-rw-r--r-- | auth/index.js | 17 | ||||
-rw-r--r-- | profile/index.js | 15 | ||||
-rw-r--r-- | questions/index.js | 13 | ||||
-rw-r--r-- | quotes/index.js | 8 |
4 files changed, 36 insertions, 17 deletions
diff --git a/auth/index.js b/auth/index.js
index 0f63a55..cc1f5b3 100644
--- a/auth/index.js
+++ b/auth/index.js
@@ -15,6 +15,12 @@ function checkAdmin(req, res, next) {
 else return res.redirect("/auth");
 }
 
+function checkSuperAdmin(req, res, next) {
+ if (req.session.loggedIn && req.session.isAdmin && req.session.isSuperAdmin) next();
+ else if (req.session.loggedIn) return res.redirect("/");
+ else return res.redirect("/auth");
+}
+
 app.use(
 "/",
 (req, res, next) => {
@@ -39,6 +45,8 @@ app.post("/api/login", async (req, res) => {
 console.log("LOGIN: " + user.id);
 req.session.loggedIn = true;
 req.session.isAdmin = user.is_admin;
+ // Hardcoding ftw lol
+ req.session.isSuperAdmin = username == "bornerma" || username == "krönnela" ? user.is_admin : false;
 req.session.uid = user.id;
 req.session.cid = user.class_id;
 }
@@ -93,14 +101,19 @@ app.get("/api/list", checkUser, async (req, res) => {
 });
 
 app.get("/api/status", (req, res) => {
- res.json({ loggedIn: req.session.loggedIn, admin: req.session.isAdmin });
+ res.json({
+ loggedIn: req.session.loggedIn,
+ admin: req.session.isAdmin,
+ superAdmin: req.session.isSuperAdmin || false,
+ });
 });
 
 app.get("/api/self", checkUser, async (req, res) => {
 try {
 const user = await db.query(
 "SELECT id, username, name, middlename, surname, class_id, type_id, is_admin FROM users WHERE id = ?",
- [req.session.uid]);
+ [req.session.uid],
+ );
 res.json(user[0]);
 } catch (e) {
 console.error(e);
diff --git a/profile/index.js b/profile/index.js
index 80603c1..e73e00e 100644
--- a/profile/index.js
+++ b/profile/index.js
@@ -95,7 +95,7 @@ app.get("/api/comments/:uid", async (req, res) => {
 const uid = req.params.uid;
 const comments = await db.query(
 "SELECT *, (user_id = ? OR ?) AS owner FROM profile_comments WHERE profile_id = ?",
- [req.session.uid, req.session.isAdmin, uid],
+ [req.session.uid, req.session.isSuperAdmin || false, uid],
 );
 res.json(comments);
 });
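Review bot: `checkSuperAdmin` in the first auth hunk has no doc comment and its contract is easy to misread: the `next()` branch requires all three session flags, and the only assignment to `req.session.isSuperAdmin` in this diff is in the login handler of the next hunk, so a session established before this deploy is redirected to `/` until the user logs in again. Suggest a JSDoc above the function: `/** Express guard: continues only for logged-in admins whose session was marked super-admin at login; other logged-in users are redirected to "/", anonymous users to "/auth". */`. No route in this diff uses the new middleware, so whether it is wired up anywhere cannot be confirmed from here.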
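Review bot: The super-admin decision on the new `req.session.isSuperAdmin = …` line in the login hunk is keyed on a username compared with loose `==` inside an unparenthesized `||`/`?:` chain, and the two names live inline behind a comment that says nothing about why these accounts. Authorization tied to a username follows the name rather than the account: if usernames can be edited or re-registered (not visible here), whoever holds `bornerma` or `krönnela` inherits the privilege, and the non-ASCII literal additionally depends on the stored value using the same Unicode normalization. Where `username` comes from is outside the hunk; if the login query selects it, comparing against `user.username` from the fetched row ties the check to the record that actually authenticated rather than to request input. A minimal version keeps the list in one named constant and yields a real boolean instead of a raw `is_admin` column value: `const SUPER_ADMIN_USERNAMES = new Set(["bornerma", "krönnela"]); // TODO: replace with a role column` and `req.session.isSuperAdmin = Boolean(user.is_admin) && SUPER_ADMIN_USERNAMES.has(user.username);`.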
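Review bot: `req.session.isSuperAdmin || false` is inlined as the ownership-override bind parameter in the profile `/api/comments/:uid` hunk and in four more places in this commit (the PUT and DELETE `/api/comment` hunks in profile/index.js and both quotes/index.js hunks), so the moderation rule is spelled out five times and the next change to it has to find them all. A small helper next to `checkUser`, e.g. `const canModerate = (req) => Boolean(req.session.isSuperAdmin);`, used as `[req.session.uid, canModerate(req), uid]`, keeps the predicate in one place and also normalizes whatever value `user.is_admin` carries into a boolean before it is bound into `(user_id = ? OR ?)`. How `checkUser` is shared between these modules is not visible in the diff, so the helper would go wherever that lives.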
@@ -120,13 +120,10 @@ app.put("/api/comment", async (req, res) => {
 const { pid, cid, comment } = req.body;
 if (!pid || !comment || !cid) return res.json({ success: false });
 try {
- await db.query("UPDATE profile_comments SET comment = ? WHERE (user_id = ? OR ?) AND profile_id = ? AND id = ?", [
- comment,
- req.session.uid,
- req.session.isAdmin,
- pid,
- cid,
- ]);
+ await db.query(
+ "UPDATE profile_comments SET comment = ? WHERE (user_id = ? OR ?) AND profile_id = ? AND id = ?",
+ [comment, req.session.uid, req.session.isSuperAdmin || false, pid, cid],
+ );
 res.json({ success: true });
 } catch (e) {
 console.error(e);
@@ -140,7 +137,7 @@ app.delete("/api/comment", async (req, res) => {
 try {
 await db.query("DELETE FROM profile_comments WHERE (user_id = ? OR ?) AND profile_id = ? AND id = ?", [
 req.session.uid,
- req.session.isAdmin,
+ req.session.isSuperAdmin || false,
 pid,
 cid,
 ]);
diff --git a/questions/index.js b/questions/index.js
index 96bbb8b..1f2ea9a 100644
--- a/questions/index.js
+++ b/questions/index.js
@@ -16,7 +16,9 @@ app.get("/api/question/:id", checkUser, async (req, res) => {
 [question.id, req.session.uid],
 );
 question.answer = answers.length > 0 ? answers[0].option_id : undefined;
- question.options = await db.query("SELECT id, answer_option FROM question_options WHERE question_id = ?", [question.id]);
+ question.options = await db.query("SELECT id, answer_option FROM question_options WHERE question_id = ?", [
+ question.id,
+ ]);
 res.json(question);
 } else {
 res.json({});
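Review bot: The `app.put("/api/comment", …)` signature in this hunk's header, like `app.delete("/api/comment", …)` in the next hunk and `app.get("/api/comments/:uid", …)` on the previous line, carries no `checkUser` guard, whereas every quotes and questions route visible in this commit passes one. If no router-level `app.use(checkUser)` sits above these handlers (not visible here), an anonymous session reaches the rewritten `db.query(...)` with `req.session.uid` undefined and the new `req.session.isSuperAdmin || false` parameter evaluating to false; the outcome then depends on how the driver binds `undefined`, which some drivers reject with an error and others turn into a NULL comparison, rather than on an explicit authentication check. Suggest `app.put("/api/comment", checkUser, async (req, res) => {` and the same guard on the DELETE and GET handlers.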
@@ -57,11 +59,14 @@ async function answer(req, res, qu) {
 const { question, answer } = req.body;
 const fail = { success: false };
 try {
- const possibleAnswers = await db.query(`SELECT qo.id
+ const possibleAnswers = await db.query(
+ `SELECT qo.id
 FROM question_questions qq
 INNER JOIN question_options qo on qq.id = qo.question_id
- WHERE qq.id = ?`, [question]);
- if (possibleAnswers.find(value => +value.id === +answer) === undefined) return res.json(fail); // Answer not for question
+ WHERE qq.id = ?`,
+ [question],
+ );
+ if (possibleAnswers.find((value) => +value.id === +answer) === undefined) return res.json(fail); // Answer not for question
 await db.query(qu, [answer, question, req.session.uid]);
 res.json({ success: true });
 } catch (e) {
diff --git a/quotes/index.js b/quotes/index.js
index 7a1a78b..179564f 100644
--- a/quotes/index.js
+++ b/quotes/index.js
@@ -23,7 +23,7 @@ app.post("/api/add", checkUser, async (req, res) => {
 app.get("/api/list", checkUser, async (req, res) => {
 const quotes = await db.query(
 "SELECT q.id, a.name, a.middlename, a.surname, q.quote, c.name AS class, (q.user_id = ? OR ?) AS owner FROM quotes AS q INNER JOIN users AS a ON author_id = a.id INNER JOIN class AS c ON a.class_id = c.id ORDER BY a.name",
- [req.session.uid, req.session.isAdmin],
+ [req.session.uid, req.session.isSuperAdmin || false],
 );
 res.json(quotes);
 });
@@ -31,7 +31,11 @@ app.get("/api/list", checkUser, async (req, res) => {
 app.delete("/api/delete/:id", checkUser, async (req, res) => {
 if (!req.params.id) return res.send("error");
 try {
- await db.query("DELETE FROM quotes WHERE id = ? AND (user_id = ? OR ?)", [req.params.id, req.session.uid, req.session.isAdmin]);
+ await db.query("DELETE FROM quotes WHERE id = ? AND (user_id = ? OR ?)", [
+ req.params.id,
+ req.session.uid,
+ req.session.isSuperAdmin || false,
+ ]);
 res.send("ok");
 } catch (e) {
 console.error(e);