From 32125c2f4671e0b8ae2372928f65ce93c8cd6dfd Mon Sep 17 00:00:00 2001
From: Hannah Wolfe
Date: Wed, 22 Apr 2015 20:20:27 +0100
Subject: [PATCH 1/2] Filter options passed to toJSON
fixes #5177
- we now pass API/model options directly to toJSON, which is unsafe as these options haven't always been filtered before they are passed.
- this fix adds a filter so that toJSON only uses the options it needs
- additionally, rename the 'name' option to something more specific to prevent clashes
---
 core/server/models/base.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/core/server/models/base.js b/core/server/models/base.js
index 13b353210a..06e33b64a6 100644
--- a/core/server/models/base.js
+++ b/core/server/models/base.js
@@ -138,6 +138,7 @@ ghostBookshelf.Model = ghostBookshelf.Model.extend({
 var attrs = _.extend({}, this.attributes),
 self = this;
 options = options || {};
+ options = _.pick(options, ['shallow', 'baseKey', 'include', 'context']);
 if (options && options.shallow) {
 return attrs;
@@ -150,9 +151,9 @@ ghostBookshelf.Model = ghostBookshelf.Model.extend({
 _.each(this.relations, function (relation, key) {
 if (key.substring(0, 7) !== '_pivot_') {
 // if include is set, expand to full object
- var fullKey = _.isEmpty(options.name) ? key : options.name + '.' + key;
+ var fullKey = _.isEmpty(options.baseKey) ? key : options.baseKey + '.' + key;
 if (_.contains(self.include, fullKey)) {
- attrs[key] = relation.toJSON(_.extend({}, options, {name: fullKey, include: self.include}));
+ attrs[key] = relation.toJSON(_.extend({}, options, {baseKey: fullKey, include: self.include}));
 }
 }
 });
From eb5eca6edac955444a526a850fa2df2b5b993b21 Mon Sep 17 00:00:00 2001
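Review bot: `baseKey` is internal recursion state, yet the new `_.pick` allowlist in `toJSON` accepts it from any caller, so an options object that reaches `toJSON` unfiltered can still influence `fullKey` the way the old `name` option did. The rename in the second hunk makes an accidental clash less likely but does not close that input path. Because `toJSON` is both the entry point and the recursive callee, the least that should be done is to document the contract above the pick: `// baseKey is set only by the recursive relation.toJSON() call below; external callers must not supply it`. A regression test that passes a helper-style `name` together with a stray `baseKey` would pin the intended behaviour. The `toJSON` body starts and ends outside both hunks.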
From: Hannah Wolfe
Date: Wed, 22 Apr 2015 19:56:56 +0100
Subject: [PATCH 2/2] Don't pass helper options to API for next/prev
fixes #5177
- this combined with a change passing options through to toJSON results in a really flukey bug with next/prev where the name option from the helper clashes with a name option inside of toJSON
---
 core/server/helpers/prev_next.js | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/core/server/helpers/prev_next.js b/core/server/helpers/prev_next.js
index 8798b82747..6ba4d7e8ca 100644
--- a/core/server/helpers/prev_next.js
+++ b/core/server/helpers/prev_next.js
@@ -8,9 +8,10 @@ var api = require('../api'),
 Promise = require('bluebird'),
 fetch, prevNext;
-fetch = function (options) {
- return api.posts.read(options).then(function (result) {
+fetch = function (apiOptions, options) {
+ return api.posts.read(apiOptions).then(function (result) {
 var related = result.posts[0];
+
 if (related.previous) {
 return options.fn(related.previous);
 } else if (related.next) {
@@ -26,10 +27,14 @@ fetch = function (options) {
 prevNext = function (options) {
 options = options || {};
- options.include = options.name === 'prev_post' ? 'previous' : 'next';
+
+ var apiOptions = {
+ include: options.name === 'prev_post' ? 'previous' : 'next'
+ };
+
 if (schema.isPost(this)) {
- options.slug = this.slug;
- return fetch(options);
+ apiOptions.slug = this.slug;
+ return fetch(apiOptions, options);
 } else {
 return Promise.resolve(options.inverse(this));
 }
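Review bot: `related` is dereferenced without a check in `fetch`, so if `api.posts.read` ever resolves with an empty `posts` array, `related.previous` throws a TypeError inside the `.then` callback and the helper rejects instead of rendering a fallback. Whether the API rejects earlier for a missing post is not visible here, so a one-line guard is cheap insurance: `var related = result.posts[0] || {};`. The rest of the callback lies outside the hunk.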
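Review bot: The reason `apiOptions` is built from scratch in `prevNext` is recorded only in the commit message, so a later edit could start forwarding the helper options to the API again. A comment above the literal would keep that invariant visible: `// Only include and slug go to the API; never forward the Handlebars helper options (name, hash, fn, inverse)`. Separately, `options = options || {}` does not make the `else` branch safe, because `options.inverse(this)` still throws when no options object was supplied; that line predates this commit.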