mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-01 13:54:35 +03:00
7eb316b786
* 🛠 bookshelf tarball, bson-objectid
* 🎨 schema changes
- change increment type to string
- add a default fallback for string length 191 (to avoid adding this logic to every single column which uses an ID)
- remove uuid, because ID now represents a global resource identifier
- keep uuid for post, because we are using this as preview id
- keep uuid for clients for now - we are using this param for Ghost-Auth
* ✨ base model: generate ObjectId on creating event
- each new resource get's a auto generate ObjectId
- this logic won't work for attached models, this commit comes later
* 🎨 centralised attach method
When attaching models there are two things important two know
1. To be able to attach an ObjectId, we need to register the `onCreating` event the fetched model!This is caused by the Bookshelf design in general. On this target model we are attaching the new model.
2. We need to manually fetch the target model, because Bookshelf has a weird behaviour (which is known as a bug, see see https://github.com/tgriesser/bookshelf/issues/629). The most important property when attaching a model is `parentFk`, which is the foreign key. This can be null when fetching the model with the option `withRelated`. To ensure quality and consistency, the custom attach wrapper always fetches the target model manual. By fetching the target model (again) is a little performance decrease, but it also has advantages: we can register the event, and directly unregister the event again. So very clean code.
Important: please only use the custom attach wrapper in the future.
* 🎨 token model had overriden the onCreating function because of the created_at field
- we need to ensure that the base onCreating hook get's triggered for ALL models
- if not, they don't get an ObjectId assigned
- in this case: be smart and check if the target model has a created_at field
* 🎨 we don't have a uuid field anymore, remove the usages
- no default uuid creation in models
- i am pretty sure we have some more definitions in our tests (for example in the export json files), but that is too much work to delete them all
* 🎨 do not parse ID to Number
- we had various occurances of parsing all ID's to numbers
- we don't need this behaviour anymore
- ID is string
- i will adapt the ID validation in the next commit
* 🎨 change ID regex for validation
- we only allow: ID as ObjectId, ID as 1 and ID as me
- we need to keep ID 1, because our whole software relies on ID 1 (permissions etc)
* 🎨 owner fixture
- roles: [4] does not work anymore
- 4 means -> static id 4
- this worked in an auto increment system (not even in a system with distributed writes)
- with ObjectId we generate each ID automatically (for static and dynamic resources)
- it is possible to define all id's for static resources still, but that means we need to know which ID is already used and for consistency we have to define ObjectId's for these static resources
- so no static id's anymore, except of: id 1 for owner and id 0 for external usage (because this is required from our permission system)
- NOTE: please read through the comment in the user model
* 🎨 tests: DataGenerator and test utils
First of all: we need to ensure using ObjectId's in the tests. When don't, we can't ensure that ObjectId's work properly.
This commit brings lot's of dynamic into all the static defined id's.
In one of the next commits, i will adapt all the tests.
* 🚨 remove counter in Notification API
- no need to add a counter
- we simply generate ObjectId's (they are auto incremental as well)
- our id validator does only allow ObjectId as id,1 and me
* 🎨 extend contextUser in Base Model
- remove isNumber check, because id's are no longer numbers, except of id 0/1
- use existing isExternalUser
- support id 0/1 as string or number
* ✨ Ghost Owner has id 1
- ensure we define this id in the fixtures.json
- doesn't matter if number or string
* 🎨 functional tests adaptions
- use dynamic id's
* 🎨 fix unit tests
* 🎨 integration tests adaptions
* 🎨 change importer utils
- all our export examples (test/fixtures/exports) contain id's as numbers
- fact: but we ignore them anyway when inserting into the database, see https://github.com/TryGhost/Ghost/blob/master/core/server/data/import/utils.js#L249
- in 0e6ed957cd (diff-70f514a06347c048648be464819503c4L67)
i removed parsing id's to integers
- i realised that this ^ check just existed, because the userIdToMap was an object key and object keys are always strings!
- i think this logic is a little bit complicated, but i don't want to refactor this now
- this commit ensures when trying to find the user, the id comparison works again
- i've added more documentation to understand this logic ;)
- plus i renamed an attribute to improve readability
* 🎨 Data-Generator: add more defaults to createUser
- if i use the function DataGenerator.forKnex.createUser i would like to get a full set of defaults
* 🎨 test utils: change/extend function set for functional tests
- functional tests work a bit different
- they boot Ghost and seed the database
- some functional tests have mis-used the test setup
- the test setup needs two sections: integration/unit and functional tests
- any functional test is allowed to either add more data or change data in the existing Ghost db
- but what it should not do is: add test fixtures like roles or users from our DataGenerator and cross fingers it will work
- this commit adds a clean method for functional tests to add extra users
* 🎨 functional tests adaptions
- use last commit to insert users for functional tests clean
- tidy up usage of testUtils.setup or testUtils.doAuth
* 🐛 test utils: reset database before init
- ensure we don't have any left data from other tests in the database when starting ghost
* 🐛 fix test (unrelated to this PR)
- fixes a random failure
- return statement was missing
* 🎨 make changes for invites
323 lines
11 KiB
JavaScript
323 lines
11 KiB
JavaScript
// # API Utils
|
|
// Shared helpers for working with the API
|
|
var Promise = require('bluebird'),
|
|
_ = require('lodash'),
|
|
path = require('path'),
|
|
errors = require('../errors'),
|
|
permissions = require('../permissions'),
|
|
validation = require('../data/validation'),
|
|
i18n = require('../i18n'),
|
|
|
|
utils;
|
|
|
|
utils = {
|
|
// ## Default Options
|
|
// Various default options for different types of endpoints
|
|
|
|
// ### Auto Default Options
|
|
// Handled / Added automatically by the validate function
|
|
// globalDefaultOptions - valid for every api endpoint
|
|
globalDefaultOptions: ['context', 'include'],
|
|
// dataDefaultOptions - valid for all endpoints which take object as well as options
|
|
dataDefaultOptions: ['data'],
|
|
|
|
// ### Manual Default Options
|
|
// These must be provided by the endpoint
|
|
// browseDefaultOptions - valid for all browse api endpoints
|
|
browseDefaultOptions: ['page', 'limit', 'fields', 'filter', 'order', 'debug'],
|
|
// idDefaultOptions - valid whenever an id is valid
|
|
idDefaultOptions: ['id'],
|
|
|
|
/**
|
|
* ## Validate
|
|
* Prepare to validate the object and options passed to an endpoint
|
|
* @param {String} docName
|
|
* @param {Object} extras
|
|
* @returns {Function} doValidate
|
|
*/
|
|
validate: function validate(docName, extras) {
|
|
/**
|
|
* ### Do Validate
|
|
* Validate the object and options passed to an endpoint
|
|
* @argument {...*} [arguments] object or object and options hash
|
|
*/
|
|
return function doValidate() {
|
|
var object, options, permittedOptions;
|
|
|
|
if (arguments.length === 2) {
|
|
object = arguments[0];
|
|
options = _.clone(arguments[1]) || {};
|
|
} else if (arguments.length === 1) {
|
|
options = _.clone(arguments[0]) || {};
|
|
} else {
|
|
options = {};
|
|
}
|
|
|
|
// Setup permitted options, starting with the global defaults
|
|
permittedOptions = utils.globalDefaultOptions;
|
|
|
|
// Add extra permitted options if any are passed in
|
|
if (extras && extras.opts) {
|
|
permittedOptions = permittedOptions.concat(extras.opts);
|
|
}
|
|
|
|
// This request will have a data key added during validation
|
|
if ((extras && extras.attrs) || object) {
|
|
permittedOptions = permittedOptions.concat(utils.dataDefaultOptions);
|
|
}
|
|
|
|
// If an 'attrs' object is passed, we use this to pick from options and convert them to data
|
|
if (extras && extras.attrs) {
|
|
options.data = _.pick(options, extras.attrs);
|
|
options = _.omit(options, extras.attrs);
|
|
}
|
|
|
|
/**
|
|
* ### Check Options
|
|
* Ensure that the options provided match exactly with what is permitted
|
|
* - incorrect option keys are sanitized
|
|
* - incorrect option values are validated
|
|
* @param {object} options
|
|
* @returns {Promise<options>}
|
|
*/
|
|
function checkOptions(options) {
|
|
// @TODO: should we throw an error if there are incorrect options provided?
|
|
options = _.pick(options, permittedOptions);
|
|
|
|
var validationErrors = utils.validateOptions(options);
|
|
|
|
if (_.isEmpty(validationErrors)) {
|
|
return Promise.resolve(options);
|
|
}
|
|
|
|
// For now, we can only handle showing the first validation error
|
|
return Promise.reject(validationErrors[0]);
|
|
}
|
|
|
|
// If we got an object, check that too
|
|
if (object) {
|
|
return utils.checkObject(object, docName, options.id).then(function (data) {
|
|
options.data = data;
|
|
|
|
return checkOptions(options);
|
|
});
|
|
}
|
|
|
|
// Otherwise just check options and return
|
|
return checkOptions(options);
|
|
};
|
|
},
|
|
|
|
validateOptions: function validateOptions(options) {
|
|
var globalValidations = {
|
|
id: {matches: /^[a-f\d]{24}$|^1$|me/i},
|
|
uuid: {isUUID: true},
|
|
slug: {isSlug: true},
|
|
page: {matches: /^\d+$/},
|
|
limit: {matches: /^\d+|all$/},
|
|
from: {isDate: true},
|
|
to: {isDate: true},
|
|
fields: {matches: /^[\w, ]+$/},
|
|
order: {matches: /^[a-z0-9_,\. ]+$/i},
|
|
name: {}
|
|
},
|
|
// these values are sanitised/validated separately
|
|
noValidation = ['data', 'context', 'include', 'filter'],
|
|
errors = [];
|
|
|
|
_.each(options, function (value, key) {
|
|
// data is validated elsewhere
|
|
if (noValidation.indexOf(key) === -1) {
|
|
if (globalValidations[key]) {
|
|
errors = errors.concat(validation.validate(value, key, globalValidations[key]));
|
|
} else {
|
|
// all other keys should be alpha-numeric with dashes/underscores, like tag, author, status, etc
|
|
errors = errors.concat(validation.validate(value, key, globalValidations.slug));
|
|
}
|
|
}
|
|
});
|
|
|
|
return errors;
|
|
},
|
|
|
|
/**
|
|
* ## Detect Public Context
|
|
* Calls parse context to expand the options.context object
|
|
* @param {Object} options
|
|
* @returns {Boolean}
|
|
*/
|
|
detectPublicContext: function detectPublicContext(options) {
|
|
options.context = permissions.parseContext(options.context);
|
|
return options.context.public;
|
|
},
|
|
/**
|
|
* ## Apply Public Permissions
|
|
* Update the options object so that the rules reflect what is permitted to be retrieved from a public request
|
|
* @param {String} docName
|
|
* @param {String} method (read || browse)
|
|
* @param {Object} options
|
|
* @returns {Object} options
|
|
*/
|
|
applyPublicPermissions: function applyPublicPermissions(docName, method, options) {
|
|
return permissions.applyPublicRules(docName, method, options);
|
|
},
|
|
|
|
/**
|
|
* ## Handle Public Permissions
|
|
* @param {String} docName
|
|
* @param {String} method (read || browse)
|
|
* @returns {Function}
|
|
*/
|
|
handlePublicPermissions: function handlePublicPermissions(docName, method) {
|
|
var singular = docName.replace(/s$/, '');
|
|
|
|
/**
|
|
* Check if this is a public request, if so use the public permissions, otherwise use standard canThis
|
|
* @param {Object} options
|
|
* @returns {Object} options
|
|
*/
|
|
return function doHandlePublicPermissions(options) {
|
|
var permsPromise;
|
|
|
|
if (utils.detectPublicContext(options)) {
|
|
permsPromise = utils.applyPublicPermissions(docName, method, options);
|
|
} else {
|
|
permsPromise = permissions.canThis(options.context)[method][singular](options.data);
|
|
}
|
|
|
|
return permsPromise.then(function permissionGranted() {
|
|
return options;
|
|
});
|
|
};
|
|
},
|
|
|
|
/**
|
|
* ## Handle Permissions
|
|
* @param {String} docName
|
|
* @param {String} method (browse || read || edit || add || destroy)
|
|
* @returns {Function}
|
|
*/
|
|
handlePermissions: function handlePermissions(docName, method) {
|
|
var singular = docName.replace(/s$/, '');
|
|
|
|
/**
|
|
* ### Handle Permissions
|
|
* We need to be an authorised user to perform this action
|
|
* @param {Object} options
|
|
* @returns {Object} options
|
|
*/
|
|
return function doHandlePermissions(options) {
|
|
var permsPromise = permissions.canThis(options.context)[method][singular](options.id);
|
|
|
|
return permsPromise.then(function permissionGranted() {
|
|
return options;
|
|
}).catch(function handleNoPermissionError(err) {
|
|
if (err instanceof errors.NoPermissionError) {
|
|
err.message = i18n.t('errors.api.utils.noPermissionToCall', {method: method, docName: docName});
|
|
return Promise.reject(err);
|
|
}
|
|
|
|
return Promise.reject(new errors.GhostError({
|
|
err: err
|
|
}));
|
|
});
|
|
};
|
|
},
|
|
|
|
trimAndLowerCase: function trimAndLowerCase(params) {
|
|
params = params || '';
|
|
if (_.isString(params)) {
|
|
params = params.split(',');
|
|
}
|
|
|
|
return _.map(params, function (item) {
|
|
return item.trim().toLowerCase();
|
|
});
|
|
},
|
|
|
|
prepareInclude: function prepareInclude(include, allowedIncludes) {
|
|
return _.intersection(this.trimAndLowerCase(include), allowedIncludes);
|
|
},
|
|
|
|
prepareFields: function prepareFields(fields) {
|
|
return this.trimAndLowerCase(fields);
|
|
},
|
|
|
|
/**
|
|
* ## Convert Options
|
|
* @param {Array} allowedIncludes
|
|
* @returns {Function} doConversion
|
|
*/
|
|
convertOptions: function convertOptions(allowedIncludes) {
|
|
/**
|
|
* Convert our options from API-style to Model-style
|
|
* @param {Object} options
|
|
* @returns {Object} options
|
|
*/
|
|
return function doConversion(options) {
|
|
if (options.include) {
|
|
options.include = utils.prepareInclude(options.include, allowedIncludes);
|
|
}
|
|
if (options.fields) {
|
|
options.columns = utils.prepareFields(options.fields);
|
|
delete options.fields;
|
|
}
|
|
return options;
|
|
};
|
|
},
|
|
/**
|
|
* ### Check Object
|
|
* Check an object passed to the API is in the correct format
|
|
*
|
|
* @param {Object} object
|
|
* @param {String} docName
|
|
* @returns {Promise(Object)} resolves to the original object if it checks out
|
|
*/
|
|
checkObject: function (object, docName, editId) {
|
|
if (_.isEmpty(object) || _.isEmpty(object[docName]) || _.isEmpty(object[docName][0])) {
|
|
return Promise.reject(new errors.BadRequestError({
|
|
message: i18n.t('errors.api.utils.noRootKeyProvided', {docName: docName})
|
|
}));
|
|
}
|
|
|
|
// convert author property to author_id to match the name in the database
|
|
if (docName === 'posts') {
|
|
if (object.posts[0].hasOwnProperty('author')) {
|
|
object.posts[0].author_id = object.posts[0].author;
|
|
delete object.posts[0].author;
|
|
}
|
|
}
|
|
|
|
// will remove unwanted null values
|
|
_.each(object[docName], function (value, index) {
|
|
if (!_.isObject(object[docName][index])) {
|
|
return;
|
|
}
|
|
|
|
object[docName][index] = _.omitBy(object[docName][index], _.isNull);
|
|
});
|
|
|
|
if (editId && object[docName][0].id && editId !== object[docName][0].id) {
|
|
return Promise.reject(new errors.BadRequestError({
|
|
message: i18n.t('errors.api.utils.invalidIdProvided')
|
|
}));
|
|
}
|
|
|
|
return Promise.resolve(object);
|
|
},
|
|
checkFileExists: function (fileData) {
|
|
return !!(fileData.mimetype && fileData.path);
|
|
},
|
|
checkFileIsValid: function (fileData, types, extensions) {
|
|
var type = fileData.mimetype,
|
|
ext = path.extname(fileData.name).toLowerCase();
|
|
|
|
if (_.includes(types, type) && _.includes(extensions, ext)) {
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
};
|
|
|
|
module.exports = utils;
|