restrict admin access level
parent
8e5cb9dfcc
commit
3a1b0d9dbc
|
@ -66,6 +66,20 @@ class User extends Model {
|
|||
session.secret = crypto.randomBytes(256).toString('base64');
|
||||
return session;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a user object from express session
|
||||
* @param {*} session
|
||||
* @returns User
|
||||
*/
|
||||
static async bySession(session) {
|
||||
if (!session.user.user_id) return;
|
||||
const user = await User.findOne({where: {id: session.user.user_id}});
|
||||
if (!user) {
|
||||
return false;
|
||||
}
|
||||
return user;
|
||||
}
|
||||
}
|
||||
|
||||
const structure = {
|
||||
|
|
|
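Review bot: `if (!session.user.user_id) return;` in the new bySession throws a TypeError whenever the session has no `user` object at all, which is exactly the state of an unauthenticated visitor hitting the admin routes; because the callers wrap it in the async handler, that surfaces as a 500 instead of the intended 401. Guard the whole chain, e.g. `if (!session.user || !session.user.user_id) return false;` (or `session?.user?.user_id` if the project's Node version allows optional chaining). That change also removes the current inconsistency where a missing id returns `undefined` but a missing row returns `false`, so callers checking `=== false` would behave differently. The JSDoc `@param {*} session` should state the shape the method actually reads (`session.user.user_id`) so the next maintainer knows what must be set at login; class User continues outside this hunk.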
@ -14,9 +14,14 @@
|
|||
color: blue;
|
||||
font-size: 100%;
|
||||
}
|
||||
.cp_panel_panel p {
|
||||
margin: 2px 0;
|
||||
padding: 0;
|
||||
}
|
||||
.cp_gb_entry_hidden {
|
||||
filter: opacity(0.7)
|
||||
}
|
||||
|
||||
input[type=submit] {
|
||||
cursor: pointer;
|
||||
}
|
|
@ -1,6 +1,7 @@
|
|||
const handler = require('express-async-handler')
|
||||
const Helpers = require('../helpers');
|
||||
const db = require('../models');
|
||||
const express = require('express');
|
||||
|
||||
async function login(req, res) {
|
||||
res.send(await Helpers.ViewLoader.load('admin/login.pug', {
|
||||
|
@ -28,13 +29,20 @@ async function apiLogin(req, res) {
|
|||
|
||||
async function panel(req, res) {
|
||||
|
||||
const user = await db.User.bySession(req.session);
|
||||
if (!user) {
|
||||
res.status(401).send('Forbidden');
|
||||
return;
|
||||
}
|
||||
|
||||
const gb_records = await db.Guestbook.findAll({
|
||||
order: [['id', 'DESC']]
|
||||
});
|
||||
|
||||
res.send(await Helpers.ViewLoader.load('admin/panel.pug', {
|
||||
current_route: req.originalUrl,
|
||||
gb_records
|
||||
gb_records,
|
||||
access_level: user.accessLevel
|
||||
}));
|
||||
return;
|
||||
}
|
||||
|
@ -42,6 +50,11 @@ async function panel(req, res) {
|
|||
async function gb_api(req, res) {
|
||||
let action = false;
|
||||
const id = req.body.id;
|
||||
const user = await db.User.bySession(req.session);
|
||||
if (!user) {
|
||||
res.status(401).send('Forbidden');
|
||||
return;
|
||||
}
|
||||
|
||||
if (req.body.hide) action = 'hide';
|
||||
|
||||
|
@ -65,8 +78,30 @@ module.exports = (router) => {
|
|||
router.get('/admin/login', handler(login));
|
||||
router.post('/admin/login', handler(apiLogin));
|
||||
|
||||
// level 4 access routes
|
||||
/** @type {express.Router} */
|
||||
const l4_router = new express.Router();
|
||||
l4_router.use(handler(async (req, res, next) => {
|
||||
const user = await db.User.bySession(req.session);
|
||||
if (!user) {
|
||||
res.status(401).send('Forbidden');
|
||||
return;
|
||||
}
|
||||
|
||||
if (user.accessLevel < 4 || true) {
|
||||
res.status(401).send('Forbidden');
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
req.user = user;
|
||||
return next();
|
||||
}));
|
||||
l4_router.post('/admin/panel/gb_api', handler(gb_api));
|
||||
|
||||
router.use('/admin/panel/*', l4_router);
|
||||
|
||||
|
||||
// panel
|
||||
router.get('/admin/panel', handler(panel));
|
||||
router.post('/admin/panel/gb_api', handler(gb_api));
|
||||
|
||||
}
|
|
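Review bot: `if (user.accessLevel < 4 || true)` in the l4_router middleware rejects every request regardless of level, so as committed nobody can reach anything mounted under `/admin/panel/*`; this reads as a debugging leftover and should be `if (user.accessLevel < 4) {`. Both that branch and the no-user branch answer `res.status(401).send('Forbidden')`: 401 means "not authenticated" and fits the missing-user case, while an authenticated user with too low a level is a 403, so `res.status(403).send('Forbidden');` for the level check makes logs and client handling unambiguous. Note also that `router.post('/admin/panel/gb_api', handler(gb_api))` is still registered on the outer router after the mount, and gb_api itself (hunk at -42,6) checks only that a user exists, not the level; as far as I can tell from these lines the outer registration is what actually serves the request once the middleware calls `next()`, so the `l4_router.post(...)` line looks dead and the outer route only stays protected as long as the `router.use('/admin/panel/*', l4_router)` line precedes it — worth a comment such as `// gated by l4_router above; keep this registration after the mount`.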
@ -19,28 +19,41 @@ block content
|
|||
h5 Guestbook panel
|
||||
hr
|
||||
p
|
||||
a(href='/admin/panel/guestbook.editor') Edit data
|
||||
if (access_level >= 3)
|
||||
a(href='/admin/panel/guestbook.editor') Edit data
|
||||
br
|
||||
a(href='/admin/panel/guestbook.csv') Download data (.CSV)
|
||||
br
|
||||
a(href='/admin/panel/guestbook.csv') Download data (SQL)
|
||||
form(action='/admin/panel/gb_api')
|
||||
h5 Import from file
|
||||
label(for='filetype') File type:
|
||||
select(name='filetype')
|
||||
option(value='csv') .CSV
|
||||
option(value='sql') SQL
|
||||
br
|
||||
a(href='/admin/panel/guestbook.csv') Download data (.CSV)
|
||||
input(type='file' name='file')
|
||||
br
|
||||
a(href='/admin/panel/guestbook.csv') Download data (SQL)
|
||||
input(type='submit' name='import' value='Send')
|
||||
hr
|
||||
table
|
||||
each record of gb_records
|
||||
tr(class='' + (record.hidden ? 'cp_gb_entry_hidden' : ''))
|
||||
form(action='/admin/panel/gb_api' method='POST')
|
||||
input(type='hidden' name='id' value=record.id)
|
||||
td
|
||||
a(href='/guestbook#gb_entry_' + record.id)= record.id
|
||||
| : #{record.name}
|
||||
td
|
||||
if (record.text.length > 40)
|
||||
| #{record.text.substr(0, 40)}...
|
||||
else
|
||||
| #{record.text}
|
||||
td
|
||||
if (!record.hidden)
|
||||
input(type='submit' name='hide' value='Hide')
|
||||
else
|
||||
input(type='submit' name='hide' value='Unhide')
|
||||
div(style='max-height:160px;overflow-y:scroll')
|
||||
table
|
||||
each record of gb_records
|
||||
tr(class='' + (record.hidden ? 'cp_gb_entry_hidden' : ''))
|
||||
form(action='/admin/panel/gb_api' method='POST')
|
||||
input(type='hidden' name='id' value=record.id)
|
||||
td
|
||||
a(href='/guestbook#gb_entry_' + record.id)= record.id
|
||||
| : #{record.name}
|
||||
td
|
||||
if (record.text.length > 40)
|
||||
| #{record.text.substr(0, 40)}...
|
||||
else
|
||||
| #{record.text}
|
||||
td
|
||||
if (access_level >= 3)
|
||||
if (!record.hidden)
|
||||
input(type='submit' name='hide' value='Hide')
|
||||
else
|
||||
input(type='submit' name='hide' value='Unhide')
|
||||
|
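Review bot: The template gates the edit links and the Hide/Unhide buttons on `if (access_level >= 3)`, but the router in this same commit only lets level 4 and above through to `/admin/panel/*`, so a level-3 user is shown controls whose POST to `/admin/panel/gb_api` will be refused; pick one threshold and, ideally, keep it in one place (e.g. pass the required level from the route into the view, or at least add `//- must match the l4_router threshold in the admin routes` next to the condition). Separately, the import form `form(action='/admin/panel/gb_api')` carries a file input but declares neither `method='POST'` nor `enctype='multipart/form-data'`; unless that is set elsewhere, the browser will submit a GET with only the filename, which the POST-only route will not see — I cannot tell from this hunk whether that form line is new or pre-existing. The "Download data (SQL)" link still points at `guestbook.csv`, which looks like a copy-paste slip if an SQL export route exists.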