fix error handling and displaying on membership PUT and DELETE; don't allow to...

fix error handling and displaying on membership PUT and DELETE; don't allow to change your own role; require at least one admin

fix error handling and displaying on membership PUT and DELETE; don't allow to...
fix error handling and displaying on membership PUT and DELETE; don't allow to change your own role; require at least one admin
16ffecdb · mntmn · c05afaba · 16ffecdb · 16ffecdb · 16ffecdb
Commit 16ffecdb authored Apr 09, 2020 by mntmn
--- a/models/db.js
+++ b/models/db.js
@@ -91,7 +91,7 @@ module.exports = {
    user_id: Sequelize.STRING,
    role: Sequelize.STRING,
    code: Sequelize.STRING,
-    state: {type: Sequelize.STRING, defaultValue: "pending"},
+    state: {type: Sequelize.STRING, defaultValue: "pending"}, // valid: "pending", "active"
    email_invited: Sequelize.STRING,
    created_at: {type: Sequelize.DATE, defaultValue: Sequelize.NOW},
    updated_at: {type: Sequelize.DATE, defaultValue: Sequelize.NOW}

--- a/public/javascripts/spacedeck_spaces.js
+++ b/public/javascripts/spacedeck_spaces.js
@@ -776,9 +776,12 @@ var SpacedeckSpaces = {
            this.invite_message = "";
          }
        }.bind(this), function(xhr){
-
-          text = JSON.stringify(xhr.responseText);
-          smoke.alert("Error: "+text);
+          try {
+            var res = JSON.parse(xhr.response);
+            alert("Error: "+res.error);
+          } catch (e) {
+            console.error(e, xhr);
+          }
        }.bind(this));
      }.bind(this));
    },
@@ -786,9 +789,13 @@ var SpacedeckSpaces = {
    update_member: function(space, m, role) {
      m.role = role;
      save_membership(space, m, function() {
-        console.log("saved")
      }.bind(this), function(xhr) {
-        console.error(xhr);
+        try {
+          var res = JSON.parse(xhr.response);
+          alert("Error: "+res.error);
+        } catch (e) {
+          console.error(e, xhr);
+        }
      }.bind(this));
    },

@@ -797,7 +804,12 @@ var SpacedeckSpaces = {
      delete_membership(space, m, function() {
        this.access_settings_memberships.splice(this.access_settings_memberships.indexOf(m), 1);
      }.bind(this), function(xhr) {
-        console.error(xhr);
+        try {
+          var res = JSON.parse(xhr.response);
+          alert("Error: "+res.error);
+        } catch (e) {
+          console.error(e, xhr);
+        }
      }.bind(this));
    },


--- a/routes/api/space_memberships.js
+++ b/routes/api/space_memberships.js
@@ -45,10 +45,12 @@ router.post('/', function(req, res, next) {
        "email": membership.email_invited
      }}).then(function(user) {

+        // existing user? then immediately activate membership
        if (user) {
          membership.user_id = user._id;
          membership.state = "active";
        } else {
+          // if not, invite via email and invite code
          membership.code = crypto.randomBytes(64).toString('hex').substring(0, 12);
        }

@@ -102,11 +104,18 @@ router.put('/:membership_id', function(req, res, next) {
        _id: req.params.membership_id
      }}).then(function(mem) {
        if (mem) {
-          var attrs = req.body;
-          mem.role = attrs.role;
-          mem.save(function() {
-            res.status(201).json(mem);
-          });
+          // is the user trying to change their own role?
+          if (mem.user_id == req.user._id) {
+            res.status(400).json({
+              "error": "Cannot change your own role."
+            });
+          } else {
+            var attrs = req.body;
+            mem.role = attrs.role;
+            mem.save(function() {
+              res.status(201).json(mem);
+            });
+          }
        }
      });
    } else {
@@ -118,13 +127,25 @@ router.put('/:membership_id', function(req, res, next) {
 });

 router.delete('/:membership_id', function(req, res, next) {
-  if (req.user) {
-    db.Membership.findOne({ where: {
-      _id: req.params.membership_id
-    }}).then(function(mem) {
-      mem.destroy().then(function() {
-        res.sendStatus(204);
-      });
+  if (req.user && req.spaceRole == 'admin') {
+    db.Membership.count({ where: {
+      space_id: req.space._id,
+      role: "admin"
+    }}).then(function(adminCount) {
+      db.Membership.findOne({ where: {
+        _id: req.params.membership_id
+      }}).then(function(mem) {
+        // deleting an admin? need at least 1
+        if (mem.role != "admin" || adminCount > 1) { 
+          mem.destroy().then(function() {
+            res.sendStatus(204);
+          });
+        } else {
+          res.status(400).json({
+            "error": "Space needs at least one administrator."
+          });
+        }
+      })
    });
  } else {
    res.sendStatus(403);

--- a/routes/api/spaces.js
+++ b/routes/api/spaces.js
@@ -168,12 +168,15 @@ router.post('/', function(req, res, next) {
      attrs.edit_slug = slug(attrs.name);
      
      db.Space.create(attrs).then(createdSpace => {
-        //if (err) res.sendStatus(400);
+        res.status(201).json(createdSpace);
+        
+        // create initial admin membership
        var membership = {
          _id: uuidv4(),
          user_id: req.user._id,
          space_id: attrs._id,
-          role: "admin"
+          role: "admin",
+          state: "active"
        };
        
        db.Membership.create(membership).then(() => {