Description
Overview
After implementing the Super Admin User feature in #1747, we identified a bug where the Super Admin User (vrms-admin-perm@hackforla.org) is unable to log in to VRMS. This issue tracks the fix for this bug.
Past Research
Bug summary from Jack Haeger (2024-10-17)
Trillium merged the Super User PR, rebuilt Dev, and edited the DB to make vrms-admin-perm@hackforla.org a super user.
The good news is that almost everything is working as expected (the user screen is grayed out and no other admin users can edit this user).
The bad news is that we cannot log in with this user to dev.vrms.io:
- When we go to log in with that user (vrms-admin-perm@hackforla.org) we are unable to log in and we receive the error message “We don’t recognize your email address. Please, create an account.”
- I can confirm that this account already existed due to the fact that 1) the account shows up in dev.VRMS.io, and 2) the account’s email inbox received VRMS magic links to log in to the dev.vrms.io website on September 16, so it clearly existed and was logging in appropriately.
- Also, this email address logs in as expected on PROD.

Nikhil's research (2024-10-22)
The checkAuth method has authOrigin set to LOG_IN

Which is exposed by this route

That router works in this way
and it checks for a method called verifyUser.isAdminByEmail

if (role === 'admin' || user.managedProjects.length > 0)
It is allowing either "admin"
or someone who has managedProjects.length > 0
Now if we look at the super user:
they are neither "admin" nor do they have a non-empty "managedProjects" list,
so they are not able to log in.

But looking at Trillium's profile, Jack Haeger told me that when converting Trillium to super-user, he was still able to log in because the managedProjects list is not empty!

Action Items
- Implement Nikhil's proposed fix below:
change user.middleware.js to:
```js
const { User } = require('../models');

// Reject registration of an email address that already has an account.
function checkDuplicateEmail(req, res, next) {
  User.findOne({ email: req.body.email })
    .then((user) => {
      if (user) {
        return res.sendStatus(400);
      }
      next();
    })
    .catch(next);
}

// Gate login by email: unknown address -> 400; known address that is neither
// admin, superadmin, nor a project manager -> 401. The 'superadmin' branch is
// the fix: without it the super admin user (empty managedProjects) is rejected.
function isAdminByEmail(req, res, next) {
  User.findOne({ email: req.body.email })
    .then((user) => {
      if (!user) {
        return res.sendStatus(400);
      }
      const role = user.accessLevel;
      if (role === 'admin' || role === 'superadmin' || user.managedProjects.length > 0) {
        return next();
      }
      // Send the 401 directly instead of passing the response into next(),
      // which would also invoke the error handler after headers were sent.
      return res.sendStatus(401);
    })
    .catch(next);
}

const verifyUser = {
  checkDuplicateEmail,
  isAdminByEmail,
};

module.exports = verifyUser;
```
- Test if fix is successful by logging into Dev with vrms-admin-perm@hackforla.org
- If fix worked, the "Success" message will be displayed and a VRMS Login link will be sent to the inbox of vrms-admin-perm@hackforla.org
- If fix fails, the error message will be displayed under the email name: "We don't recognize your email address. Please, create an account."
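To make the login gate concrete, here is an added example (not VRMS project code) that factors the isAdminByEmail check into a predicate, before and after the proposed fix, and runs it through an Express-style middleware against an in-memory store. The user records, email addresses and the injected lookup function are all constructed for the example.

```javascript
// Added example (not VRMS project code): the isAdminByEmail gate as a pure
// predicate, so the super admin case can be checked without a database.

// Original gate: 'admin' role or at least one managed project.
function canLogInBefore(user) {
  return user.accessLevel === 'admin' || user.managedProjects.length > 0;
}

// Proposed gate: also accept the 'superadmin' access level.
function canLogInAfter(user) {
  const role = user.accessLevel;
  return role === 'admin' || role === 'superadmin' || user.managedProjects.length > 0;
}

// Express-style middleware with the User lookup injected (assumed signature:
// email -> Promise<user|null>), mirroring the route's 400 / 401 / next() outcomes.
function makeIsAdminByEmail(findUserByEmail, canLogIn) {
  return function isAdminByEmail(req, res, next) {
    return findUserByEmail(req.body.email).then((user) => {
      if (!user) return res.sendStatus(400);           // unknown email address
      if (!canLogIn(user)) return res.sendStatus(401); // known, but not permitted
      return next();
    });
  };
}

// Constructed sample users (illustrative only, not real accounts).
const USERS = {
  'admin@example.org': { accessLevel: 'admin', managedProjects: [] },
  'super-empty@example.org': { accessLevel: 'superadmin', managedProjects: [] },
  'super-pm@example.org': { accessLevel: 'superadmin', managedProjects: ['p1'] },
  'member@example.org': { accessLevel: 'user', managedProjects: [] },
};
const findUserByEmail = (email) => Promise.resolve(USERS[email] || null);

// Run the middleware for one email with stub req/res/next and return what it
// did: the HTTP status sent, or 'next' when the request was passed through.
function attemptLogin(email, canLogIn) {
  const req = { body: { email } };
  let outcome;
  const res = { sendStatus(code) { outcome = code; } };
  const next = () => { outcome = 'next'; };
  return makeIsAdminByEmail(findUserByEmail, canLogIn)(req, res, next).then(() => outcome);
}

// The super admin with no managed projects: 401 before the fix, 'next' after it.
attemptLogin('super-empty@example.org', canLogInBefore).then((r) => console.log('before:', r));
attemptLogin('super-empty@example.org', canLogInAfter).then((r) => console.log('after:', r));
```

The super admin whose managedProjects list happens to be non-empty (Trillium's case in the research above) passes both versions, which is why that account masked the bug.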
Resources/Instructions
- This issue is part of this epic: Epic - User Permission Search #1737