feat(admin): admin action buttons (#268)

Author: Who23

packages/admin/pages/admin/users.vue

@@ -31,6 +31,17 @@ const badgeColors = {
   hacker: 'gray'
 } as const;
 
+const mealItems = [
+  { label: 'meal 0', value: 0 },
+  { label: 'meal 1', value: 1 },
+  { label: 'meal 2', value: 2 }
+];
+
+// there's a nuxt ui bug which returns a thing whose actual type is a string
+// even though the USelect API is says it's gonna be a number, since the
+// value in mealItems above says it's going to be a number. But it's not. this language sucks ass.
+const selectedMealNum = ref<number>(0);
+
 // Admin/God self profile
 const { data: selfProfile } = useAsyncData<Profile>('selfProfile', async () => {
   const { getSelf } = useProfile();
@@ -81,8 +92,34 @@ const unlinkQRCode = async (user: FlatUserProfile) => {
   }
 };
 
-const notFunctional = () => {
-  alert('This feature is not functional yet.');
+const unsetMeal = async (user: FlatUserProfile) => {
+  const { unsetMeal } = useProfile();
+  const result = await unsetMeal(user.id, selectedMealNum.value);
+  if (result.isError()) {
+    return alert(result.error.message);
+  } else {
+    return alert(`Meal ${selectedMealNum.value} unset succesfully`);
+  }
+};
+
+const deleteCV = async (user: FlatUserProfile) => {
+  const { deleteCV } = useProfile();
+  const result = await deleteCV(user.id);
+  if (result.isError()) {
+    return alert(result.error.message);
+  } else {
+    return alert('CV deleted');
+  }
+};
+
+const sendResetPassword = async (user: FlatUserProfile) => {
+  const { forgotPassword } = useAuth();
+  const result = await forgotPassword(user.email);
+  if (result.isError()) {
+    return alert(result.error.message);
+  } else {
+    return alert('Reset password link sent successfully');
+  }
 };
 
 // Other misc things
@@ -222,9 +259,12 @@ useHead({
         <div>
           <h3 class="text-lg font-semibold">Other Actions</h3>
           <div class="mt-2 flex flex-wrap gap-4">
-            <UButton @click="notFunctional">Send Reset Password</UButton>
-            <UButton @click="notFunctional">Unset a Meal</UButton>
-            <UButton @click="notFunctional">Delete CV</UButton>
+            <UButton @click="sendResetPassword(selectedUser!)">
+              Send Reset Password
+            </UButton>
+            <UButton @click="unsetMeal(selectedUser!)"> Unset meal: </UButton>
+            <USelect v-model="selectedMealNum" :options="mealItems"></USelect>
+            <UButton @click="deleteCV(selectedUser!)">Delete CV</UButton>
           </div>
         </div>
       </div>

packages/common/composables/useProfile.ts

@@ -107,10 +107,49 @@ export default () => {
       return res.json();
     });
 
+  const unsetMeal = async (
+    userId: string,
+    mealNum: number
+  ): Promise<Result<void, Error>> =>
+    Result.try(async () => {
+      const res = await client.profile.meal.$delete({
+        json: {
+          userId: userId,
+          mealNum: mealNum
+        }
+      });
+
+      if (!res.ok) {
+        const errorMessage = await res.text();
+        throw new Error(errorMessage);
+      }
+    });
+
+  // Only gods will be able to do this because the route requires the use of the
+  // sudo middleware
+  const deleteCV = async (userId: string): Promise<Result<void, Error>> =>
+    Result.try(async () => {
+      const res = await client.profile.cv.$delete(
+        {},
+        {
+          headers: {
+            'X-sudo-user': userId
+          }
+        }
+      );
+
+      if (!res.ok) {
+        const errorMessage = await res.text();
+        throw new Error(errorMessage);
+      }
+    });
+
   return {
     getProfiles,
     getSelf,
     register,
-    getRegistrationStats
+    getRegistrationStats,
+    unsetMeal,
+    deleteCV
   };
 };

scalar/api.yaml

@@ -1125,6 +1125,34 @@ paths:
               schema:
                 type: string
                 example: You do not have access to PUT /api/profile/meal
+    delete:
+      tags:
+        - Profile
+      summary: Unset the meals for a user
+      description: |
+        Allows a admin or god to unset the meals for a user.
+        Only admins or gods can access this route.
+      security:
+        - cookieAuth: []
+      parameters:
+        - $ref: '#/components/parameters/cookie'
+      responses:
+        '200':
+          description: The meals have been updated.
+        '403':
+          description: When a user other than a volunteer accesses this route.
+          content:
+            text/plain:
+              schema:
+                type: string
+                example: You do not have access to DELETE /api/profile/meal
+        '404':
+          description: When the given user does not exist.
+          content:
+            text/plain:
+              schema:
+                type: string
+                example: Failed to unset user meals - user does not exist
 
   /profile/register:
     get:

server/src/profile/__tests__/modifyUser.test.ts

@@ -9,6 +9,7 @@ import { createUserWithSession } from '../../testHelpers';
 import { eq, sql } from 'drizzle-orm';
 import { sha256 } from 'hono/utils/crypto';
 import { qrs } from '../../qr/schema';
+import { adminMeta } from '../../admin/schema';
 
 const sessionIds: Partial<Record<Role, string>> = {};
 const userIds: Partial<Record<Role, string>> = {};
@@ -29,6 +30,7 @@ beforeAll(async () => {
   await db.execute(sql`TRUNCATE ${users} CASCADE`);
   await db.execute(sql`TRUNCATE ${profiles} CASCADE`);
   await db.execute(sql`TRUNCATE ${qrs} CASCADE`);
+  await db.execute(sql`TRUNCATE ${adminMeta} CASCADE`);
 
   for (const role of roles) {
     const toCreate = {
@@ -56,6 +58,8 @@ beforeAll(async () => {
       });
     }
   }
+
+  await db.insert(adminMeta).values({ mealNumber: 0, showCategories: false });
 });
 
 describe('Profiles module > PUT /', () => {
@@ -107,7 +111,7 @@ describe('Profiles module > PUT /', () => {
   });
 });
 
-describe('Profile smodule > PUT /meals', () => {
+describe('Profile module > PUT /meals', () => {
   test('volunteer can update meals', async () => {
     // { userId: string }
     let res = await baseRoute.meal.$put(
@@ -155,6 +159,61 @@ describe('Profile smodule > PUT /meals', () => {
   });
 });
 
+describe('Profile module > DELETE /meals', () => {
+  test('admin can update meals', async () => {
+    await db
+      .update(profiles)
+      .set({ meals: [true, false, false] })
+      .where(eq(profiles.id, userIds.hacker!));
+
+    // { userId: string }
+    let res = await baseRoute.meal.$delete(
+      {
+        json: {
+          userId: expectedUsers.hacker!.id,
+          mealNum: 0
+        }
+      },
+      {
+        headers: {
+          Cookie: `auth_session=${sessionIds.admin}`
+        }
+      }
+    );
+
+    let userInDb = await db
+      .select()
+      .from(profiles)
+      .where(eq(profiles.id, userIds.hacker!));
+
+    expect(res.status).toBe(200);
+    expect(userInDb[0]!.meals[0]).toBeFalse();
+  });
+
+  test('only volunteer can update meals', async () => {
+    let res = await baseRoute.meal.$delete(
+      {
+        json: {
+          userId: expectedUsers.hacker!.id,
+          mealNum: 0
+        }
+      },
+      {
+        headers: {
+          Cookie: `auth_session=${sessionIds.volunteer}`
+        }
+      }
+    );
+
+    // @ts-expect-error code is from middleware
+    expect(res.status).toBe(403);
+    expect(res.text()).resolves.toBe(
+      // @ts-ignore error message is from middleware
+      'You do not have access to DELETE /api/profile/meal'
+    );
+  });
+});
+
 describe.skip('Profiles module > GET/POST /cv', () => {
   test.skip('can upload & download own cv', async () => {
     let res = await baseRoute.cv.$get(undefined, {

server/src/profile/index.ts

@@ -6,7 +6,8 @@ import {
   updateProfileSchema,
   profiles,
   searchUserSchema,
-  registerProfilePostSchema
+  registerProfilePostSchema,
+  deleteMealSchema
 } from './schema';
 import { count, eq, ilike, isNotNull, and, lt, sql } from 'drizzle-orm';
 import { apiLogger } from '../logger';
@@ -23,6 +24,7 @@ import { sendEmail } from '../email';
 import nunjucks from 'nunjucks';
 import { emailTemplate, icticket } from './assets/register';
 import { qrs } from '../qr/schema';
+import { adminMeta } from '../admin/schema';
 
 nunjucks.configure({ autoescape: true });
 
@@ -265,8 +267,10 @@ const profile = factory
       // Toggle meal number `num`
       const { userId } = ctx.req.valid('json');
 
-      // TODO: replace with current meal number from db
-      const mealNum = 0;
+      const mealNumQuery = await db
+        .select({ mealNum: adminMeta.mealNumber })
+        .from(adminMeta);
+      const mealNum = mealNumQuery[0]!.mealNum;
 
       // Postgres is 1 indexed :|
       const updatedMeals = await db.execute(sql`
@@ -289,6 +293,35 @@ const profile = factory
       return ctx.text('', 200);
     }
   )
+  .delete(
+    '/meal',
+    grantAccessTo(['admin', 'god']),
+    simpleValidator('json', deleteMealSchema),
+    async ctx => {
+      // This mealNum is 0-indexed, to be consistent with the PUT /profiles/meal
+      const { userId, mealNum } = ctx.req.valid('json');
+
+      // Postgres is 1 indexed!
+      const updatedMeals = await db.execute(sql`
+        UPDATE profiles
+        SET meals[${mealNum + 1}] = false
+        WHERE id = ${userId}`);
+
+      if (updatedMeals.rowCount == null) {
+        apiLogger.error(
+          ctx,
+          'DELETE /profile/meal',
+          `User ${userId} does not exist in the database.`
+        );
+        return ctx.text(
+          'Failed to unset user meals - user does not exist.',
+          404
+        );
+      }
+
+      return ctx.text('', 200);
+    }
+  )
   .get(
     '/discord',
     grantAccessTo(['authenticated'], { allowUnlinkedHackers: true }),

server/src/profile/schema.ts

@@ -77,6 +77,13 @@ export const updateMealSchema = z
   })
   .strict();
 
+export const deleteMealSchema = z
+  .object({
+    userId: z.string(),
+    mealNum: z.coerce.number().int().lte(2).gte(0)
+  })
+  .strict();
+
 // searchUser requires an email or a name
 // there is a minimum length so the volunteer cannot essentially GET /all
 export const searchUserSchema = z