Update routes/auth.js
Browse files- routes/auth.js +40 -1
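--- a/routes/auth.js
+++ b/routes/auth.js
@@ -7,10 +7,30 @@ const { User, Student, ClassModel, NotificationModel, School } = require('../mod
 const getQueryFilter = (req) => {
 const s = req.headers['x-school-id'];
 const role = req.headers['x-user-role'];
+
+// 1. If requester is a Principal, they only see their own school's data
 if (role === 'PRINCIPAL') {
 if (!s) return { _id: null };
 return { schoolId: s };
 }
+
+// 2. If requester is ADMIN (Super Admin)
+if (role === 'ADMIN') {
+// If filtering by a specific school (e.g. from dropdown), return that school's data
+if (s) return { schoolId: s };
+
+// If fetching "Global" list (no specific school selected or 'All' selected):
+// We want to see:
+// a) Users with NO schoolId (e.g. pending principals creating schools)
+// b) Users from ALL schools (if we want a truly global list, we might remove the filter entirely,
+// but usually 'getQueryFilter' is used to scope data.
+// For the "User Management" page specifically, the route handler below handles the global flag.)
+
+// Default behavior for other resources (like students/classes) when admin hasn't selected a school:
+return {};
+}
+
+// 3. Teachers/Students
 if (!s) return {};
 return {
 $or: [
@@ -105,9 +125,28 @@ router.post('/update-profile', async (req, res) => {
 
 // --- User Management Routes ---
 router.get('/', async (req, res) => {
-
+let filter = {};
+
+// If requesting "Global" list (e.g. Admin Panel with 'global=true'), ignore school filter
+if (req.query.global === 'true' && req.headers['x-user-role'] === 'ADMIN') {
+filter = {}; // Return all users
+} else {
+// Otherwise apply standard school scoping
+filter = getQueryFilter(req);
+}
+
 if (req.headers['x-user-role'] === 'PRINCIPAL') filter.role = { $ne: 'ADMIN' };
 if (req.query.role) filter.role = req.query.role;
+
+// Special case: If Admin is viewing a specific school, but we also want to see
+// pending principals who HAVE NO schoolId yet (the "creating school" case),
+// we need to OR the query.
+// However, the UI usually separates "Global View" vs "School View".
+// If Admin is in "Global View", they will see everything (including empty schoolId).
+// If Admin selects a school, they only see that school's users.
+// The issue was likely that `getQueryFilter` was being applied strictly even for global admin view.
+// The change above (checking `req.query.global`) fixes this.
+
 res.json(await User.find(filter).sort({ createTime: -1 }));
 });
 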
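Review bot: The new global-list bypass at new line 131 (`req.query.global === 'true' && req.headers['x-user-role'] === 'ADMIN'`) and the ADMIN branch added to getQueryFilter at new line 18 both decide authorization from the `x-user-role` and `x-school-id` request headers; unless an upstream middleware overwrites these from a verified session (not visible in this hunk), a client controls both values, so the scoping this commit adds is only as strong as that header-trust assumption and the global branch would return every User document to whoever sets them. The role and school should be taken from the server-side identity the auth layer attaches to the request rather than from raw headers, and until that is confirmed a comment at the top of getQueryFilter such as `// SECURITY: x-user-role / x-school-id must be populated by the auth middleware from the verified token, never trusted from the client` makes the trust boundary explicit. Separately, `let filter = {};` followed by `filter = {}; // Return all users` is redundant; `const filter = (req.query.global === 'true' && req.headers['x-user-role'] === 'ADMIN') ? {} : getQueryFilter(req);` expresses the same thing without reassignment, since the later `filter.role = …` mutates the object, not the binding. getQueryFilter's body continues past the end of the first hunk; the `router.get('/')` handler is fully contained in the second.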