From 15e0731dd961aa83f7fcd23e5e913770b60b4b13 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Fri, 30 Oct 2020 12:30:58 -0400
Subject: [PATCH] fix: deprecate middleware.isAdmin Also, handle admin logout timer in middleware.admin.checkPrivileges
---
 src/middleware/admin.js | 40 ++++++++++++++++++++++++++++++----------
 src/middleware/user.js | 3 +++
 2 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/src/middleware/admin.js b/src/middleware/admin.js
index da52a4a778bc..906b216314d7 100644
--- a/src/middleware/admin.js
+++ b/src/middleware/admin.js
@@ -103,18 +103,12 @@ middleware.renderFooter = async function (req, res, data) {
 return await req.app.renderAsync('admin/footer', data);
 };
 
-middleware.checkPrivileges = async (req, res, next) => {
+middleware.checkPrivileges = helpers.try(async (req, res, next) => {
 // Kick out guests, obviously
- if (!req.uid) {
+ if (req.uid <= 0) {
 return controllers.helpers.notAllowed(req, res);
 }
 
- // Users in "administrators" group are considered super admins
- const isAdmin = await user.isAdministrator(req.uid);
- if (isAdmin) {
- return next();
- }
-
 // Otherwise, check for privilege based on page (if not in mapping, deny access)
 const path = req.path.replace(/^(\/api)?\/admin\/?/g, '');
 if (path) {
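Review bot: The new guest check `if (req.uid <= 0)` lets an undefined or non-numeric `req.uid` through, because `undefined <= 0` evaluates to false in JavaScript, whereas the removed `!req.uid` rejected it. With the administrators shortcut also removed in this hunk, the per-page privilege lookup that follows becomes the only gate, so the guard should fail closed: `if (!(parseInt(req.uid, 10) > 0)) {`. Whether `req.uid` can reach this middleware unset depends on the authentication middleware, which is not visible here. checkPrivileges continues past the end of this hunk.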
@@ -130,5 +124,31 @@ middleware.checkPrivileges = async (req, res, next) => {
 }
 }
 
- next();
-};
+ // Reject if they need to re-login (due to ACP timeout), otherwise extend logout timer
+ const loginTime = req.session.meta ? req.session.meta.datetime : 0;
+ const adminReloginDuration = meta.config.adminReloginDuration * 60000;
+ const disabled = meta.config.adminReloginDuration === 0;
+ if (disabled || (loginTime && parseInt(loginTime, 10) > Date.now() - adminReloginDuration)) {
+ const timeLeft = parseInt(loginTime, 10) - (Date.now() - adminReloginDuration);
+ if (req.session.meta && timeLeft < Math.min(300000, adminReloginDuration)) {
+ req.session.meta.datetime += Math.min(300000, adminReloginDuration);
+ console.log('dateitme updated, now', req.session.meta.datetime);
+ }
+
+ return next();
+ }
+
+ let returnTo = req.path;
+ if (nconf.get('relative_path')) {
+ returnTo = req.path.replace(new RegExp('^' + nconf.get('relative_path')), '');
+ }
+ returnTo = returnTo.replace(/^\/api/, '');
+
+ req.session.returnTo = returnTo;
+ req.session.forceLogin = 1;
+ if (res.locals.isAPI) {
+ controllers.helpers.formatApiResponse(401, res);
+ } else {
+ res.redirect(nconf.get('relative_path') + '/login?local=1');
+ }
+});
diff --git a/src/middleware/user.js b/src/middleware/user.js
index 83f856031e03..63c309016095 100644
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -200,6 +200,9 @@ module.exports = function (middleware) {
 });
 middleware.isAdmin = helpers.try(async function isAdmin(req, res, next) {
+ // TODO: Remove in v1.16.0
+ winston.warn('[middleware] middleware.isAdmin deprecated, use middleware.admin.checkPrivileges instead');
+
 const isAdmin = await user.isAdministrator(req.uid);
 if (!isAdmin) {
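Review bot: `req.session.meta.datetime += Math.min(300000, adminReloginDuration);` is only safe when the stored value is a number. The surrounding code calls `parseInt(loginTime, 10)` on the same value, and if it is ever a string the `+=` concatenates digits and yields a timestamp far in the future, so the admin re-login timeout would stop firing for that session. Compute the new value from the parsed number instead, `req.session.meta.datetime = parseInt(loginTime, 10) + Math.min(300000, adminReloginDuration);`, and drop the leftover `console.log` debug line, which prints to stdout each time the timer is extended. The function starts above this hunk.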