Team admin role check when using Team Admin APIs

(with terrible implementation because of my original terrible implementation of roles, you won't believe how many lines it is just to check whether a user has a role with admin, 56 lines!)
This commit is contained in:
Troplo 2020-11-23 01:28:50 +11:00
parent f37cd40068
commit 2fd6a371fc
4 changed files with 473 additions and 39 deletions


@ -1,6 +1,6 @@
<template>
<main>
<modal-window v-if="team.Role.name" v-model='showRoleInfo' :loading='loading' style='z-index: 99; '>
<modal-window v-if="team.Role" v-model='showRoleInfo' :loading='loading' style='z-index: 99; '>
<div slot="header">
Viewing {{team.Role.name}}&nbsp;<b-tooltip class="is-info" label="You are viewing the permissions that this Auto Role provides">
<b-tag class="is-info" rounded><i class="fas fa-info-circle"></i></b-tag>
@ -43,7 +43,7 @@
{{ team.Team.name }}
</h1>
<h2>by {{team.User.username}}</h2>
<h2 v-if="team.Role.name">and you will be assigned the {{team.Role.name}} role automatically. <b-button @click="showRoleInfo = true">View role info</b-button></h2>
<h2 v-if="team.Role">and you will be assigned the {{team.Role.name}} role automatically. <b-button @click="showRoleInfo = true">View role info</b-button></h2>
<b-button @click="joinTeam">Join {{team.Team.name}}</b-button>
</div>
<div class="container" v-if="expired && !loading">
@ -74,9 +74,6 @@ export default {
Team: {
name: '',
username: ''
},
Role: {
name: ''
}
},
showRoleInfo: false,
@ -144,13 +141,9 @@ export default {
},
joinTeam () {
this.axios
.put(process.env.VUE_APP_APIENDPOINT + process.env.VUE_APP_APIVERSION + '/' + 'teams/join/' + this.user.username)
.post(process.env.VUE_APP_APIENDPOINT + process.env.VUE_APP_APIVERSION + '/' + 'teams/invite/' + this.$route.params.code)
.then(() => {
this.axios
.get(process.env.VUE_APP_APIENDPOINT + process.env.VUE_APP_APIVERSION + '/' + 'teams/check/' + this.$route.params.username)
.then(res => {
this.joined = res.data.success
})
this.$router.push('/t/' + this.team.Team.username)
})
.catch(e => {
AjaxErrorHandler(this.$store)(e)
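Review bot: The follow-up check request `.get(... 'teams/check/' + this.$route.params.username)` still reads a `username` route param, while the join on the line above now keys the same route by `this.$route.params.code`; on an invite-code route that param is presumably undefined, so the check would go to `teams/check/undefined`. It likely wants `this.team.Team.username`, which the `$router.push` two lines later already uses. That inner promise is also neither awaited before the push nor given a `.catch`, so a rejected check becomes an unhandled rejection rather than reaching `AjaxErrorHandler`. `joinTeam` continues past the end of this hunk.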


@ -71,6 +71,10 @@ let Errors = {
'This Team is invite only',
401
],
unableToUpdateRole: [
'You cannot update this role',
400
],
invalidInvite: [
'This Team invite is invalid.',
401


@ -540,15 +540,16 @@ router.post('/invite/:code', auth, async(req, res, next) => {
if (teamJoinTest) {
throw Errors.joinedTeam
}
if(code.maxUses >= code.uses) {
throw Errors.inviteInvalid
if(code.maxUses > 0 && code.maxUses === code.uses) {
console.log('failed at maxUses over code.uses')
throw Errors.invalidInvite
} else if(code.maxUses === 0) {
let role = await TeamRoles.findOne({
where: {teamId: team.id, name: "Members"}
})
if(code.RoleId >= 0) {
let roleLookup = await TeamInvite.findOne({
where: {code: req.body.RoleId, TeamId: team.id}
if(code.RoleId > 0) {
let roleLookup = await TeamRoles.findOne({
where: {id: code.RoleId, TeamId: team.id}
})
if(roleLookup) {
let join = {
@ -556,13 +557,15 @@ router.post('/invite/:code', auth, async(req, res, next) => {
teamId: team.id,
roles: {"deprecated": "deprecated"}
}
console.log(role)
let roleUser = {
UserId: req.userData.UserId,
TeamId: team.id,
RoleId: role.id,
Role2Id: roleLookup.id
}
await TeamInvite.update({ uses: + 1}, {
where: {id: code.id, TeamId: team.id}
})
await TeamMembers.create(join)
await TeamMemberRole.create(roleUser)
res.status(200)
@ -579,6 +582,9 @@ router.post('/invite/:code', auth, async(req, res, next) => {
TeamId: team.id,
RoleId: role.id
}
await TeamInvite.update({ uses: + 1}, {
where: {id: code.id, TeamId: team.id}
})
await TeamMembers.create(join)
await TeamMemberRole.create(roleUser)
res.status(200)
@ -590,12 +596,14 @@ router.post('/invite/:code', auth, async(req, res, next) => {
teamId: team.id,
roles: {"deprecated": "deprecated"}
}
console.log(role)
let roleUser = {
UserId: req.userData.UserId,
TeamId: team.id,
RoleId: role.id
}
await TeamInvite.update({ uses: + 1}, {
where: {id: code.id, TeamId: team.id}
})
await TeamMembers.create(join)
await TeamMemberRole.create(roleUser)
res.status(200)
@ -610,21 +618,25 @@ router.post('/invite/:code', auth, async(req, res, next) => {
teamId: team.id,
roles: {"deprecated": "deprecated"}
}
console.log(role)
let roleUser = {
UserId: req.userData.UserId,
TeamId: team.id,
RoleId: role.id,
}
await TeamInvite.update({ uses: + 1}, {
where: {id: code.id, TeamId: team.id}
})
await TeamMembers.create(join)
await TeamMemberRole.create(roleUser)
res.status(200)
res.json({success: true})
} else {
throw Errors.inviteInvalid
console.log('failed at second last else')
throw Errors.invalidInvite
}
} else {
throw Errors.inviteInvalid
console.log('failed at last else')
throw Errors.invalidInvite
}
} catch (e) { next(e) }
})
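Review bot: `await TeamInvite.update({ uses: + 1}, {...})`, added after each `roleUser` object (four occurrences in this section), does not increment anything: `+ 1` is unary plus, so `uses` is overwritten with the literal 1 on every join, and the `code.maxUses > 0 && code.maxUses === code.uses` limit added at the top of the section can never be reached for any maxUses above 1. Use the model's increment instead, `await TeamInvite.increment('uses', { where: {id: code.id, TeamId: team.id} })`, and make the limit check `code.uses >= code.maxUses` so an overshoot (two joins racing past the check, which is not inside a transaction) is still rejected. The `console.log(role)` and `console.log('failed at …')` lines are debug output that would land in production logs; drop them or route them through the project's logger. The `router.post('/invite/:code')` handler begins before this section's first hunk.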


@ -41,7 +41,7 @@ var reCAPTCHASecret = "6LdlbrwZAAAAAKvtcVQhVl_QaNOqmQ4PgyW3SKHy";
const Errors = require('../lib/errors.js')
var format = require('date-format');
let {
User, Post, teamPicture, TeamInvite, userWall, StaffApplications, AdminToken, PassKey, Thread, Category, Sequelize, Ip, Ban, sequelize, Team, TeamMembers, TeamRoles
User, Post, teamPicture, TeamMemberRole, TeamInvite, userWall, StaffApplications, AdminToken, PassKey, Thread, Category, Sequelize, Ip, Ban, sequelize, Team, TeamMembers, TeamRoles
} = require('../models')
let pagination = require('../lib/pagination.js')
const sgMail = require('@sendgrid/mail');
@ -65,13 +65,71 @@ const emailLimiter = rateLimit({
router.post('/:username/picture', auth, upload.single('picture'), async (req, res, next) => {
try {
let user = await Team.findOne({
where: {
username: req.params.username
}
let team = await Team.findOne({
where: {username: req.params.username}
});
let isAuthMem = await TeamMembers.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
});
if(!isAuthMem) {
throw Errors.notInTeam
}
let isAuthRole = await TeamMemberRole.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
})
let picture = await teamPicture.findOne({
where: { TeamId: user.id }
let isAuth1 = await TeamRoles.findOne({
where: {id: isAuthRole.RoleId, administrator: true}
})
let isAuth2 = await TeamRoles.findOne({
where: {id: isAuthRole.Role2Id, administrator: true}
})
let isAuth3 = await TeamRoles.findOne({
where: {id: isAuthRole.Role3Id, administrator: true}
})
let isAuth4 = await TeamRoles.findOne({
where: {id: isAuthRole.Role4Id, administrator: true}
})
let isAuth5 = await TeamRoles.findOne({
where: {id: isAuthRole.Role5Id, administrator: true}
})
let isAuth6 = await TeamRoles.findOne({
where: {id: isAuthRole.Role6Id, administrator: true}
})
let isAuth7 = await TeamRoles.findOne({
where: {id: isAuthRole.Role7Id, administrator: true}
})
let isAuth8 = await TeamRoles.findOne({
where: {id: isAuthRole.Role8Id, administrator: true}
})
let isAuth9 = await TeamRoles.findOne({
where: {id: isAuthRole.Role9Id, administrator: true}
})
let isAuth10 = await TeamRoles.findOne({
where: {id: isAuthRole.Role10Id, administrator: true}
})
const allowArray = [
isAuth1,
isAuth2,
isAuth3,
isAuth4,
isAuth5,
isAuth6,
isAuth7,
isAuth8,
isAuth9,
isAuth10
]
let otherThanNull = allowArray.some(function (el) {
return el !== null;
});
if(otherThanNull) {
let user = await Team.findOne({
where: {
username: req.params.username
}
})
let picture = await teamPicture.findOne({
where: {TeamId: user.id}
})
let pictureObj = {
@ -81,7 +139,7 @@ router.post('/:username/picture', auth, upload.single('picture'), async (req, re
}
//No picture set yet
if(!picture) {
if (!picture) {
await teamPicture.create(pictureObj)
} else {
await picture.update(pictureObj)
@ -93,11 +151,69 @@ router.post('/:username/picture', auth, upload.single('picture'), async (req, re
})
res.json(user.toJSON())
}
} catch (e) { next(e) }
})
router.put('/modify/:username', auth, async(req, res, next) => {
try {
let team = await Team.findOne({
where: {username: req.params.username}
});
let isAuthMem = await TeamMembers.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
});
if(!isAuthMem) {
throw Errors.notInTeam
}
let isAuthRole = await TeamMemberRole.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
})
let isAuth1 = await TeamRoles.findOne({
where: {id: isAuthRole.RoleId, administrator: true}
})
let isAuth2 = await TeamRoles.findOne({
where: {id: isAuthRole.Role2Id, administrator: true}
})
let isAuth3 = await TeamRoles.findOne({
where: {id: isAuthRole.Role3Id, administrator: true}
})
let isAuth4 = await TeamRoles.findOne({
where: {id: isAuthRole.Role4Id, administrator: true}
})
let isAuth5 = await TeamRoles.findOne({
where: {id: isAuthRole.Role5Id, administrator: true}
})
let isAuth6 = await TeamRoles.findOne({
where: {id: isAuthRole.Role6Id, administrator: true}
})
let isAuth7 = await TeamRoles.findOne({
where: {id: isAuthRole.Role7Id, administrator: true}
})
let isAuth8 = await TeamRoles.findOne({
where: {id: isAuthRole.Role8Id, administrator: true}
})
let isAuth9 = await TeamRoles.findOne({
where: {id: isAuthRole.Role9Id, administrator: true}
})
let isAuth10 = await TeamRoles.findOne({
where: {id: isAuthRole.Role10Id, administrator: true}
})
const allowArray = [
isAuth1,
isAuth2,
isAuth3,
isAuth4,
isAuth5,
isAuth6,
isAuth7,
isAuth8,
isAuth9,
isAuth10
]
let otherThanNull = allowArray.some(function (el) {
return el !== null;
});
if(!req.userData.username) {
throw Errors.requestNotAuthorized
}
@ -109,7 +225,7 @@ router.put('/modify/:username', auth, async(req, res, next) => {
username: req.userData.username
}})
console.log(user1.OwnerId, user2.id)
if(user1 && user2.id === user1.OwnerId) {
if(otherThanNull) {
if(req.autosan.body.description !== undefined, req.autosan.body.name !== undefined) {
let user = await Team.update({description: req.autosan.body.description, name: req.autosan.body.name}, {
@ -133,7 +249,61 @@ router.post('/roles/create/:username', auth, async(req, res, next) => {
let team = await Team.findOne({
where: {username: req.params.username}
});
if(team) {
let isAuthMem = await TeamMembers.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
});
if(!isAuthMem) {
throw Errors.notInTeam
}
let isAuthRole = await TeamMemberRole.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
})
let isAuth1 = await TeamRoles.findOne({
where: {id: isAuthRole.RoleId, administrator: true}
})
let isAuth2 = await TeamRoles.findOne({
where: {id: isAuthRole.Role2Id, administrator: true}
})
let isAuth3 = await TeamRoles.findOne({
where: {id: isAuthRole.Role3Id, administrator: true}
})
let isAuth4 = await TeamRoles.findOne({
where: {id: isAuthRole.Role4Id, administrator: true}
})
let isAuth5 = await TeamRoles.findOne({
where: {id: isAuthRole.Role5Id, administrator: true}
})
let isAuth6 = await TeamRoles.findOne({
where: {id: isAuthRole.Role6Id, administrator: true}
})
let isAuth7 = await TeamRoles.findOne({
where: {id: isAuthRole.Role7Id, administrator: true}
})
let isAuth8 = await TeamRoles.findOne({
where: {id: isAuthRole.Role8Id, administrator: true}
})
let isAuth9 = await TeamRoles.findOne({
where: {id: isAuthRole.Role9Id, administrator: true}
})
let isAuth10 = await TeamRoles.findOne({
where: {id: isAuthRole.Role10Id, administrator: true}
})
const allowArray = [
isAuth1,
isAuth2,
isAuth3,
isAuth4,
isAuth5,
isAuth6,
isAuth7,
isAuth8,
isAuth9,
isAuth10
]
let otherThanNull = allowArray.some(function (el) {
return el !== null;
});
if(team && otherThanNull) {
let queryObj3 = {
where: {userId: req.userData.UserId, teamId: team.id},
}
@ -173,7 +343,61 @@ router.put('/roles/modify/:username/:id', auth, async(req, res, next) => {
let team = await Team.findOne({
where: {username: req.params.username}
});
if(team) {
let isAuthMem = await TeamMembers.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
});
if(!isAuthMem) {
throw Errors.notInTeam
}
let isAuthRole = await TeamMemberRole.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
})
let isAuth1 = await TeamRoles.findOne({
where: {id: isAuthRole.RoleId, administrator: true}
})
let isAuth2 = await TeamRoles.findOne({
where: {id: isAuthRole.Role2Id, administrator: true}
})
let isAuth3 = await TeamRoles.findOne({
where: {id: isAuthRole.Role3Id, administrator: true}
})
let isAuth4 = await TeamRoles.findOne({
where: {id: isAuthRole.Role4Id, administrator: true}
})
let isAuth5 = await TeamRoles.findOne({
where: {id: isAuthRole.Role5Id, administrator: true}
})
let isAuth6 = await TeamRoles.findOne({
where: {id: isAuthRole.Role6Id, administrator: true}
})
let isAuth7 = await TeamRoles.findOne({
where: {id: isAuthRole.Role7Id, administrator: true}
})
let isAuth8 = await TeamRoles.findOne({
where: {id: isAuthRole.Role8Id, administrator: true}
})
let isAuth9 = await TeamRoles.findOne({
where: {id: isAuthRole.Role9Id, administrator: true}
})
let isAuth10 = await TeamRoles.findOne({
where: {id: isAuthRole.Role10Id, administrator: true}
})
const allowArray = [
isAuth1,
isAuth2,
isAuth3,
isAuth4,
isAuth5,
isAuth6,
isAuth7,
isAuth8,
isAuth9,
isAuth10
]
let otherThanNull = allowArray.some(function (el) {
return el !== null;
});
if(team && otherThanNull) {
let queryObj3 = {
where: {userId: req.userData.UserId, teamId: team.id},
}
@ -190,8 +414,47 @@ router.put('/roles/modify/:username/:id', auth, async(req, res, next) => {
teamId: team.id
}
})
if(find) {
let update = await TeamRoles.update({
if(find.name === 'Members') {
await TeamRoles.update({
priority: req.body.priority,
administrator: req.body.administrator,
inviteUsers: req.body.inviteUsers,
changeTeamMeta: req.body.changeTeamMeta,
forumAdministrator: req.body.forumAdministrator,
moderateForumThreads: req.body.moderateForumThreads,
changeTeamPrivacy: req.body.changeTeamPrivacy,
submitTeamItems: req.body.submitTeamItems,
}, {
where: {
id: req.params.id,
teamId: team.id
}
})
res.status(200)
res.json({success: true})
}
if(find.name === 'Administrators') {
await TeamRoles.update({
priority: req.body.priority,
administrator: req.body.administrator,
inviteUsers: req.body.inviteUsers,
changeTeamMeta: req.body.changeTeamMeta,
forumAdministrator: req.body.forumAdministrator,
moderateForumThreads: req.body.moderateForumThreads,
changeTeamPrivacy: req.body.changeTeamPrivacy,
submitTeamItems: req.body.submitTeamItems,
}, {
where: {
id: req.params.id,
teamId: team.id
}
})
res.status(200)
res.json({success: true})
}
if(find && find.name !== 'Administrators' && find.name !== 'Members') {
await TeamRoles.update({
priority: req.body.priority,
name: req.body.name,
administrator: req.body.administrator,
@ -228,7 +491,7 @@ router.put('/roles/modify/:username/:id', auth, async(req, res, next) => {
}
})
res.status(200)
res.json({success:true})
res.json({success: true})
} else {
res.status(400)
res.json({success: false})
@ -252,7 +515,61 @@ try {
let team = await Team.findOne({
where: {username: req.params.username}
});
if(team) {
let isAuthMem = await TeamMembers.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
});
if(!isAuthMem) {
throw Errors.notInTeam
}
let isAuthRole = await TeamMemberRole.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
})
let isAuth1 = await TeamRoles.findOne({
where: {id: isAuthRole.RoleId, inviteUsers: true}
})
let isAuth2 = await TeamRoles.findOne({
where: {id: isAuthRole.Role2Id, inviteUsers: true}
})
let isAuth3 = await TeamRoles.findOne({
where: {id: isAuthRole.Role3Id, inviteUsers: true}
})
let isAuth4 = await TeamRoles.findOne({
where: {id: isAuthRole.Role4Id, inviteUsers: true}
})
let isAuth5 = await TeamRoles.findOne({
where: {id: isAuthRole.Role5Id, inviteUsers: true}
})
let isAuth6 = await TeamRoles.findOne({
where: {id: isAuthRole.Role6Id, inviteUsers: true}
})
let isAuth7 = await TeamRoles.findOne({
where: {id: isAuthRole.Role7Id, inviteUsers: true}
})
let isAuth8 = await TeamRoles.findOne({
where: {id: isAuthRole.Role8Id, inviteUsers: true}
})
let isAuth9 = await TeamRoles.findOne({
where: {id: isAuthRole.Role9Id, inviteUsers: true}
})
let isAuth10 = await TeamRoles.findOne({
where: {id: isAuthRole.Role10Id, inviteUsers: true}
})
const allowArray = [
isAuth1,
isAuth2,
isAuth3,
isAuth4,
isAuth5,
isAuth6,
isAuth7,
isAuth8,
isAuth9,
isAuth10
]
let otherThanNull = allowArray.some(function (el) {
return el !== null;
});
if(team && otherThanNull) {
let create = await TeamInvite.create({
maxUses: req.body.maxUses,
RoleId: req.body.RoleId,
@ -274,7 +591,61 @@ router.get('/:username/invites/list', auth, async(req, res, next) => {
let team = await Team.findOne({
where: {username: req.params.username}
});
if(team) {
let isAuthMem = await TeamMembers.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
});
if(!isAuthMem) {
throw Errors.notInTeam
}
let isAuthRole = await TeamMemberRole.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
})
let isAuth1 = await TeamRoles.findOne({
where: {id: isAuthRole.RoleId, administrator: true}
})
let isAuth2 = await TeamRoles.findOne({
where: {id: isAuthRole.Role2Id, administrator: true}
})
let isAuth3 = await TeamRoles.findOne({
where: {id: isAuthRole.Role3Id, administrator: true}
})
let isAuth4 = await TeamRoles.findOne({
where: {id: isAuthRole.Role4Id, administrator: true}
})
let isAuth5 = await TeamRoles.findOne({
where: {id: isAuthRole.Role5Id, administrator: true}
})
let isAuth6 = await TeamRoles.findOne({
where: {id: isAuthRole.Role6Id, administrator: true}
})
let isAuth7 = await TeamRoles.findOne({
where: {id: isAuthRole.Role7Id, administrator: true}
})
let isAuth8 = await TeamRoles.findOne({
where: {id: isAuthRole.Role8Id, administrator: true}
})
let isAuth9 = await TeamRoles.findOne({
where: {id: isAuthRole.Role9Id, administrator: true}
})
let isAuth10 = await TeamRoles.findOne({
where: {id: isAuthRole.Role10Id, administrator: true}
})
const allowArray = [
isAuth1,
isAuth2,
isAuth3,
isAuth4,
isAuth5,
isAuth6,
isAuth7,
isAuth8,
isAuth9,
isAuth10
]
let otherThanNull = allowArray.some(function (el) {
return el !== null;
});
if(team && otherThanNull) {
let roles = await TeamInvite.findAll({
where: {
TeamId: team.id
@ -294,7 +665,61 @@ router.delete('/:username/invites/delete/:code', auth, async(req, res, next) =>
let team = await Team.findOne({
where: {username: req.params.username}
});
if(team) {
let isAuthMem = await TeamMembers.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
});
if(!isAuthMem) {
throw Errors.notInTeam
}
let isAuthRole = await TeamMemberRole.findOne({
where: {UserId: req.userData.UserId, TeamId: team.id}
})
let isAuth1 = await TeamRoles.findOne({
where: {id: isAuthRole.RoleId, administrator: true}
})
let isAuth2 = await TeamRoles.findOne({
where: {id: isAuthRole.Role2Id, administrator: true}
})
let isAuth3 = await TeamRoles.findOne({
where: {id: isAuthRole.Role3Id, administrator: true}
})
let isAuth4 = await TeamRoles.findOne({
where: {id: isAuthRole.Role4Id, administrator: true}
})
let isAuth5 = await TeamRoles.findOne({
where: {id: isAuthRole.Role5Id, administrator: true}
})
let isAuth6 = await TeamRoles.findOne({
where: {id: isAuthRole.Role6Id, administrator: true}
})
let isAuth7 = await TeamRoles.findOne({
where: {id: isAuthRole.Role7Id, administrator: true}
})
let isAuth8 = await TeamRoles.findOne({
where: {id: isAuthRole.Role8Id, administrator: true}
})
let isAuth9 = await TeamRoles.findOne({
where: {id: isAuthRole.Role9Id, administrator: true}
})
let isAuth10 = await TeamRoles.findOne({
where: {id: isAuthRole.Role10Id, administrator: true}
})
const allowArray = [
isAuth1,
isAuth2,
isAuth3,
isAuth4,
isAuth5,
isAuth6,
isAuth7,
isAuth8,
isAuth9,
isAuth10
]
let otherThanNull = allowArray.some(function (el) {
return el !== null;
});
if(team && otherThanNull) {
let code = await TeamInvite.findOne({
where: {code: req.params.code, TeamId: team.id}
});
@ -311,4 +736,4 @@ router.delete('/:username/invites/delete/:code', auth, async(req, res, next) =>
} catch (e) { next(e) }
})
module.exports = router;
module.exports = router;
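Review bot: In the `/:username/picture` hunk (and identically in `/modify`, `/roles/create`, `/roles/modify` and the invite create/list/delete handlers) `isAuthRole` is dereferenced at `where: {id: isAuthRole.RoleId, administrator: true}` with no null check, so a member without a TeamMemberRole row gets a TypeError routed to `next(e)` instead of a clean 403, and `team.id` is read before the later `if(team && otherThanNull)` guard, which makes that `team &&` dead. More importantly, the nine extra lookups pass `isAuthRole.Role2Id` … `Role10Id` straight into `where`; for unset columns that value may be `undefined` rather than `null`, and depending on the Sequelize version an `undefined` key is dropped from the WHERE, which would reduce the query to `administrator: true` over every team's roles and satisfy the check for anyone holding any membership, so this should be confirmed against the model defaults and the installed version. A single helper that discards null/undefined ids, scopes the role query to the team and counts matches (sketched below) fixes both and replaces the ten-way copy; note that `/modify` also dropped the former owner test `user2.id === user1.OwnerId` in favour of this role check, so a team owner holding no administrator role is now locked out of modifying their own team unless that is intended, and in `/roles/modify` `find.name` is read before the `if(find && …)` null test that follows it while the newly added `Errors.unableToUpdateRole` is never thrown. The hunk header at line 41 also shows a reCAPTCHA secret committed as a string literal in source; it belongs in environment configuration alongside the existing `process.env` settings.
```javascript
// Shared replacement for the ten inline isAuthN lookups repeated in every handler of this file.
// `permission` is a TeamRoles boolean column name ('administrator', 'inviteUsers', ...).
async function hasTeamPermission(userId, teamId, permission) {
  const membership = await TeamMemberRole.findOne({ where: { UserId: userId, TeamId: teamId } })
  if (!membership) return false
  const roleIds = ['RoleId', 'Role2Id', 'Role3Id', 'Role4Id', 'Role5Id',
    'Role6Id', 'Role7Id', 'Role8Id', 'Role9Id', 'Role10Id']
    .map((column) => membership[column])
    .filter((id) => id != null) // never let null/undefined reach the WHERE clause
  if (roleIds.length === 0) return false
  // the file uses both teamId and TeamId for TeamRoles — confirm the real column name
  const matches = await TeamRoles.count({ where: { id: roleIds, teamId, [permission]: true } })
  return matches > 0
}
// … unchanged: each handler then does `if (!(await hasTeamPermission(req.userData.UserId, team.id, 'administrator'))) throw Errors.requestNotAuthorized` after a `if (!team)` check …
```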