From 1e42d7f36562f6d079bc29828536ae292a065569 Mon Sep 17 00:00:00 2001
From: Pierre Theo Klein
Date: Sun, 1 Nov 2020 13:37:01 -0500
Subject: [PATCH] fix: give admins full permissions when they create their account
---
 middlewares/auth.middleware.js | 37 ++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/middlewares/auth.middleware.js b/middlewares/auth.middleware.js
index ca2c26e4..bb9e14fb 100644
--- a/middlewares/auth.middleware.js
+++ b/middlewares/auth.middleware.js
@@ -426,13 +426,15 @@ async function validateConfirmationToken(req, res, next) {
 }
 /**
- *
+ * Finds the confirmation token for this account. If there is no account ID associated with this
+ * confirmation token, then the user was invited. Therefore, we should set the confirmation bit to
+ * true by default (since they were invited).
 * @param {body: {decodedToken:{accountConfirmationId: String}}} req
 * @param {*} res
 * @param {*} next
 */
 async function validateConfirmationTokenWithoutAccount(req, res, next) {
- if (!!req.body.decodedToken) {
+ if (req.body.decodedToken) {
 const confirmationObj = await Services.AccountConfirmation.findById(
 req.body.decodedToken.accountConfirmationId
 );
@@ -468,17 +470,26 @@ function deleteResetToken(req, res, next) {
 * @param {(err?)=>void} next
 */
 async function addCreationRoleBindings(req, res, next) {
- // Get the default role for the account type given
- const roleName = Constants.General.POST_ROLES[req.body.account.accountType];
- await Services.RoleBinding.createRoleBindingByRoleName(
- req.body.account.id,
- roleName
- );
- // Add default account role bindings
- await Services.RoleBinding.createRoleBindingByRoleName(
- req.body.account.id,
- Constants.Role.accountRole.name
- );
+ if (req.body.account.accountType === Constants.General.STAFF) {
+ // Staff do not have to create a STAFF object, so give them the full permissions immediately.
+ await Services.RoleBinding.createRoleBindingByRoleName(
+ req.body.account.id,
+ Constants.Role.adminRole.name
+ );
+ } else {
+ // Get the default role for the account type given
+ const roleName =
+ Constants.General.POST_ROLES[req.body.account.accountType];
+ await Services.RoleBinding.createRoleBindingByRoleName(
+ req.body.account.id,
+ roleName
+ );
+ // Add default account role bindings
+ await Services.RoleBinding.createRoleBindingByRoleName(
+ req.body.account.id,
+ Constants.Role.accountRole.name
+ );
+ }
 return next();
 }
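Review bot: The new STAFF branch in addCreationRoleBindings binds `Constants.Role.adminRole.name` on the strength of `req.body.account.accountType` alone, so the grant is only as trustworthy as whatever populated that field. The hunk does not show where `req.body.account` is built; if accountType can be influenced by the sign-up request rather than taken from the verified invitation/confirmation record, a self-registered account would end up with full admin permissions. I would state the requirement at the branch, e.g. `// accountType must originate from the verified invitation record, never from client input: this branch grants adminRole`, and confirm that the middleware constructing the account enforces it. The branch also skips the `Constants.Role.accountRole.name` binding that every other account type receives, which is only safe if adminRole is a superset of it; and since every staff account now becomes a full admin, an audit log entry for each adminRole binding would make these grants reviewable.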