req.session.isAdmin === 'false'){
|
if(user.userEmail !== req.session.user && req.session.isAdmin === false){
|
||||||
req.session.message = 'Access denied';
|
req.session.message = 'Access denied';
|
||||||
req.session.messageType = 'danger';
|
req.session.messageType = 'danger';
|
||||||
res.redirect('/Users/');
|
res.redirect('/Users/');
|
||||||
|
@ -70,7 +70,7 @@ router.get('/admin/user/new', common.restrict, (req, res) => {
|
||||||
// delete user
|
// delete user
|
||||||
router.get('/admin/user/delete/:id', common.restrict, (req, res) => {
|
router.get('/admin/user/delete/:id', common.restrict, (req, res) => {
|
||||||
const db = req.app.db;
|
const db = req.app.db;
|
||||||
if(req.session.isAdmin === 'true'){
|
if(req.session.isAdmin === true){
|
||||||
db.users.remove({_id: common.getId(req.params.id)}, {}, (err, numRemoved) => {
|
db.users.remove({_id: common.getId(req.params.id)}, {}, (err, numRemoved) => {
|
||||||
if(err){
|
if(err){
|
||||||
console.info(err.stack);
|
console.info(err.stack);
|
||||||
|
@ -90,7 +90,7 @@ router.get('/admin/user/delete/:id', common.restrict, (req, res) => {
|
||||||
router.post('/admin/user/update', common.restrict, (req, res) => {
|
router.post('/admin/user/update', common.restrict, (req, res) => {
|
||||||
const db = req.app.db;
|
const db = req.app.db;
|
||||||
|
|
||||||
let isAdmin = req.body.user_admin === 'on' ? 'true' : 'false';
|
let isAdmin = req.body.user_admin === 'on';
|
||||||
|
|
||||||
// get the user we want to update
|
// get the user we want to update
|
||||||
db.users.findOne({_id: common.getId(req.body.userId)}, (err, user) => {
|
db.users.findOne({_id: common.getId(req.body.userId)}, (err, user) => {
|
||||||
|
@ -99,7 +99,7 @@ router.post('/admin/user/update', common.restrict, (req, res) => {
|
||||||
}
|
}
|
||||||
// if the user we want to edit is not the current logged in user and the current user is not
|
// if the user we want to edit is not the current logged in user and the current user is not
|
||||||
// an admin we render an access denied message
|
// an admin we render an access denied message
|
||||||
if(user.userEmail !== req.session.user && req.session.isAdmin === 'false'){
|
if(user.userEmail !== req.session.user && req.session.isAdmin === false){
|
||||||
req.session.message = 'Access denied';
|
req.session.message = 'Access denied';
|
||||||
req.session.messageType = 'danger';
|
req.session.messageType = 'danger';
|
||||||
res.redirect('/admin/users/');
|
res.redirect('/admin/users/');
|
||||||
|
@ -140,9 +140,9 @@ router.post('/admin/user/insert', common.restrict, (req, res) => {
|
||||||
// set the account to admin if using the setup form. Eg: First user account
|
// set the account to admin if using the setup form. Eg: First user account
|
||||||
let urlParts = url.parse(req.header('Referer'));
|
let urlParts = url.parse(req.header('Referer'));
|
||||||
|
|
||||||
let isAdmin = 'false';
|
let isAdmin = false;
|
||||||
if(urlParts.path === '/admin/setup'){
|
if(urlParts.path === '/admin/setup'){
|
||||||
isAdmin = 'true';
|
isAdmin = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
let doc = {
|
let doc = {
|
||||||
|
|