mirror of
https://github.com/TryGhost/Ghost.git
synced 2025-01-04 08:54:36 +03:00
Disallowed aditing "labs" settings in v2/v3 APIs
refs https://github.com/TryGhost/Team/issues/757 - There is no usecase for editing "labs" settings outside of canary/v4 API versions. Removing support for older versions makes the supported API surface smaller (easy maintenance).
This commit is contained in:
parent
d8230f3343
commit
48d36b6a48
@ -2,7 +2,6 @@ const _ = require('lodash');
|
||||
const url = require('./utils/url');
|
||||
const typeGroupMapper = require('../../../../shared/serializers/input/utils/settings-filter-type-group-mapper');
|
||||
const settingsCache = require('../../../../../services/settings/cache');
|
||||
const {WRITABLE_KEYS_ALLOWLIST} = require('../../../../../services/labs');
|
||||
|
||||
const DEPRECATED_SETTINGS = [
|
||||
'bulk_email_settings',
|
||||
@ -92,11 +91,12 @@ module.exports = {
|
||||
|
||||
const settings = settingsCache.getAll();
|
||||
|
||||
// Ignore and drop all values with Read-only flag
|
||||
frame.data.settings = frame.data.settings.filter((setting) => {
|
||||
const settingFlagsStr = settings[setting.key] ? settings[setting.key].flags : '';
|
||||
const settingFlagsArr = settingFlagsStr ? settingFlagsStr.split(',') : [];
|
||||
return !settingFlagsArr.includes('RO');
|
||||
|
||||
// Ignore and drop all values with Read-only flag AND 'labs' setting
|
||||
return !settingFlagsArr.includes('RO') && (setting.key !== 'labs');
|
||||
});
|
||||
|
||||
frame.data.settings.push(...getMappedDeprecatedSettings(frame.data.settings));
|
||||
@ -139,19 +139,6 @@ module.exports = {
|
||||
setting.value = JSON.parse(setting.value).isActive;
|
||||
}
|
||||
|
||||
if (setting.key === 'labs') {
|
||||
const inputLabsValue = JSON.parse(setting.value);
|
||||
const filteredLabsValue = {};
|
||||
|
||||
for (const value in inputLabsValue) {
|
||||
if (WRITABLE_KEYS_ALLOWLIST.includes(value)) {
|
||||
filteredLabsValue[value] = inputLabsValue[value];
|
||||
}
|
||||
}
|
||||
|
||||
setting.value = JSON.stringify(filteredLabsValue);
|
||||
}
|
||||
|
||||
setting = url.forSetting(setting);
|
||||
});
|
||||
|
||||
|
@ -2,7 +2,6 @@ const _ = require('lodash');
|
||||
const url = require('./utils/url');
|
||||
const typeGroupMapper = require('../../../../shared/serializers/input/utils/settings-filter-type-group-mapper');
|
||||
const settingsCache = require('../../../../../services/settings/cache');
|
||||
const {WRITABLE_KEYS_ALLOWLIST} = require('../../../../../services/labs');
|
||||
|
||||
const DEPRECATED_SETTINGS = [
|
||||
'bulk_email_settings',
|
||||
@ -95,11 +94,12 @@ module.exports = {
|
||||
}
|
||||
const settings = settingsCache.getAll();
|
||||
|
||||
// Ignore and drop all values with Read-only flag
|
||||
frame.data.settings = frame.data.settings.filter((setting) => {
|
||||
const settingFlagsStr = settings[setting.key] ? settings[setting.key].flags : '';
|
||||
const settingFlagsArr = settingFlagsStr ? settingFlagsStr.split(',') : [];
|
||||
return !settingFlagsArr.includes('RO');
|
||||
|
||||
// Ignore and drop all values with Read-only flag AND 'labs' setting
|
||||
return !settingFlagsArr.includes('RO') && (setting.key !== 'labs');
|
||||
});
|
||||
|
||||
const mappedDeprecatedSettings = getMappedDeprecatedSettings(frame.data.settings);
|
||||
@ -155,19 +155,6 @@ module.exports = {
|
||||
setting.value = JSON.parse(setting.value).isActive;
|
||||
}
|
||||
|
||||
if (setting.key === 'labs') {
|
||||
const inputLabsValue = JSON.parse(setting.value);
|
||||
const filteredLabsValue = {};
|
||||
|
||||
for (const value in inputLabsValue) {
|
||||
if (WRITABLE_KEYS_ALLOWLIST.includes(value)) {
|
||||
filteredLabsValue[value] = inputLabsValue[value];
|
||||
}
|
||||
}
|
||||
|
||||
setting.value = JSON.stringify(filteredLabsValue);
|
||||
}
|
||||
|
||||
setting = url.forSetting(setting);
|
||||
});
|
||||
|
||||
|
@ -521,7 +521,7 @@ describe('Settings API (v2)', function () {
|
||||
});
|
||||
});
|
||||
|
||||
it('Can edit only allowed labs keys', async function () {
|
||||
it('Cannot edit labs keys', async function () {
|
||||
const settingToChange = {
|
||||
settings: [{
|
||||
key: 'labs',
|
||||
@ -544,13 +544,7 @@ describe('Settings API (v2)', function () {
|
||||
should.exist(jsonResponse);
|
||||
should.exist(jsonResponse.settings);
|
||||
|
||||
jsonResponse.settings.length.should.eql(1);
|
||||
testUtils.API.checkResponseValue(jsonResponse.settings[0], ['id', 'key', 'value', 'type', 'flags', 'created_at', 'updated_at']);
|
||||
jsonResponse.settings[0].key.should.eql('labs');
|
||||
|
||||
jsonResponse.settings[0].value.should.eql(JSON.stringify({
|
||||
activitypub: true
|
||||
}));
|
||||
jsonResponse.settings.length.should.eql(0);
|
||||
});
|
||||
|
||||
it('Can\'t edit non existent setting', function () {
|
||||
|
@ -464,7 +464,7 @@ describe('Settings API (v3)', function () {
|
||||
});
|
||||
});
|
||||
|
||||
it('Can edit only allowed labs keys', async function () {
|
||||
it('Cannot edit labs keys', async function () {
|
||||
const settingToChange = {
|
||||
settings: [{
|
||||
key: 'labs',
|
||||
@ -487,13 +487,7 @@ describe('Settings API (v3)', function () {
|
||||
should.exist(jsonResponse);
|
||||
should.exist(jsonResponse.settings);
|
||||
|
||||
jsonResponse.settings.length.should.eql(1);
|
||||
testUtils.API.checkResponseValue(jsonResponse.settings[0], ['id', 'group', 'key', 'value', 'type', 'flags', 'created_at', 'updated_at']);
|
||||
jsonResponse.settings[0].key.should.eql('labs');
|
||||
|
||||
jsonResponse.settings[0].value.should.eql(JSON.stringify({
|
||||
activitypub: true
|
||||
}));
|
||||
jsonResponse.settings.length.should.eql(0);
|
||||
});
|
||||
|
||||
it('Can\'t read non existent setting', function (done) {
|
||||
|
Loading…
Reference in New Issue
Block a user