Add ability for non-admin users to manage their account

public/scripts/manage/account.js

@@ -4,13 +4,14 @@ import * as Form from "../form.js";
 const submissionForm = document.getElementById('submission-form');
 const emailTextbox = document.getElementById('email-textbox');
 const passwordTextbox = document.getElementById('password-textbox');
+const adminCheckboxSection = document.getElementById('admin-checkbox-section');
 const adminCheckbox = document.getElementById('admin-checkbox');
 const submitButton = document.getElementById('submit-button');
 const deleteButton = document.getElementById('delete-button');
 
 async function Initialize() {
     let params = new URLSearchParams(location.search);
-    let accountID = params.get('account');
+    let accountID = params.get('account') || (document.getElementById('account-id') ? document.getElementById('account-id').value : null);
     if(accountID) {
         const account = await Data.getAccount(accountID);
         console.log(account);
@@ -21,16 +22,25 @@ async function Initialize() {
 
         adminCheckbox.checked = account.isAdmin;
 
-        Form.addHiddenValue('account', accountID, submissionForm);
+        if(!document.getElementById('account-id')) {
+            adminCheckboxSection.style.visibility = "visible";
+            adminCheckbox.disabled = false;    
+    
+            Form.addHiddenValue('account', accountID, submissionForm);
+        }
 
         deleteButton.style.visibility = "visible";
         deleteButton.disabled = false;
     }
+    else
+    {
+        adminCheckboxSection.style.visibility = "visible";
+        adminCheckbox.disabled = false;
+    }
     emailTextbox.disabled = false;
     emailTextbox.addEventListener('keyup', checkDataValidity);
     passwordTextbox.disabled = false;
     passwordTextbox.addEventListener('keyup', checkDataValidity);
-    adminCheckbox.disabled = false;
     checkDataValidity();
 }
 Initialize();

public/scripts/manage/manage-nonadmin.js

@@ -2,6 +2,8 @@ import * as Data from "./../data.js";
 
 const gamesListTable = document.getElementById('games-list');
 const addNewButton = document.getElementById('add-new-button');
+const manageAccountButton = document.getElementById('manage-account-button');
+
 
 
 function getGenderLetter(genderName) {
@@ -125,3 +127,6 @@ async function listItems() {
 listItems();
 
 addNewButton.addEventListener('click', () => addGame());
+manageAccountButton.addEventListener('click', () => {
+    window.location.href = '/manage/account';
+});

public/stylesheets/submit.css

@@ -1,3 +1,7 @@
 h1 {
     text-align: center;
 }
+
+#admin-checkbox-section {
+    visibility: hidden;
+}

routes/data.js

@@ -10,13 +10,22 @@ var accounts = require('../database/accounts/accounts');
 
 function adminLoggedIn(req, res, next) {
     if (req.user && req.user[2]) {
+        next();
+    }
+    else {
+        req.flash('error', 'An admin account is required to access this page.');
+        res.redirect('/auth/login');
+    }
+}
+
+function userLoggedIn(req, res, next) {
+    if (req.user) {
       next();
     }
     else {
-      req.flash('error', 'An admin account is required to access this page.');
       res.redirect('/auth/login');
     }
-  }
+}
 
 router.get('/sports', function(req, res, next) {
     sports.retrieveAll()
@@ -77,9 +86,17 @@ router.get('/accounts', adminLoggedIn, function(req, res, next) {
         .then(data => res.json(data));
 })
 
-router.get('/account', adminLoggedIn, function(req, res, next) {
+router.get('/account', userLoggedIn, function(req, res, next) {
-    accounts.getFromID(req.query.account)
+    const userIsAdmin = req.user[2];
-        .then(data => res.json(data));
+    const loggedInAccountID = req.user[0];
+    const requestedAccountID = req.query.account;
+
+    if(!userIsAdmin && loggedInAccountID != requestedAccountID) {
+        res.status(403).send("ACCESS DENIED");
+    } else {
+        accounts.getFromID(req.query.account)
+            .then(data => res.json(data));
+    }
 })
 
 module.exports = router;

routes/manage.js

@@ -149,23 +149,46 @@ router.post('/team', adminLoggedIn, function(req, res, next) {
   else teams.add(name, sport).then(res.redirect("/manage"));
 });
 
-router.get('/account', adminLoggedIn, (req, res, next) => {
+router.get('/account', userLoggedIn, (req, res, next) => {
-  let title = req.query.account ? 'Manage User' : 'Create User'
+  const userIsAdmin = req.user[2];
+  const accountID = req.user[0];
   
-  res.render('accounts/createuser', { title });
+  if(userIsAdmin) {
+    let title = req.query.account ? 'Manage User' : 'Create User'
+
+    res.render('accounts/createuser', { title });  
+  }
+  else {
+    let title = 'Manage Account';
+
+    res.render('accounts/createuser', { title, accountID });  
+  }
 });
 
-router.post('/account', adminLoggedIn, (req, res, next) => {
+router.post('/account', userLoggedIn, (req, res, next) => {
   const email = req.body.email;
   const password = req.body.password;
-  const isAdmin = !!req.body.admin;
 
   const accountID = req.body.account;
   const remove = req.body.remove;
 
-  if(remove) accounts.remove(accountID).then(res.redirect('/manage'));
+  const loggedInAccountIsAdmin = req.user[2];
-  if(accountID) accounts.edit(accountID, email, password, isAdmin).then(res.redirect('/manage'));
+  const loggedInAccountID = req.user[0];
-  else accounts.create(req.body.email, req.body.password, !!req.body.admin).then(res.redirect('/manage'));
+
+  console.log(accountID);
+  console.log(loggedInAccountID);
+
+
+  if(!loggedInAccountIsAdmin && accountID != loggedInAccountID) {
+    res.status(403).send("ACCESS DENIED");
+  }
+  else {
+    const isAdmin = loggedInAccountIsAdmin ? !!req.body.admin : false;
+
+    if(remove) accounts.remove(accountID).then(res.redirect('/manage'));
+    if(accountID) accounts.edit(accountID, email, password, isAdmin).then(res.redirect('/manage'));
+    else accounts.create(req.body.email, req.body.password, !!req.body.admin).then(res.redirect('/manage'));  
+  }
 });
 
 module.exports = router;

views/accounts/createuser.pug

@@ -8,6 +8,8 @@ block content
   div#mobile-view
     h1 #{title}
     form#submission-form(action='/manage/account', method='POST')
+      if accountID 
+        input#account-id(type="hidden" name="account" value=accountID)
       span(class='form-section')
         label Email
         span(class='form-section-input')
@@ -16,7 +18,7 @@ block content
         label Password 
         span(class='form-section-input' )
           input#password-textbox(type="password" name="password" disabled)
-      span(class='form-section')
+      span#admin-checkbox-section(class='form-section')
         span(class='form-section-checkbox')
           input#admin-checkbox(type="checkbox" name="admin" disabled)
           label(for="admin-checkbox") Grant admin privileges