mirror of
https://github.com/TryGhost/Ghost.git
synced 2023-12-13 21:00:40 +01:00
Refactor omit of password
- remove password in toJSON() instead of filtering every occurrence of user - changed faulty error type ‚NotFound‘ to ‚NoPermission‘
This commit is contained in:
Sebastian Gierlinger
parent
8a4e0e27f2
commit
b98709b3ce
3 changed files with 24 additions and 53 deletions
|
|
@ -2,7 +2,6 @@ var when = require('when'),
|
|||
_ = require('lodash'),
|
||||
dataProvider = require('../models'),
|
||||
canThis = require('../permissions').canThis,
|
||||
filteredUserAttributes = require('./users').filteredAttributes,
|
||||
|
||||
posts,
|
||||
allowedIncludes = ['created_by', 'updated_by', 'published_by', 'author', 'tags', 'fields'];
|
||||
|
|
@ -45,17 +44,7 @@ posts = {
|
|||
}
|
||||
|
||||
// **returns:** a promise for a page of posts in a json object
|
||||
return dataProvider.Post.findPage(options).then(function (result) {
|
||||
var i = 0,
|
||||
omitted = result;
|
||||
|
||||
for (i = 0; i < omitted.posts.length; i = i + 1) {
|
||||
if (!_.isNumber(omitted.posts[i].author)) {
|
||||
omitted.posts[i].author = _.omit(omitted.posts[i].author, filteredUserAttributes);
|
||||
}
|
||||
}
|
||||
return omitted;
|
||||
});
|
||||
return dataProvider.Post.findPage(options);
|
||||
},
|
||||
|
||||
// #### Read
|
||||
|
|
@ -76,14 +65,8 @@ posts = {
|
|||
|
||||
// **returns:** a promise for a single post in a json object
|
||||
return dataProvider.Post.findOne(options, {include: include}).then(function (result) {
|
||||
var omitted;
|
||||
|
||||
if (result) {
|
||||
omitted = result.toJSON();
|
||||
if (!_.isNumber(omitted.author)) {
|
||||
omitted.author = _.omit(omitted.author, filteredUserAttributes);
|
||||
}
|
||||
return { posts: [ omitted ]};
|
||||
return { posts: [ result.toJSON() ]};
|
||||
}
|
||||
|
||||
return when.reject({type: 'NotFound', message: 'Post not found.'});
|
||||
|
|
@ -108,15 +91,13 @@ posts = {
|
|||
return dataProvider.Post.edit(checkedPostData.posts[0], {user: self.user, include: include});
|
||||
}).then(function (result) {
|
||||
if (result) {
|
||||
var omitted = result.toJSON();
|
||||
if (!_.isNumber(omitted.author)) {
|
||||
omitted.author = _.omit(omitted.author, filteredUserAttributes);
|
||||
}
|
||||
var post = result.toJSON();
|
||||
|
||||
// If previously was not published and now is, signal the change
|
||||
if (result.updated('status') !== result.get('status')) {
|
||||
omitted.statusChanged = true;
|
||||
post.statusChanged = true;
|
||||
}
|
||||
return { posts: [ omitted ]};
|
||||
return { posts: [ post ]};
|
||||
}
|
||||
|
||||
return when.reject({type: 'NotFound', message: 'Post not found.'});
|
||||
|
|
@ -141,15 +122,13 @@ posts = {
|
|||
|
||||
return dataProvider.Post.add(checkedPostData.posts[0], {user: self.user, include: include});
|
||||
}).then(function (result) {
|
||||
var omitted = result.toJSON();
|
||||
if (!_.isNumber(omitted.author)) {
|
||||
omitted.author = _.omit(omitted.author, filteredUserAttributes);
|
||||
}
|
||||
if (omitted.status === 'published') {
|
||||
var post = result.toJSON();
|
||||
|
||||
if (post.status === 'published') {
|
||||
// When creating a new post that is published right now, signal the change
|
||||
omitted.statusChanged = true;
|
||||
post.statusChanged = true;
|
||||
}
|
||||
return { posts: [ omitted ]};
|
||||
return { posts: [ post ]};
|
||||
});
|
||||
}, function () {
|
||||
return when.reject({type: 'NoPermission', message: 'You do not have permission to add posts.'});
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@ var when = require('when'),
|
|||
settings = require('./settings'),
|
||||
canThis = require('../permissions').canThis,
|
||||
ONE_DAY = 86400000,
|
||||
filteredAttributes = ['password'],
|
||||
users;
|
||||
|
||||
|
||||
|
|
@ -23,21 +22,10 @@ users = {
|
|||
// **returns:** a promise for a collection of users in a json object
|
||||
return canThis(this.user).browse.user().then(function () {
|
||||
return dataProvider.User.findAll(options).then(function (result) {
|
||||
var omitted = {},
|
||||
i;
|
||||
|
||||
if (result) {
|
||||
omitted = result.toJSON();
|
||||
}
|
||||
|
||||
for (i = 0; i < omitted.length; i = i + 1) {
|
||||
omitted[i] = _.omit(omitted[i], filteredAttributes);
|
||||
}
|
||||
|
||||
return { users: omitted };
|
||||
return { users: result.toJSON() };
|
||||
});
|
||||
}, function () {
|
||||
return when.reject({type: 'NotFound', message: 'You do not have permission to browse users.'});
|
||||
return when.reject({type: 'NoPermission', message: 'You do not have permission to browse users.'});
|
||||
});
|
||||
},
|
||||
|
||||
|
|
@ -51,8 +39,7 @@ users = {
|
|||
|
||||
return dataProvider.User.findOne(args).then(function (result) {
|
||||
if (result) {
|
||||
var omitted = _.omit(result.toJSON(), filteredAttributes);
|
||||
return { users: [omitted] };
|
||||
return { users: [result.toJSON()] };
|
||||
}
|
||||
|
||||
return when.reject({type: 'NotFound', message: 'User not found.'});
|
||||
|
|
@ -69,8 +56,7 @@ users = {
|
|||
return dataProvider.User.edit(checkedUserData.users[0], {user: self.user});
|
||||
}).then(function (result) {
|
||||
if (result) {
|
||||
var omitted = _.omit(result.toJSON(), filteredAttributes);
|
||||
return { users: [omitted]};
|
||||
return { users: [result.toJSON()]};
|
||||
}
|
||||
return when.reject({type: 'NotFound', message: 'User not found.'});
|
||||
});
|
||||
|
|
@ -94,8 +80,7 @@ users = {
|
|||
return dataProvider.User.add(checkedUserData.users[0], {user: self.user});
|
||||
}).then(function (result) {
|
||||
if (result) {
|
||||
var omitted = _.omit(result.toJSON(), filteredAttributes);
|
||||
return { users: [omitted]};
|
||||
return { users: [result.toJSON()]};
|
||||
}
|
||||
});
|
||||
}, function () {
|
||||
|
|
@ -160,4 +145,3 @@ users = {
|
|||
};
|
||||
|
||||
module.exports = users;
|
||||
module.exports.filteredAttributes = filteredAttributes;
|
||||
|
|
@ -61,6 +61,14 @@ User = ghostBookshelf.Model.extend({
|
|||
}
|
||||
},
|
||||
|
||||
toJSON: function (options) {
|
||||
var attrs = ghostBookshelf.Model.prototype.toJSON.call(this, options);
|
||||
// remove password hash for security reasons
|
||||
delete attrs.password;
|
||||
|
||||
return attrs;
|
||||
},
|
||||
|
||||
posts: function () {
|
||||
return this.hasMany(Posts, 'created_by');
|
||||
},
|
||||
|
|
|
|||
Loading…
Reference in a new issue