digital-telepresence
/
dtp-base-v1
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

refactor admin user settings away from standard user settings 

It was possible for Users to grant themselves flags and permissions.
These operations now require Admin privileges, and are only implemented
by services.user.updateForAdmin. The services.user.update method no
longer has any logic to alter flags and/or permissions.
pull/1/head
Rob Colbert 3 years ago
parent
929a8875ef
commit
4f1c8cb245
5 changed files with 119 additions and 48 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 12
      app/controllers/admin/user.js
  2. 2
      app/models/user.js
  3. 30
      app/services/user.js
  4. 39
      app/views/admin/user/form.pug
  5. 14
      app/views/user/settings.pug

12
app/controllers/admin/user.js
View File

@ -47,15 +47,23 @@ class UserController extends SiteController {
async postUpdateUser (req, res, next) { async postUpdateUser (req, res, next) {
const { user: userService } = this.dtp.services; const { user: userService } = this.dtp.services;
try { try {
await userService.update(res.locals.userAccount, req.body); await userService.updateForAdmin(res.locals.userAccount, req.body);
res.redirect('/admin/user'); res.redirect('/admin/user');
} catch (error) { } catch (error) {
return next(error); return next(error);
} }
} }
async getUserView (req, res) { async getUserView (req, res, error) {
const { comment: commentService } = this.dtp.services;
try {
res.locals.pagination = this.getPaginationParameters(req, 20);
res.locals.recentComments = await commentService.getForAuthor(res.locals.userAccount, res.locals.pagination);
res.render('admin/user/form'); res.render('admin/user/form');
} catch (error) {
this.log.error('failed to produce user view', { error });
return next(error);
}
} }
async getHomeView (req, res, next) { async getHomeView (req, res, next) {

2
app/models/user.js
View File

@ -20,6 +20,8 @@ const UserPermissionsSchema = new Schema({
canChat: { type: Boolean, default: true, required: true }, canChat: { type: Boolean, default: true, required: true },
canComment: { type: Boolean, default: true, required: true }, canComment: { type: Boolean, default: true, required: true },
canReport: { type: Boolean, default: true, required: true }, canReport: { type: Boolean, default: true, required: true },
canAuthorPages: { type: Boolean, default: false, required: true },
canAuthorPosts: { type: Boolean, default: false, required: true },
}); });
const UserSchema = new Schema({ const UserSchema = new Schema({

30
app/services/user.js
View File

@ -99,6 +99,8 @@ class UserService {
canChat: true, canChat: true,
canComment: true, canComment: true,
canReport: true, canReport: true,
canAuthorPages: false,
canAuthorPosts: false,
}; };
this.log.info('creating new user account', { email: userDefinition.email }); this.log.info('creating new user account', { email: userDefinition.email });
@ -112,6 +114,10 @@ class UserService {
} }
async update (user, userDefinition) { async update (user, userDefinition) {
if (!user.flags.canLogin) {
throw SiteError(403, 'Invalid user account operation');
}
// strip characters we don't want to allow in username // strip characters we don't want to allow in username
userDefinition.username = striptags(userDefinition.username.trim().replace(/[^A-Za-z0-9\-_]/gi, '')); userDefinition.username = striptags(userDefinition.username.trim().replace(/[^A-Za-z0-9\-_]/gi, ''));
const username_lc = userDefinition.username.toLowerCase(); const username_lc = userDefinition.username.toLowerCase();
@ -120,6 +126,28 @@ class UserService {
userDefinition.bio = striptags(userDefinition.bio.trim()); userDefinition.bio = striptags(userDefinition.bio.trim());
this.log.info('updating user', { userDefinition }); this.log.info('updating user', { userDefinition });
await User.updateOne(
{ _id: user._id },
{
$set: {
username: userDefinition.username,
username_lc,
displayName: userDefinition.displayName,
bio: userDefinition.bio,
},
},
);
}
async updateForAdmin (user, userDefinition) {
// strip characters we don't want to allow in username
userDefinition.username = striptags(userDefinition.username.trim().replace(/[^A-Za-z0-9\-_]/gi, ''));
const username_lc = userDefinition.username.toLowerCase();
userDefinition.displayName = striptags(userDefinition.displayName.trim());
userDefinition.bio = striptags(userDefinition.bio.trim());
this.log.info('updating user for admin', { userDefinition });
await User.updateOne( await User.updateOne(
{ _id: user._id }, { _id: user._id },
{ {
@ -134,6 +162,8 @@ class UserService {
'permissions.canChat': userDefinition.canChat === 'on', 'permissions.canChat': userDefinition.canChat === 'on',
'permissions.canComment': userDefinition.canComment === 'on', 'permissions.canComment': userDefinition.canComment === 'on',
'permissions.canReport': userDefinition.canReport === 'on', 'permissions.canReport': userDefinition.canReport === 'on',
'permissions.canAuthorPages': userDefinition.canAuthorPages === 'on',
'permissions.canAuthorPosts': userDefinition.canAuthorPosts === 'on',
}, },
}, },
); );

39
app/views/admin/user/form.pug
View File

@ -1,13 +1,27 @@
extends ../layouts/main extends ../layouts/main
block content block content
.uk-margin include ../../comment/components/comment-review
.uk-text-large= userAccount.displayName || userAccount.email
div= userAccount.username
div(uk-grid).uk-grid-small
div(class="uk-width-1-1 uk-width-2-3@l")
form(method="POST", action=`/admin/user/${userAccount._id}`).uk-form form(method="POST", action=`/admin/user/${userAccount._id}`).uk-form
input(type="hidden", name="username", value= userAccount.username) input(type="hidden", name="username", value= userAccount.username)
input(type="hidden", name="displayName", value= userAccount.displayName) input(type="hidden", name="displayName", value= userAccount.displayName)
.uk-card.uk-card-secondary.uk-card-small
.uk-card-header
if userAccount.displayName
.uk-text-large= userAccount.displayName
div
a(href=`mailto:${userAccount.email}`)= userAccount.email
div
a(href=`/user/${userAccount._id}`) @#{userAccount.username}
.uk-card-body
.uk-margin
label(for="bio").uk-form-label.sr-only Bio
textarea(id="bio", name="bio", rows="4", placeholder= "Bio is empty", disabled= !userAccount.bio || (userAccount.bio.length === 0)).uk-textarea.uk-resize-vertical= userAccount.bio
.uk-margin .uk-margin
div(uk-grid) div(uk-grid)
div(class="uk-width-1-1 uk-width-1-2@m") div(class="uk-width-1-1 uk-width-1-2@m")
@ -39,5 +53,22 @@ block content
label label
input(id="can-report", name="canReport", type="checkbox", checked= userAccount.permissions.canReport) input(id="can-report", name="canReport", type="checkbox", checked= userAccount.permissions.canReport)
| Can Report | Can Report
label
input(id="can-author-pages", name="canAuthorPages", type="checkbox", checked= userAccount.permissions.canAuthorPages)
| Can Author Pages
label
input(id="can-author-posts", name="canAuthorPosts", type="checkbox", checked= userAccount.permissions.canAuthorPosts)
| Can Author Posts
button(type="submit").uk-button.dtp-button-primary.uk-display-block.uk-width-1-1 Update User
div(class="uk-width-1-1 uk-width-1-3@l")
button(type="submit").uk-button.uk-button-primary Update User .uk-card.uk-card-secondary.uk-card-small
.uk-card-header
h4.uk-card-title #{userAccount.displayName || userAccount.username}'s Comments
.uk-card-body
ul.uk-list.uk-list-divider
each comment in recentComments
li
+renderCommentReview(comment)

14
app/views/user/settings.pug
View File

@ -20,13 +20,13 @@ block content
} }
.uk-margin .uk-margin
+renderFileUploadImage( +renderFileUploadImage(
`/user/${user._id}/header-image`, `/user/${user._id}/profile-photo`,
'header-image-upload', 'profile-picture-upload',
'header-image-file', 'profile-picture-file',
'header-image-picture', 'site-profile-picture',
`/img/default-header.png`, `/img/default-member.png`,
user.header, currentProfile,
{ aspectRatio: 1400 / 400 }, { aspectRatio: 1 },
) )
div(class="uk-width-1-1 uk-width-expand@m") div(class="uk-width-1-1 uk-width-expand@m")

Write Preview
Loading…
Cancel
Save