|
|
|
import { Router } from 'express';
|
|
|
|
import { getRepository } from 'typeorm';
|
|
|
|
import { User } from '../entity/User';
|
|
|
|
import { hasPermission, Permission } from '../lib/permissions';
|
|
|
|
|
|
|
|
const router = Router();
|
|
|
|
|
|
|
|
router.get('/', async (_req, res) => {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
const users = await userRepository.find();
|
|
|
|
|
|
|
|
return res.status(200).json(User.filterMany(users));
|
|
|
|
});
|
|
|
|
|
|
|
|
router.post('/', async (req, res, next) => {
|
|
|
|
try {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
const user = new User({
|
|
|
|
email: req.body.email,
|
|
|
|
permissions: req.body.permissions,
|
|
|
|
plexToken: '',
|
|
|
|
});
|
|
|
|
await userRepository.save(user);
|
|
|
|
return res.status(201).json(user.filter());
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 500, message: e.message });
|
|
|
|
}
|
|
|
|
});
|
|
|
|
|
|
|
|
router.get<{ id: string }>('/:id', async (req, res, next) => {
|
|
|
|
try {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
const user = await userRepository.findOneOrFail({
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
});
|
|
|
|
|
|
|
|
return res.status(200).json(user.filter());
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 404, message: 'User not found' });
|
|
|
|
}
|
|
|
|
});
|
|
|
|
|
|
|
|
router.put<{ id: string }>('/:id', async (req, res, next) => {
|
|
|
|
try {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
const user = await userRepository.findOneOrFail({
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
});
|
|
|
|
|
|
|
|
// Only let the owner user modify themselves
|
|
|
|
if (user.id === 1 && req.user?.id !== 1) {
|
|
|
|
return next({
|
|
|
|
status: 403,
|
|
|
|
message: 'You do not have permission to modify this user',
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
// Only let the owner grant admin privileges
|
|
|
|
if (
|
|
|
|
hasPermission(Permission.ADMIN, req.body.permissions) &&
|
|
|
|
req.user?.id !== 1
|
|
|
|
) {
|
|
|
|
return next({
|
|
|
|
status: 403,
|
|
|
|
message: 'You do not have permission to grant this level of access',
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
// Only let users with the manage settings permission, grant the same permission
|
|
|
|
if (
|
|
|
|
hasPermission(Permission.MANAGE_SETTINGS, req.body.permissions) &&
|
|
|
|
!hasPermission(Permission.MANAGE_SETTINGS, req.user?.permissions ?? 0)
|
|
|
|
) {
|
|
|
|
return next({
|
|
|
|
status: 403,
|
|
|
|
message: 'You do not have permission to grant this level of access',
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
Object.assign(user, req.body);
|
|
|
|
await userRepository.save(user);
|
|
|
|
|
|
|
|
return res.status(200).json(user.filter());
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 404, message: 'User not found' });
|
|
|
|
}
|
|
|
|
});
|
|
|
|
|
|
|
|
router.delete<{ id: string }>('/:id', async (req, res, next) => {
|
|
|
|
try {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
const user = await userRepository.findOneOrFail({
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
});
|
|
|
|
await userRepository.delete(user.id);
|
|
|
|
return res.status(200).json(user.filter());
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 404, message: 'User not found' });
|
|
|
|
}
|
|
|
|
});
|
|
|
|
|
|
|
|
export default router;
|