-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Review _user API mod #1264
base: main
Are you sure you want to change the base?
Review _user API mod #1264
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me
I am happy for this to be reviewed. @simon-leech Do you still want to write some tests for this? Or should I try give it a crack? |
@RobAndrewHurst Happy for you to pick up the tests then I can review the PR and tests all in one go? |
Sure! |
The main problem with testing these modules is that we can't test them via the CLI. We would want to write a login_test similar to the test_view to the run on deployed instances. This will then fully test the ACL. I don't see a point in mocking the ACL in the CLI. Let me know what you think? |
@RobAndrewHurst Agreed - sounds quite tricky to mock, maybe we can add a login_test view as a separate PR? Once this one is in? |
Sounds good! |
This is back into draft. There was a couple of issues especially in regards to the auth mod, token and session check. The session check did not work when no session field is available in ACL. This was failing silently with the request authenticating. The session and token check are now individual documented methods. |
The update method as called from the admin panel will now do the verification bits. let verification_by_admin = ''
if (req.params.field === 'verified' && req.params.value === true) {
verification_by_admin = `
, password = password_reset
, password_reset = NULL
, failedattempts = 0
, verificationtoken = NULL
, approved = true
, approved_by = '${req.params.user.email}|${ISODate}'
`
}
// Get user to update from ACL.
const rows = await acl(`
UPDATE acl_schema.acl_table
SET
${req.params.field} = $2
${verification_by_admin}
${approved_by}
WHERE lower(email) = lower($1);`,
[email, req.params.value])
if (rows instanceof Error) {
return res.status(500).send('Failed to access ACL.')
} The verification can be called directly by an admin.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we force the users verification flag be set to false when they reset their passwords? So that when an admin user goes to reset their password via the verification flag they don't have to toggle it from true to false to true.
@RobAndrewHurst No, we cannot. Otherwise I could set your verification to false knowing your email address. Anybody could... I can anyways being an administrator. But you get what I mean. |
We then need a way for Admin's to easily see who needs to be verified again |
I added a column re_verification which is false if there user [record] has a verification token. If clicked on this the the verified true update query will be sent and the verified and approved columns will be toggled after successful update query. |
Resetting a users email (roberthurstsa@gmail.com) I don't see a green tick in the outstanding password reset column. But after re-verifying the user through the admin panel, I then see a green tick for the user. Seems as if the logic needs to be reversed? |
Green tick means that the user is fully verified. Happy for you to reverse the logic. |
Ah ok! If you put it like that I am happy with it! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@RobAndrewHurst The issue with missing host should be resolved in last commit. The register request get's short circuited in the api module since it doesn't have user auth by definition. Hence the reqHost util is required in the register module itself. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have run through the ACL process. Looks all good!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm happy with this too, seems to be working from my testing!
It doesn't seem to want me to mark it as approved though idk why 😂 |
The _user API methods should each individually check whether the ACL is provided and user admin rights are required.
The admin view method was pushed into it's own mod file
user/admin.js
The
user/delete
API will now allow for a logged in user to remove themselves.