admin panel for editor

components/NavHeader.vue

@@ -49,12 +49,12 @@
               </v-list-item-content>
             </v-list-item>
 
-            <v-list-item v-if='$auth.user.is_admin' nuxt to='/admin'>
+            <v-list-item v-if='$auth.user.is_admin || $auth.user.is_editor' nuxt to='/admin'>
               <v-list-item-icon>
                 <v-icon v-text='mdiAccount' />
               </v-list-item-icon>
               <v-list-item-content>
-                <v-list-item-title v-text="$t('common.admin')" />
+                <v-list-item-title v-text="$t(`common.${$auth.user.role}`)" />
               </v-list-item-content>
             </v-list-item>
 

middleware/isAdminOrEditor.js

@@ -0,0 +1,5 @@
+export default async function ({ redirect, $auth }) {
+    if (!$auth.user.is_editor && !$auth.user.is_admin) {
+        return redirect('/')
+    }
+}

pages/Admin.vue

@@ -1,14 +1,16 @@
 <template lang="pug">
 v-container.container.pa-0.pa-md-3
   v-card
+    template(v-if='$auth.user.is_admin')
       v-alert(v-if='url!==settings.baseurl' rounded="0" flat border="left" type='warning' show-icon :icon='mdiAlert')
         span(v-html="$t('admin.wrong_domain_warning', { url, baseurl: settings.baseurl })")
       v-alert(v-if='!selfReachable' rounded="0" flat border="left" type='warning' show-icon :icon='mdiAlert')
         span(v-html="$t('admin.not_reachable_warning', { baseurl: settings.baseurl })")
+
     v-tabs(v-model='selectedTab' show-arrows :next-icon='mdiChevronRight' :prev-icon='mdiChevronLeft')
 
       //- SETTINGS
-      v-tab(href='#settings') {{$t('common.settings')}}
+      v-tab(href='#settings' v-if='$auth.user.is_admin') {{$t('common.settings')}}
       v-tab-item(value='settings')
         Settings
 
@@ -20,49 +22,49 @@ v-container.container.pa-0.pa-md-3
           @confirmed='id => { unconfirmedEvents = unconfirmedEvents.filter(e => e.id !== id)}')
 
       //- THEME
-      v-tab(href='#theme') {{$t('common.theme')}}
+      v-tab(href='#theme' v-if='$auth.user.is_admin') {{$t('common.theme')}}
       v-tab-item(value='theme')
         Theme
 
       //- USERS
-      v-tab(href='#users')
+      v-tab(href='#users' v-if='$auth.user.is_admin')
         v-badge(:value='!!unconfirmedUsers.length' :content='unconfirmedUsers.length') {{$t('common.users')}}
       v-tab-item(value='users')
         Users(:users='users' @update='updateUsers')
 
       //- PLACES
-      v-tab(href='#places') {{$t('common.places')}}
+      v-tab(href='#places' v-if='$auth.user.is_admin') {{$t('common.places')}}
       v-tab-item(value='places')
         Places
       
       //- TAGS
-      v-tab(href='#tags') {{$t('common.tags')}}
+      v-tab(href='#tags' v-if='$auth.user.is_admin') {{$t('common.tags')}}
       v-tab-item(value='tags')
         Tags
 
       //- GEOCODING / MAPS
-      v-tab(href='#geolocation' v-if='settings.allow_geolocation') {{$t('admin.geolocation')}}
+      v-tab(href='#geolocation' v-if='settings.allow_geolocation && $auth.user.is_admin') {{$t('admin.geolocation')}}
       v-tab-item(value='geolocation')
         client-only(placeholder='Loading...')
           Geolocation
 
       //- Collections
-      v-tab(href='#collections') {{$t('common.collections')}}
+      v-tab(href='#collections' v-if='$auth.user.is_admin') {{$t('common.collections')}}
       v-tab-item(value='collections')
         Collections
 
       //- ANNOUNCEMENTS
-      v-tab(href='#announcements') {{$t('common.announcements')}}
+      v-tab(href='#announcements' v-if='$auth.user.is_admin') {{$t('common.announcements')}}
       v-tab-item(value='announcements')
         Announcement
 
       //- PLUGINS
-      v-tab(href='#plugins') {{$t('common.plugins')}}
+      v-tab(href='#plugins' v-if='$auth.user.is_admin') {{$t('common.plugins')}}
       v-tab-item(value='plugins')
         Plugin
 
       //- FEDERATION
-      v-tab(href='#federation') {{$t('common.federation')}}
+      v-tab(href='#federation' v-if='$auth.user.is_admin') {{$t('common.federation')}}
       v-tab-item(value='federation')
         Federation
 
@@ -91,7 +93,7 @@ export default {
     Announcement: () => import(/* webpackChunkName: "admin" */'../components/admin/Announcement.vue'),
     Theme: () => import(/* webpackChunkName: "admin" */'../components/admin/Theme.vue')
   },
-  middleware: ['auth', 'isAdmin'],
+  middleware: ['auth', 'isAdminOrEditor'],
   async asyncData ({ $axios, req }) {
     let url
     if (process.client) {

pages/event/_slug.vue

@@ -84,7 +84,7 @@
 
 
           //- admin actions
-          template(v-if='is_mine')
+          template(v-if='can_edit')
             v-divider
             EventAdmin(:event='event')
 
@@ -240,12 +240,12 @@ export default {
     plainDescription () {
       return this.event.plain_description || ''
     },
-    is_mine () {
+    can_edit () {
       if (!this.$auth.user) {
         return false
       }
       return (
-        this.event.isMine || this.$auth.user.is_admin
+        this.event.isMine || this.$auth.user.is_admin || this.$auth.user.is_editor
       )
     },
     showResources () {

server/api/controller/event.js

@@ -216,7 +216,7 @@ const eventController = {
       log.warn(`Trying to confirm a unknown event, id: ${id}`)
       return res.sendStatus(404)
     }
-    if (!req.user.is_admin && req.user.id !== event.userId) {
+    if (!req.user.is_editor && !req.user.is_admin && req.user.id !== event.userId) {
       log.warn(`Someone not allowed is trying to confirm -> "${event.title} `)
       return res.sendStatus(403)
     }
@@ -241,7 +241,7 @@ const eventController = {
     const id = Number(req.params.event_id)
     const event = await Event.findByPk(id)
     if (!event) { return req.sendStatus(404) }
-    if (!req.user.is_admin && req.user.id !== event.userId) {
+    if (!req.user.is_editor && !req.user.is_admin && req.user.id !== event.userId) {
       log.warn(`Someone not allowed is trying to unconfirm -> "${event.title} `)
       return res.sendStatus(403)
     }
@@ -573,7 +573,7 @@ const eventController = {
   async remove(req, res) {
     const event = await Event.findByPk(req.params.id)
     // check if event is mine (or user is admin)
-    if (event && (req.user.is_admin || req.user.id === event.userId)) {
+    if (event && (req.user.is_editor || req.user.is_admin || req.user.id === event.userId)) {
       if (event.media && event.media.length && !event.recurrent) {
         try {
           const old_path = path.join(config.upload_path, event.media[0].url)

server/api/index.js

@@ -169,7 +169,7 @@ module.exports = () => {
     api.get('/settings/smtp', isAdmin, settingsController.getSMTPSettings)
 
     // get unconfirmed events
-    api.get('/event/unconfirmed', isAdmin, eventController.getUnconfirmed)
+    api.get('/event/unconfirmed', isAdminOrEditor, eventController.getUnconfirmed)
 
     // [un]confirm event
     api.put('/event/confirm/:event_id', isAuth, eventController.confirm)
@@ -204,12 +204,12 @@ module.exports = () => {
     api.get('/instances', isAdminOrEditor, instanceController.getAll)
     api.get('/instances/trusted', instanceController.getTrusted)
     api.get('/instances/:instance_domain', isAdminOrEditor, instanceController.get)
-    api.post('/instances/toggle_block', isAdmin, instanceController.toggleBlock)
-    api.post('/instances/toggle_user_block', isAdmin, apUserController.toggleBlock)
+    api.post('/instances/toggle_block', isAdminOrEditor, instanceController.toggleBlock)
+    api.post('/instances/toggle_user_block', isAdminOrEditor, apUserController.toggleBlock)
     api.post('/instances/add_trust', isAdmin, instanceController.addTrust)
     api.delete('/instances/trust', isAdmin, instanceController.removeTrust)
-    api.put('/resources/:resource_id', isAdmin, resourceController.hide)
-    api.delete('/resources/:resource_id', isAdmin, resourceController.remove)
+    api.put('/resources/:resource_id', isAdminOrEditor, resourceController.hide)
+    api.delete('/resources/:resource_id', isAdminOrEditor, resourceController.remove)
     api.get('/resources', isAdminOrEditor, resourceController.getAll)
 
     // - ADMIN ANNOUNCEMENTS