Add password updating

pkg/gcsql/staff.go

@@ -83,6 +83,13 @@ func (s *Staff) RankTitle() string {
 	return ""
 }
 
+func UpdatePassword(username string, newPassword string) error {
+	const sqlUPDATE = `UPDATE DBPREFIXstaff SET password_checksum = ? WHERE username = ?`
+	checksum := gcutil.BcryptSum(newPassword)
+	_, err := ExecSQL(sqlUPDATE, checksum, username)
+	return err
+}
+
 // EndStaffSession deletes any session rows associated with the requests session cookie and then
 // makes the cookie expire, essentially deleting it
 func EndStaffSession(writer http.ResponseWriter, request *http.Request) error {

pkg/manage/actionsAdminPerm.go

@@ -20,7 +20,8 @@ import (
 )
 
 var (
-	ErrPasswordConfirm = errors.New("passwords do not match")
+	ErrPasswordConfirm        = errors.New("passwords do not match")
+	ErrInsufficientPermission = errors.New("insufficient account permission")
 )
 
 // manage actions that require admin-level permission go here
@@ -63,7 +64,7 @@ func registerAdminPages() {
 		Action{
 			ID:          "staff",
 			Title:       "Staff",
-			Permissions: AdminPerms,
+			Permissions: JanitorPerms,
 			JSONoutput:  OptionalJSON,
 			Callback: func(writer http.ResponseWriter, request *http.Request, staff *gcsql.Staff, wantsJSON bool, infoEv *zerolog.Event, errEv *zerolog.Event) (output interface{}, err error) {
 				var outputStr string
@@ -81,21 +82,31 @@ func registerAdminPages() {
 					return "", err
 				}
 
+				updateUsername := request.FormValue("update")
 				username := request.FormValue("username")
 				password := request.FormValue("password")
 				passwordConfirm := request.FormValue("passwordconfirm")
-				if password != passwordConfirm {
+				if (do == "add" || do == "update") && password != passwordConfirm {
 					return "", ErrPasswordConfirm
 				}
+				fmt.Println(do, updateUsername)
 				rankStr := request.FormValue("rank")
-				rank, err := strconv.Atoi(rankStr)
-				if err != nil {
-					errEv.Err(err).Caller().
-						Str("rank", rankStr).Send()
-					return "", err
+				var rank int
+				if rankStr != "" {
+					if rank, err = strconv.Atoi(rankStr); err != nil {
+						errEv.Err(err).Caller().
+							Str("rank", rankStr).Send()
+						return "", err
+					}
 				}
+
 				if do == "add" {
-					fmt.Println("do = 'add'")
+					if staff.Rank < 3 {
+						writer.WriteHeader(http.StatusUnauthorized)
+						errEv.Err(ErrInsufficientPermission).Caller().
+							Int("rank", staff.Rank).Send()
+						return "", ErrInsufficientPermission
+					}
 					if _, err = gcsql.NewStaff(username, password, rank); err != nil {
 						errEv.Caller().
 							Str("newStaff", username).
@@ -106,6 +117,12 @@ func registerAdminPages() {
 							username, staff.Username, err.Error())
 					}
 				} else if do == "del" && username != "" {
+					if staff.Rank < 3 {
+						writer.WriteHeader(http.StatusUnauthorized)
+						errEv.Err(ErrInsufficientPermission).Caller().
+							Int("rank", staff.Rank).Send()
+						return "", ErrInsufficientPermission
+					}
 					if err = gcsql.DeactivateStaff(username); err != nil {
 						errEv.Err(err).Caller().
 							Str("delStaff", username).
@@ -113,18 +130,35 @@ func registerAdminPages() {
 						return "", fmt.Errorf("Error deleting staff account %q by %q: %s",
 							username, staff.Username, err.Error())
 					}
+				} else if do == "update" && updateUsername != "" {
+					if staff.Username != updateUsername && staff.Rank < 3 {
+						writer.WriteHeader(http.StatusUnauthorized)
+						errEv.Err(ErrInsufficientPermission).Caller().
+							Int("rank", staff.Rank).Send()
+						return "", ErrInsufficientPermission
+					}
+					if err = gcsql.UpdatePassword(updateUsername, password); err != nil {
+						errEv.Err(err).Caller().
+							Str("updateStaff", username).
+							Msg("Error updating password")
+						return "", err
+					}
 				}
-				allStaff, err = getAllStaffNopass(true)
-				if err != nil {
-					errEv.Err(err).Caller().Msg("Error getting updated staff list")
-					err = errors.New("Error getting updated staff list: " + err.Error())
-					return "", err
+				if do == "add" || do == "del" {
+					allStaff, err = getAllStaffNopass(true)
+					if err != nil {
+						errEv.Err(err).Caller().Msg("Error getting updated staff list")
+						err = errors.New("Error getting updated staff list: " + err.Error())
+						return "", err
+					}
 				}
 
 				staffBuffer := bytes.NewBufferString("")
 				if err = serverutil.MinifyTemplate(gctemplates.ManageStaff, map[string]interface{}{
-					"allstaff":        allStaff,
-					"currentUsername": staff.Username,
+					"do":             do,
+					"updateUsername": updateUsername,
+					"allstaff":       allStaff,
+					"currentStaff":   staff,
 				}, staffBuffer, "text/html"); err != nil {
 					errEv.Err(err).Str("template", "manage_staff.html").Send()
 					return "", errors.New("Error executing staff management page template: " + err.Error())

templates/manage_staff.html

@@ -1,3 +1,5 @@
+{{$isAdmin := (eq .currentStaff.Rank 3) -}}
+{{$showNewStaffForm := (and (eq .updateUsername "") $isAdmin) -}}
 <style>
 	table#stafftable, table#stafftable th, table#stafftable td {
 		border: 1px solid;
@@ -11,28 +13,45 @@
 	<td>{{$staff.RankTitle}}</td>
 	<td>{{formatTimestamp $staff.AddedOn}}</td>
 	<td>
-		<a href="{{webPath "/manage/staff"}}" title="Update your password">Update</a> | 
-		<a {{if eq $staff.Username $.currentUsername -}}
-			href="{{webPath "/manage/staff"}}" title="Cannot self terminate" style="color: black;"
-		{{- else -}}
-			href="{{webPath "/manage/staff"}}?do=del&username={{$staff.Username}}" title="Delete {{$staff.Username}}" onclick="return confirm('Are you sure you want to delete the staff account for \'{{$staff.Username}}\'?')" style="color:red;"
-		{{end}}>Delete</a>
+		{{if or $isAdmin (eq $staff.Username $.currentStaff.Username) -}}
+			<a href="{{webPath "/manage/staff"}}?update={{$staff.Username}}" title="Update your password">Update</a>
+		{{end -}}
+		{{if eq $.currentStaff.Rank 3}}
+			<a {{if eq $staff.Username $.currentStaff.Username -}}
+				href="{{webPath "/manage/staff"}}" title="Cannot self terminate" style="color: black;"
+			{{- else -}}
+				href="{{webPath "/manage/staff"}}?do=del&username={{$staff.Username}}" title="Delete {{$staff.Username}}" onclick="return confirm('Are you sure you want to delete the staff account for \'{{$staff.Username}}\'?')" style="color:red;"
+			{{end}}>Delete</a>
+		{{- end}}
 	</td>
 </tr>
 {{end}}
 </table><hr />
+{{if $showNewStaffForm -}}
 <h2>Add new staff</h2>
-<form action="{{webPath "/manage/staff"}}" onsubmit="return makeNewStaff();" method="POST">
-<input type="hidden" name="do" value="add" />
+{{- else -}}
+<h2>Update password</h2>
+{{- end}}
+<form action="{{webPath "/manage/staff"}}" {{if $showNewStaffForm}}onsubmit="return makeNewStaff();"{{end}} method="POST">
 <table>
-	<tr><td>Username:</td><td><input id="username" name="username" type="text"/></td></tr>
+	<tr><td>Username:</td><td><input id="username" name="username" type="text" value="{{if $isAdmin}}{{.updateUsername}}{{else}}{{.currentStaff.Username}}{{end}}" {{if not $showNewStaffForm}}disabled{{end}}/></td></tr>
 	<tr><td>Password:</td><td><input id="password" name="password" type="password"/></td></tr>
 	<tr><td>Confirm password:</td><td><input id="passwordconfirm" name="passwordconfirm" type="password"/></td></tr>
+	{{if $showNewStaffForm -}}
 	<tr><td>Rank:</td><td><select id="rank" name="rank">
 		<option value="3">Admin</option>
 		<option value="2">Moderator</option>
 		<option value="1">Janitor</option>
 	</select></td></tr>
-	<tr><td><input id="submitnewstaff" type="submit" value="Add" /></td></tr>
+	<tr><td>
+		<input type="hidden" name="do" value="add" />
+		<input id="submitnewstaff" type="submit" value="Add" /></td></tr>
+		{{- else -}}
+	<tr><td>
+		<input type="hidden" name="do" value="update" />
+		<input type="hidden" name="update" value="{{if $isAdmin}}{{.updateUsername}}{{else}}{{.currentStaff.Username}}{{end}}">
+		<input id="submitupdate" type="submit" value="Update password" />
+	{{- end}}
+	</td></tr>
 </table>
 </form>