add user confirmation by admins
parent
ac51e5c0e8
commit
9c327957d9
@ -10,6 +10,15 @@ local models = require("models")
|
|||||||
local Users = models.Users
|
local Users = models.Users
|
||||||
local Sessions = models.Sessions
|
local Sessions = models.Sessions
|
||||||
|
|
||||||
|
local TransientUser = {
|
||||||
|
is_admin = function (self)
|
||||||
|
return false
|
||||||
|
end,
|
||||||
|
is_guest = function (self)
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
}
|
||||||
|
|
||||||
local function authenticate_user(user, password)
|
local function authenticate_user(user, password)
|
||||||
return bcrypt.verify(password, user.password_hash)
|
return bcrypt.verify(password, user.password_hash)
|
||||||
end
|
end
|
||||||
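Review bot: TransientUser mirrors only the two predicate methods of Users_mt (is_guest and is_admin), so any further method the routes or templates call on `me` has to be added here too, or an anonymous visitor will fail with "attempt to call method" instead of rendering; a header comment should state that coupling, e.g. `-- Stand-in for an anonymous visitor. Must expose the same predicate methods as Users_mt in models, because templates call me:is_admin() etc. on it.` The stub also has no `id` field, and the user route relies on `me.id == user.id` being false for it because nil never equals a number in Lua — worth saying in the same comment rather than leaving it implicit. Since `self` is unused in both stubs, `is_admin = function() return false end` is the simpler form.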
@ -30,6 +39,10 @@ local function create_session(user_id)
|
|||||||
end
|
end
|
||||||
|
|
||||||
local function validate_session(session_key)
|
local function validate_session(session_key)
|
||||||
|
if session_key == nil then
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
|
||||||
local session = db.select('* FROM "sessions" WHERE "key" = ? AND "expires_at" > "?" LIMIT 1', session_key, os.time())
|
local session = db.select('* FROM "sessions" WHERE "key" = ? AND "expires_at" > "?" LIMIT 1', session_key, os.time())
|
||||||
print(#session)
|
print(#session)
|
||||||
if #session > 0 then
|
if #session > 0 then
|
||||||
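Review bot: validate_session now returns nil from two places (a nil key here and, presumably, no live row further down) but carries no comment stating that contract, which the new user, logout and confirm_user callers all depend on; suggest `--- Returns the user owning a live session for session_key, or nil when the key is absent, unknown or expired.` above the function. The context line below binds the expiry bound as `"expires_at" > "?"` with the placeholder inside double quotes — in SQL that is a quoted identifier, not a bind marker — so it is worth confirming that db.select still substitutes os.time() there; the `print(#session)` debug line right after it also survives the commit. The function body continues past the end of the hunk.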
@ -69,15 +82,22 @@ app:get("user", "/:username", function(self)
|
|||||||
return {status = 404}
|
return {status = 404}
|
||||||
end
|
end
|
||||||
|
|
||||||
if self.session.flash.just_logged_in then
|
if self.session.flash ~= nil and self.session.flash.just_logged_in then
|
||||||
self.just_logged_in = true
|
self.just_logged_in = true
|
||||||
self.session.flash = {}
|
self.session.flash = {}
|
||||||
end
|
end
|
||||||
local me = validate_session(self.session.session_key)
|
|
||||||
if not me and user.permission == constants.PermissionLevel.GUEST then
|
local me = validate_session(self.session.session_key) or TransientUser
|
||||||
return {status = 404}
|
|
||||||
end
|
|
||||||
self.user = user
|
self.user = user
|
||||||
|
self.me = me
|
||||||
|
|
||||||
|
self.user_is_me = me.id == user.id
|
||||||
|
|
||||||
|
if user.permission == constants.PermissionLevel.GUEST then
|
||||||
|
if not (self.user_is_me or me:is_admin()) then
|
||||||
|
return {status = 404}
|
||||||
|
end
|
||||||
|
end
|
||||||
return {render = "user.user"}
|
return {render = "user.user"}
|
||||||
end)
|
end)
|
||||||
|
|
||||||
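Review bot: `self.user_is_me = me.id == user.id` is correct for anonymous visitors only because TransientUser has no `id` and nil compares unequal to a number; it is equally false, without any coercion, if validate_session ever hands back an id as a string while user.id is a number, in which case the owner of a guest account would silently get the 404 on their own page. Making both assumptions explicit, `self.user_is_me = me.id ~= nil and me.id == user.id`, with a comment on the preceding line such as `-- anonymous visitors get TransientUser so me:is_admin() and friends are always callable`, would document the new access rule. The guest gate below (404 unless owner or admin) reads correctly; the handler's opening lines are outside the hunk.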
@ -178,4 +198,35 @@ app:post("user_signup", "/signup", function(self)
|
|||||||
return {redirect_to = self:url_for("user", {username = username})}
|
return {redirect_to = self:url_for("user", {username = username})}
|
||||||
end)
|
end)
|
||||||
|
|
||||||
|
app:post("user_logout", "/logout", function (self)
|
||||||
|
local user = validate_session(self.session.session_key)
|
||||||
|
if not user then
|
||||||
|
return {redirect_to = self:url_for("user_login")}
|
||||||
|
end
|
||||||
|
|
||||||
|
local session = Sessions:find({key = self.session.session_key})
|
||||||
|
session:delete()
|
||||||
|
return {redirect_to = self:url_for("user_login")}
|
||||||
|
end)
|
||||||
|
|
||||||
|
app:post("confirm_user", "/confirm_user/:user_id", function (self)
|
||||||
|
local user = validate_session(self.session.session_key)
|
||||||
|
if not user then
|
||||||
|
return {status = 403}
|
||||||
|
end
|
||||||
|
if not user:is_admin() then
|
||||||
|
return {status = 403}
|
||||||
|
end
|
||||||
|
local target_user = Users:find(self.params.user_id)
|
||||||
|
if not target_user then
|
||||||
|
return {status = 404}
|
||||||
|
end
|
||||||
|
if target_user.permission > constants.PermissionLevel.GUEST then
|
||||||
|
return {status = 404}
|
||||||
|
end
|
||||||
|
|
||||||
|
target_user:update({permission = constants.PermissionLevel.USER, confirmed_on = os.time()})
|
||||||
|
return {redirect_to = self:url_for("user", {username = target_user.username})}
|
||||||
|
end)
|
||||||
|
|
||||||
return app
|
return app
|
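Review bot: confirm_user raises a user's permission on a cookie-authenticated POST with no CSRF token check visible, and the form that submits to it in the user template (the last hunk) carries no token field either; unless CSRF protection is enabled elsewhere in the app, an admin's browser could be induced from another origin to submit this request, so the handler should verify a per-session token before the permission checks (if this is Lapis, `lapis.csrf`'s `assert_token(self)`; inferred from the `app:post`/`url_for` style, not visible on the page). The same applies to user_logout. Separately, user_logout deletes the Sessions row but leaves the key in the cookie session, so adding `self.session.session_key = nil` before the redirect would stop the stale key being presented on every later request. The 403 for non-admins and the `permission > GUEST` 404 both look right.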
@ -14,5 +14,9 @@ return {
|
|||||||
|
|
||||||
db.query("CREATE INDEX sessions_user_id ON sessions(user_id)")
|
db.query("CREATE INDEX sessions_user_id ON sessions(user_id)")
|
||||||
db.query("CREATE INDEX session_keys ON sessions(key)")
|
db.query("CREATE INDEX session_keys ON sessions(key)")
|
||||||
|
end,
|
||||||
|
|
||||||
|
[2] = function ()
|
||||||
|
schema.add_column("users", "confirmed_on", types.integer{null = true})
|
||||||
end
|
end
|
||||||
}
|
}
|
||||||
|
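Review bot: migration [2] adds confirmed_on as a nullable column without backfilling it, so every user already at USER or ADMIN level keeps confirmed_on = NULL; the user template in the last hunk then evaluates `os.date("%c", user.confirmed_on)` for those users, and os.date treats a nil time argument as "now", so the page will report today's date as their confirmation date. Either backfill here — something like `db.query("UPDATE users SET confirmed_on = ? WHERE permission > ?", os.time(), GUEST_LEVEL)`, where GUEST_LEVEL is a placeholder since the constants module is not visibly required in this file — or guard the template line with `user.confirmed_on and os.date("%c", user.confirmed_on) or "unknown"`. The migration table's opening is outside the hunk.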
@ -8,6 +8,10 @@ function Users_mt:is_guest()
|
|||||||
return self.permission == constants.PermissionLevel.GUEST
|
return self.permission == constants.PermissionLevel.GUEST
|
||||||
end
|
end
|
||||||
|
|
||||||
|
function Users_mt:is_admin()
|
||||||
|
return self.permission == constants.PermissionLevel.ADMIN
|
||||||
|
end
|
||||||
|
|
||||||
local ret = {
|
local ret = {
|
||||||
Users = Users,
|
Users = Users,
|
||||||
Topics = Model:extend("topics"),
|
Topics = Model:extend("topics"),
|
||||||
|
@ -2,6 +2,19 @@
|
|||||||
<h1>Logged in successfully.</h1>
|
<h1>Logged in successfully.</h1>
|
||||||
<% end %>
|
<% end %>
|
||||||
<h1><%= user.username %></h1>
|
<h1><%= user.username %></h1>
|
||||||
<% if user:is_guest() then %>
|
<% if user:is_guest() and user_is_me then %>
|
||||||
<h2>You are a guest. An administrator needs to approve your account before you will be able to post.</h2>
|
<h2>You are a guest. An administrator needs to approve your account before you will be able to post.</h2>
|
||||||
<% end %>
|
<% end %>
|
||||||
|
<% if user_is_me then %>
|
||||||
|
<form method="post" action="<%= url_for("user_logout", {user_id = me.id}) %>">
|
||||||
|
<input type="submit" value="Log out">
|
||||||
|
</form>
|
||||||
|
<% end %>
|
||||||
|
<% if me:is_admin() and user:is_guest() then %>
|
||||||
|
<p>This user is a guest. They signed up on <%= os.date("%c", user.created_at) %>.</p>
|
||||||
|
<form method="post" action="<%= url_for("confirm_user", {user_id = user.id}) %>">
|
||||||
|
<input type="submit" value="Confirm user">
|
||||||
|
</form>
|
||||||
|
<% elseif me:is_admin() then %>
|
||||||
|
<p>This user signed up on <%= os.date("%c", user.created_at) %> and was confirmed on <%= os.date("%c", user.confirmed_on) %>.</p>
|
||||||
|
<% end %>
|
||||||
|
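Review bot: the logout form builds its action with `url_for("user_logout", {user_id = me.id})`, but the user_logout route added in this commit is a bare `/logout` with no `:user_id` segment, so the extra parameter is at best appended as a query string and otherwise just leaks the id into the URL for no purpose; `url_for("user_logout")` is enough, since the handler identifies the caller from the session. The two admin branches both test `me:is_admin()` and would read more clearly as one outer `<% if me:is_admin() then %>` with the guest/confirmed split nested inside. The template's opening lines are outside the hunk.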