filter locked team members. prevent locking self

Author: ssundahlTTD

src/api/routers/managementRouter.ts

@@ -2,7 +2,7 @@ import express, { Response } from 'express';
 import { z } from 'zod';
 
 import { isSuperUserCheck } from '../middleware/userRoleMiddleware';
-import { getAllUsersList, updateUserLock } from '../services/managementService';
+import { getAllUsersList, getUserById, updateUserLock } from '../services/managementService';
 import { ParticipantRequest } from '../services/participantsService';
 
 const handleGetAllUsers = async (req: ParticipantRequest, res: Response) => {
@@ -13,6 +13,11 @@ const handleGetAllUsers = async (req: ParticipantRequest, res: Response) => {
 const handleChangeUserLock = async (req: ParticipantRequest, res: Response) => {
   const { userId } = z.object({ userId: z.coerce.number() }).parse(req.params);
   const { isLocked } = z.object({ isLocked: z.boolean() }).parse(req.body);
+  const user = await getUserById(userId);
+  if (req.auth?.payload?.email === user?.email) {
+    res.status(403).send([{ message: 'You cannot lock yourself.' }]);
+    return;
+  }
   await updateUserLock(req, userId, isLocked);
   return res.status(200).end();
 };

src/api/services/managementService.ts

@@ -13,6 +13,11 @@ export const getAllUsersList = async () => {
   return userList;
 };
 
+export const getUserById = async (userId: number) => {
+  const user = await User.query().where('id', userId).first();
+  return user;
+};
+
 export const updateUserLock = async (
   req: UserParticipantRequest,
   userId: number,

src/api/services/usersService.ts

@@ -74,6 +74,7 @@ export const findUserByEmail = async (email: string) => {
   const user = await User.query()
     .findOne('email', email)
     .where('deleted', 0)
+    .where('locked', 0)
     .modify('withParticipants');
 
   if (user?.participants) {
@@ -107,6 +108,7 @@ export const getAllUsersFromParticipantWithRoles = async (participant: Participa
   const usersWithParticipants = await User.query()
     .whereIn('id', participantUserIds)
     .where('deleted', 0)
+    .where('locked', 0)
     .withGraphFetched('userToParticipantRoles');
 
   return mapUsersWithParticipantRoles(usersWithParticipants, participant.id);
@@ -117,7 +119,7 @@ export const getAllUsersFromParticipant = async (participant: Participant) => {
     await UserToParticipantRole.query().where('participantId', participant.id)
   ).map((userToParticipantRole) => userToParticipantRole.userId);
 
-  return User.query().whereIn('id', participantUserIds).where('deleted', 0);
+  return User.query().whereIn('id', participantUserIds).where('deleted', 0).where('locked', 0);
 };
 
 export const sendInviteEmailToExistingUser = (

src/web/components/UserManagement/UserManagementItem.tsx

@@ -24,7 +24,7 @@ export function UserManagementItem({ user, onChangeUserLock }: UserManagementIte
       <td>
         <div className='theme-switch action-cell' title='Disable User Access'>
           <Switch.Root
-            name='dark-mode'
+            name='user-locked'
             checked={user.locked}
             onCheckedChange={onLockedToggle}
             className='theme-toggle clickable-item'

src/web/services/userAccount.ts

@@ -123,8 +123,7 @@ export async function GetAllUsers() {
 
 export async function ChangeUserLock(userId: number, isLocked: boolean) {
   try {
-    const res = await axios.patch(`/manage/${userId}/changeLock`, { userId, isLocked });
-    return res;
+    return await axios.patch(`/manage/${userId}/changeLock`, { userId, isLocked });
   } catch (e: unknown) {
     throw backendError(e, 'Unable to update user lock status.');
   }