Merge pull request #185

v2
anhnmt · Aug 28, 2021 · 7a95fea · 7a95fea
2 parents 0ddc4b6 + 085bdb9
commit 7a95fea
Show file tree

Hide file tree

Showing 18 changed files with 233 additions and 52 deletions.
diff --git a/Backend/Areas/Admin/Controllers/AccountsController.cs b/Backend/Areas/Admin/Controllers/AccountsController.cs
@@ -60,6 +60,7 @@ public ActionResult ChangePassword(AdminChangePasswordViewModels changePasswordV
         {
             var errors = new Dictionary<string, string>();
             var userUpdate = users.Get(changePasswordViewModel.AccountId);
+            var user = (Accounts)Session["user"];
             foreach (var k in ModelState.Keys)
                 foreach (var err in ModelState[k].Errors)
                 {
@@ -76,7 +77,27 @@ public ActionResult ChangePassword(AdminChangePasswordViewModels changePasswordV
                     message = "Error",
                 }, JsonRequestBehavior.AllowGet);
 
-            if (!changePasswordViewModel.Password.Equals(changePasswordViewModel.RePassword))
+            if (userUpdate.AccountId == 1 && user.AccountId != 1)
+            {
+                return Json(new
+                {
+                    data = "Unauthorized",
+                    statusCode = 400,
+                    message = "Error",
+                }, JsonRequestBehavior.AllowGet);
+            }
+
+            if (userUpdate.RoleId == 1 && user.RoleId != 1)
+            {
+                return Json(new
+                {
+                    data = "Unauthorized",
+                    statusCode = 400,
+                    message = "Error",
+                }, JsonRequestBehavior.AllowGet);
+            }
+
+            if (!changePasswordViewModel.NewPassword.Equals(changePasswordViewModel.ConfirmPassword))
             {
                 errors.Add("ConfirmPassword", "Your confirm is not the same as your new password!");
                 return Json(new
@@ -86,7 +107,7 @@ public ActionResult ChangePassword(AdminChangePasswordViewModels changePasswordV
                     message = "Error",
                 }, JsonRequestBehavior.AllowGet);
             }
-            userUpdate.Password = Utils.HashPassword(changePasswordViewModel.Password);
+            userUpdate.Password = Utils.HashPassword(changePasswordViewModel.NewPassword);
             if (!users.Edit(userUpdate))
             {
                 return Json(new
@@ -108,6 +129,7 @@ public ActionResult Create(AccountViewModel accounts)
         {
             var errors = new Dictionary<string, string>();
             var check = true;
+            var userSession = (Accounts)Session["user"];
             if (!ModelState.IsValid)
                 return Json(new
                 {
@@ -168,11 +190,12 @@ public ActionResult Create(AccountViewModel accounts)
                     NumberId = accounts.NumberId,
                     Phone = accounts.Phone,
                     AttemptLogin = 0,
-                    RoleId = accounts.RoleId,
+                    RoleId = userSession.AccountId == 1 ? accounts.RoleId : 3,
                     Address = accounts.Address,
                     Birthday = DateTime.Parse(accounts.Birthday),
                     Status = ((int)AccountStatus.Actived)
                 };
+
                 users.Add(account);
                 return Json(new
                 {
@@ -197,11 +220,13 @@ public ActionResult Create(AccountViewModel accounts)
             }, JsonRequestBehavior.AllowGet);
         }
 
+
         [HttpPost]
         public ActionResult Edit(AccountViewModel accounts)
         {
 
             var acc1 = users.Get(accounts.AccountId);
+            var user = (Accounts)Session["user"];
             var errors = new Dictionary<string, string>();
             var check = true;
             if (!ModelState.IsValid)
@@ -231,6 +256,34 @@ public ActionResult Edit(AccountViewModel accounts)
                 }
             }
 
+            if (acc1.AccountId == 1 && user.AccountId != 1)
+            {
+                return Json(new
+                {
+                    statusCode = 400,
+                    message = "Error",
+                    data = "Unauthorized"
+                }, JsonRequestBehavior.AllowGet); ;
+            }
+            if (acc1.RoleId == 1 && user.RoleId != 1)
+            {
+                return Json(new
+                {
+                    statusCode = 400,
+                    message = "Error",
+                    data = "Unauthorized"
+                }, JsonRequestBehavior.AllowGet); ;
+            }
+
+            if (user.AccountId == 1 && accounts.RoleId != 1)
+            {
+                return Json(new
+                {
+                    statusCode = 400,
+                    message = "Error",
+                    data = "You can't change your role!"
+                }, JsonRequestBehavior.AllowGet); ;
+            }
             if (users.CheckDuplicate(x => x.Email == accounts.Email && x.AccountId != acc1.AccountId))
             {
                 check = false;
@@ -257,15 +310,19 @@ public ActionResult Edit(AccountViewModel accounts)
 
             if (ModelState.IsValid && check)
             {
+
                 var acc3 = users.Get(accounts.AccountId);
                 acc3.Name = accounts.Name;
                 acc3.Email = accounts.Email;
                 acc3.Phone = accounts.Phone;
                 acc3.Birthday = DateTime.Parse(accounts.Birthday);
                 acc3.Address = accounts.Address;
                 acc3.NumberId = accounts.NumberId;
-                acc3.RoleId = accounts.RoleId;
-                acc3.Status = accounts.Status;
+                if (user.RoleId == 1 && user.AccountId == 1)
+                {
+                    acc3.RoleId = accounts.RoleId;
+                }
+                acc3.AttemptLogin = accounts.Status == (int)AccountStatus.Actived ? 0 : 3;
                 if (!users.Edit(acc3))
                 {
                     return Json(new
@@ -301,10 +358,31 @@ public ActionResult Edit(AccountViewModel accounts)
         [HttpPost]
         public ActionResult Delete(int id)
         {
+            var current = (Accounts)Session["user"];
+            if (id == current.AccountId)
+            {
+                return Json(new
+                {
+                    statusCode = 400,
+                    data = "You cannot delete your own account",
+                    message = "Error"
+                }, JsonRequestBehavior.AllowGet);
+            }
+
             using (var _context = new ApplicationDbContext())
             {
                 var user = _context.Accounts.FirstOrDefault(x => x.AccountId == id);
                 var bankaccount = _context.BankAccounts.FirstOrDefault(x => x.AccountId == id);
+                if (user.AccountId == 1)
+                {
+                    return Json(new
+                    {
+                        statusCode = 400,
+                        data = "Unauthorized",
+                        message = "Error"
+                    }, JsonRequestBehavior.AllowGet);
+                }
+
                 if (bankaccount != null)
                 {
                     user.Status = 2;
@@ -316,7 +394,7 @@ public ActionResult Delete(int id)
                     }, JsonRequestBehavior.AllowGet);
                 }
             }
-            
+
             if (users.Delete(id))
             {
                 return Json(new
@@ -328,7 +406,7 @@ public ActionResult Delete(int id)
 
             return Json(new
             {
-                statusCode = 402,
+                statusCode = 400,
                 message = "Error"
             }, JsonRequestBehavior.AllowGet);
         }
@@ -345,5 +423,71 @@ public ActionResult ProfileAccount(int id)
             var data = new AccountViewModel(x);
             return View(data);
         }
+        [HttpPost]
+        public ActionResult ChangeStatus(int id)
+        {
+            var userSession = (Accounts)Session["user"];
+            if (!CheckValidate(id))
+            {
+                return Json(new
+                {
+                    statusCode = 400,
+                    message = "Unathorzied",
+                    data = "Unathorzied"
+                }, JsonRequestBehavior.AllowGet);
+            }
+            if (userSession.AccountId == id)
+            {
+                return Json(new
+                {
+                    statusCode = 400,
+                    message = "Unathorzied",
+                    data = "You can't change your status yourself"
+                }, JsonRequestBehavior.AllowGet);
+            }
+            var user  = users.Get(id);
+            if (user.Status == (int)AccountStatus.Actived)
+            {
+                user.Status = (int)AccountStatus.Locked;
+            }
+            else
+            {
+                user.Status = (int)AccountStatus.Actived;
+            }
+            if (users.Edit(user))
+            {
+                return Json(new
+                {
+                    statusCode = 200,
+                    message = "Success"
+                }, JsonRequestBehavior.AllowGet);
+            }
+            return Json(new
+            {
+                statusCode = 400,
+                message = "Error"
+            }, JsonRequestBehavior.AllowGet);
+        }
+        private bool CheckValidate(int id)
+        {
+            var userSession = (Accounts)Session["user"];
+            var user = users.Get(id);
+            switch (userSession.RoleId)
+            {
+                case 1:
+                    if (user.AccountId == 1)
+                    {
+                        return false;
+                    }
+                    break;
+                case 2:
+                    if (user.RoleId == 1)
+                    {
+                        return false;
+                    }
+                    break;
+            }
+            return true;
+        }
     }
 }