Rewrite admin. (#1713)

* Rewrite admin.

* Clean up password forms.

* Fix naming issues.

* CSS Naming.

pages/api/users/[id]/index.ts

@@ -26,7 +26,7 @@ export default async (
   const { id } = req.query;
 
   if (req.method === 'GET') {
-    if (await canViewUser(userId, id)) {
+    if (!isAdmin && !(await canViewUser(userId, id))) {
       return unauthorized(res);
     }
 
@@ -36,7 +36,7 @@ export default async (
   }
 
   if (req.method === 'POST') {
-    if (await canUpdateUser(userId, id)) {
+    if (!isAdmin && !(await canUpdateUser(userId, id))) {
       return unauthorized(res);
     }
 
@@ -46,7 +46,8 @@ export default async (
 
     const data: any = {};
 
-    if (password) {
+    // Only admin can change these fields
+    if (password && isAdmin) {
       data.password = hashPassword(password);
     }
 
@@ -70,7 +71,7 @@ export default async (
   }
 
   if (req.method === 'DELETE') {
-    if (isAdmin) {
+    if (!isAdmin) {
       return unauthorized(res);
     }
 

pages/api/users/[id]/password.ts

@@ -30,15 +30,15 @@ export default async (
   const { current_password, new_password } = req.body;
   const { id } = req.query;
   const {
-    user: { id: userId },
+    user: { id: userId, isAdmin },
   } = req.auth;
 
   if (req.method === 'POST') {
-    if (canUpdateUser(userId, id)) {
+    if (!isAdmin && !(await canUpdateUser(userId, id))) {
       return unauthorized(res);
     }
 
-    const user = await getUser({ id });
+    const user = await getUser({ id }, { includePassword: true });
 
     if (!checkPassword(current_password, user.password)) {
       return badRequest(res, 'Current password is incorrect');

pages/api/users/index.ts

@@ -23,7 +23,7 @@ export default async (
   } = req.auth;
 
   if (req.method === 'GET') {
-    if (isAdmin) {
+    if (!isAdmin) {
       return unauthorized(res);
     }
 
@@ -33,7 +33,7 @@ export default async (
   }
 
   if (req.method === 'POST') {
-    if (isAdmin) {
+    if (!isAdmin) {
       return unauthorized(res);
     }