Ghost/core/server/api/v0.1/roles.js

// # Roles API
// RESTful API for the Role resource
const Promise = require('bluebird'),
    pipeline = require('../../lib/promise/pipeline'),
    localUtils = require('./utils'),
    canThis = require('../../services/permissions').canThis,
    models = require('../../models'),
    docName = 'roles';

let roles;

/**
 * ## Roles API Methods
 *
 * **See:** [API Methods](constants.js.html#api%20methods)
 */
roles = {
    /**
     * ### Browse
     * Find all roles
     *
     * If a 'permissions' property is passed in the options object then
     * the results will be filtered based on whether or not the context user has the given
     * permission on a role.
     *
     *
     * @public
     * @param {{context, permissions}} options (optional)
     * @returns {Promise(Roles)} Roles Collection
     */
    browse(options) {
        let permittedOptions = ['permissions'],
            tasks;

        /**
         * ### Model Query
         * Make the call to the Model layer
         * @param {Object} options
         * @returns {Object} options
         */
        function modelQuery(options) {
            return models.Role.findAll(options)
                .then((models) => {
                    let roles = models.map((role) => {
                        return role.toJSON();
                    });

                    if (options.permissions !== 'assign') {
                        return {roles: roles};
                    }

                    return Promise.filter(roles.map((role) => {
                        return canThis(options.context).assign.role(role)
                            .return(role)
                            .catch(() => {});
                    }), (value) => {
                        return value && value.name !== 'Owner';
                    }).then((roles) => {
                        return {
                            roles: roles
                        };
                    });
                });
        }

        // Push all of our tasks into a `tasks` array in the correct order
        tasks = [
            localUtils.validate(docName, {opts: permittedOptions}),
            localUtils.convertOptions(),
            localUtils.handlePermissions(docName, 'browse'),
            modelQuery
        ];

        // Pipeline calls each task passing the result of one to be the arguments for the next
        return pipeline(tasks, options);
    }
};

module.exports = roles;
Improve handling of users and roles in admin Closes #3083 Refs #3229 - Populates the dropdown list in the invite user menu with the list of roles a user is permitted to create. - Users API now checks the invite user request for allowed roles. - Change API response from 200 to 201 on successful invitation. - Change API response from 500 to 201 when the user was created but the email was not sent. The client will show a warning notification when it sees 'invite-pending' as the new user's status. - Add support for "?status=all" to the /users endpoint. - Refactor the route and controller for the /settings/users page so that there's only one network API call to load users instead of two. 2014-07-23 10:13:20 +04:00			`// # Roles API`
			`// RESTful API for the Role resource`
ES6 migration: server/api/ (#9876) refs #9589 2018-09-18 16:59:56 +03:00			`const Promise = require('bluebird'),`
Moved api controllers into api/v0.1 (#9918) refs #9866 - preparation for v2 - moved api/ to api/v0.1 - do export v0.1 straight from the api folder, we don't want to touch this right now - that means currently if you require the api folder, we return v0.1 by default - there were some direct requires of api files in the test env - some of them use rewire - for now, we just correct the require path to require api/v0.1/ - we touch the test env next week Docs about V2 design are coming soon! 2018-09-27 17:06:57 +03:00			`pipeline = require('../../lib/promise/pipeline'),`
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns 2017-12-14 00:14:19 +03:00			`localUtils = require('./utils'),`
Moved api controllers into api/v0.1 (#9918) refs #9866 - preparation for v2 - moved api/ to api/v0.1 - do export v0.1 straight from the api folder, we don't want to touch this right now - that means currently if you require the api folder, we return v0.1 by default - there were some direct requires of api files in the test env - some of them use rewire - for now, we just correct the require path to require api/v0.1/ - we touch the test env next week Docs about V2 design are coming soon! 2018-09-27 17:06:57 +03:00			`canThis = require('../../services/permissions').canThis,`
			`models = require('../../models'),`
ES6 migration: server/api/ (#9876) refs #9589 2018-09-18 16:59:56 +03:00			`docName = 'roles';`
Added /roles/ API endpoint Closes #3196 * adds `/roles/` endpoint * is given the current user as context * wraps everything in a canthis.browse.role * gets all the available roles (should "Owner" be filtered out?) * optional parameter: `permission=assign`. Gets all roles authenticated user could assign * if we're not signed in, gives a "please sign in" (standard) error * if we're signed in, but user is not in the context, gives a "there was no user in the context" error * if the user is an "Author", gives a "there are no available roles to assign" error * implemented hacky filter because when.js produces heisenbugs past 3.2.3 (when.filter not available) * added extra fixtures to `permissions.json`. Might need a migration. Caveats: * there are no tests * for some reason the setup functional test was failing for me locally 2014-07-15 19:22:06 +04:00
ES6 migration: server/api/ (#9876) refs #9589 2018-09-18 16:59:56 +03:00			`let roles;`
Added /roles/ API endpoint Closes #3196 * adds `/roles/` endpoint * is given the current user as context * wraps everything in a canthis.browse.role * gets all the available roles (should "Owner" be filtered out?) * optional parameter: `permission=assign`. Gets all roles authenticated user could assign * if we're not signed in, gives a "please sign in" (standard) error * if we're signed in, but user is not in the context, gives a "there was no user in the context" error * if the user is an "Author", gives a "there are no available roles to assign" error * implemented hacky filter because when.js produces heisenbugs past 3.2.3 (when.filter not available) * added extra fixtures to `permissions.json`. Might need a migration. Caveats: * there are no tests * for some reason the setup functional test was failing for me locally 2014-07-15 19:22:06 +04:00
			`/**`
			`* ## Roles API Methods`
			`*`
Moved utils constants to lib/constants refs #9178 2017-12-14 16:13:40 +03:00			`* See: [API Methods](constants.js.html#api%20methods)`
Added /roles/ API endpoint Closes #3196 * adds `/roles/` endpoint * is given the current user as context * wraps everything in a canthis.browse.role * gets all the available roles (should "Owner" be filtered out?) * optional parameter: `permission=assign`. Gets all roles authenticated user could assign * if we're not signed in, gives a "please sign in" (standard) error * if we're signed in, but user is not in the context, gives a "there was no user in the context" error * if the user is an "Author", gives a "there are no available roles to assign" error * implemented hacky filter because when.js produces heisenbugs past 3.2.3 (when.filter not available) * added extra fixtures to `permissions.json`. Might need a migration. Caveats: * there are no tests * for some reason the setup functional test was failing for me locally 2014-07-15 19:22:06 +04:00			`*/`
			`roles = {`
			`/**`
			`* ### Browse`
			`* Find all roles`
			`*`
Improve handling of users and roles in admin Closes #3083 Refs #3229 - Populates the dropdown list in the invite user menu with the list of roles a user is permitted to create. - Users API now checks the invite user request for allowed roles. - Change API response from 200 to 201 on successful invitation. - Change API response from 500 to 201 when the user was created but the email was not sent. The client will show a warning notification when it sees 'invite-pending' as the new user's status. - Add support for "?status=all" to the /users endpoint. - Refactor the route and controller for the /settings/users page so that there's only one network API call to load users instead of two. 2014-07-23 10:13:20 +04:00			`* If a 'permissions' property is passed in the options object then`
			`* the results will be filtered based on whether or not the context user has the given`
			`* permission on a role.`
Added /roles/ API endpoint Closes #3196 * adds `/roles/` endpoint * is given the current user as context * wraps everything in a canthis.browse.role * gets all the available roles (should "Owner" be filtered out?) * optional parameter: `permission=assign`. Gets all roles authenticated user could assign * if we're not signed in, gives a "please sign in" (standard) error * if we're signed in, but user is not in the context, gives a "there was no user in the context" error * if the user is an "Author", gives a "there are no available roles to assign" error * implemented hacky filter because when.js produces heisenbugs past 3.2.3 (when.filter not available) * added extra fixtures to `permissions.json`. Might need a migration. Caveats: * there are no tests * for some reason the setup functional test was failing for me locally 2014-07-15 19:22:06 +04:00			`*`
			`*`
			`* @public`
Improve handling of users and roles in admin Closes #3083 Refs #3229 - Populates the dropdown list in the invite user menu with the list of roles a user is permitted to create. - Users API now checks the invite user request for allowed roles. - Change API response from 200 to 201 on successful invitation. - Change API response from 500 to 201 when the user was created but the email was not sent. The client will show a warning notification when it sees 'invite-pending' as the new user's status. - Add support for "?status=all" to the /users endpoint. - Refactor the route and controller for the /settings/users page so that there's only one network API call to load users instead of two. 2014-07-23 10:13:20 +04:00			`* @param {{context, permissions}} options (optional)`
Added /roles/ API endpoint Closes #3196 * adds `/roles/` endpoint * is given the current user as context * wraps everything in a canthis.browse.role * gets all the available roles (should "Owner" be filtered out?) * optional parameter: `permission=assign`. Gets all roles authenticated user could assign * if we're not signed in, gives a "please sign in" (standard) error * if we're signed in, but user is not in the context, gives a "there was no user in the context" error * if the user is an "Author", gives a "there are no available roles to assign" error * implemented hacky filter because when.js produces heisenbugs past 3.2.3 (when.filter not available) * added extra fixtures to `permissions.json`. Might need a migration. Caveats: * there are no tests * for some reason the setup functional test was failing for me locally 2014-07-15 19:22:06 +04:00			`* @returns {Promise(Roles)} Roles Collection`
			`*/`
ES6 migration: server/api/ (#9876) refs #9589 2018-09-18 16:59:56 +03:00			`browse(options) {`
			`let permittedOptions = ['permissions'],`
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option 2015-07-01 21:17:56 +03:00			`tasks;`
Added /roles/ API endpoint Closes #3196 * adds `/roles/` endpoint * is given the current user as context * wraps everything in a canthis.browse.role * gets all the available roles (should "Owner" be filtered out?) * optional parameter: `permission=assign`. Gets all roles authenticated user could assign * if we're not signed in, gives a "please sign in" (standard) error * if we're signed in, but user is not in the context, gives a "there was no user in the context" error * if the user is an "Author", gives a "there are no available roles to assign" error * implemented hacky filter because when.js produces heisenbugs past 3.2.3 (when.filter not available) * added extra fixtures to `permissions.json`. Might need a migration. Caveats: * there are no tests * for some reason the setup functional test was failing for me locally 2014-07-15 19:22:06 +04:00
Pipeline roles and slugs API refs #5508 2015-07-02 17:38:31 +03:00			`/**`
			`* ### Model Query`
			`* Make the call to the Model layer`
			`* @param {Object} options`
			`* @returns {Object} options`
			`*/`
			`function modelQuery(options) {`
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently 2017-09-27 11:31:41 +03:00			`return models.Role.findAll(options)`
ES6 migration: server/api/ (#9876) refs #9589 2018-09-18 16:59:56 +03:00			`.then((models) => {`
			`let roles = models.map((role) => {`
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently 2017-09-27 11:31:41 +03:00			`return role.toJSON();`
			`});`

			`if (options.permissions !== 'assign') {`
			`return {roles: roles};`
			`}`

ES6 migration: server/api/ (#9876) refs #9589 2018-09-18 16:59:56 +03:00			`return Promise.filter(roles.map((role) => {`
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently 2017-09-27 11:31:41 +03:00			`return canThis(options.context).assign.role(role)`
			`.return(role)`
ES6 migration: server/api/ (#9876) refs #9589 2018-09-18 16:59:56 +03:00			`.catch(() => {});`
			`}), (value) => {`
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently 2017-09-27 11:31:41 +03:00			`return value && value.name !== 'Owner';`
ES6 migration: server/api/ (#9876) refs #9589 2018-09-18 16:59:56 +03:00			`}).then((roles) => {`
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently 2017-09-27 11:31:41 +03:00			`return {`
			`roles: roles`
			`};`
			`});`
			`});`
Pipeline roles and slugs API refs #5508 2015-07-02 17:38:31 +03:00			`}`

			// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option 2015-07-01 21:17:56 +03:00			`tasks = [`
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns 2017-12-14 00:14:19 +03:00			`localUtils.validate(docName, {opts: permittedOptions}),`
Sorted out the mixed usages of `include` and `withRelated` (#9425) no issue - this commit cleans up the usages of `include` and `withRelated`. ### API layer (`include`) - as request parameter e.g. `?include=roles,tags` - as theme API parameter e.g. `{{get .... include="author"}}` - as internal API access e.g. `api.posts.browse({include: 'author,tags'})` - the `include` notation is more readable than `withRelated` - and it allows us to use a different easier format (comma separated list) - the API utility transforms these more readable properties into model style (or into Ghost style) ### Model access (`withRelated`) - e.g. `models.Post.findPage({withRelated: ['tags']})` - driven by bookshelf --- Commits explained. * Reorder the usage of `convertOptions` - 1. validation - 2. options convertion - 3. permissions - the reason is simple, the permission layer access the model layer - we have to prepare the options before talking to the model layer - added `convertOptions` where it was missed (not required, but for consistency reasons) * Use `withRelated` when accessing the model layer and use `include` when accessing the API layer * Change `convertOptions` API utiliy - API Usage - ghost.api(..., {include: 'tags,authors'}) - `include` should only be used when calling the API (either via request or via manual usage) - `include` is only for readability and easier format - Ghost (Model Layer Usage) - models.Post.findOne(..., {withRelated: ['tags', 'authors']}) - should only use `withRelated` - model layer cannot read 'tags,authors` - model layer has no idea what `include` means, speaks a different language - `withRelated` is bookshelf - internal usage * include-count plugin: use `withRelated` instead of `include` - imagine you outsource this plugin to git and publish it to npm - `include` is an unknown option in bookshelf * Updated `permittedOptions` in base model - `include` is no longer a known option * Remove all occurances of `include` in the model layer * Extend `filterOptions` base function - this function should be called as first action - we clone the unfiltered options - check if you are using `include` (this is a protection which could help us in the beginning) - check for permitted and (later on default `withRelated`) options - the usage is coming in next commit * Ensure we call `filterOptions` as first action - use `ghostBookshelf.Model.filterOptions` as first action - consistent naming pattern for incoming options: `unfilteredOptions` - re-added allowed options for `toJSON` - one unsolved architecture problem: - if you override a function e.g. `edit` - then you should call `filterOptions` as first action - the base implementation of e.g. `edit` will call it again - future improvement * Removed `findOne` from Invite model - no longer needed, the base implementation is the same 2018-02-15 12:53:53 +03:00			`localUtils.convertOptions(),`
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns 2017-12-14 00:14:19 +03:00			`localUtils.handlePermissions(docName, 'browse'),`
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option 2015-07-01 21:17:56 +03:00			`modelQuery`
			`];`
Pipeline roles and slugs API refs #5508 2015-07-02 17:38:31 +03:00
			`// Pipeline calls each task passing the result of one to be the arguments for the next`
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently 2017-09-27 11:31:41 +03:00			`return pipeline(tasks, options);`
Added /roles/ API endpoint Closes #3196 * adds `/roles/` endpoint * is given the current user as context * wraps everything in a canthis.browse.role * gets all the available roles (should "Owner" be filtered out?) * optional parameter: `permission=assign`. Gets all roles authenticated user could assign * if we're not signed in, gives a "please sign in" (standard) error * if we're signed in, but user is not in the context, gives a "there was no user in the context" error * if the user is an "Author", gives a "there are no available roles to assign" error * implemented hacky filter because when.js produces heisenbugs past 3.2.3 (when.filter not available) * added extra fixtures to `permissions.json`. Might need a migration. Caveats: * there are no tests * for some reason the setup functional test was failing for me locally 2014-07-15 19:22:06 +04:00			`}`
			`};`

			`module.exports = roles;`