Add user profile management and account deletion functionality (#8712)

* mws authentication * add more tests and permission checkers * add logic to ensure that only authenticated users' requests are handled * add custom login page * Implement user authentication as well as session handling * work on user operations authorization * add middleware to route handlers for bags & tiddlers routes * add feature that only returns the tiddlers and bags which the user has permission to access on index page * refactor auth routes & added user management page * fix Ci Test failure issue * fix users list page, add manage roles page * add commands and scripts to create new user & assign roles and permissions * resolved ci-test failure * add ACL permissions to bags & tiddlers on creation * fix comments and access control list bug * fix indentation issues * working on user profile edit * remove list users command & added support for database in server options * implement user profile update and password change feature * update plugin readme * implement command which triggers protected mode on the server * revert server-wide auth flag. Implement selective authorization * ACL management feature * Complete Access control list implementation * Added support to manage users' assigned role by admin * fix comments * fix comment * Add user profile management and account deletion functionality
2026-04-27 20:05:09 +00:00 · 2024-10-30 19:38:21 +01:00
parent 6a7612ddf8
commit c7531e53ab
13 changed files with 304 additions and 54 deletions
--- a/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/update-user-profile.js
+++ b/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/update-user-profile.js
@@ -27,10 +27,24 @@ exports.handler = function (request,response,state) {
    return;
  }

-  var userId = state.authenticatedUser.user_id;
+  var userId = state.data.userId;
  var username = state.data.username;
  var email = state.data.email;
  var roleId = state.data.role;
+  var currentUserId = state.authenticatedUser.user_id;
+  
+  var hasPermission = ($tw.utils.parseInt(userId, 10) === currentUserId) || state.authenticatedUser.isAdmin;
+
+  if(!hasPermission) {
+    response.writeHead(403, "Forbidden", { "Content-Type": "text/plain" });
+    response.end("Forbidden");
+    return;
+  }
+
+  if(!state.authenticatedUser.isAdmin) {
+		var userRole = state.server.sqlTiddlerDatabase.getUserRoles(userId);
+    roleId = userRole.role_id;
+  }

  var result = state.server.sqlTiddlerDatabase.updateUser(userId, username, email, roleId);