TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-26 12:21:36 +03:00
Code Issues Projects Releases Wiki Activity

Fixed mirage members route permissions checks

Browse Source 
refs 568e4183e3
refs 258f56ded9

- when in test environment add a `X-Test-User` header to API requests that allows the mirage endpoints to check the logged in user without having to cross boundaries into the application or test contexts
This commit is contained in:
Kevin Ansfield 2022-10-03 14:59:09 +01:00
parent 01249926d5
commit 353cad7ed2
2 changed files with 28 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ghost/admin/app/services/ajax.js
View File

@ -197,6 +197,13 @@ class ajaxService extends AjaxService {
hash.withCredentials = true; hash.withCredentials = true;
// mocked routes used in development/testing do not have access to the
// test context so we add a header here to give them access to the logged
// in user id that can be checked against the mocked database
if (this.isTesting) {
hash.headers['X-Test-User'] = this.session.user?.id;
}
// attempt retries for 15 seconds in two situations: // attempt retries for 15 seconds in two situations:
// 1. Server Unreachable error from the browser (code 0), typically from short internet blips // 1. Server Unreachable error from the browser (code 0), typically from short internet blips
// 2. Maintenance error from Ghost, upgrade in progress so API is temporarily unavailable // 2. Maintenance error from Ghost, upgrade in progress so API is temporarily unavailable

32
ghost/admin/mirage/config/members.js
View File

@ -3,29 +3,37 @@ import moment from 'moment-timezone';
import nql from '@tryghost/nql'; import nql from '@tryghost/nql';
import {Response} from 'miragejs'; import {Response} from 'miragejs';
import {extractFilterParam, paginateModelCollection} from '../utils'; import {extractFilterParam, paginateModelCollection} from '../utils';
// import {getContext} from '@ember/test-helpers';
import {underscore} from '@ember/string'; import {underscore} from '@ember/string';
function hasInvalidPermissions() { function hasInvalidPermissions() {
const {schema, request} = this;
// always allow dev requests through - the logged in user will be real so
// we can't check against it in the mocked db
if (!request.requestHeaders['X-Test-User']) {
return false; return false;
}
// const {owner} = getContext(this); const invalidPermsResponse = new Response(403, {}, {
// const session = owner.lookup('service:session'); errors: [{
type: 'NoPermissionError',
message: 'You do not have permission to perform this action'
}]
});
// if (!session?.user?.isAdmin) { const user = schema.users.find(request.requestHeaders['X-Test-User']);
// return new Response(403, {}, { const adminRoles = user.roles.filter(role => ['Owner', 'Administrator'].includes(role.name));
// errors: [{
// type: 'NoPermissionError', if (adminRoles.length === 0) {
// message: 'You do not have permission to perform this action' return invalidPermsResponse;
// }] }
// });
// }
} }
function withPermissionsCheck(fn) { function withPermissionsCheck(fn) {
return function () { return function () {
const boundPermsCheck = hasInvalidPermissions.bind(this);
const boundFn = fn.bind(this); const boundFn = fn.bind(this);
return hasInvalidPermissions() || boundFn(...arguments); return boundPermsCheck() || boundFn(...arguments);
}; };
} }