OneCommunityGlobal · robertoooc · Oct 13, 2023 · Feb 4, 2024 · Feb 4, 2024 · Mar 9, 2024
diff --git a/src/controllers/userProfileController.js b/src/controllers/userProfileController.js
@@ -2,6 +2,7 @@ const moment = require('moment-timezone');
 
 const mongoose = require('mongoose');
 const bcrypt = require('bcryptjs');
+// eslint-disable-next-line import/no-extraneous-dependencies
 const fetch = require('node-fetch');
 
 const moment_ = require('moment');
@@ -17,6 +18,7 @@ const {
   canRequestorUpdateUser,
 } = require('../utilities/permissions');
 const escapeRegex = require('../utilities/escapeRegex');
+const emailSender = require('../utilities/emailSender');
 const config = require('../config');
 
 async function ValidatePassword(req, res) {
@@ -248,12 +250,42 @@ const userProfileController = function (UserProfile) {
     up.actualEmail = req.body.actualEmail;
     up.isVisible = !['Mentor'].includes(req.body.role);
 
+    const requestor = await UserProfile.findById(req.body.requestor.requestorId).select('firstName lastName email role').exec();
     up.save()
       .then(() => {
         res.status(200).send({
           _id: up._id,
         });
 
+        if (up.role === 'Owner' || up.role === 'Administrator') {
+          const subject = `*Main Site* - New ${up.role} Role Created`;
+
+          const emailBody = `<p> Hi Admin! </p>
+
+          <p><strong>New Account Details</strong></p>
+          <p>This email is to inform you that <strong>${up.firstName} ${up.lastName}</strong> has been created as a new ${up.role} account on the Main Highest Good Network application.</p>
+
+          <p><strong>Here are the details for the new ${up.role} account:</strong></p>
+          <ul>
+              <li><strong>Name:</strong> ${up.firstName} ${up.lastName}</li>
+              <li><strong>Email:</strong> <a href="mailto:${up.email}">${up.email}</a></li>
+           </ul>
+
+          <p><strong>Who created this new account?</strong></p>
+          <ul>
+              <li><strong>Name:</strong> ${requestor.firstName} ${requestor.lastName}</li>
+              <li><strong>Email:</strong> <a href="mailto:${requestor.email}">${requestor.email}</a></li>
+           </ul>
+
+           <p>If you have any questions or notice any issues, please investigate further.</p>
+
+           <p>Thank you for your attention to this matter.</p>
+
+           <p>Sincerely,</p>
+           <p>The HGN A.I. (and One Community)</p>`;
+
+          emailSender('[email protected] ', subject, emailBody, null, null);
+        }
         // update backend cache
 
         const userCache = {
@@ -667,10 +699,11 @@ const userProfileController = function (UserProfile) {
     // remove user from cache, it should be loaded next time
     cache.removeCache(`user-${userId}`);
     if (!key || value === undefined) {
-      return res.status(400).send({ error: 'Missing property or value' });
+      res.status(400).send({ error: 'Missing property or value' });
+      return;
     }
 
-    return UserProfile.findById(userId)
+    UserProfile.findById(userId)
       .then((user) => {
         user.set({
           [key]: value,
@@ -706,20 +739,10 @@ const userProfileController = function (UserProfile) {
       });
     }
     // Check if the requestor has the permission to update passwords.
-    const hasUpdatePasswordPermission = await hasPermission(
-      requestor,
-      'updatePassword',
-    );
+    const hasUpdatePasswordPermission = await hasPermission(requestor, 'updatePassword');
 
-    // If the requestor is updating their own password, allow them to proceed.
-    if (userId === requestor.requestorId) {
-      console.log('Requestor is updating their own password');
-    }
-    // Else if they're updating someone else's password, they need the 'updatePassword' permission.
-    else if (!hasUpdatePasswordPermission) {
-      console.log(
-        "Requestor is trying to update someone else's password but lacks the 'updatePassword' permission",
-      );
+    // if they're updating someone else's password, they need the 'updatePassword' permission.
+    if (!hasUpdatePasswordPermission) {
       return res.status(403).send({
         error: "You are unauthorized to update this user's password",
       });
@@ -897,28 +920,75 @@ const userProfileController = function (UserProfile) {
       });
   };
 
-  const resetPassword = function (req, res) {
-    ValidatePassword(req);
+  const resetPassword = async function (req, res) {
+    try {
+      ValidatePassword(req);
 
-    UserProfile.findById(req.params.userId, 'password')
-      .then((user) => {
-        user.set({
-          password: req.body.newpassword,
-        });
-        user
-          .save()
-          .then(() => {
-            res.status(200).send({
-              message: ' password Reset',
-            });
-          })
-          .catch((error) => {
-            res.status(500).send(error);
-          });
-      })
-      .catch((error) => {
-        res.status(500).send(error);
+      const requestor = await UserProfile.findById(req.body.requestor.requestorId).select('firstName lastName email role').exec();
+
+      if (!requestor) {
+        res.status(404).send({ error: 'Requestor not found' });
+        return;
+      }
+
+      const user = await UserProfile.findById(req.params.userId).select('firstName lastName email role').exec();
+
+      if (!user) {
+        res.status(404).send({ error: 'User not found' });
+        return;
+      }
+
+      if (!await hasPermission(requestor, 'putUserProfileImportantInfo')) {
+        res.status(403).send('You are not authorized to reset this users password');
+        return;
+      }
+
+      if (user.role === 'Owner' && !await hasPermission(requestor, 'addDeleteEditOwners')) {
+        res.status(403).send('You are not authorized to reset this user password');
+        return;
+      }
+
+      user.password = req.body.newpassword;
+
+      await user.save();
+
+      if (user.role === 'Owner' || user.role === 'Administrator') {
+        const subject = `*Main Site* - ${user.role} Password Reset Notification`;
+        const emailBody = `<p>Hi Admin! </p>
+
+        <p><strong>Account Details</strong></p>
+        <p>This email is to inform you that a password reset has been executed for an ${user.role} account:</p>
+
+        <ul>
+            <li><strong>Name:</strong> ${user.firstName} ${user.lastName}</li>
+            <li><strong>Email:</strong> <a href="mailto:${user.email}">${user.email}</a></li>
+        </ul>
+
+        <p><strong>Account that reset the ${user.role}'s password</strong></p>
+        <p>The password reset was made by:</p>
+
+        <ul>
+            <li><strong>Name:</strong> ${requestor.firstName} ${requestor.lastName}</li>
+            <li><strong>Email:</strong> <a href="mailto:${requestor.email}">${requestor.email}</a></li>
+        </ul>
+
+        <p>If you have any questions or need to verify this password reset, please investigate further.</p>
+
+        <p>Thank you for your attention to this matter.</p>
+
+        <p>Sincerely,</p>
+        <p>The HGN A.I. (and One Community)</p>
+        `;
+
+        emailSender('[email protected] ', subject, emailBody, null, null);
+      }
+
+      res.status(200).send({
+        message: 'Password Reset',
       });
+    } catch (error) {
+      res.status(500).send(error);
+    }
   };
 
   const getAllUsersWithFacebookLink = function (req, res) {