tqt/Ghost
2
1
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2023-12-13 21:00:40 +01:00
Code Issues 1 Releases Wiki Activity

🐛 fix invite permissions for editor (#7889)

Browse source 
refs #7724

- we already fixed the permissions for the editor
- see 3d3101ad0e
- but as we are inside of a refactoring process, we had two fixtures.json files
- we fixed the fixtures.json in the wrong place
- now that the permissions are used, we can see failing tests
- i have added the correct permissions handling
This commit is contained in:
Katharina Irrgang 2017-01-25 13:07:31 +01:00 committed by Kevin Ansfield
parent ca521e234f
commit 042750f4cf
5 changed files with 75 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
core/server/api/invites.js
View file

@ -91,15 +91,7 @@ invites = {
function addInvite(options) {
var data = options.data;
return dataProvider.User.findOne({id: loggedInUser}, options)
.then(function (user) {
if (!user) {
return Promise.reject(new errors.NotFoundError({message: i18n.t('errors.api.users.userNotFound')}));
}
loggedInUser = user;
return dataProvider.Invite.add(data.invites[0], _.omit(options, 'data'));
})
return dataProvider.Invite.add(data.invites[0], _.omit(options, 'data'))
.then(function (_invite) {
invite = _invite;
@ -177,25 +169,56 @@ invites = {
return Promise.reject(new errors.ValidationError({message: i18n.t('errors.api.invites.roleIsRequired')}));
}
// @TODO move this logic to permissible
// @TODO remove when we have a new permission unit
// Make sure user is allowed to add a user with this role
return dataProvider.Role.findOne({id: options.data.invites[0].role_id}).then(function (role) {
if (!role) {
// We cannot use permissible because we don't have access to the role_id!!!
// Adding a permissible function to the invite model, doesn't give us much context of the invite we would like to add
// As we are looking forward to replace the permission system completely, we do not add a hack here
return dataProvider.Role.findOne({id: options.data.invites[0].role_id}).then(function (roleToInvite) {
if (!roleToInvite) {
return Promise.reject(new errors.NotFoundError({message: i18n.t('errors.api.invites.roleNotFound')}));
}
if (role.get('name') === 'Owner') {
if (roleToInvite.get('name') === 'Owner') {
return Promise.reject(new errors.NoPermissionError({message: i18n.t('errors.api.invites.notAllowedToInviteOwner')}));
}
var loggedInUserRole = loggedInUser.related('roles').models[0].get('name'),
allowed = [];
if (loggedInUserRole === 'Owner' || loggedInUserRole === 'Administrator') {
allowed = ['Administrator', 'Editor', 'Author'];
} else if (loggedInUserRole === 'Editor') {
allowed = ['Author'];
}
if (allowed.indexOf(roleToInvite.get('name')) === -1) {
return Promise.reject(new errors.NoPermissionError({
message: i18n.t('errors.api.invites.notAllowedToInvite')
}));
}
}).then(function () {
return options;
});
}
function fetchLoggedInUser(options) {
return dataProvider.User.findOne({id: loggedInUser}, _.merge({}, options, {include: ['roles']}))
.then(function (user) {
if (!user) {
return Promise.reject(new errors.NotFoundError({message: i18n.t('errors.api.users.userNotFound')}));
}
loggedInUser = user;
return options;
});
}
tasks = [
utils.validate(docName, {opts: ['email']}),
utils.handlePermissions(docName, 'add'),
utils.convertOptions(allowedIncludes),
fetchLoggedInUser,
validation,
destroyOldInvite,
addInvite

3
core/server/permissions/index.js
View file

@ -124,7 +124,8 @@ CanThisResult.prototype.buildObjectTypeHandlers = function (objTypes, actType, c
user: Models.User,
permission: Models.Permission,
setting: Models.Settings,
subscriber: Models.Subscriber
subscriber: Models.Subscriber,
invite: Models.Invite
};
// Iterate through the object types, i.e. ['post', 'tag', 'user']

3
core/server/translations/en.json
View file

@ -399,7 +399,8 @@
"error": "Error sending email: {message}",
"help": "Please check your email settings and resend the invitation."
},
"notAllowedToInviteOwner": "Not allowed to invire an owner user."
"notAllowedToInviteOwner": "Not allowed to invite an owner user.",
"notAllowedToInvite": "Not allowed to invite this role."
}
},
"data": {

53
core/test/integration/api/api_invites_spec.js
View file

@ -178,7 +178,7 @@ describe('Invites API', function () {
}
describe('Owner', function () {
it('CANNOT add an Owner', function (done) {
it('CANNOT invite an Owner', function (done) {
InvitesAPI.add({
invites: [
{
@ -191,7 +191,7 @@ describe('Invites API', function () {
}).catch(checkForErrorType('NoPermissionError', done));
});
it('Can add an Admin', function (done) {
it('Can invite an Admin', function (done) {
InvitesAPI.add({
invites: [
{
@ -206,7 +206,7 @@ describe('Invites API', function () {
}).catch(done);
});
it('Can add an Editor', function (done) {
it('Can invite an Editor', function (done) {
InvitesAPI.add({
invites: [
{
@ -221,7 +221,7 @@ describe('Invites API', function () {
}).catch(done);
});
it('Can add an Author', function (done) {
it('Can invite an Author', function (done) {
InvitesAPI.add({
invites: [
{
@ -236,7 +236,7 @@ describe('Invites API', function () {
}).catch(done);
});
it('Can add with role set as string', function (done) {
it('Can invite with role set as string', function (done) {
InvitesAPI.add({
invites: [
{
@ -253,7 +253,7 @@ describe('Invites API', function () {
});
describe('Admin', function () {
it('CANNOT add an Owner', function (done) {
it('CANNOT invite an Owner', function (done) {
InvitesAPI.add({
invites: [
{
@ -266,7 +266,7 @@ describe('Invites API', function () {
}).catch(checkForErrorType('NoPermissionError', done));
});
it('Can add an Admin', function (done) {
it('Can invite an Admin', function (done) {
InvitesAPI.add({
invites: [
{
@ -281,7 +281,7 @@ describe('Invites API', function () {
}).catch(done);
});
it('Can add an Editor', function (done) {
it('Can invite an Editor', function (done) {
InvitesAPI.add({
invites: [
{
@ -296,7 +296,7 @@ describe('Invites API', function () {
}).catch(done);
});
it('Can add an Author', function (done) {
it('Can invite an Author', function (done) {
InvitesAPI.add({
invites: [
{
@ -313,7 +313,7 @@ describe('Invites API', function () {
});
describe('Editor', function () {
it('CANNOT add an Owner', function (done) {
it('CANNOT invite an Owner', function (done) {
InvitesAPI.add({
invites: [
{
@ -322,11 +322,11 @@ describe('Invites API', function () {
}
]
}, context.editor).then(function () {
done(new Error('Editor should not be able to add an owner'));
done(new Error('Editor should not be able to invite an owner'));
}).catch(checkForErrorType('NoPermissionError', done));
});
it('CANNOT add an Adminstrator', function (done) {
it('CANNOT invite an Adminstrator', function (done) {
InvitesAPI.add({
invites: [
{
@ -335,11 +335,24 @@ describe('Invites API', function () {
}
]
}, context.editor).then(function () {
done(new Error('Editor should not be able to add an owner'));
done(new Error('Editor should not be able to invite an administrator'));
}).catch(checkForErrorType('NoPermissionError', done));
});
it('CANNOT add an Author', function (done) {
it('CANNOT invite an Editor', function (done) {
InvitesAPI.add({
invites: [
{
email: 'test@example.com',
role_id: testUtils.roles.ids.editor
}
]
}, context.editor).then(function () {
done(new Error('Editor should not be able to invite an editor'));
}).catch(checkForErrorType('NoPermissionError', done));
});
it('Can invite an Author', function (done) {
InvitesAPI.add({
invites: [
{
@ -347,14 +360,16 @@ describe('Invites API', function () {
role_id: testUtils.roles.ids.author
}
]
}, context.editor).then(function () {
done(new Error('Editor should not be able to add an author'));
}).catch(checkForErrorType('NoPermissionError', done));
}, context.editor).then(function (response) {
checkAddResponse(response);
response.invites[0].role_id.should.equal(testUtils.roles.ids.author);
done();
}).catch(done);
});
});
describe('Author', function () {
it('CANNOT add an Owner', function (done) {
it('CANNOT invite an Owner', function (done) {
InvitesAPI.add({
invites: [
{
@ -367,7 +382,7 @@ describe('Invites API', function () {
}).catch(checkForErrorType('NoPermissionError', done));
});
it('CANNOT add an Author', function (done) {
it('CANNOT invite an Author', function (done) {
InvitesAPI.add({
invites: [
{

2
core/test/utils/index.js
View file

@ -10,7 +10,7 @@ var Promise = require('bluebird'),
ghost = require('../../server'),
errors = require('../../server/errors'),
db = require('../../server/data/db'),
fixtureUtils = require('../../server/data/migration/fixtures/utils'),
fixtureUtils = require('../../server/data/schema/fixtures/utils'),
models = require('../../server/models'),
SettingsAPI = require('../../server/api/settings'),
permissions = require('../../server/permissions'),