mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-25 20:03:12 +03:00
Fixed mirage members route permissions checks
refs568e4183e3
refs258f56ded9
- when in test environment add a `X-Test-User` header to API requests that allows the mirage endpoints to check the logged in user without having to cross boundaries into the application or test contexts
This commit is contained in:
parent
01249926d5
commit
353cad7ed2
@ -197,6 +197,13 @@ class ajaxService extends AjaxService {
|
||||
|
||||
hash.withCredentials = true;
|
||||
|
||||
// mocked routes used in development/testing do not have access to the
|
||||
// test context so we add a header here to give them access to the logged
|
||||
// in user id that can be checked against the mocked database
|
||||
if (this.isTesting) {
|
||||
hash.headers['X-Test-User'] = this.session.user?.id;
|
||||
}
|
||||
|
||||
// attempt retries for 15 seconds in two situations:
|
||||
// 1. Server Unreachable error from the browser (code 0), typically from short internet blips
|
||||
// 2. Maintenance error from Ghost, upgrade in progress so API is temporarily unavailable
|
||||
|
@ -3,29 +3,37 @@ import moment from 'moment-timezone';
|
||||
import nql from '@tryghost/nql';
|
||||
import {Response} from 'miragejs';
|
||||
import {extractFilterParam, paginateModelCollection} from '../utils';
|
||||
// import {getContext} from '@ember/test-helpers';
|
||||
import {underscore} from '@ember/string';
|
||||
|
||||
function hasInvalidPermissions() {
|
||||
const {schema, request} = this;
|
||||
|
||||
// always allow dev requests through - the logged in user will be real so
|
||||
// we can't check against it in the mocked db
|
||||
if (!request.requestHeaders['X-Test-User']) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// const {owner} = getContext(this);
|
||||
// const session = owner.lookup('service:session');
|
||||
const invalidPermsResponse = new Response(403, {}, {
|
||||
errors: [{
|
||||
type: 'NoPermissionError',
|
||||
message: 'You do not have permission to perform this action'
|
||||
}]
|
||||
});
|
||||
|
||||
// if (!session?.user?.isAdmin) {
|
||||
// return new Response(403, {}, {
|
||||
// errors: [{
|
||||
// type: 'NoPermissionError',
|
||||
// message: 'You do not have permission to perform this action'
|
||||
// }]
|
||||
// });
|
||||
// }
|
||||
const user = schema.users.find(request.requestHeaders['X-Test-User']);
|
||||
const adminRoles = user.roles.filter(role => ['Owner', 'Administrator'].includes(role.name));
|
||||
|
||||
if (adminRoles.length === 0) {
|
||||
return invalidPermsResponse;
|
||||
}
|
||||
}
|
||||
|
||||
function withPermissionsCheck(fn) {
|
||||
return function () {
|
||||
const boundPermsCheck = hasInvalidPermissions.bind(this);
|
||||
const boundFn = fn.bind(this);
|
||||
return hasInvalidPermissions() || boundFn(...arguments);
|
||||
return boundPermsCheck() || boundFn(...arguments);
|
||||
};
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user