diff --git a/routes/profiles.js b/routes/profiles.js
index a03f27b..3b90529 100644
--- a/routes/profiles.js
+++ b/routes/profiles.js
@@ -38,264 +38,319 @@ function processQueryParams (params) { } function update (req, res, next) { - Token.verifyThen(req.get('authorization'), 'edit', (err, decoded) => { - if (err) { + Token.verifyThen(req.get('authorization'), 'update', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); return; } - var ProfileEvents = new EventEmitter(); - var id = req.params.id; - var data = req.body; + if (decoded && decoded.hasPermission) { + var ProfileEvents = new EventEmitter(); + var id = req.params.id; + var data = req.body; - if (!id || !data) { - res.status(500).json({ message: 'No profile id or data specified.', err: err }); - return; + if (!id || !data) { + res.status(500).json({ message: 'No profile id or data specified.', err: err }); + return; + } + + ProfileEvents.once('update', (err, result) => { + if (err) { + res.status(500).json({message: 'Could not update profile id: ' + id, err: err}); + } + + if (result) { + res.status(200).json(result); + } + }); + + Profiles.update(ProfileEvents, id, data); } - - ProfileEvents.once('update', (err, result) => { - if (err) { - res.status(500).json({message: 'Could not update profile id: ' + id, err: err}); - } - - if (result) { - res.status(200).json(result); - } - }); - - Profiles.update(ProfileEvents, id, data); }); } function updateMessage (req, res, next) { -// Token.verifyThen(req.get('authorization'), 'edit', (err, decoded) => { -// if (err) { -// res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); -// return; -// } - - var ProfileEvents = new EventEmitter(); - var profileId = req.params.profileId; - var messageId = req.params.messageId; - var data = req.body; - - if (!profileId || !data) { - res.status(500).json({ message: 'No profile id or data specified.', err: err }); + Token.verifyThen(req.get('authorization'), 'update', (err, decoded) => { + if (err || (decoded 
&& !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); return; + } + + if (decoded && decoded.hasPermission) { + var ProfileEvents = new EventEmitter(); + var profileId = req.params.profileId; + var messageId = req.params.messageId; + var data = req.body; + + if (!profileId || !data) { + res.status(500).json({ message: 'No profile id or data specified.', err: err }); + return; + } + + ProfileEvents.once('updateMessage', (err, result) => { + if (err) { + res.status(500).json({message: 'Could not update profile id: ' + profileId + ' [' + err + ']', err: err}); + } + + if (result) { + res.status(200).json(result); + } + }); + + Profiles.updateMessage(ProfileEvents, profileId, messageId, data); } - - ProfileEvents.once('updateMessage', (err, result) => { - if (err) { - res.status(500).json({message: 'Could not update profile id: ' + profileId + ' [' + err + ']', err: err}); - } - - if (result) { - res.status(200).json(result); - } - }); - - Profiles.updateMessage(ProfileEvents, profileId, messageId, data); -// }); + }); } Router.route('/find' + ParamStr) .get((req, res) => { - var ProfileEvents = new EventEmitter(); - var find = processQueryParams(req.params); + Token.verifyThen(req.get('authorization'), 'view', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var ProfileEvents = new EventEmitter(); + var find = processQueryParams(req.params); - var query = { - find: find, - select: null, - options: { - limit: !isNaN(parseInt(req.params.limit)) ? parseInt(req.params.limit) : 0, - skip: !isNaN(parseInt(req.params.skip)) ? parseInt(req.params.skip) : 0, - sort: { 'order': 1 } - } - }; + var query = { + find: find, + select: null, + options: { + limit: !isNaN(parseInt(req.params.limit)) ? 
parseInt(req.params.limit) : 0, + skip: !isNaN(parseInt(req.params.skip)) ? parseInt(req.params.skip) : 0, + sort: { 'order': 1 } + } + }; - ProfileEvents.once('find', (err, result) => { - if (err) { - res.status(500).json({ message: 'There was an error getting the getting the profiles [' + err + ']', err: err }); - } + ProfileEvents.once('find', (err, result) => { + if (err) { + res.status(500).json({ message: 'There was an error getting the getting the profiles [' + err + ']', err: err }); + } - if (result) { - res.status(200).json(result); - } + if (result) { + res.status(200).json(result); + } + }); + + Profiles.find(ProfileEvents, query); + } }); - - Profiles.find(ProfileEvents, query); }); Router.route('/list' + ParamStr) .get((req, res) => { - var ProfileEvents = new EventEmitter(); - var find = processQueryParams(req.params); + Token.verifyThen(req.get('authorization'), 'view', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var ProfileEvents = new EventEmitter(); + var find = processQueryParams(req.params); - var query = { - find: find, - select: { order: 1, 'details.name': 1, 'details.pic.thumb': 1 }, - options: { - limit: (!isNaN(parseInt(req.params.limit)) ? parseInt(req.params.limit) : 0), - skip: (!isNaN(parseInt(req.params.skip)) ? parseInt(req.params.skip) : 0), - sort: { 'order': 1 } - } - }; + var query = { + find: find, + select: { order: 1, 'details.name': 1, 'details.pic.thumb': 1 }, + options: { + limit: (!isNaN(parseInt(req.params.limit)) ? parseInt(req.params.limit) : 0), + skip: (!isNaN(parseInt(req.params.skip)) ? 
parseInt(req.params.skip) : 0), + sort: { 'order': 1 } + } + }; - ProfileEvents.once('find', (err, result) => { - if (err) { - res.status(500).json({ message: 'There was an error getting the profile list [' + err + ']', err: err }); - } + ProfileEvents.once('find', (err, result) => { + if (err) { + res.status(500).json({ message: 'There was an error getting the profile list [' + err + ']', err: err }); + } - if (result) { - res.status(200).json(result); - } + if (result) { + res.status(200).json(result); + } + }); + + Profiles.find(ProfileEvents, query); + } }); - - Profiles.find(ProfileEvents, query); }); Router.route('/:profileId/messages/images/:which?') .get((req, res) => { - var method; - var ProfileEvents = new EventEmitter(); - var profileId = req.params.profileId; + Token.verifyThen(req.get('authorization'), 'view', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var method; + var ProfileEvents = new EventEmitter(); + var profileId = req.params.profileId; - switch (req.params.which) { - case "all": - method = 'allChatImages'; - break; - case "sent": - method = 'allChatImagesSent'; - break; - case "recd": - default: - method = 'allChatImagesReceived'; - } + switch (req.params.which) { + case "all": + method = 'allChatImages'; + break; + case "sent": + method = 'allChatImagesSent'; + break; + case "recd": + default: + method = 'allChatImagesReceived'; + } - ProfileEvents.once(method, (err, result) => { - if (err) { - res.status(500).json({ message: 'Could not get chat images for profile ' + profileId + '. [' + err + ']', err: err }); + ProfileEvents.once(method, (err, result) => { + if (err) { + res.status(500).json({ message: 'Could not get chat images for profile ' + profileId + '. 
[' + err + ']', err: err }); + } + + if (result) { + res.status(200).json(result); + } + }); + + Profiles[method](ProfileEvents, profileId); } - - if (result) { - res.status(200).json(result); - } }); - - Profiles[method](ProfileEvents, profileId); }); Router.route('/:profileId/messages/:messageId?') .delete((req, res) => { - var ProfileEvents = new EventEmitter(); - var profileId = req.params.profileId || null; - var messageId = req.params.messageId || null; + Token.verifyThen(req.get('authorization'), 'delete', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var ProfileEvents = new EventEmitter(); + var profileId = req.params.profileId || null; + var messageId = req.params.messageId || null; - ProfileEvents.once('deleteMessage', (err, result) => { - if (err) { - res.status(500).json({ message: 'Could not delete message id: ' + messageId + ' [' + err + ']', err: err }); + ProfileEvents.once('deleteMessage', (err, result) => { + if (err) { + res.status(500).json({ message: 'Could not delete message id: ' + messageId + ' [' + err + ']', err: err }); + } + + if (result) { + res.status(200).json(result); + } + }); + + Profiles.deleteMessage(ProfileEvents, profileId, messageId); } - - if (result) { - res.status(200).json(result); - } }); - - Profiles.deleteMessage(ProfileEvents, profileId, messageId); }) .get((req, res) => { - var ProfileEvents = new EventEmitter(); - var profileId = req.params.profileId || null; - var messageId = req.params.messageId || null; - var method = messageId ? 
'getMessage' : 'allMessages'; + Token.verifyThen(req.get('authorization'), 'view', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var ProfileEvents = new EventEmitter(); + var profileId = req.params.profileId || null; + var messageId = req.params.messageId || null; + var method = messageId ? 'getMessage' : 'allMessages'; - ProfileEvents.once(method, (err, result) => { - if (err) { - res.status(500).json({ message: 'Could not get message' + (messageId ? ' ' : 's ') + 'for profile' + (profileId ? '' : 's') + ' [' + err + ']', err: err }); + ProfileEvents.once(method, (err, result) => { + if (err) { + res.status(500).json({ message: 'Could not get message' + (messageId ? ' ' : 's ') + 'for profile' + (profileId ? '' : 's') + ' [' + err + ']', err: err }); + } + + if (result) { + res.status(200).json(result); + } + }); + + Profiles[method](ProfileEvents, profileId, messageId); } - - if (result) { - res.status(200).json(result); - } }); - - Profiles[method](ProfileEvents, profileId, messageId); }) .patch( updateMessage ) .put( updateMessage ); Router.route('/:id?') .delete( (req, res) => { -// Token.verifyThen(req.get('authorization'), 'delete', (err, decoded) => { -// if (err) { -// res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); -// return; -// } - - var ProfileEvents = new EventEmitter(); - var id = req.params.id; + Token.verifyThen(req.get('authorization'), 'delete', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var ProfileEvents = new EventEmitter(); + var id = req.params.id; - ProfileEvents.once('delete', (err, result) => { - if (err) { - res.status(500).json({message: 
'Could not delete profile id: ' + id, err: err}); - } + ProfileEvents.once('delete', (err, result) => { + if (err) { + res.status(500).json({message: 'Could not delete profile id: ' + id, err: err}); + } - if (result) { - res.status(204).json({}); - } - }); + if (result) { + res.status(204).json({}); + } + }); - Profiles.delete(ProfileEvents, id); -// }); + Profiles.delete(ProfileEvents, id); + } + }); }) .get( (req, res) => { -// Token.verifyThen(req.get('authorization'), 'view', (err, decoded) => { -// if (err) { -// res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); -// return; -// } - - var ProfileEvents = new EventEmitter(); - var id = req.params.id || null; - var method = id ? 'get' : 'all'; + Token.verifyThen(req.get('authorization'), 'view', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var ProfileEvents = new EventEmitter(); + var id = req.params.id || null; + var method = id ? 'get' : 'all'; - ProfileEvents.once(method, (err, result) => { - if (err) { - res.status(500).json({ message: 'Could not get profile' + (id ? '' : 's'), err: err }); - } + ProfileEvents.once(method, (err, result) => { + if (err) { + res.status(500).json({ message: 'Could not get profile' + (id ? 
'' : 's'), err: err }); + } - if (result) { - res.status(200).json(result); - } - }); + if (result) { + res.status(200).json(result); + } + }); - Profiles[method](ProfileEvents, id); -// }); + Profiles[method](ProfileEvents, id); + } + }); }) .patch( update ) .post((req, res) => { -// Token.verifyThen(req.get('authorization'), 'add', (err, decoded) => { -// if (err) { -// res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); -// return; -// } + Token.verifyThen(req.get('authorization'), 'add', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } - var ProfileEvents = new EventEmitter(); - var profile = Array.isArray(req.body) ? req.body : [ req.body ]; - var multi = profile.length > 1; + if (decoded && decoded.hasPermission) { + var ProfileEvents = new EventEmitter(); + var profile = Array.isArray(req.body) ? req.body : [ req.body ]; + var multi = profile.length > 1; - ProfileEvents.once('create', (err, result) => { - if (err) { - res.status(500).json({ message: 'Could not create profile' + (multi ? 's' : ''), err: err, profile: profile }); - } + ProfileEvents.once('create', (err, result) => { + if (err) { + res.status(500).json({ message: 'Could not create profile' + (multi ? 's' : ''), err: err, profile: profile }); + } - if (result) { - res.status(200).json(result); - } - }); + if (result) { + res.status(200).json(result); + } + }); - Profiles.create(ProfileEvents, profile); -// }); + Profiles.create(ProfileEvents, profile); + } + }); }) .put( update ); diff --git a/routes/users.js b/routes/users.js index 0a36a9c..75d8e99 100644 --- a/routes/users.js +++ b/routes/users.js 
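Review bot: The guard added to every handler in this hunk, `if (err || (decoded && !decoded.hasPermission))`, followed by `if (decoded && decoded.hasPermission) { ... }`, leaves a gap: when `Token.verifyThen` calls back with no `err` and a falsy `decoded`, neither branch runs and the request is never answered. Collapsing the two checks to `if (err || !decoded || !decoded.hasPermission) { res.status(403).json({ message: 'User not authorized to perform this action.' }); return; }` closes that gap and removes a level of nesting in each handler. The 403 and 500 bodies also echo the raw `err` object to the client, which can expose token-verification details; logging it server-side and returning only the fixed message would be safer. Note that holding an `update`/`delete` permission grants access to any `req.params.id`; if profiles are meant to be owned, a comparison against the token subject is still missing. The hunk's leading context belongs to `processQueryParams`, whose body begins before the hunk.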
@@ -5,156 +5,25 @@ var Token = require('../modules/token'); var UserModel = require('../models/user'); function updateUser (req, res, next) { - Token.verifyThen(req.get('authorization'), ['view', 'super'], (err, decoded) => { + Token.verifyThen(req.get('authorization'), 'super', (err, decoded) => { if (err) { res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); return; } - var UserEvents = new EventEmitter(); - var id = req.params.id; - var data = req.body; - - if (id === decoded.data.uid || decoded.canElevate) { - if (!decoded.canElevate) { - delete data.permission; - } - - UserEvents.once('updateUser', (err, result) => { - if (err) { - res.status(500).json({message: 'Could not update user id ' + id, err: err}); - } - - if (result) { - res.status(200).json(result); - } - }); - - UserModel.updateUser(UserEvents, id, data); - } else { - res.status(403).json({ message: 'User not authorized to perform this action.' }); - } - }); -} - -function updateUserSetting (req, res, next) { - console.log('[UsersRoute::updateUserSetting]'); - console.log('req.params: ', req.params); - console.log('req.body: ', req.body); - - Token.verifyThen(req.get('authorization'), 'viewPublicDetails', (err, decoded) => { - if (err) { - res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); - return; - } - - var UserEvents = new EventEmitter(); - var userId = req.params.userId; - var settingsId = req.params.settingsId; - var data = req.body; - - - UserEvents.once('updateUserSetting', (err, result) => { - if (err) { - res.status(500).json({ message: 'Could not update setting' + (data.key ? ' key:' + data.key : 's') + ' for user ' + (userId ? 
userId : ''), err: err }); - } - - if (result) { - res.status(200).json(result); - } - }); - - UserModel.updateUserSetting(UserEvents, userId, settingsId, data); - }); -} - -Router.route('/') - .post((req, res, next) => { - Token.verifyThen(req.get('authorization'), 'manageUsers', (err, decoded) => { - if (err) { - res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); - return; - } - + if (decoded && decoded.hasPermission) { var UserEvents = new EventEmitter(); - var user = req.body; + var id = req.params.id; + var data = req.body; - UserEvents.once('createUser', (err, result) => { - if (err) { - res.status(500).json({ message: 'Could not create user', err: err }); + if (id === decoded.data.uid || decoded.canElevate) { + if (!decoded.canElevate) { + delete data.permission; } - - if (result) { - res.status(200).json(result); - } - }); - - UserModel.createUser(UserEvents, user); - }); - }); - -Router.route('/search/:find?') - .get((req, res, next) => { - Token.verifyThen(req.get('authorization'), 'manageUsers', (err, decoded) => { - if (err) { - res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); - return; - } - var UserEvents = new EventEmitter(); - - // Process parameters - var find = req.params.find ? decodeURIComponent(req.params.find) : false; - - if (find) { - find = { - 'userName': new RegExp(find, 'i'), - 'name.last': new RegExp(find, 'i'), - 'name.first': new RegExp(find, 'i'), - 'email': new RegExp(find, 'i') - }; - } - - // Setup query object - var query = { - find: find || (req.query.find ? JSON.parse(decodeURIComponent(req.query.find)) : {}), - select: req.query.select ? decodeURIComponent(req.query.select) : null, - options: { - limit: req.query.limit ? parseInt(req.query.limit) : 0, - skip: req.query.ski ? parseInt(req.query.skip) : 0, - sort: req.query.sort ? 
JSON.parse(decodeURIComponent(req.query.sort)) : { 'userName': 1 } - } - }; - - UserEvents.once('getUsers', (err, result) => { - if (err) { - res.status(500).json({ message: 'There was an error performing the user search', err: err }); - } - - if (result) { - res.status(200).json(result); - } - }); - - UserModel.getUsers(UserEvents, query); - }); - }); - -Router.route('/validate/:username?') - .get((req, res) => { - Token.verifyThen(req.get('authorization'), 'viewPublicDetails', (err, decoded) => { - if (err) { - res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); - return; - } - - var UserEvents = new EventEmitter(); - var username = req.params.username || ''; - - if (username && username.length >= 4) { - UserEvents.once('isUserNameUnique', (err, result) => { + UserEvents.once('updateUser', (err, result) => { if (err) { - res.status(500).json({ message: 'Could not validate username: ' + username, err: err }); + res.status(500).json({message: 'Could not update user id ' + id, err: err}); } if (result) { 
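Review bot: In `updateUser` the new code keeps `if (err) {` as the only early return and then wraps the body in `if (decoded && decoded.hasPermission) {` with no else, so a token that verifies but lacks `hasPermission` never gets a response, unlike the sibling handlers in this commit that return 403 for that case; change the guard to `if (err || !decoded || !decoded.hasPermission) {`. The hunk also narrows the required permission from `['view', 'super']` to `'super'` while keeping the `id === decoded.data.uid` self-update branch and the `delete data.permission` stripping for non-elevated callers; if self-service updates by non-super users are still intended, that branch looks unreachable for them now, which is worth confirming. The `updateUser` callback continues past the end of the hunk (`if (result) {` is its last visible line).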
@@ -162,109 +31,165 @@ Router.route('/validate/:username?') } }); - UserModel.isUserNameUnique(UserEvents, username); + UserModel.updateUser(UserEvents, id, data); } else { - res.status(200).json({ unique: null, length: false }); + res.status(403).json({ message: 'User not authorized to perform this action.' }); + } + } + }); +} + +function updateUserSetting (req, res, next) { + Token.verifyThen(req.get('authorization'), 'view', (err, decoded) => { + if (err) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var UserEvents = new EventEmitter(); + var userId = req.params.userId; + var settingsId = req.params.settingsId; + var data = req.body; + + + UserEvents.once('updateUserSetting', (err, result) => { + if (err) { + res.status(500).json({ message: 'Could not update setting' + (data.key ? ' key:' + data.key : 's') + ' for user ' + (userId ? userId : ''), err: err }); + } + + if (result) { + res.status(200).json(result); + } + }); + + UserModel.updateUserSetting(UserEvents, userId, settingsId, data); + } + }); +} + +Router.route('/') + .post((req, res, next) => { + Token.verifyThen(req.get('authorization'), 'super', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var UserEvents = new EventEmitter(); + var user = req.body; + + UserEvents.once('createUser', (err, result) => { + if (err) { + res.status(500).json({ message: 'Could not create user', err: err }); + } + + if (result) { + res.status(200).json(result); + } + }); + + UserModel.createUser(UserEvents, user); + } + }); + }); + +Router.route('/search/:find?') + .get((req, res, next) => { + Token.verifyThen(req.get('authorization'), 'super', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + 
res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var UserEvents = new EventEmitter(); + + // Process parameters + var find = req.params.find ? decodeURIComponent(req.params.find) : false; + + if (find) { + find = { + 'userName': new RegExp(find, 'i'), + 'name.last': new RegExp(find, 'i'), + 'name.first': new RegExp(find, 'i'), + 'email': new RegExp(find, 'i') + }; + } + + // Setup query object + var query = { + find: find || (req.query.find ? JSON.parse(decodeURIComponent(req.query.find)) : {}), + select: req.query.select ? decodeURIComponent(req.query.select) : null, + options: { + limit: req.query.limit ? parseInt(req.query.limit) : 0, + skip: req.query.ski ? parseInt(req.query.skip) : 0, + sort: req.query.sort ? JSON.parse(decodeURIComponent(req.query.sort)) : { 'userName': 1 } + } + }; + + UserEvents.once('getUsers', (err, result) => { + if (err) { + res.status(500).json({ message: 'There was an error performing the user search', err: err }); + } + + if (result) { + res.status(200).json(result); + } + }); + + UserModel.getUsers(UserEvents, query); + } + }); + }); + +Router.route('/validate/:username?') + .get((req, res) => { + Token.verifyThen(req.get('authorization'), 'view', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var UserEvents = new EventEmitter(); + var username = req.params.username || ''; + + if (username && username.length >= 4) { + UserEvents.once('isUserNameUnique', (err, result) => { + if (err) { + res.status(500).json({ message: 'Could not validate username: ' + username, err: err }); + } + + if (result) { + res.status(200).json(result); + } + }); + + UserModel.isUserNameUnique(UserEvents, username); + } else { + res.status(200).json({ unique: null, length: false 
}); + } } }); }); Router.route('/force-password-reset/:id') .post( (req, res, next) => { - Token.verifyThen(req.get('authorization'), 'manageUsers', (err, decoded) => { - if (err) { + Token.verifyThen(req.get('authorization'), 'super', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); return; } - - var UserEvents = new EventEmitter(); - var id = req.params.id; + + if (decoded && decoded.hasPermission) { + var UserEvents = new EventEmitter(); + var id = req.params.id; - UserEvents.once('forcePasswordReset', (err, result) => { - if (err) { - res.status(500).json({ message: 'Could not force password reset for the user', err: err }); - } - - if (result) { - res.status(200).json(result); - } - }); - - UserModel.forcePasswordReset(UserEvents, id); - }); - }); - -Router.route('/:id/settings/:key?') - .get( (req, res, next) => { - Token.verifyThen(req.get('authorization'), 'viewPublicDetails', (err, decoded) => { - if (err) { - res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); - return; - } - - var UserEvents = new EventEmitter(); - var id = req.params.id; - var key = req.params.key || false; - var method = key ? 'getUserSetting' : 'getUserSettings'; - - UserEvents.once(method, (err, result) => { - if (err) { - res.status(500).json({ message: 'Could not get setting' + (key ? ' key:' + key : 's') + ' for user ' + (id ? 
id : ''), err: err }); - } - - if (result) { - res.status(200).json(result); - } - }); - - UserModel[method](UserEvents, id, key); - }); - }); - -Router.route('/:userId/settings/:settingsId?') - .patch( updateUserSetting ) - .post( (req, res, next) => { - Token.verifyThen(req.get('authorization'), 'viewPublicDetails', (err, decoded) => { - if (err) { - res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); - return; - } - - var UserEvents = new EventEmitter(); - var userId = req.params.userId; - var data = req.body; - - UserEvents.once('createUserSetting', (err, result) => { - if (err) { - res.status(500).json({ message: 'Could not create setting' + (data.key ? ' key:' + data.key : 's') + ' for user ' + (userId ? userId : ''), err: err }); - } - - if (result) { - res.status(200).json(result); - } - }); - - UserModel.createUserSetting(UserEvents, userId, data); - }); - }) - .put( updateUserSetting ); - -Router.route('/:id?') - .get( (req, res, next) => { - Token.verifyThen(req.get('authorization'), ['viewPublicDetails', 'manageUsers'], (err, decoded) => { - if (err) { - res.status(403).json({ message: 'User not authorized to perform this action. ' + err, err: err }); - return; - } - - var UserEvents = new EventEmitter(); - var id = req.params.id || false; - var method = id ? 'getUser' : 'getUsers'; - - if ((id === decoded.data.uid && method === 'getUser') || decoded.canElevate) { - UserEvents.once(method, (err, result) => { + UserEvents.once('forcePasswordReset', (err, result) => { if (err) { - res.status(500).json({ message: 'Could not get user' + (id ? '' : 's'), err: err }); + res.status(500).json({ message: 'Could not force password reset for the user', err: err }); } if (result) { 
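Review bot: `updateUserSetting` in this hunk gates a write on the `'view'` permission, checks only `if (err) {` (so a verified token without `hasPermission` falls through the nested `if (decoded && decoded.hasPermission)` with no response), and applies no ownership check on `req.params.userId`, whereas `updateUser` in the same file requires `id === decoded.data.uid || decoded.canElevate`. Suggest `if (err || !decoded || !decoded.hasPermission) {` for the guard and, after it, `if (userId !== decoded.data.uid && !decoded.canElevate) { res.status(403).json({ message: 'User not authorized to perform this action.' }); return; }`. In the re-added `/search/:find?` handler, `skip: req.query.ski ? parseInt(req.query.skip) : 0` reads `ski`, so `skip` is never honored, and `new RegExp(find, 'i')` plus `JSON.parse(decodeURIComponent(req.query.find))` hand caller-controlled patterns and query objects straight to `UserModel.getUsers`; that is tolerable only because the route now requires `'super'`, and deserves a comment saying so. The hunk opens inside the old `/validate` handler and ends inside `forcePasswordReset`'s callback, both of which continue outside it.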
@@ -272,40 +197,131 @@ Router.route('/:id?') } }); - UserModel[method](UserEvents, id || false, !decoded.canElevate); - } else { - res.status(403).json({ message: 'User not authorized to perform this action.' }); + UserModel.forcePasswordReset(UserEvents, id); + } + }); + }); + +Router.route('/:id/settings/:key?') + .get( (req, res, next) => { + Token.verifyThen(req.get('authorization'), 'view', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var UserEvents = new EventEmitter(); + var id = req.params.id; + var key = req.params.key || false; + var method = key ? 'getUserSetting' : 'getUserSettings'; + + UserEvents.once(method, (err, result) => { + if (err) { + res.status(500).json({ message: 'Could not get setting' + (key ? ' key:' + key : 's') + ' for user ' + (id ? id : ''), err: err }); + } + + if (result) { + res.status(200).json(result); + } + }); + + UserModel[method](UserEvents, id, key); + } + }); + }); + +Router.route('/:userId/settings/:settingsId?') + .patch( updateUserSetting ) + .post( (req, res, next) => { + Token.verifyThen(req.get('authorization'), 'view', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var UserEvents = new EventEmitter(); + var userId = req.params.userId; + var data = req.body; + + UserEvents.once('createUserSetting', (err, result) => { + if (err) { + res.status(500).json({ message: 'Could not create setting' + (data.key ? ' key:' + data.key : 's') + ' for user ' + (userId ? 
userId : ''), err: err }); + } + + if (result) { + res.status(200).json(result); + } + }); + + UserModel.createUserSetting(UserEvents, userId, data); + } + }); + }) + .put( updateUserSetting ); + +Router.route('/:id?') + .get( (req, res, next) => { + Token.verifyThen(req.get('authorization'), 'manage', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { + res.status(403).json({ message: 'User not authorized to perform this action. ' + err, err: err }); + return; + } + + if (decoded && decoded.hasPermission) { + var UserEvents = new EventEmitter(); + var id = req.params.id || false; + var method = id ? 'getUser' : 'getUsers'; + + if ((id === decoded.data.uid && method === 'getUser') || decoded.canElevate) { + UserEvents.once(method, (err, result) => { + if (err) { + res.status(500).json({ message: 'Could not get user' + (id ? '' : 's'), err: err }); + } + + if (result) { + res.status(200).json(result); + } + }); + + UserModel[method](UserEvents, id || false, !decoded.canElevate); + } else { + res.status(403).json({ message: 'User not authorized to perform this action.' }); + } } }); }) .put( updateUser ) .patch( updateUser ) .delete( (req, res, next) => { - Token.verifyThen(req.get('authorization'), 'manageUsers', (err, decoded) => { - if (err) { + Token.verifyThen(req.get('authorization'), 'manage', (err, decoded) => { + if (err || (decoded && !decoded.hasPermission)) { res.status(403).json({ message: 'User not authorized to perform this action.', err: err }); return; } - - var UserEvents = new EventEmitter(); - var id = req.params.id; + + if (decoded && decoded.hasPermission) { + var UserEvents = new EventEmitter(); + var id = req.params.id; - if (id === decoded.data.uid) { - res.status(403).json({ message: 'You cannot delete yourself. Surely it isn\'t that bad?!' }); - return; + if (id === decoded.data.uid) { + res.status(403).json({ message: 'You cannot delete yourself. Surely it isn\'t that bad?!' 
}); + return; + } + + UserEvents.once('deleteUser', (err, result) => { + if (err) { + res.status(500).json({message: 'Could not delete user id ' + id, err: err}); + } + + if (result) { + res.status(204).json({}); + } + }); + + UserModel.deleteUser(UserEvents, id); } - - UserEvents.once('deleteUser', (err, result) => { - if (err) { - res.status(500).json({message: 'Could not delete user id ' + id, err: err}); - } - - if (result) { - res.status(204).json({}); - } - }); - - UserModel.deleteUser(UserEvents, id); }); });
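Review bot: The settings routes added here, `GET /:id/settings/:key?` and `POST /:userId/settings/:settingsId?`, are gated on `'view'` alone with no check that the path id belongs to the caller, while `GET /:id?` directly below enforces `(id === decoded.data.uid && method === 'getUser') || decoded.canElevate`; as written, any holder of `'view'` can read and create settings for every user. Adding `if (id !== decoded.data.uid && !decoded.canElevate) { res.status(403).json({ message: 'User not authorized to perform this action.' }); return; }` after the `hasPermission` check in both handlers would align them. The `GET /:id?` 403 also builds its message as `'User not authorized to perform this action. ' + err`, which surfaces the token-verification failure reason to the client; the other handlers keep the message fixed. Permission names are now split between `'super'` (create, search, force-reset) and `'manage'` (get, delete), which may be intentional but reads inconsistent for the same admin surface. The hunk begins inside `forcePasswordReset`'s callback, which starts before it.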