Fixed mirage members route permissions checks

refs 568e4183e3
refs 258f56ded9

- when in test environment add a `X-Test-User` header to API requests that allows the mirage endpoints to check the logged in user without having to cross boundaries into the application or test contexts
Kevin Ansfield 2022-10-03 14:59:09 +01:00
parent 01249926d5
commit 353cad7ed2
2 changed files with 28 additions and 13 deletions


@ -197,6 +197,13 @@ class ajaxService extends AjaxService {
hash.withCredentials = true;
// mocked routes used in development/testing do not have access to the
// test context so we add a header here to give them access to the logged
// in user id that can be checked against the mocked database
if (this.isTesting) {
hash.headers['X-Test-User'] = this.session.user?.id;
}
// attempt retries for 15 seconds in two situations:
// 1. Server Unreachable error from the browser (code 0), typically from short internet blips
// 2. Maintenance error from Ghost, upgrade in progress so API is temporarily unavailable
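Review bot: When no user is signed in, `this.session.user?.id` evaluates to `undefined` and the header is still assigned, so the test request goes out with the literal string `"undefined"` as `X-Test-User` (setRequestHeader stringifies its value); on the mirage side that is a truthy header naming a user that does not exist, which is neither the "no header, allow" path nor a clean 403. Tightening the guard to `if (this.isTesting && this.session.user?.id) {` keeps the header out of unauthenticated test requests, and the mirage check should independently treat an unknown id as "no permission" rather than rely on this. The header is only attached under `this.isTesting`, so it does not reach real API calls, which is the right boundary; a one-line comment saying so next to the guard would spare the next reader the question. The enclosing method starts and ends outside the hunk, including wherever `hash.headers` is initialised.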


@ -3,29 +3,37 @@ import moment from 'moment-timezone';
import nql from '@tryghost/nql';
import {Response} from 'miragejs';
import {extractFilterParam, paginateModelCollection} from '../utils';
// import {getContext} from '@ember/test-helpers';
import {underscore} from '@ember/string';
function hasInvalidPermissions() {
const {schema, request} = this;
// always allow dev requests through - the logged in user will be real so
// we can't check against it in the mocked db
if (!request.requestHeaders['X-Test-User']) {
return false;
}
// const {owner} = getContext(this);
// const session = owner.lookup('service:session');
const invalidPermsResponse = new Response(403, {}, {
errors: [{
type: 'NoPermissionError',
message: 'You do not have permission to perform this action'
}]
});
// if (!session?.user?.isAdmin) {
// return new Response(403, {}, {
// errors: [{
// type: 'NoPermissionError',
// message: 'You do not have permission to perform this action'
// }]
// });
// }
const user = schema.users.find(request.requestHeaders['X-Test-User']);
const adminRoles = user.roles.filter(role => ['Owner', 'Administrator'].includes(role.name));
if (adminRoles.length === 0) {
return invalidPermsResponse;
}
}
function withPermissionsCheck(fn) {
return function () {
const boundPermsCheck = hasInvalidPermissions.bind(this);
const boundFn = fn.bind(this);
return hasInvalidPermissions() || boundFn(...arguments);
return boundPermsCheck() || boundFn(...arguments);
};
}
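Review bot: `schema.users.find(request.requestHeaders['X-Test-User'])` returns null for an id that is not in the mocked database, and the next line dereferences `user.roles`, so a request carrying a stale or unset user id fails with a TypeError inside the route handler instead of the 403 this helper exists to produce; add `if (!user) { return invalidPermsResponse; }` before the roles lookup so an unknown caller is denied rather than crashing. The absent-header branch is deliberately fail-open for development, which the comment explains, but it also means a test that forgets to authenticate passes the check silently — worth a sentence in that comment (`// note: absent header also skips the check in tests`). Whether `requestHeaders` preserves the `X-Test-User` casing as sent depends on the pretender/mirage version in use; if it normalises header names the lookup returns undefined and every test request is allowed — confirm against the stack before relying on it. Stylistically, `user.roles.some(role => ['Owner', 'Administrator'].includes(role.name))` expresses the intent more directly than filter-then-length-check.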