Fixed mirage members route permissions checks

refs 568e4183e3
refs 258f56ded9

- when in test environment add an `X-Test-User` header to API requests that allows the mirage endpoints to check the logged in user without having to cross boundaries into the application or test contexts
Kevin Ansfield 2022-10-03 14:59:09 +01:00
parent 01249926d5
commit 353cad7ed2
2 changed files with 28 additions and 13 deletions


@ -197,6 +197,13 @@ class ajaxService extends AjaxService {
hash.withCredentials = true; hash.withCredentials = true;
// mocked routes used in development/testing do not have access to the
// test context so we add a header here to give them access to the logged
// in user id that can be checked against the mocked database
if (this.isTesting) {
hash.headers['X-Test-User'] = this.session.user?.id;
}
// attempt retries for 15 seconds in two situations: // attempt retries for 15 seconds in two situations:
// 1. Server Unreachable error from the browser (code 0), typically from short internet blips // 1. Server Unreachable error from the browser (code 0), typically from short internet blips
// 2. Maintenance error from Ghost, upgrade in progress so API is temporarily unavailable // 2. Maintenance error from Ghost, upgrade in progress so API is temporarily unavailable
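Review bot: The `hash.headers['X-Test-User'] = this.session.user?.id;` line sets the header even when nobody is logged in, in which case the value is `undefined`; depending on how the ajax layer serialises header values, the mock server may then receive the literal string "undefined", which passes the truthiness check in the mirage permissions helper and leads to a lookup of a user that does not exist. Guard the assignment on the id being present: `if (this.isTesting && this.session.user?.id) {` / `hash.headers['X-Test-User'] = this.session.user.id;` / `}`. Because this header acts as a trusted identity assertion for the mocked routes, a short comment such as `// this header stands in for real auth on mocked routes and must only be sent when isTesting is set by the test environment` would make the trust boundary explicit for the next reader. The enclosing method starts and ends outside the hunk, and whether `hash.headers` is always initialised before this point is not visible here.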


@ -3,29 +3,37 @@ import moment from 'moment-timezone';
import nql from '@tryghost/nql'; import nql from '@tryghost/nql';
import {Response} from 'miragejs'; import {Response} from 'miragejs';
import {extractFilterParam, paginateModelCollection} from '../utils'; import {extractFilterParam, paginateModelCollection} from '../utils';
// import {getContext} from '@ember/test-helpers';
import {underscore} from '@ember/string'; import {underscore} from '@ember/string';
function hasInvalidPermissions() { function hasInvalidPermissions() {
return false; const {schema, request} = this;
// const {owner} = getContext(this); // always allow dev requests through - the logged in user will be real so
// const session = owner.lookup('service:session'); // we can't check against it in the mocked db
if (!request.requestHeaders['X-Test-User']) {
return false;
}
// if (!session?.user?.isAdmin) { const invalidPermsResponse = new Response(403, {}, {
// return new Response(403, {}, { errors: [{
// errors: [{ type: 'NoPermissionError',
// type: 'NoPermissionError', message: 'You do not have permission to perform this action'
// message: 'You do not have permission to perform this action' }]
// }] });
// });
// } const user = schema.users.find(request.requestHeaders['X-Test-User']);
const adminRoles = user.roles.filter(role => ['Owner', 'Administrator'].includes(role.name));
if (adminRoles.length === 0) {
return invalidPermsResponse;
}
} }
function withPermissionsCheck(fn) { function withPermissionsCheck(fn) {
return function () { return function () {
const boundPermsCheck = hasInvalidPermissions.bind(this);
const boundFn = fn.bind(this); const boundFn = fn.bind(this);
return hasInvalidPermissions() || boundFn(...arguments); return boundPermsCheck() || boundFn(...arguments);
}; };
} }
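Review bot: `schema.users.find(request.requestHeaders['X-Test-User'])` can return null when the header carries an id that is not in the mocked database (for example a stale id after the mock db has been reset, or a non-id string), and the following `user.roles.filter(...)` then throws a TypeError instead of producing the 403 response. Add a null guard before the role check: `if (!user) { return invalidPermsResponse; }`. The `['Owner', 'Administrator']` list is rebuilt on every request and could be hoisted to a module-level constant, but that is a style point only. The helper intentionally returns `undefined` rather than `false` when permissions are valid, which works with the `||` in `withPermissionsCheck` but deserves a one-line comment above the function, e.g. `// returns a 403 Response when the X-Test-User has no admin role, otherwise undefined`.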