06. managing groups and permissions

Step 7: Implement routes for managing groups and permissions

Now, let’s create routes to manage groups and permissions:

// routes/admin.routes.js
const express = require('express');
const { Group, Permission, User } = require('../models');
const verifyToken = require('../middleware/auth');
const checkPermission = require('../middleware/permissions');

// Router holding the admin endpoints below. It is exported at the bottom of this
// file for the application to mount; the mount path is not shown here.
const router = express.Router();

// Group CRUD operations
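// POST /groups — create a group from the request body.
// Guarded by verifyToken and checkPermission('add_group', 'change_group').
router.post('/groups', verifyToken, checkPermission('add_group', 'change_group'), async (req, res) => {
  try {
    // NOTE(review): req.body is handed to the model unfiltered (mass assignment),
    // so any column the model defines can be set by the caller. Restrict it to
    // the columns an admin may set — the model definition lives in ../models,
    // not in this file, so the allow-list cannot be written from here.
    const group = await Group.create(req.body);
    res.status(201).send(group);
  } catch (err) {
    // NOTE(review): the model API (create/findByPk/findAll) looks like Sequelize;
    // if so, these error names mark invalid input, which is a client error rather
    // than a server fault — confirm against ../models before relying on it.
    if (err.name === 'SequelizeValidationError' || err.name === 'SequelizeUniqueConstraintError') {
      return res.status(400).send({ message: err.message });
    }
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('POST /groups failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});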

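// GET /groups — list every group.
// Guarded by verifyToken and checkPermission('view_group', 'change_group').
router.get('/groups', verifyToken, checkPermission('view_group', 'change_group'), async (req, res) => {
  try {
    const groups = await Group.findAll();
    res.status(200).send(groups);
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('GET /groups failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});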

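// GET /groups/:id — fetch one group by primary key; 404 when it does not exist.
// Guarded by verifyToken and checkPermission('view_group', 'change_group').
router.get('/groups/:id', verifyToken, checkPermission('view_group', 'change_group'), async (req, res) => {
  try {
    const group = await Group.findByPk(req.params.id);
    if (!group) {
      return res.status(404).send({ message: "Group not found." });
    }
    res.status(200).send(group);
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('GET /groups/:id failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});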

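// PUT /groups/:id — update an existing group from the request body; 404 when
// it does not exist. Guarded by verifyToken and checkPermission('change_group').
router.put('/groups/:id', verifyToken, checkPermission('change_group'), async (req, res) => {
  try {
    const group = await Group.findByPk(req.params.id);
    if (!group) {
      return res.status(404).send({ message: "Group not found." });
    }
    // NOTE(review): req.body is applied to the model unfiltered (mass assignment),
    // so any column the model defines can be changed by the caller, including
    // the primary key. Restrict it to the columns an admin may change — the
    // model definition lives in ../models, not in this file.
    await group.update(req.body);
    res.status(200).send(group);
  } catch (err) {
    // NOTE(review): the model API (findByPk/update) looks like Sequelize; if so,
    // these error names mark invalid input, which is a client error rather than
    // a server fault — confirm against ../models before relying on it.
    if (err.name === 'SequelizeValidationError' || err.name === 'SequelizeUniqueConstraintError') {
      return res.status(400).send({ message: err.message });
    }
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('PUT /groups/:id failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});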

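// DELETE /groups/:id — remove a group; 404 when it does not exist.
// Guarded by verifyToken and checkPermission('delete_group').
router.delete('/groups/:id', verifyToken, checkPermission('delete_group'), async (req, res) => {
  try {
    const group = await Group.findByPk(req.params.id);
    if (!group) {
      return res.status(404).send({ message: "Group not found." });
    }
    await group.destroy();
    res.status(200).send({ message: "Group deleted successfully." });
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('DELETE /groups/:id failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});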

// Permission CRUD operations
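// POST /permissions — create a permission from the request body.
// Guarded by verifyToken and checkPermission('add_permission', 'change_permission').
router.post('/permissions', verifyToken, checkPermission('add_permission', 'change_permission'), async (req, res) => {
  try {
    // NOTE(review): req.body is handed to the model unfiltered (mass assignment),
    // so any column the model defines can be set by the caller. Restrict it to
    // the columns an admin may set — the model definition lives in ../models,
    // not in this file, so the allow-list cannot be written from here.
    const permission = await Permission.create(req.body);
    res.status(201).send(permission);
  } catch (err) {
    // NOTE(review): the model API (create/findByPk/findAll) looks like Sequelize;
    // if so, these error names mark invalid input, which is a client error rather
    // than a server fault — confirm against ../models before relying on it.
    if (err.name === 'SequelizeValidationError' || err.name === 'SequelizeUniqueConstraintError') {
      return res.status(400).send({ message: err.message });
    }
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('POST /permissions failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});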

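// GET /permissions — list every permission.
// Guarded by verifyToken and checkPermission('view_permission', 'change_permission').
router.get('/permissions', verifyToken, checkPermission('view_permission', 'change_permission'), async (req, res) => {
  try {
    const permissions = await Permission.findAll();
    res.status(200).send(permissions);
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('GET /permissions failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});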

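// GET /permissions/:id — fetch one permission by primary key; 404 when it does
// not exist. Guarded by verifyToken and checkPermission('view_permission', 'change_permission').
router.get('/permissions/:id', verifyToken, checkPermission('view_permission', 'change_permission'), async (req, res) => {
  try {
    const permission = await Permission.findByPk(req.params.id);
    if (!permission) {
      return res.status(404).send({ message: "Permission not found." });
    }
    res.status(200).send(permission);
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('GET /permissions/:id failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});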

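// PUT /permissions/:id — update an existing permission from the request body;
// 404 when it does not exist. Guarded by verifyToken and checkPermission('change_permission').
router.put('/permissions/:id', verifyToken, checkPermission('change_permission'), async (req, res) => {
  try {
    const permission = await Permission.findByPk(req.params.id);
    if (!permission) {
      return res.status(404).send({ message: "Permission not found." });
    }
    // NOTE(review): req.body is applied to the model unfiltered (mass assignment),
    // so any column the model defines can be changed by the caller, including
    // the primary key. Restrict it to the columns an admin may change — the
    // model definition lives in ../models, not in this file.
    await permission.update(req.body);
    res.status(200).send(permission);
  } catch (err) {
    // NOTE(review): the model API (findByPk/update) looks like Sequelize; if so,
    // these error names mark invalid input, which is a client error rather than
    // a server fault — confirm against ../models before relying on it.
    if (err.name === 'SequelizeValidationError' || err.name === 'SequelizeUniqueConstraintError') {
      return res.status(400).send({ message: err.message });
    }
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('PUT /permissions/:id failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});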

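// DELETE /permissions/:id — remove a permission; 404 when it does not exist.
// Guarded by verifyToken and checkPermission('delete_permission').
router.delete('/permissions/:id', verifyToken, checkPermission('delete_permission'), async (req, res) => {
  try {
    const permission = await Permission.findByPk(req.params.id);
    if (!permission) {
      return res.status(404).send({ message: "Permission not found." });
    }
    await permission.destroy();
    res.status(200).send({ message: "Permission deleted successfully." });
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('DELETE /permissions/:id failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});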

// Assign group to user
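// POST /users/:userId/groups — add the user to the group named by body.groupId.
// Guarded by verifyToken and checkPermission('change_user', 'change_group').
// Because permissions are attached to groups (see the /groups/:groupId/permissions
// routes), membership grants everything the group holds, so this check is the
// effective privilege boundary; checkPermission's semantics (all grants vs. any)
// live in ../middleware/permissions and are not visible here — confirm them.
router.post('/users/:userId/groups', verifyToken, checkPermission('change_user', 'change_group'), async (req, res) => {
  try {
    const { groupId } = req.body;
    // Reject a missing id explicitly rather than letting the lookup below turn it
    // into a misleading "not found".
    if (groupId == null) {
      return res.status(400).send({ message: "groupId is required." });
    }
    // The two lookups are independent, so run them concurrently.
    const [user, group] = await Promise.all([
      User.findByPk(req.params.userId),
      Group.findByPk(groupId),
    ]);

    if (!user || !group) {
      return res.status(404).send({ message: "User or Group not found." });
    }

    await user.addGroup(group);
    res.status(200).send({ message: "User assigned to group successfully." });
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('POST /users/:userId/groups failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});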

// Remove group from user
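// DELETE /users/:userId/groups/:groupId — remove the user from the group;
// 404 when either side does not exist.
// Guarded by verifyToken and checkPermission('change_user', 'change_group').
router.delete('/users/:userId/groups/:groupId', verifyToken, checkPermission('change_user', 'change_group'), async (req, res) => {
  try {
    // The two lookups are independent, so run them concurrently.
    const [user, group] = await Promise.all([
      User.findByPk(req.params.userId),
      Group.findByPk(req.params.groupId),
    ]);

    if (!user || !group) {
      return res.status(404).send({ message: "User or Group not found." });
    }

    await user.removeGroup(group);
    res.status(200).send({ message: "Group removed from user successfully." });
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('DELETE /users/:userId/groups/:groupId failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});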

// Assign permission to group
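// POST /groups/:groupId/permissions — attach the permission named by
// body.permissionId to the group; 404 when either side does not exist.
// Guarded by verifyToken and checkPermission('change_group', 'change_permission').
router.post('/groups/:groupId/permissions', verifyToken, checkPermission('change_group', 'change_permission'), async (req, res) => {
  try {
    const { permissionId } = req.body;
    // Reject a missing id explicitly rather than letting the lookup below turn it
    // into a misleading "not found".
    if (permissionId == null) {
      return res.status(400).send({ message: "permissionId is required." });
    }
    // The two lookups are independent, so run them concurrently.
    const [group, permission] = await Promise.all([
      Group.findByPk(req.params.groupId),
      Permission.findByPk(permissionId),
    ]);

    if (!group || !permission) {
      return res.status(404).send({ message: "Group or Permission not found." });
    }

    await group.addPermission(permission);
    res.status(200).send({ message: "Permission assigned to group successfully." });
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('POST /groups/:groupId/permissions failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});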

// Remove permission from group
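// DELETE /groups/:groupId/permissions/:permissionId — detach the permission from
// the group; 404 when either side does not exist.
// Guarded by verifyToken and checkPermission('change_group', 'change_permission').
router.delete('/groups/:groupId/permissions/:permissionId', verifyToken, checkPermission('change_group', 'change_permission'), async (req, res) => {
  try {
    // The two lookups are independent, so run them concurrently.
    const [group, permission] = await Promise.all([
      Group.findByPk(req.params.groupId),
      Permission.findByPk(req.params.permissionId),
    ]);

    if (!group || !permission) {
      return res.status(404).send({ message: "Group or Permission not found." });
    }

    await group.removePermission(permission);
    res.status(200).send({ message: "Permission removed from group successfully." });
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('DELETE /groups/:groupId/permissions/:permissionId failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});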

// Assign permission to user
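// POST /users/:userId/permissions — attach the permission named by
// body.permissionId directly to the user; 404 when either side does not exist.
// Guarded by verifyToken and checkPermission('change_user', 'change_permission').
router.post('/users/:userId/permissions', verifyToken, checkPermission('change_user', 'change_permission'), async (req, res) => {
  try {
    const { permissionId } = req.body;
    // Reject a missing id explicitly rather than letting the lookup below turn it
    // into a misleading "not found".
    if (permissionId == null) {
      return res.status(400).send({ message: "permissionId is required." });
    }
    // The two lookups are independent, so run them concurrently. (The original
    // read `awaitPermission.findByPk(...)` — a missing space that referenced an
    // undefined identifier and made every call to this route fail with a 500.)
    const [user, permission] = await Promise.all([
      User.findByPk(req.params.userId),
      Permission.findByPk(permissionId),
    ]);

    if (!user || !permission) {
      return res.status(404).send({ message: "User or Permission not found." });
    }

    await user.addPermission(permission);
    res.status(200).send({ message: "Permission assigned to user successfully." });
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('POST /users/:userId/permissions failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});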

// Remove permission from user
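// DELETE /users/:userId/permissions/:permissionId — detach a directly assigned
// permission from the user; 404 when either side does not exist.
// Guarded by verifyToken and checkPermission('change_user', 'change_permission').
router.delete('/users/:userId/permissions/:permissionId', verifyToken, checkPermission('change_user', 'change_permission'), async (req, res) => {
  try {
    // The two lookups are independent, so run them concurrently.
    const [user, permission] = await Promise.all([
      User.findByPk(req.params.userId),
      Permission.findByPk(req.params.permissionId),
    ]);

    if (!user || !permission) {
      return res.status(404).send({ message: "User or Permission not found." });
    }

    await user.removePermission(permission);
    res.status(200).send({ message: "Permission removed from user successfully." });
  } catch (err) {
    // Log the full error server-side and answer generically: err.message can
    // carry database or ORM details that should not reach API clients.
    console.error('DELETE /users/:userId/permissions/:permissionId failed:', err);
    res.status(500).send({ message: "Internal server error." });
  }
});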

// Exported for the application to mount (the mount path is not shown here).
// Every route above carries verifyToken plus a checkPermission(...) check, so
// authorization is enforced per route rather than at the mount point.
module.exports = router;
