A lot of improvements:

- Principal & assistant principal role - Resolves MeetPlan/MeetPlanFrontend#24 & Resolves MeetPlan/MeetPlanFrontend#23 - Principal name in official documents - Linked to MeetPlan/MeetPlanFrontend#15 - Start of school psychologist role - Linked to MeetPlan/MeetPlanFrontend#22 - And a lot more small tweaks and big security updates
MeetPlan · Apr 17, 2022 · 37f6f93 · 37f6f93
1 parent f243417
commit 37f6f93
Show file tree

Hide file tree

Showing 16 changed files with 1,296 additions and 1,197 deletions.
diff --git a/config.json b/config.json
@@ -1 +1 @@
-{"database_name":"sqlite3","database_config":"MeetPlanDB/meetplan.db","debug":true,"host":"127.0.0.1:8000","school_name":"Testna šola","school_address":"Testna ulica 1","school_city":"Ljubljana","school_country":"Slovenija","school_post_code":1000,"parent_view_grades":false,"parent_view_absences":false,"parent_view_homework":true}
+{"database_name":"sqlite3","database_config":"MeetPlanDB/meetplan.db","debug":true,"host":"127.0.0.1:8000","school_name":"Testna šola","school_address":"Testna ulica 1","school_city":"Ljubljana","school_country":"Slovenija","school_post_code":1000,"parent_view_grades":false,"parent_view_absences":true,"parent_view_homework":true}
diff --git a/httphandlers/admin.go b/httphandlers/admin.go
@@ -1,6 +1,7 @@
 package httphandlers
 
 import (
+	"fmt"
 	"github.com/MeetPlan/MeetPlanBackend/sql"
 	"github.com/gorilla/mux"
 	"net/http"
@@ -24,29 +25,64 @@ func (server *httpImpl) ChangeRole(w http.ResponseWriter, r *http.Request) {
 		WriteForbiddenJWT(w)
 		return
 	}
-	if jwt["role"] != "admin" {
-		WriteForbiddenJWT(w)
-		return
-	}
-	userId, err := strconv.Atoi(mux.Vars(r)["id"])
-	if err != nil {
-		return
-	}
-	user, err := server.db.GetUser(userId)
+
+	currentUserId, err := strconv.Atoi(fmt.Sprint(jwt["user_id"]))
 	if err != nil {
 		return
 	}
-	nrole := r.FormValue("role")
-	if nrole == "" {
-		WriteJSON(w, Response{Data: "Role is empty", Error: nrole, Success: false}, http.StatusBadRequest)
-		return
-	}
-	user.Role = nrole
-	err = server.db.UpdateUser(user)
-	if err != nil {
-		return
+
+	if jwt["role"] == "admin" || jwt["role"] == "principal" || jwt["role"] == "principal assistant" {
+		userId, err := strconv.Atoi(mux.Vars(r)["id"])
+		if err != nil {
+			return
+		}
+		user, err := server.db.GetUser(userId)
+		if err != nil {
+			return
+		}
+		if user.ID == currentUserId {
+			WriteJSON(w, Response{Data: "Cannot change role to itself", Success: false}, http.StatusConflict)
+			return
+		}
+		nrole := r.FormValue("role")
+		if nrole == "" {
+			WriteJSON(w, Response{Data: "Role is empty", Error: nrole, Success: false}, http.StatusBadRequest)
+			return
+		}
+
+		currentUser, err := server.db.GetUser(currentUserId)
+		if err != nil {
+			return
+		}
+
+		if (currentUser.Role == "principal assistant" && nrole != "admin" && nrole != "principal" && nrole != "principal assistant") ||
+			(currentUser.Role == "principal" && nrole != "admin" && nrole != "principal") ||
+			(currentUser.Role == "admin" && nrole != "admin") {
+			if currentUser.Role == "admin" && nrole == "principal" {
+				_, err := server.db.GetPrincipal()
+				if err != nil {
+					if err.Error() == "sql: no rows in result set" {
+						user.Role = nrole
+					}
+				} else {
+					WriteJSON(w, Response{Data: "There already is a principal", Success: false}, http.StatusConflict)
+					return
+				}
+			} else {
+				user.Role = nrole
+			}
+		} else {
+			WriteForbiddenJWT(w)
+			return
+		}
+		err = server.db.UpdateUser(user)
+		if err != nil {
+			return
+		}
+		WriteJSON(w, Response{Success: true}, http.StatusOK)
+	} else {
+		WriteForbiddenJWT(w)
 	}
-	WriteJSON(w, Response{Success: true}, http.StatusOK)
 }
 
 func (server *httpImpl) GetAllUsers(w http.ResponseWriter, r *http.Request) {
@@ -75,41 +111,43 @@ func (server *httpImpl) GetTeachers(w http.ResponseWriter, r *http.Request) {
 		WriteForbiddenJWT(w)
 		return
 	}
-	if jwt["role"] != "admin" {
+	if jwt["role"] == "admin" || jwt["role"] == "principal" || jwt["role"] == "principal assistant" {
+		users, err := server.db.GetTeachers()
+		if err != nil {
+			WriteJSON(w, Response{Error: err.Error(), Success: false}, http.StatusInternalServerError)
+			return
+		}
+		var usersjson = make([]UserJSON, 0)
+		for i := 0; i < len(users); i++ {
+			user := users[i]
+			m := UserJSON{ID: user.ID, Email: user.Email, Role: user.Role, Name: user.Name}
+			usersjson = append(usersjson, m)
+		}
+		WriteJSON(w, Response{Data: usersjson, Success: true}, http.StatusOK)
+	} else {
 		WriteForbiddenJWT(w)
 		return
 	}
-	users, err := server.db.GetTeachers()
-	if err != nil {
-		WriteJSON(w, Response{Error: err.Error(), Success: false}, http.StatusInternalServerError)
-		return
-	}
-	var usersjson = make([]UserJSON, 0)
-	for i := 0; i < len(users); i++ {
-		user := users[i]
-		m := UserJSON{ID: user.ID, Email: user.Email, Role: user.Role, Name: user.Name}
-		usersjson = append(usersjson, m)
-	}
-	WriteJSON(w, Response{Data: usersjson, Success: true}, http.StatusOK)
 }
 
 func (server *httpImpl) DeleteUser(w http.ResponseWriter, r *http.Request) {
 	jwt, err := sql.CheckJWT(GetAuthorizationJWT(r))
 	if err != nil {
 		return
 	}
-	if jwt["role"] != "admin" {
+	if jwt["role"] == "admin" || jwt["role"] == "principal" || jwt["role"] == "principal assistant" {
+		userId, err := strconv.Atoi(mux.Vars(r)["id"])
+		if err != nil {
+			return
+		}
+		err = server.db.DeleteUser(userId)
+		if err != nil {
+			WriteJSON(w, Response{Error: err.Error(), Success: false}, http.StatusInternalServerError)
+			return
+		}
+		WriteJSON(w, Response{Data: "OK", Success: true}, http.StatusOK)
+	} else {
 		WriteForbiddenJWT(w)
 		return
 	}
-	userId, err := strconv.Atoi(mux.Vars(r)["id"])
-	if err != nil {
-		return
-	}
-	err = server.db.DeleteUser(userId)
-	if err != nil {
-		WriteJSON(w, Response{Error: err.Error(), Success: false}, http.StatusInternalServerError)
-		return
-	}
-	WriteJSON(w, Response{Data: "OK", Success: true}, http.StatusOK)
 }