const express = require("express");
const { User } = require("../models");
const {
authenticate,
authorizeAdmin,
authorizeManager,
} = require("../middleware/auth");
// Express router holding the user-management endpoints defined in this file.
const router = express.Router();
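// Get all users (admin and manager).
//
// Responds with the id, username and role of every user. The attribute
// allowlist is deliberate: it keeps the password column (and any other
// model field) out of the response, so do not widen it. Which roles may
// reach this handler is decided by `authorizeManager` in ../middleware/auth.
router.get("/", authenticate, authorizeManager, async (req, res) => {
  try {
    const users = await User.findAll({
      attributes: ["id", "username", "role"],
    });
    return res.json(users);
  } catch (error) {
    // Keep the client-facing message generic (no stack or DB details), but
    // record the cause server-side so the failure is not silently dropped.
    console.error("list users failed:", error);
    return res.status(500).json({ message: "Server error" });
  }
});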
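// Roles a user row may hold. Every create request is checked against this
// list so that no caller — admins included — can write an arbitrary role
// string into the database.
const VALID_ROLES = ["user", "manager", "admin"];

// Create user (admin and manager).
//
// Body: { username, password, role? }; `role` defaults to "user".
// Policy enforced here, on top of `authorizeManager`:
//   - managers may only create "user" or "manager" accounts; only an admin
//     may create another admin;
//   - the role must be in VALID_ROLES for every caller, so an admin cannot
//     create an account with an unknown role string;
//   - username and password must be non-empty strings (this also stops
//     object-valued fields from reaching the ORM).
// The password is handed to User.create unchanged: the route does no hashing
// itself. NOTE(review): this assumes the User model hashes it in a hook —
// verify in ../models before relying on it.
// Responses: 201 with { id, username, role }; 400 on bad input or duplicate
// username; 403 on a role the caller may not assign; 500 otherwise.
router.post("/", authenticate, authorizeManager, async (req, res) => {
  try {
    const { username, password, role } = req.body;

    if (
      typeof username !== "string" ||
      username.trim() === "" ||
      typeof password !== "string" ||
      password === ""
    ) {
      return res
        .status(400)
        .json({ message: "Username and password are required" });
    }

    // A missing/empty role falls back to the least-privileged one.
    const userRole = role || "user";

    // Managers cannot create admins
    if (userRole === "admin" && req.user.role !== "admin") {
      return res
        .status(403)
        .json({ message: "Managers cannot create admin users" });
    }

    // Managers can only create users or managers
    if (
      req.user.role === "manager" &&
      !["user", "manager"].includes(userRole)
    ) {
      return res
        .status(403)
        .json({ message: "Managers can only create users or managers" });
    }

    // The two checks above only constrain managers; this one applies to
    // admins (and any other role `authorizeManager` admits) as well.
    if (!VALID_ROLES.includes(userRole)) {
      return res.status(400).json({ message: "Invalid role" });
    }

    const user = await User.create({ username, password, role: userRole });

    // Echo only the public fields; never return the stored password/hash.
    return res
      .status(201)
      .json({ id: user.id, username: user.username, role: user.role });
  } catch (error) {
    if (error.name === "SequelizeUniqueConstraintError") {
      return res.status(400).json({ message: "Username already exists" });
    }
    console.error("create user failed:", error);
    return res.status(500).json({ message: "Server error" });
  }
});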
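// Update user password (admin and manager).
//
// Sets the password of the user identified by :id. Mirrors the create
// policy: a manager may not touch an admin account, because resetting an
// admin's password is equivalent to taking that account over. Only an admin
// may reset another admin's password.
// The new password must be a non-empty string; it is assigned to the model
// and saved as-is. NOTE(review): this assumes the User model hashes it on
// save — verify the hook in ../models.
// Responses: 200 { message }; 400 on a missing password; 403 when a manager
// targets an admin; 404 if no such user; 500 otherwise.
router.put(
  "/:id/password",
  authenticate,
  authorizeManager,
  async (req, res) => {
    try {
      const { password } = req.body;
      if (typeof password !== "string" || password === "") {
        return res.status(400).json({ message: "Password is required" });
      }

      const user = await User.findByPk(req.params.id);
      if (!user) {
        return res.status(404).json({ message: "User not found" });
      }

      // Managers cannot modify admins (same rule as user creation).
      if (user.role === "admin" && req.user.role !== "admin") {
        return res
          .status(403)
          .json({ message: "Managers cannot modify admin users" });
      }

      user.password = password;
      await user.save();
      return res.json({ message: "Password updated" });
    } catch (error) {
      console.error("update password failed:", error);
      return res.status(500).json({ message: "Server error" });
    }
  }
);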
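// Delete user (admin and manager).
//
// Same policy as create and password reset: a manager may not delete an
// admin account; only an admin may remove another admin. There is no
// self-deletion or last-admin guard here — NOTE(review): decide whether an
// admin removing their own (or the only) admin account should be allowed.
// Responses: 200 { message }; 403 when a manager targets an admin; 404 if
// no such user; 500 otherwise.
router.delete("/:id", authenticate, authorizeManager, async (req, res) => {
  try {
    const user = await User.findByPk(req.params.id);
    if (!user) {
      return res.status(404).json({ message: "User not found" });
    }

    // Managers cannot delete admins (same rule as user creation).
    if (user.role === "admin" && req.user.role !== "admin") {
      return res
        .status(403)
        .json({ message: "Managers cannot delete admin users" });
    }

    await user.destroy();
    return res.json({ message: "User deleted" });
  } catch (error) {
    console.error("delete user failed:", error);
    return res.status(500).json({ message: "Server error" });
  }
});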
// Export the configured router for the application to mount.
module.exports = router;
|