diff --git a/src/html/pages/api/users/edit.js b/src/html/pages/api/users/edit.js
new file mode 100644
index 0000000..24f0e23
--- /dev/null
+++ b/src/html/pages/api/users/edit.js
@@ -0,0 +1,41 @@
+import { checkPermissions, permissionBits } from "../../../../../utils/permissions.js";
+
+export default {
+path: "/api/users/:username",
+requiresLogin: true,
+permissions: permissionBits.USERS | permissionBits.ADMIN,
+type: "put",
+async execute(request, response) {
+const { username } = request.params;
+let { permissions, newname } = request.body;
+const target = await global.database.users.findOne({
+where: { username: username },
+});
+if (!target) return response.status(404).send({ message: "User does not exists" });
+
+if (await global.database.users.findOne({
+where: { username: newname },
+})) return response.status(409).send({ message: "Another user with this name already exists" });
+
+
+const userPerms = checkPermissions(request.session.user.permissions);
+const targetPerms = checkPermissions(target.dataValues.permissions);
+
+if((permissionBits.ADMIN & request.session.user.permissions) == 0){
+for(const perm in Object.keys(checkPermissions(permissions))){
+if(targetPerms[perm] != permissions[perm] && !userPerms[perm]) return response.status(403).send({ message: "You're not allowed to give permissions you don't have" });
+}
+}
+
+const userParams = {
+username: newname,
+permissions: permissions,
+}
+console.log(`Editing user ${username}`);
+await global.database.users.update(userParams, { where: { username: username } });
+response.status(201).send({
+username: newname,
+permissions: permissions,
+});
+},
+};
diff --git a/src/html/pages/dashboard/users/show.js b/src/html/pages/dashboard/users/show.js
index 9097902..4b090bd 100644
--- a/src/html/pages/dashboard/users/show.js
+++ b/src/html/pages/dashboard/users/show.js
@@ -46,6 +46,38 @@ function getUserHTML(user) {
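Review bot: The privilege check for non-admin callers in the new `execute` never rejects anything, because `for (const perm in Object.keys(...))` iterates the array indices ("0", "1", …) rather than the permission names, so `targetPerms[perm]`, `permissions[perm]` and `userPerms[perm]` are all `undefined` and the 403 branch is unreachable; `permissions` is also the raw body value (presumably a bit field, given it is passed to `checkPermissions`), so indexing it by name would not work even with the right keys. A caller holding only `USERS` can therefore write any permission bits to any user, including `ADMIN`. The loop should decode the requested bits once and compare the decoded maps with `for...of`, as in the fence below. Separately, `permissions` and `newname` are taken from `request.body` with no type or presence check, and the 409 lookup and the update both use `newname` as-is, so a request with no `newname` or a non-integer `permissions` reaches the database unchanged; a guard such as `if (typeof newname !== "string" || !Number.isInteger(permissions)) return response.status(400).send({ message: "Invalid request body" });` before the lookups would close that.
```javascript
if ((permissionBits.ADMIN & request.session.user.permissions) == 0) {
  const requestedPerms = checkPermissions(permissions);
  for (const perm of Object.keys(requestedPerms)) {
    // A non-admin may only toggle bits they hold themselves.
    if (targetPerms[perm] !== requestedPerms[perm] && !userPerms[perm]) return response.status(403).send({ message: "You're not allowed to give permissions you don't have" });
  }
}
// … unchanged: userParams, update and response …
```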
Retour