-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feat: implement new role for admin #122
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 1 Skipped Deployment
|
src/middleware/auth.js
Outdated
|
||
export const externalPartyProtect = asyncHandler((req) => { | ||
if (req.headers['x-api-key'] === process.env.API_ACCESS_KEY) return; | ||
if (req.user.role !== 'SPECTATOR') throw new createError(403, 'You are not permitted to access this resource'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if this is used along with adminProtect neither of it will allow the call to go through, since each checks for a different role, can we refactor this into a function like roleProtect
which takes in a list of accepted roles and checks accordingly ?
src/models/user.js
Outdated
@@ -45,7 +45,7 @@ const UserSchema = new mongoose.Schema( | |||
}, | |||
role: { | |||
type: String, | |||
enum: ['ADMIN', 'GROUP'], | |||
enum: ['ADMIN', 'GROUP', 'SPECTATOR'], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we move this into an enum like object and use it here with Object.Values()
src/validations/user.js
Outdated
@@ -3,7 +3,8 @@ import { genders, mealPreferences } from '@/models/user'; | |||
|
|||
export const addUserSchema = { | |||
name: Joi.string().required(), | |||
email: Joi.string().email().required() | |||
email: Joi.string().email().required(), | |||
role: Joi.string().valid('ADMIN', 'SPECTATOR').required() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Like in the model, can we move this into an enum like object and use it here with Object.Values()
@@ -15,7 +15,7 @@ router.use('/auth', authRouter); | |||
router.use('/submissions', protect, submissionRouter); | |||
router.use('/users', protect, userRouter); | |||
router.use('/questions', protect, questionRouter); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question create update will have to be restricted as well for role SPECTATOR
@@ -15,7 +15,7 @@ router.use('/auth', authRouter); | |||
router.use('/submissions', protect, submissionRouter); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Submission grade will have to be restricted as well for role SPECTATOR
src/routes/user.routes.js
Outdated
@@ -14,7 +14,7 @@ import { | |||
const users = express.Router(); | |||
|
|||
users.post('/', adminProtect, celebrate({ [Segments.BODY]: addUserSchema }), tracedAsyncHandler(create)); | |||
users.get('/', adminProtect, tracedAsyncHandler(getAll)); | |||
users.get('/', externalPartyProtect, adminProtect, tracedAsyncHandler(getAll)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Somewhere below there's a user update route as well I guess that needs restriction as well
No description provided.