From 3a1b0d9dbcf1b43f6c6f57f6cf60f8de7eb00843 Mon Sep 17 00:00:00 2001 From: b1ek Date: Mon, 27 Feb 2023 22:13:36 +1000 Subject: [PATCH] restrict admin access level --- models/user.js | 14 ++++++++ public/static/ui/control_panel.css | 5 +++ routes/admin.js | 41 +++++++++++++++++++-- view/admin/panel.pug | 57 ++++++++++++++++++------------ 4 files changed, 92 insertions(+), 25 deletions(-) diff --git a/models/user.js b/models/user.js index 055b5eb..d001c70 100644 --- a/models/user.js +++ b/models/user.js @@ -66,6 +66,20 @@ class User extends Model { session.secret = crypto.randomBytes(256).toString('base64'); return session; } + + /** + * Get a user object from express session + * @param {*} session + * @returns User + */ + static async bySession(session) { + if (!session.user.user_id) return; + const user = await User.findOne({where: {id: session.user.user_id}}); + if (!user) { + return false; + } + return user; + } } const structure = { diff --git a/public/static/ui/control_panel.css b/public/static/ui/control_panel.css index eac40f3..7689eee 100644 --- a/public/static/ui/control_panel.css +++ b/public/static/ui/control_panel.css @@ -14,9 +14,14 @@ color: blue; font-size: 100%; } +.cp_panel_panel p { + margin: 2px 0; + padding: 0; +} .cp_gb_entry_hidden { filter: opacity(0.7) } + input[type=submit] { cursor: pointer; } \ No newline at end of file diff --git a/routes/admin.js b/routes/admin.js index 97ef572..f673dbe 100644 --- a/routes/admin.js +++ b/routes/admin.js @@ -1,6 +1,7 @@ const handler = require('express-async-handler') const Helpers = require('../helpers'); const db = require('../models'); +const express = require('express'); async function login(req, res) { res.send(await Helpers.ViewLoader.load('admin/login.pug', { 
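Review bot: `bySession` dereferences `session.user.user_id` without first checking that `session.user` exists, so a request with no login at all — the very case the admin routes rely on this helper to reject — throws a TypeError instead of returning a falsy value; under express-async-handler that most likely surfaces as a 500 rather than the intended 401. Guard the lookup and make the two failure paths agree, e.g. `if (!session?.user?.user_id) return false;` and `return user ?? false;` in place of the trailing null check. The JSDoc should also document the failure value, e.g. `@returns {Promise<User|false>} the matching user, or false when the session carries no valid user id`.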
@@ -28,13 +29,20 @@ async function apiLogin(req, res) { async function panel(req, res) { + const user = await db.User.bySession(req.session); + if (!user) { + res.status(401).send('Forbidden'); + return; + } + const gb_records = await db.Guestbook.findAll({ order: [['id', 'DESC']] }); res.send(await Helpers.ViewLoader.load('admin/panel.pug', { current_route: req.originalUrl, - gb_records + gb_records, + access_level: user.accessLevel })); return; } @@ -42,6 +50,11 @@ async function panel(req, res) { async function gb_api(req, res) { let action = false; const id = req.body.id; + const user = await db.User.bySession(req.session); + if (!user) { + res.status(401).send('Forbidden'); + return; + } if (req.body.hide) action = 'hide'; @@ -65,8 +78,30 @@ module.exports = (router) => { router.get('/admin/login', handler(login)); router.post('/admin/login', handler(apiLogin)); + // level 4 access routes + /** @type {express.Router} */ + const l4_router = new express.Router(); + l4_router.use(handler(async (req, res, next) => { + const user = await db.User.bySession(req.session); + if (!user) { + res.status(401).send('Forbidden'); + return; + } + + if (user.accessLevel < 4 || true) { + res.status(401).send('Forbidden'); + return; + } + + + req.user = user; + return next(); + })); + l4_router.post('/admin/panel/gb_api', handler(gb_api)); + + router.use('/admin/panel/*', l4_router); + + // panel router.get('/admin/panel', handler(panel)); - router.post('/admin/panel/gb_api', handler(gb_api)); - } \ No newline at end of file diff --git a/view/admin/panel.pug b/view/admin/panel.pug index 60ea574..7df37ca 100644 --- a/view/admin/panel.pug +++ b/view/admin/panel.pug 
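Review bot: gb_api now repeats the `db.User.bySession(req.session)` lookup that the level-4 middleware added later in this file performs before the handler runs (that middleware stores the result on `req.user`), yet neither copy in this function checks `accessLevel`, so the only privilege check for hiding or unhiding entries lives in the routing setup. If the mount of that middleware does not cover this route, any logged-in user can mutate the guestbook; have the handler enforce its own requirement with `const user = req.user ?? await db.User.bySession(req.session);` followed by `if (!user || user.accessLevel < 4) { res.status(403).send('Forbidden'); return; }`. gb_api's body continues outside the hunk.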
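Review bot: `if (user.accessLevel < 4 || true)` is always true, so the level-4 middleware rejects every authenticated user and `/admin/panel/gb_api` becomes unreachable; the `|| true` reads as a debugging leftover and should be dropped. Independently, as far as I recall Express strips the matched mount path before a sub-router sees the request, so with `router.use('/admin/panel/*', l4_router)` the path inside `l4_router` is no longer `/admin/panel/gb_api` and `l4_router.post('/admin/panel/gb_api', …)` would not match — worth verifying with a request. A per-route guard avoids both the mount-path question and accidentally gating `router.get('/admin/panel', …)`, which must stay reachable for lower levels since the view branches on `access_level`. The rejection status should also distinguish the two cases: no session user is 401, an authenticated user below the required level is 403; the 401 with body 'Forbidden' used here and in the panel and gb_api hunks above mixes the two.
```javascript
// Gate a route behind a minimum access level: 401 with no session user, 403 when the level is too low.
const requireLevel = (min) => handler(async (req, res, next) => {
  const user = await db.User.bySession(req.session);
  if (!user) {
    res.status(401).send('Unauthorized');
    return;
  }
  if (user.accessLevel < min) {
    res.status(403).send('Forbidden');
    return;
  }
  req.user = user;
  next();
});

router.post('/admin/panel/gb_api', requireLevel(4), handler(gb_api));
// … unchanged: router.get('/admin/panel', handler(panel)) …
```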
@@ -19,28 +19,41 @@ block content h5 Guestbook panel hr p - a(href='/admin/panel/guestbook.editor') Edit data + if (access_level >= 3) + a(href='/admin/panel/guestbook.editor') Edit data + br + a(href='/admin/panel/guestbook.csv') Download data (.CSV) + br + a(href='/admin/panel/guestbook.csv') Download data (SQL) + form(action='/admin/panel/gb_api') + h5 Import from file + label(for='filetype') File type: + select(name='filetype') + option(value='csv') .CSV + option(value='sql') SQL br - a(href='/admin/panel/guestbook.csv') Download data (.CSV) + input(type='file' name='file') br - a(href='/admin/panel/guestbook.csv') Download data (SQL) + input(type='submit' name='import' value='Send') hr - table - each record of gb_records - tr(class='' + (record.hidden ? 'cp_gb_entry_hidden' : '')) - form(action='/admin/panel/gb_api' method='POST') - input(type='hidden' name='id' value=record.id) - td - a(href='/guestbook#gb_entry_' + record.id)= record.id - | : #{record.name} - td - if (record.text.length > 40) - | #{record.text.substr(0, 40)}... - else - | #{record.text} - td - if (!record.hidden) - input(type='submit' name='hide' value='Hide') - else - input(type='submit' name='hide' value='Unhide') - \ No newline at end of file + div(style='max-height:160px;overflow-y:scroll') + table + each record of gb_records + tr(class='' + (record.hidden ? 'cp_gb_entry_hidden' : '')) + form(action='/admin/panel/gb_api' method='POST') + input(type='hidden' name='id' value=record.id) + td + a(href='/guestbook#gb_entry_' + record.id)= record.id + | : #{record.name} + td + if (record.text.length > 40) + | #{record.text.substr(0, 40)}... + else + | #{record.text} + td + if (access_level >= 3) + if (!record.hidden) + input(type='submit' name='hide' value='Hide') + else + input(type='submit' name='hide' value='Unhide') + \ No newline at end of file
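Review bot: The view shows the editing controls at `if (access_level >= 3)` — both the block holding 'Edit data', the downloads and the import form, and the Hide/Unhide buttons further down — while the server-side gate added in routes/admin.js requires level 4, so a level-3 user is offered controls the server will reject; pick one threshold and use it in both places, or pass the threshold to the view from the route so they cannot drift. The new import form `form(action='/admin/panel/gb_api')` specifies no `method='POST'` and no `enctype='multipart/form-data'`, so the browser submits a GET carrying only field names and no file content, and the server only registers a POST handler for that path. Both download links also point at `/admin/panel/guestbook.csv`, so 'Download data (SQL)' currently fetches the CSV.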