authorSebastian Reichel <sre@ring0.de>2016-04-10 22:57:06 +0200
committerSebastian Reichel <sre@ring0.de>2016-04-10 22:57:06 +0200
commit2d77a9832112852500c7320f1e5311999720ecad (patch)
tree3108467268008446bfa32812eb36d5ce6c894c74
parent0f369549ab9744f310f4783c97037d3009b54002 (diff)
downloadserial-barcode-scanner-2d77a9832112852500c7320f1e5311999720ecad.tar.bz2
web: admins can change permissions of users
-rw-r--r--src/web/web.vala61
-rw-r--r--templates/products/entry.html10
-rw-r--r--templates/users/entry.html70
3 files changed, 128 insertions, 13 deletions
diff --git a/src/web/web.vala b/src/web/web.vala
index cec12ed..ee6e71a 100644
--- a/src/web/web.vala
+++ b/src/web/web.vala
@@ -72,6 +72,11 @@ public class WebServer {
case "stats":
handler_todo(server, msg, path, query, client);
break;
+ case "toggle_auth_products":
+ case "toggle_auth_cashbox":
+ case "toggle_auth_users":
+ handler_user_toggle_auth(server, msg, path, query, client, id, pathparts[3]);
+ break;
default:
handler_404(server, msg, path, query, client);
break;
@@ -266,6 +271,46 @@ public class WebServer {
}
}
+ void handler_user_toggle_auth(Soup.Server server, Soup.Message msg, string path, GLib.HashTable? query, Soup.ClientContext client, int id, string action) {
+ try {
+ var l = new WebSession(server, msg, path, query, client);
+
+ if(!l.superuser) {
+ handler_403(server, msg, path, query, client);
+ return;
+ }
+
+ var olduserauth = db.get_user_auth(id);
+
+ switch(action) {
+ case "toggle_auth_products":
+ olduserauth.auth_products = !olduserauth.auth_products;
+ break;
+ case "toggle_auth_cashbox":
+ olduserauth.auth_cashbox = !olduserauth.auth_cashbox;
+ break;
+ case "toggle_auth_users":
+ olduserauth.auth_users = !olduserauth.auth_users;
+ break;
+ }
+
+ db.set_user_auth(olduserauth);
+
+ var newuserauth = db.get_user_auth(id);
+
+ var auth_products = newuserauth.auth_products ? "true" : "false";
+ var auth_cashbox = newuserauth.auth_cashbox ? "true" : "false";
+ var auth_users = newuserauth.auth_users ? "true" : "false";
+
+ msg.set_response("application/json", Soup.MemoryUse.COPY, @"{ \"products\": \"$auth_products\", \"cashbox\": \"$auth_cashbox\", \"users\": \"$auth_users\" }".data);
+ msg.set_status(200);
+ } catch(DatabaseError e) {
+ handler_400(server, msg, path, query, client, e.message);
+ } catch(IOError e) {
+ handler_400(server, msg, path, query, client, e.message);
+ }
+ }
+
void handler_user_entry(Soup.Server server, Soup.Message msg, string path, GLib.HashTable? query, Soup.ClientContext client, int id) {
try {
var session = new WebSession(server, msg, path, query, client);
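Review bot: handler_user_toggle_auth writes a permission change without checking the request method or any anti-forgery token, and the script hunk in templates/users/entry.html calls it with `$.getJSON`, which is a plain GET. If WebSession authenticates from credentials the browser sends automatically (not visible in this hunk), a cross-site request or a link prefetcher running in a superuser's browser could flip a user's flags unnoticed. After the `l.superuser` check I would add `if(msg.method != "POST") { handler_400(server, msg, path, query, client, "POST required"); return; }`, require a per-session token, and switch the client to POST. Because the endpoint toggles rather than sets, a repeated or replayed request silently inverts the result; taking the desired value as a parameter would make it idempotent.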
@@ -292,9 +337,19 @@ public class WebServer {
var userauth = db.get_user_auth(id);
t.replace("DISABLED", userauth.disabled ? "true" : "false");
t.replace("ISSUPERUSER", userauth.superuser ? "true" : "false");
- t.replace("HAS_AUTH_PRODUCTS", userauth.auth_products ? "true" : "false");
- t.replace("HAS_AUTH_CASHBOX", userauth.auth_cashbox ? "true" : "false");
- t.replace("HAS_AUTH_USERS", userauth.auth_users ? "true" : "false");
+ t.replace("HAS_AUTH_PRODUCTS", userauth.auth_products ? "Yes" : "No");
+ t.replace("HAS_AUTH_CASHBOX", userauth.auth_cashbox ? "Yes" : "No");
+ t.replace("HAS_AUTH_USERS", userauth.auth_users ? "Yes" : "No");
+
+ t.replace("BTN_AUTH_PRODUCTS", userauth.auth_products ? "btn-success" : "btn-danger");
+ t.replace("BTN_AUTH_CASHBOX", userauth.auth_cashbox ? "btn-success" : "btn-danger");
+ t.replace("BTN_AUTH_USERS", userauth.auth_users ? "btn-success" : "btn-danger");
+
+ if(session.superuser) {
+ t.replace("ISADMIN2", "");
+ } else {
+ t.replace("ISADMIN2", "disabled=\"disabled\"");
+ }
var postdata = Soup.Form.decode_multipart(msg, null, null, null, null);
if(postdata != null && postdata.contains("password1") && postdata.contains("password2")) {
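Review bot: The `ISADMIN2` replacement only greys out the new buttons for non-superusers; it is a display hint, not an access control, and nothing in this block says so. I would add a comment above `if(session.superuser)` such as `// UI hint only: handler_user_toggle_auth() re-checks superuser on the server`, so a later change does not treat the disabled attribute as the enforcement point. handler_user_entry starts and ends outside the hunk.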
diff --git a/templates/products/entry.html b/templates/products/entry.html
index 83d98b8..05c1dce 100644
--- a/templates/products/entry.html
+++ b/templates/products/entry.html
@@ -1,11 +1,11 @@
<h2>Product Information</h2>
<p>
<table class="table table-bordered table-nonfluid">
- <th>EAN</th><td>{{{EAN}}}</td></tr>
- <th>Name</th><td>{{{NAME}}}</td></tr>
- <th>Category</th><td>{{{CATEGORY}}}</td></tr>
- <th>Amount</th><td>{{{AMOUNT}}}</td></tr>
- <th>State</th><td><button id="statebutton" type="button" class="btn {{{BTNSTATE}}}" {{{ISADMIN2}}}>{{{STATE}}}</button></td></tr>
+ <tr><th>EAN</th><td>{{{EAN}}}</td></tr>
+ <tr><th>Name</th><td>{{{NAME}}}</td></tr>
+ <tr><th>Category</th><td>{{{CATEGORY}}}</td></tr>
+ <tr><th>Amount</th><td>{{{AMOUNT}}}</td></tr>
+ <tr><th>State</th><td><button id="statebutton" type="button" class="btn {{{BTNSTATE}}}" {{{ISADMIN2}}}>{{{STATE}}}</button></td></tr>
</table>
</p></p>
diff --git a/templates/users/entry.html b/templates/users/entry.html
index ad20b70..03594cb 100644
--- a/templates/users/entry.html
+++ b/templates/users/entry.html
@@ -25,9 +25,9 @@
<tr><th colspan="2">Administrative Information</th></tr>
<tr><th>Disabled</th><td>{{{DISABLED}}}</td></tr>
<tr><th>Superuser</th><td>{{{ISSUPERUSER}}}</td></tr>
- <tr><th>Auth Products</th><td>{{{HAS_AUTH_PRODUCTS}}}</td></tr>
- <tr><th>Auth Cashbox</th><td>{{{HAS_AUTH_CASHBOX}}}</td></tr>
- <tr><th>Auth Users</th><td>{{{HAS_AUTH_USERS}}}</td></tr>
+ <tr><th>Auth Products</th><td><button id="authproductsbutton" type="button" class="btn {{{BTN_AUTH_PRODUCTS}}}" {{{ISADMIN2}}}>{{{HAS_AUTH_PRODUCTS}}}</button></td></tr>
+ <tr><th>Auth Cashbox</th><td><button id="authcashboxbutton" type="button" class="btn {{{BTN_AUTH_CASHBOX}}}" {{{ISADMIN2}}}>{{{HAS_AUTH_CASHBOX}}}</button></td></tr>
+ <tr><th>Auth Users</th><td><button id="authusersbutton" type="button" class="btn {{{BTN_AUTH_USERS}}}" {{{ISADMIN2}}}>{{{HAS_AUTH_USERS}}}</button></td></tr>
<tr><th>Invoices</th><td><a href="./{{{UID}}}/invoice">Show</a></td></tr>
<tr><th rowspan="3">Password</th><td><input name="password1" placeholder="New Password" type="password" /></td></tr>
<tr><td><input name="password2" placeholder="New Password (again)" type="password" /></td></tr>
@@ -36,6 +36,66 @@
</form>
<script language="JavaScript">
- code39_init();
- code39_draw("USER {{{UID}}}", true);
+code39_init();
+code39_draw("USER {{{UID}}}", true);
+
+$('#authproductsbutton').on('click', function (e) {
+ var req = $.getJSON(
+ "/users/{{{UID}}}/toggle_auth_products",
+ function( data ) {
+ if(data["products"] == "false") {
+ $('#authproductsbutton').html("No")
+ $('#authproductsbutton').addClass("btn-danger")
+ $('#authproductsbutton').removeClass("btn-success")
+ } else if(data["products"] == "true") {
+ $('#authproductsbutton').html("Yes")
+ $('#authproductsbutton').addClass("btn-success")
+ $('#authproductsbutton').removeClass("btn-danger")
+ } else {
+ console.error("unknown state")
+ console.info(data)
+ }
+ }
+ );
+});
+
+$('#authcashboxbutton').on('click', function (e) {
+ var req = $.getJSON(
+ "/users/{{{UID}}}/toggle_auth_cashbox",
+ function( data ) {
+ if(data["cashbox"] == "false") {
+ $('#authcashboxbutton').html("No")
+ $('#authcashboxbutton').addClass("btn-danger")
+ $('#authcashboxbutton').removeClass("btn-success")
+ } else if(data["cashbox"] == "true") {
+ $('#authcashboxbutton').html("Yes")
+ $('#authcashboxbutton').addClass("btn-success")
+ $('#authcashboxbutton').removeClass("btn-danger")
+ } else {
+ console.error("unknown state")
+ console.info(data)
+ }
+ }
+ );
+});
+
+$('#authusersbutton').on('click', function (e) {
+ var req = $.getJSON(
+ "/users/{{{UID}}}/toggle_auth_users",
+ function( data ) {
+ if(data["users"] == "false") {
+ $('#authusersbutton').html("No")
+ $('#authusersbutton').addClass("btn-danger")
+ $('#authusersbutton').removeClass("btn-success")
+ } else if(data["users"] == "true") {
+ $('#authusersbutton').html("Yes")
+ $('#authusersbutton').addClass("btn-success")
+ $('#authusersbutton').removeClass("btn-danger")
+ } else {
+ console.error("unknown state")
+ console.info(data)
+ }
+ }
+ );
+});
</script>
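Review bot: The three click handlers are the same code with only the button id, action and JSON key changed, and none of them handles a failed request, so a 403 or 400 from the server leaves the button in its old state with no indication that the permission change was rejected. One helper taking the selector, the action name and the response key removes the duplication, and a `.fail()` callback makes rejected changes visible. The rewrite below also uses `.text()` instead of `.html()` for the labels and `===` for the comparisons.

```javascript
// … unchanged: code39_init() / code39_draw() calls …
function bindAuthToggle(buttonId, action, key) {
	var button = $(buttonId);
	button.on('click', function () {
		$.getJSON("/users/{{{UID}}}/" + action, function (data) {
			if (data[key] === "true" || data[key] === "false") {
				var granted = data[key] === "true";
				button.text(granted ? "Yes" : "No");
				button.toggleClass("btn-success", granted);
				button.toggleClass("btn-danger", !granted);
			} else {
				console.error("unknown state", data);
			}
		}).fail(function (xhr) {
			console.error("permission change failed: " + xhr.status);
		});
	});
}

bindAuthToggle('#authproductsbutton', 'toggle_auth_products', 'products');
bindAuthToggle('#authcashboxbutton', 'toggle_auth_cashbox', 'cashbox');
bindAuthToggle('#authusersbutton', 'toggle_auth_users', 'users');
```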