From e277107b10fe0d01f72686ff876c044d26044f0a Mon Sep 17 00:00:00 2001 From: sudoer777 <78781902+sudoer777@users.noreply.github.com> Date: Fri, 26 Nov 2021 12:08:45 -0700 Subject: [PATCH] Add ability for non-admin users to manage their account --- public/scripts/manage/account.js | 16 ++++++++-- public/scripts/manage/manage-nonadmin.js | 7 ++++- public/stylesheets/submit.css | 4 +++ routes/data.js | 27 +++++++++++++--- routes/manage.js | 39 +++++++++++++++++++----- views/accounts/createuser.pug | 4 ++- 6 files changed, 79 insertions(+), 18 deletions(-) diff --git a/public/scripts/manage/account.js b/public/scripts/manage/account.js index 0ab23a3..40b252f 100644 --- a/public/scripts/manage/account.js +++ b/public/scripts/manage/account.js @@ -4,13 +4,14 @@ import * as Form from "../form.js"; const submissionForm = document.getElementById('submission-form'); const emailTextbox = document.getElementById('email-textbox'); const passwordTextbox = document.getElementById('password-textbox'); +const adminCheckboxSection = document.getElementById('admin-checkbox-section'); const adminCheckbox = document.getElementById('admin-checkbox'); const submitButton = document.getElementById('submit-button'); const deleteButton = document.getElementById('delete-button'); async function Initialize() { let params = new URLSearchParams(location.search); - let accountID = params.get('account'); + let accountID = params.get('account') || (document.getElementById('account-id') ? document.getElementById('account-id').value : null); if(accountID) { const account = await Data.getAccount(accountID); console.log(account); @@ -21,16 +22,25 @@ async function Initialize() { adminCheckbox.checked = account.isAdmin; - Form.addHiddenValue('account', accountID, submissionForm); + if(!document.getElementById('account-id')) { + adminCheckboxSection.style.visibility = "visible"; + adminCheckbox.disabled = false; + + Form.addHiddenValue('account', accountID, submissionForm); + } deleteButton.style.visibility = "visible"; deleteButton.disabled = false; } + else + { + adminCheckboxSection.style.visibility = "visible"; + adminCheckbox.disabled = false; + } emailTextbox.disabled = false; emailTextbox.addEventListener('keyup', checkDataValidity); passwordTextbox.disabled = false; passwordTextbox.addEventListener('keyup', checkDataValidity); - adminCheckbox.disabled = false; checkDataValidity(); } Initialize(); diff --git a/public/scripts/manage/manage-nonadmin.js b/public/scripts/manage/manage-nonadmin.js index d549030..86782aa 100644 --- a/public/scripts/manage/manage-nonadmin.js +++ b/public/scripts/manage/manage-nonadmin.js @@ -2,6 +2,8 @@ import * as Data from "./../data.js"; const gamesListTable = document.getElementById('games-list'); const addNewButton = document.getElementById('add-new-button'); +const manageAccountButton = document.getElementById('manage-account-button'); + function getGenderLetter(genderName) { @@ -124,4 +126,7 @@ async function listItems() { } listItems(); -addNewButton.addEventListener('click', () => addGame()); \ No newline at end of file +addNewButton.addEventListener('click', () => addGame()); +manageAccountButton.addEventListener('click', () => { + window.location.href = '/manage/account'; +}); \ No newline at end of file diff --git a/public/stylesheets/submit.css b/public/stylesheets/submit.css index af4e239..30e64a5 100644 --- a/public/stylesheets/submit.css +++ b/public/stylesheets/submit.css @@ -1,3 +1,7 @@ h1 { text-align: center; +} + +#admin-checkbox-section { + visibility: hidden; } \ No newline at end of file diff --git a/routes/data.js b/routes/data.js index 3d71892..5981784 100644 --- a/routes/data.js +++ b/routes/data.js @@ -10,13 +10,22 @@ var accounts = require('../database/accounts/accounts'); function adminLoggedIn(req, res, next) { if (req.user && req.user[2]) { + next(); + } + else { + req.flash('error', 'An admin account is required to access this page.'); + res.redirect('/auth/login'); + } +} + +function userLoggedIn(req, res, next) { + if (req.user) { next(); } else { - req.flash('error', 'An admin account is required to access this page.'); res.redirect('/auth/login'); } - } +} router.get('/sports', function(req, res, next) { sports.retrieveAll() @@ -77,9 +86,17 @@ router.get('/accounts', adminLoggedIn, function(req, res, next) { .then(data => res.json(data)); }) -router.get('/account', adminLoggedIn, function(req, res, next) { - accounts.getFromID(req.query.account) - .then(data => res.json(data)); +router.get('/account', userLoggedIn, function(req, res, next) { + const userIsAdmin = req.user[2]; + const loggedInAccountID = req.user[0]; + const requestedAccountID = req.query.account; + + if(!userIsAdmin && loggedInAccountID != requestedAccountID) { + res.status(403).send("ACCESS DENIED"); + } else { + accounts.getFromID(req.query.account) + .then(data => res.json(data)); + } }) module.exports = router; \ No newline at end of file diff --git a/routes/manage.js b/routes/manage.js index 0a9c16e..73bdfeb 100644 --- a/routes/manage.js +++ b/routes/manage.js @@ -149,23 +149,46 @@ router.post('/team', adminLoggedIn, function(req, res, next) { else teams.add(name, sport).then(res.redirect("/manage")); }); -router.get('/account', adminLoggedIn, (req, res, next) => { - let title = req.query.account ? 'Manage User' : 'Create User' +router.get('/account', userLoggedIn, (req, res, next) => { + const userIsAdmin = req.user[2]; + const accountID = req.user[0]; + + if(userIsAdmin) { + let title = req.query.account ? 'Manage User' : 'Create User' - res.render('accounts/createuser', { title }); + res.render('accounts/createuser', { title }); + } + else { + let title = 'Manage Account'; + + res.render('accounts/createuser', { title, accountID }); + } }); -router.post('/account', adminLoggedIn, (req, res, next) => { +router.post('/account', userLoggedIn, (req, res, next) => { const email = req.body.email; const password = req.body.password; - const isAdmin = !!req.body.admin; const accountID = req.body.account; const remove = req.body.remove; - if(remove) accounts.remove(accountID).then(res.redirect('/manage')); - if(accountID) accounts.edit(accountID, email, password, isAdmin).then(res.redirect('/manage')); - else accounts.create(req.body.email, req.body.password, !!req.body.admin).then(res.redirect('/manage')); + const loggedInAccountIsAdmin = req.user[2]; + const loggedInAccountID = req.user[0]; + + console.log(accountID); + console.log(loggedInAccountID); + + + if(!loggedInAccountIsAdmin && accountID != loggedInAccountID) { + res.status(403).send("ACCESS DENIED"); + } + else { + const isAdmin = loggedInAccountIsAdmin ? !!req.body.admin : false; + + if(remove) accounts.remove(accountID).then(res.redirect('/manage')); + if(accountID) accounts.edit(accountID, email, password, isAdmin).then(res.redirect('/manage')); + else accounts.create(req.body.email, req.body.password, !!req.body.admin).then(res.redirect('/manage')); + } }); module.exports = router; diff --git a/views/accounts/createuser.pug b/views/accounts/createuser.pug index 36e0acb..94a968b 100644 --- a/views/accounts/createuser.pug +++ b/views/accounts/createuser.pug @@ -8,6 +8,8 @@ block content div#mobile-view h1 #{title} form#submission-form(action='/manage/account', method='POST') + if accountID + input#account-id(type="hidden" name="account" value=accountID) span(class='form-section') label Email span(class='form-section-input') @@ -16,7 +18,7 @@ block content label Password span(class='form-section-input' ) input#password-textbox(type="password" name="password" disabled) - span(class='form-section') + span#admin-checkbox-section(class='form-section') span(class='form-section-checkbox') input#admin-checkbox(type="checkbox" name="admin" disabled) label(for="admin-checkbox") Grant admin privileges