Added more granular permissions.

src/routers/api/adminRouter.js

@@ -32,18 +32,15 @@ const banController = require("../../controllers/api/admin/banController");
 //globals
 const router = Router();
 
-//Use authentication middleware
-router.use(permissionSchema.reqPermCheck("adminAPI"));
-
 //routing functions
-router.get('/listUsers', listUsersController.get);
-router.get('/listChannels', listChannelsController.get);
-router.get('/permissions', permissionsController.get);
-router.post('/permissions', checkExact([permissionsValidator.permissionsMap(), channelPermissionValidator.channelPermissionsMap()]), permissionsController.post);
-router.post('/changeRank', accountValidator.user(), accountValidator.rank(), changeRankController.post);
-router.get('/ban', banController.get);
+router.get('/listUsers', permissionSchema.reqPermCheck("adminPanel"), listUsersController.get);
+router.get('/listChannels', permissionSchema.reqPermCheck("adminPanel"),  listChannelsController.get);
+router.get('/permissions', permissionSchema.reqPermCheck("adminPanel"),  permissionsController.get);
+router.post('/permissions', permissionSchema.reqPermCheck("changePerms"), checkExact([permissionsValidator.permissionsMap(), channelPermissionValidator.channelPermissionsMap()]), permissionsController.post);
+router.post('/changeRank', permissionSchema.reqPermCheck("changeRank"),  accountValidator.user(), accountValidator.rank(), changeRankController.post);
+router.get('/ban', permissionSchema.reqPermCheck("adminPanel"),  banController.get);
 //Sometimes they're so simple you don't need to put your validators in their own special place :P
-router.post('/ban', accountValidator.user(), body("permanent").isBoolean(), body("expirationDays").isInt(), banController.post);
-router.delete('/ban', accountValidator.user(), banController.delete);
+router.post('/ban', permissionSchema.reqPermCheck("banUser"),  accountValidator.user(), body("permanent").isBoolean(), body("expirationDays").isInt(), banController.post);
+router.delete('/ban', permissionSchema.reqPermCheck("banUser"),  accountValidator.user(), banController.delete);
 
 module.exports = router;

src/routers/api/channelRouter.js

@@ -15,7 +15,7 @@ You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 
 //npm imports
-const { body } = require('express-validator');
+const { body, checkExact } = require('express-validator');
 const { Router } = require('express');
 
 //local imports
@@ -37,31 +37,31 @@ const router = Router();
 
 //user authentication middleware
 router.use("/register",permissionSchema.reqPermCheck("registerChannel"));
-router.use("/settings", channelValidator.name('chanName'), channelModel.reqPermCheck("manageChannel"));
-router.use("/permissions", channelValidator.name('chanName'), channelModel.reqPermCheck("manageChannel"));
-router.use("/rank", channelValidator.name('chanName'), channelModel.reqPermCheck("manageChannel"));
-router.use("/delete", channelValidator.name('chanName'), channelModel.reqPermCheck("deleteChannel"));
-router.use("/ban", channelValidator.name('chanName'), channelModel.reqPermCheck("manageChannel"));
+router.use("/settings", channelValidator.name('chanName'));
+router.use("/permissions", channelValidator.name('chanName'));
+router.use("/rank", channelValidator.name('chanName'));
+router.use("/delete", channelValidator.name('chanName'));
+router.use("/ban", channelValidator.name('chanName'));
 
 //routing functions
 //register
 router.post('/register', channelValidator.name(), channelValidator.description(), channelValidator.thumbnail(), registerController.post);
 //list
-router.get('/list', listController.get);
+router.get('/list', channelModel.reqPermCheck("manageChannel"), listController.get);
 //settings
-router.get('/settings', settingsController.get);
-router.post('/settings', channelValidator.settingsMap(), settingsController.post);
+router.get('/settings', channelModel.reqPermCheck("manageChannel"),  settingsController.get);
+router.post('/settings', channelModel.reqPermCheck("changeSettings"),  channelValidator.settingsMap(), settingsController.post);
 //permissions
-router.get('/permissions', permissionsController.get);
-router.post('/permissions', channelPermissionValidator.channelPermissionsMap(), permissionsController.post);
+router.get('/permissions', channelModel.reqPermCheck("manageChannel"),  permissionsController.get);
+router.post('/permissions', channelModel.reqPermCheck("changePerms"),  checkExact(channelPermissionValidator.channelPermissionsMap()), permissionsController.post);
 //rank
-router.get('/rank', rankController.get);
-router.post('/rank', accountValidator.user(), channelValidator.rank(), rankController.post);
+router.get('/rank', channelModel.reqPermCheck("manageChannel"),  rankController.get);
+router.post('/rank', channelModel.reqPermCheck("changeRank"),  accountValidator.user(), channelValidator.rank(), rankController.post);
 //delete
-router.post('/delete', channelValidator.name('confirm'), deleteController.post);
+router.post('/delete', channelModel.reqPermCheck("deleteChannel"),  channelValidator.name('confirm'), deleteController.post);
 //ban
-router.get('/ban', banController.get);
-router.post('/ban',  accountValidator.user(), body("banAlts").isBoolean(), body("expirationDays").isInt(), banController.post);
-router.delete('/ban',  accountValidator.user(), banController.delete);
+router.get('/ban', channelModel.reqPermCheck("manageChannel"),  banController.get);
+router.post('/ban', channelModel.reqPermCheck("banUser"),   accountValidator.user(), body("banAlts").isBoolean(), body("expirationDays").isInt(), banController.post);
+router.delete('/ban', channelModel.reqPermCheck("banUser"),   accountValidator.user(), banController.delete);
 
 module.exports = router;