boolean-uk / team-dev-server


#60 As product owner, to protect my application from sinister actors, I want to remove the role toggle on register #264

Closed mnmin closed 1 year ago

mnmin commented 1 year ago

User Story

The toggle box for selecting a role on register was a good first step. It's time to improve this feature.

Tasks

1) This box should be removed from the registration form
2) The default role for all users should be STUDENT when registering
3) A new role should be introduced: ADMIN
4) Admins should have complete access to all areas of the application
5) Admins should be able to change the role of any user

Server

2 - “The default role for all users is set to be STUDENT”. This is already set in the User constructor: src → controllers → user.js

role = 'STUDENT'

3 - Use prisma documentation https://www.prisma.io/docs/concepts/components/prisma-schema/data-model#defining-enums to update the prisma schema enum Role field to add ADMIN role.

Create a migration “add_Admin_Role”, then update the seed file to include an ADMIN. Create an AdminUser and an AdminProfile:

// `password` (the pre-hashed seed password) and `createdUser` come from earlier in the seed file
const adminUser = await prisma.user.create({
  data: {
    email: 'admin@admin.com',
    password,
    role: 'ADMIN' // requires the ADMIN value added to the Role enum by the add_Admin_Role migration
  }
})

const adminProfile = await prisma.profile.create({
  data: {
    userId: adminUser.id,
    firstName: 'Admin',
    lastName: 'Boolean',
    profileImageUrl:
      'https://images.takeshape.io/86ce9525-f5f2-4e97-81ba-54e8ce933da7/dev/2a6f37ce-a2f9-4f31-a854-b38c4412baac/819%20sand%20cat%20WC%20Cle%CC%81ment%20Bardot.jpeg?auto=compress%2Cformat&w=1200'
  }
})

users.push(createdUser, adminUser)

Add adminProfile to console.log:

console.log(cohorts, users, userProfile, teacherProfile, adminProfile)

4 - In src → middleware → auth.js create a validateAdminRole function:

// Runs after validateAuthentication has populated req.user.
// sendMessageResponse / sendDataResponse are the project's existing response helpers.
export async function validateAdminRole(req, res, next) {
  if (!req.user) {
    // No authenticated user on the request: authentication middleware did not run or failed
    return sendMessageResponse(res, 500, 'Unable to verify user')
  }

  if (req.user.role !== 'ADMIN') {
    // Authenticated, but not an admin: refuse without revealing anything else
    return sendDataResponse(res, 403, {
      authorization: 'You are not authorized to perform this action'
    })
  }

  next()
}

5 - In Index.js create:

app.use('/admin', adminRouter)

Then create an admin.js file in routes folder and create a new router

router.put('/user/:id', validateAuthentication, validateAdminRole, updateUserById)

In updateUserById, add an if statement that removes role from the update unless the user is an admin.
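Added example, not code from the team-dev-server project, showing tasks 4 and 5 of this plan working together: the validateAdminRole middleware guarding an admin route, and the check inside updateUserById that drops `role` from the update unless the requester is an ADMIN, so a student cannot promote themselves now that the toggle is gone from the form. Express, Prisma and the project's response helpers are replaced by small in-file stand-ins, the user table is constructed, and the ROLES list is assumed to mirror the schema enum after the add_Admin_Role migration.

```javascript
// Added example; not the boolean-uk/team-dev-server project's own code.
// Assumed to mirror `enum Role` in schema.prisma after the add_Admin_Role migration.
const ROLES = ['STUDENT', 'TEACHER', 'ADMIN']

// Stand-ins for the project's response helpers (same names as used in the issue).
function sendMessageResponse(res, status, message) {
  res.statusCode = status
  res.body = { message }
  return res
}

function sendDataResponse(res, status, data) {
  res.statusCode = status
  res.body = { data }
  return res
}

// Task 4: only an authenticated ADMIN may continue down the /admin routes.
function validateAdminRole(req, res, next) {
  if (!req.user) {
    return sendMessageResponse(res, 500, 'Unable to verify user')
  }
  if (req.user.role !== 'ADMIN') {
    return sendDataResponse(res, 403, {
      authorization: 'You are not authorized to perform this action'
    })
  }
  return next()
}

// Task 5: build the Prisma `data` object for updateUserById. `role` is dropped
// unless the requester is ADMIN; an ADMIN sending a value outside the enum is
// rejected here instead of failing inside the database call.
function buildUserUpdate(requester, body) {
  const { role, ...rest } = body
  const data = { ...rest }
  if (role === undefined) return { ok: true, data }
  if (!requester || requester.role !== 'ADMIN') {
    return { ok: true, data, dropped: ['role'] }
  }
  if (!ROLES.includes(role)) {
    return { ok: false, error: `Unknown role: ${role}` }
  }
  data.role = role
  return { ok: true, data }
}

// Constructed in-memory user table standing in for the Prisma users table.
const users = {
  1: { id: 1, email: 'admin@admin.com', role: 'ADMIN' },
  2: { id: 2, email: 'student@example.test', role: 'STUDENT' }
}

// Stand-in for the updateUserById controller. Prisma's update() would persist
// the merged record; here the merged record is just returned.
function updateUserById(req, res) {
  const target = users[req.params.id]
  if (!target) return sendMessageResponse(res, 404, 'User not found')
  const result = buildUserUpdate(req.user, req.body)
  if (!result.ok) return sendMessageResponse(res, 400, result.error)
  return sendDataResponse(res, 200, { user: { ...target, ...result.data } })
}

// Runs a middleware chain against a constructed request the way Express would,
// stopping as soon as a handler responds without calling next().
function runChain(handlers, req) {
  const res = { statusCode: 200, body: null }
  let i = 0
  const next = () => {
    const handler = handlers[i++]
    return handler ? handler(req, res, next) : res
  }
  next()
  return res
}

// PUT /admin/user/:id as wired in the issue (validateAuthentication is assumed
// to have already set req.user from the token).
function adminRoleChange(requester, targetId, newRole) {
  const req = { user: requester, params: { id: targetId }, body: { role: newRole } }
  return runChain([validateAdminRole, updateUserById], req)
}

// Self-promotion attempt by the student is refused; the admin's change goes through.
console.log(adminRoleChange(users[2], 2, 'ADMIN').statusCode)      // 403
console.log(adminRoleChange(users[1], 2, 'TEACHER').body.data.user) // role: 'TEACHER'
```

The ordinary PUT /user/:id route runs the same updateUserById with validateAuthentication only, so the `dropped: ['role']` path in buildUserUpdate is what stops a non-admin from changing their own role there.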

vherus commented 1 year ago

If you're creating a validateAdminRole middleware, I'd recommend creating a new route that admins can use, e.g. PUT /admin/user/:id which uses the already existing updateUserById controller, but you can attach the validateAdminRole middleware to that route. You'll need to remove the role from ever being updated in that function unless you're an admin too

Create an Admin router that all admin routes go through and hook it up in the index or server file, separate to all of the other routers.

Let's see some updates to this plan with that feedback actioned :)

vherus commented 1 year ago

Nice, approved!