tqt
/
Ghost
mirror of https://github.com/TryGhost/Ghost.git
2
1
Fork 0
Code Issues 1 Releases Wiki Activity

🚧 Authorized Content API requests with req.member 

closes #10111

The members labs setting is required to be set for req.member to be
considered valid authorization
This commit is contained in:
Fabien O'Carroll 2018-11-07 17:41:49 +07:00
parent 2e922808e8
commit 93781a0e78
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
core/server/services/auth/authorize.js
View File

@ -40,11 +40,14 @@ const authorize = {
authorizeAdminAPI: [session.ensureUser],
authorizeContentApi(req, res, next) {
const hasApiKey = req.api_key && req.api_key.id;
const hasMember = req.member;
if (hasApiKey) {
return next();
} else {
return next(new common.errors.NoPermissionError({message: common.i18n.t('errors.middleware.auth.pleaseSignInOrAuthenticate')}));
}
if (labs.isSet('members') && hasMember) {
return next();
}
return next(new common.errors.NoPermissionError({message: common.i18n.t('errors.middleware.auth.pleaseSignInOrAuthenticate')}));
},
requiresAuthorizedUserOrApiKey(req, res, next) {