Fixed mirage members route permissions checks
refs568e4183e3
refs258f56ded9
- when in the test environment, add an `X-Test-User` header to API requests so that the mirage endpoints can check the logged-in user without having to cross boundaries into the application or test contexts
This commit is contained in:
parent
01249926d5
commit
353cad7ed2
@ -197,6 +197,13 @@ class ajaxService extends AjaxService {
|
|||||||
|
|
||||||
hash.withCredentials = true;
|
hash.withCredentials = true;
|
||||||
|
|
||||||
|
// mocked routes used in development/testing do not have access to the
|
||||||
|
// test context so we add a header here to give them access to the logged
|
||||||
|
// in user id that can be checked against the mocked database
|
||||||
|
if (this.isTesting) {
|
||||||
|
hash.headers['X-Test-User'] = this.session.user?.id;
|
||||||
|
}
|
||||||
|
|
||||||
// attempt retries for 15 seconds in two situations:
|
// attempt retries for 15 seconds in two situations:
|
||||||
// 1. Server Unreachable error from the browser (code 0), typically from short internet blips
|
// 1. Server Unreachable error from the browser (code 0), typically from short internet blips
|
||||||
// 2. Maintenance error from Ghost, upgrade in progress so API is temporarily unavailable
|
// 2. Maintenance error from Ghost, upgrade in progress so API is temporarily unavailable
|
||||||
|
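Review bot: `hash.headers['X-Test-User'] = this.session.user?.id;` assigns `undefined` when no user is signed in, and depending on the underlying XHR transport that is likely sent as the literal string "undefined" rather than omitted, which the mirage side would then try to look up as a user id. Guard the assignment so the header is only sent when an id exists: `if (this.isTesting && this.session.user?.id) { hash.headers['X-Test-User'] = this.session.user.id; }`. This assumes `hash.headers` is initialised earlier in the method, which is outside the hunk; if it is not, the assignment would throw. A one-line comment such as `// test-harness side channel only; never read by the real API, must stay behind isTesting` would also make the intent clear to the next maintainer. The enclosing method starts and ends outside the hunk.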
@ -3,29 +3,37 @@ import moment from 'moment-timezone';
|
|||||||
import nql from '@tryghost/nql';
|
import nql from '@tryghost/nql';
|
||||||
import {Response} from 'miragejs';
|
import {Response} from 'miragejs';
|
||||||
import {extractFilterParam, paginateModelCollection} from '../utils';
|
import {extractFilterParam, paginateModelCollection} from '../utils';
|
||||||
// import {getContext} from '@ember/test-helpers';
|
|
||||||
import {underscore} from '@ember/string';
|
import {underscore} from '@ember/string';
|
||||||
|
|
||||||
function hasInvalidPermissions() {
|
function hasInvalidPermissions() {
|
||||||
return false;
|
const {schema, request} = this;
|
||||||
|
|
||||||
// const {owner} = getContext(this);
|
// always allow dev requests through - the logged in user will be real so
|
||||||
// const session = owner.lookup('service:session');
|
// we can't check against it in the mocked db
|
||||||
|
if (!request.requestHeaders['X-Test-User']) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
// if (!session?.user?.isAdmin) {
|
const invalidPermsResponse = new Response(403, {}, {
|
||||||
// return new Response(403, {}, {
|
errors: [{
|
||||||
// errors: [{
|
type: 'NoPermissionError',
|
||||||
// type: 'NoPermissionError',
|
message: 'You do not have permission to perform this action'
|
||||||
// message: 'You do not have permission to perform this action'
|
}]
|
||||||
// }]
|
});
|
||||||
// });
|
|
||||||
// }
|
const user = schema.users.find(request.requestHeaders['X-Test-User']);
|
||||||
|
const adminRoles = user.roles.filter(role => ['Owner', 'Administrator'].includes(role.name));
|
||||||
|
|
||||||
|
if (adminRoles.length === 0) {
|
||||||
|
return invalidPermsResponse;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function withPermissionsCheck(fn) {
|
function withPermissionsCheck(fn) {
|
||||||
return function () {
|
return function () {
|
||||||
|
const boundPermsCheck = hasInvalidPermissions.bind(this);
|
||||||
const boundFn = fn.bind(this);
|
const boundFn = fn.bind(this);
|
||||||
return hasInvalidPermissions() || boundFn(...arguments);
|
return boundPermsCheck() || boundFn(...arguments);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
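Review bot: `const user = schema.users.find(request.requestHeaders['X-Test-User']);` can return null for an id that is not in the mocked database, and the next line's `user.roles` then throws a TypeError, so an unknown or malformed header turns an authorization failure into an uncaught exception instead of the 403. Add a null guard before reading roles: `if (!user) { return invalidPermsResponse; }`. Note also that the early `return false` when the header is absent means a request with no header is allowed through as if it were an admin, which the comment explains for dev but also applies to signed-out test sessions; a comment stating that this check is fail-open by design would avoid it being mistaken for a real permission check.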