Added access check for write and manage actions

2017-01-02 23:32:16 -05:00
parent 4625a302f6
commit 9578989b67
7 changed files with 93 additions and 33 deletions
--- a/controllers/admin.js
+++ b/controllers/admin.js
@@ -12,10 +12,21 @@ router.get('/', (req, res) => {
 });

 router.get('/profile', (req, res) => {
+
+	if(res.locals.isGuest) {
+		return res.render('error-forbidden');
+	}
+
 	res.render('pages/admin/profile', { adminTab: 'profile' });
+
 });

 router.get('/stats', (req, res) => {
+
+	if(res.locals.isGuest) {
+		return res.render('error-forbidden');
+	}
+
 	Promise.all([
 		db.Entry.count(),
 		db.UplFile.count(),
@@ -28,14 +39,27 @@ router.get('/stats', (req, res) => {
 	}).catch((err) => {
 		throw err;
 	});
+
 });

 router.get('/users', (req, res) => {
+
+	if(!res.locals.rights.manage) {
+		return res.render('error-forbidden');
+	}
+
 	res.render('pages/admin/users', { adminTab: 'users' });
+
 });

 router.get('/settings', (req, res) => {
+
+	if(!res.locals.rights.manage) {
+		return res.render('error-forbidden');
+	}
+
 	res.render('pages/admin/settings', { adminTab: 'settings' });
+
 });

 module.exports = router;