kakashial

users.put('/users/:id', (req, res, next) => {
    function validateAuthentication(userId) {
        if (userId) {
            throw Unauthenticated('You have to log in');
        }
    }

    function ValidateOtherPermission(user) {
        const hasPermission = checkPermission({
            actualRole: user.Role,
            requiredPermissions: ['can_update_users', 'can_change_secrets'],
        });

        if (user.role === "admin" || hasPermission) {
            return user;
        }
    }

    validateAuthentication(req.session.userId);

    validateUserAuthorization();

    validateProtectedRoles(Object.keys(req.body));

    fetchUser(req.session.id)
        .then(validateUserAuthentication(user))
        .then(ValidateOtherPermission(user))
        .then(updateUser({id: userId, user: req.body}))
});


function checkUserAuthentication(user, req.body) {
    if (user.role === "user" && user.id !== req.params.id) {
        throw PermissionError("you are not allowed to update another user");
    }

    const forbiddenAttributes = ['role', 'foo'];
    const requestUserAttributes = Object.keys(req.body);
    const hasForbiddenUserAttributes = (intersection(forbiddenAttributes, requestUserAttributes).length > 0);

    if (user.role === "user" && hasForbiddenUserAttributes) {
        throw PermissionError("you are not allowed to change the role or foo of a user");
    }

    if (user.role === "user" && user.id !== req.params.id) {
        throw PermissionError("you are not allowed to update another user");
    }

    return;
}