@@ -277,14 +277,15 @@ import clone from 'lodash/clone';
import throttle from 'lodash/throttle';
import markdownDirective from '@/directives/markdown';
+import { userStateMixin } from '../../mixins/userState';
import { TAVERN_ID, MIN_SHORTNAME_SIZE_FOR_CHALLENGES, MAX_SUMMARY_SIZE_FOR_CHALLENGES } from '@/../../common/script/constants';
-import { mapState } from '@/libs/store';
export default {
directives: {
markdown: markdownDirective,
},
+ mixins: [userStateMixin],
props: ['groupId'],
data () {
const categoryOptions = [
@@ -378,7 +379,6 @@ export default {
};
},
computed: {
- ...mapState({ user: 'user.data' }),
creating () {
return !this.workingChallenge.id;
},
diff --git a/website/client/src/components/chat/chatCard.vue b/website/client/src/components/chat/chatCard.vue
index ef0e5a1b06..a22914c727 100644
--- a/website/client/src/components/chat/chatCard.vue
+++ b/website/client/src/components/chat/chatCard.vue
@@ -5,7 +5,7 @@
class="mentioned-icon"
>
@@ -202,7 +202,7 @@ import cloneDeep from 'lodash/cloneDeep';
import escapeRegExp from 'lodash/escapeRegExp';
import renderWithMentions from '@/libs/renderWithMentions';
-import { mapState } from '@/libs/store';
+import { userStateMixin } from '../../mixins/userState';
import userLink from '../userLink';
import deleteIcon from '@/assets/svg/delete.svg';
@@ -223,6 +223,7 @@ export default {
return moment(value).toDate().toString();
},
},
+ mixins: [userStateMixin],
props: {
msg: {},
groupId: {},
@@ -240,7 +241,6 @@ export default {
};
},
computed: {
- ...mapState({ user: 'user.data' }),
isUserMentioned () {
const message = this.msg;
diff --git a/website/client/src/components/chat/chatMessages.vue b/website/client/src/components/chat/chatMessages.vue
index c34bce5ce7..823d781789 100644
--- a/website/client/src/components/chat/chatMessages.vue
+++ b/website/client/src/components/chat/chatMessages.vue
@@ -149,7 +149,7 @@ import moment from 'moment';
import axios from 'axios';
import debounce from 'lodash/debounce';
import findIndex from 'lodash/findIndex';
-import { mapState } from '@/libs/store';
+import { userStateMixin } from '../../mixins/userState';
import Avatar from '../avatar';
import copyAsTodoModal from './copyAsTodoModal';
@@ -161,6 +161,7 @@ export default {
chatCard,
Avatar,
},
+ mixins: [userStateMixin],
props: {
chat: {},
groupType: {},
@@ -182,7 +183,6 @@ export default {
};
},
computed: {
- ...mapState({ user: 'user.data' }),
// @TODO: We need a different lazy load mechnism.
// But honestly, adding a paging route to chat would solve this
messages () {
@@ -214,7 +214,7 @@ export default {
canViewFlag (message) {
if (message.uuid === this.user._id) return true;
if (!message.flagCount || message.flagCount < 2) return true;
- return this.user.contributor.admin;
+ return this.hasPermission(this.user, 'moderator');
},
loadProfileCache: debounce(function loadProfileCache (screenPosition) {
this._loadProfileCache(screenPosition);
diff --git a/website/client/src/components/chat/reportFlagModal.vue b/website/client/src/components/chat/reportFlagModal.vue
index ff12fc4589..53b2f0f020 100644
--- a/website/client/src/components/chat/reportFlagModal.vue
+++ b/website/client/src/components/chat/reportFlagModal.vue
@@ -23,7 +23,7 @@
@@ -111,6 +111,12 @@
class="admin-action"
@click="adminUnblockUser()"
>un-ban
+
+ Admin Panel
+
@@ -730,6 +736,7 @@ import challenge from '@/assets/svg/challenge.svg';
import member from '@/assets/svg/member-icon.svg';
import staff from '@/assets/svg/tier-staff.svg';
import error404 from '../404';
+import { userCustomStateMixin } from '../../mixins/userState';
// @TODO: EMAILS.COMMUNITY_MANAGER_EMAIL
const COMMUNITY_MANAGER_EMAIL = 'admin@habitica.com';
@@ -742,6 +749,7 @@ export default {
profileStats,
error404,
},
+ mixins: [userCustomStateMixin('userLoggedIn')],
props: ['userId', 'startingPage'],
data () {
return {
@@ -780,7 +788,6 @@ export default {
},
computed: {
...mapState({
- userLoggedIn: 'user.data',
flatGear: 'content.gear.flat',
}),
userJoinedDate () {
diff --git a/website/client/src/mixins/userState.js b/website/client/src/mixins/userState.js
index 6d951d07e7..8d007f4184 100644
--- a/website/client/src/mixins/userState.js
+++ b/website/client/src/mixins/userState.js
@@ -1,7 +1,20 @@
import { mapState } from '@/libs/store';
-export const userStateMixin = { // eslint-disable-line import/prefer-default-export
- computed: {
- ...mapState({ user: 'user.data' }),
- },
+export const userCustomStateMixin = fieldname => {
+ const map = { };
+ map[fieldname] = 'user.data';
+ return { // eslint-disable-line import/prefer-default-export
+ computed: {
+ ...mapState(map),
+ },
+ methods: {
+ hasPermission (user, permission) {
+ return Boolean((user.permissions
+ && (user.permissions[permission] || user.permissions.fullAccess))
+ || (user.contributor && user.contributor.admin));
+ },
+ },
+ };
};
+
+export const userStateMixin = userCustomStateMixin('user');
diff --git a/website/client/src/pages/private-messages.vue b/website/client/src/pages/private-messages.vue
index 4cccee5cc1..e179e81452 100644
--- a/website/client/src/pages/private-messages.vue
+++ b/website/client/src/pages/private-messages.vue
@@ -800,7 +800,7 @@ export default {
await this.reload();
- // close members modal if the Private Messages page is opened in an existing tab
+ // close modal if the Private Messages page is opened in an existing tab
this.$root.$emit('bv::hide::modal', 'profile');
this.$root.$emit('bv::hide::modal', 'members-modal');
diff --git a/website/client/src/router/index.js b/website/client/src/router/index.js
index 19ae62e299..1a5fc4e99d 100644
--- a/website/client/src/router/index.js
+++ b/website/client/src/router/index.js
@@ -6,7 +6,7 @@ import handleRedirect from './handleRedirect';
import ParentPage from '@/components/parentPage';
import { PAGES } from '@/libs/consts';
-// NOTE: when adding a page make sure to implement setTitle
+// NOTE: when adding a page make sure to implement the `common:setTitle` action
// Static Pages
const StaticWrapper = () => import(/* webpackChunkName: "entry" */'@/components/static/staticWrapper');
@@ -53,6 +53,10 @@ const HallPage = () => import(/* webpackChunkName: "hall" */'@/components/hall/i
const PatronsPage = () => import(/* webpackChunkName: "hall" */'@/components/hall/patrons');
const HeroesPage = () => import(/* webpackChunkName: "hall" */'@/components/hall/heroes');
+// Admin Panel
+const AdminPanelPage = () => import(/* webpackChunkName: "admin-panel" */'@/components/admin-panel');
+const AdminPanelUserPage = () => import(/* webpackChunkName: "admin-panel" */'@/components/admin-panel/user-support');
+
// Except for tasks that are always loaded all the other main level
// All the main level
// components are loaded in separate webpack chunks.
@@ -109,7 +113,7 @@ const router = new VueRouter({
scrollBehavior () {
return { x: 0, y: 0 };
},
- // requiresLogin is true by default, isStatic false
+ // meta defaults: requiresLogin true, privilegeNeeded empty
// NOTE: when adding a new route entry make sure to implement the `common:setTitle` action
// in the route component to set a specific subtitle for the page.
routes: [
@@ -348,6 +352,31 @@ const router = new VueRouter({
{ name: 'contributors', path: 'contributors', component: HeroesPage },
],
},
+
+ {
+ name: 'adminPanel',
+ path: '/admin-panel',
+ component: AdminPanelPage,
+ meta: {
+ privilegeNeeded: [ // any one of these is enough to give access
+ 'userSupport',
+ 'newsPoster',
+ ],
+ },
+ children: [
+ {
+ name: 'adminPanelUser',
+ path: ':userIdentifier', // User ID or Username
+ component: AdminPanelUserPage,
+ meta: {
+ privilegeNeeded: [
+ 'userSupport',
+ ],
+ },
+ },
+ ],
+ },
+
// Only used to handle some redirects
// See router.beforeEach
{ path: '/redirect/:redirect', name: 'redirect' },
@@ -357,9 +386,10 @@ const router = new VueRouter({
const store = getStore();
-router.beforeEach((to, from, next) => {
- const { isUserLoggedIn } = store.state;
+router.beforeEach(async (to, from, next) => {
+ const { isUserLoggedIn, isUserLoaded } = store.state;
const routeRequiresLogin = to.meta.requiresLogin !== false;
+ const routePrivilegeNeeded = to.meta.privilegeNeeded;
if (to.name === 'redirect') return handleRedirect(to, from, next);
@@ -392,6 +422,17 @@ router.beforeEach((to, from, next) => {
return next({ name: 'tasks' });
}
+ if (routePrivilegeNeeded) {
+ // Redirect non-admin users when trying to access a page.
+ if (!isUserLoaded) await store.dispatch('user:fetch');
+ if (!store.state.user.data.permissions.fullAccess) {
+ const userHasPriv = routePrivilegeNeeded.some(
+ privName => store.state.user.data.permissions[privName],
+ );
+ if (!userHasPriv) return next({ name: 'tasks' });
+ }
+ }
+
// Redirect old guild urls
if (to.hash.indexOf('#/options/groups/guilds/') !== -1) {
const splits = to.hash.split('/');
diff --git a/website/client/src/store/actions/hall.js b/website/client/src/store/actions/hall.js
index c3139e07cb..52fde94b26 100644
--- a/website/client/src/store/actions/hall.js
+++ b/website/client/src/store/actions/hall.js
@@ -26,3 +26,9 @@ export async function getPatrons (store, payload) {
const response = await axios.get(url);
return response.data.data;
}
+
+export async function getHeroParty (store, payload) {
+ const url = `/api/v4/hall/heroes/party/${payload.groupId}`;
+ const response = await axios.get(url);
+ return response.data.data;
+}
diff --git a/website/client/src/store/getters/tasks.js b/website/client/src/store/getters/tasks.js
index 9fb5beea61..7b426d3ca1 100644
--- a/website/client/src/store/getters/tasks.js
+++ b/website/client/src/store/getters/tasks.js
@@ -46,7 +46,7 @@ export function canDelete (store) {
const user = store.state.user.data;
const userId = user.id || user._id;
- const isUserAdmin = user.contributor && !!user.contributor.admin;
+ const isUserAdmin = user.permissions && user.permissions.challengeAdmin;
const isUserGroupLeader = group && (group.leader
&& group.leader._id === userId);
const isUserGroupManager = group && (group.managers
@@ -84,7 +84,7 @@ export function canEdit (store) {
const user = store.state.user.data;
const userId = user.id || user._id;
- const isUserAdmin = user.contributor && !!user.contributor.admin;
+ const isUserAdmin = user.permissions && user.permissions.challengeAdmin;
const isUserGroupLeader = group && (group.leader
&& group.leader._id === userId);
const isUserGroupManager = group && (group.managers
diff --git a/website/client/tests/unit/store/getters/tasks/canDelete.spec.js b/website/client/tests/unit/store/getters/tasks/canDelete.spec.js
index 371d496256..345fc35aac 100644
--- a/website/client/tests/unit/store/getters/tasks/canDelete.spec.js
+++ b/website/client/tests/unit/store/getters/tasks/canDelete.spec.js
@@ -39,7 +39,7 @@ describe('canDelete getter', () => {
});
it('can Delete any challenge task as admin', () => {
- store.state.user.data.contributor.admin = true;
+ store.state.user.data.permissions = { challengeAdmin: true };
expect(store.getters['tasks:canDelete'](task, 'challenge', true, null, challenge)).to.equal(true);
});
diff --git a/website/client/tests/unit/store/getters/tasks/canEdit.spec.js b/website/client/tests/unit/store/getters/tasks/canEdit.spec.js
index 27db5190f7..e736a77493 100644
--- a/website/client/tests/unit/store/getters/tasks/canEdit.spec.js
+++ b/website/client/tests/unit/store/getters/tasks/canEdit.spec.js
@@ -39,7 +39,7 @@ describe('canEdit getter', () => {
});
it('can Edit any challenge task if admin', () => {
- store.state.user.data.contributor.admin = true;
+ store.state.user.data.permissions = { challengeAdmin: true };
expect(store.getters['tasks:canEdit'](task, 'challenge', true, null, challenge)).to.equal(true);
expect(store.getters['tasks:canEdit'](task, 'challenge', false, null, challenge)).to.equal(true);
diff --git a/website/common/locales/en/contrib.json b/website/common/locales/en/contrib.json
index 3cbac414fd..fda3ef91ac 100644
--- a/website/common/locales/en/contrib.json
+++ b/website/common/locales/en/contrib.json
@@ -31,6 +31,7 @@
"hallContributors": "Hall of Contributors",
"hallPatrons": "Hall of Patrons",
"noAdminAccess": "You don't have admin access.",
+ "noPrivAccess": "You don't have the required privileges.",
"userNotFound": "User not found.",
"invalidUUID": "UUID must be valid",
"title": "Title",
diff --git a/website/common/script/errors/apiErrorMessages.js b/website/common/script/errors/apiErrorMessages.js
index 2d45de4e3f..db44491357 100644
--- a/website/common/script/errors/apiErrorMessages.js
+++ b/website/common/script/errors/apiErrorMessages.js
@@ -14,9 +14,10 @@ export default {
guildsOnlyPaginate: 'Only public guilds support pagination.',
guildsPaginateBooleanString: 'req.query.paginate must be a boolean string.',
groupIdRequired: 'req.params.groupId must contain a groupId.',
+ groupWithIDNotFound: 'Group with id "<%= groupId %>" not found.',
groupRemainOrLeaveChallenges: 'req.query.keep must be either "remain-in-challenges" or "leave-challenges"',
managerIdRequired: 'req.body.managerId must contain a User ID.',
- noSudoAccess: 'You don\'t have sudo access.',
+ noPrivAccess: 'You don\'t have the required privileges.',
eventRequired: '"req.params.event" is required.',
countRequired: '"req.query.count" is required.',
diff --git a/website/server/api-doc.js b/website/server/api-doc.js
index e0a4cdeecd..1bdc62f366 100644
--- a/website/server/api-doc.js
+++ b/website/server/api-doc.js
@@ -56,6 +56,19 @@
* }
*/
+/**
+ * @apiDefine NoPrivs You don't have the required privileges.
+ *
+ * @apiError (401) {NotAuthorized} NoPrivs User does not have the required admin privileges.
+ *
+ * @apiErrorExample User does not have the required privileges.
+ * {
+ * "success": false,
+ * "error": "NotAuthorized",
+ * "message": "You don't have the required privileges."
+ * }
+ */
+
/**
* @apiDefine NoUser No user
* @apiError (404) {NotFound} NoUser The specified user could not be found.
diff --git a/website/server/controllers/api-v3/chat.js b/website/server/controllers/api-v3/chat.js
index 966552fd28..28e80458b0 100644
--- a/website/server/controllers/api-v3/chat.js
+++ b/website/server/controllers/api-v3/chat.js
@@ -401,14 +401,14 @@ api.clearChatFlags = {
const validationErrors = req.validationErrors();
if (validationErrors) throw validationErrors;
- if (!user.contributor.admin) {
+ if (!user.hasPermission('moderator')) {
throw new NotAuthorized(res.t('messageGroupChatAdminClearFlagCount'));
}
const group = await Group.getGroup({
user,
groupId,
- optionalMembership: user.contributor.admin,
+ optionalMembership: user.hasPermission('moderator'),
});
if (!group) throw new NotFound(res.t('groupNotFound'));
@@ -550,7 +550,7 @@ api.deleteChat = {
const message = await Chat.findOne({ _id: chatId }).exec();
if (!message) throw new NotFound(res.t('messageGroupChatNotFound'));
- if (user._id !== message.uuid && !user.contributor.admin) {
+ if (user._id !== message.uuid && !user.hasPermission('moderator')) {
throw new NotAuthorized(res.t('onlyCreatorOrAdminCanDeleteChat'));
}
diff --git a/website/server/controllers/api-v3/coupon.js b/website/server/controllers/api-v3/coupon.js
index 80d8bc4d66..b184d61baa 100644
--- a/website/server/controllers/api-v3/coupon.js
+++ b/website/server/controllers/api-v3/coupon.js
@@ -5,7 +5,7 @@ import {
authWithHeaders,
authWithSession,
} from '../../middlewares/auth';
-import { ensureSudo } from '../../middlewares/ensureAccessRight';
+import { ensurePermission } from '../../middlewares/ensureAccessRight';
import * as couponsLib from '../../libs/coupons';
import apiError from '../../libs/apiError';
import { model as Coupon } from '../../models/coupon';
@@ -35,7 +35,7 @@ const api = {};
api.getCoupons = {
method: 'GET',
url: '/coupons',
- middlewares: [authWithSession, ensureSudo],
+ middlewares: [authWithSession, ensurePermission('coupons')],
async handler (req, res) {
const coupons = await Coupon.find().sort('createdAt').lean().exec();
@@ -70,7 +70,7 @@ api.getCoupons = {
api.generateCoupons = {
method: 'POST',
url: '/coupons/generate/:event',
- middlewares: [authWithHeaders(), ensureSudo],
+ middlewares: [authWithHeaders(), ensurePermission('coupons')],
async handler (req, res) {
req.checkParams('event', apiError('eventRequired')).notEmpty();
req.checkQuery('count', apiError('countRequired')).notEmpty().isNumeric();
diff --git a/website/server/controllers/api-v3/debug.js b/website/server/controllers/api-v3/debug.js
index 4072c1ff20..0b80667343 100644
--- a/website/server/controllers/api-v3/debug.js
+++ b/website/server/controllers/api-v3/debug.js
@@ -90,7 +90,7 @@ api.setCron = {
};
/**
- * @api {post} /api/v3/debug/make-admin Sets contributor.admin to true
+ * @api {post} /api/v3/debug/make-admin Sets admin privileges for current user
* @apiName setCron
* @apiGroup Development
* @apiPermission Developers
@@ -104,7 +104,7 @@ api.makeAdmin = {
async handler (req, res) {
const { user } = res.locals;
- user.contributor.admin = true;
+ user.permissions.fullAccess = true;
await user.save();
diff --git a/website/server/controllers/api-v3/groups.js b/website/server/controllers/api-v3/groups.js
index cb9595e3e1..2168ad25ae 100644
--- a/website/server/controllers/api-v3/groups.js
+++ b/website/server/controllers/api-v3/groups.js
@@ -137,8 +137,12 @@ api.createGroup = {
user.party._id = group._id;
}
- const results = await Promise.all([user.save(), group.save()]);
- const savedGroup = results[1];
+ let savedGroup;
+
+ await Group.db.transaction(async session => {
+ await user.save({ session });
+ savedGroup = await group.save({ session });
+ });
// Instead of populate we make a find call manually because of https://github.com/Automattic/mongoose/issues/3833
// await Q.ninvoke(savedGroup, 'populate', ['leader', nameFields]);
@@ -463,12 +467,12 @@ api.updateGroup = {
const validationErrors = req.validationErrors();
if (validationErrors) throw validationErrors;
- const optionalMembership = Boolean(user.contributor.admin);
+ const optionalMembership = Boolean(user.hasPermission('moderator'));
const group = await Group.getGroup({ user, groupId: req.params.groupId, optionalMembership });
if (!group) throw new NotFound(res.t('groupNotFound'));
- if (user.contributor.admin) {
+ if (user.hasPermission('moderator')) {
if (req.body.bannedWordsAllowed === true) {
group.bannedWordsAllowed = true;
} else {
@@ -477,7 +481,7 @@ api.updateGroup = {
}
if (group.leader !== user._id && group.type === 'party') throw new NotAuthorized(res.t('messageGroupOnlyLeaderCanUpdate'));
- else if (group.leader !== user._id && !user.contributor.admin) throw new NotAuthorized(res.t('messageGroupOnlyLeaderCanUpdate'));
+ else if (group.leader !== user._id && !user.hasPermission('moderator')) throw new NotAuthorized(res.t('messageGroupOnlyLeaderCanUpdate'));
if (req.body.leader !== user._id && group.hasNotCancelled()) throw new NotAuthorized(res.t('cannotChangeLeaderWithActiveGroupPlan'));
@@ -932,7 +936,7 @@ api.removeGroupMember = {
const validationErrors = req.validationErrors();
if (validationErrors) throw validationErrors;
- const optionalMembership = Boolean(user.contributor.admin);
+ const optionalMembership = Boolean(user.hasPermission('moderator'));
const group = await Group.getGroup({
user, groupId: req.params.groupId, optionalMembership, fields: '-chat',
}); // Do not fetch chat
@@ -942,9 +946,9 @@ api.removeGroupMember = {
const uuid = req.params.memberId;
if (group.leader !== user._id && group.type === 'party') throw new NotAuthorized(res.t('onlyLeaderCanRemoveMember'));
- if (group.leader !== user._id && !user.contributor.admin) throw new NotAuthorized(res.t('onlyLeaderCanRemoveMember'));
+ if (group.leader !== user._id && !user.hasPermission('moderator')) throw new NotAuthorized(res.t('onlyLeaderCanRemoveMember'));
- if (group.leader === uuid && user.contributor.admin) throw new NotAuthorized(res.t('cannotRemoveCurrentLeader'));
+ if (group.leader === uuid && user.hasPermission('moderator')) throw new NotAuthorized(res.t('cannotRemoveCurrentLeader'));
if (user._id === uuid) throw new NotAuthorized(res.t('memberCannotRemoveYourself'));
diff --git a/website/server/controllers/api-v3/hall.js b/website/server/controllers/api-v3/hall.js
index 3a631b9474..e133f09d91 100644
--- a/website/server/controllers/api-v3/hall.js
+++ b/website/server/controllers/api-v3/hall.js
@@ -1,8 +1,10 @@
import _ from 'lodash';
import validator from 'validator';
import { authWithHeaders } from '../../middlewares/auth';
-import { ensureAdmin } from '../../middlewares/ensureAccessRight';
+import { ensurePermission } from '../../middlewares/ensureAccessRight';
import { model as User } from '../../models/user';
+import { model as Group } from '../../models/group';
+import common from '../../../common';
import {
NotFound,
} from '../../libs/errors';
@@ -144,7 +146,12 @@ api.getHeroes = {
// Note, while the following routes are called getHero / updateHero
// they can be used by admins to get/update any user
-const heroAdminFields = 'contributor balance profile.name purchased items auth flags.chatRevoked flags.chatShadowMuted secret';
+const heroAdminFields = 'auth balance contributor flags items lastCron party preferences profile.name purchased secret permissions';
+const heroAdminFieldsToFetch = heroAdminFields; // these variables will make more sense when...
+const heroAdminFieldsToShow = heroAdminFields; // ... apiTokenObscured is added
+
+const heroPartyAdminFields = 'balance challengeCount leader leaderOnly memberCount purchased quest';
+// must never include Party name, description, summary, leaderMessage
/**
* @api {get} /api/v3/hall/heroes/:heroId Get any user ("hero") given the UUID or Username
@@ -153,7 +160,7 @@ const heroAdminFields = 'contributor balance profile.name purchased items auth f
* @apiGroup Hall
* @apiPermission Admin
*
- * @apiDescription Returns the profile of the given user. User does not need to be a contributor.
+ * @apiDescription Returns various data about the user. User does not need to be a contributor.
*
* @apiSuccess {Object} data The user object
*
@@ -165,7 +172,7 @@ const heroAdminFields = 'contributor balance profile.name purchased items auth f
api.getHero = {
method: 'GET',
url: '/hall/heroes/:heroId',
- middlewares: [authWithHeaders(), ensureAdmin],
+ middlewares: [authWithHeaders(), ensurePermission('userSupport')],
async handler (req, res) {
req.checkParams('heroId', res.t('heroIdRequired')).notEmpty();
@@ -183,16 +190,17 @@ api.getHero = {
const hero = await User
.findOne(query)
- .select(heroAdminFields)
+ .select(heroAdminFieldsToFetch)
.exec();
if (!hero) throw new NotFound(res.t('userWithIDNotFound', { userId: heroId }));
const heroRes = hero.toJSON({ minimize: true });
- heroRes.secret = hero.getSecretData();
-
// supply to the possible absence of hero.contributor
// if we didn't pass minimize: true it would have returned all fields as empty
if (!heroRes.contributor) heroRes.contributor = {};
+
+ heroRes.secret = hero.getSecretData();
+
res.respond(200, heroRes);
},
};
@@ -209,9 +217,8 @@ const gemsPerTier = {
* @apiGroup Hall
* @apiPermission Admin
*
- * @apiDescription Update user's gem balance, contributions and contribution tier,
- * or admin status. Grant items. Block / unblock user's account.
- * Revoke / unrevoke chat privileges.
+ * @apiDescription Update various details in the user's User document,
+ * including but not limited to privileges, gems, contributions, items.
*
* @apiExample Example Body:
* {
@@ -224,12 +231,17 @@ const gemsPerTier = {
* "purchased": {"ads": true},
* "contributor": {
* "admin": true,
+ * "newsPoster": false,
* "contributions": "Improving API documentation",
* "level": 5,
* "text": "Scribe, Blacksmith"
* },
+ * "secret": {
+ * "text": "child with permission to use site",
+ * },
* "itemPath": "items.pets.BearCub-Skeleton",
- * "itemVal": 1
+ * "itemVal": 5,
+ * "changeApiToken": true,
* }
*
* @apiSuccess {Object} data The updated user object
@@ -242,7 +254,7 @@ const gemsPerTier = {
api.updateHero = {
method: 'PUT',
url: '/hall/heroes/:heroId',
- middlewares: [authWithHeaders(), ensureAdmin],
+ middlewares: [authWithHeaders(), ensurePermission('userSupport')],
async handler (req, res) {
const { heroId } = req.params;
const updateData = req.body;
@@ -275,6 +287,7 @@ api.updateHero = {
}
if (updateData.contributor) _.assign(hero.contributor, updateData.contributor);
+ if (updateData.permissions && res.locals.user.hasPermission('userSupport')) _.assign(hero.permissions, updateData.permissions);
if (updateData.purchased && updateData.purchased.ads) {
hero.purchased.ads = updateData.purchased.ads;
}
@@ -310,11 +323,13 @@ api.updateHero = {
}
}
+ if (updateData.changeApiToken) hero.apiToken = common.uuid();
+
const savedHero = await hero.save();
const heroJSON = savedHero.toJSON();
heroJSON.secret = savedHero.getSecretData();
const responseHero = { _id: heroJSON._id }; // only respond with important fields
- heroAdminFields.split(' ').forEach(field => {
+ heroAdminFieldsToShow.split(' ').forEach(field => {
_.set(responseHero, field, _.get(heroJSON, field));
});
@@ -322,4 +337,49 @@ api.updateHero = {
},
};
+/**
+ * @api {get} /api/v3/hall/heroes/party/:groupId Get any Party given its ID
+ * @apiParam (Path) {UUID} groupId party's group ID
+ * @apiName GetHeroParty
+ * @apiGroup Hall
+ * @apiPermission userSupport
+ *
+ * @apiDescription Returns some basic information about a given Party,
+ * to assist admins with user support.
+ *
+ * @apiSuccess {Object} data The party object (contains computed fields
+ * that are not in the Group model)
+ *
+ * @apiUse NoAuthHeaders
+ * @apiUse NoAccount
+ * @apiUse NoUser
+ * @apiUse NoPrivs
+ * @apiUse groupIdRequired
+ * @apiUse GroupNotFound
+ */
+api.getHeroParty = { // @TODO XXX add tests
+ method: 'GET',
+ url: '/hall/heroes/party/:groupId',
+ middlewares: [authWithHeaders(), ensurePermission('userSupport')],
+ async handler (req, res) {
+ req.checkParams('groupId', apiError('groupIdRequired')).notEmpty().isUUID();
+
+ const validationErrors = req.validationErrors();
+ if (validationErrors) throw validationErrors;
+
+ const { groupId } = req.params;
+
+ const query = { _id: groupId, type: 'party' };
+
+ const party = await Group
+ .findOne(query)
+ .select(heroPartyAdminFields)
+ .exec();
+
+ if (!party) throw new NotFound(apiError('groupWithIDNotFound', { groupId }));
+ const partyRes = party.toJSON();
+ res.respond(200, partyRes);
+ },
+};
+
export default api;
diff --git a/website/server/controllers/api-v3/members.js b/website/server/controllers/api-v3/members.js
index 1331b455fb..cb05e57cd2 100644
--- a/website/server/controllers/api-v3/members.js
+++ b/website/server/controllers/api-v3/members.js
@@ -668,7 +668,7 @@ api.sendPrivateMessage = {
if (!receiver.flags.verifiedUsername) delete receiver.auth.local.username;
const objections = sender.getObjectionsToInteraction('send-private-message', receiver);
- if (objections.length > 0 && !sender.isAdmin()) throw new NotAuthorized(res.t(objections[0]));
+ if (objections.length > 0 && !sender.hasPermission('moderator')) throw new NotAuthorized(res.t(objections[0]));
const messageSent = await sentMessage(sender, receiver, message, res.t);
diff --git a/website/server/controllers/api-v3/user.js b/website/server/controllers/api-v3/user.js
index 19b4b5508e..0aeb1bf4dc 100644
--- a/website/server/controllers/api-v3/user.js
+++ b/website/server/controllers/api-v3/user.js
@@ -382,6 +382,7 @@ api.getUserAnonymized = {
delete user.achievements.challenges;
delete user.notifications;
delete user.secret;
+ delete user.permissions;
_.forEach(user.inbox.messages, msg => {
msg.text = 'inbox message text';
diff --git a/website/server/controllers/api-v4/members.js b/website/server/controllers/api-v4/members.js
index 50409a0d53..04050e9192 100644
--- a/website/server/controllers/api-v4/members.js
+++ b/website/server/controllers/api-v4/members.js
@@ -1,6 +1,6 @@
import { authWithHeaders } from '../../middlewares/auth';
import { chatReporterFactory } from '../../libs/chatReporting/chatReporterFactory';
-import { ensureAdmin } from '../../middlewares/ensureAccessRight';
+import { ensurePermission } from '../../middlewares/ensureAccessRight';
import { model as Transaction } from '../../models/transaction';
const api = {};
@@ -58,7 +58,7 @@ api.flagPrivateMessage = {
*/
api.purchaseHistory = {
method: 'GET',
- middlewares: [authWithHeaders(), ensureAdmin],
+ middlewares: [authWithHeaders(), ensurePermission('userSupport')],
url: '/members/:memberId/purchase-history',
async handler (req, res) {
req.checkParams('memberId', res.t('memberIdRequired')).notEmpty().isUUID();
diff --git a/website/server/controllers/api-v4/news.js b/website/server/controllers/api-v4/news.js
index 49a3ef5680..7300d31e6c 100644
--- a/website/server/controllers/api-v4/news.js
+++ b/website/server/controllers/api-v4/news.js
@@ -2,7 +2,7 @@ import _ from 'lodash';
import { authWithHeaders } from '../../middlewares/auth';
import apiError from '../../libs/apiError';
import { model as NewsPost } from '../../models/newsPost';
-import { ensureNewsPoster } from '../../middlewares/ensureAccessRight';
+import { ensurePermission } from '../../middlewares/ensureAccessRight';
import {
NotFound,
} from '../../libs/errors';
@@ -70,7 +70,7 @@ api.getNews = {
api.createNews = {
method: 'POST',
url: '/news',
- middlewares: [authWithHeaders(), ensureNewsPoster],
+ middlewares: [authWithHeaders(), ensurePermission('news')],
async handler (req, res) {
const newsPost = new NewsPost(NewsPost.sanitize(req.body));
newsPost.author = res.locals.user._id;
@@ -146,7 +146,7 @@ api.getPost = {
api.updateNews = {
method: 'PUT',
url: '/news/:postId',
- middlewares: [authWithHeaders(), ensureNewsPoster],
+ middlewares: [authWithHeaders(), ensurePermission('news')],
async handler (req, res) {
req.checkParams('postId', apiError('postIdRequired')).notEmpty().isUUID();
const validationErrors = req.validationErrors();
@@ -181,7 +181,7 @@ api.updateNews = {
api.deleteNews = {
method: 'DELETE',
url: '/news/:postId',
- middlewares: [authWithHeaders(), ensureNewsPoster],
+ middlewares: [authWithHeaders(), ensurePermission('news')],
async handler (req, res) {
req.checkParams('postId', apiError('postIdRequired')).notEmpty().isUUID();
const validationErrors = req.validationErrors();
diff --git a/website/server/libs/challenges/index.js b/website/server/libs/challenges/index.js
index c72f723b8f..3105b1e4cd 100644
--- a/website/server/libs/challenges/index.js
+++ b/website/server/libs/challenges/index.js
@@ -56,7 +56,7 @@ export async function createChallenge (user, req, res) {
req.body.summary = req.body.name;
}
req.body.leader = user._id;
- req.body.official = !!(user.contributor.admin && req.body.official);
+ req.body.official = !!(user.hasPermission('challengeAdmin') && req.body.official);
const challenge = new Challenge(Challenge.sanitize(req.body));
// First validate challenge so we don't save group if it's invalid (only runs sync validators)
diff --git a/website/server/libs/chatReporting/groupChatReporter.js b/website/server/libs/chatReporting/groupChatReporter.js
index 11b6ea2106..18caf90c9a 100644
--- a/website/server/libs/chatReporting/groupChatReporter.js
+++ b/website/server/libs/chatReporting/groupChatReporter.js
@@ -37,7 +37,7 @@ export default class GroupChatReporter extends ChatReporter {
const group = await Group.getGroup({
user: this.user,
groupId: this.groupId,
- optionalMembership: this.user.contributor.admin,
+ optionalMembership: this.user.hasPermission('moderator'),
});
if (!group) throw new NotFound(this.res.t('groupNotFound'));
@@ -72,13 +72,13 @@ export default class GroupChatReporter extends ChatReporter {
// Log user ids that have flagged the message
if (!message.flags) message.flags = {};
// TODO fix error type
- if (message.flags[this.user._id] && !this.user.contributor.admin) throw new NotFound(this.res.t('messageGroupChatFlagAlreadyReported'));
+ if (message.flags[this.user._id] && !this.user.hasPermission('moderator')) throw new NotFound(this.res.t('messageGroupChatFlagAlreadyReported'));
message.flags[this.user._id] = true;
message.markModified('flags');
// Log total number of flags (publicly viewable)
if (!message.flagCount) message.flagCount = 0;
- if (this.user.contributor.admin) {
+ if (this.user.hasPermission('moderator')) {
// Arbitrary amount, higher than 2
message.flagCount = 5;
} else if (increaseFlagCount) {
diff --git a/website/server/libs/chatReporting/inboxChatReporter.js b/website/server/libs/chatReporting/inboxChatReporter.js
index fb412c89c3..94c6302cf4 100644
--- a/website/server/libs/chatReporting/inboxChatReporter.js
+++ b/website/server/libs/chatReporting/inboxChatReporter.js
@@ -30,7 +30,7 @@ export default class InboxChatReporter extends ChatReporter {
const validationErrors = this.req.validationErrors();
if (validationErrors) throw validationErrors;
- if (this.user.contributor.admin && this.req.query.userId) {
+ if (this.user.hasPermission('moderator') && this.req.query.userId) {
this.inboxUser = await User.findOne({ _id: this.req.query.userId }).exec();
}
@@ -103,7 +103,7 @@ export default class InboxChatReporter extends ChatReporter {
// Log user ids that have flagged the message
if (!message.flags) message.flags = {};
// TODO fix error type
- if (message.flags[this.user._id] && !this.user.contributor.admin) {
+ if (message.flags[this.user._id] && !this.user.hasPermission('moderator')) {
throw new BadRequest(this.res.t('messageGroupChatFlagAlreadyReported'));
}
diff --git a/website/server/libs/inbox/conversation.methods.js b/website/server/libs/inbox/conversation.methods.js
index 7a3e878be5..a2b68e2de0 100644
--- a/website/server/libs/inbox/conversation.methods.js
+++ b/website/server/libs/inbox/conversation.methods.js
@@ -96,7 +96,7 @@ export async function listConversations (owner, page) {
const isOwnerBlocked = user.blocks.includes(owner._id);
- conversation.canReceive = !(user.optOut || isOwnerBlocked) || owner.isAdmin();
+ conversation.canReceive = !(user.optOut || isOwnerBlocked) || owner.hasPermission('moderator');
}
return conversation;
diff --git a/website/server/libs/items/utils.js b/website/server/libs/items/utils.js
index 5e039d4fe7..191d717a14 100644
--- a/website/server/libs/items/utils.js
+++ b/website/server/libs/items/utils.js
@@ -60,7 +60,7 @@ export function validateItemPath (itemPath) {
// When passed a value of an item in the user object it'll convert the
// value to the correct format.
-// Example a numeric string like "5" applied to a food item (expecting an interger)
+// Example a numeric string like "5" applied to a food item (expecting an integer)
// will be converted to the number 5
export function castItemVal (itemPath, itemVal) {
if (
@@ -73,13 +73,19 @@ export function castItemVal (itemPath, itemVal) {
return Number(itemVal);
}
- if (
- itemPath.indexOf('items.mounts') === 0
- || itemPath.indexOf('items.gear.owned') === 0
- ) {
- if (itemVal === 'true') return true;
- if (itemVal === 'false') return false;
+ if (itemPath.indexOf('items.mounts') === 0) {
+ // Mounts are true when you own them and null when you have used Keys to the Kennel
+ // to release them.
+ // They are never false but allow 'false' to be null in case of user error.
+ if (itemVal === 'null' || itemVal === 'false') return null;
+ if (itemVal) return true; // any truthy value
+ return null; // any false value
+ }
+ if (itemPath.indexOf('items.gear.owned') === 0) {
+ // Gear is true when you own it and false if you previously owned it but lost it (e.g., Death)
+ // It is never null but allow 'null' to be false in case of user error.
+ if (itemVal === 'false' || itemVal === 'null') return false;
return Boolean(itemVal);
}
diff --git a/website/server/middlewares/auth.js b/website/server/middlewares/auth.js
index 5527a0d0fb..7332ba30c3 100644
--- a/website/server/middlewares/auth.js
+++ b/website/server/middlewares/auth.js
@@ -11,7 +11,7 @@ import common from '../../common';
import { getLanguageFromUser } from '../libs/language';
const COMMUNITY_MANAGER_EMAIL = nconf.get('EMAILS_COMMUNITY_MANAGER_EMAIL');
-const USER_FIELDS_ALWAYS_LOADED = ['_id', 'notifications', 'preferences', 'auth', 'flags'];
+const USER_FIELDS_ALWAYS_LOADED = ['_id', 'notifications', 'preferences', 'auth', 'flags', 'permissions'];
function getUserFields (options, req) {
// A list of user fields that aren't needed for the route and are not loaded from the db.
diff --git a/website/server/middlewares/ensureAccessRight.js b/website/server/middlewares/ensureAccessRight.js
index 12b2293a68..4c50434cda 100644
--- a/website/server/middlewares/ensureAccessRight.js
+++ b/website/server/middlewares/ensureAccessRight.js
@@ -3,32 +3,19 @@ import {
} from '../libs/errors';
import apiError from '../libs/apiError';
-export function ensureAdmin (req, res, next) {
- const { user } = res.locals;
+export function ensurePermission (permission) {
+ return function ensurePermissionHandler (req, res, next) {
+ const { user } = res.locals;
- if (!user.contributor.admin) {
- return next(new NotAuthorized(res.t('noAdminAccess')));
- }
+ if (user.permissions.fullAccess) {
+ // No matter what is checked, fullAccess admins can do it
+ return next();
+ }
- return next();
-}
-
-export function ensureNewsPoster (req, res, next) {
- const { user } = res.locals;
-
- if (!user.contributor.newsPoster) {
- return next(new NotAuthorized(apiError('noNewsPosterAccess')));
- }
-
- return next();
-}
-
-export function ensureSudo (req, res, next) {
- const { user } = res.locals;
-
- if (!user.contributor.sudo) {
- return next(new NotAuthorized(apiError('noSudoAccess')));
- }
-
- return next();
+ if (!user.permissions[permission]) {
+ return next(new NotAuthorized(apiError('noPrivAccess')));
+ }
+
+ return next();
+ };
}
diff --git a/website/server/models/challenge.js b/website/server/models/challenge.js
index b97f058f76..4d7ce99fad 100644
--- a/website/server/models/challenge.js
+++ b/website/server/models/challenge.js
@@ -85,7 +85,7 @@ schema.methods.isMember = function isChallengeMember (user) {
// Returns true if the user can modify (close, selectWinner, ...) the challenge
schema.methods.canModify = function canModifyChallenge (user) {
- return user.contributor.admin || this.isLeader(user);
+ return user.hasPermission('challengeAdmin') || this.isLeader(user);
};
// Returns true if user can join the challenge
diff --git a/website/server/models/group.js b/website/server/models/group.js
index d2e332fb45..8f915e92a8 100644
--- a/website/server/models/group.js
+++ b/website/server/models/group.js
@@ -396,7 +396,7 @@ schema.statics.toJSONCleanChat = async function groupToJSONCleanChat (group, use
chatMsg.timestamp = chatMsg.timestamp.getTime();
}
- if (!user.contributor.admin) {
+ if (!user.hasPermission('moderator')) {
// Flags are hidden to non admins
chatMsg.flags = {};
if (chatMsg._meta) chatMsg._meta = undefined;
diff --git a/website/server/models/user/index.js b/website/server/models/user/index.js
index 8cbd19ffaa..fb965d003b 100644
--- a/website/server/models/user/index.js
+++ b/website/server/models/user/index.js
@@ -26,7 +26,7 @@ export const model = mongoose.model('User', schema);
export const mods = [];
mongoose.model('User')
- .find({ 'contributor.admin': true })
+ .find({ 'contributor.moderator': true })
.sort('-contributor.level -backer.npc profile.name')
.select('profile contributor backer')
.exec()
diff --git a/website/server/models/user/methods.js b/website/server/models/user/methods.js
index 09a394034e..ad2e451ffe 100644
--- a/website/server/models/user/methods.js
+++ b/website/server/models/user/methods.js
@@ -522,7 +522,11 @@ schema.methods.isAdmin = function isAdmin () {
};
schema.methods.isNewsPoster = function isNewsPoster () {
- return Boolean(this.contributor && this.contributor.newsPoster);
+ return this.hasPermission('news');
+};
+
+schema.methods.hasPermission = function hasPermission (permission) {
+ return Boolean(this.permissions && (this.permissions[permission] || this.permissions.fullAccess));
};
// When converting to json add inbox messages from the Inbox collection
diff --git a/website/server/models/user/schema.js b/website/server/models/user/schema.js
index d4371d180d..5fc22138a1 100644
--- a/website/server/models/user/schema.js
+++ b/website/server/models/user/schema.js
@@ -171,8 +171,6 @@ export default new Schema({
max: 9,
},
admin: Boolean,
- newsPoster: Boolean,
- sudo: Boolean,
// Artisan, Friend, Blacksmith, etc
text: String,
// a markdown textarea to list their contributions + links
@@ -180,7 +178,14 @@ export default new Schema({
// user can own Critical Hammer of Bug-Crushing if this has a truthy value
critical: String,
},
-
+ permissions: {
+ fullAccess: Boolean, // esentially what was previously contributor.admin. Can do everything
+ news: Boolean,
+ userSupport: Boolean, // access User Support feature in Admin Panel
+ challengeAdmin: Boolean, // Can manage and administrate challenges
+ moderator: Boolean, // Can ban, flag users and manage social spaces
+ coupons: Boolean, // Can generate and request coupons
+ },
balance: { $type: Number, default: 0 },
purchased: {