From 9724eda5fded4a92c011ef49d36b5edb6217282e Mon Sep 17 00:00:00 2001
From: Craig Oates
Date: Fri, 16 Sep 2022 19:04:46 +0100
Subject: [PATCH] add more functionality for user management (admin. and normal). I forgot to add this to the previous commit.
---
 src/web.lisp | 100 +++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 98 insertions(+), 2 deletions(-)
diff --git a/src/web.lisp b/src/web.lisp
index 8e9a1a7..814d3c3 100644
--- a/src/web.lisp
+++ b/src/web.lisp
@@ -257,8 +257,104 @@ (progn (utils:set-alert "You are not logged in.") (redirect "/login"))))))) - ;; - ;; Error pages +(defroute ("/user/admin/edit-password" :method :POST) () + (destructuring-bind + (&key username password authenticity-token &allow-other-keys) + (utils:request-params (lack.request:request-body-parameters ningle:*request*)) + (cond ((not (string= authenticity-token (auth:csrf-token))) + `(,+forbidden+ (:content-type "text/plain") ("Denied"))) + (t (hermetic:auth + (:administrator) + ;; Authorised + (cond ((utils:string-is-nil-or-empty? username) + (utils:set-alert "Username not provided. No change made.") + (redirect "/users")) + ((utils:string-is-nil-or-empty? password) + (utils:set-alert "Password not provided. No change made.") + (redirect "/users")) + ((null (nera:get-user username)) + (utils:set-alert "Unable to find user. Unable to delete account") + (redirect "/users")) + (t (nera:update-user + (user::username-of (nera:get-user username)) + :new-password password) + (utils:set-alert "Password changed.") + (redirect "/users"))) + ;; Not Authorised + (progn (utils:set-alert "You are not authorised to view that page.") + (redirect "/"))))))) + +(defroute ("/user/admin/delete" :method :POST) () + (destructuring-bind + (&key username authenticity-token &allow-other-keys) + (utils:request-params (lack.request:request-body-parameters ningle:*request*)) + (cond ((not (string= authenticity-token (auth:csrf-token))) + `(,+forbidden+ (:content-type "text/plain") ("Denied"))) + (t (hermetic:auth + (:administrator) + ;; Authorised + (cond ((utils:string-is-nil-or-empty? username) + (utils:set-alert "Username not provided. Unable to delete account.") + (redirect "/users")) + ((null (nera:get-user username)) + (utils:set-alert "Unable to find user. 
Unable to delete account") + (redirect "/users")) + (t (nera:delete-user + (user::username-of (nera:get-user username))) + (utils:set-alert "Account deleted.") + (redirect "/users"))) + ;; Not Authorised + (progn (utils:set-alert "You are not logged in.") + (redirect "/login"))))))) + +(defroute ("/user/delete" :method :POST) () + (destructuring-bind + (&key authenticity-token &allow-other-keys) + (utils:request-params (lack.request:request-body-parameters ningle:*request*)) + (cond ((not (string= authenticity-token (auth:csrf-token))) + `(,+forbidden+ (:content-type "text/plain") ("Denied"))) + (t (hermetic:auth (:logged-in) + ;; Authorised + (progn + (nera-db:delete-user + (user::username-of (auth:get-current-user))) + (hermetic:logout + ;; Successful log-out -- after account deleted + ;; (session data cleared). + (progn (auth:flash-gethash :id ningle:*session*) + (redirect "/")) + ;; Failed log-out -- after account deleted + ;; (session data persits). + (progn (utils:set-alert + "Error: Unable to delete session data.") + (redirect "/")))) + ;; Not Authorised + (progn (utils:set-alert "You are not logged in.") + (redirect "/login"))))))) + +(defroute ("/create/page" :method :GET) () + (hermetic:auth (:logged-in) + ;; Authorised + (let ((alert (utils:get-and-reset-alert))) + (render "/user/create-page.html" + (append (auth:auth-user-data) + `(:alert ,alert)))) + ;; Not Authorised + (progn + (utils:set-alert "You are not logged in.") + (redirect "/login")))) + +;; TODO: UP-TO-HERE. NEED TO GET NIC TO DECIDE ON WHAT SHE ACTUALLY WANTS BEFORE +;; I CAN FLUSH OUT HOW AND WHAT IS SAVED TO THE DATABASE (LOCAL) AND WHAT IS +;; PUSHED TO MEILISEARCH DATABASE (IF USED). 
+(defroute ("/create/page" :method :POST) () + (destructuring-bind + (&key authenticity-token page-content &allow-other-keys) + (utils:request-params (lack.request:request-body-parameters ningle:*request*)) + (format t "~a" page-content) + (redirect "/create/page"))) +;; +;; Error pages (defmethod on-exception ((app ) (code (eql 404))) (declare (ignore app))
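Review bot: The `/create/page` POST route at the end of the hunk destructures `authenticity-token` but never compares it with `(auth:csrf-token)` and has no `hermetic:auth (:logged-in)` guard, unlike the three routes above it, so even as a stub it accepts an unauthenticated, unverified POST and writes the raw `page-content` to stdout via `(format t "~a" page-content)`. Wrapping the body in the same CSRF-check-then-auth pattern now keeps the unfinished handler consistent with its siblings and avoids the guard being forgotten once the TODO above it is resolved; the stdout echo should likewise be treated as debug output that does not ship. Separately, in `/user/admin/delete` the failure branch of `hermetic:auth (:administrator)` sets "You are not logged in." and redirects to `/login`, while `/user/admin/edit-password` uses "You are not authorised to view that page." and `/`; since that branch presumably also fires for logged-in non-administrators, the second wording is the accurate one and the two should agree. The edit-password route's missing-user alert `"Unable to find user. Unable to delete account"` looks copied from the delete route and should read `"Unable to find user. No change made."` to match its neighbours.

```lisp
(defroute ("/create/page" :method :POST) ()
  (destructuring-bind
      (&key authenticity-token page-content &allow-other-keys)
      (utils:request-params (lack.request:request-body-parameters ningle:*request*))
    (cond ((not (string= authenticity-token (auth:csrf-token)))
           `(,+forbidden+ (:content-type "text/plain") ("Denied")))
          (t (hermetic:auth (:logged-in)
               ;; Authorised -- persistence still TODO (see comment above)
               (progn (format t "~a" page-content)
                      (redirect "/create/page"))
               ;; Not Authorised
               (progn (utils:set-alert "You are not logged in.")
                      (redirect "/login")))))))
```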