added user log-in status to admin page

token is returned in REST response but not displayed in client resolves juice-shop#28
oguzhalit · Oct 16, 2014 · 7574b22 · 7574b22
1 parent c1d87d7
commit 7574b22
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 13 deletions.
diff --git a/app/js/services/UserService.js b/app/js/services/UserService.js
@@ -4,7 +4,7 @@ angular.module('myApp').factory('UserService', ['$http', function ($http) {
  var host = '/api/Users';
 
  function find(params) {
- return $http.get(host + '/', {
+ return $http.get('/rest/user/authentication-details/', {
  params: params
  });
  }

diff --git a/app/views/Administration.html b/app/views/Administration.html
@@ -4,12 +4,14 @@ <h3 class="page-header page-header-sm">Administration <small>User</small></h3>
 
  <table class="table table-striped table-bordered table-condensed" ng-controller="UserController">
  <tr>
+ <th></th>
  <th>Email</th>
  <th></th>
  </tr>
  <tr data-ng-repeat="user in users">
+ <td class="col-md-1"><span ng-show="user.token" class="glyphicon glyphicon-user"></span></td>
  <td>{{user.email}}</td>
- <td>
+ <td class="col-md-1">
  <div class="btn-group">
  <a class="btn btn-default btn-xs" ng-click="showDetail(user.id)"><span class="glyphicon glyphicon-eye-open"></span></a>
  </div>
@@ -31,8 +33,10 @@ <h3 class="page-header page-header-sm"><small>Feedback</small></h3>
  <tr data-ng-repeat="feedback in feedbacks">
  <td>{{feedback.UserId}}</td>
  <td><div ng-bind-html="feedback.comment"></div></td>
- <td>{{feedback.rating}}</td>
  <td>
+ <rating max="5" name="feedbackRating" ng-model="feedback.rating" readonly="true"></rating>
+ </td>
+ <td class="col-md-1">
  <div class="btn-group">
  <a class="btn btn-default btn-xs" ng-click="delete(feedback.id)"><span class="glyphicon glyphicon-trash"></span></a>
  </div>

diff --git a/app/views/SearchResult.html b/app/views/SearchResult.html
@@ -29,6 +29,5 @@ <h3 class="page-header page-header-sm">Search Results <span class="label label-d
  </table>
 
  </div>
-
  </div>
 </div>
diff --git a/app/views/UserDetail.html b/app/views/UserDetail.html
@@ -10,13 +10,11 @@ <h3 class="modal-title">User #{{user.id}}</h3>
 
  <p>{{user.email}}</p>
  </div>
- <!--
- <div class="col-md-6">
+ <!--<div class="col-md-6" ng-show="user.password">
  <strong>Password</strong>
 
  <p>{{user.password}}</p>
- </div>
- -->
+ </div>-->
  </div>
  <div class="row">
  <div class="col-md-6">

diff --git a/lib/insecurity.js b/lib/insecurity.js
@@ -39,13 +39,22 @@ exports.sanitizeHtml = function(html) {
 };
 
 exports.authenticatedUsers = {
- userMap: {},
+ tokenMap: {},
+ idMap: {},
  put : function(token, user) {
- this.userMap[token] = user;
+ this.tokenMap[token] = user;
+ this.idMap[user.data.id] = token;
  },
  get: function(token) {
  if (token) {
- return this.userMap[utils.unquote(token)];
+ return this.tokenMap[utils.unquote(token)];
+ } else {
+ return undefined;
+ }
+ },
+ tokenOf: function(user) {
+ if (user) {
+ return this.idMap[user.id];
  } else {
  return undefined;
  }

diff --git a/lib/utils.js b/lib/utils.js
@@ -9,7 +9,7 @@ exports.queryResultToJson = function(data, status) {
  } else if (data.length > 0) {
  wrappedData = [];
  for (var i=0; i<data.length; i++) {
- wrappedData.push(data[i]);
+ wrappedData.push(data[i].dataValues ? data[i].dataValues : data[i]);
  }
  } else {
  wrappedData = data;

diff --git a/server.js b/server.js
@@ -432,6 +432,7 @@ app.use(restful(sequelize, { endpoint: '/api', allowed: ['Users', 'Products', 'F
 /* Custom Restful API */
 app.post('/rest/user/login', loginUser());
 app.get('/rest/user/change-password', changePassword());
+app.get('/rest/user/authentication-details', retrieveUserList());
 app.get('/rest/product/search', searchProducts());
 app.get('/rest/basket/:id', retrieveBasket());
 app.post('/rest/basket/:id/order', createOrderPdf());
@@ -534,6 +535,20 @@ function retrieveBasket() {
  };
 }
 
+function retrieveUserList() {
+ return function(req, res, next){
+ User.findAll().success(function(users) {
+ var usersWithLoginStatus = utils.queryResultToJson(users);
+ usersWithLoginStatus.data.forEach(function(user) {
+ user.token = insecurity.authenticatedUsers.tokenOf(user);
+ });
+ res.json(usersWithLoginStatus);
+ }).error(function (error) {
+ next(error);
+ });
+ };
+}
+
 function createOrderPdf() {
  return function(req, res, next){
  var id = req.params.id;

diff --git a/test/client/servicesSpec.js b/test/client/servicesSpec.js
@@ -16,7 +16,7 @@ describe('services', function () {
  }));
 
  it('should get all users directly from the rest api', inject(function (UserService) {
- $httpBackend.whenGET('/api/Users/').respond(200, 'apiResponse');
+ $httpBackend.whenGET('/rest/user/authentication-details/').respond(200, 'apiResponse');
 
  UserService.find().success(function (data) { result = data; });
  $httpBackend.flush();

diff --git a/test/server/userApiSpec.js b/test/server/userApiSpec.js
@@ -230,6 +230,14 @@ frisby.create('GET all users')
  .expectStatus(200)
  .toss();
 
+frisby.create('GET all users decorated with attribute for authentication token')
+ .addHeaders(authHeader)
+ .get(REST_URL + '/user/authentication-details')
+ .expectStatus(200)
+ .expectJSONTypes('data.?',{
+ token: String
+ }).toss();
+
 frisby.create('POST new user with XSS attack in email address')
  .post(API_URL + '/Users', {
  email: '<script>alert("XSS2")</script>',