restrict admin access level

This commit is contained in:
b1ek 2023-02-27 22:13:36 +10:00
parent 8e5cb9dfcc
commit 3a1b0d9dbc
Signed by: blek
GPG Key ID: 14546221E3595D0C
4 changed files with 92 additions and 25 deletions

View File

@ -66,6 +66,20 @@ class User extends Model {
session.secret = crypto.randomBytes(256).toString('base64'); session.secret = crypto.randomBytes(256).toString('base64');
return session; return session;
} }
/**
* Get a user object from express session
* @param {*} session
* @returns User
*/
static async bySession(session) {
if (!session.user.user_id) return;
const user = await User.findOne({where: {id: session.user.user_id}});
if (!user) {
return false;
}
return user;
}
} }
const structure = { const structure = {

View File

@ -14,9 +14,14 @@
color: blue; color: blue;
font-size: 100%; font-size: 100%;
} }
.cp_panel_panel p {
margin: 2px 0;
padding: 0;
}
.cp_gb_entry_hidden { .cp_gb_entry_hidden {
filter: opacity(0.7) filter: opacity(0.7)
} }
input[type=submit] { input[type=submit] {
cursor: pointer; cursor: pointer;
} }

View File

@ -1,6 +1,7 @@
const handler = require('express-async-handler') const handler = require('express-async-handler')
const Helpers = require('../helpers'); const Helpers = require('../helpers');
const db = require('../models'); const db = require('../models');
const express = require('express');
async function login(req, res) { async function login(req, res) {
res.send(await Helpers.ViewLoader.load('admin/login.pug', { res.send(await Helpers.ViewLoader.load('admin/login.pug', {
@ -28,13 +29,20 @@ async function apiLogin(req, res) {
async function panel(req, res) { async function panel(req, res) {
const user = await db.User.bySession(req.session);
if (!user) {
res.status(401).send('Forbidden');
return;
}
const gb_records = await db.Guestbook.findAll({ const gb_records = await db.Guestbook.findAll({
order: [['id', 'DESC']] order: [['id', 'DESC']]
}); });
res.send(await Helpers.ViewLoader.load('admin/panel.pug', { res.send(await Helpers.ViewLoader.load('admin/panel.pug', {
current_route: req.originalUrl, current_route: req.originalUrl,
gb_records gb_records,
access_level: user.accessLevel
})); }));
return; return;
} }
@ -42,6 +50,11 @@ async function panel(req, res) {
async function gb_api(req, res) { async function gb_api(req, res) {
let action = false; let action = false;
const id = req.body.id; const id = req.body.id;
const user = await db.User.bySession(req.session);
if (!user) {
res.status(401).send('Forbidden');
return;
}
if (req.body.hide) action = 'hide'; if (req.body.hide) action = 'hide';
@ -65,8 +78,30 @@ module.exports = (router) => {
router.get('/admin/login', handler(login)); router.get('/admin/login', handler(login));
router.post('/admin/login', handler(apiLogin)); router.post('/admin/login', handler(apiLogin));
// level 4 access routes
/** @type {express.Router} */
const l4_router = new express.Router();
l4_router.use(handler(async (req, res, next) => {
const user = await db.User.bySession(req.session);
if (!user) {
res.status(401).send('Forbidden');
return;
}
if (user.accessLevel < 4 || true) {
res.status(401).send('Forbidden');
return;
}
req.user = user;
return next();
}));
l4_router.post('/admin/panel/gb_api', handler(gb_api));
router.use('/admin/panel/*', l4_router);
// panel // panel
router.get('/admin/panel', handler(panel)); router.get('/admin/panel', handler(panel));
router.post('/admin/panel/gb_api', handler(gb_api));
} }

View File

@ -19,12 +19,24 @@ block content
h5 Guestbook panel h5 Guestbook panel
hr hr
p p
if (access_level >= 3)
a(href='/admin/panel/guestbook.editor') Edit data a(href='/admin/panel/guestbook.editor') Edit data
br br
a(href='/admin/panel/guestbook.csv') Download data (.CSV) a(href='/admin/panel/guestbook.csv') Download data (.CSV)
br br
a(href='/admin/panel/guestbook.csv') Download data (SQL) a(href='/admin/panel/guestbook.csv') Download data (SQL)
form(action='/admin/panel/gb_api')
h5 Import from file
label(for='filetype') File type:
select(name='filetype')
option(value='csv') .CSV
option(value='sql') SQL
br
input(type='file' name='file')
br
input(type='submit' name='import' value='Send')
hr hr
div(style='max-height:160px;overflow-y:scroll')
table table
each record of gb_records each record of gb_records
tr(class='' + (record.hidden ? 'cp_gb_entry_hidden' : '')) tr(class='' + (record.hidden ? 'cp_gb_entry_hidden' : ''))
@ -39,6 +51,7 @@ block content
else else
| #{record.text} | #{record.text}
td td
if (access_level >= 3)
if (!record.hidden) if (!record.hidden)
input(type='submit' name='hide' value='Hide') input(type='submit' name='hide' value='Hide')
else else