TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-30 06:12:03 +03:00
Code Issues Projects Releases Wiki Activity
df7e64fafa
Ghost/core/server/api/v0.1/users.js

353 lines
11 KiB
JavaScript
Raw Normal View History

Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 17:05:25 +04:00
// # Users API
// RESTful API for the User resource
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
const Promise = require('bluebird'),
Misc cleanup & consistency amends (#9002) no issue - Consistent naming for postLookup - makes it easier to search and inspect the various usages - Cleanup unneeded code - Make res.render calls more consistent - add some consistency to the calls to res.render - Remove ancient reference to dataProvider - Let's call it models everywhere now... - Use consistent formatting across the API - we're no longer using alignment in vars - Misc other consistency changes in API - always refer to local utils as apiUtils - logical grouping of requires - dependencies, utils, "lib common" etc - use xAPI to refer to API endpoints, e.g. mailAPI, settingsAPI for clarity
2017-09-12 18:31:14 +03:00
_ = require('lodash'),
Moved api controllers into api/v0.1 (#9918) refs #9866 - preparation for v2 - moved api/ to api/v0.1 - do export v0.1 straight from the api folder, we don't want to touch this right now - that means currently if you require the api folder, we return v0.1 by default - there were some direct requires of api files in the test env - some of them use rewire - for now, we just correct the require path to require api/v0.1/ - we touch the test env next week **Docs about V2 design are coming soon!**
2018-09-27 17:06:57 +03:00
pipeline = require('../../lib/promise/pipeline'),
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns
2017-12-14 00:14:19 +03:00
localUtils = require('./utils'),
Moved api controllers into api/v0.1 (#9918) refs #9866 - preparation for v2 - moved api/ to api/v0.1 - do export v0.1 straight from the api folder, we don't want to touch this right now - that means currently if you require the api folder, we return v0.1 by default - there were some direct requires of api files in the test env - some of them use rewire - for now, we just correct the require path to require api/v0.1/ - we touch the test env next week **Docs about V2 design are coming soon!**
2018-09-27 17:06:57 +03:00
canThis = require('../../services/permissions').canThis,
models = require('../../models'),
common = require('../../lib/common'),
Refactor URL generation from models (#9917) Moved URL attributes logic from the model into API layer refs #9866 - Moved URL related attribute calculation for posts, users, and tags into API layer - Added test coverage for url attributes in tags/authors/primary_tags/primary_authors
2018-10-03 16:44:30 +03:00
{urlsForUser} = require('./decorators/urls'),
Misc cleanup & consistency amends (#9002) no issue - Consistent naming for postLookup - makes it easier to search and inspect the various usages - Cleanup unneeded code - Make res.render calls more consistent - add some consistency to the calls to res.render - Remove ancient reference to dataProvider - Let's call it models everywhere now... - Use consistent formatting across the API - we're no longer using alignment in vars - Misc other consistency changes in API - always refer to local utils as apiUtils - logical grouping of requires - dependencies, utils, "lib common" etc - use xAPI to refer to API endpoints, e.g. mailAPI, settingsAPI for clarity
2017-09-12 18:31:14 +03:00
docName = 'users',
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
allowedIncludes = ['count.posts', 'permissions', 'roles', 'roles.permissions'];
let users;
User edit & add endpoints cleanup - edit and add endpoints don't assume role - edit and add endpoints cope with no role, role objects, and strings - resend user invite was failing at one point due to no role being sent, but this shouldn't be required - other random api cleanup
2014-07-31 04:15:34 +04:00
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 17:05:25 +04:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
* ### Users API Methods
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 17:05:25 +04:00
*
Moved utils constants to lib/constants refs #9178
2017-12-14 16:13:40 +03:00
* **See:** [API Methods](constants.js.html#api%20methods)
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 17:05:25 +04:00
*/
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
users = {
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 16:41:19 +04:00
/**
* ## Browse
* Fetch all users
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 17:05:25 +04:00
* @param {{context}} options (optional)
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
* @returns {Promise<Users>} Users Collection
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 16:41:19 +04:00
*/
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
browse(options) {
let extraOptions = ['status', 'absolute_urls'],
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns
2017-12-14 00:14:19 +03:00
permittedOptions = localUtils.browseDefaultOptions.concat(extraOptions),
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
tasks;
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
/**
* ### Model Query
* Make the call to the Model layer
* @param {Object} options
* @returns {Object} options
*/
function doQuery(options) {
Removed `toJSON` serialization in `findPage` method (#9899) refs #9866 - Removed `toJSON` call in `findPage` - Added JSON serialization on API layer - Reason: model and api layer were coupled - all other model actions just returned the raw data and no specific format - Corrected test suites to serialize fetched models to JSON - Removed `absolute_urls` attribute from validOptions findPage methods as it's no longer needed in the data layer - Changed 'include' test as this option is now tolerated and returns data
2018-09-26 15:11:22 +03:00
return models.User.findPage(options)
.then(({data, meta}) => {
return {
🐛 Fixed 'url' attribute miscalculation when when requested as the only part of fields filter (#9969) closes #9962 - Fixed the bug with url being set to /404 when id was not present on the model - Added a functional test to cover this bug - Refactored url decorating methods to be more clear about the nature of passed parameters
2018-10-15 15:47:56 +03:00
users: data.map(model => urlsForUser(model.id, model.toJSON(options), options)),
Removed `toJSON` serialization in `findPage` method (#9899) refs #9866 - Removed `toJSON` call in `findPage` - Added JSON serialization on API layer - Reason: model and api layer were coupled - all other model actions just returned the raw data and no specific format - Corrected test suites to serialize fetched models to JSON - Removed `absolute_urls` attribute from validOptions findPage methods as it's no longer needed in the data layer - Changed 'include' test as this option is now tolerated and returns data
2018-09-26 15:11:22 +03:00
meta: meta
};
});
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
}
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
tasks = [
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns
2017-12-14 00:14:19 +03:00
localUtils.validate(docName, {opts: permittedOptions}),
localUtils.convertOptions(allowedIncludes),
Sorted out the mixed usages of `include` and `withRelated` (#9425) no issue - this commit cleans up the usages of `include` and `withRelated`. ### API layer (`include`) - as request parameter e.g. `?include=roles,tags` - as theme API parameter e.g. `{{get .... include="author"}}` - as internal API access e.g. `api.posts.browse({include: 'author,tags'})` - the `include` notation is more readable than `withRelated` - and it allows us to use a different easier format (comma separated list) - the API utility transforms these more readable properties into model style (or into Ghost style) ### Model access (`withRelated`) - e.g. `models.Post.findPage({withRelated: ['tags']})` - driven by bookshelf --- Commits explained. * Reorder the usage of `convertOptions` - 1. validation - 2. options convertion - 3. permissions - the reason is simple, the permission layer access the model layer - we have to prepare the options before talking to the model layer - added `convertOptions` where it was missed (not required, but for consistency reasons) * Use `withRelated` when accessing the model layer and use `include` when accessing the API layer * Change `convertOptions` API utiliy - API Usage - ghost.api(..., {include: 'tags,authors'}) - `include` should only be used when calling the API (either via request or via manual usage) - `include` is only for readability and easier format - Ghost (Model Layer Usage) - models.Post.findOne(..., {withRelated: ['tags', 'authors']}) - should only use `withRelated` - model layer cannot read 'tags,authors` - model layer has no idea what `include` means, speaks a different language - `withRelated` is bookshelf - internal usage * include-count plugin: use `withRelated` instead of `include` - imagine you outsource this plugin to git and publish it to npm - `include` is an unknown option in bookshelf * Updated `permittedOptions` in base model - `include` is no longer a known option * Remove all occurances of `include` in the model layer * Extend `filterOptions` base function - this function should be called as first action - we clone the unfiltered options - check if you are using `include` (this is a protection which could help us in the beginning) - check for permitted and (later on default `withRelated`) options - the usage is coming in next commit * Ensure we call `filterOptions` as first action - use `ghostBookshelf.Model.filterOptions` as first action - consistent naming pattern for incoming options: `unfilteredOptions` - re-added allowed options for `toJSON` - one unsolved architecture problem: - if you override a function e.g. `edit` - then you should call `filterOptions` as first action - the base implementation of e.g. `edit` will call it again - future improvement * Removed `findOne` from Invite model - no longer needed, the base implementation is the same
2018-02-15 12:53:53 +03:00
localUtils.handlePublicPermissions(docName, 'browse'),
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
doQuery
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
// Pipeline calls each task passing the result of one to be the arguments for the next
return pipeline(tasks, options);
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
},
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 17:05:25 +04:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
* ## Read
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 17:05:25 +04:00
* @param {{id, context}} options
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
* @returns {Promise<Users>} User
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 17:05:25 +04:00
*/
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
read(options) {
let attrs = ['id', 'slug', 'status', 'email', 'role'],
🎨Added `absolute_url` flag to public api (#9833) closes #9832 The API _should_ be returning absolute URLs for everything, 3rd party applications require absolute urls to read and display ghost data correctly. Currently they have to concat the blog url and the resource url, which is very uncomfortable. Changing the public api like this would be considered a breaking change however so we've opted to put it behind a query parameter named `absolute_urls`.
2018-08-31 13:02:39 +03:00
permittedOptions = ['absolute_urls'],
Removed OAuth leftover: emit event when calling /users/me (#9061) refs #8342 - was added in this commit https://github.com/TryGhost/Ghost/commit/319a38827726e6c0d1cb5d9a21dffc5ed701b620 - we can remove this event
2017-09-27 06:07:39 +03:00
tasks;
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
✨ ghost auth: sync email (#8027) * ✨ ghost auth: sync email refs #7452 - sync email changes in background (every hour right now) - sync logged in user only! - no sync if auth strategy password is used - GET /users/me is triggered on every page refresh - added TODO to support or add long polling for syncing data later - no tests yet on purpose, as i would like to get a basic review first * 🐩 use events - remember sync per user
2017-02-23 21:04:24 +03:00
// Special handling for /users/me request
Removed OAuth leftover: emit event when calling /users/me (#9061) refs #8342 - was added in this commit https://github.com/TryGhost/Ghost/commit/319a38827726e6c0d1cb5d9a21dffc5ed701b620 - we can remove this event
2017-09-27 06:07:39 +03:00
if (options.id === 'me' && options.context && options.context.user) {
Add public API permission handling refs #4004, #5614 - added new public permission handling functions to permissions - added a new util to handle either public permissions or normal permissions - updated posts, tags and users endpoints to use the new util - added test coverage for the new code
2015-06-27 21:09:25 +03:00
options.id = options.context.user;
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 20:00:59 +04:00
}
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
/**
* ### Model Query
* Make the call to the Model layer
* @param {Object} options
* @returns {Object} options
*/
function doQuery(options) {
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
return models.User.findOne(options.data, _.omit(options, ['data']))
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
.then((model) => {
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
if (!model) {
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-12 00:47:46 +03:00
return Promise.reject(new common.errors.NotFoundError({
message: common.i18n.t('errors.api.users.userNotFound')
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
}));
}
return {
🐛 Fixed 'url' attribute miscalculation when when requested as the only part of fields filter (#9969) closes #9962 - Fixed the bug with url being set to /404 when id was not present on the model - Added a functional test to cover this bug - Refactored url decorating methods to be more clear about the nature of passed parameters
2018-10-15 15:47:56 +03:00
users: [urlsForUser(model.id, model.toJSON(options), options)]
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
};
});
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
}
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
tasks = [
🎨Added `absolute_url` flag to public api (#9833) closes #9832 The API _should_ be returning absolute URLs for everything, 3rd party applications require absolute urls to read and display ghost data correctly. Currently they have to concat the blog url and the resource url, which is very uncomfortable. Changing the public api like this would be considered a breaking change however so we've opted to put it behind a query parameter named `absolute_urls`.
2018-08-31 13:02:39 +03:00
localUtils.validate(docName, {attrs: attrs, opts: permittedOptions}),
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns
2017-12-14 00:14:19 +03:00
localUtils.convertOptions(allowedIncludes),
Sorted out the mixed usages of `include` and `withRelated` (#9425) no issue - this commit cleans up the usages of `include` and `withRelated`. ### API layer (`include`) - as request parameter e.g. `?include=roles,tags` - as theme API parameter e.g. `{{get .... include="author"}}` - as internal API access e.g. `api.posts.browse({include: 'author,tags'})` - the `include` notation is more readable than `withRelated` - and it allows us to use a different easier format (comma separated list) - the API utility transforms these more readable properties into model style (or into Ghost style) ### Model access (`withRelated`) - e.g. `models.Post.findPage({withRelated: ['tags']})` - driven by bookshelf --- Commits explained. * Reorder the usage of `convertOptions` - 1. validation - 2. options convertion - 3. permissions - the reason is simple, the permission layer access the model layer - we have to prepare the options before talking to the model layer - added `convertOptions` where it was missed (not required, but for consistency reasons) * Use `withRelated` when accessing the model layer and use `include` when accessing the API layer * Change `convertOptions` API utiliy - API Usage - ghost.api(..., {include: 'tags,authors'}) - `include` should only be used when calling the API (either via request or via manual usage) - `include` is only for readability and easier format - Ghost (Model Layer Usage) - models.Post.findOne(..., {withRelated: ['tags', 'authors']}) - should only use `withRelated` - model layer cannot read 'tags,authors` - model layer has no idea what `include` means, speaks a different language - `withRelated` is bookshelf - internal usage * include-count plugin: use `withRelated` instead of `include` - imagine you outsource this plugin to git and publish it to npm - `include` is an unknown option in bookshelf * Updated `permittedOptions` in base model - `include` is no longer a known option * Remove all occurances of `include` in the model layer * Extend `filterOptions` base function - this function should be called as first action - we clone the unfiltered options - check if you are using `include` (this is a protection which could help us in the beginning) - check for permitted and (later on default `withRelated`) options - the usage is coming in next commit * Ensure we call `filterOptions` as first action - use `ghostBookshelf.Model.filterOptions` as first action - consistent naming pattern for incoming options: `unfilteredOptions` - re-added allowed options for `toJSON` - one unsolved architecture problem: - if you override a function e.g. `edit` - then you should call `filterOptions` as first action - the base implementation of e.g. `edit` will call it again - future improvement * Removed `findOne` from Invite model - no longer needed, the base implementation is the same
2018-02-15 12:53:53 +03:00
localUtils.handlePublicPermissions(docName, 'read'),
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
doQuery
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
// Pipeline calls each task passing the result of one to be the arguments for the next
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
return pipeline(tasks, options);
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
},
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 17:05:25 +04:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
* ## Edit
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 17:05:25 +04:00
* @param {User} object the user details to edit
* @param {{id, context}} options
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
* @returns {Promise<User>}
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 17:05:25 +04:00
*/
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
edit(object, options) {
let extraOptions = ['editRoles'],
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns
2017-12-14 00:14:19 +03:00
permittedOptions = extraOptions.concat(localUtils.idDefaultOptions),
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
tasks;
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 16:41:19 +04:00
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
if (object.users && object.users[0] && object.users[0].roles && object.users[0].roles[0]) {
options.editRoles = true;
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
}
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 16:41:19 +04:00
Don't alter password from User.edit endpoint - password changes should only be possible from the password change endpoint Credits: An anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program
2015-09-23 21:44:38 +03:00
// The password should never be set via this endpoint, if it is passed, ignore it
if (object.users && object.users[0] && object.users[0].password) {
delete object.users[0].password;
}
Moved user controller permission handling to user permissible fn refs #9866 - prep for v2 - you can better unit test the permissible function - this avoids copying over the permission handling to v2 controller - it was possible to move this logic into the model layer, because we now support `unsafeAttrs`
2018-10-06 03:25:46 +03:00
function prepare(options) {
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
if (options.id === 'me' && options.context && options.context.user) {
options.id = options.context.user;
}
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 20:00:59 +04:00
Moved user controller permission handling to user permissible fn refs #9866 - prep for v2 - you can better unit test the permissible function - this avoids copying over the permission handling to v2 controller - it was possible to move this logic into the model layer, because we now support `unsafeAttrs`
2018-10-06 03:25:46 +03:00
return options;
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
}
/**
* ### Model Query
* Make the call to the Model layer
* @param {Object} options
* @returns {Object} options
*/
function doQuery(options) {
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
return models.User.edit(options.data.users[0], _.omit(options, ['data']))
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
.then((model) => {
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
if (!model) {
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-12 00:47:46 +03:00
return Promise.reject(new common.errors.NotFoundError({
message: common.i18n.t('errors.api.users.userNotFound')
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
}));
}
return {
🐛 Fixed 'url' attribute miscalculation when when requested as the only part of fields filter (#9969) closes #9962 - Fixed the bug with url being set to /404 when id was not present on the model - Added a functional test to cover this bug - Refactored url decorating methods to be more clear about the nature of passed parameters
2018-10-15 15:47:56 +03:00
users: [urlsForUser(model.id, model.toJSON(options), options)]
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
};
});
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
}
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
tasks = [
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns
2017-12-14 00:14:19 +03:00
localUtils.validate(docName, {opts: permittedOptions}),
localUtils.convertOptions(allowedIncludes),
Moved user controller permission handling to user permissible fn refs #9866 - prep for v2 - you can better unit test the permissible function - this avoids copying over the permission handling to v2 controller - it was possible to move this logic into the model layer, because we now support `unsafeAttrs`
2018-10-06 03:25:46 +03:00
prepare,
localUtils.handlePermissions(docName, 'edit', ['status', 'roles']),
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
doQuery
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
return pipeline(tasks, object, options);
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 13:15:01 +04:00
},
Use current user in models closes #2058 - fixed apiContext as suggested in the issue - added user to options object for models - added api.users.register() for public registration - changed models to use options.user for created_by, updated_by, author_id and published_by - added override to session model to avoid created_by and updated_by values - added user (id: 1) to tests - added user (id: 1) for registration - added user (id: 1) for import, fixtures and default settings - added user (id: 1) for user update - added user (id: 1) for settings update (dbHash, installedApps, update check) - updated bookshelf to version 0.6.8
2014-04-03 17:03:09 +04:00
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
* ## Destroy
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
* @param {{id, context}} options
Return http status 204 on deletes Closes #2871 - Refactor api http handlers. - Update tests. - Remove special handling of responses in ember adapter.
2016-03-20 20:26:42 +03:00
* @returns {Promise}
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
*/
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
destroy(options) {
let tasks;
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
/**
* ### Handle Permissions
* We need to be an authorised user to perform this action
* @param {Object} options
* @returns {Object} options
*/
function handlePermissions(options) {
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
return canThis(options.context).destroy.user(options.id).then(() => {
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
options.status = 'all';
return options;
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
}).catch((err) => {
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-12 00:47:46 +03:00
return Promise.reject(new common.errors.NoPermissionError({
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 15:27:35 +03:00
err: err,
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-12 00:47:46 +03:00
context: common.i18n.t('errors.api.users.noPermissionToDestroyUser')
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 15:27:35 +03:00
}));
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
});
}
/**
Return http status 204 on deletes Closes #2871 - Refactor api http handlers. - Update tests. - Remove special handling of responses in ember adapter.
2016-03-20 20:26:42 +03:00
* ### Delete User
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
* Make the call to the Model layer
* @param {Object} options
*/
Return http status 204 on deletes Closes #2871 - Refactor api http handlers. - Update tests. - Remove special handling of responses in ember adapter.
2016-03-20 20:26:42 +03:00
function deleteUser(options) {
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
return models.Base.transaction((t) => {
Return http status 204 on deletes Closes #2871 - Refactor api http handlers. - Update tests. - Remove special handling of responses in ember adapter.
2016-03-20 20:26:42 +03:00
options.transacting = t;
return Promise.all([
Misc cleanup & consistency amends (#9002) no issue - Consistent naming for postLookup - makes it easier to search and inspect the various usages - Cleanup unneeded code - Make res.render calls more consistent - add some consistency to the calls to res.render - Remove ancient reference to dataProvider - Let's call it models everywhere now... - Use consistent formatting across the API - we're no longer using alignment in vars - Misc other consistency changes in API - always refer to local utils as apiUtils - logical grouping of requires - dependencies, utils, "lib common" etc - use xAPI to refer to API endpoints, e.g. mailAPI, settingsAPI for clarity
2017-09-12 18:31:14 +03:00
models.Accesstoken.destroyByUser(options),
models.Refreshtoken.destroyByUser(options),
models.Post.destroyByAuthor(options)
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
]).then(() => {
Misc cleanup & consistency amends (#9002) no issue - Consistent naming for postLookup - makes it easier to search and inspect the various usages - Cleanup unneeded code - Make res.render calls more consistent - add some consistency to the calls to res.render - Remove ancient reference to dataProvider - Let's call it models everywhere now... - Use consistent formatting across the API - we're no longer using alignment in vars - Misc other consistency changes in API - always refer to local utils as apiUtils - logical grouping of requires - dependencies, utils, "lib common" etc - use xAPI to refer to API endpoints, e.g. mailAPI, settingsAPI for clarity
2017-09-12 18:31:14 +03:00
return models.User.destroy(options);
Return http status 204 on deletes Closes #2871 - Refactor api http handlers. - Update tests. - Remove special handling of responses in ember adapter.
2016-03-20 20:26:42 +03:00
}).return(null);
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
}).catch((err) => {
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-12 00:47:46 +03:00
return Promise.reject(new common.errors.NoPermissionError({
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 15:27:35 +03:00
err: err
}));
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
});
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
}
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
tasks = [
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns
2017-12-14 00:14:19 +03:00
localUtils.validate(docName, {opts: localUtils.idDefaultOptions}),
localUtils.convertOptions(allowedIncludes),
Sorted out the mixed usages of `include` and `withRelated` (#9425) no issue - this commit cleans up the usages of `include` and `withRelated`. ### API layer (`include`) - as request parameter e.g. `?include=roles,tags` - as theme API parameter e.g. `{{get .... include="author"}}` - as internal API access e.g. `api.posts.browse({include: 'author,tags'})` - the `include` notation is more readable than `withRelated` - and it allows us to use a different easier format (comma separated list) - the API utility transforms these more readable properties into model style (or into Ghost style) ### Model access (`withRelated`) - e.g. `models.Post.findPage({withRelated: ['tags']})` - driven by bookshelf --- Commits explained. * Reorder the usage of `convertOptions` - 1. validation - 2. options convertion - 3. permissions - the reason is simple, the permission layer access the model layer - we have to prepare the options before talking to the model layer - added `convertOptions` where it was missed (not required, but for consistency reasons) * Use `withRelated` when accessing the model layer and use `include` when accessing the API layer * Change `convertOptions` API utiliy - API Usage - ghost.api(..., {include: 'tags,authors'}) - `include` should only be used when calling the API (either via request or via manual usage) - `include` is only for readability and easier format - Ghost (Model Layer Usage) - models.Post.findOne(..., {withRelated: ['tags', 'authors']}) - should only use `withRelated` - model layer cannot read 'tags,authors` - model layer has no idea what `include` means, speaks a different language - `withRelated` is bookshelf - internal usage * include-count plugin: use `withRelated` instead of `include` - imagine you outsource this plugin to git and publish it to npm - `include` is an unknown option in bookshelf * Updated `permittedOptions` in base model - `include` is no longer a known option * Remove all occurances of `include` in the model layer * Extend `filterOptions` base function - this function should be called as first action - we clone the unfiltered options - check if you are using `include` (this is a protection which could help us in the beginning) - check for permitted and (later on default `withRelated`) options - the usage is coming in next commit * Ensure we call `filterOptions` as first action - use `ghostBookshelf.Model.filterOptions` as first action - consistent naming pattern for incoming options: `unfilteredOptions` - re-added allowed options for `toJSON` - one unsolved architecture problem: - if you override a function e.g. `edit` - then you should call `filterOptions` as first action - the base implementation of e.g. `edit` will call it again - future improvement * Removed `findOne` from Invite model - no longer needed, the base implementation is the same
2018-02-15 12:53:53 +03:00
handlePermissions,
Return http status 204 on deletes Closes #2871 - Refactor api http handlers. - Update tests. - Remove special handling of responses in ember adapter.
2016-03-20 20:26:42 +03:00
deleteUser
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
// Pipeline calls each task passing the result of one to be the arguments for the next
return pipeline(tasks, options);
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 13:46:05 +04:00
},
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 13:15:01 +04:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
* ## Change Password
Move post slug endpoint & add endpoints for users closes #3187 - move slug endpoint to post/slug/:slug - create similar slug and email endpoint for users - add/update tests
2014-07-09 02:28:31 +04:00
* @param {password} object
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 13:15:01 +04:00
* @param {{context}} options
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
* @returns {Promise<password>} success message
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 13:15:01 +04:00
*/
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
changePassword(object, options) {
let tasks;
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
🎨 remove token logic from user model (#7622) * 🔥 remove User model functions - validateToken - generateToken - resetPassword - all this logic will re-appear in a different way Token logic: - was already extracted as separate PR, see https://github.com/TryGhost/Ghost/pull/7554 - we will use this logic in the controller, you will see in the next commits Reset Password: Was just a wrapper for calling the token logic and change the password. We can reconsider keeping the function to call: changePassword and activate the status of the user - but i think it's fine to trigger these two actions from the controlling unit. * 🔥 remove password reset tests from User model - we already have unit tests for change password and the token logic - i will re-check at the end if any test case is missing - but for now i will just burn the tests * ✨ add token logic to controlling unit generateResetToken endpoint - the only change here is instead of calling the User model to generate a token, we generate the token via utils - we fetch the user by email, and generate a hash and return resetPassword endpoint - here we have changed a little bit more - first of all: we have added the validation check if the new passwords match - a new helper method to extract the token informations - the brute force security check, which can be handled later from the new bruteforce middleware (see TODO) - the actual reset function is doing the steps: load me the user, compare the token, change the password and activate the user - we can think of wrapping these steps into a User model function - i was not sure about it, because it is actually part of the controlling unit [ci skip] * 🎨 tidy up - jscs - jshint - naming functions - fixes * ✨ add a test for resetting the password - there was none - added a test to reset the password * 🎨 add more token tests - ensure quality - ensure logic we had * 🔥 remove compare new password check from User Model - this part of controlling unit * ✨ compare new passwords for user endpoint - we deleted the logic in User Model - we are adding the logic to controlling unit * 🐛 spam prevention forgotten can crash - no validation happend before this middleware - it just assumes that the root key is present - when we work on our API, we need to ensure that 1. pre validation happens 2. we call middlewares 3. ... * 🎨 token translation key
2016-11-07 14:18:50 +03:00
function validateRequest() {
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns
2017-12-14 00:14:19 +03:00
return localUtils.validate('password')(object, options)
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
.then((options) => {
let data = options.data.password[0];
🎨 remove token logic from user model (#7622) * 🔥 remove User model functions - validateToken - generateToken - resetPassword - all this logic will re-appear in a different way Token logic: - was already extracted as separate PR, see https://github.com/TryGhost/Ghost/pull/7554 - we will use this logic in the controller, you will see in the next commits Reset Password: Was just a wrapper for calling the token logic and change the password. We can reconsider keeping the function to call: changePassword and activate the status of the user - but i think it's fine to trigger these two actions from the controlling unit. * 🔥 remove password reset tests from User model - we already have unit tests for change password and the token logic - i will re-check at the end if any test case is missing - but for now i will just burn the tests * ✨ add token logic to controlling unit generateResetToken endpoint - the only change here is instead of calling the User model to generate a token, we generate the token via utils - we fetch the user by email, and generate a hash and return resetPassword endpoint - here we have changed a little bit more - first of all: we have added the validation check if the new passwords match - a new helper method to extract the token informations - the brute force security check, which can be handled later from the new bruteforce middleware (see TODO) - the actual reset function is doing the steps: load me the user, compare the token, change the password and activate the user - we can think of wrapping these steps into a User model function - i was not sure about it, because it is actually part of the controlling unit [ci skip] * 🎨 tidy up - jscs - jshint - naming functions - fixes * ✨ add a test for resetting the password - there was none - added a test to reset the password * 🎨 add more token tests - ensure quality - ensure logic we had * 🔥 remove compare new password check from User Model - this part of controlling unit * ✨ compare new passwords for user endpoint - we deleted the logic in User Model - we are adding the logic to controlling unit * 🐛 spam prevention forgotten can crash - no validation happend before this middleware - it just assumes that the root key is present - when we work on our API, we need to ensure that 1. pre validation happens 2. we call middlewares 3. ... * 🎨 token translation key
2016-11-07 14:18:50 +03:00
if (data.newPassword !== data.ne2Password) {
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-12 00:47:46 +03:00
return Promise.reject(new common.errors.ValidationError({
message: common.i18n.t('errors.models.user.newPasswordsDoNotMatch')
🎨 remove token logic from user model (#7622) * 🔥 remove User model functions - validateToken - generateToken - resetPassword - all this logic will re-appear in a different way Token logic: - was already extracted as separate PR, see https://github.com/TryGhost/Ghost/pull/7554 - we will use this logic in the controller, you will see in the next commits Reset Password: Was just a wrapper for calling the token logic and change the password. We can reconsider keeping the function to call: changePassword and activate the status of the user - but i think it's fine to trigger these two actions from the controlling unit. * 🔥 remove password reset tests from User model - we already have unit tests for change password and the token logic - i will re-check at the end if any test case is missing - but for now i will just burn the tests * ✨ add token logic to controlling unit generateResetToken endpoint - the only change here is instead of calling the User model to generate a token, we generate the token via utils - we fetch the user by email, and generate a hash and return resetPassword endpoint - here we have changed a little bit more - first of all: we have added the validation check if the new passwords match - a new helper method to extract the token informations - the brute force security check, which can be handled later from the new bruteforce middleware (see TODO) - the actual reset function is doing the steps: load me the user, compare the token, change the password and activate the user - we can think of wrapping these steps into a User model function - i was not sure about it, because it is actually part of the controlling unit [ci skip] * 🎨 tidy up - jscs - jshint - naming functions - fixes * ✨ add a test for resetting the password - there was none - added a test to reset the password * 🎨 add more token tests - ensure quality - ensure logic we had * 🔥 remove compare new password check from User Model - this part of controlling unit * ✨ compare new passwords for user endpoint - we deleted the logic in User Model - we are adding the logic to controlling unit * 🐛 spam prevention forgotten can crash - no validation happend before this middleware - it just assumes that the root key is present - when we work on our API, we need to ensure that 1. pre validation happens 2. we call middlewares 3. ... * 🎨 token translation key
2016-11-07 14:18:50 +03:00
}));
}
return Promise.resolve(options);
});
}
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
/**
* ### Handle Permissions
* We need to be an authorised user to perform this action
* @param {Object} options
* @returns {Object} options
*/
function handlePermissions(options) {
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
return canThis(options.context).edit.user(options.data.password[0].user_id).then(() => {
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
return options;
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
}).catch((err) => {
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-12 00:47:46 +03:00
return Promise.reject(new common.errors.NoPermissionError({
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 15:27:35 +03:00
err: err,
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-12 00:47:46 +03:00
context: common.i18n.t('errors.api.users.noPermissionToChangeUsersPwd')
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 15:27:35 +03:00
}));
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
});
}
/**
* ### Model Query
* Make the call to the Model layer
* @param {Object} options
* @returns {Object} options
*/
function doQuery(options) {
Misc cleanup & consistency amends (#9002) no issue - Consistent naming for postLookup - makes it easier to search and inspect the various usages - Cleanup unneeded code - Make res.render calls more consistent - add some consistency to the calls to res.render - Remove ancient reference to dataProvider - Let's call it models everywhere now... - Use consistent formatting across the API - we're no longer using alignment in vars - Misc other consistency changes in API - always refer to local utils as apiUtils - logical grouping of requires - dependencies, utils, "lib common" etc - use xAPI to refer to API endpoints, e.g. mailAPI, settingsAPI for clarity
2017-09-12 18:31:14 +03:00
return models.User.changePassword(
Refactor changePassword and resetPassword issue #5500 - make `changePassword` and `resetPassword` methods on `user` model consistent: use `object` and `options` arguments instead of multiple different arguments - change User API `changePassword` method to use these new arguments
2015-07-07 16:32:50 +03:00
options.data.password[0],
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
_.omit(options, ['data'])
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
).then(() => {
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
return Promise.resolve({
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-12 00:47:46 +03:00
password: [{message: common.i18n.t('notices.api.users.pwdChangedSuccessfully')}]
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
});
});
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
}
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
tasks = [
🎨 remove token logic from user model (#7622) * 🔥 remove User model functions - validateToken - generateToken - resetPassword - all this logic will re-appear in a different way Token logic: - was already extracted as separate PR, see https://github.com/TryGhost/Ghost/pull/7554 - we will use this logic in the controller, you will see in the next commits Reset Password: Was just a wrapper for calling the token logic and change the password. We can reconsider keeping the function to call: changePassword and activate the status of the user - but i think it's fine to trigger these two actions from the controlling unit. * 🔥 remove password reset tests from User model - we already have unit tests for change password and the token logic - i will re-check at the end if any test case is missing - but for now i will just burn the tests * ✨ add token logic to controlling unit generateResetToken endpoint - the only change here is instead of calling the User model to generate a token, we generate the token via utils - we fetch the user by email, and generate a hash and return resetPassword endpoint - here we have changed a little bit more - first of all: we have added the validation check if the new passwords match - a new helper method to extract the token informations - the brute force security check, which can be handled later from the new bruteforce middleware (see TODO) - the actual reset function is doing the steps: load me the user, compare the token, change the password and activate the user - we can think of wrapping these steps into a User model function - i was not sure about it, because it is actually part of the controlling unit [ci skip] * 🎨 tidy up - jscs - jshint - naming functions - fixes * ✨ add a test for resetting the password - there was none - added a test to reset the password * 🎨 add more token tests - ensure quality - ensure logic we had * 🔥 remove compare new password check from User Model - this part of controlling unit * ✨ compare new passwords for user endpoint - we deleted the logic in User Model - we are adding the logic to controlling unit * 🐛 spam prevention forgotten can crash - no validation happend before this middleware - it just assumes that the root key is present - when we work on our API, we need to ensure that 1. pre validation happens 2. we call middlewares 3. ... * 🎨 token translation key
2016-11-07 14:18:50 +03:00
validateRequest,
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns
2017-12-14 00:14:19 +03:00
localUtils.convertOptions(allowedIncludes),
Sorted out the mixed usages of `include` and `withRelated` (#9425) no issue - this commit cleans up the usages of `include` and `withRelated`. ### API layer (`include`) - as request parameter e.g. `?include=roles,tags` - as theme API parameter e.g. `{{get .... include="author"}}` - as internal API access e.g. `api.posts.browse({include: 'author,tags'})` - the `include` notation is more readable than `withRelated` - and it allows us to use a different easier format (comma separated list) - the API utility transforms these more readable properties into model style (or into Ghost style) ### Model access (`withRelated`) - e.g. `models.Post.findPage({withRelated: ['tags']})` - driven by bookshelf --- Commits explained. * Reorder the usage of `convertOptions` - 1. validation - 2. options convertion - 3. permissions - the reason is simple, the permission layer access the model layer - we have to prepare the options before talking to the model layer - added `convertOptions` where it was missed (not required, but for consistency reasons) * Use `withRelated` when accessing the model layer and use `include` when accessing the API layer * Change `convertOptions` API utiliy - API Usage - ghost.api(..., {include: 'tags,authors'}) - `include` should only be used when calling the API (either via request or via manual usage) - `include` is only for readability and easier format - Ghost (Model Layer Usage) - models.Post.findOne(..., {withRelated: ['tags', 'authors']}) - should only use `withRelated` - model layer cannot read 'tags,authors` - model layer has no idea what `include` means, speaks a different language - `withRelated` is bookshelf - internal usage * include-count plugin: use `withRelated` instead of `include` - imagine you outsource this plugin to git and publish it to npm - `include` is an unknown option in bookshelf * Updated `permittedOptions` in base model - `include` is no longer a known option * Remove all occurances of `include` in the model layer * Extend `filterOptions` base function - this function should be called as first action - we clone the unfiltered options - check if you are using `include` (this is a protection which could help us in the beginning) - check for permitted and (later on default `withRelated`) options - the usage is coming in next commit * Ensure we call `filterOptions` as first action - use `ghostBookshelf.Model.filterOptions` as first action - consistent naming pattern for incoming options: `unfilteredOptions` - re-added allowed options for `toJSON` - one unsolved architecture problem: - if you override a function e.g. `edit` - then you should call `filterOptions` as first action - the base implementation of e.g. `edit` will call it again - future improvement * Removed `findOne` from Invite model - no longer needed, the base implementation is the same
2018-02-15 12:53:53 +03:00
handlePermissions,
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
doQuery
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
// Pipeline calls each task passing the result of one to be the arguments for the next
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
return pipeline(tasks, object, options);
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 19:40:30 +04:00
},
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 19:40:30 +04:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
* ## Transfer Ownership
* @param {owner} object
* @param {Object} options
* @returns {Promise<User>}
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 19:40:30 +04:00
*/
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
transferOwnership(object, options) {
let tasks;
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
/**
* ### Handle Permissions
* We need to be an authorised user to perform this action
* @param {Object} options
* @returns {Object} options
*/
function handlePermissions(options) {
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
return models.Role.findOne({name: 'Owner'}).then((ownerRole) => {
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
return canThis(options.context).assign.role(ownerRole);
ES6 migration: server/api/ (#9876) refs #9589
2018-09-18 16:59:56 +03:00
}).then(() => {
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
return options;
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 19:40:30 +04:00
});
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
}
/**
* ### Model Query
* Make the call to the Model layer
* @param {Object} options
* @returns {Object} options
*/
function doQuery(options) {
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
return models.User.transferOwnership(options.data.owner[0], _.omit(options, ['data']))
Moved `toJSON` call to api v0.1 controller for ownership transfer refs #9866
2018-10-12 19:12:16 +03:00
.then((models) => {
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
return {
Moved `toJSON` call to api v0.1 controller for ownership transfer refs #9866
2018-10-12 19:12:16 +03:00
users: models.toJSON(_.omit(options, ['data']))
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
};
});
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
}
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
tasks = [
Renamed apiUtils to localUtils - consistency change refs #9178 - we should always use the same naming patterns
2017-12-14 00:14:19 +03:00
localUtils.validate('owner'),
localUtils.convertOptions(allowedIncludes),
Sorted out the mixed usages of `include` and `withRelated` (#9425) no issue - this commit cleans up the usages of `include` and `withRelated`. ### API layer (`include`) - as request parameter e.g. `?include=roles,tags` - as theme API parameter e.g. `{{get .... include="author"}}` - as internal API access e.g. `api.posts.browse({include: 'author,tags'})` - the `include` notation is more readable than `withRelated` - and it allows us to use a different easier format (comma separated list) - the API utility transforms these more readable properties into model style (or into Ghost style) ### Model access (`withRelated`) - e.g. `models.Post.findPage({withRelated: ['tags']})` - driven by bookshelf --- Commits explained. * Reorder the usage of `convertOptions` - 1. validation - 2. options convertion - 3. permissions - the reason is simple, the permission layer access the model layer - we have to prepare the options before talking to the model layer - added `convertOptions` where it was missed (not required, but for consistency reasons) * Use `withRelated` when accessing the model layer and use `include` when accessing the API layer * Change `convertOptions` API utiliy - API Usage - ghost.api(..., {include: 'tags,authors'}) - `include` should only be used when calling the API (either via request or via manual usage) - `include` is only for readability and easier format - Ghost (Model Layer Usage) - models.Post.findOne(..., {withRelated: ['tags', 'authors']}) - should only use `withRelated` - model layer cannot read 'tags,authors` - model layer has no idea what `include` means, speaks a different language - `withRelated` is bookshelf - internal usage * include-count plugin: use `withRelated` instead of `include` - imagine you outsource this plugin to git and publish it to npm - `include` is an unknown option in bookshelf * Updated `permittedOptions` in base model - `include` is no longer a known option * Remove all occurances of `include` in the model layer * Extend `filterOptions` base function - this function should be called as first action - we clone the unfiltered options - check if you are using `include` (this is a protection which could help us in the beginning) - check for permitted and (later on default `withRelated`) options - the usage is coming in next commit * Ensure we call `filterOptions` as first action - use `ghostBookshelf.Model.filterOptions` as first action - consistent naming pattern for incoming options: `unfilteredOptions` - re-added allowed options for `toJSON` - one unsolved architecture problem: - if you override a function e.g. `edit` - then you should call `filterOptions` as first action - the base implementation of e.g. `edit` will call it again - future improvement * Removed `findOne` from Invite model - no longer needed, the base implementation is the same
2018-02-15 12:53:53 +03:00
handlePermissions,
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 21:17:56 +03:00
doQuery
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 23:11:35 +03:00
// Pipeline calls each task passing the result of one to be the arguments for the next
Refactored the API layer: do not handle API response after pipelining no issue - this has a big underlying problem - each task in the pipeline can modify the options - e.g. add a proper permission context - if we chain after the pipeline, we don't have access to the modified options object - and then we pass the wrong options into the `toJSON` function of a model - the toJSON function decides what to return based on options - this is the easiest solution for now, but i am going to write a spec if we can solve this problem differently
2017-09-27 11:31:41 +03:00
return pipeline(tasks, object, options);
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 19:40:30 +04:00
}
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
};
module.exports = users;
Reference in New Issue Copy Permalink