ref #377

bugfixes related to board owning, adding/removing staff, transferring, deleting accounts with positions, etc.
better handling existing staff being transferred ownership
owner can't be deleted by other staff

controllers/forms/deletestaff.js

@@ -3,6 +3,7 @@
 const deleteStaff = require(__dirname+'/../../models/forms/deletestaff.js')
 	, dynamicResponse = require(__dirname+'/../../helpers/dynamic.js')
 	, paramConverter = require(__dirname+'/../../helpers/paramconverter.js')
+	, Permissions = require(__dirname+'/../../helpers/permissions.js')
 	, { checkSchema, lengthBody, numberBody, minmaxBody, numberBodyVariable,
 		inArrayBody, arrayInBody, existsBody } = require(__dirname+'/../../helpers/schema.js');
 
@@ -17,6 +18,7 @@ module.exports = {
 		const errors = await checkSchema([
 			{ result: lengthBody(req.body.checkedstaff, 1), expected: false, error: 'Must select at least one staff to delete' },
 			{ result: existsBody(req.body.checkedstaff) && req.body.checkedstaff.some(s => !res.locals.board.staff[s]), expected: false, error: 'Invalid staff selection' },
+			{ result: existsBody(req.body.checkedstaff) && req.body.checkedstaff.some(s => s === res.locals.board.owner), expected: false, permission: Permissions.ROOT, error: "You can't delete the board owner" },
 			//not really necessary, but its a bit retarded to "delete yourself" as staff this way
 			{ result: existsBody(req.body.checkedstaff) && req.body.checkedstaff.some(s => s === res.locals.user.username), expected: false, error: 'Resign from the accounts page instead' },
 		]);

controllers/forms/transfer.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const transferBoard = require(__dirname+'/../../models/forms/transferboard.js')
+	, { Accounts } = require(__dirname+'/../../db/')
 	, dynamicResponse = require(__dirname+'/../../helpers/dynamic.js')
 	, alphaNumericRegex = require(__dirname+'/../../helpers/checks/alphanumregex.js')
 	, paramConverter = require(__dirname+'/../../helpers/paramconverter.js')

db/boards.js

@@ -125,30 +125,30 @@ module.exports = {
 		);
 	},
 
-	setStaffPermissions: (board, username, permissions) => {
+	setStaffPermissions: (board, username, permissions, setOwner = false) => {
 		cache.del(`board:${board}`);
-		return db.updateOne(
-			{
-				'_id': board,
-			}, {
-				'$set': {
-					[`staff.${username}.permissions`]: Mongo.Binary(permissions.array),
-				}
+		const update = {
+			'$set': {
+				[`staff.${username}.permissions`]: Mongo.Binary(permissions.array),
 			}
-		);
+		};
+		if (setOwner === true) {
+			update['$set']['owner'] = username;
+		}
+		return db.updateOne({
+			'_id': board,
+		}, update);
 	},
 
 	setOwner: (board, username = null) => {
 		cache.del(`board:${board}`);
-		return db.updateOne(
-			{
-				'_id': board,
-			}, {
-				'$set': {
-					'owner': null
-				}
-			}
-		);
+		return db.updateOne({
+			'_id': board,
+		}, {
+			'$set': {
+				'owner': null,
+			},
+		});
 	},
 
 	addToArray: (board, key, list) => {

models/forms/deleteaccounts.js

@@ -2,7 +2,7 @@
 
 const { Accounts, Boards } = require(__dirname+'/../../db/')
 	, dynamicResponse = require(__dirname+'/../../helpers/dynamic.js')
-	, cache = require(__dirname+'/../../redis.js')
+	, cache = require(__dirname+'/../../redis.js');
 
 module.exports = async (req, res, next) => {
 
@@ -40,8 +40,11 @@ module.exports = async (req, res, next) => {
 						},
 						'update': {
 							'$set': {
-								'owner': null //board has no owner
-							}
+								'owner': null,
+							},
+							'$unset': {
+								[`staff.${acc.username}`]: "",
+							},
 						}
 					}
 				});

models/forms/deletestaff.js

@@ -5,9 +5,14 @@ const { Boards, Accounts } = require(__dirname+'/../../db/')
 
 module.exports = async (req, res, next) => {
 
+	//only a ROOT could do this, per the permission bypass in the controller
+	const deletingBoardOwner = req.body.checkedstaff.some(s => s === res.locals.board.owner);
+
 	await Promise.all([
 		Accounts.removeStaffBoard(req.body.checkedstaff, res.locals.board._id),
-		Boards.removeStaff(res.locals.board._id, req.body.checkedstaff)
+		Boards.removeStaff(res.locals.board._id, req.body.checkedstaff),
+		deletingBoardOwner ? Accounts.removeOwnedBoard(res.locals.board.owner, res.locals.board._id) : void 0,
+		deletingBoardOwner ? Boards.setOwner(res.locals.board._id, null) : void 0,
 	]);
 
 	return dynamicResponse(req, res, 200, 'message', {

models/forms/transferboard.js

@@ -9,22 +9,25 @@ module.exports = async (req, res, next) => {
 	const newOwner = res.locals.newOwner;
 
 	//remove current owner
-	await Accounts.removeOwnedBoard(res.locals.board.owner, req.params.board)
+	await Promise.all([
+		Accounts.removeOwnedBoard(res.locals.board.owner, req.params.board),
+		Boards.removeStaff(req.params.board, [res.locals.board.owner]),
+	]);
 
 	//set new owner in locals
 	res.locals.board.owner = newOwner._id;
 
-	if (res.locals.board.staff[newOwner.username] != null) {
+	if (res.locals.board.staff[newOwner._id] != null) {
 		//if already a staff, just change their permission instead of removing+adding back
 		await Promise.all([
-			Boards.setStaffPermissions(req.params.board, res.locals.user.username),
+			Boards.setStaffPermissions(req.params.board, newOwner._id, PermissionTemplates.BOARD_OWNER, true),
 			Accounts.removeStaffBoard([newOwner._id], req.params.board),
 			Accounts.addOwnedBoard(newOwner._id, req.params.board),
 		]);
 	} else {
 		//otherwise add them as a new staff+owner
 		await Promise.all([
-			Boards.addStaff(req.params.board, newOwner._id, req.params.board, PermissionTemplates.BOARD_OWNER, true),
+			Boards.addStaff(req.params.board, newOwner._id, PermissionTemplates.BOARD_OWNER, true),
 			Accounts.addOwnedBoard(newOwner._id, req.params.board),
 		]);
 	}

views/pages/login.pug

@@ -15,7 +15,6 @@ block content
 				.label Password
 				input(type='password', name='password', maxlength='100' required)
 			input(type='submit', value='submit')
-		if enableUserAccountCreation
-			p: a(href='/register.html') Register
+		p: a(href='/register.html') Register
 		p: a(href='/changepassword.html') Change Password