improve is_editor backend handling

2025-01-31 16:42:22 +01:00 · 2024-02-09 22:14:52 +01:00 · 2024-02-09 22:14:52 +01:00 · 464f230749
commit 464f230749
parent 17bf8ea376
4 changed files with 20 additions and 5 deletions
--- a/server/api/auth.js
+++ b/server/api/auth.js
@ -19,6 +19,14 @@ const Auth = {
    }
  },

+  isAdminOrEditor (req, res, next) {
+    if (req.user && req.user.is_active && (req.user.is_admin || req.user.is_editor)) {
+      next()
+    } else {
+      res.sendStatus(403)
+    }
+  },
+
  // TODO
  hasPerm (scope) {
    return (req, res, next) => {
--- a/server/api/controller/oauth.js
+++ b/server/api/controller/oauth.js
@ -28,6 +28,7 @@ passport.deserializeUser(async (id, done) => {
    email: user.email,
    role: user.role,
    is_admin: user.role === 'admin',
+    is_editor: user.role === 'editor',
    is_active: user.is_active,
  }
  done(null, userInfo)
--- a/server/api/index.js
+++ b/server/api/index.js
@ -51,7 +51,7 @@ module.exports = () => {

  } else {

-    const { isAuth, isAdmin } = require('./auth')
+    const { isAuth, isAdmin, isAdminOrEditor } = require('./auth')
    const upload = multer({ storage })

    /**
@ -201,16 +201,16 @@ module.exports = () => {


    // - FEDIVERSE INSTANCES, MODERATION, RESOURCES
-    api.get('/instances', isAdmin, instanceController.getAll)
+    api.get('/instances', isAdminOrEditor, instanceController.getAll)
    api.get('/instances/trusted', instanceController.getTrusted)
-    api.get('/instances/:instance_domain', isAdmin, instanceController.get)
+    api.get('/instances/:instance_domain', isAdminOrEditor, instanceController.get)
    api.post('/instances/toggle_block', isAdmin, instanceController.toggleBlock)
    api.post('/instances/toggle_user_block', isAdmin, apUserController.toggleBlock)
    api.post('/instances/add_trust', isAdmin, instanceController.addTrust)
    api.delete('/instances/trust', isAdmin, instanceController.removeTrust)
    api.put('/resources/:resource_id', isAdmin, resourceController.hide)
    api.delete('/resources/:resource_id', isAdmin, resourceController.remove)
-    api.get('/resources', isAdmin, resourceController.getAll)
+    api.get('/resources', isAdminOrEditor, resourceController.getAll)

    // - ADMIN ANNOUNCEMENTS
    api.get('/announcements', isAdmin, announceController.getAll)
--- a/server/api/models/user.js
+++ b/server/api/models/user.js
@ -30,6 +30,12 @@ module.exports = (sequelize, DataTypes) => {
        return this.role === 'admin'
      }
    },
+    is_editor: {
+      type: DataTypes.VIRTUAL,
+      get () {
+        return this.role === 'editor'
+      }      
+    },
    is_active: DataTypes.BOOLEAN
  }, {
    scopes: {
@ -37,7 +43,7 @@ module.exports = (sequelize, DataTypes) => {
        attributes: { exclude: ['password', 'recover_code'] }
      },
      withRecover: {
-        attributes: { exclude: ['password'] }
+        attributes: { exclude: ['password', 'insert_at', 'created_at'] }
      }
    }
  })