TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-22 10:21:36 +03:00
Code Issues Projects Releases Wiki Activity
4dc413d6a1
Ghost/test/unit/services/permissions/can-this_spec.js

529 lines
23 KiB
JavaScript
Raw Normal View History

Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const should = require('should');
const sinon = require('sinon');
const testUtils = require('../../../utils');
const Promise = require('bluebird');
const _ = require('lodash');
const models = require('../../../../core/server/models');
const permissions = require('../../../../core/server/services/permissions');
const providers = require('../../../../core/server/services/permissions/providers');
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
describe('Permissions', function () {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
let fakePermissions = [];
let findPostSpy;
let findTagSpy;
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
before(function () {
models.init();
});
beforeEach(function () {
Bumped sinon from 4.4.6 to 7.3.2 (#10400) refs #9389 - https://github.com/sinonjs/sinon/blob/master/CHANGELOG.md Breaking changes for Ghost: - no need to create a sandbox anymore, each file get's it's own sandbox - just require sinon and use this sandbox - you can still create separate sandboxes with .createSandbox - reset single stubs: use .resetHistory instead of .reset This is a global replace for any sandbox creation. --- From https://sinonjs.org/releases/v7.2.3/sandbox/ > Default sandbox > Since sinon@5.0.0, the sinon object is a default sandbox. Unless you have a very advanced setup or need a special configuration, you probably want to just use that one.
2019-01-21 19:53:44 +03:00
sinon.stub(models.Permission, 'findAll').callsFake(function () {
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
return Promise.resolve(models.Permissions.forge(fakePermissions));
});
Bumped sinon from 4.4.6 to 7.3.2 (#10400) refs #9389 - https://github.com/sinonjs/sinon/blob/master/CHANGELOG.md Breaking changes for Ghost: - no need to create a sandbox anymore, each file get's it's own sandbox - just require sinon and use this sandbox - you can still create separate sandboxes with .createSandbox - reset single stubs: use .resetHistory instead of .reset This is a global replace for any sandbox creation. --- From https://sinonjs.org/releases/v7.2.3/sandbox/ > Default sandbox > Since sinon@5.0.0, the sinon object is a default sandbox. Unless you have a very advanced setup or need a special configuration, you probably want to just use that one.
2019-01-21 19:53:44 +03:00
findPostSpy = sinon.stub(models.Post, 'findOne').callsFake(function () {
✨ Multiple authors (#9426) no issue This PR adds the server side logic for multiple authors. This adds the ability to add multiple authors per post. We keep and support single authors (maybe till the next major - this is still in discussion) ### key notes - `authors` are not fetched by default, only if we need them - the migration script iterates over all posts and figures out if an author_id is valid and exists (in master we can add invalid author_id's) and then adds the relation (falls back to owner if invalid) - ~~i had to push a fork of bookshelf to npm because we currently can't bump bookshelf + the two bugs i discovered are anyway not yet merged (https://github.com/kirrg001/bookshelf/commits/master)~~ replaced by new bookshelf release - the implementation of single & multiple authors lives in a single place (introduction of a new concept: model relation) - if you destroy an author, we keep the behaviour for now -> remove all posts where the primary author id matches. furthermore, remove all relations in posts_authors (e.g. secondary author) - we make re-use of the `excludeAttrs` concept which was invented in the contributors PR (to protect editing authors as author/contributor role) -> i've added a clear todo that we need a logic to make a diff of the target relation -> both for tags and authors - `authors` helper available (same as `tags` helper) - `primary_author` computed field available - `primary_author` functionality available (same as `primary_tag` e.g. permalinks, prev/next helper etc)
2018-03-27 17:16:15 +03:00
// @TODO: the test env has no concept of including relations
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
let post = models.Post.forge(testUtils.DataGenerator.Content.posts[0]);
let authors = [testUtils.DataGenerator.Content.users[0]];
✨ Multiple authors (#9426) no issue This PR adds the server side logic for multiple authors. This adds the ability to add multiple authors per post. We keep and support single authors (maybe till the next major - this is still in discussion) ### key notes - `authors` are not fetched by default, only if we need them - the migration script iterates over all posts and figures out if an author_id is valid and exists (in master we can add invalid author_id's) and then adds the relation (falls back to owner if invalid) - ~~i had to push a fork of bookshelf to npm because we currently can't bump bookshelf + the two bugs i discovered are anyway not yet merged (https://github.com/kirrg001/bookshelf/commits/master)~~ replaced by new bookshelf release - the implementation of single & multiple authors lives in a single place (introduction of a new concept: model relation) - if you destroy an author, we keep the behaviour for now -> remove all posts where the primary author id matches. furthermore, remove all relations in posts_authors (e.g. secondary author) - we make re-use of the `excludeAttrs` concept which was invented in the contributors PR (to protect editing authors as author/contributor role) -> i've added a clear todo that we need a logic to make a diff of the target relation -> both for tags and authors - `authors` helper available (same as `tags` helper) - `primary_author` computed field available - `primary_author` functionality available (same as `primary_tag` e.g. permalinks, prev/next helper etc)
2018-03-27 17:16:15 +03:00
post.related('authors').set(authors);
return Promise.resolve(post);
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
});
Bumped sinon from 4.4.6 to 7.3.2 (#10400) refs #9389 - https://github.com/sinonjs/sinon/blob/master/CHANGELOG.md Breaking changes for Ghost: - no need to create a sandbox anymore, each file get's it's own sandbox - just require sinon and use this sandbox - you can still create separate sandboxes with .createSandbox - reset single stubs: use .resetHistory instead of .reset This is a global replace for any sandbox creation. --- From https://sinonjs.org/releases/v7.2.3/sandbox/ > Default sandbox > Since sinon@5.0.0, the sinon object is a default sandbox. Unless you have a very advanced setup or need a special configuration, you probably want to just use that one.
2019-01-21 19:53:44 +03:00
findTagSpy = sinon.stub(models.Tag, 'findOne').callsFake(function () {
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
return Promise.resolve({});
});
});
afterEach(function () {
Bumped sinon from 4.4.6 to 7.3.2 (#10400) refs #9389 - https://github.com/sinonjs/sinon/blob/master/CHANGELOG.md Breaking changes for Ghost: - no need to create a sandbox anymore, each file get's it's own sandbox - just require sinon and use this sandbox - you can still create separate sandboxes with .createSandbox - reset single stubs: use .resetHistory instead of .reset This is a global replace for any sandbox creation. --- From https://sinonjs.org/releases/v7.2.3/sandbox/ > Default sandbox > Since sinon@5.0.0, the sinon object is a default sandbox. Unless you have a very advanced setup or need a special configuration, you probably want to just use that one.
2019-01-21 19:53:44 +03:00
sinon.restore();
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
});
/**
* Default test actionMap looks like this:
* {
* browse: [ 'post' ],
* edit: [ 'post', 'tag', 'user', 'page' ],
* add: [ 'post', 'user', 'page' ],
* destroy: [ 'post', 'user' ]
* }
*
* @param {object} options
* @return {Array|*}
*/
function loadFakePermissions(options) {
options = options || {};
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const fixturePermissions = _.cloneDeep(testUtils.DataGenerator.Content.permissions);
const extraPerm = {
name: 'test',
action_type: 'edit',
object_type: 'post'
};
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
if (options.extra) {
fixturePermissions.push(extraPerm);
}
return _.map(fixturePermissions, function (testPerm) {
return testUtils.DataGenerator.forKnex.createPermission(testPerm);
});
}
describe('CanThis', function () {
beforeEach(function () {
fakePermissions = loadFakePermissions();
return permissions.init();
});
it('canThisResult gets build properly', function () {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const canThisResult = permissions.canThis();
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
canThisResult.browse.should.be.an.Object();
canThisResult.browse.post.should.be.a.Function();
canThisResult.edit.should.be.an.Object();
canThisResult.edit.post.should.be.a.Function();
canThisResult.edit.tag.should.be.a.Function();
canThisResult.edit.user.should.be.a.Function();
canThisResult.edit.page.should.be.a.Function();
canThisResult.add.should.be.an.Object();
canThisResult.add.post.should.be.a.Function();
canThisResult.add.user.should.be.a.Function();
canThisResult.add.page.should.be.a.Function();
canThisResult.destroy.should.be.an.Object();
canThisResult.destroy.post.should.be.a.Function();
canThisResult.destroy.user.should.be.a.Function();
});
Remove External Apps - Apps are marked as removed in 3.0, never officially launched and have been deprecated for at least 2 years. - We've slowly removed bits that got in our way or were insecure over time meaning they mostly didn't work - This cleans up the remainder of the logic - The tables should be cleaned up in a future major
2020-03-19 18:23:10 +03:00
describe('Non user permissions', function () {
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
// TODO change to using fake models in tests!
// Permissions need to be NOT fundamentally baked into Ghost, but a separate module, at some point
// It can depend on bookshelf, but should NOT use hard coded model knowledge.
describe('with permissible calls (post model)', function () {
it('No context: does not allow edit post (no model)', function (done) {
permissions
.canThis() // no context
.edit
.post() // post id
.then(function () {
done(new Error('was able to edit post without permission'));
})
.catch(function (err) {
err.errorType.should.eql('NoPermissionError');
findPostSpy.callCount.should.eql(0);
done();
});
});
it('No context: does not allow edit post (model syntax)', function (done) {
permissions
.canThis() // no context
.edit
.post({id: 1}) // post id in model syntax
.then(function () {
done(new Error('was able to edit post without permission'));
})
.catch(function (err) {
err.errorType.should.eql('NoPermissionError');
findPostSpy.callCount.should.eql(1);
findPostSpy.firstCall.args[0].should.eql({id: 1, status: 'all'});
done();
});
});
it('No context: does not allow edit post (model ID syntax)', function (done) {
permissions
.canThis({}) // no context
.edit
.post(1) // post id using number syntax
.then(function () {
done(new Error('was able to edit post without permission'));
})
.catch(function (err) {
err.errorType.should.eql('NoPermissionError');
findPostSpy.callCount.should.eql(1);
findPostSpy.firstCall.args[0].should.eql({id: 1, status: 'all'});
done();
});
});
it('Internal context: instantly grants permissions', function (done) {
permissions
.canThis({internal: true}) // internal context
.edit
.post({id: 1}) // post id
.then(function () {
// We don't get this far, permissions are instantly granted for internal
findPostSpy.callCount.should.eql(0);
done();
})
.catch(function () {
done(new Error('Should allow editing post with { internal: true }'));
});
});
it('External context: does not grant permissions', function (done) {
permissions
.canThis({external: true}) // internal context
.edit
.post({id: 1}) // post id
.then(function () {
done(new Error('was able to edit post without permission'));
})
.catch(function (err) {
err.errorType.should.eql('NoPermissionError');
findPostSpy.callCount.should.eql(1);
findPostSpy.firstCall.args[0].should.eql({id: 1, status: 'all'});
done();
});
});
});
describe('without permissible (tag model)', function () {
it('No context: does not allow edit tag (model syntax)', function (done) {
permissions
.canThis() // no context
.edit
.tag({id: 1}) // tag id in model syntax
.then(function () {
done(new Error('was able to edit tag without permission'));
})
.catch(function (err) {
err.errorType.should.eql('NoPermissionError');
// We don't look up tags
findTagSpy.callCount.should.eql(0);
done();
});
});
it('Internal context: instantly grants permissions', function (done) {
permissions
.canThis({internal: true}) // internal context
.edit
.tag({id: 1}) // tag id
.then(function () {
// We don't look up tags
findTagSpy.callCount.should.eql(0);
done();
})
.catch(function () {
done(new Error('Should allow editing post with { internal: true }'));
});
});
it('External context: does not grant permissions', function (done) {
permissions
.canThis({external: true}) // external context
.edit
.tag({id: 1}) // tag id
.then(function () {
done(new Error('was able to edit tag without permission'));
})
.catch(function (err) {
err.errorType.should.eql('NoPermissionError');
findTagSpy.callCount.should.eql(0);
done();
});
});
});
});
describe('User-based permissions', function () {
// TODO change to using fake models in tests!
// Permissions need to be NOT fundamentally baked into Ghost, but a separate module, at some point
// It can depend on bookshelf, but should NOT use hard coded model knowledge.
// We use the tag model here because it doesn't have permissible, once that changes, these tests must also change
it('No permissions: cannot edit tag (no permissible function on model)', function (done) {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: [],
roles: undefined
});
});
permissions
.canThis({user: {}}) // user context
.edit
.tag({id: 1}) // tag id in model syntax
.then(function () {
done(new Error('was able to edit tag without permission'));
})
.catch(function (err) {
userProviderStub.callCount.should.eql(1);
err.errorType.should.eql('NoPermissionError');
done();
});
});
it('With permissions: can edit specific tag (no permissible function on model)', function (done) {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: models.Permissions.forge(testUtils.DataGenerator.Content.permissions).models,
roles: undefined
});
});
permissions
.canThis({user: {}}) // user context
.edit
.tag({id: 1}) // tag id in model syntax
.then(function (res) {
userProviderStub.callCount.should.eql(1);
should.not.exist(res);
done();
})
.catch(done);
});
it('With permissions: can edit non-specific tag (no permissible function on model)', function (done) {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: models.Permissions.forge(testUtils.DataGenerator.Content.permissions).models,
roles: undefined
});
});
permissions
.canThis({user: {}}) // user context
.edit
.tag() // tag id in model syntax
.then(function (res) {
userProviderStub.callCount.should.eql(1);
should.not.exist(res);
done();
})
.catch(done);
});
it('Specific permissions: can edit correct specific tag (no permissible function on model)', function (done) {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: models.Permissions.forge([
{
id: 'abc123',
name: 'test',
action_type: 'edit',
object_type: 'tag',
object_id: 1
}
]).models,
roles: undefined
});
});
permissions
.canThis({user: {}}) // user context
.edit
.tag({id: 1}) // tag id in model syntax
.then(function (res) {
userProviderStub.callCount.should.eql(1);
should.not.exist(res);
done();
})
.catch(done);
});
it('Specific permissions: cannot edit incorrect specific tag (no permissible function on model)', function (done) {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: models.Permissions.forge([
{
id: 'abc123',
name: 'test',
action_type: 'edit',
object_type: 'tag',
object_id: 1
}
]).models,
roles: undefined
});
});
permissions
.canThis({user: {}}) // user context
.edit
.tag({id: 10}) // tag id in model syntax
.then(function () {
done(new Error('was able to edit tag without permission'));
})
.catch(function (err) {
userProviderStub.callCount.should.eql(1);
err.errorType.should.eql('NoPermissionError');
done();
});
});
// @TODO fix this case - it makes no sense?!
it('Specific permissions: CAN edit non-specific tag (no permissible function on model) @TODO fix this', function (done) {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: models.Permissions.forge([
{
id: 'abc123',
name: 'test',
action_type: 'edit',
object_type: 'tag',
object_id: 1
}
]).models,
roles: undefined
});
});
permissions
.canThis({user: {}}) // user context
.edit
.tag() // tag id in model syntax
.then(function (res) {
userProviderStub.callCount.should.eql(1);
should.not.exist(res);
done();
})
.catch(done);
});
it('With owner role: can edit tag (no permissible function on model)', function (done) {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: [],
// This should be JSON, so no need to run it through the model layer. 3 === owner
roles: [testUtils.DataGenerator.Content.roles[3]]
});
});
permissions
.canThis({user: {}}) // user context
.edit
.tag({id: 1}) // tag id in model syntax
.then(function (res) {
userProviderStub.callCount.should.eql(1);
should.not.exist(res);
done();
})
.catch(done);
});
});
Updated permissions service to handle api keys (#9967) refs #9865 - Enabled the permissions module to lookup permissions based on an api_key id. - Updated the "can this" part of the permissions service to load permissions for any api key in the context, and correctly use that to determine whether an action is permissible. It also updates the permissible interface that models can implement to pass in the hasApiKeyPermissions param.
2019-01-18 14:17:12 +03:00
describe('API Key-based permissions', function () {
// TODO change to using fake models in tests!
// Permissions need to be NOT fundamentally baked into Ghost, but a separate module, at some point
// It can depend on bookshelf, but should NOT use hard coded model knowledge.
// We use the tag model here because it doesn't have permissible, once that changes, these tests must also change
it('With permissions: can edit non-specific tag (no permissible function on model)', function (done) {
Bumped sinon from 4.4.6 to 7.3.2 (#10400) refs #9389 - https://github.com/sinonjs/sinon/blob/master/CHANGELOG.md Breaking changes for Ghost: - no need to create a sandbox anymore, each file get's it's own sandbox - just require sinon and use this sandbox - you can still create separate sandboxes with .createSandbox - reset single stubs: use .resetHistory instead of .reset This is a global replace for any sandbox creation. --- From https://sinonjs.org/releases/v7.2.3/sandbox/ > Default sandbox > Since sinon@5.0.0, the sinon object is a default sandbox. Unless you have a very advanced setup or need a special configuration, you probably want to just use that one.
2019-01-21 19:53:44 +03:00
const apiKeyProviderStub = sinon.stub(providers, 'apiKey').callsFake(() => {
Updated permissions service to handle api keys (#9967) refs #9865 - Enabled the permissions module to lookup permissions based on an api_key id. - Updated the "can this" part of the permissions service to load permissions for any api key in the context, and correctly use that to determine whether an action is permissible. It also updates the permissible interface that models can implement to pass in the hasApiKeyPermissions param.
2019-01-18 14:17:12 +03:00
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: models.Permissions.forge(testUtils.DataGenerator.Content.permissions).models,
// This should be JSON, so no need to run it through the model layer. 5 === admin api key
roles: [testUtils.DataGenerator.Content.roles[5]]
});
});
Changed context.api_key_id to an object containing key type information refs #9865 - Changed id passed for api_key to an object to be able to differenciate between admin and content api requests - Added integration id to frame context - Small refactoring of frame context initialization
2019-01-24 17:19:34 +03:00
permissions.canThis({api_key: {
id: 123
}}) // api key context
Updated permissions service to handle api keys (#9967) refs #9865 - Enabled the permissions module to lookup permissions based on an api_key id. - Updated the "can this" part of the permissions service to load permissions for any api key in the context, and correctly use that to determine whether an action is permissible. It also updates the permissible interface that models can implement to pass in the hasApiKeyPermissions param.
2019-01-18 14:17:12 +03:00
.edit
.tag({id: 1}) // tag id in model syntax
.then(function (res) {
apiKeyProviderStub.callCount.should.eql(1);
should.not.exist(res);
done();
})
.catch(done);
});
});
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
});
describe('permissible (overridden)', function () {
it('can use permissible function on model to forbid something (post model)', function (done) {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: models.Permissions.forge(testUtils.DataGenerator.Content.permissions).models,
roles: undefined
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
});
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
});
const permissibleStub = sinon.stub(models.Post, 'permissible').callsFake(function () {
return Promise.reject({message: 'Hello World!'});
});
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
permissions
.canThis({user: {}}) // user context
.edit
.post({id: 1}) // tag id in model syntax
.then(function () {
done(new Error('was able to edit post without permission'));
})
.catch(function (err) {
permissibleStub.callCount.should.eql(1);
Remove External Apps - Apps are marked as removed in 3.0, never officially launched and have been deprecated for at least 2 years. - We've slowly removed bits that got in our way or were insecure over time meaning they mostly didn't work - This cleans up the remainder of the logic - The tables should be cleaned up in a future major
2020-03-19 18:23:10 +03:00
permissibleStub.firstCall.args.should.have.lengthOf(7);
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
permissibleStub.firstCall.args[0].should.eql(1);
permissibleStub.firstCall.args[1].should.eql('edit');
permissibleStub.firstCall.args[2].should.be.an.Object();
permissibleStub.firstCall.args[3].should.be.an.Object();
permissibleStub.firstCall.args[4].should.be.an.Object();
permissibleStub.firstCall.args[5].should.be.true();
permissibleStub.firstCall.args[6].should.be.true();
userProviderStub.callCount.should.eql(1);
err.message.should.eql('Hello World!');
done();
});
});
it('can use permissible function on model to allow something (post model)', function (done) {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: models.Permissions.forge(testUtils.DataGenerator.Content.permissions).models,
roles: undefined
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
});
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
});
const permissibleStub = sinon.stub(models.Post, 'permissible').callsFake(function () {
return Promise.resolve();
});
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
permissions
.canThis({user: {}}) // user context
.edit
.post({id: 1}) // tag id in model syntax
.then(function (res) {
permissibleStub.callCount.should.eql(1);
Remove External Apps - Apps are marked as removed in 3.0, never officially launched and have been deprecated for at least 2 years. - We've slowly removed bits that got in our way or were insecure over time meaning they mostly didn't work - This cleans up the remainder of the logic - The tables should be cleaned up in a future major
2020-03-19 18:23:10 +03:00
permissibleStub.firstCall.args.should.have.lengthOf(7);
Permissions: minor refactors (#9104) refs #9043 - Cleanups / refactors to make the code more manageable - Move remaining code out of index.js - Only "init" function is left. Actions map cache and init function is based heavily on the settings cache module - refactor the odd way of exporting - This was cleaned up naturally by moving the actionsMap object out - rename "effective" -> "providers" - "Providers" provide permissions for different things that can have permissions (users, apps, in future clients).
2017-10-05 22:01:34 +03:00
permissibleStub.firstCall.args[0].should.eql(1);
permissibleStub.firstCall.args[1].should.eql('edit');
permissibleStub.firstCall.args[2].should.be.an.Object();
permissibleStub.firstCall.args[3].should.be.an.Object();
permissibleStub.firstCall.args[4].should.be.an.Object();
permissibleStub.firstCall.args[5].should.be.true();
permissibleStub.firstCall.args[6].should.be.true();
userProviderStub.callCount.should.eql(1);
should.not.exist(res);
done();
})
.catch(done);
});
});
});
Reference in New Issue Copy Permalink