Ghost

mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-26 20:34:02 +03:00

History

Fabien 'egg' O'Carroll 3d3b3ff701 Fixed Editors being able to invite Editors (#19904 ) ref ENG-774 ref https://linear.app/tryghost/issue/ENG-774 Staff Tokens will have both a `user` and an `apiKey` present on the `loadedPermissions`. The check here for `apiKey` was written when we could assume that an `apiKey` was an Admin Integration - so it completely overwrote the previous `allowed` list. When we added the concept of Staff Tokens - this resulted in a privilege escalation. This is a good lesson in not using proxies or indicators for data, as changes elsewhere can invalidate them - if we had been specific and checked the role of the current actor we wouldn't've had this bug!		2024-03-26 00:45:08 +07:00
..
e2e-api	Revert "Added referral tracking to the powered-by-ghost newsletter badge" (#19899 )	2024-03-21 10:02:17 +01:00
e2e-browser	Fixed browser tests (#19852 )	2024-03-13 12:54:19 +01:00
e2e-frontend	Added comments count endpoint to robots.txt disallow list	2024-03-20 14:48:54 +01:00
e2e-server	Added cache-control header back to /auth-frame/ response (#19858 )	2024-03-13 16:00:46 +00:00
e2e-webhooks	Cleaned up `lexicalEditor` labs flag, switched Post model to lexical-by-default (#18607 )	2023-10-23 17:51:34 +01:00
integration	Fixed design issue DES-4 (#19662 )	2024-03-25 12:08:34 +01:00
regression	Cached api controller pipelines (#19880 )	2024-03-19 00:29:41 +07:00
unit	Fixed Editors being able to invite Editors (#19904 )	2024-03-26 00:45:08 +07:00
utils	Added missing permissions to Contributor & Editor (#19881 )	2024-03-20 20:36:07 +07:00
.eslintignore	✨ Added `Source` as the new default theme	2023-10-03 14:02:08 +02:00
.eslintrc.js	Removed all unused variables from test files	2023-03-10 14:29:55 +01:00