@@ -250,6 +250,12 @@ router.delete('/project/:id', async function (req, res) {
250250 return res . status ( 401 ) . send ( { message : 'Not authorized' } ) ;
251251 }
252252
253+ let users_in_project = await dbsrv . mongo_users ( ) . find ( { projects : req . params . id } ) . toArray ( ) ;
254+
255+ if ( users_in_project . length > 0 ) {
256+ return res . status ( 403 ) . send ( { message : 'Project is not empty. Cannot remove' } ) ;
257+ }
258+
253259 try {
254260 await prjsrv . remove_project ( req . params . id , user . uid ) ;
255261 } catch ( e ) {
@@ -325,16 +331,26 @@ router.post('/project/:id/request/user', async function (req, res) {
325331 if ( ! sansrv . sanitizeAll ( [ req . params . id ] ) ) {
326332 return res . status ( 403 ) . send ( { message : 'Invalid parameters' } ) ;
327333 }
328- let user = await dbsrv . mongo_users ( ) . findOne ( { _id : req . locals . logInfo . id } ) ;
329- if ( ! user ) {
334+
335+ let session_user = null ;
336+ let isadmin = false ;
337+ try {
338+ session_user = await dbsrv . mongo_users ( ) . findOne ( { _id : req . locals . logInfo . id } ) ;
339+ isadmin = await rolsrv . is_admin ( session_user ) ;
340+ } catch ( e ) {
341+ logger . error ( e ) ;
342+ return res . status ( 404 ) . send ( { message : 'User session not found' } ) ;
343+ }
344+
345+ if ( ! session_user ) {
330346 return res . status ( 404 ) . send ( { message : 'User not found' } ) ;
331347 }
332348 let project = await dbsrv . mongo_projects ( ) . findOne ( { id : req . params . id } ) ;
333349 if ( ! project ) {
334350 return res . status ( 404 ) . send ( { message : 'Project ' + req . params . id + ' not found' } ) ;
335351 }
336- if ( ( ! project . managers || ! project . managers . includes ( user . uid ) ) && user . uid !== project . owner && ! user . is_admin ) {
337- return res . status ( 401 ) . send ( { message : 'User ' + user . uid + ' is not project manager for project ' + project . id } ) ;
352+ if ( ( ! project . managers || ! project . managers . includes ( session_user . uid ) ) && session_user . uid !== project . owner && ! isadmin ) {
353+ return res . status ( 401 ) . send ( { message : 'User ' + session_user . uid + ' is not project manager for project ' + project . id } ) ;
338354 }
339355 if ( req . body . user == project . owner ) {
340356 return res . status ( 403 ) . send ( { message : 'User ' + req . body . user + ' is the owner of project ' + project . id } ) ;
@@ -349,9 +365,9 @@ router.post('/project/:id/request/user', async function (req, res) {
349365
350366 try {
351367 if ( req . body . request === 'add' ) {
352- await usrsrv . add_user_to_project ( project . id , req . body . user , user . uid ) ;
368+ await usrsrv . add_user_to_project ( project . id , req . body . user , session_user . uid ) ;
353369 } else if ( req . body . request === 'remove' ) {
354- await usrsrv . remove_user_from_project ( project . id , req . body . user , user . uid , user . is_admin , false ) ;
370+ await usrsrv . remove_user_from_project ( project . id , req . body . user , session_user . uid , isadmin , false ) ;
355371 }
356372 } catch ( e ) {
357373 logger . error ( e ) ;
@@ -369,19 +385,30 @@ router.post('/project/:id/add/manager/:uid', async function(req, res) {
369385 if ( ! req . locals . logInfo . is_logged ) {
370386 return res . status ( 401 ) . send ( { message : 'Not authorized' } ) ;
371387 }
372- if ( ! sansrv . sanitizeAll ( [ req . params . id ] ) ) {
388+ if ( ! sansrv . sanitizeAll ( [ req . params . id ] ) || ! sansrv . sanitizeAll ( [ req . params . uid ] ) ) {
373389 return res . status ( 403 ) . send ( { message : 'Invalid parameters' } ) ;
374390 }
375- let user = await dbsrv . mongo_users ( ) . findOne ( { _id : req . locals . logInfo . id } ) ;
376- if ( ! user ) {
391+
392+ let session_user = null ;
393+ let isadmin = false ;
394+ try {
395+ session_user = await dbsrv . mongo_users ( ) . findOne ( { _id : req . locals . logInfo . id } ) ;
396+ isadmin = await rolsrv . is_admin ( session_user ) ;
397+ } catch ( e ) {
398+ logger . error ( e ) ;
399+ return res . status ( 404 ) . send ( { message : 'User session not found' } ) ;
400+ }
401+
402+ if ( ! session_user ) {
377403 return res . status ( 404 ) . send ( { message : 'User not found' } ) ;
378404 }
405+
379406 let project = await dbsrv . mongo_projects ( ) . findOne ( { 'id' : req . params . id } ) ;
380407 if ( ! project ) {
381408 return res . status ( 404 ) . send ( { message : 'Project ' + req . params . id + ' not found' } ) ;
382409 }
383- if ( user . uid != project . owner && ! user . is_admin ) {
384- return res . status ( 401 ) . send ( { message : 'Non-admin user ' + user . uid + ' is not the owner of project ' + project . id } ) ;
410+ if ( session_user . uid != project . owner && ! isadmin ) {
411+ return res . status ( 401 ) . send ( { message : 'Non-admin user ' + session_user . uid + ' is not the owner of project ' + project . id } ) ;
385412 }
386413 const new_manager = await dbsrv . mongo_users ( ) . findOne ( { 'uid' : req . params . uid } ) ;
387414 if ( ! new_manager ) {
@@ -416,19 +443,30 @@ router.post('/project/:id/remove/manager/:uid', async function(req, res) {
416443 if ( ! req . locals . logInfo . is_logged ) {
417444 return res . status ( 401 ) . send ( { message : 'Not authorized' } ) ;
418445 }
419- if ( ! sansrv . sanitizeAll ( [ req . params . id ] ) ) {
446+ if ( ! sansrv . sanitizeAll ( [ req . params . id ] ) || ! sansrv . sanitizeAll ( [ req . params . uid ] ) ) {
420447 return res . status ( 403 ) . send ( { message : 'Invalid parameters' } ) ;
421448 }
422- let user = await dbsrv . mongo_users ( ) . findOne ( { _id : req . locals . logInfo . id } ) ;
423- if ( ! user ) {
449+
450+ let session_user = null ;
451+ let isadmin = false ;
452+ try {
453+ session_user = await dbsrv . mongo_users ( ) . findOne ( { _id : req . locals . logInfo . id } ) ;
454+ isadmin = await rolsrv . is_admin ( session_user ) ;
455+ } catch ( e ) {
456+ logger . error ( e ) ;
457+ return res . status ( 404 ) . send ( { message : 'User session not found' } ) ;
458+ }
459+
460+ if ( ! session_user ) {
424461 return res . status ( 404 ) . send ( { message : 'User not found' } ) ;
425462 }
463+
426464 let project = await dbsrv . mongo_projects ( ) . findOne ( { 'id' : req . params . id } ) ;
427465 if ( ! project ) {
428466 return res . status ( 404 ) . send ( { message : 'Project ' + req . params . id + ' not found' } ) ;
429467 }
430- if ( user . uid != project . owner && ! user . is_admin ) {
431- return res . status ( 401 ) . send ( { message : 'Non-admin user ' + user . uid + ' is not the owner of project ' + project . id } ) ;
468+ if ( session_user . uid != project . owner && ! isadmin ) {
469+ return res . status ( 401 ) . send ( { message : 'Non-admin user ' + session_user . uid + ' is not the owner of project ' + project . id } ) ;
432470 }
433471 const ex_manager = await dbsrv . mongo_users ( ) . findOne ( { 'uid' : req . params . uid } ) ;
434472 if ( ! ex_manager ) {
0 commit comments