TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-14 09:52:09 +03:00
Code Issues Projects Releases Wiki Activity
cf0835c829
Ghost/core/server/models/user.js

831 lines
32 KiB
JavaScript
Raw Normal View History

Improvements for models #closes #1655 - removed models as parameter for bookshelf-session - changed to read permittedAttributes from schema.js - changed updateTags to be executed at saved event - added validate to execute after saving event - added test for published_at = null (see #2015) - fixed typo in general.hbs
2014-02-19 17:57:26 +04:00
var _ = require('lodash'),
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
Promise = require('bluebird'),
Add distinct error classes closes #2690 - added new error classes - moved errorhandling.js to /errors/index.js - changed API errors to use new classes - updated tests
2014-05-09 14:11:29 +04:00
errors = require('../errors'),
URL safe base64 encoding closes #3872 - updated base64 escaping to respect + and \ - updated base64 escaping to remove = during transport - updated tests
2014-12-01 18:59:49 +03:00
utils = require('../utils'),
Refactor gravatarLookup, remove request dependency no issue - request is quite a heavy dependency - we were only using request in 3 places: a test, storing contrib images in the gruntfile & the gravatar lookup - all 3 are relatively simple to do with the http/https module - refactored all 3, removed request
2016-02-12 23:04:26 +03:00
gravatar = require('../utils/gravatar'),
Replace nodejs-bcrypt with bcryptjs * https://github.com/shaneGirish/bcrypt-nodejs * https://github.com/dcodeIO/bcrypt.js
2013-10-23 17:00:28 +04:00
bcrypt = require('bcryptjs'),
Updating to bookshelf 0.5.7 & knex 0.4.11
2013-09-23 02:20:08 +04:00
ghostBookshelf = require('./base'),
Improve password reset token no issue - added check that a combination of email + expires is rejected after 10 attempts - changed comparison to time independent method Thanks to @chiiph for reporting this issue!
2014-01-30 16:27:29 +04:00
crypto = require('crypto'),
Add validation from schema.js closes #1401 - added data/validation/index.js - added generic validation for length - added generic validation for nullable - added validations object to schema.js for custom validation - removed pyramid of doom from api/db.js
2014-02-19 21:32:23 +04:00
validator = require('validator'),
Disable user validation and errors on login fixes #3658 - Catch any errors from user.save() events during login - Prevent validation from happening at all when only updating status/last_login - Fixes a problem I introduced with errors which are arrays in logError
2014-08-07 21:50:23 +04:00
validation = require('../data/validation'),
Refactor sitemaps to use centralised events fixes #5104, refs #4348, #2263 - Create a centralised event module - Hook it up for posts, pages, tags and users - Use it in sitemaps instead of direct method calls - Use it for xmlrpc calls - Check events are fired in model tests - Update sitemap tests to work with new code - Fix a bug where invited users were appearing in sitemaps - Move sitemaps and xmlrpc into a directory together
2015-03-24 23:23:23 +03:00
events = require('../events'),
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
i18n = require('../i18n'),
Revert "Force UTC at process level"
2016-06-02 16:38:02 +03:00
toString = require('lodash.tostring'),
Improve password reset token no issue - added check that a combination of email + expires is rejected after 10 attempts - changed comparison to time independent method Thanks to @chiiph for reporting this issue!
2014-01-30 16:27:29 +04:00
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
bcryptGenSalt = Promise.promisify(bcrypt.genSalt),
bcryptHash = Promise.promisify(bcrypt.hash),
bcryptCompare = Promise.promisify(bcrypt.compare),
Improvements for models #closes #1655 - removed models as parameter for bookshelf-session - changed to read permittedAttributes from schema.js - changed updateTags to be executed at saved event - added validate to execute after saving event - added test for published_at = null (see #2015) - fixed typo in general.hbs
2014-02-19 17:57:26 +04:00
tokenSecurity = {},
Changing User.read API to default to active users. refs #3542 - Properly handle forgotten screen (ember) - Change Users API to only return active users on read - Adjust tests
2014-08-05 22:11:17 +04:00
activeStates = ['active', 'warn-1', 'warn-2', 'warn-3', 'warn-4', 'locked'],
invitedStates = ['invited', 'invited-pending'],
Improvements for models #closes #1655 - removed models as parameter for bookshelf-session - changed to read permittedAttributes from schema.js - changed updateTags to be executed at saved event - added validate to execute after saving event - added test for published_at = null (see #2015) - fixed typo in general.hbs
2014-02-19 17:57:26 +04:00
User,
Users;
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
Validation consistency - introduced validation method in the post and user model - moved signup validation onto model - consistent use of validation & error messaging in the admin UI - helper methods in base view moved to a utils object
2013-08-20 22:52:44 +04:00
function validatePasswordLength(password) {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
return validator.isLength(password, 8);
Validation consistency - introduced validation method in the post and user model - moved signup validation onto model - consistent use of validation & error messaging in the admin UI - helper methods in base view moved to a utils object
2013-08-20 22:52:44 +04:00
}
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
function generatePasswordHash(password) {
// Generate a new salt
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
return bcryptGenSalt().then(function (salt) {
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
// Hash the provided password with bcrypt
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
return bcryptHash(password, salt);
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
});
}
Updating to bookshelf 0.5.7 & knex 0.4.11
2013-09-23 02:20:08 +04:00
User = ghostBookshelf.Model.extend({
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
tableName: 'users',
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
emitChange: function emitChange(event) {
Refactor sitemaps to use centralised events fixes #5104, refs #4348, #2263 - Create a centralised event module - Hook it up for posts, pages, tags and users - Use it in sitemaps instead of direct method calls - Use it for xmlrpc calls - Check events are fired in model tests - Update sitemap tests to work with new code - Fix a bug where invited users were appearing in sitemaps - Move sitemaps and xmlrpc into a directory together
2015-03-24 23:23:23 +03:00
events.emit('user' + '.' + event, this);
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
initialize: function initialize() {
Generate sitemap files Closes #623 - Add basic init and eventing scaffold - Add sitemap-index.xml generation - Broke out generators to individual files, added request handler - Add page, author and tag xml files; add index mapping - Add SiteMapManager unit tests - Add Generators tests - Cache invalidation headers for sitemap-*.xml - Redirect sitemap.xml to index and rename to sitemap-index - Handle page convert and publish/draft changes - Add very basic functional test for route existence - Add cache headers to sitemap routes
2014-10-28 03:41:18 +03:00
ghostBookshelf.Model.prototype.initialize.apply(this, arguments);
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
this.on('created', function onCreated(model) {
Refactor sitemaps to use centralised events fixes #5104, refs #4348, #2263 - Create a centralised event module - Hook it up for posts, pages, tags and users - Use it in sitemaps instead of direct method calls - Use it for xmlrpc calls - Check events are fired in model tests - Update sitemap tests to work with new code - Fix a bug where invited users were appearing in sitemaps - Move sitemaps and xmlrpc into a directory together
2015-03-24 23:23:23 +03:00
model.emitChange('added');
// active is the default state, so if status isn't provided, this will be an active user
if (!model.get('status') || _.contains(activeStates, model.get('status'))) {
model.emitChange('activated');
}
Generate sitemap files Closes #623 - Add basic init and eventing scaffold - Add sitemap-index.xml generation - Broke out generators to individual files, added request handler - Add page, author and tag xml files; add index mapping - Add SiteMapManager unit tests - Add Generators tests - Cache invalidation headers for sitemap-*.xml - Redirect sitemap.xml to index and rename to sitemap-index - Handle page convert and publish/draft changes - Add very basic functional test for route existence - Add cache headers to sitemap routes
2014-10-28 03:41:18 +03:00
});
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
this.on('updated', function onUpdated(model) {
Refactor sitemaps to use centralised events fixes #5104, refs #4348, #2263 - Create a centralised event module - Hook it up for posts, pages, tags and users - Use it in sitemaps instead of direct method calls - Use it for xmlrpc calls - Check events are fired in model tests - Update sitemap tests to work with new code - Fix a bug where invited users were appearing in sitemaps - Move sitemaps and xmlrpc into a directory together
2015-03-24 23:23:23 +03:00
model.statusChanging = model.get('status') !== model.updated('status');
model.isActive = _.contains(activeStates, model.get('status'));
if (model.statusChanging) {
model.emitChange(model.isActive ? 'activated' : 'deactivated');
} else {
if (model.isActive) {
model.emitChange('activated.edited');
}
}
model.emitChange('edited');
Generate sitemap files Closes #623 - Add basic init and eventing scaffold - Add sitemap-index.xml generation - Broke out generators to individual files, added request handler - Add page, author and tag xml files; add index mapping - Add SiteMapManager unit tests - Add Generators tests - Cache invalidation headers for sitemap-*.xml - Redirect sitemap.xml to index and rename to sitemap-index - Handle page convert and publish/draft changes - Add very basic functional test for route existence - Add cache headers to sitemap routes
2014-10-28 03:41:18 +03:00
});
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
this.on('destroyed', function onDestroyed(model) {
Refactor sitemaps to use centralised events fixes #5104, refs #4348, #2263 - Create a centralised event module - Hook it up for posts, pages, tags and users - Use it in sitemaps instead of direct method calls - Use it for xmlrpc calls - Check events are fired in model tests - Update sitemap tests to work with new code - Fix a bug where invited users were appearing in sitemaps - Move sitemaps and xmlrpc into a directory together
2015-03-24 23:23:23 +03:00
if (_.contains(activeStates, model.previous('status'))) {
model.emitChange('deactivated');
}
model.emitChange('deleted');
Generate sitemap files Closes #623 - Add basic init and eventing scaffold - Add sitemap-index.xml generation - Broke out generators to individual files, added request handler - Add page, author and tag xml files; add index mapping - Add SiteMapManager unit tests - Add Generators tests - Cache invalidation headers for sitemap-*.xml - Redirect sitemap.xml to index and rename to sitemap-index - Handle page convert and publish/draft changes - Add very basic functional test for route existence - Add cache headers to sitemap routes
2014-10-28 03:41:18 +03:00
});
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
saving: function saving(newPage, attr, options) {
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 20:00:59 +04:00
/*jshint unused:false*/
Ensure generateSlug gets transaction for tags fixes #2460 - add transacting to tag saving - add same to users while we're here
2014-03-25 14:59:15 +04:00
Set migrations to use new 000 schema issue #632 - removed old schemas - updated base model to reflect all of the consistent behaviours and properties across the models - updated all models to match the new schema TODO - no fixtures are currently loaded except settings - need to rename properties across the codebase
2013-09-14 23:01:46 +04:00
var self = this;
Agressive stripping of the model attributes - fixes #517 - prevents this from occuring again in future with other relations - validation function & stripping done for all models - casper test for flow, plus validation & logged out tests
2013-08-25 14:49:31 +04:00
Improvements for models #closes #1655 - removed models as parameter for bookshelf-session - changed to read permittedAttributes from schema.js - changed updateTags to be executed at saved event - added validate to execute after saving event - added test for published_at = null (see #2015) - fixed typo in general.hbs
2014-02-19 17:57:26 +04:00
ghostBookshelf.Model.prototype.saving.apply(this, arguments);
Set migrations to use new 000 schema issue #632 - removed old schemas - updated base model to reflect all of the consistent behaviours and properties across the models - updated all models to match the new schema TODO - no fixtures are currently loaded except settings - need to rename properties across the codebase
2013-09-14 23:01:46 +04:00
Ensure generateSlug gets transaction for tags fixes #2460 - add transacting to tag saving - add same to users while we're here
2014-03-25 14:59:15 +04:00
if (this.hasChanged('slug') || !this.get('slug')) {
Set migrations to use new 000 schema issue #632 - removed old schemas - updated base model to reflect all of the consistent behaviours and properties across the models - updated all models to match the new schema TODO - no fixtures are currently loaded except settings - need to rename properties across the codebase
2013-09-14 23:01:46 +04:00
// Generating a slug requires a db call to look for conflicting slugs
Ensure generateSlug gets transaction for tags fixes #2460 - add transacting to tag saving - add same to users while we're here
2014-03-25 14:59:15 +04:00
return ghostBookshelf.Model.generateSlug(User, this.get('slug') || this.get('name'),
Check all users when generating slug No Issue - Set 'status: all` when calling generateSlug from the user model so that all user slugs are checked for duplicates instead of only active users.
2015-01-16 09:56:53 +03:00
{status: 'all', transacting: options.transacting, shortSlug: !this.get('slug')})
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
.then(function then(slug) {
Set migrations to use new 000 schema issue #632 - removed old schemas - updated base model to reflect all of the consistent behaviours and properties across the models - updated all models to match the new schema TODO - no fixtures are currently loaded except settings - need to rename properties across the codebase
2013-09-14 23:01:46 +04:00
self.set({slug: slug});
});
}
Escaping several fields to prevent XSS issue #938 - escapes post's title field - escapes settings title, description, email - escapes user's name field - includes test for post title
2013-10-07 21:02:57 +04:00
},
Disable user validation and errors on login fixes #3658 - Catch any errors from user.save() events during login - Prevent validation from happening at all when only updating status/last_login - Fixes a problem I introduced with errors which are arrays in logError
2014-08-07 21:50:23 +04:00
// For the user model ONLY it is possible to disable validations.
// This is used to bypass validation during the credential check, and must never be done with user-provided data
// Should be removed when #3691 is done
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
validate: function validate() {
Provide entire model to validator Closes #6491
2016-02-18 02:02:16 +03:00
var opts = arguments[1],
userData;
Disable user validation and errors on login fixes #3658 - Catch any errors from user.save() events during login - Prevent validation from happening at all when only updating status/last_login - Fixes a problem I introduced with errors which are arrays in logError
2014-08-07 21:50:23 +04:00
if (opts && _.has(opts, 'validate') && opts.validate === false) {
return;
}
Provide entire model to validator Closes #6491
2016-02-18 02:02:16 +03:00
// use the base toJSON since this model's overridden toJSON
// removes fields and we want everything to run through the validator.
userData = ghostBookshelf.Model.prototype.toJSON.call(this);
return validation.validateSchema(this.tableName, userData);
Disable user validation and errors on login fixes #3658 - Catch any errors from user.save() events during login - Prevent validation from happening at all when only updating status/last_login - Fixes a problem I introduced with errors which are arrays in logError
2014-08-07 21:50:23 +04:00
},
Extending context concept to models fixes #3275, fixes #3290, ref #3086, ref #3084 - Ensure that we use the current logged in user and not just user 1 when - removing hard coded user: 1 except where absolutely necessary - passing context, rather than user to models - base model has a new function to determine what id to use for created_by etc
2014-07-15 15:03:12 +04:00
// Get the user from the options object
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
contextUser: function contextUser(options) {
Extending context concept to models fixes #3275, fixes #3290, ref #3086, ref #3084 - Ensure that we use the current logged in user and not just user 1 when - removing hard coded user: 1 except where absolutely necessary - passing context, rather than user to models - base model has a new function to determine what id to use for created_by etc
2014-07-15 15:03:12 +04:00
// Default to context user
if (options.context && options.context.user) {
return options.context.user;
// Other wise use the internal override
} else if (options.context && options.context.internal) {
return 1;
// This is the user object, so try using this user's id
} else if (this.get('id')) {
return this.get('id');
} else {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
errors.logAndThrowError(new errors.NotFoundError(i18n.t('errors.models.user.missingContext')));
Extending context concept to models fixes #3275, fixes #3290, ref #3086, ref #3084 - Ensure that we use the current logged in user and not just user 1 when - removing hard coded user: 1 except where absolutely necessary - passing context, rather than user to models - base model has a new function to determine what id to use for created_by etc
2014-07-15 15:03:12 +04:00
}
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
toJSON: function toJSON(options) {
Adding 'fields' param for browse requests refs #5601, #5463, #5343 - adds rudimentary support for a 'fields' parameter on browse requests
2015-07-04 21:27:23 +03:00
options = options || {};
Refactor omit of password - remove password in toJSON() instead of filtering every occurrence of user - changed faulty error type ‚NotFound‘ to ‚NoPermission‘
2014-05-06 14:14:58 +04:00
var attrs = ghostBookshelf.Model.prototype.toJSON.call(this, options);
// remove password hash for security reasons
delete attrs.password;
Sanitize models' attributes/options before passing to bookshelf/knex closes #2653 - enforce strict whitelists for model methods - create a class method that reports a model method's valid options - create a class method that filters a model's valid attributes from data - create a class method that filters valid options from a model method's options hash
2014-05-06 05:45:08 +04:00
Refactor to remove author.email from API refs #2330 - Pass through `options` to all toJSON calls on posts, tags, and users - Use options.context.user to determine whether it's OK to return user.email - Remove author.email handling code from frontend.js
2015-04-18 00:27:04 +03:00
if (!options || !options.context || (!options.context.user && !options.context.internal)) {
delete attrs.email;
}
Refactor omit of password - remove password in toJSON() instead of filtering every occurrence of user - changed faulty error type ‚NotFound‘ to ‚NoPermission‘
2014-05-06 14:14:58 +04:00
return attrs;
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
format: function format(options) {
Improve validation for user.website closes #4444 - validate URL without protocol in server and client - when saving url, add `http://` if the url doesn't have a protocol
2014-11-17 07:35:32 +03:00
if (!_.isEmpty(options.website) &&
!validator.isURL(options.website, {
require_protocol: true,
protocols: ['http', 'https']})) {
options.website = 'http://' + options.website;
}
Add parent call in user.format to fix dateTime closes #5066 - fix a problem that user model will fail to save if mysql has option of STRICT_TRANS_TABLES - add a parent call in user.format override function, which should fix dateTime format before user saved.
2015-03-25 07:11:25 +03:00
return ghostBookshelf.Model.prototype.format.call(this, options);
Improve validation for user.website closes #4444 - validate URL without protocol in server and client - when saving url, add `http://` if the url doesn't have a protocol
2014-11-17 07:35:32 +03:00
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
posts: function posts() {
Use bookshelf's model registry plugin Refs #2170 This removes the circular dependency problem from our models thanks to https://github.com/tgriesser/bookshelf/issues/181 - add the registry plugin - switch all models and collections to be registered - switch relationships to be defined using a string, which calls from the registry
2014-07-13 15:17:18 +04:00
return this.hasMany('Posts', 'created_by');
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
roles: function roles() {
Use bookshelf's model registry plugin Refs #2170 This removes the circular dependency problem from our models thanks to https://github.com/tgriesser/bookshelf/issues/181 - add the registry plugin - switch all models and collections to be registered - switch relationships to be defined using a string, which calls from the registry
2014-07-13 15:17:18 +04:00
return this.belongsToMany('Role');
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
permissions: function permissions() {
Use bookshelf's model registry plugin Refs #2170 This removes the circular dependency problem from our models thanks to https://github.com/tgriesser/bookshelf/issues/181 - add the registry plugin - switch all models and collections to be registered - switch relationships to be defined using a string, which calls from the registry
2014-07-13 15:17:18 +04:00
return this.belongsToMany('Permission');
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
hasRole: function hasRole(roleName) {
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
var roles = this.related('roles');
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return roles.some(function getRole(role) {
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
return role.get('name') === roleName;
});
Filter plugin with enforce/default logic refs #5614, #5943 - adds a new 'filter' bookshelf plugin which extends the model - the filter plugin provides handling for merging/combining various filters (enforced, defaults and custom/user-provided) - the filter plugin also handles the calls to gql - post processing is also moved to the plugin, to be further refactored/removed in future - adds tests showing how filter could be abused prior to this commit
2015-11-11 20:52:44 +03:00
},
add small permission improvements no issue - do not check client type in auth middleware - offer filtering for findAll function in base - add isInternalContext to base model
2016-04-14 18:54:49 +03:00
Filter plugin with enforce/default logic refs #5614, #5943 - adds a new 'filter' bookshelf plugin which extends the model - the filter plugin provides handling for merging/combining various filters (enforced, defaults and custom/user-provided) - the filter plugin also handles the calls to gql - post processing is also moved to the plugin, to be further refactored/removed in future - adds tests showing how filter could be abused prior to this commit
2015-11-11 20:52:44 +03:00
enforcedFilters: function enforcedFilters() {
add small permission improvements no issue - do not check client type in auth middleware - offer filtering for findAll function in base - add isInternalContext to base model
2016-04-14 18:54:49 +03:00
if (this.isInternalContext()) {
return null;
}
Filter plugin with enforce/default logic refs #5614, #5943 - adds a new 'filter' bookshelf plugin which extends the model - the filter plugin provides handling for merging/combining various filters (enforced, defaults and custom/user-provided) - the filter plugin also handles the calls to gql - post processing is also moved to the plugin, to be further refactored/removed in future - adds tests showing how filter could be abused prior to this commit
2015-11-11 20:52:44 +03:00
return this.isPublicContext() ? 'status:[' + activeStates.join(',') + ']' : null;
},
add small permission improvements no issue - do not check client type in auth middleware - offer filtering for findAll function in base - add isInternalContext to base model
2016-04-14 18:54:49 +03:00
Filter plugin with enforce/default logic refs #5614, #5943 - adds a new 'filter' bookshelf plugin which extends the model - the filter plugin provides handling for merging/combining various filters (enforced, defaults and custom/user-provided) - the filter plugin also handles the calls to gql - post processing is also moved to the plugin, to be further refactored/removed in future - adds tests showing how filter could be abused prior to this commit
2015-11-11 20:52:44 +03:00
defaultFilters: function defaultFilters() {
return this.isPublicContext() ? null : 'status:[' + activeStates.join(',') + ']';
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
}
}, {
Abstract findPage & add pagination Bookshelf plugin closes #2896 - move default options / custom code into model functions - move most of the filtering logic into base/utils.filtering (to be relocated) - move the remainder of findPage back into base/index.js and remove from posts/users&tags - move pagination-specific logic to a separate 'plugin' file - pagination provides new fetchPage function, similar to fetchAll but handling pagination - findPage model method uses fetchPage - plugin is fully unit-tested and documented
2015-06-17 16:55:39 +03:00
orderDefaultOptions: function orderDefaultOptions() {
return {
last_login: 'DESC',
name: 'ASC',
created_at: 'DESC'
};
},
Refactor old processOptions/where to use GQL JSON refs #5943 - no longer assume the options in processOptions are set - set where to a new GQL JSON-like statement object - rather than setting options, add statements which can be understood by knexify - pass the statements through knexify to build the query
2015-11-11 22:31:52 +03:00
/**
* @deprecated in favour of filter
*/
processOptions: function processOptions(options) {
if (!options.status) {
return options;
}
// This is the only place that 'options.where' is set now
options.where = {statements: []};
var allStates = activeStates.concat(invitedStates),
value;
Abstract findPage & add pagination Bookshelf plugin closes #2896 - move default options / custom code into model functions - move most of the filtering logic into base/utils.filtering (to be relocated) - move the remainder of findPage back into base/index.js and remove from posts/users&tags - move pagination-specific logic to a separate 'plugin' file - pagination provides new fetchPage function, similar to fetchAll but handling pagination - findPage model method uses fetchPage - plugin is fully unit-tested and documented
2015-06-17 16:55:39 +03:00
// Filter on the status. A status of 'all' translates to no filter since we want all statuses
Refactor old processOptions/where to use GQL JSON refs #5943 - no longer assume the options in processOptions are set - set where to a new GQL JSON-like statement object - rather than setting options, add statements which can be understood by knexify - pass the statements through knexify to build the query
2015-11-11 22:31:52 +03:00
if (options.status !== 'all') {
Abstract findPage & add pagination Bookshelf plugin closes #2896 - move default options / custom code into model functions - move most of the filtering logic into base/utils.filtering (to be relocated) - move the remainder of findPage back into base/index.js and remove from posts/users&tags - move pagination-specific logic to a separate 'plugin' file - pagination provides new fetchPage function, similar to fetchAll but handling pagination - findPage model method uses fetchPage - plugin is fully unit-tested and documented
2015-06-17 16:55:39 +03:00
// make sure that status is valid
Refactor old processOptions/where to use GQL JSON refs #5943 - no longer assume the options in processOptions are set - set where to a new GQL JSON-like statement object - rather than setting options, add statements which can be understood by knexify - pass the statements through knexify to build the query
2015-11-11 22:31:52 +03:00
options.status = allStates.indexOf(options.status) > -1 ? options.status : 'active';
Abstract findPage & add pagination Bookshelf plugin closes #2896 - move default options / custom code into model functions - move most of the filtering logic into base/utils.filtering (to be relocated) - move the remainder of findPage back into base/index.js and remove from posts/users&tags - move pagination-specific logic to a separate 'plugin' file - pagination provides new fetchPage function, similar to fetchAll but handling pagination - findPage model method uses fetchPage - plugin is fully unit-tested and documented
2015-06-17 16:55:39 +03:00
}
if (options.status === 'active') {
Refactor old processOptions/where to use GQL JSON refs #5943 - no longer assume the options in processOptions are set - set where to a new GQL JSON-like statement object - rather than setting options, add statements which can be understood by knexify - pass the statements through knexify to build the query
2015-11-11 22:31:52 +03:00
value = activeStates;
Abstract findPage & add pagination Bookshelf plugin closes #2896 - move default options / custom code into model functions - move most of the filtering logic into base/utils.filtering (to be relocated) - move the remainder of findPage back into base/index.js and remove from posts/users&tags - move pagination-specific logic to a separate 'plugin' file - pagination provides new fetchPage function, similar to fetchAll but handling pagination - findPage model method uses fetchPage - plugin is fully unit-tested and documented
2015-06-17 16:55:39 +03:00
} else if (options.status === 'invited') {
Refactor old processOptions/where to use GQL JSON refs #5943 - no longer assume the options in processOptions are set - set where to a new GQL JSON-like statement object - rather than setting options, add statements which can be understood by knexify - pass the statements through knexify to build the query
2015-11-11 22:31:52 +03:00
value = invitedStates;
} else if (options.status === 'all') {
value = allStates;
} else {
value = options.status;
Abstract findPage & add pagination Bookshelf plugin closes #2896 - move default options / custom code into model functions - move most of the filtering logic into base/utils.filtering (to be relocated) - move the remainder of findPage back into base/index.js and remove from posts/users&tags - move pagination-specific logic to a separate 'plugin' file - pagination provides new fetchPage function, similar to fetchAll but handling pagination - findPage model method uses fetchPage - plugin is fully unit-tested and documented
2015-06-17 16:55:39 +03:00
}
Refactor old processOptions/where to use GQL JSON refs #5943 - no longer assume the options in processOptions are set - set where to a new GQL JSON-like statement object - rather than setting options, add statements which can be understood by knexify - pass the statements through knexify to build the query
2015-11-11 22:31:52 +03:00
options.where.statements.push({prop: 'status', op: 'IN', value: value});
delete options.status;
Abstract findPage & add pagination Bookshelf plugin closes #2896 - move default options / custom code into model functions - move most of the filtering logic into base/utils.filtering (to be relocated) - move the remainder of findPage back into base/index.js and remove from posts/users&tags - move pagination-specific logic to a separate 'plugin' file - pagination provides new fetchPage function, similar to fetchAll but handling pagination - findPage model method uses fetchPage - plugin is fully unit-tested and documented
2015-06-17 16:55:39 +03:00
return options;
},
Sanitize models' attributes/options before passing to bookshelf/knex closes #2653 - enforce strict whitelists for model methods - create a class method that reports a model method's valid options - create a class method that filters a model's valid attributes from data - create a class method that filters valid options from a model method's options hash
2014-05-06 05:45:08 +04:00
/**
* Returns an array of keys permitted in a method's `options` hash, depending on the current method.
* @param {String} methodName The name of the method to check valid options for.
* @return {Array} Keys allowed in the `options` hash of the model's method.
*/
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
permittedOptions: function permittedOptions(methodName) {
Sanitize models' attributes/options before passing to bookshelf/knex closes #2653 - enforce strict whitelists for model methods - create a class method that reports a model method's valid options - create a class method that filters a model's valid attributes from data - create a class method that filters valid options from a model method's options hash
2014-05-06 05:45:08 +04:00
var options = ghostBookshelf.Model.permittedOptions(),
// whitelists for the `options` hash argument on methods, by method name.
// these are the only options that can be passed to Bookshelf / Knex.
validOptions = {
Changing User.read API to default to active users. refs #3542 - Properly handle forgotten screen (ember) - Change Users API to only return active users on read - Adjust tests
2014-08-05 22:11:17 +04:00
findOne: ['withRelated', 'status'],
Extending context concept to models fixes #3275, fixes #3290, ref #3086, ref #3084 - Ensure that we use the current logged in user and not just user 1 when - removing hard coded user: 1 except where absolutely necessary - passing context, rather than user to models - base model has a new function to determine what id to use for created_by etc
2014-07-15 15:03:12 +04:00
setup: ['id'],
Pagination for Users Management screen closes #3222 - implementing server-side pagination for /users API - passing /users?limit=none will return all users - passing /users?status=invited will filter base on user status - creating 3 mixins (route, controller and view) to keep pagination logic DRY - updating route, controller and view for Posts to use new mixing - implementing infinite scrolling for Users Management screen (using new mixins) - Users Management screen displays all invited users, but paginates active users
2014-07-20 20:42:03 +04:00
edit: ['withRelated', 'id'],
add small permission improvements no issue - do not check client type in auth middleware - offer filtering for findAll function in base - add isInternalContext to base model
2016-04-14 18:54:49 +03:00
findPage: ['page', 'limit', 'columns', 'filter', 'order', 'status'],
findAll: ['filter']
Sanitize models' attributes/options before passing to bookshelf/knex closes #2653 - enforce strict whitelists for model methods - create a class method that reports a model method's valid options - create a class method that filters a model's valid attributes from data - create a class method that filters valid options from a model method's options hash
2014-05-06 05:45:08 +04:00
};
if (validOptions[methodName]) {
options = options.concat(validOptions[methodName]);
}
return options;
},
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 20:00:59 +04:00
/**
* ### Find One
* @extends ghostBookshelf.Model.findOne to include roles
* **See:** [ghostBookshelf.Model.findOne](base.js.html#Find%20One)
*/
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
findOne: function findOne(data, options) {
Changing User.read API to default to active users. refs #3542 - Properly handle forgotten screen (ember) - Change Users API to only return active users on read - Adjust tests
2014-08-05 22:11:17 +04:00
var query,
Fixup finding user by role name No Issue. - Build up query object to lookup a user by the name of a role. Return user with "roles" objects included. - Add test for findOne by role.
2015-01-20 20:40:25 +03:00
status,
Restore options refs #6122 - restore original options after delete - this is a fix for one use case, long term we should aim to leave options untouched and execute special queries with temporary data
2015-11-24 17:31:28 +03:00
optInc,
Fixup finding user by role name No Issue. - Build up query object to lookup a user by the name of a role. Return user with "roles" objects included. - Add test for findOne by role.
2015-01-20 20:40:25 +03:00
lookupRole = data.role;
delete data.role;
Changing User.read API to default to active users. refs #3542 - Properly handle forgotten screen (ember) - Change Users API to only return active users on read - Adjust tests
2014-08-05 22:11:17 +04:00
Use extends correctly & consistently - extends clobbers the first argument you pass to it, so that should not be a variable that is used elsewhere, if you're also assigning the value, as it will have unintended side effects.
2015-06-25 21:56:27 +03:00
data = _.defaults(data || {}, {
Changing User.read API to default to active users. refs #3542 - Properly handle forgotten screen (ember) - Change Users API to only return active users on read - Adjust tests
2014-08-05 22:11:17 +04:00
status: 'active'
Use extends correctly & consistently - extends clobbers the first argument you pass to it, so that should not be a variable that is used elsewhere, if you're also assigning the value, as it will have unintended side effects.
2015-06-25 21:56:27 +03:00
});
Changing User.read API to default to active users. refs #3542 - Properly handle forgotten screen (ember) - Change Users API to only return active users on read - Adjust tests
2014-08-05 22:11:17 +04:00
status = data.status;
delete data.status;
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 20:00:59 +04:00
options = options || {};
Restore options refs #6122 - restore original options after delete - this is a fix for one use case, long term we should aim to leave options untouched and execute special queries with temporary data
2015-11-24 17:31:28 +03:00
optInc = options.include;
API - no more m-2-m relation ids by default closes #4498 - remove toJSON code which returns only IDs from objects - don't auto-include tags & fields in post responses - don't auto-include roles in user responses - fix #allthethings that made assumptions about the auto-includes, or otherwise were only working because of the auto-include
2014-11-27 03:28:29 +03:00
options.withRelated = _.union(options.withRelated, options.include);
Refactor pagination count query refs #2896 - remove duplicate query-building code - use the same approach for creating the count query from the main query - restructure the code to match more closely across the 3 findPage functions (prep for further refactoring)
2015-06-15 19:45:58 +03:00
data = this.filterData(data);
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 20:00:59 +04:00
Extending context concept to models fixes #3275, fixes #3290, ref #3086, ref #3084 - Ensure that we use the current logged in user and not just user 1 when - removing hard coded user: 1 except where absolutely necessary - passing context, rather than user to models - base model has a new function to determine what id to use for created_by etc
2014-07-15 15:03:12 +04:00
// Support finding by role
Fixup finding user by role name No Issue. - Build up query object to lookup a user by the name of a role. Return user with "roles" objects included. - Add test for findOne by role.
2015-01-20 20:40:25 +03:00
if (lookupRole) {
options.withRelated = _.union(options.withRelated, ['roles']);
options.include = _.union(options.include, ['roles']);
Extending context concept to models fixes #3275, fixes #3290, ref #3086, ref #3084 - Ensure that we use the current logged in user and not just user 1 when - removing hard coded user: 1 except where absolutely necessary - passing context, rather than user to models - base model has a new function to determine what id to use for created_by etc
2014-07-15 15:03:12 +04:00
Fixup finding user by role name No Issue. - Build up query object to lookup a user by the name of a role. Return user with "roles" objects included. - Add test for findOne by role.
2015-01-20 20:40:25 +03:00
query = this.forge(data, {include: options.include});
fix query user
2016-05-22 11:37:44 +03:00
query.query('join', 'roles_users', 'users.id', '=', 'roles_users.user_id');
Fixup finding user by role name No Issue. - Build up query object to lookup a user by the name of a role. Return user with "roles" objects included. - Add test for findOne by role.
2015-01-20 20:40:25 +03:00
query.query('join', 'roles', 'roles_users.role_id', '=', 'roles.id');
query.query('where', 'roles.name', '=', lookupRole);
} else {
// We pass include to forge so that toJSON has access
query = this.forge(data, {include: options.include});
}
Changing User.read API to default to active users. refs #3542 - Properly handle forgotten screen (ember) - Change Users API to only return active users on read - Adjust tests
2014-08-05 22:11:17 +04:00
if (status === 'active') {
query.query('whereIn', 'status', activeStates);
} else if (status === 'invited') {
query.query('whereIn', 'status', invitedStates);
} else if (status !== 'all') {
Add jscs task to grunt file and clean up files to adhere to jscs rules. resolves #1920 - updates all files to conform to style settings.
2014-09-10 08:06:24 +04:00
query.query('where', {status: options.status});
custom slugging capabilities for individual user pages closes #3401 - modifying slug-generator to be more generic - adding slugging capabilities for /settings/users/:slug - modified posts to use the updated slug-generator
2014-07-31 08:25:42 +04:00
}
Changing User.read API to default to active users. refs #3542 - Properly handle forgotten screen (ember) - Change Users API to only return active users on read - Adjust tests
2014-08-05 22:11:17 +04:00
options = this.filterOptions(options, 'findOne');
delete options.include;
Restore options refs #6122 - restore original options after delete - this is a fix for one use case, long term we should aim to leave options untouched and execute special queries with temporary data
2015-11-24 17:31:28 +03:00
options.include = optInc;
Changing User.read API to default to active users. refs #3542 - Properly handle forgotten screen (ember) - Change Users API to only return active users on read - Adjust tests
2014-08-05 22:11:17 +04:00
return query.fetch(options);
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 20:00:59 +04:00
},
/**
* ### Edit
* @extends ghostBookshelf.Model.edit to handle returning the full object
* **See:** [ghostBookshelf.Model.edit](base.js.html#edit)
*/
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
edit: function edit(data, options) {
Add edit roles refs #3087 - added ability to edit user/roles relation - user is not allowed assign roles to himself - only one role per user is supported atm - added tests
2014-07-22 00:50:43 +04:00
var self = this,
Fix incorrect error closes #3373 - added check if role is already assigned - added check for unknown fields to fixDates/fixBools - permissions are not implemented yet, so everyone is able to edit owner ;-)
2014-07-24 12:17:10 +04:00
roleId;
Add edit roles refs #3087 - added ability to edit user/roles relation - user is not allowed assign roles to himself - only one role per user is supported atm - added tests
2014-07-22 00:50:43 +04:00
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
if (data.roles && data.roles.length > 1) {
return Promise.reject(
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
new errors.ValidationError(i18n.t('errors.models.user.onlyOneRolePerUserSupported'))
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
);
}
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 20:00:59 +04:00
options = options || {};
API - no more m-2-m relation ids by default closes #4498 - remove toJSON code which returns only IDs from objects - don't auto-include tags & fields in post responses - don't auto-include roles in user responses - fix #allthethings that made assumptions about the auto-includes, or otherwise were only working because of the auto-include
2014-11-27 03:28:29 +03:00
options.withRelated = _.union(options.withRelated, options.include);
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 20:00:59 +04:00
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return ghostBookshelf.Model.edit.call(this, data, options).then(function then(user) {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
if (!data.roles) {
return user;
}
roleId = parseInt(data.roles[0].id || data.roles[0], 10);
Add edit roles refs #3087 - added ability to edit user/roles relation - user is not allowed assign roles to himself - only one role per user is supported atm - added tests
2014-07-22 00:50:43 +04:00
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return user.roles().fetch().then(function then(roles) {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
// return if the role is already assigned
if (roles.models[0].id === roleId) {
return;
}
return ghostBookshelf.model('Role').findOne({id: roleId});
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then(roleToAssign) {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
if (roleToAssign && roleToAssign.get('name') === 'Owner') {
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
return Promise.reject(
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
new errors.ValidationError(i18n.t('errors.models.user.methodDoesNotSupportOwnerRole'))
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
);
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
} else {
// assign all other roles
return user.roles().updatePivot({role_id: roleId});
Add edit roles refs #3087 - added ability to edit user/roles relation - user is not allowed assign roles to himself - only one role per user is supported atm - added tests
2014-07-22 00:50:43 +04:00
}
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then() {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
options.status = 'all';
return self.findOne({id: user.id}, options);
});
Add edit roles refs #3087 - added ability to edit user/roles relation - user is not allowed assign roles to himself - only one role per user is supported atm - added tests
2014-07-22 00:50:43 +04:00
});
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 20:00:59 +04:00
},
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
/**
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 16:41:19 +04:00
* ## Add
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
* Naive user add
* Hashes the password provided before saving to the database.
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 16:41:19 +04:00
*
* @param {object} data
* @param {object} options
* @extends ghostBookshelf.Model.add to manage all aspects of user signup
* **See:** [ghostBookshelf.Model.add](base.js.html#Add)
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
*/
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
add: function add(data, options) {
Edit Post Permissions
2013-08-16 03:22:08 +04:00
var self = this,
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
userData = this.filterData(data),
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 19:40:30 +04:00
roles;
Sanitize models' attributes/options before passing to bookshelf/knex closes #2653 - enforce strict whitelists for model methods - create a class method that reports a model method's valid options - create a class method that filters a model's valid attributes from data - create a class method that filters valid options from a model method's options hash
2014-05-06 05:45:08 +04:00
Revert "Force UTC at process level"
2016-06-02 16:38:02 +03:00
userData.password = toString(userData.password);
deps: validator@5.1.0 closes #6462 - monkey-patch validator.extends() since it was dropped by validator @5.0.0 - coerce input to string prior to validation (custom toString func) - need to handle boolean validation based on column type not isIn() - use `lodash.tostring` to convert input values to strings
2016-03-27 13:19:32 +03:00
Sanitize models' attributes/options before passing to bookshelf/knex closes #2653 - enforce strict whitelists for model methods - create a class method that reports a model method's valid options - create a class method that filters a model's valid attributes from data - create a class method that filters valid options from a model method's options hash
2014-05-06 05:45:08 +04:00
options = this.filterOptions(options, 'add');
API - no more m-2-m relation ids by default closes #4498 - remove toJSON code which returns only IDs from objects - don't auto-include tags & fields in post responses - don't auto-include roles in user responses - fix #allthethings that made assumptions about the auto-includes, or otherwise were only working because of the auto-include
2014-11-27 03:28:29 +03:00
options.withRelated = _.union(options.withRelated, options.include);
Update importer for MU closes #3285 - remove apps stuff for now - if there is a single user, behave the same as before, overriding non-critical properties of the single owner user - if there are multiple users, import them like normal resource
2014-07-31 23:53:55 +04:00
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
// check for too many roles
if (data.roles && data.roles.length > 1) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.onlyOneRolePerUserSupported')));
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
}
User edit & add endpoints cleanup - edit and add endpoints don't assume role - edit and add endpoints cope with no role, role objects, and strings - resend user invite was failing at one point due to no role being sent, but this shouldn't be required - other random api cleanup
2014-07-31 04:15:34 +04:00
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
if (!validatePasswordLength(userData.password)) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordDoesNotComplyLength')));
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
}
Sanitize models' attributes/options before passing to bookshelf/knex closes #2653 - enforce strict whitelists for model methods - create a class method that reports a model method's valid options - create a class method that filters a model's valid attributes from data - create a class method that filters valid options from a model method's options hash
2014-05-06 05:45:08 +04:00
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
function getAuthorRole() {
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return ghostBookshelf.model('Role').findOne({name: 'Author'}, _.pick(options, 'transacting')).then(function then(authorRole) {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
return [authorRole.get('id')];
});
}
roles = data.roles || getAuthorRole();
delete data.roles;
Fix upgrade path from really old versions closes #5692, refs felixrieseberg/Ghost-Azure#1 - fix broken promise code - fix incorrect handling of hash in user.add which causes 'Error: Invalid salt version 2' if owner user fixture is not present
2015-08-28 00:28:29 +03:00
return generatePasswordHash(userData.password).then(function then(hash) {
Edit Post Permissions
2013-08-16 03:22:08 +04:00
// Assign the hashed password
Fix upgrade path from really old versions closes #5692, refs felixrieseberg/Ghost-Azure#1 - fix broken promise code - fix incorrect handling of hash in user.add which causes 'Error: Invalid salt version 2' if owner user fixture is not present
2015-08-28 00:28:29 +03:00
userData.password = hash;
Add users Gravatar on signup When a user registers try to find their gravatar.
2013-11-11 23:55:22 +04:00
// LookupGravatar
Refactor gravatarLookup, remove request dependency no issue - request is quite a heavy dependency - we were only using request in 3 places: a test, storing contrib images in the gruntfile & the gravatar lookup - all 3 are relatively simple to do with the http/https module - refactored all 3, removed request
2016-02-12 23:04:26 +03:00
return gravatar.lookup(userData);
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then(userData) {
Edit Post Permissions
2013-08-16 03:22:08 +04:00
// Save the user with the hashed password
Use current user in models closes #2058 - fixed apiContext as suggested in the issue - added user to options object for models - added api.users.register() for public registration - changed models to use options.user for created_by, updated_by, author_id and published_by - added override to session model to avoid created_by and updated_by values - added user (id: 1) to tests - added user (id: 1) for registration - added user (id: 1) for import, fixtures and default settings - added user (id: 1) for user update - added user (id: 1) for settings update (dbHash, installedApps, update check) - updated bookshelf to version 0.6.8
2014-04-03 17:03:09 +04:00
return ghostBookshelf.Model.add.call(self, userData, options);
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then(addedUser) {
Edit Post Permissions
2013-08-16 03:22:08 +04:00
// Assign the userData to our created user so we can pass it back
userData = addedUser;
Add jscs task to grunt file and clean up files to adhere to jscs rules. resolves #1920 - updates all files to conform to style settings.
2014-09-10 08:06:24 +04:00
// if we are given a "role" object, only pass in the role ID in place of the full object
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return Promise.resolve(roles).then(function then(roles) {
roles = _.map(roles, function mapper(role) {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
if (_.isString(role)) {
return parseInt(role, 10);
} else if (_.isNumber(role)) {
return role;
} else {
return parseInt(role.id, 10);
}
});
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
return addedUser.roles().attach(roles, options);
});
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then() {
Move user API to primary document format closes #2593 - added new format to user API methods - changed all places where the user api was used - updated tests and added more coverage - little bit of cleanup in utils/api
2014-04-29 00:42:38 +04:00
// find and return the added user
Changing User.read API to default to active users. refs #3542 - Properly handle forgotten screen (ember) - Change Users API to only return active users on read - Adjust tests
2014-08-05 22:11:17 +04:00
return self.findOne({id: userData.id, status: 'all'}, options);
Added validation for signup and login screens Closes #374 * Included node-validator as a package * Implemented server side validation (the client side js is a mess, need a LOT of work) * Validates email address both on signup and login screens, gives error message on malformed email addresses * Requires at least 8 chars of password * Tells user if password is too short * Tells user if no such user on login * Tells user if wrong password on login * Tells user if server responds with a 404 (goes away, dies, etc) * Added middleware between req and login / signup for validation
2013-08-19 01:50:42 +04:00
});
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
setup: function setup(data, options) {
Setup hijacks owner user closes #3074 - user generated by fixture is hijacked - user is updated with name, email, password, slug and status - creates new user if db is migrated but no user exists - previously removed tests are back
2014-07-10 21:29:51 +04:00
var self = this,
userData = this.filterData(data);
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 16:17:09 +04:00
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
if (!validatePasswordLength(userData.password)) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordDoesNotComplyLength')));
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
}
Setup hijacks owner user closes #3074 - user generated by fixture is hijacked - user is updated with name, email, password, slug and status - creates new user if db is migrated but no user exists - previously removed tests are back
2014-07-10 21:29:51 +04:00
options = this.filterOptions(options, 'setup');
API - no more m-2-m relation ids by default closes #4498 - remove toJSON code which returns only IDs from objects - don't auto-include tags & fields in post responses - don't auto-include roles in user responses - fix #allthethings that made assumptions about the auto-includes, or otherwise were only working because of the auto-include
2014-11-27 03:28:29 +03:00
options.withRelated = _.union(options.withRelated, options.include);
Shorter user slugs (if possible) Closes #4211
2014-09-30 02:45:58 +04:00
options.shortSlug = true;
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 16:17:09 +04:00
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return generatePasswordHash(data.password).then(function then(hash) {
Setup hijacks owner user closes #3074 - user generated by fixture is hijacked - user is updated with name, email, password, slug and status - creates new user if db is migrated but no user exists - previously removed tests are back
2014-07-10 21:29:51 +04:00
// Assign the hashed password
userData.password = hash;
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
Refactor gravatarLookup, remove request dependency no issue - request is quite a heavy dependency - we were only using request in 3 places: a test, storing contrib images in the gruntfile & the gravatar lookup - all 3 are relatively simple to do with the http/https module - refactored all 3, removed request
2016-02-12 23:04:26 +03:00
return Promise.join(
gravatar.lookup(userData),
ghostBookshelf.Model.generateSlug.call(this, User, userData.name, options)
);
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then(results) {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
userData = results[0];
userData.slug = results[1];
Setup hijacks owner user closes #3074 - user generated by fixture is hijacked - user is updated with name, email, password, slug and status - creates new user if db is migrated but no user exists - previously removed tests are back
2014-07-10 21:29:51 +04:00
return self.edit.call(self, userData, options);
});
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
permissible: function permissible(userModelOrId, action, context, loadedPermissions, hasUserPermission, hasAppPermission) {
Add permissions to API closes #2264 - added permissions check to db, users and posts - added register method to users - added doesUserExist method to users - added user from session to internal calls - changed permissible to overwrite canThis - removed action map and action type from permissable method
2014-04-08 17:40:33 +04:00
var self = this,
Add apps permissable checks in posts and users Closes #2738 - Re-introduce the TargetModel.permissable interface check in the regular permission flow path - Pass loadedPermissions, hasUserPermission and hasAppPermission to permissable interface to reduce logic necessary - Refactor recursive call to pass original arguments but with actual model - Refactor canThis(this.user) use in api/posts.js to just canThis(this)
2014-05-14 05:49:07 +04:00
userModel = userModelOrId,
origArgs;
Add permissions to API closes #2264 - added permissions check to db, users and posts - added register method to users - added doesUserExist method to users - added user from session to internal calls - changed permissible to overwrite canThis - removed action map and action type from permissable method
2014-04-08 17:40:33 +04:00
API - no more m-2-m relation ids by default closes #4498 - remove toJSON code which returns only IDs from objects - don't auto-include tags & fields in post responses - don't auto-include roles in user responses - fix #allthethings that made assumptions about the auto-includes, or otherwise were only working because of the auto-include
2014-11-27 03:28:29 +03:00
// If we passed in a model without its related roles, we need to fetch it again
if (_.isObject(userModelOrId) && !_.isObject(userModelOrId.related('roles'))) {
userModelOrId = userModelOrId.id;
}
// If we passed in an id instead of a model get the model first
Add permissions to API closes #2264 - added permissions check to db, users and posts - added register method to users - added doesUserExist method to users - added user from session to internal calls - changed permissible to overwrite canThis - removed action map and action type from permissable method
2014-04-08 17:40:33 +04:00
if (_.isNumber(userModelOrId) || _.isString(userModelOrId)) {
Add apps permissable checks in posts and users Closes #2738 - Re-introduce the TargetModel.permissable interface check in the regular permission flow path - Pass loadedPermissions, hasUserPermission and hasAppPermission to permissable interface to reduce logic necessary - Refactor recursive call to pass original arguments but with actual model - Refactor canThis(this.user) use in api/posts.js to just canThis(this)
2014-05-14 05:49:07 +04:00
// Grab the original args without the first one
origArgs = _.toArray(arguments).slice(1);
Remove undefined function and fix some comments
2015-12-02 10:28:36 +03:00
// Get the actual user model
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return this.findOne({id: userModelOrId, status: 'all'}, {include: ['roles']}).then(function then(foundUserModel) {
Add apps permissable checks in posts and users Closes #2738 - Re-introduce the TargetModel.permissable interface check in the regular permission flow path - Pass loadedPermissions, hasUserPermission and hasAppPermission to permissable interface to reduce logic necessary - Refactor recursive call to pass original arguments but with actual model - Refactor canThis(this.user) use in api/posts.js to just canThis(this)
2014-05-14 05:49:07 +04:00
// Build up the original args but substitute with actual model
var newArgs = [foundUserModel].concat(origArgs);
Permissions Improvements refs #3083, #3096 In order to implement advanced permissions based on roles for specific actions, we need to know what role the current context user has and also what action we are granting permissions for: - Permissible gets passed the action type - Effective permissions keeps the user role and eventually passes it to permissible - Fixed spelling - Still needs tests
2014-07-23 22:17:29 +04:00
return self.permissible.apply(self, newArgs);
Add permissions to API closes #2264 - added permissions check to db, users and posts - added register method to users - added doesUserExist method to users - added user from session to internal calls - changed permissible to overwrite canThis - removed action map and action type from permissable method
2014-04-08 17:40:33 +04:00
}, errors.logAndThrowError);
}
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
if (action === 'edit') {
Changed admin permissions so Owner role only editable by itself closes #5521 - Added test for admin rejection of owner edit - Added specific permissions so admins can edit Admin, Editor and Author roles
2015-07-09 00:07:09 +03:00
// Owner can only be editted by owner
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
if (loadedPermissions.user && userModel.hasRole('Owner')) {
Changed admin permissions so Owner role only editable by itself closes #5521 - Added test for admin rejection of owner edit - Added specific permissions so admins can edit Admin, Editor and Author roles
2015-07-09 00:07:09 +03:00
hasUserPermission = _.any(loadedPermissions.user.roles, {name: 'Owner'});
}
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
// Users with the role 'Editor' and 'Author' have complex permissions when the action === 'edit'
// We now have all the info we need to construct the permissions
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
if (loadedPermissions.user && _.any(loadedPermissions.user.roles, {name: 'Author'})) {
Upgrade grunt-jscs to fix whitespace linting. No issue. - grunt-jscs@1.8.0 - Fix formatting
2015-05-01 00:14:19 +03:00
// If this is the same user that requests the operation allow it.
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
hasUserPermission = hasUserPermission || context.user === userModel.get('id');
}
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
if (loadedPermissions.user && _.any(loadedPermissions.user.roles, {name: 'Editor'})) {
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
// If this is the same user that requests the operation allow it.
hasUserPermission = context.user === userModel.get('id');
// Alternatively, if the user we are trying to edit is an Author, allow it
hasUserPermission = hasUserPermission || userModel.hasRole('Author');
}
}
if (action === 'destroy') {
// Owner cannot be deleted EVER
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
if (loadedPermissions.user && userModel.hasRole('Owner')) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.NoPermissionError(i18n.t('errors.models.user.notEnoughPermission')));
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
}
// Users with the role 'Editor' have complex permissions when the action === 'destroy'
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests
2015-10-22 16:28:47 +03:00
if (loadedPermissions.user && _.any(loadedPermissions.user.roles, {name: 'Editor'})) {
Upgrade grunt-jscs to fix whitespace linting. No issue. - grunt-jscs@1.8.0 - Fix formatting
2015-05-01 00:14:19 +03:00
// If this is the same user that requests the operation allow it.
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
hasUserPermission = context.user === userModel.get('id');
// Alternatively, if the user we are trying to edit is an Author, allow it
hasUserPermission = hasUserPermission || userModel.hasRole('Author');
}
Add apps permissable checks in posts and users Closes #2738 - Re-introduce the TargetModel.permissable interface check in the regular permission flow path - Pass loadedPermissions, hasUserPermission and hasAppPermission to permissable interface to reduce logic necessary - Refactor recursive call to pass original arguments but with actual model - Refactor canThis(this.user) use in api/posts.js to just canThis(this)
2014-05-14 05:49:07 +04:00
}
if (hasUserPermission && hasAppPermission) {
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
return Promise.resolve();
Add permissions to API closes #2264 - added permissions check to db, users and posts - added register method to users - added doesUserExist method to users - added user from session to internal calls - changed permissible to overwrite canThis - removed action map and action type from permissable method
2014-04-08 17:40:33 +04:00
}
Add apps permissable checks in posts and users Closes #2738 - Re-introduce the TargetModel.permissable interface check in the regular permission flow path - Pass loadedPermissions, hasUserPermission and hasAppPermission to permissable interface to reduce logic necessary - Refactor recursive call to pass original arguments but with actual model - Refactor canThis(this.user) use in api/posts.js to just canThis(this)
2014-05-14 05:49:07 +04:00
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.NoPermissionError(i18n.t('errors.models.user.notEnoughPermission')));
Add permissions to API closes #2264 - added permissions check to db, users and posts - added register method to users - added doesUserExist method to users - added user from session to internal calls - changed permissible to overwrite canThis - removed action map and action type from permissable method
2014-04-08 17:40:33 +04:00
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
setWarning: function setWarning(user, options) {
Adds login limiter Closes #499 * On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked` * On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords. * login attempts tell user how many attempts she has remaining in notification box * successful login will reset status to `active` * resetting password with forgotten password emailed token resets status to `active` * complete with a test suite
2013-11-29 04:28:01 +04:00
var status = user.get('status'),
regexp = /warn-(\d+)/i,
level;
if (status === 'active') {
user.set('status', 'warn-1');
level = 1;
} else {
level = parseInt(status.match(regexp)[1], 10) + 1;
Users should get 5 password attempts closes #4987
2015-03-03 00:58:00 +03:00
if (level > 4) {
Adds login limiter Closes #499 * On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked` * On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords. * login attempts tell user how many attempts she has remaining in notification box * successful login will reset status to `active` * resetting password with forgotten password emailed token resets status to `active` * complete with a test suite
2013-11-29 04:28:01 +04:00
user.set('status', 'locked');
} else {
user.set('status', 'warn-' + level);
}
}
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return Promise.resolve(user.save(options)).then(function then() {
Adds login limiter Closes #499 * On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked` * On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords. * login attempts tell user how many attempts she has remaining in notification box * successful login will reset status to `active` * resetting password with forgotten password emailed token resets status to `active` * complete with a test suite
2013-11-29 04:28:01 +04:00
return 5 - level;
});
},
Minor code cleanup, docs and other bits & pieces
2013-08-06 23:27:56 +04:00
// Finds the user by email, and checks the password
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
check: function check(object) {
Adds login limiter Closes #499 * On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked` * On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords. * login attempts tell user how many attempts she has remaining in notification box * successful login will reset status to `active` * resetting password with forgotten password emailed token resets status to `active` * complete with a test suite
2013-11-29 04:28:01 +04:00
var self = this,
s;
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return this.getByEmail(object.email).then(function then(user) {
Signin: Proper notification if user not found closes #3374 - If user object is returned but undefined, we'll display a human-readable error notification (user model) - If user object is returned, but the user is inactive or invited (but not activated), we'll display a human-readable error notification
2014-07-24 19:34:52 +04:00
if (!user) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.NotFoundError(i18n.t('errors.models.user.noUserWithEnteredEmailAddr')));
Signin: Proper notification if user not found closes #3374 - If user object is returned but undefined, we'll display a human-readable error notification (user model) - If user object is returned, but the user is inactive or invited (but not activated), we'll display a human-readable error notification
2014-07-24 19:34:52 +04:00
}
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
if (user.get('status') === 'invited' || user.get('status') === 'invited-pending' ||
user.get('status') === 'inactive'
) {
Fixing typo in i18n key
2016-02-18 15:52:53 +03:00
return Promise.reject(new errors.NoPermissionError(i18n.t('errors.models.user.userIsInactive')));
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘
2014-07-02 18:22:18 +04:00
}
Adds login limiter Closes #499 * On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked` * On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords. * login attempts tell user how many attempts she has remaining in notification box * successful login will reset status to `active` * resetting password with forgotten password emailed token resets status to `active` * complete with a test suite
2013-11-29 04:28:01 +04:00
if (user.get('status') !== 'locked') {
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return bcryptCompare(object.password, user.get('password')).then(function then(matched) {
Adds login limiter Closes #499 * On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked` * On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords. * login attempts tell user how many attempts she has remaining in notification box * successful login will reset status to `active` * resetting password with forgotten password emailed token resets status to `active` * complete with a test suite
2013-11-29 04:28:01 +04:00
if (!matched) {
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return Promise.resolve(self.setWarning(user, {validate: false})).then(function then(remaining) {
Adds login limiter Closes #499 * On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked` * On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords. * login attempts tell user how many attempts she has remaining in notification box * successful login will reset status to `active` * resetting password with forgotten password emailed token resets status to `active` * complete with a test suite
2013-11-29 04:28:01 +04:00
s = (remaining > 1) ? 's' : '';
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.UnauthorizedError(i18n.t('errors.models.user.incorrectPasswordAttempts', {remaining: remaining, s: s})));
Disable user validation and errors on login fixes #3658 - Catch any errors from user.save() events during login - Prevent validation from happening at all when only updating status/last_login - Fixes a problem I introduced with errors which are arrays in logError
2014-08-07 21:50:23 +04:00
// Use comma structure, not .catch, because we don't want to catch incorrect passwords
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}, function handleError(error) {
Disable user validation and errors on login fixes #3658 - Catch any errors from user.save() events during login - Prevent validation from happening at all when only updating status/last_login - Fixes a problem I introduced with errors which are arrays in logError
2014-08-07 21:50:23 +04:00
// If we get a validation or other error during this save, catch it and log it, but don't
// cause a login error because of it. The user validation is not important here.
errors.logError(
error,
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
i18n.t('errors.models.user.userUpdateError.context'),
i18n.t('errors.models.user.userUpdateError.help')
Disable user validation and errors on login fixes #3658 - Catch any errors from user.save() events during login - Prevent validation from happening at all when only updating status/last_login - Fixes a problem I introduced with errors which are arrays in logError
2014-08-07 21:50:23 +04:00
);
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.UnauthorizedError(i18n.t('errors.models.user.incorrectPassword')));
Adds login limiter Closes #499 * On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked` * On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords. * login attempts tell user how many attempts she has remaining in notification box * successful login will reset status to `active` * resetting password with forgotten password emailed token resets status to `active` * complete with a test suite
2013-11-29 04:28:01 +04:00
});
}
Add jscs task to grunt file and clean up files to adhere to jscs rules. resolves #1920 - updates all files to conform to style settings.
2014-09-10 08:06:24 +04:00
return Promise.resolve(user.set({status: 'active', last_login: new Date()}).save({validate: false}))
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
.catch(function handleError(error) {
Disable user validation and errors on login fixes #3658 - Catch any errors from user.save() events during login - Prevent validation from happening at all when only updating status/last_login - Fixes a problem I introduced with errors which are arrays in logError
2014-08-07 21:50:23 +04:00
// If we get a validation or other error during this save, catch it and log it, but don't
// cause a login error because of it. The user validation is not important here.
errors.logError(
error,
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
i18n.t('errors.models.user.userUpdateError.context'),
i18n.t('errors.models.user.userUpdateError.help')
Disable user validation and errors on login fixes #3658 - Catch any errors from user.save() events during login - Prevent validation from happening at all when only updating status/last_login - Fixes a problem I introduced with errors which are arrays in logError
2014-08-07 21:50:23 +04:00
);
return user;
});
Adds login limiter Closes #499 * On wrong passwords, statuses: `active` -> `warn-1` -> `warn-2` -> `warn-3` -> `locked` * On login check, if user's status is `locked`, login automatically fails and user is encouraged to reset password. Does not even bother to check for passwords. * login attempts tell user how many attempts she has remaining in notification box * successful login will reset status to `active` * resetting password with forgotten password emailed token resets status to `active` * complete with a test suite
2013-11-29 04:28:01 +04:00
}, errors.logAndThrowError);
}
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.NoPermissionError(
i18n.t('errors.models.user.accountLocked')));
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}, function handleError(error) {
Adding case-insensitive User.getByEmail method fixes #1498 - emails are no longer converted to lowercase, local mailbox can validly be mixed case - getByEmail uses JS to compare emails to ensure we can support unicode - tests that users can be retrieved by their email address with case insensitivity
2014-01-15 02:47:17 +04:00
if (error.message === 'NotFound' || error.message === 'EmptyResponse') {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.NotFoundError(i18n.t('errors.models.user.noUserWithEnteredEmailAddr')));
Adding case-insensitive User.getByEmail method fixes #1498 - emails are no longer converted to lowercase, local mailbox can validly be mixed case - getByEmail uses JS to compare emails to ensure we can support unicode - tests that users can be retrieved by their email address with case insensitivity
2014-01-15 02:47:17 +04:00
}
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
return Promise.reject(error);
Current user added Closes #340. Closes #375 * Replaced session with id of current user * Added method to ghostlocals to always send profile picture and full name to templates (template checks if falsy) * Modified user saving (`forge().set(new).save()` died on me, `forge().save(new)` didn't) * If user has profile picture, that will be used * If user has name, that will be used * Password changing doesn't care about your email. Uses cookies. Tasty! * User pane uses current user id. Had to set path to me, otherwise goes to `browse` instead of `read`. * Added logic to user api to check for `id === 'me'`, and then use the cookie value * User data saves are now correct * There is no logout error
2013-08-09 05:22:49 +04:00
});
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
},
Users can change password Closes #282 * Added a new route * Added new methods * Triple security! * Passwords are actually changed * Also added a change password button, because 'save' has too much baggage. On security: checks whether you're logged in. Then checks whether your old password is actually the one that belongs to you (gets value from the email field for the email, see caveat no2). Checks the new passwords for === and length > 6 on client and server side as well. And THEN changes passwords. Caveats: * didn't add a test, as mocha fails spectacularly on my machine. SQLITE_CORRUPT: database disk image is malformed. Cute, huh? * Because we don't have / I'm not aware of / could not find a "currentuser" variable, I need to get the email address of the user we want to change from the email field. Theoretically if they replace that with another user's email address, and supply their pw, they will change THEIR password instead of their own.
2013-08-06 03:49:06 +04:00
/**
* Naive change password method
Refactor changePassword and resetPassword issue #5500 - make `changePassword` and `resetPassword` methods on `user` model consistent: use `object` and `options` arguments instead of multiple different arguments - change User API `changePassword` method to use these new arguments
2015-07-07 16:32:50 +03:00
* @param {Object} object
Add jscs task to grunt file and clean up files to adhere to jscs rules. resolves #1920 - updates all files to conform to style settings.
2014-09-10 08:06:24 +04:00
* @param {Object} options
Users can change password Closes #282 * Added a new route * Added new methods * Triple security! * Passwords are actually changed * Also added a change password button, because 'save' has too much baggage. On security: checks whether you're logged in. Then checks whether your old password is actually the one that belongs to you (gets value from the email field for the email, see caveat no2). Checks the new passwords for === and length > 6 on client and server side as well. And THEN changes passwords. Caveats: * didn't add a test, as mocha fails spectacularly on my machine. SQLITE_CORRUPT: database disk image is malformed. Cute, huh? * Because we don't have / I'm not aware of / could not find a "currentuser" variable, I need to get the email address of the user we want to change from the email field. Theoretically if they replace that with another user's email address, and supply their pw, they will change THEIR password instead of their own.
2013-08-06 03:49:06 +04:00
*/
Refactor changePassword and resetPassword issue #5500 - make `changePassword` and `resetPassword` methods on `user` model consistent: use `object` and `options` arguments instead of multiple different arguments - change User API `changePassword` method to use these new arguments
2015-07-07 16:32:50 +03:00
changePassword: function changePassword(object, options) {
Validation consistency - introduced validation method in the post and user model - moved signup validation onto model - consistent use of validation & error messaging in the admin UI - helper methods in base view moved to a utils object
2013-08-20 22:52:44 +04:00
var self = this,
Refactor changePassword and resetPassword issue #5500 - make `changePassword` and `resetPassword` methods on `user` model consistent: use `object` and `options` arguments instead of multiple different arguments - change User API `changePassword` method to use these new arguments
2015-07-07 16:32:50 +03:00
newPassword = object.newPassword,
ne2Password = object.ne2Password,
Check Old Password on Password Change Closes #6620 * Changed it from always returning true, to evaluate if it is the current logged in user, and if so, check the old password. If not, ignore
2016-03-26 03:17:06 +03:00
userId = parseInt(object.user_id),
Refactor changePassword and resetPassword issue #5500 - make `changePassword` and `resetPassword` methods on `user` model consistent: use `object` and `options` arguments instead of multiple different arguments - change User API `changePassword` method to use these new arguments
2015-07-07 16:32:50 +03:00
oldPassword = object.oldPassword,
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
user;
Repaired email sending, implement password reset Closes #288 * I use SendGrid for sending the emails, and it works fine (provided you supply the correct credentials in `config.mail` in `config.js`) * Generates a random 12 char long alphanumeric password, replaces user's pw, and sends an email about it.
2013-09-01 02:20:12 +04:00
Check Old Password on Password Change Closes #6620 * Changed it from always returning true, to evaluate if it is the current logged in user, and if so, check the old password. If not, ignore
2016-03-26 03:17:06 +03:00
// If the two passwords do not match
Users can change password Closes #282 * Added a new route * Added new methods * Triple security! * Passwords are actually changed * Also added a change password button, because 'save' has too much baggage. On security: checks whether you're logged in. Then checks whether your old password is actually the one that belongs to you (gets value from the email field for the email, see caveat no2). Checks the new passwords for === and length > 6 on client and server side as well. And THEN changes passwords. Caveats: * didn't add a test, as mocha fails spectacularly on my machine. SQLITE_CORRUPT: database disk image is malformed. Cute, huh? * Because we don't have / I'm not aware of / could not find a "currentuser" variable, I need to get the email address of the user we want to change from the email field. Theoretically if they replace that with another user's email address, and supply their pw, they will change THEIR password instead of their own.
2013-08-06 03:49:06 +04:00
if (newPassword !== ne2Password) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.newPasswordsDoNotMatch')));
Password change MU closes #4624 - added user_id to password reset request - hide old password field - updated changePassword method to check permissions - updated changePassword method to work without oldPassword - fixed bug for errors shown as [Object object]
2014-12-11 23:23:07 +03:00
}
Check Old Password on Password Change Closes #6620 * Changed it from always returning true, to evaluate if it is the current logged in user, and if so, check the old password. If not, ignore
2016-03-26 03:17:06 +03:00
// If the old password is empty when changing current user's password
Password change MU closes #4624 - added user_id to password reset request - hide old password field - updated changePassword method to check permissions - updated changePassword method to work without oldPassword - fixed bug for errors shown as [Object object]
2014-12-11 23:23:07 +03:00
if (userId === options.context.user && _.isEmpty(oldPassword)) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordRequiredForOperation')));
Users can change password Closes #282 * Added a new route * Added new methods * Triple security! * Passwords are actually changed * Also added a change password button, because 'save' has too much baggage. On security: checks whether you're logged in. Then checks whether your old password is actually the one that belongs to you (gets value from the email field for the email, see caveat no2). Checks the new passwords for === and length > 6 on client and server side as well. And THEN changes passwords. Caveats: * didn't add a test, as mocha fails spectacularly on my machine. SQLITE_CORRUPT: database disk image is malformed. Cute, huh? * Because we don't have / I'm not aware of / could not find a "currentuser" variable, I need to get the email address of the user we want to change from the email field. Theoretically if they replace that with another user's email address, and supply their pw, they will change THEIR password instead of their own.
2013-08-06 03:49:06 +04:00
}
Check Old Password on Password Change Closes #6620 * Changed it from always returning true, to evaluate if it is the current logged in user, and if so, check the old password. If not, ignore
2016-03-26 03:17:06 +03:00
// If password is not complex enough
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
if (!validatePasswordLength(newPassword)) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordDoesNotComplyLength')));
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
}
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return self.forge({id: userId}).fetch({require: true}).then(function then(_user) {
Repaired email sending, implement password reset Closes #288 * I use SendGrid for sending the emails, and it works fine (provided you supply the correct credentials in `config.mail` in `config.js`) * Generates a random 12 char long alphanumeric password, replaces user's pw, and sends an email about it.
2013-09-01 02:20:12 +04:00
user = _user;
Check Old Password on Password Change Closes #6620 * Changed it from always returning true, to evaluate if it is the current logged in user, and if so, check the old password. If not, ignore
2016-03-26 03:17:06 +03:00
// If the user is the current user, check old password
Password change MU closes #4624 - added user_id to password reset request - hide old password field - updated changePassword method to check permissions - updated changePassword method to work without oldPassword - fixed bug for errors shown as [Object object]
2014-12-11 23:23:07 +03:00
if (userId === options.context.user) {
return bcryptCompare(oldPassword, user.get('password'));
}
Check Old Password on Password Change Closes #6620 * Changed it from always returning true, to evaluate if it is the current logged in user, and if so, check the old password. If not, ignore
2016-03-26 03:17:06 +03:00
// If user is admin and changing another user's password, old password isn't compared to the old one
Password change MU closes #4624 - added user_id to password reset request - hide old password field - updated changePassword method to check permissions - updated changePassword method to work without oldPassword - fixed bug for errors shown as [Object object]
2014-12-11 23:23:07 +03:00
return true;
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then(matched) {
Repaired email sending, implement password reset Closes #288 * I use SendGrid for sending the emails, and it works fine (provided you supply the correct credentials in `config.mail` in `config.js`) * Generates a random 12 char long alphanumeric password, replaces user's pw, and sends an email about it.
2013-09-01 02:20:12 +04:00
if (!matched) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.incorrectPassword')));
Repaired email sending, implement password reset Closes #288 * I use SendGrid for sending the emails, and it works fine (provided you supply the correct credentials in `config.mail` in `config.js`) * Generates a random 12 char long alphanumeric password, replaces user's pw, and sends an email about it.
2013-09-01 02:20:12 +04:00
}
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
return generatePasswordHash(newPassword);
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then(hash) {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
return user.save({password: hash});
Users can change password Closes #282 * Added a new route * Added new methods * Triple security! * Passwords are actually changed * Also added a change password button, because 'save' has too much baggage. On security: checks whether you're logged in. Then checks whether your old password is actually the one that belongs to you (gets value from the email field for the email, see caveat no2). Checks the new passwords for === and length > 6 on client and server side as well. And THEN changes passwords. Caveats: * didn't add a test, as mocha fails spectacularly on my machine. SQLITE_CORRUPT: database disk image is malformed. Cute, huh? * Because we don't have / I'm not aware of / could not find a "currentuser" variable, I need to get the email address of the user we want to change from the email field. Theoretically if they replace that with another user's email address, and supply their pw, they will change THEIR password instead of their own.
2013-08-06 03:49:06 +04:00
});
Repaired email sending, implement password reset Closes #288 * I use SendGrid for sending the emails, and it works fine (provided you supply the correct credentials in `config.mail` in `config.js`) * Generates a random 12 char long alphanumeric password, replaces user's pw, and sends an email about it.
2013-09-01 02:20:12 +04:00
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
generateResetToken: function generateResetToken(email, expires, dbHash) {
return this.getByEmail(email).then(function then(foundUser) {
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘
2014-07-02 18:22:18 +04:00
if (!foundUser) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.NotFoundError(i18n.t('errors.models.user.noUserWithEnteredEmailAddr')));
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘
2014-07-02 18:22:18 +04:00
}
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
var hash = crypto.createHash('sha256'),
Extending context concept to models fixes #3275, fixes #3290, ref #3086, ref #3084 - Ensure that we use the current logged in user and not just user 1 when - removing hard coded user: 1 except where absolutely necessary - passing context, rather than user to models - base model has a new function to determine what id to use for created_by etc
2014-07-15 15:03:12 +04:00
text = '';
Validation consistency - introduced validation method in the post and user model - moved signup validation onto model - consistent use of validation & error messaging in the admin UI - helper methods in base view moved to a utils object
2013-08-20 22:52:44 +04:00
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
// Token:
URL safe base64 encoding closes #3872 - updated base64 escaping to respect + and \ - updated base64 escaping to remove = during transport - updated tests
2014-12-01 18:59:49 +03:00
// BASE64(TIMESTAMP + email + HASH(TIMESTAMP + email + oldPasswordHash + dbHash ))
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
hash.update(String(expires));
hash.update(email.toLocaleLowerCase());
hash.update(foundUser.get('password'));
hash.update(String(dbHash));
text += [expires, email, hash.digest('base64')].join('|');
URL safe base64 encoding closes #3872 - updated base64 escaping to respect + and \ - updated base64 escaping to remove = during transport - updated tests
2014-12-01 18:59:49 +03:00
return new Buffer(text).toString('base64');
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
});
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
validateToken: function validateToken(token, dbHash) {
Improve password reset token no issue - added check that a combination of email + expires is rejected after 10 attempts - changed comparison to time independent method Thanks to @chiiph for reporting this issue!
2014-01-30 16:27:29 +04:00
/*jslint bitwise:true*/
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
// TODO: Is there a chance the use of ascii here will cause problems if oldPassword has weird characters?
var tokenText = new Buffer(token, 'base64').toString('ascii'),
parts,
expires,
email;
parts = tokenText.split('|');
// Check if invalid structure
if (!parts || parts.length !== 3) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.BadRequestError(i18n.t('errors.models.user.invalidTokenStructure')));
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
}
expires = parseInt(parts[0], 10);
email = parts[1];
if (isNaN(expires)) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.BadRequestError(i18n.t('errors.models.user.invalidTokenExpiration')));
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
}
Improve password reset token no issue - added check that a combination of email + expires is rejected after 10 attempts - changed comparison to time independent method Thanks to @chiiph for reporting this issue!
2014-01-30 16:27:29 +04:00
// Check if token is expired to prevent replay attacks
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
if (expires < Date.now()) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.expiredToken')));
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
}
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
// to prevent brute force attempts to reset the password the combination of email+expires is only allowed for
// 10 attempts
Improve password reset token no issue - added check that a combination of email + expires is rejected after 10 attempts - changed comparison to time independent method Thanks to @chiiph for reporting this issue!
2014-01-30 16:27:29 +04:00
if (tokenSecurity[email + '+' + expires] && tokenSecurity[email + '+' + expires].count >= 10) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.NoPermissionError(i18n.t('errors.models.user.tokenLocked')));
Improve password reset token no issue - added check that a combination of email + expires is rejected after 10 attempts - changed comparison to time independent method Thanks to @chiiph for reporting this issue!
2014-01-30 16:27:29 +04:00
}
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return this.generateResetToken(email, expires, dbHash).then(function then(generatedToken) {
Improve password reset token no issue - added check that a combination of email + expires is rejected after 10 attempts - changed comparison to time independent method Thanks to @chiiph for reporting this issue!
2014-01-30 16:27:29 +04:00
// Check for matching tokens with timing independent comparison
var diff = 0,
i;
Sanitize models' attributes/options before passing to bookshelf/knex closes #2653 - enforce strict whitelists for model methods - create a class method that reports a model method's valid options - create a class method that filters a model's valid attributes from data - create a class method that filters valid options from a model method's options hash
2014-05-06 05:45:08 +04:00
// check if the token length is correct
Improve password reset token no issue - added check that a combination of email + expires is rejected after 10 attempts - changed comparison to time independent method Thanks to @chiiph for reporting this issue!
2014-01-30 16:27:29 +04:00
if (token.length !== generatedToken.length) {
diff = 1;
}
for (i = token.length - 1; i >= 0; i = i - 1) {
diff |= token.charCodeAt(i) ^ generatedToken.charCodeAt(i);
}
if (diff === 0) {
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
return email;
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
}
Improve password reset token no issue - added check that a combination of email + expires is rejected after 10 attempts - changed comparison to time independent method Thanks to @chiiph for reporting this issue!
2014-01-30 16:27:29 +04:00
// increase the count for email+expires for each failed attempt
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
tokenSecurity[email + '+' + expires] = {
count: tokenSecurity[email + '+' + expires] ? tokenSecurity[email + '+' + expires].count + 1 : 1
};
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.BadRequestError(i18n.t('errors.models.user.invalidToken')));
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
});
},
Refactor changePassword and resetPassword issue #5500 - make `changePassword` and `resetPassword` methods on `user` model consistent: use `object` and `options` arguments instead of multiple different arguments - change User API `changePassword` method to use these new arguments
2015-07-07 16:32:50 +03:00
resetPassword: function resetPassword(options) {
var self = this,
token = options.token,
newPassword = options.newPassword,
ne2Password = options.ne2Password,
dbHash = options.dbHash;
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
if (newPassword !== ne2Password) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.newPasswordsDoNotMatch')));
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
}
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
if (!validatePasswordLength(newPassword)) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.ValidationError(i18n.t('errors.models.user.passwordDoesNotComplyLength')));
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
}
// Validate the token; returns the email address from token
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return self.validateToken(utils.decodeBase64URLsafe(token), dbHash).then(function then(email) {
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
// Fetch the user by email, and hash the password at the same time.
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
return Promise.join(
Work with case-sensitive email addresses Closes #4235
2014-10-22 01:18:45 +04:00
self.getByEmail(email),
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
generatePasswordHash(newPassword)
);
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then(results) {
Work with case-sensitive email addresses Closes #4235
2014-10-22 01:18:45 +04:00
if (!results[0]) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.NotFoundError(i18n.t('errors.models.user.userNotFound')));
Work with case-sensitive email addresses Closes #4235
2014-10-22 01:18:45 +04:00
}
Improved Password Reset Tool Closes #1471 - add api and User model methods for generating and validating tokens - add routes and handlers for reset password pages - add client styles and views for reset password form - some basic integration tests for User model methods
2013-11-22 07:17:38 +04:00
// Update the user with the new password hash
var foundUser = results[0],
passwordHash = results[1];
Allow user to accept invitation closes #3081 - added route `/ghost/api/v0.1/authentication/invitation` - added accept invitation - added signup with token - removed check() from users api - fixed promise in resetPassword()
2014-07-03 19:06:07 +04:00
return foundUser.save({password: passwordHash, status: 'active'});
Repaired email sending, implement password reset Closes #288 * I use SendGrid for sending the emails, and it works fine (provided you supply the correct credentials in `config.mail` in `config.js`) * Generates a random 12 char long alphanumeric password, replaces user's pw, and sends an email about it.
2013-09-01 02:20:12 +04:00
});
Users can change password Closes #282 * Added a new route * Added new methods * Triple security! * Passwords are actually changed * Also added a change password button, because 'save' has too much baggage. On security: checks whether you're logged in. Then checks whether your old password is actually the one that belongs to you (gets value from the email field for the email, see caveat no2). Checks the new passwords for === and length > 6 on client and server side as well. And THEN changes passwords. Caveats: * didn't add a test, as mocha fails spectacularly on my machine. SQLITE_CORRUPT: database disk image is malformed. Cute, huh? * Because we don't have / I'm not aware of / could not find a "currentuser" variable, I need to get the email address of the user we want to change from the email field. Theoretically if they replace that with another user's email address, and supply their pw, they will change THEIR password instead of their own.
2013-08-06 03:49:06 +04:00
},
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
transferOwnership: function transferOwnership(object, options) {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
var ownerRole,
contextUser;
return Promise.join(ghostBookshelf.model('Role').findOne({name: 'Owner'}),
User.findOne({id: options.context.user}, {include: ['roles']}))
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
.then(function then(results) {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
ownerRole = results[0];
contextUser = results[1];
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
// check if user has the owner role
Refactor to remove author.email from API refs #2330 - Pass through `options` to all toJSON calls on posts, tags, and users - Use options.context.user to determine whether it's OK to return user.email - Remove author.email handling code from frontend.js
2015-04-18 00:27:04 +03:00
var currentRoles = contextUser.toJSON(options).roles;
API - no more m-2-m relation ids by default closes #4498 - remove toJSON code which returns only IDs from objects - don't auto-include tags & fields in post responses - don't auto-include roles in user responses - fix #allthethings that made assumptions about the auto-includes, or otherwise were only working because of the auto-include
2014-11-27 03:28:29 +03:00
if (!_.any(currentRoles, {id: ownerRole.id})) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.NoPermissionError(i18n.t('errors.models.user.onlyOwnerCanTransferOwnerRole')));
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
}
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
return Promise.join(ghostBookshelf.model('Role').findOne({name: 'Administrator'}),
User.findOne({id: object.id}, {include: ['roles']}));
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then(results) {
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
var adminRole = results[0],
user = results[1],
Refactor to remove author.email from API refs #2330 - Pass through `options` to all toJSON calls on posts, tags, and users - Use options.context.user to determine whether it's OK to return user.email - Remove author.email handling code from frontend.js
2015-04-18 00:27:04 +03:00
currentRoles = user.toJSON(options).roles;
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
API - no more m-2-m relation ids by default closes #4498 - remove toJSON code which returns only IDs from objects - don't auto-include tags & fields in post responses - don't auto-include roles in user responses - fix #allthethings that made assumptions about the auto-includes, or otherwise were only working because of the auto-include
2014-11-27 03:28:29 +03:00
if (!_.any(currentRoles, {id: adminRole.id})) {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 15:29:45 +03:00
return Promise.reject(new errors.ValidationError('errors.models.user.onlyAdmCanBeAssignedOwnerRole'));
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 19:40:30 +04:00
}
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
// convert owner to admin
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
return Promise.join(contextUser.roles().updatePivot({role_id: adminRole.id}),
user.roles().updatePivot({role_id: ownerRole.id}),
user.id);
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then(results) {
Update user roles in store after owner transfer Closes #3466 - Transferring the owner role is now done via a separate endpoint and not through Ember-Data. As a result the user role data needs to be updated manually. - Updated the owner endpoint to return a response body containing the updated user objects. - Updated tests.
2014-07-31 17:41:10 +04:00
return Users.forge()
Optimize model class methods No Issue - Reorder promise chains to defer database queries until they are needed. - Execute database queries that are not dependent on each other in parallel instead of sequentially. - Reduce the number of variables used to hold state across multiple promise blocks. - Do not go async unless necessary.
2014-12-17 18:36:08 +03:00
.query('whereIn', 'id', [contextUser.id, results[2]])
Add jscs task to grunt file and clean up files to adhere to jscs rules. resolves #1920 - updates all files to conform to style settings.
2014-09-10 08:06:24 +04:00
.fetch({withRelated: ['roles']});
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
}).then(function then(users) {
Refactor to remove author.email from API refs #2330 - Pass through `options` to all toJSON calls on posts, tags, and users - Use options.context.user to determine whether it's OK to return user.email - Remove author.email handling code from frontend.js
2015-04-18 00:27:04 +03:00
options.include = ['roles'];
return users.toJSON(options);
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
});
},
Adding case-insensitive User.getByEmail method fixes #1498 - emails are no longer converted to lowercase, local mailbox can validly be mixed case - getByEmail uses JS to compare emails to ensure we can support unicode - tests that users can be retrieved by their email address with case insensitivity
2014-01-15 02:47:17 +04:00
// Get the user by email address, enforces case insensitivity rejects if the user is not found
// When multi-user support is added, email addresses must be deduplicated with case insensitivity, so that
// joe@bloggs.com and JOE@BLOGGS.COM cannot be created as two separate users.
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
getByEmail: function getByEmail(email, options) {
User edit & add endpoints cleanup - edit and add endpoints don't assume role - edit and add endpoints cope with no role, role objects, and strings - resend user invite was failing at one point due to no role being sent, but this shouldn't be required - other random api cleanup
2014-07-31 04:15:34 +04:00
options = options || {};
Adding case-insensitive User.getByEmail method fixes #1498 - emails are no longer converted to lowercase, local mailbox can validly be mixed case - getByEmail uses JS to compare emails to ensure we can support unicode - tests that users can be retrieved by their email address with case insensitivity
2014-01-15 02:47:17 +04:00
// We fetch all users and process them in JS as there is no easy way to make this query across all DBs
// Although they all support `lower()`, sqlite can't case transform unicode characters
// This is somewhat mute, as validator.isEmail() also doesn't support unicode, but this is much easier / more
// likely to be fixed in the near future.
User edit & add endpoints cleanup - edit and add endpoints don't assume role - edit and add endpoints cope with no role, role objects, and strings - resend user invite was failing at one point due to no role being sent, but this shouldn't be required - other random api cleanup
2014-07-31 04:15:34 +04:00
options.require = true;
Misc cleanup: moving files & naming functions
2015-06-14 18:58:49 +03:00
return Users.forge(options).fetch(options).then(function then(users) {
var userWithEmail = users.find(function findUser(user) {
Adding case-insensitive User.getByEmail method fixes #1498 - emails are no longer converted to lowercase, local mailbox can validly be mixed case - getByEmail uses JS to compare emails to ensure we can support unicode - tests that users can be retrieved by their email address with case insensitivity
2014-01-15 02:47:17 +04:00
return user.get('email').toLowerCase() === email.toLowerCase();
});
if (userWithEmail) {
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
return userWithEmail;
Adding case-insensitive User.getByEmail method fixes #1498 - emails are no longer converted to lowercase, local mailbox can validly be mixed case - getByEmail uses JS to compare emails to ensure we can support unicode - tests that users can be retrieved by their email address with case insensitivity
2014-01-15 02:47:17 +04:00
}
});
}
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
});
simplifying the model structure, again
2013-06-01 18:47:41 +04:00
Updating to bookshelf 0.5.7 & knex 0.4.11
2013-09-23 02:20:08 +04:00
Users = ghostBookshelf.Collection.extend({
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
model: User
});
simplifying the model structure, again
2013-06-01 18:47:41 +04:00
issue #58 - removing the iiwf Function wrapper and use strict pragma removed from all node files
2013-06-25 15:43:15 +04:00
module.exports = {
Use bookshelf's model registry plugin Refs #2170 This removes the circular dependency problem from our models thanks to https://github.com/tgriesser/bookshelf/issues/181 - add the registry plugin - switch all models and collections to be registered - switch relationships to be defined using a string, which calls from the registry
2014-07-13 15:17:18 +04:00
User: ghostBookshelf.model('User', User),
Users: ghostBookshelf.collection('Users', Users)
Users can change password Closes #282 * Added a new route * Added new methods * Triple security! * Passwords are actually changed * Also added a change password button, because 'save' has too much baggage. On security: checks whether you're logged in. Then checks whether your old password is actually the one that belongs to you (gets value from the email field for the email, see caveat no2). Checks the new passwords for === and length > 6 on client and server side as well. And THEN changes passwords. Caveats: * didn't add a test, as mocha fails spectacularly on my machine. SQLITE_CORRUPT: database disk image is malformed. Cute, huh? * Because we don't have / I'm not aware of / could not find a "currentuser" variable, I need to get the email address of the user we want to change from the email field. Theoretically if they replace that with another user's email address, and supply their pw, they will change THEIR password instead of their own.
2013-08-06 03:49:06 +04:00
};
Reference in New Issue Copy Permalink