mirror of
https://github.com/TryGhost/Ghost.git
🐛 Fixed contributors being able to delete draft posts as co-author (#10239)
closes #10238 - A user with the contributor role should not be allowed to edit a post unless they are its primary author
parent
bf295a96a8
commit
5cc441e720
@ -314,22 +314,26 @@ module.exports.extendModel = function extendModel(Post, Posts, ghostBookshelf) {
|
||||
return isCorrectOwner;
|
||||
}
|
||||
|
||||
function isCurrentOwner() {
|
||||
function isPrimaryAuthor() {
|
||||
return (context.user === postModel.related('authors').models[0].id);
|
||||
}
|
||||
|
||||
function isCoAuthor() {
|
||||
return postModel.related('authors').models.map(author => author.id).includes(context.user);
|
||||
}
|
||||
|
||||
if (isContributor && isEdit) {
|
||||
hasUserPermission = !isChanging('author_id') && !isChangingAuthors() && isCurrentOwner();
|
||||
hasUserPermission = !isChanging('author_id') && !isChangingAuthors() && isCoAuthor();
|
||||
} else if (isContributor && isAdd) {
|
||||
hasUserPermission = isOwner();
|
||||
} else if (isContributor && isDestroy) {
|
||||
hasUserPermission = isCurrentOwner();
|
||||
hasUserPermission = isPrimaryAuthor();
|
||||
} else if (isAuthor && isEdit) {
|
||||
hasUserPermission = isCurrentOwner() && !isChanging('author_id') && !isChangingAuthors();
|
||||
hasUserPermission = isCoAuthor() && !isChanging('author_id') && !isChangingAuthors();
|
||||
} else if (isAuthor && isAdd) {
|
||||
hasUserPermission = isOwner();
|
||||
} else if (postModel) {
|
||||
hasUserPermission = hasUserPermission || isCurrentOwner();
|
||||
hasUserPermission = hasUserPermission || isPrimaryAuthor();
|
||||
}
|
||||
|
||||
if (hasUserPermission && hasAppPermission) {
|
||||
|
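Review bot: `isPrimaryAuthor()` reads `postModel.related('authors').models[0].id` without checking that the relation holds any model, so a post whose `authors` relation is empty or not loaded makes this authorization check throw a TypeError instead of returning a denial. The contributor destroy branch and the final `else if (postModel)` fallback both depend on it, so I would make it fail closed explicitly: `const primary = postModel.related('authors').models[0];` followed by `return Boolean(primary) && context.user === primary.id;`. The helper also treats index 0 as the primary author, which presumably relies on the relation being loaded in sort order; a one-line comment such as `// authors[0] is the primary author (relation is ordered)` would make that assumption visible once confirmed. The surrounding permission function starts and ends outside this hunk, so whether `postModel` is always set on the contributor edit and destroy paths cannot be confirmed from here.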