🐛 Fixed contributors being able to delete draft posts as co-author (#10239)

closes #10238

- A user with the contributor role should not be allowed to edit a post when they are not its primary author
Naz Gargol 2018-12-04 13:31:02 +01:00 committed by GitHub
parent bf295a96a8
commit 5cc441e720
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -314,22 +314,26 @@ module.exports.extendModel = function extendModel(Post, Posts, ghostBookshelf) {
return isCorrectOwner;
}
function isCurrentOwner() {
function isPrimaryAuthor() {
return (context.user === postModel.related('authors').models[0].id);
}
function isCoAuthor() {
return postModel.related('authors').models.map(author => author.id).includes(context.user);
}
if (isContributor && isEdit) {
hasUserPermission = !isChanging('author_id') && !isChangingAuthors() && isCurrentOwner();
hasUserPermission = !isChanging('author_id') && !isChangingAuthors() && isCoAuthor();
} else if (isContributor && isAdd) {
hasUserPermission = isOwner();
} else if (isContributor && isDestroy) {
hasUserPermission = isCurrentOwner();
hasUserPermission = isPrimaryAuthor();
} else if (isAuthor && isEdit) {
hasUserPermission = isCurrentOwner() && !isChanging('author_id') && !isChangingAuthors();
hasUserPermission = isCoAuthor() && !isChanging('author_id') && !isChangingAuthors();
} else if (isAuthor && isAdd) {
hasUserPermission = isOwner();
} else if (postModel) {
hasUserPermission = hasUserPermission || isCurrentOwner();
hasUserPermission = hasUserPermission || isPrimaryAuthor();
}
if (hasUserPermission && hasAppPermission) {
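Review bot: `isPrimaryAuthor()` dereferences `postModel.related('authors').models[0].id` with no guard, so it throws a TypeError when the authors relation is empty or not loaded, whereas the new `isCoAuthor()` beside it simply returns false in that case; since this helper now decides the contributor destroy branch and the final `else if (postModel)` fallback, both should deny rather than raise. I would write it as `const primary = postModel.related('authors').models[0];` followed by `return Boolean(primary) && context.user === primary.id;`. Whether the relation is always loaded at this point is not visible in the hunk, and the enclosing permission function starts above it and continues past it. A short comment over the two helpers stating the rule they encode, for example `// edit: any listed author; destroy and fallback: primary author only`, would keep the branches below from drifting back to a single ownership check.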