mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-11-28 22:43:30 +03:00
22738b1b50
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-9gh8-wp53-ccc6 refs https://github.com/TryGhost/Toolbox/issues/465 - Bookshelf relations allows us to edit relational records by default, which was used liberally in the codebase. - Not having a clear track record of editable relations left the model layer prone to triggering unwanted nested saves and created a vulnerability where members were able to edit newsletter settings. - With explicit editable relations it's easier to keep track of relations having editable access to related records. Makes the relational data modification pattern safer to use too. - Anyone running 5.x should update to 5.24.1 Credits: Dave McDaniel and other members of [Cisco Talos](https://talosintelligence.com/vulnerability_reports)
169 lines
4.8 KiB
JavaScript
169 lines
4.8 KiB
JavaScript
const assert = require('assert');
|
|
const {
|
|
agentProvider,
|
|
fixtureManager,
|
|
mockManager,
|
|
matchers
|
|
} = require('../../utils/e2e-framework');
|
|
const {anyEtag} = matchers;
|
|
|
|
describe('Tiers API', function () {
|
|
let agent;
|
|
|
|
before(async function () {
|
|
agent = await agentProvider.getAdminAPIAgent();
|
|
await fixtureManager.init('members');
|
|
await agent.loginAsOwner();
|
|
});
|
|
|
|
afterEach(function () {
|
|
mockManager.restore();
|
|
});
|
|
|
|
it('Can browse Tiers', async function () {
|
|
await agent
|
|
.get('/tiers/')
|
|
.expectStatus(200)
|
|
.matchBodySnapshot({
|
|
tiers: Array(2).fill({
|
|
id: matchers.anyObjectId,
|
|
created_at: matchers.anyISODateTime,
|
|
updated_at: matchers.anyISODateTime
|
|
})
|
|
});
|
|
});
|
|
|
|
it('Errors when price is non-integer', async function () {
|
|
const tier = {
|
|
name: 'Blah',
|
|
monthly_price: 99.99,
|
|
currency: 'usd'
|
|
};
|
|
|
|
await agent
|
|
.post('/tiers/')
|
|
.body({tiers: [tier]})
|
|
.expectStatus(422)
|
|
.matchBodySnapshot({
|
|
errors: [{
|
|
id: matchers.anyUuid
|
|
}]
|
|
});
|
|
});
|
|
|
|
it('Errors when price is negative', async function () {
|
|
const tier = {
|
|
name: 'Blah',
|
|
monthly_price: -100,
|
|
currency: 'usd'
|
|
};
|
|
|
|
await agent
|
|
.post('/tiers/')
|
|
.body({tiers: [tier]})
|
|
.expectStatus(422)
|
|
.matchBodySnapshot({
|
|
errors: [{
|
|
id: matchers.anyUuid
|
|
}]
|
|
});
|
|
});
|
|
|
|
it('Errors when price is too large', async function () {
|
|
const tier = {
|
|
name: 'Blah',
|
|
monthly_price: Number.MAX_SAFE_INTEGER,
|
|
currency: 'usd'
|
|
};
|
|
|
|
await agent
|
|
.post('/tiers/')
|
|
.body({tiers: [tier]})
|
|
.expectStatus(422)
|
|
.matchBodySnapshot({
|
|
errors: [{
|
|
id: matchers.anyUuid
|
|
}]
|
|
});
|
|
});
|
|
|
|
it('Can read Tiers', async function () {
|
|
const {body: {tiers: [tier]}} = await agent.get('/tiers/');
|
|
|
|
await agent.get(`/tiers/${tier.id}/`)
|
|
.expectStatus(200);
|
|
});
|
|
|
|
it('Can edit visibility', async function () {
|
|
const {body: {tiers: [tier]}} = await agent.get('/tiers/?type:paid&limit=1');
|
|
|
|
const visibility = tier.visibility === 'none' ? 'public' : 'none';
|
|
|
|
await agent.put(`/tiers/${tier.id}/`)
|
|
.body({
|
|
tiers: [{
|
|
visibility
|
|
}]
|
|
})
|
|
.expectStatus(200);
|
|
|
|
const {body: {tiers: [updatedTier]}} = await agent.get(`/tiers/${tier.id}/`);
|
|
|
|
assert(updatedTier.visibility === visibility, `The visibility of the Tier should have been updated to ${visibility}`);
|
|
});
|
|
|
|
it('Can save with trial_days as null', async function () {
|
|
const {body: {tiers: [tier]}} = await agent.get('/tiers/?limit=1');
|
|
|
|
await agent.put(`/tiers/${tier.id}/`)
|
|
.body({
|
|
tiers: [{
|
|
trial_days: null
|
|
}]
|
|
})
|
|
.expectStatus(200);
|
|
|
|
const {body: {tiers: [updatedTier]}} = await agent.get(`/tiers/${tier.id}/`);
|
|
|
|
assert(updatedTier.trial_days === 0, `The trial_days should have been set to 0`);
|
|
});
|
|
|
|
it('Can edit tier properties and relations', async function () {
|
|
let {body: {tiers: [tier]}} = await agent.get('/tiers/?type:paid&limit=1')
|
|
.expectStatus(200)
|
|
.matchHeaderSnapshot({
|
|
etag: anyEtag
|
|
})
|
|
.matchBodySnapshot({
|
|
// @NOTE: bug here, the returned array of tiers should be '1' NOT '2'
|
|
tiers: Array(2).fill({
|
|
id: matchers.anyObjectId,
|
|
created_at: matchers.anyISODateTime,
|
|
updated_at: matchers.anyISODateTime
|
|
})
|
|
});
|
|
|
|
await agent.put(`/tiers/${tier.id}/`)
|
|
.body({
|
|
tiers: [{
|
|
description: 'Updated description',
|
|
benefits: ['daily cat pictures', 'delicious avo toast']
|
|
}]
|
|
})
|
|
.expectStatus(200);
|
|
|
|
const {body: {tiers: [updatedTier]}} = await agent.get(`/tiers/${tier.id}/`)
|
|
.expectStatus(200)
|
|
.matchHeaderSnapshot({
|
|
etag: anyEtag
|
|
})
|
|
.matchBodySnapshot({
|
|
tiers: Array(1).fill({
|
|
id: matchers.anyObjectId,
|
|
created_at: matchers.anyISODateTime,
|
|
updated_at: matchers.anyISODateTime
|
|
})
|
|
});
|
|
});
|
|
});
|