restrict admin access level

This commit is contained in:
b1ek 2023-02-27 22:13:36 +10:00
parent 8e5cb9dfcc
commit 3a1b0d9dbc
Signed by: blek
GPG Key ID: 14546221E3595D0C
4 changed files with 92 additions and 25 deletions


@ -66,6 +66,20 @@ class User extends Model {
session.secret = crypto.randomBytes(256).toString('base64');
return session;
}
/**
* Get a user object from express session
* @param {*} session
* @returns User
*/
static async bySession(session) {
if (!session.user.user_id) return;
const user = await User.findOne({where: {id: session.user.user_id}});
if (!user) {
return false;
}
return user;
}
}
const structure = {
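Review bot: `bySession` dereferences `session.user.user_id` without checking that `session.user` exists, so a request with no login at all (the common unauthenticated case) throws a TypeError inside the handler instead of taking the "no user" path; the guard should be `if (!session?.user?.user_id) return;`. The two failure branches also return different values (`undefined` on a missing id, `false` on a missing row) while the JSDoc says `@returns User` — callers use `!user` so it works, but the doc should say `@returns {Promise<User|false|undefined>}` or the branches should agree. The enclosing `User` class starts before this hunk.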


@ -14,9 +14,14 @@
color: blue;
font-size: 100%;
}
.cp_panel_panel p {
margin: 2px 0;
padding: 0;
}
.cp_gb_entry_hidden {
filter: opacity(0.7)
}
input[type=submit] {
cursor: pointer;
}


@ -1,6 +1,7 @@
const handler = require('express-async-handler')
const Helpers = require('../helpers');
const db = require('../models');
const express = require('express');
async function login(req, res) {
res.send(await Helpers.ViewLoader.load('admin/login.pug', {
@ -28,13 +29,20 @@ async function apiLogin(req, res) {
async function panel(req, res) {
const user = await db.User.bySession(req.session);
if (!user) {
res.status(401).send('Forbidden');
return;
}
const gb_records = await db.Guestbook.findAll({
order: [['id', 'DESC']]
});
res.send(await Helpers.ViewLoader.load('admin/panel.pug', {
current_route: req.originalUrl,
gb_records
gb_records,
access_level: user.accessLevel
}));
return;
}
@ -42,6 +50,11 @@ async function panel(req, res) {
async function gb_api(req, res) {
let action = false;
const id = req.body.id;
const user = await db.User.bySession(req.session);
if (!user) {
res.status(401).send('Forbidden');
return;
}
if (req.body.hide) action = 'hide';
@ -65,8 +78,30 @@ module.exports = (router) => {
router.get('/admin/login', handler(login));
router.post('/admin/login', handler(apiLogin));
// level 4 access routes
/** @type {express.Router} */
const l4_router = new express.Router();
l4_router.use(handler(async (req, res, next) => {
const user = await db.User.bySession(req.session);
if (!user) {
res.status(401).send('Forbidden');
return;
}
if (user.accessLevel < 4 || true) {
res.status(401).send('Forbidden');
return;
}
req.user = user;
return next();
}));
l4_router.post('/admin/panel/gb_api', handler(gb_api));
router.use('/admin/panel/*', l4_router);
// panel
router.get('/admin/panel', handler(panel));
router.post('/admin/panel/gb_api', handler(gb_api));
}
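Review bot: The access check in the `l4_router` middleware reads `if (user.accessLevel < 4 || true)`, so the condition is always true and every request routed through it gets a 401 regardless of level — this looks like a debugging leftover that defeats the feature the commit is adding; it should be `if (user.accessLevel < 4) {`. A logged-in user who lacks the level is an authorization failure, so that branch should answer `403` rather than `401` (which the middleware already uses for the not-logged-in case). Separately, Express strips the matched mount path before dispatching into a sub-router, so with the router mounted at `/admin/panel/*` the `l4_router.post('/admin/panel/gb_api', ...)` registration is unlikely to ever match and requests would fall through to the unchanged `router.post('/admin/panel/gb_api', ...)` below; the middleware still runs first, but the duplicate registration should be reconciled so the level check is the only path to `gb_api`.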


@ -19,28 +19,41 @@ block content
h5 Guestbook panel
hr
p
a(href='/admin/panel/guestbook.editor') Edit data
if (access_level >= 3)
a(href='/admin/panel/guestbook.editor') Edit data
br
a(href='/admin/panel/guestbook.csv') Download data (.CSV)
br
a(href='/admin/panel/guestbook.csv') Download data (SQL)
form(action='/admin/panel/gb_api')
h5 Import from file
label(for='filetype') File type:
select(name='filetype')
option(value='csv') .CSV
option(value='sql') SQL
br
a(href='/admin/panel/guestbook.csv') Download data (.CSV)
input(type='file' name='file')
br
a(href='/admin/panel/guestbook.csv') Download data (SQL)
input(type='submit' name='import' value='Send')
hr
table
each record of gb_records
tr(class='' + (record.hidden ? 'cp_gb_entry_hidden' : ''))
form(action='/admin/panel/gb_api' method='POST')
input(type='hidden' name='id' value=record.id)
td
a(href='/guestbook#gb_entry_' + record.id)= record.id
| : #{record.name}
td
if (record.text.length > 40)
| #{record.text.substr(0, 40)}...
else
| #{record.text}
td
if (!record.hidden)
input(type='submit' name='hide' value='Hide')
else
input(type='submit' name='hide' value='Unhide')
div(style='max-height:160px;overflow-y:scroll')
table
each record of gb_records
tr(class='' + (record.hidden ? 'cp_gb_entry_hidden' : ''))
form(action='/admin/panel/gb_api' method='POST')
input(type='hidden' name='id' value=record.id)
td
a(href='/guestbook#gb_entry_' + record.id)= record.id
| : #{record.name}
td
if (record.text.length > 40)
| #{record.text.substr(0, 40)}...
else
| #{record.text}
td
if (access_level >= 3)
if (!record.hidden)
input(type='submit' name='hide' value='Hide')
else
input(type='submit' name='hide' value='Unhide')
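Review bot: The new import form `form(action='/admin/panel/gb_api')` declares neither `method='POST'` nor `enctype='multipart/form-data'`, so the browser will submit it as a GET carrying only the file name, and the POST-only `gb_api` route will not receive it; it should be `form(action='/admin/panel/gb_api' method='POST' enctype='multipart/form-data')`. The template hides the edit link and hide/unhide buttons below `access_level >= 3`, while the router in this commit requires level 4 for the same API — the server check is what actually protects the action, but the two thresholds should agree so a level-3 user is not shown controls that will be rejected. Both download links (`Download data (.CSV)` and `Download data (SQL)`) point to `/admin/panel/guestbook.csv`; this predates the commit but survives into the new block.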