Files
MixedAssets/server/routes/admin.js
2026-06-05 04:15:24 -05:00

185 lines
7.0 KiB
JavaScript

const express = require('express');
const bcrypt = require('bcryptjs');
const { all, audit, now, one, run } = require('../db');
const { requireCapability } = require('../middleware/auth');
const { CAPABILITIES } = require('../services/accessControl');
const { createRole, deleteRole, listRoles, roleExists, updateRole } = require('../services/roles');
const router = express.Router();
const userSelect = `
SELECT u.id, u.team_id, t.name AS team_name, u.name, u.email, u.role, u.status, u.created_at, u.updated_at
FROM users u
LEFT JOIN teams t ON t.id = u.team_id
`;
function publicAdminUser(id) {
return one(`${userSelect} WHERE u.id = ?`, [id]);
}
function validateRole(role) {
if (!roleExists(role)) throw Object.assign(new Error('Invalid role'), { status: 400 });
}
router.get('/settings', requireCapability('admin.settings'), (req, res) => {
const rows = all('SELECT * FROM app_settings ORDER BY key');
const settings = Object.fromEntries(rows.map((row) => [row.key, row.value]));
delete settings.smtp_password; // managed (masked) via the notifications settings endpoint
res.json({ settings });
});
router.put('/settings', requireCapability('admin.settings'), (req, res) => {
for (const [key, value] of Object.entries(req.body.settings || req.body)) {
run('INSERT INTO app_settings (key, value, updated_at) VALUES (?, ?, ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value, updated_at = excluded.updated_at', [
key,
String(value),
now()
]);
}
audit(req.user.id, 'update', 'settings', 'app', null, req.body);
res.json({ settings: Object.fromEntries(all('SELECT * FROM app_settings ORDER BY key').map((row) => [row.key, row.value])) });
});
router.get('/users', requireCapability('admin.users'), (req, res) => {
res.json({ users: all(`${userSelect} ORDER BY u.name`) });
});
router.post('/users', requireCapability('admin.users'), (req, res) => {
validateRole(req.body.role || 'viewer');
if (req.body.status && !['active', 'inactive'].includes(req.body.status)) return res.status(400).json({ error: 'Invalid status' });
const created = now();
const result = run(
'INSERT INTO users (team_id, name, email, password_hash, role, status, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
[
req.body.team_id || one('SELECT id FROM teams ORDER BY id LIMIT 1')?.id,
req.body.name,
req.body.email,
bcrypt.hashSync(req.body.password || 'ChangeMe123!', 12),
req.body.role || 'viewer',
req.body.status || 'active',
created,
created
]
);
audit(req.user.id, 'create', 'user', result.lastInsertRowid, null, { ...req.body, password: '[redacted]' });
res.status(201).json({ user: publicAdminUser(result.lastInsertRowid) });
});
router.put('/users/:id', requireCapability('admin.users'), (req, res) => {
const before = publicAdminUser(req.params.id);
if (!before) return res.status(404).json({ error: 'User not found' });
const nextRole = req.body.role || before.role;
validateRole(nextRole);
const nextStatus = req.body.status || before.status;
if (!['active', 'inactive'].includes(nextStatus)) return res.status(400).json({ error: 'Invalid status' });
const activeAdmins = one("SELECT COUNT(*) AS count FROM users WHERE role = 'admin' AND status = 'active'").count;
if (before.role === 'admin' && before.status === 'active' && activeAdmins <= 1 && (nextRole !== 'admin' || nextStatus !== 'active')) {
return res.status(400).json({ error: 'At least one active admin is required' });
}
const updated = now();
run(
`UPDATE users SET
team_id = ?,
name = ?,
email = ?,
role = ?,
status = ?,
updated_at = ?
WHERE id = ?`,
[
req.body.team_id ?? before.team_id,
req.body.name || before.name,
req.body.email || before.email,
nextRole,
nextStatus,
updated,
req.params.id
]
);
if (req.body.password) {
run('UPDATE users SET password_hash = ?, updated_at = ? WHERE id = ?', [
bcrypt.hashSync(req.body.password, 12),
updated,
req.params.id
]);
}
const user = publicAdminUser(req.params.id);
audit(req.user.id, 'update', 'user', req.params.id, before, { ...user, password: req.body.password ? '[changed]' : undefined });
return res.json({ user });
});
router.get('/teams', requireCapability('admin.users'), (req, res) => {
res.json({ teams: all('SELECT * FROM teams ORDER BY name') });
});
router.post('/teams', requireCapability('admin.users'), (req, res) => {
const result = run('INSERT INTO teams (name, description, created_at) VALUES (?, ?, ?)', [
req.body.name,
req.body.description || null,
now()
]);
audit(req.user.id, 'create', 'team', result.lastInsertRowid, null, req.body);
res.status(201).json({ team: one('SELECT * FROM teams WHERE id = ?', [result.lastInsertRowid]) });
});
router.put('/teams/:id', requireCapability('admin.users'), (req, res) => {
const before = one('SELECT * FROM teams WHERE id = ?', [req.params.id]);
if (!before) return res.status(404).json({ error: 'Team not found' });
run('UPDATE teams SET name = ?, description = ? WHERE id = ?', [
req.body.name || before.name,
req.body.description ?? before.description,
req.params.id
]);
audit(req.user.id, 'update', 'team', req.params.id, before, req.body);
return res.json({ team: one('SELECT * FROM teams WHERE id = ?', [req.params.id]) });
});
router.delete('/teams/:id', requireCapability('admin.users'), (req, res) => {
const before = one('SELECT * FROM teams WHERE id = ?', [req.params.id]);
if (!before) return res.status(404).json({ error: 'Team not found' });
const memberCount = one('SELECT COUNT(*) AS count FROM users WHERE team_id = ?', [req.params.id]).count;
if (memberCount) {
return res.status(400).json({ error: `Reassign the ${memberCount} user(s) on this team before deleting it` });
}
run('DELETE FROM teams WHERE id = ?', [req.params.id]);
audit(req.user.id, 'delete', 'team', req.params.id, before, null);
return res.status(204).end();
});
router.get('/access-control', requireCapability('admin.users'), (req, res) => {
res.json({ roles: listRoles(), capabilities: CAPABILITIES });
});
// ---- Roles (capability sets, custom roles allowed) --------------------------
router.get('/roles', requireCapability('admin.roles'), (req, res) => {
res.json({ roles: listRoles(), capabilities: CAPABILITIES });
});
router.post('/roles', requireCapability('admin.roles'), (req, res, next) => {
try {
res.status(201).json({ role: createRole(req.body, req.user.id) });
} catch (error) {
next(error);
}
});
router.put('/roles/:key', requireCapability('admin.roles'), (req, res) => {
const role = updateRole(req.params.key, req.body, req.user.id);
if (!role) return res.status(404).json({ error: 'Role not found' });
return res.json({ role });
});
router.delete('/roles/:key', requireCapability('admin.roles'), (req, res) => {
const result = deleteRole(req.params.key, req.user.id);
if (!result.ok) return res.status(result.status).json({ error: result.error });
return res.status(204).end();
});
module.exports = router;