fix error handling and displaying on membership PUT and DELETE; don't allow to change your own role; require at least one admin

This commit is contained in:
mntmn 2020-04-09 14:55:18 +02:00
parent c05afaba8a
commit 16ffecdb16
4 changed files with 57 additions and 21 deletions

View File

@ -91,7 +91,7 @@ module.exports = {
user_id: Sequelize.STRING,
role: Sequelize.STRING,
code: Sequelize.STRING,
state: {type: Sequelize.STRING, defaultValue: "pending"},
state: {type: Sequelize.STRING, defaultValue: "pending"}, // valid: "pending", "active"
email_invited: Sequelize.STRING,
created_at: {type: Sequelize.DATE, defaultValue: Sequelize.NOW},
updated_at: {type: Sequelize.DATE, defaultValue: Sequelize.NOW}

View File

@ -776,9 +776,12 @@ var SpacedeckSpaces = {
this.invite_message = "";
}
}.bind(this), function(xhr){
text = JSON.stringify(xhr.responseText);
smoke.alert("Error: "+text);
try {
var res = JSON.parse(xhr.response);
alert("Error: "+res.error);
} catch (e) {
console.error(e, xhr);
}
}.bind(this));
}.bind(this));
},
@ -786,9 +789,13 @@ var SpacedeckSpaces = {
update_member: function(space, m, role) {
m.role = role;
save_membership(space, m, function() {
console.log("saved")
}.bind(this), function(xhr) {
console.error(xhr);
try {
var res = JSON.parse(xhr.response);
alert("Error: "+res.error);
} catch (e) {
console.error(e, xhr);
}
}.bind(this));
},
@ -797,7 +804,12 @@ var SpacedeckSpaces = {
delete_membership(space, m, function() {
this.access_settings_memberships.splice(this.access_settings_memberships.indexOf(m), 1);
}.bind(this), function(xhr) {
console.error(xhr);
try {
var res = JSON.parse(xhr.response);
alert("Error: "+res.error);
} catch (e) {
console.error(e, xhr);
}
}.bind(this));
},

View File

@ -45,10 +45,12 @@ router.post('/', function(req, res, next) {
"email": membership.email_invited
}}).then(function(user) {
// existing user? then immediately activate membership
if (user) {
membership.user_id = user._id;
membership.state = "active";
} else {
// if not, invite via email and invite code
membership.code = crypto.randomBytes(64).toString('hex').substring(0, 12);
}
@ -102,12 +104,19 @@ router.put('/:membership_id', function(req, res, next) {
_id: req.params.membership_id
}}).then(function(mem) {
if (mem) {
// is the user trying to change their own role?
if (mem.user_id == req.user._id) {
res.status(400).json({
"error": "Cannot change your own role."
});
} else {
var attrs = req.body;
mem.role = attrs.role;
mem.save(function() {
res.status(201).json(mem);
});
}
}
});
} else {
res.sendStatus(403);
@ -118,13 +127,25 @@ router.put('/:membership_id', function(req, res, next) {
});
router.delete('/:membership_id', function(req, res, next) {
if (req.user) {
if (req.user && req.spaceRole == 'admin') {
db.Membership.count({ where: {
space_id: req.space._id,
role: "admin"
}}).then(function(adminCount) {
db.Membership.findOne({ where: {
_id: req.params.membership_id
}}).then(function(mem) {
// deleting an admin? need at least 1
if (mem.role != "admin" || adminCount > 1) {
mem.destroy().then(function() {
res.sendStatus(204);
});
} else {
res.status(400).json({
"error": "Space needs at least one administrator."
});
}
})
});
} else {
res.sendStatus(403);

View File

@ -168,12 +168,15 @@ router.post('/', function(req, res, next) {
attrs.edit_slug = slug(attrs.name);
db.Space.create(attrs).then(createdSpace => {
//if (err) res.sendStatus(400);
res.status(201).json(createdSpace);
// create initial admin membership
var membership = {
_id: uuidv4(),
user_id: req.user._id,
space_id: attrs._id,
role: "admin"
role: "admin",
state: "active"
};
db.Membership.create(membership).then(() => {