2020-04-29 18:44:27 +03:00
|
|
|
const Promise = require('bluebird');
|
|
|
|
const _ = require('lodash');
|
|
|
|
const uuid = require('uuid');
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const keypair = require('keypair');
|
2020-06-25 16:22:15 +03:00
|
|
|
const ObjectID = require('bson-objectid');
|
2020-04-29 18:44:27 +03:00
|
|
|
const ghostBookshelf = require('./base');
|
2021-10-06 13:43:54 +03:00
|
|
|
const tpl = require('@tryghost/tpl');
|
2020-05-22 21:22:20 +03:00
|
|
|
const errors = require('@tryghost/errors');
|
2021-06-15 21:46:27 +03:00
|
|
|
const validator = require('@tryghost/validator');
|
2021-03-06 12:00:18 +03:00
|
|
|
const urlUtils = require('../../shared/url-utils');
|
2021-07-07 23:41:34 +03:00
|
|
|
const {WRITABLE_KEYS_ALLOWLIST} = require('../../shared/labs');
|
2021-06-04 18:56:16 +03:00
|
|
|
|
2021-10-06 13:43:54 +03:00
|
|
|
const messages = {
|
|
|
|
valueCannotBeBlank: 'Value in [settings.key] cannot be blank.',
|
|
|
|
unableToFindSetting: 'Unable to find setting to update: {key}',
|
|
|
|
notEnoughPermission: 'You do not have permission to perform this action'
|
|
|
|
};
|
|
|
|
|
2020-04-29 18:44:27 +03:00
|
|
|
const internalContext = {context: {internal: true}};
|
|
|
|
let Settings;
|
|
|
|
let defaultSettings;
|
2013-09-02 05:49:08 +04:00
|
|
|
|
2019-07-05 10:30:29 +03:00
|
|
|
const doBlock = fn => fn();
|
|
|
|
|
|
|
|
const getMembersKey = doBlock(() => {
|
|
|
|
let UNO_KEYPAIRINO;
|
2020-10-20 02:02:56 +03:00
|
|
|
return function getKey(type) {
|
2019-07-05 10:30:29 +03:00
|
|
|
if (!UNO_KEYPAIRINO) {
|
|
|
|
UNO_KEYPAIRINO = keypair({bits: 1024});
|
|
|
|
}
|
|
|
|
return UNO_KEYPAIRINO[type];
|
|
|
|
};
|
|
|
|
});
|
|
|
|
|
2020-01-20 14:45:58 +03:00
|
|
|
const getGhostKey = doBlock(() => {
|
|
|
|
let UNO_KEYPAIRINO;
|
2020-10-20 02:02:56 +03:00
|
|
|
return function getKey(type) {
|
2020-01-20 14:45:58 +03:00
|
|
|
if (!UNO_KEYPAIRINO) {
|
|
|
|
UNO_KEYPAIRINO = keypair({bits: 1024});
|
|
|
|
}
|
|
|
|
return UNO_KEYPAIRINO[type];
|
|
|
|
};
|
|
|
|
});
|
|
|
|
|
2013-09-02 05:49:08 +04:00
|
|
|
// For neatness, the defaults file is split into categories.
|
|
|
|
// It's much easier for us to work with it as a single level
|
|
|
|
// instead of iterating those categories every time
|
|
|
|
function parseDefaultSettings() {
|
2020-04-29 18:44:27 +03:00
|
|
|
const defaultSettingsInCategories = require('../data/schema/').defaultSettings;
|
|
|
|
const defaultSettingsFlattened = {};
|
|
|
|
|
|
|
|
const dynamicDefault = {
|
|
|
|
db_hash: () => uuid.v4(),
|
|
|
|
public_hash: () => crypto.randomBytes(15).toString('hex'),
|
|
|
|
// @TODO: session_secret would ideally be named "admin_session_secret"
|
|
|
|
session_secret: () => crypto.randomBytes(32).toString('hex'),
|
|
|
|
theme_session_secret: () => crypto.randomBytes(32).toString('hex'),
|
|
|
|
members_public_key: () => getMembersKey('public'),
|
|
|
|
members_private_key: () => getMembersKey('private'),
|
|
|
|
members_email_auth_secret: () => crypto.randomBytes(64).toString('hex'),
|
|
|
|
ghost_public_key: () => getGhostKey('public'),
|
|
|
|
ghost_private_key: () => getGhostKey('private')
|
|
|
|
};
|
2013-09-02 05:49:08 +04:00
|
|
|
|
2015-06-14 18:58:49 +03:00
|
|
|
_.each(defaultSettingsInCategories, function each(settings, categoryName) {
|
2020-06-30 15:02:43 +03:00
|
|
|
_.each(settings, function eachSetting(setting, settingName) {
|
2020-06-24 13:58:15 +03:00
|
|
|
setting.group = categoryName;
|
2013-09-02 05:49:08 +04:00
|
|
|
setting.key = settingName;
|
2019-07-05 10:30:29 +03:00
|
|
|
|
|
|
|
setting.getDefaultValue = function getDefaultValue() {
|
|
|
|
const getDynamicDefault = dynamicDefault[setting.key];
|
|
|
|
if (getDynamicDefault) {
|
|
|
|
return getDynamicDefault();
|
|
|
|
} else {
|
|
|
|
return setting.defaultValue;
|
|
|
|
}
|
|
|
|
};
|
2014-07-28 01:04:58 +04:00
|
|
|
|
2013-09-02 05:49:08 +04:00
|
|
|
defaultSettingsFlattened[settingName] = setting;
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
return defaultSettingsFlattened;
|
|
|
|
}
|
2014-06-17 19:36:47 +04:00
|
|
|
|
|
|
|
function getDefaultSettings() {
|
|
|
|
if (!defaultSettings) {
|
|
|
|
defaultSettings = parseDefaultSettings();
|
|
|
|
}
|
|
|
|
|
|
|
|
return defaultSettings;
|
|
|
|
}
|
2013-06-08 09:03:55 +04:00
|
|
|
|
2013-06-25 15:43:15 +04:00
|
|
|
// Each setting is saved as a separate row in the database,
|
|
|
|
// but the overlying API treats them as a single key:value mapping
|
2013-09-23 02:20:08 +04:00
|
|
|
Settings = ghostBookshelf.Model.extend({
|
2013-08-25 14:49:31 +04:00
|
|
|
|
2013-06-25 15:43:15 +04:00
|
|
|
tableName: 'settings',
|
2013-08-25 14:49:31 +04:00
|
|
|
|
2017-07-21 11:58:58 +03:00
|
|
|
emitChange: function emitChange(event, options) {
|
2018-04-06 19:19:45 +03:00
|
|
|
const eventToTrigger = 'settings' + '.' + event;
|
|
|
|
ghostBookshelf.Model.prototype.emitChange.bind(this)(this, eventToTrigger, options);
|
2015-06-15 11:36:01 +03:00
|
|
|
},
|
|
|
|
|
2018-04-06 19:19:45 +03:00
|
|
|
onDestroyed: function onDestroyed(model, options) {
|
2019-02-07 12:59:37 +03:00
|
|
|
ghostBookshelf.Model.prototype.onDestroyed.apply(this, arguments);
|
|
|
|
|
2018-04-06 19:19:45 +03:00
|
|
|
model.emitChange('deleted', options);
|
|
|
|
model.emitChange(model._previousAttributes.key + '.' + 'deleted', options);
|
2016-10-14 15:37:01 +03:00
|
|
|
},
|
2015-06-15 11:36:01 +03:00
|
|
|
|
2021-08-25 13:44:34 +03:00
|
|
|
onCreated: function onCreated(model, options) {
|
2019-02-07 12:59:37 +03:00
|
|
|
ghostBookshelf.Model.prototype.onCreated.apply(this, arguments);
|
|
|
|
|
2018-04-06 19:19:45 +03:00
|
|
|
model.emitChange('added', options);
|
2017-07-21 11:58:58 +03:00
|
|
|
model.emitChange(model.attributes.key + '.' + 'added', options);
|
2016-10-14 15:37:01 +03:00
|
|
|
},
|
|
|
|
|
2021-08-25 13:44:34 +03:00
|
|
|
onUpdated: function onUpdated(model, options) {
|
2019-02-07 12:59:37 +03:00
|
|
|
ghostBookshelf.Model.prototype.onUpdated.apply(this, arguments);
|
|
|
|
|
2018-04-06 19:19:45 +03:00
|
|
|
model.emitChange('edited', options);
|
2017-07-21 11:58:58 +03:00
|
|
|
model.emitChange(model.attributes.key + '.' + 'edited', options);
|
2015-06-15 11:36:01 +03:00
|
|
|
},
|
|
|
|
|
2020-06-30 17:39:37 +03:00
|
|
|
async onValidate(model, attr, options) {
|
|
|
|
await ghostBookshelf.Model.prototype.onValidate.call(this, model, attr, options);
|
2020-07-15 18:11:27 +03:00
|
|
|
|
2020-07-20 15:59:23 +03:00
|
|
|
await Settings.validators.all(model, options);
|
2020-07-15 18:11:27 +03:00
|
|
|
|
|
|
|
if (typeof Settings.validators[model.get('key')] === 'function') {
|
2020-07-20 15:59:23 +03:00
|
|
|
await Settings.validators[model.get('key')](model, options);
|
2020-07-15 18:11:27 +03:00
|
|
|
}
|
2019-03-06 14:56:26 +03:00
|
|
|
},
|
|
|
|
|
2019-03-07 14:17:21 +03:00
|
|
|
format() {
|
|
|
|
const attrs = ghostBookshelf.Model.prototype.format.apply(this, arguments);
|
2020-06-30 15:04:56 +03:00
|
|
|
const settingType = attrs.type;
|
|
|
|
|
|
|
|
if (settingType === 'boolean') {
|
|
|
|
// CASE: Ensure we won't forward strings, otherwise model events or model interactions can fail
|
|
|
|
if (attrs.value === '0' || attrs.value === '1') {
|
|
|
|
attrs.value = !!+attrs.value;
|
|
|
|
}
|
|
|
|
|
|
|
|
// CASE: Ensure we won't forward strings, otherwise model events or model interactions can fail
|
|
|
|
if (attrs.value === 'false' || attrs.value === 'true') {
|
|
|
|
attrs.value = JSON.parse(attrs.value);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (_.isBoolean(attrs.value)) {
|
|
|
|
attrs.value = attrs.value.toString();
|
|
|
|
}
|
2019-03-07 14:17:21 +03:00
|
|
|
}
|
2021-03-08 21:41:43 +03:00
|
|
|
|
2021-03-23 12:11:24 +03:00
|
|
|
return attrs;
|
|
|
|
},
|
|
|
|
|
|
|
|
formatOnWrite(attrs) {
|
2021-03-08 21:41:43 +03:00
|
|
|
if (attrs.value && ['cover_image', 'logo', 'icon', 'portal_button_icon', 'og_image', 'twitter_image'].includes(attrs.key)) {
|
|
|
|
attrs.value = urlUtils.toTransformReady(attrs.value);
|
|
|
|
}
|
|
|
|
|
2019-03-07 14:17:21 +03:00
|
|
|
return attrs;
|
|
|
|
},
|
|
|
|
|
2019-03-06 14:56:26 +03:00
|
|
|
parse() {
|
|
|
|
const attrs = ghostBookshelf.Model.prototype.parse.apply(this, arguments);
|
|
|
|
|
2020-06-30 15:04:56 +03:00
|
|
|
// transform "0" to false for boolean type
|
|
|
|
const settingType = attrs.type;
|
|
|
|
if (settingType === 'boolean' && (attrs.value === '0' || attrs.value === '1')) {
|
2019-03-06 14:56:26 +03:00
|
|
|
attrs.value = !!+attrs.value;
|
|
|
|
}
|
|
|
|
|
2020-06-30 15:04:56 +03:00
|
|
|
// transform "false" to false for boolean type
|
|
|
|
if (settingType === 'boolean' && (attrs.value === 'false' || attrs.value === 'true')) {
|
2019-03-06 14:56:26 +03:00
|
|
|
attrs.value = JSON.parse(attrs.value);
|
|
|
|
}
|
|
|
|
|
2021-03-06 12:00:18 +03:00
|
|
|
// transform URLs from __GHOST_URL__ to absolute
|
|
|
|
if (['cover_image', 'logo', 'icon', 'portal_button_icon', 'og_image', 'twitter_image'].includes(attrs.key)) {
|
|
|
|
attrs.value = urlUtils.transformReadyToAbsolute(attrs.value);
|
|
|
|
}
|
|
|
|
|
2019-03-06 14:56:26 +03:00
|
|
|
return attrs;
|
2013-06-25 15:43:15 +04:00
|
|
|
}
|
|
|
|
}, {
|
2016-06-03 11:06:18 +03:00
|
|
|
findOne: function (data, options) {
|
|
|
|
if (_.isEmpty(data)) {
|
|
|
|
options = data;
|
|
|
|
}
|
|
|
|
|
2013-06-25 15:43:15 +04:00
|
|
|
// Allow for just passing the key instead of attributes
|
2016-06-03 11:06:18 +03:00
|
|
|
if (!_.isObject(data)) {
|
|
|
|
data = {key: data};
|
2013-06-15 18:10:30 +04:00
|
|
|
}
|
2016-06-03 11:06:18 +03:00
|
|
|
|
|
|
|
return Promise.resolve(ghostBookshelf.Model.findOne.call(this, data, options));
|
2013-06-25 15:43:15 +04:00
|
|
|
},
|
2013-06-08 09:03:55 +04:00
|
|
|
|
Sorted out the mixed usages of `include` and `withRelated` (#9425)
no issue
- this commit cleans up the usages of `include` and `withRelated`.
### API layer (`include`)
- as request parameter e.g. `?include=roles,tags`
- as theme API parameter e.g. `{{get .... include="author"}}`
- as internal API access e.g. `api.posts.browse({include: 'author,tags'})`
- the `include` notation is more readable than `withRelated`
- and it allows us to use a different easier format (comma separated list)
- the API utility transforms these more readable properties into model style (or into Ghost style)
### Model access (`withRelated`)
- e.g. `models.Post.findPage({withRelated: ['tags']})`
- driven by bookshelf
---
Commits explained.
* Reorder the usage of `convertOptions`
- 1. validation
- 2. options convertion
- 3. permissions
- the reason is simple, the permission layer access the model layer
- we have to prepare the options before talking to the model layer
- added `convertOptions` where it was missed (not required, but for consistency reasons)
* Use `withRelated` when accessing the model layer and use `include` when accessing the API layer
* Change `convertOptions` API utiliy
- API Usage
- ghost.api(..., {include: 'tags,authors'})
- `include` should only be used when calling the API (either via request or via manual usage)
- `include` is only for readability and easier format
- Ghost (Model Layer Usage)
- models.Post.findOne(..., {withRelated: ['tags', 'authors']})
- should only use `withRelated`
- model layer cannot read 'tags,authors`
- model layer has no idea what `include` means, speaks a different language
- `withRelated` is bookshelf
- internal usage
* include-count plugin: use `withRelated` instead of `include`
- imagine you outsource this plugin to git and publish it to npm
- `include` is an unknown option in bookshelf
* Updated `permittedOptions` in base model
- `include` is no longer a known option
* Remove all occurances of `include` in the model layer
* Extend `filterOptions` base function
- this function should be called as first action
- we clone the unfiltered options
- check if you are using `include` (this is a protection which could help us in the beginning)
- check for permitted and (later on default `withRelated`) options
- the usage is coming in next commit
* Ensure we call `filterOptions` as first action
- use `ghostBookshelf.Model.filterOptions` as first action
- consistent naming pattern for incoming options: `unfilteredOptions`
- re-added allowed options for `toJSON`
- one unsolved architecture problem:
- if you override a function e.g. `edit`
- then you should call `filterOptions` as first action
- the base implementation of e.g. `edit` will call it again
- future improvement
* Removed `findOne` from Invite model
- no longer needed, the base implementation is the same
2018-02-15 12:53:53 +03:00
|
|
|
edit: function (data, unfilteredOptions) {
|
2020-04-29 18:44:27 +03:00
|
|
|
const options = this.filterOptions(unfilteredOptions, 'edit');
|
|
|
|
const self = this;
|
2014-04-03 17:03:09 +04:00
|
|
|
|
Refactor API arguments
closes #2610, refs #2697
- cleanup API index.js, and add docs
- all API methods take consistent arguments: object & options
- browse, read, destroy take options, edit and add take object and options
- the context is passed as part of options, meaning no more .call
everywhere
- destroy expects an object, rather than an id all the way down to the model layer
- route params such as :id, :slug, and :key are passed as an option & used
to perform reads, updates and deletes where possible - settings / themes
may need work here still
- HTTP posts api can find a post by slug
- Add API utils for checkData
2014-05-08 16:41:19 +04:00
|
|
|
if (!Array.isArray(data)) {
|
|
|
|
data = [data];
|
2013-06-08 09:03:55 +04:00
|
|
|
}
|
2014-04-03 17:03:09 +04:00
|
|
|
|
2014-08-17 10:17:23 +04:00
|
|
|
return Promise.map(data, function (item) {
|
2013-06-25 15:43:15 +04:00
|
|
|
// Accept an array of models as input
|
2017-12-12 00:47:46 +03:00
|
|
|
if (item.toJSON) {
|
|
|
|
item = item.toJSON();
|
|
|
|
}
|
2014-04-28 03:28:50 +04:00
|
|
|
if (!(_.isString(item.key) && item.key.length > 0)) {
|
2021-10-06 13:43:54 +03:00
|
|
|
return Promise.reject(new errors.ValidationError({message: tpl(messages.valueCannotBeBlank)}));
|
2014-04-28 03:28:50 +04:00
|
|
|
}
|
2014-05-06 05:45:08 +04:00
|
|
|
|
|
|
|
item = self.filterData(item);
|
|
|
|
|
2015-06-14 18:58:49 +03:00
|
|
|
return Settings.forge({key: item.key}).fetch(options).then(function then(setting) {
|
2013-09-02 05:49:08 +04:00
|
|
|
if (setting) {
|
2016-06-03 11:06:18 +03:00
|
|
|
// it's allowed to edit all attributes in case of importing/migrating
|
|
|
|
if (options.importing) {
|
2017-10-31 18:47:30 +03:00
|
|
|
return setting.save(item, options);
|
|
|
|
} else {
|
|
|
|
// If we have a value, set it.
|
2019-07-05 14:40:43 +03:00
|
|
|
if (Object.prototype.hasOwnProperty.call(item, 'value')) {
|
2017-10-31 18:47:30 +03:00
|
|
|
setting.set('value', item.value);
|
|
|
|
}
|
|
|
|
// Internal context can overwrite type (for fixture migrations)
|
2019-07-05 14:40:43 +03:00
|
|
|
if (options.context && options.context.internal && Object.prototype.hasOwnProperty.call(item, 'type')) {
|
2017-10-31 18:47:30 +03:00
|
|
|
setting.set('type', item.type);
|
|
|
|
}
|
|
|
|
|
|
|
|
// If anything has changed, save the updated model
|
|
|
|
if (setting.hasChanged()) {
|
|
|
|
return setting.save(null, options);
|
|
|
|
}
|
|
|
|
|
|
|
|
return setting;
|
2016-06-03 11:06:18 +03:00
|
|
|
}
|
2013-09-02 05:49:08 +04:00
|
|
|
}
|
2014-04-03 17:03:09 +04:00
|
|
|
|
2021-10-06 13:43:54 +03:00
|
|
|
return Promise.reject(new errors.NotFoundError({message: tpl(messages.unableToFindSetting, {key: item.key})}));
|
2016-10-04 18:33:43 +03:00
|
|
|
});
|
2013-06-25 15:43:15 +04:00
|
|
|
});
|
2013-09-02 05:49:08 +04:00
|
|
|
},
|
|
|
|
|
2020-06-25 16:22:15 +03:00
|
|
|
populateDefaults: async function populateDefaults(unfilteredOptions) {
|
2020-04-29 18:44:27 +03:00
|
|
|
const options = this.filterOptions(unfilteredOptions, 'populateDefaults');
|
|
|
|
const self = this;
|
2017-03-03 01:00:01 +03:00
|
|
|
|
Sorted out the mixed usages of `include` and `withRelated` (#9425)
no issue
- this commit cleans up the usages of `include` and `withRelated`.
### API layer (`include`)
- as request parameter e.g. `?include=roles,tags`
- as theme API parameter e.g. `{{get .... include="author"}}`
- as internal API access e.g. `api.posts.browse({include: 'author,tags'})`
- the `include` notation is more readable than `withRelated`
- and it allows us to use a different easier format (comma separated list)
- the API utility transforms these more readable properties into model style (or into Ghost style)
### Model access (`withRelated`)
- e.g. `models.Post.findPage({withRelated: ['tags']})`
- driven by bookshelf
---
Commits explained.
* Reorder the usage of `convertOptions`
- 1. validation
- 2. options convertion
- 3. permissions
- the reason is simple, the permission layer access the model layer
- we have to prepare the options before talking to the model layer
- added `convertOptions` where it was missed (not required, but for consistency reasons)
* Use `withRelated` when accessing the model layer and use `include` when accessing the API layer
* Change `convertOptions` API utiliy
- API Usage
- ghost.api(..., {include: 'tags,authors'})
- `include` should only be used when calling the API (either via request or via manual usage)
- `include` is only for readability and easier format
- Ghost (Model Layer Usage)
- models.Post.findOne(..., {withRelated: ['tags', 'authors']})
- should only use `withRelated`
- model layer cannot read 'tags,authors`
- model layer has no idea what `include` means, speaks a different language
- `withRelated` is bookshelf
- internal usage
* include-count plugin: use `withRelated` instead of `include`
- imagine you outsource this plugin to git and publish it to npm
- `include` is an unknown option in bookshelf
* Updated `permittedOptions` in base model
- `include` is no longer a known option
* Remove all occurances of `include` in the model layer
* Extend `filterOptions` base function
- this function should be called as first action
- we clone the unfiltered options
- check if you are using `include` (this is a protection which could help us in the beginning)
- check for permitted and (later on default `withRelated`) options
- the usage is coming in next commit
* Ensure we call `filterOptions` as first action
- use `ghostBookshelf.Model.filterOptions` as first action
- consistent naming pattern for incoming options: `unfilteredOptions`
- re-added allowed options for `toJSON`
- one unsolved architecture problem:
- if you override a function e.g. `edit`
- then you should call `filterOptions` as first action
- the base implementation of e.g. `edit` will call it again
- future improvement
* Removed `findOne` from Invite model
- no longer needed, the base implementation is the same
2018-02-15 12:53:53 +03:00
|
|
|
if (!options.context) {
|
|
|
|
options.context = internalContext.context;
|
|
|
|
}
|
2016-07-14 13:59:42 +03:00
|
|
|
|
2020-06-25 16:22:15 +03:00
|
|
|
// this is required for sqlite to pick up the columns after db init
|
|
|
|
await ghostBookshelf.knex.destroy();
|
|
|
|
await ghostBookshelf.knex.initialize();
|
|
|
|
|
|
|
|
// fetch available columns to avoid populating columns not yet created by migrations
|
|
|
|
const columnInfo = await ghostBookshelf.knex.table('settings').columnInfo();
|
|
|
|
const columns = Object.keys(columnInfo);
|
|
|
|
|
|
|
|
// fetch other data that is used when inserting new settings
|
|
|
|
const date = ghostBookshelf.knex.raw('CURRENT_TIMESTAMP');
|
|
|
|
let owner;
|
|
|
|
try {
|
|
|
|
owner = await ghostBookshelf.model('User').getOwnerUser();
|
|
|
|
} catch (e) {
|
|
|
|
// in some tests the owner is deleted and not recreated before setup
|
|
|
|
if (e.errorType === 'NotFoundError') {
|
|
|
|
owner = {id: 1};
|
|
|
|
} else {
|
|
|
|
throw e;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-03-03 01:00:01 +03:00
|
|
|
return this
|
|
|
|
.findAll(options)
|
|
|
|
.then(function checkAllSettings(allSettings) {
|
2020-04-29 18:44:27 +03:00
|
|
|
const usedKeys = allSettings.models.map(function mapper(setting) {
|
|
|
|
return setting.get('key');
|
|
|
|
});
|
|
|
|
|
|
|
|
const insertOperations = [];
|
2016-07-14 13:59:42 +03:00
|
|
|
|
2017-03-03 01:00:01 +03:00
|
|
|
_.each(getDefaultSettings(), function forEachDefault(defaultSetting, defaultSettingKey) {
|
2020-04-29 18:44:27 +03:00
|
|
|
const isMissingFromDB = usedKeys.indexOf(defaultSettingKey) === -1;
|
2017-03-03 01:00:01 +03:00
|
|
|
if (isMissingFromDB) {
|
2019-07-05 10:30:29 +03:00
|
|
|
defaultSetting.value = defaultSetting.getDefaultValue();
|
2020-06-25 16:22:15 +03:00
|
|
|
|
|
|
|
const settingValues = Object.assign({}, defaultSetting, {
|
2021-04-21 18:02:02 +03:00
|
|
|
id: ObjectID().toHexString(),
|
2020-06-25 16:22:15 +03:00
|
|
|
created_at: date,
|
|
|
|
created_by: owner.id,
|
|
|
|
updated_at: date,
|
|
|
|
updated_by: owner.id
|
|
|
|
});
|
|
|
|
|
|
|
|
insertOperations.push(
|
|
|
|
ghostBookshelf.knex
|
|
|
|
.table('settings')
|
|
|
|
.insert(_.pick(settingValues, columns))
|
|
|
|
);
|
2017-03-03 01:00:01 +03:00
|
|
|
}
|
|
|
|
});
|
2013-09-02 05:49:08 +04:00
|
|
|
|
2017-03-03 01:00:01 +03:00
|
|
|
if (insertOperations.length > 0) {
|
|
|
|
return Promise.all(insertOperations).then(function fetchAllToReturn() {
|
|
|
|
return self.findAll(options);
|
|
|
|
});
|
2013-09-02 05:49:08 +04:00
|
|
|
}
|
|
|
|
|
2017-03-03 01:00:01 +03:00
|
|
|
return allSettings;
|
|
|
|
});
|
2019-10-09 11:26:54 +03:00
|
|
|
},
|
|
|
|
|
2020-03-19 18:23:10 +03:00
|
|
|
permissible: function permissible(modelId, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasApiKeyPermission) {
|
|
|
|
if (hasUserPermission && hasApiKeyPermission) {
|
2019-10-09 11:26:54 +03:00
|
|
|
return Promise.resolve();
|
|
|
|
}
|
|
|
|
|
2020-05-22 21:22:20 +03:00
|
|
|
return Promise.reject(new errors.NoPermissionError({
|
2021-10-06 13:43:54 +03:00
|
|
|
message: tpl(messages.notEnoughPermission)
|
2019-10-09 11:26:54 +03:00
|
|
|
}));
|
2020-07-15 18:11:27 +03:00
|
|
|
},
|
|
|
|
|
|
|
|
validators: {
|
|
|
|
async all(model) {
|
|
|
|
const settingName = model.get('key');
|
|
|
|
const settingDefault = getDefaultSettings()[settingName];
|
|
|
|
|
|
|
|
if (!settingDefault) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Basic validations from default-settings.json
|
2021-06-15 17:32:36 +03:00
|
|
|
const validationErrors = validator.validate(
|
2020-07-15 18:11:27 +03:00
|
|
|
model.get('value'),
|
|
|
|
model.get('key'),
|
|
|
|
settingDefault.validations,
|
|
|
|
'settings'
|
|
|
|
);
|
|
|
|
|
|
|
|
if (validationErrors.length) {
|
2021-12-01 14:22:14 +03:00
|
|
|
throw new errors.ValidationError({message: validationErrors.join('\n')});
|
2020-07-15 18:11:27 +03:00
|
|
|
}
|
|
|
|
},
|
2021-06-04 18:56:16 +03:00
|
|
|
async labs(model) {
|
|
|
|
const flags = JSON.parse(model.get('value'));
|
|
|
|
|
|
|
|
for (const flag in flags) {
|
|
|
|
if (!WRITABLE_KEYS_ALLOWLIST.includes(flag)) {
|
|
|
|
throw new errors.ValidationError({
|
|
|
|
message: `Settings lab value cannot have value other then ${WRITABLE_KEYS_ALLOWLIST.join(', ')}`
|
|
|
|
});
|
|
|
|
}
|
|
|
|
}
|
|
|
|
},
|
2020-07-20 15:59:23 +03:00
|
|
|
async stripe_plans(model, options) {
|
2020-07-15 18:11:27 +03:00
|
|
|
const plans = JSON.parse(model.get('value'));
|
|
|
|
for (const plan of plans) {
|
2020-07-20 15:59:23 +03:00
|
|
|
// Stripe plans used to be allowed (and defaulted to!) 0 amount plans
|
|
|
|
// this causes issues to people importing from older versions of Ghost
|
|
|
|
// even if they don't use Members/Stripe
|
|
|
|
// issue: https://github.com/TryGhost/Ghost/issues/12049
|
|
|
|
if (!options.importing) {
|
|
|
|
// We check 100, not 1, because amounts are in fractional units
|
|
|
|
if (plan.amount < 100 && plan.name !== 'Complimentary') {
|
|
|
|
throw new errors.ValidationError({
|
|
|
|
message: 'Plans cannot have an amount less than 1'
|
|
|
|
});
|
|
|
|
}
|
2020-07-15 18:11:27 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
if (typeof plan.name !== 'string') {
|
|
|
|
throw new errors.ValidationError({
|
|
|
|
message: 'Plan must have a name'
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
if (typeof plan.currency !== 'string') {
|
|
|
|
throw new errors.ValidationError({
|
|
|
|
message: 'Plan must have a currency'
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!['year', 'month', 'week', 'day'].includes(plan.interval)) {
|
|
|
|
throw new errors.ValidationError({
|
|
|
|
message: 'Plan interval must be one of: year, month, week or day'
|
|
|
|
});
|
|
|
|
}
|
|
|
|
}
|
|
|
|
},
|
|
|
|
// @TODO: Maybe move some of the logic into the members service, exporting an isValidStripeKey
|
|
|
|
// method which can be called here, cleaning up the duplication, but not removing control
|
|
|
|
async stripe_secret_key(model) {
|
|
|
|
const value = model.get('value');
|
|
|
|
if (value === null) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
const secretKeyRegex = /(?:sk|rk)_(?:test|live)_[\da-zA-Z]{1,247}$/;
|
|
|
|
|
|
|
|
if (!secretKeyRegex.test(value)) {
|
|
|
|
throw new errors.ValidationError({
|
|
|
|
message: `stripe_secret_key did not match ${secretKeyRegex}`
|
|
|
|
});
|
|
|
|
}
|
|
|
|
},
|
|
|
|
async stripe_publishable_key(model) {
|
|
|
|
const value = model.get('value');
|
|
|
|
if (value === null) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2021-02-03 19:42:51 +03:00
|
|
|
const publishableKeyRegex = /pk_(?:test|live)_[\da-zA-Z]{1,247}$/;
|
2020-07-15 18:11:27 +03:00
|
|
|
|
2021-02-03 19:42:51 +03:00
|
|
|
if (!publishableKeyRegex.test(value)) {
|
2020-07-15 18:11:27 +03:00
|
|
|
throw new errors.ValidationError({
|
2021-02-03 19:42:51 +03:00
|
|
|
message: `stripe_publishable_key did not match ${publishableKeyRegex}`
|
2020-07-15 18:11:27 +03:00
|
|
|
});
|
|
|
|
}
|
|
|
|
},
|
|
|
|
async stripe_connect_secret_key(model) {
|
|
|
|
const value = model.get('value');
|
|
|
|
if (value === null) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
const secretKeyRegex = /(?:sk|rk)_(?:test|live)_[\da-zA-Z]{1,247}$/;
|
|
|
|
|
|
|
|
if (!secretKeyRegex.test(value)) {
|
|
|
|
throw new errors.ValidationError({
|
|
|
|
message: `stripe_secret_key did not match ${secretKeyRegex}`
|
|
|
|
});
|
|
|
|
}
|
|
|
|
},
|
|
|
|
async stripe_connect_publishable_key(model) {
|
|
|
|
const value = model.get('value');
|
|
|
|
if (value === null) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2021-02-03 19:42:51 +03:00
|
|
|
const publishableKeyRegex = /pk_(?:test|live)_[\da-zA-Z]{1,247}$/;
|
2020-07-15 18:11:27 +03:00
|
|
|
|
2021-02-03 19:42:51 +03:00
|
|
|
if (!publishableKeyRegex.test(value)) {
|
2020-07-15 18:11:27 +03:00
|
|
|
throw new errors.ValidationError({
|
2021-02-03 19:42:51 +03:00
|
|
|
message: `stripe_publishable_key did not match ${publishableKeyRegex}`
|
2020-07-15 18:11:27 +03:00
|
|
|
});
|
|
|
|
}
|
|
|
|
}
|
2013-06-25 15:43:15 +04:00
|
|
|
}
|
|
|
|
});
|
2013-06-08 09:03:55 +04:00
|
|
|
|
2013-06-25 15:43:15 +04:00
|
|
|
module.exports = {
|
2014-07-13 15:17:18 +04:00
|
|
|
Settings: ghostBookshelf.model('Settings', Settings)
|
2013-09-02 05:49:08 +04:00
|
|
|
};
|