mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-21 01:41:46 +03:00
b2f1d0559b
refs #8093
✨ Add activate theme permission
- add permission to activate themes
- update tests
- also: update tests for invites
TODO: change how the active theme setting is updated to reduce extra permissions
✨ Move theme validation to gscan
- add a new gscan validation method and use it for upload
- update activate endpoint to do validation also using gscan
- change to using SettingsModel instead of API so that we don't call validation or permissions on the settings API
- remove validation from the settings model
- remove the old validation function
- add new invalid theme message to translations & remove a bunch of theme validation related unused keys
📖 Planned changes
🚨 Tests for theme activation API endpoint
🐛 Don't allow deleting the active theme
🚫 Prevent activeTheme being set via settings API
- We want to control how this happens in future.
- We still want to store the information in settings, via the model.
- We just don't want to be able to change this info via the settings edit endpoint
🐛 ✨ Fix warnings for uploads & add for activations
- warnings for uploads were broken in f8b498d
- fix the response + adds tests to cover that warnings are correctly returned
- add the same response to activations + more tests
- activations now return a single theme object - the theme that was activated + any warnings
🎨 Improve how we generate theme API responses
- remove the requirement to pass in the active theme!
- move this to a specialist function, away from the list
🎨 Do not load gscan on boot
241 lines
7.5 KiB
JavaScript
241 lines
7.5 KiB
JavaScript
// # Settings API
|
|
// RESTful API for the Setting resource
|
|
var _ = require('lodash'),
|
|
dataProvider = require('../models'),
|
|
Promise = require('bluebird'),
|
|
canThis = require('../permissions').canThis,
|
|
errors = require('../errors'),
|
|
utils = require('./utils'),
|
|
i18n = require('../i18n'),
|
|
|
|
docName = 'settings',
|
|
settings,
|
|
|
|
settingsCache = require('../settings/cache'),
|
|
|
|
settingsFilter,
|
|
settingsResult,
|
|
canEditAllSettings,
|
|
|
|
// ## Helpers
|
|
|
|
/**
|
|
* ### Settings Filter
|
|
* Filters an object based on a given filter object
|
|
* @private
|
|
* @param {Object} settings
|
|
* @param {String} filter
|
|
* @returns {*}
|
|
*/
|
|
settingsFilter = function (settings, filter) {
|
|
return _.fromPairs(_.filter(_.toPairs(settings), function (setting) {
|
|
if (filter) {
|
|
return _.some(filter.split(','), function (f) {
|
|
return setting[1].type === f;
|
|
});
|
|
}
|
|
return true;
|
|
}));
|
|
};
|
|
|
|
/**
|
|
* ### Settings Result
|
|
*
|
|
* Takes a keyed JSON object
|
|
* E.g.
|
|
* dbHash: {
|
|
* id: '123abc',
|
|
* key: 'dbash',
|
|
* value: 'xxxx',
|
|
* type: 'core',
|
|
* timestamps
|
|
* }
|
|
*
|
|
* Performs a filter, based on the `type`
|
|
* And converts the remaining items to our API format by adding a `setting` and `meta` keys.
|
|
*
|
|
* @private
|
|
* @param {Object} settings - a keyed JSON object
|
|
* @param {String} type
|
|
* @returns {{settings: *}}
|
|
*/
|
|
settingsResult = function settingsResult(settings, type) {
|
|
var filteredSettings = _.values(settingsFilter(settings, type)),
|
|
result = {
|
|
settings: filteredSettings,
|
|
meta: {}
|
|
};
|
|
|
|
if (type) {
|
|
result.meta.filters = {
|
|
type: type
|
|
};
|
|
}
|
|
|
|
return result;
|
|
};
|
|
|
|
/**
|
|
* ### Can Edit All Settings
|
|
* Check that this edit request is allowed for all settings requested to be updated
|
|
* @private
|
|
* @param {Object} settingsInfo
|
|
* @returns {*}
|
|
*/
|
|
canEditAllSettings = function (settingsInfo, options) {
|
|
var checkSettingPermissions = function checkSettingPermissions(setting) {
|
|
if (setting.type === 'core' && !(options.context && options.context.internal)) {
|
|
return Promise.reject(
|
|
new errors.NoPermissionError({message: i18n.t('errors.api.settings.accessCoreSettingFromExtReq')})
|
|
);
|
|
}
|
|
|
|
return canThis(options.context).edit.setting(setting.key).catch(function () {
|
|
return Promise.reject(new errors.NoPermissionError({message: i18n.t('errors.api.settings.noPermissionToEditSettings')}));
|
|
});
|
|
},
|
|
checks = _.map(settingsInfo, function (settingInfo) {
|
|
var setting = settingsCache.get(settingInfo.key, {resolve: false});
|
|
|
|
if (!setting) {
|
|
return Promise.reject(new errors.NotFoundError(
|
|
{message: i18n.t('errors.api.settings.problemFindingSetting', {key: settingInfo.key})}
|
|
));
|
|
}
|
|
|
|
if (setting.key === 'activeTheme') {
|
|
return Promise.reject(
|
|
new errors.BadRequestError({
|
|
message: i18n.t('errors.api.settings.activeThemeSetViaAPI.error'),
|
|
help: i18n.t('errors.api.settings.activeThemeSetViaAPI.help')
|
|
})
|
|
);
|
|
}
|
|
|
|
return checkSettingPermissions(setting);
|
|
});
|
|
|
|
return Promise.all(checks);
|
|
};
|
|
|
|
/**
|
|
* ## Settings API Methods
|
|
*
|
|
* **See:** [API Methods](index.js.html#api%20methods)
|
|
*/
|
|
settings = {
|
|
|
|
/**
|
|
* ### Browse
|
|
* @param {Object} options
|
|
* @returns {*}
|
|
*/
|
|
browse: function browse(options) {
|
|
options = options || {};
|
|
|
|
var result = settingsResult(settingsCache.getAll(), options.type);
|
|
|
|
// If there is no context, return only blog settings
|
|
if (!options.context) {
|
|
return Promise.resolve(_.filter(result.settings, function (setting) { return setting.type === 'blog'; }));
|
|
}
|
|
|
|
// Otherwise return whatever this context is allowed to browse
|
|
return canThis(options.context).browse.setting().then(function () {
|
|
// Omit core settings unless internal request
|
|
if (!options.context.internal) {
|
|
result.settings = _.filter(result.settings, function (setting) { return setting.type !== 'core'; });
|
|
}
|
|
|
|
return result;
|
|
});
|
|
},
|
|
|
|
/**
|
|
* ### Read
|
|
* @param {Object} options
|
|
* @returns {*}
|
|
*/
|
|
read: function read(options) {
|
|
if (_.isString(options)) {
|
|
options = {key: options};
|
|
}
|
|
|
|
var setting = settingsCache.get(options.key, {resolve: false}),
|
|
result = {};
|
|
|
|
if (!setting) {
|
|
return Promise.reject(new errors.NotFoundError(
|
|
{message: i18n.t('errors.api.settings.problemFindingSetting', {key: options.key})}
|
|
));
|
|
}
|
|
|
|
result[options.key] = setting;
|
|
|
|
if (setting.type === 'core' && !(options.context && options.context.internal)) {
|
|
return Promise.reject(
|
|
new errors.NoPermissionError({message: i18n.t('errors.api.settings.accessCoreSettingFromExtReq')})
|
|
);
|
|
}
|
|
|
|
if (setting.type === 'blog') {
|
|
return Promise.resolve(settingsResult(result));
|
|
}
|
|
|
|
return canThis(options.context).read.setting(options.key).then(function () {
|
|
return settingsResult(result);
|
|
}, function () {
|
|
return Promise.reject(new errors.NoPermissionError({message: i18n.t('errors.api.settings.noPermissionToReadSettings')}));
|
|
});
|
|
},
|
|
|
|
/**
|
|
* ### Edit
|
|
* Update properties of a setting
|
|
* @param {{settings: }} object Setting or a single string name
|
|
* @param {{id (required), include,...}} options (optional) or a single string value
|
|
* @return {Promise(Setting)} Edited Setting
|
|
*/
|
|
edit: function edit(object, options) {
|
|
options = options || {};
|
|
var self = this,
|
|
type;
|
|
|
|
// Allow shorthand syntax where a single key and value are passed to edit instead of object and options
|
|
if (_.isString(object)) {
|
|
object = {settings: [{key: object, value: options}]};
|
|
}
|
|
|
|
// clean data
|
|
_.each(object.settings, function (setting) {
|
|
if (!_.isString(setting.value)) {
|
|
setting.value = JSON.stringify(setting.value);
|
|
}
|
|
});
|
|
|
|
type = _.find(object.settings, function (setting) { return setting.key === 'type'; });
|
|
if (_.isObject(type)) {
|
|
type = type.value;
|
|
}
|
|
|
|
object.settings = _.reject(object.settings, function (setting) {
|
|
return setting.key === 'type';
|
|
});
|
|
|
|
return canEditAllSettings(object.settings, options).then(function () {
|
|
return utils.checkObject(object, docName).then(function (checkedData) {
|
|
options.user = self.user;
|
|
return dataProvider.Settings.edit(checkedData.settings, options);
|
|
}).then(function (settingsModelsArray) {
|
|
// Instead of a standard bookshelf collection, Settings.edit returns an array of Settings Models.
|
|
// We convert this to JSON, by calling toJSON on each Model (using invokeMap for ease)
|
|
// We use keyBy to create an object that uses the 'key' as a key for each setting.
|
|
var settingsKeyedJSON = _.keyBy(_.invokeMap(settingsModelsArray, 'toJSON'), 'key');
|
|
return settingsResult(settingsKeyedJSON, type);
|
|
});
|
|
});
|
|
}
|
|
};
|
|
|
|
module.exports = settings;
|