From 5291aecf162c77fb0f48d8f6bcc48c7c481f0eef Mon Sep 17 00:00:00 2001
From: Jack Andrews
Date: Thu, 14 Nov 2024 17:16:36 +0000
Subject: [PATCH] fix: admin only check
---
 apps/api/src/controllers/users.ts | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/apps/api/src/controllers/users.ts b/apps/api/src/controllers/users.ts
index 8689dba12..fa6d17892 100644
--- a/apps/api/src/controllers/users.ts
+++ b/apps/api/src/controllers/users.ts
@@ -2,6 +2,7 @@ import bcrypt from "bcrypt";
 import { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { track } from "../lib/hog";
+import { checkSession } from "../lib/session";
 import { prisma } from "../prisma";
 export function userRoutes(fastify: FastifyInstance) {
@@ -70,20 +71,25 @@ export function userRoutes(fastify: FastifyInstance) {
   // (ADMIN) Reset password
   fastify.put(
     "/api/v1/user/reset-password",
-
     async (request: FastifyRequest, reply: FastifyReply) => {
       const { password, id }: any = request.body;
-      const hashedPass = await bcrypt.hash(password, 10);
-      await prisma.user.update({
-        where: { id: id },
-        data: {
-          password: hashedPass,
-        },
-      });
-      reply
-        .status(201)
-        .send({ message: "password updated success", failed: false });
+      const session = await checkSession(request);
+
+      if (session!.isAdmin) {
+        const hashedPass = await bcrypt.hash(password, 10);
+        await prisma.user.update({
+          where: { id: id },
+          data: {
+            password: hashedPass,
+          },
+        });
+        reply
+          .status(201)
+          .send({ message: "password updated success", failed: false });
+      } else {
+        reply.status(403).send({ message: "Unauthorized", failed: true });
+      }
     }
   );
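Review bot: `session!.isAdmin` in the reset-password handler turns a missing session into a thrown TypeError (a 500 from Fastify) instead of the 403 the new `else` branch intends; the `!` only silences the compiler, and since `checkSession` is imported in the first hunk but its return type is not visible here, the nullish case presumably exists or the assertion would not be needed. Prefer a single guard with an early return, `if (!session?.isAdmin) { reply.status(403).send({ message: "Unauthorized", failed: true }); return; }`, and let the hash-and-update code follow at the outer indentation. The same handler still reads `const { password, id }: any = request.body;` without validation, so an empty `password` is hashed and stored and a malformed `id` surfaces as a Prisma error rather than a 400; a minimal `typeof password === "string" && password.length > 0` check before hashing would be in keeping with the fix. The enclosing `userRoutes` function continues outside the hunk.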