feat: block no admin users to access some routes

backend/src/controllers/SessionController.js

@@ -23,7 +23,10 @@ exports.store = async (req, res, next) => {
 		}
 	);
 
-	return res
-		.status(200)
-		.json({ token: token, username: user.name, userId: user.id });
+	return res.status(200).json({
+		token: token,
+		username: user.name,
+		profile: user.profile,
+		userId: user.id,
+	});
 };

backend/src/controllers/SettingController.js

@@ -2,12 +2,24 @@ const Setting = require("../models/Setting");
 const { getIO } = require("../libs/socket");
 
 exports.index = async (req, res) => {
+	if (req.user.profile !== "admin") {
+		return res
+			.status(403)
+			.json({ error: "Only administrators can access this route." });
+	}
+
 	const settings = await Setting.findAll();
 
 	return res.status(200).json(settings);
 };
 
 exports.update = async (req, res) => {
+	if (req.user.profile !== "admin") {
+		return res
+			.status(403)
+			.json({ error: "Only administrators can access this route." });
+	}
+
 	const io = getIO();
 	const { settingKey } = req.params;
 	const setting = await Setting.findByPk(settingKey);

backend/src/controllers/UserController.js

@@ -8,6 +8,12 @@ const Setting = require("../models/Setting");
 const { getIO } = require("../libs/socket");
 
 exports.index = async (req, res) => {
+	if (req.user.profile !== "admin") {
+		return res
+			.status(403)
+			.json({ error: "Only administrators can access this route." });
+	}
+
 	const { searchParam = "", pageNumber = 1 } = req.query;
 
 	const whereCondition = {

frontend/src/components/_layout/MainListItems.js

@@ -38,6 +38,7 @@ function ListItemLink(props) {
 }
 
 const MainListItems = () => {
+	const userProfile = localStorage.getItem("profile");
 	return (
 		<div>
 			<ListItemLink to="/" primary="Dashboard" icon={<DashboardIcon />} />
@@ -57,18 +58,22 @@ const MainListItems = () => {
 				primary={i18n.t("mainDrawer.listItems.contacts")}
 				icon={<ContactPhoneIcon />}
 			/>
-			<Divider />
-			<ListSubheader inset>Administration</ListSubheader>
-			<ListItemLink
-				to="/users"
-				primary={i18n.t("mainDrawer.listItems.users")}
-				icon={<GroupIcon />}
-			/>
-			<ListItemLink
-				to="/settings"
-				primary={i18n.t("mainDrawer.listItems.settings")}
-				icon={<SettingsIcon />}
-			/>
+			{userProfile === "admin" && (
+				<>
+					<Divider />
+					<ListSubheader inset>Administration</ListSubheader>
+					<ListItemLink
+						to="/users"
+						primary={i18n.t("mainDrawer.listItems.users")}
+						icon={<GroupIcon />}
+					/>
+					<ListItemLink
+						to="/settings"
+						primary={i18n.t("mainDrawer.listItems.settings")}
+						icon={<SettingsIcon />}
+					/>
+				</>
+			)}
 		</div>
 	);
 };

frontend/src/context/Auth/useAuth.js

@@ -47,11 +47,12 @@ const useAuth = () => {
 	const handleLogin = async (e, user) => {
 		e.preventDefault();
 		try {
-			const res = await api.post("/auth/login", user);
-			localStorage.setItem("token", JSON.stringify(res.data.token));
-			localStorage.setItem("username", res.data.username);
-			localStorage.setItem("userId", res.data.userId);
-			api.defaults.headers.Authorization = `Bearer ${res.data.token}`;
+			const { data } = await api.post("/auth/login", user);
+			localStorage.setItem("token", JSON.stringify(data.token));
+			localStorage.setItem("username", data.username);
+			localStorage.setItem("profile", data.profile);
+			localStorage.setItem("userId", data.userId);
+			api.defaults.headers.Authorization = `Bearer ${data.token}`;
 			setIsAuth(true);
 			toast.success(i18n.t("auth.toasts.success"));
 			history.push("/tickets");
@@ -68,6 +69,7 @@ const useAuth = () => {
 		setIsAuth(false);
 		localStorage.removeItem("token");
 		localStorage.removeItem("username");
+		localStorage.removeItem("profile");
 		localStorage.removeItem("userId");
 		api.defaults.headers.Authorization = undefined;
 		history.push("/login");