From 61ddd5b38f1a20b46e54fe69ab5a89b34d8982cd Mon Sep 17 00:00:00 2001 From: Kayne Ruse Date: Fri, 12 Mar 2021 15:04:01 +1100 Subject: [PATCH] Added privilege modification to the API --- README.md | 9 +++++++++ server/auth/account-privilege.js | 25 +++++++++++++++++++++++++ server/auth/account.js | 4 ++-- server/auth/index.js | 2 ++ 4 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 server/auth/account-privilege.js diff --git a/README.md b/README.md index 8854333..67a6c50 100644 --- a/README.md +++ b/README.md @@ -77,4 +77,13 @@ Content-Type: application/json "password": "helloworld" } +//DOCS: Sets the privilege of the specified user; usable only by admins +DELETE /auth/deletion +Authorization: Bearer accessToken +Content-Type: application/json + +{ + "username": "example", + "privilege: "administrator" +} ``` diff --git a/server/auth/account-privilege.js b/server/auth/account-privilege.js new file mode 100644 index 0000000..719c525 --- /dev/null +++ b/server/auth/account-privilege.js @@ -0,0 +1,25 @@ +const { accounts } = require('../database/models'); + +//auth/account/privilege +const route = async (req, res) => { + //check the user's privilege + if (req.user.privilege != 'administrator') { + return res.status(401).send('Only admins can change privilege'); + } + + const updated = await accounts.update({ + privilege: req.body.privilege + }, { + where: { + username: req.body.username + } + }); + + if (updated < 1) { + return res.status(403).send(`Unknown account`); + } + + return res.status(200).end(); +}; + +module.exports = route; \ No newline at end of file diff --git a/server/auth/account.js b/server/auth/account.js index daf45fa..91bbed2 100644 --- a/server/auth/account.js +++ b/server/auth/account.js 
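Review bot: In server/auth/account-privilege.js the handler passes `req.body.username` and `req.body.privilege` straight into `accounts.update` without validating either, so an admin request with a missing or non-string username, or an arbitrary privilege string, reaches the database unchecked; if the ORM drops an `undefined` value from the where clause (this varies by version), the update would apply to every account. Both fields should be checked before the update: require a non-empty string username and accept only known privilege names — `'administrator'` is the only value visible on this page, so the allowlist needs the application's other names filled in. Two smaller points in the same hunk: if `accounts.update` is Sequelize's `Model.update` it resolves to `[affectedCount]`, so `updated < 1` only works through array-to-number coercion and should read `const [updated] = await …`; and the status codes do not match their HTTP meaning — a non-admin caller is authenticated but forbidden (403), while an unknown account is 404 rather than 403. The README entry added for this endpoint also lists `DELETE /auth/deletion` rather than `PATCH /auth/account/privilege` and is missing the closing quote on `"privilege"`.
```javascript
// Privilege names this endpoint may assign; 'administrator' is the only
// value visible in this patch — add the application's other privilege names.
const ALLOWED_PRIVILEGES = new Set(['administrator']);

const route = async (req, res) => {
  // … unchanged: admin check on req.user.privilege …

  const { username, privilege } = req.body ?? {};
  // Never let an absent username or an unknown privilege reach the update:
  // an open WHERE clause could touch every row, and a free-form privilege
  // string would be stored as-is.
  if (typeof username !== 'string' || username === '' || !ALLOWED_PRIVILEGES.has(privilege)) {
    return res.status(400).send('Invalid username or privilege');
  }

  // Assumes a Sequelize-style Model.update, which resolves to [affectedCount].
  const [updated] = await accounts.update({ privilege }, { where: { username } });
  // … unchanged: unknown-account and success responses …
```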
@@ -9,11 +9,11 @@ const route = async (req, res) => { }); if (!account) { - res.status(401).send('Unknown account'); + return res.status(401).send('Unknown account'); } //respond with the private-facing data - res.status(200).json({ + return res.status(200).json({ contact: account.contact }); }; diff --git a/server/auth/index.js b/server/auth/index.js index 357dd95..3152d4d 100644 --- a/server/auth/index.js +++ b/server/auth/index.js @@ -21,4 +21,6 @@ router.get('/account', require('./account')); router.patch('/update', require('./update')); router.delete('/deletion', require('./deletion')); +router.patch('/account/privilege', require('./account-privilege')); + module.exports = router;
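Review bot: The handler registered on the new `router.patch('/account/privilege', …)` line in server/auth/index.js reads `req.user.privilege`, so the route only works when an authentication middleware has populated `req.user` earlier in the chain; nothing in this hunk shows that middleware, and if it is applied per-route rather than router-wide the new route would be reachable unauthenticated and throw on `req.user`. Worth confirming and recording at the registration, e.g. `// admin-only: relies on the auth middleware that sets req.user`.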