TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-26 12:21:36 +03:00
Code Issues Projects Releases Wiki Activity

Fixed unnecessary identity requests and 403s for non-Owner accounts (#15949)

Browse Source 
no issue

`<GhBillingIframe>` generates a request to the `/identities/` endpoint every time Admin is accessed for all users, however that endpoint is only accessible to users with the Owner role meaning we have a lot of unnecessary 403 errors in event logs and the developer console.

- added early exit when we know the logged in user doesn't have the Owner role
- removed the subscription fetching code that wasn't reachable (`token` was always `undefined`)
  - the BMA sends subscription data as soon as it's available so the extra fetch isn't necessary
This commit is contained in:
Kevin Ansfield 2022-12-06 15:20:57 +00:00 committed by GitHub
parent d04abc90b4
commit 65de55ae89
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
ghost/admin/app/components/gh-billing-iframe.js
View File

@ -6,15 +6,15 @@ import {inject as service} from '@ember/service';
import {tracked} from '@glimmer/tracking';
export default class GhBillingIframe extends Component {
@service ajax;
@service billing;
@service ghostPaths;
@service ajax;
@service notifications;
@service session;
@inject config;
@tracked isOwner = null;
@tracked fetchingSubscription = false;
willDestroy() {
super.willDestroy(...arguments);
@ -50,12 +50,25 @@ export default class GhBillingIframe extends Component {
}
_handleTokenRequest() {
this.fetchingSubscription = false;
let token;
const ghostIdentityUrl = this.ghostPaths.url.api('identities');
const handleNoPermission = () => {
// no permission means the current user requesting the token is not the owner of the site.
this.isOwner = false;
// Avoid letting the BMA waiting for a message and send an empty token response instead
this.billing.getBillingIframe().contentWindow.postMessage({
request: 'token',
response: null
}, '*');
};
if (!this.session.user?.isOwnerOnly) {
handleNoPermission();
return;
}
const ghostIdentityUrl = this.ghostPaths.url.api('identities');
this.ajax.request(ghostIdentityUrl).then((response) => {
token = response && response.identities && response.identities[0] && response.identities[0].token;
const token = response?.identities?.[0]?.token;
this.billing.getBillingIframe().contentWindow.postMessage({
request: 'token',
response: token
@ -63,29 +76,12 @@ export default class GhBillingIframe extends Component {
this.isOwner = true;
}).catch((error) => {
if (error.payload?.errors && error.payload.errors[0]?.type === 'NoPermissionError') {
// no permission means the current user requesting the token is not the owner of the site.
this.isOwner = false;
// Avoid letting the BMA waiting for a message and send an empty token response instead
this.billing.getBillingIframe().contentWindow.postMessage({
request: 'token',
response: null
}, '*');
if (error.payload?.errors?.[0]?.type === 'NoPermissionError') {
handleNoPermission();
} else {
throw error;
}
});
// NOTE: the handler is placed here to avoid additional logic to check if iframe has loaded
// receiving a 'token' request is an indication that page is ready
if (!this.fetchingSubscription && !this.billing.subscription && token) {
this.fetchingSubscription = true;
this.billing.getBillingIframe().contentWindow.postMessage({
query: 'getSubscription',
response: 'subscription'
}, '*');
}
}
_handleForceUpgradeRequest() {