Added restriction for viewing participants only for those, who has 'g…

…odmode'. Closes #7
GDG-Ukraine · Sep 26, 2013 · 948b597 · 948b597
1 parent f71b2b4
commit 948b597
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 5 deletions.
diff --git a/public/admin/index.html b/public/admin/index.html
@@ -23,7 +23,7 @@
         <a class="brand" href="#">GDG Data</a>
         <ul class="nav">
             <li ng-class="{active: current == 'events'}"><a href="#/events"><i class="icon-trophy"></i> Events</a></li>
-            <li ng-class="{active: current == 'participants'}"><a href="#/participants"><i class="icon-group"></i> Participants</a></li>
+            <li ng-class="{active: current == 'participants'}" ng-show="info.user.godmode"><a href="#/participants"><i class="icon-group"></i> Participants</a></li>
             <li id="spinner" ng-class='{visible:requests>0}'>
                 <span id="l1">L</span><span id="l2">o</span><span id="l3">a</span><span id="l4">d</span><span id="l5">i</span><span id="l6">n</span><span id="l7">g</span><span id="l8">.</span><span id="l9">.</span><span id="l10">.</span>
             </li>

diff --git a/server/api/participants.js b/server/api/participants.js
@@ -6,15 +6,15 @@ module.exports = function(app) {
 
 // list
 app.get('/api/participants', function (req, res) {
-   if (!auth.check(req,res)) return;
+   if (!auth.check(req,res,'god')) return;
    models.participants.findAll().success(function(participants) {
      res.send(participants);
   })
 });
 
 // get
 app.get('/api/participants/:id', function (req, res) {
-    if (!auth.check(req,res)) return;
+    if (!auth.check(req,res,'god')) return;
     if (!req.params.id) return res.send("Invalid request");
     models.participants.find(req.params.id).success(function (p) {
         p.getEvents().success(function(events) {
@@ -51,7 +51,7 @@ app.post('/api/participants', function (req, res){
 
 // update
 app.put('/api/participants/:id', function (req, res){
-  if (!auth.check(req,res)) return;
+  if (!auth.check(req,res,'god')) return;
   models.participants.find(req.params.id).success(function (p) { 
 	p.updateAttributes(req.body)
 	  .success(function(p) { res.send(p);}).error(app.onError(res));

diff --git a/server/auth.js b/server/auth.js
@@ -54,6 +54,7 @@ exports.restrictAdmin = function(req, res, next) {
                  else {
                     req.user.admin = true;
                     req.user.filter_place = user[0].filter_place;
+                    req.user.godmode = user[0].godmode;
                     next();
                 }
             });
@@ -99,7 +100,8 @@ everyauth.everymodule.handleLogout( function (req, res) {
 exports.check = function(req,res, checkMode) {
     if (authMode == "none") return true;
     var allowed = req.user && req.user.admin;
-    console.log(req.user.filter_place, req.params.id);
+    if (allowed) console.log(req.user.filter_place, req.params.id);
+    if (allowed && checkMode=='god') allowed = req.user.godmode;
     if (allowed && checkMode=='event') allowed = req.user.filter_place == req.params.id;
     if (!allowed) res.send(403,"Not authorized");
     return allowed;