This repository has been archived by the owner on Aug 30, 2021. It is now read-only.

How to implement a user with "admin" role, which is able to edit other users? #515

Closed
ketysek opened this issue Apr 13, 2015 · 18 comments

@ketysek

ketysek commented Apr 13, 2015

Hi, I've got this in my user.server.routes.js

app.route('/users/:userId')
    .get(users.read)
    .put(users.hasAuthorization(['admin']), users.update)
    .delete(users.hasAuthorization(['admin']), users.delete);
app.param('userId', users.userByID);

The problem is with app.param, because the userByID method returns the logged-in user, so when I click delete it deletes my account... If I change app.param to find the user in the DB by userId, I get authorization problems (403 Forbidden) :( Could someone help me solve this problem?
Thank you very much!

If I neglect safety ...

app.param('userId', users.userByID);
app.route('/users/:idUser')
    .get(users.read)
    .put(users.updateById)
    .delete(users.delete);
app.param('idUser', users.userById);

Now I am able to delete users, but if I edit some user, it changes the logged-in user to the edited one :(

@ilanbiala
Member

You need a middleware that uses req.profile and not req.user. This is the line that causes issues for you in this case.
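The distinction ilanbiala points at, written out as an added example (not MEAN.js project code): the `userId` param loader puts the target user in `req.profile`, the authorization middleware checks the roles of the caller in `req.user`, and the handler acts on `req.profile`. The in-memory `users` map, the two accounts, the `run` harness standing in for Express, and the name `deleteUser` (used instead of the reserved word `delete`) are all constructed for the demo.

```javascript
// Added example (not MEAN.js project code): Express-style middleware that
// loads the *target* user into req.profile and authorizes against the
// *acting* user in req.user, so an admin can edit or delete someone else.
// The users store, accounts and role names below are constructed for the demo.
const users = new Map([
  ['u1', { id: 'u1', username: 'alice', roles: ['admin'] }],
  ['u2', { id: 'u2', username: 'bob', roles: ['user'] }],
]);

// app.param('userId', userByID): look the target up by id, not via req.user.
function userByID(req, res, next, id) {
  const target = users.get(id);
  if (!target) return res.status(404).send({ message: 'User not found' });
  req.profile = target;            // target user, distinct from req.user
  next();
}

// users.hasAuthorization(['admin']): checks the logged-in caller's roles.
function hasAuthorization(roles) {
  return function (req, res, next) {
    const userRoles = (req.user && req.user.roles) || [];
    if (!roles.some(r => userRoles.includes(r))) {
      return res.status(403).send({ message: 'User is not authorized' });
    }
    next();
  };
}

// users.delete: act on req.profile (the target), never on req.user.
function deleteUser(req, res) {
  users.delete(req.profile.id);
  res.status(200).send({ deleted: req.profile.id });
}

// Tiny harness standing in for Express: runs the param loader, then the chain.
function run(actor, targetId, ...handlers) {
  const req = { user: actor };
  const out = { status: 200, body: null };
  const res = {
    status(c) { out.status = c; return res; },
    send(b) { out.body = b; return res; },
  };
  const chain = [(rq, rs, nx) => userByID(rq, rs, nx, targetId), ...handlers];
  let i = 0;
  const next = () => { const h = chain[i++]; if (h) h(req, res, next); };
  next();
  return out;
}
```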

@ketysek
Author

ketysek commented Apr 14, 2015

Yeah, I got it a few minutes ago too :D Thanks! :)

@marianoqueirel

Hi, one query:
How do you add more than one user role?

Thanks!

@debrouxl

Having > 1 role for a user can be achieved through direct MongoDB database manipulation, e.g. in the mongo shell.

@marianoqueirel

The solution is this: in users.server.controller.js,
comment out the line "delete req.body.roles;", and in Angular create an array with the roles you need when you pass it to the server.

exports.signup = function(req, res) {
    // For security measurement we remove the roles from the req.body object
    /*delete req.body.roles;*/

    // Init Variables
    var user = new User(req.body);
    var message = null;

    // Add missing user fields
    user.provider = 'local';
    user.displayName = user.firstName + ' ' + user.lastName;

    // Then save the user 
    user.save(function(err) {
        if (err) {
            return res.status(400).send({
                message: errorHandler.getErrorMessage(err)
            });
        } else {
            // Remove sensitive data before login
            user.password = undefined;
            user.salt = undefined;

            req.login(user, function(err) {
                if (err) {
                    res.status(400).send(err);
                } else {
                    res.json(user);
                }
            });
        }
    });
};

@simison
Member

simison commented Jun 10, 2015

@marianoqueirel remember that then you'll also need a middleware to validate roles. Otherwise you might as well just leave all admin pages open...

@marianoqueirel

Of course, in the route you can do this:

app.route('/home/onlyAdmin')
  .get(users.requiresLogin, customers.read)
  .put(users.requiresLogin, customers.update)
  .delete(users.requiresLogin, users.hasAuthorization(['admin']), customers.delete);

Or if you want, you could do this from Angular.

@trainerbill
Contributor

We are adding an admin module in the very near future for the specific purpose of adding additional roles to users:

#676

Can prolly close this issue

@lirantal
Member

yep, thanks @trainerbill

@lirantal lirantal added this to the 0.4.0 milestone Jul 25, 2015
@bruna94

bruna94 commented Sep 24, 2015

Hello! Can someone please help me with a step by step tutorial about setting up an admin user on my meanjs app? Thank you!

@trainerbill
Contributor

@bruna94 You can use the seed feature

MONGO_SEED=true grunt

The users and passwords will appear in the console

@bruna94

bruna94 commented Sep 24, 2015

I'm sorry, I executed this in GitBash but the console of the page does not show anything... Am I doing something wrong?

@trainerbill
Contributor

What version of MEAN are you running? The seed feature was added within the last 2 months.


@trainerbill
Contributor

@bruna94 Take this to the gitter chat so we don't revive this issue.

@ghost

ghost commented Jul 25, 2016

@marianoqueirel
Commenting out this line really helped me sign up a user with some roles.
//delete req.body.roles;

@ckapop

ckapop commented Aug 17, 2016

The issue I think I am running into is that when editing other users' profiles the password gets changed, due to the 'pre' hook on user save, whenever you try to save the changed profile:

UserSchema.pre('save', function(next) {
    if (this.password && this.password.length > 6) {
        this.salt = new Buffer(crypto.randomBytes(16).toString('base64'), 'base64');
        this.password = this.hashPassword(this.password);
    }

    next();
});

@mleanos
Member

mleanos commented Aug 17, 2016

@ckapop What version of MEANJS are you seeing this behavior? Can you provide step-by-step instructions on how to reproduce?

The password field should never be present in either the request, or response. If the password is updated, in a request other than the create profile, then this would indeed be a bug. However, I think we took care of any issues with this already.
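Two points in this thread come down to which request fields the server is willing to persist: marianoqueirel's workaround of commenting out `delete req.body.roles` lets the client choose its own roles at signup, and mleanos notes that the password must never ride along in a profile request. The added example below (not MEAN.js project code) replaces `new User(req.body)` with an explicit allow-list for both cases. The field lists, the `KNOWN_ROLES` policy and the helper names are constructed for the demo.

```javascript
// Added example (not MEAN.js project code): build the persisted fields from
// a request body with an explicit allow-list instead of `new User(req.body)`.
// Roles come from server policy, and password/salt are never accepted on a
// profile edit. Field names follow the thread; the policy is constructed.
const SIGNUP_FIELDS = ['firstName', 'lastName', 'email', 'username', 'password'];
const PROFILE_FIELDS = ['firstName', 'lastName', 'email', 'username'];
const KNOWN_ROLES = ['user', 'admin'];

// Copy only the allowed keys; anything else in the body is silently dropped.
function pick(body, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Signup: same effect as keeping `delete req.body.roles` in place, every new
// account starts as a plain user regardless of what the client sends.
function buildSignupUser(body) {
  const user = pick(body, SIGNUP_FIELDS);
  user.provider = 'local';
  user.roles = ['user'];
  user.displayName = user.firstName + ' ' + user.lastName;
  return user;
}

// Profile update: the actor (req.user) edits the target (req.profile).
// Only an admin may change roles, and only to roles the app knows about;
// password and salt are never taken from this request, so the pre-save
// hook has nothing new to hash and the stored credential stays intact.
function applyProfileUpdate(actor, profile, body) {
  const patch = pick(body, PROFILE_FIELDS);
  const isAdmin = (actor.roles || []).includes('admin');
  if (isAdmin && Array.isArray(body.roles)) {
    patch.roles = body.roles.filter(r => KNOWN_ROLES.includes(r));
  }
  return Object.assign({}, profile, patch);
}
```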

@ckapop

ckapop commented Aug 17, 2016

@mleanos How can I check to be sure? It is probably not as current as it should be.

I have this method that was generated when the mean app was created using 'yo', which looks like the new password is in the request, correct?

/**
 * Change Password
 */
exports.changePassword = function(req, res) {
    // Init Variables
    var passwordDetails = req.body;

    if (req.user) {
        if (passwordDetails.newPassword) {
            User.findById(req.user.id, function(err, user) {
            ...
