TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-01 05:50:35 +03:00
Code Issues Projects Releases Wiki Activity
d0f2b843c8
Ghost/core/server/models/role.js
Kevin Ansfield 1db3aefb9b
Set up schema and models for API Key authentication (#9904) 
refs https://github.com/TryGhost/Ghost/issues/9865
- schema migrations
  - adds `integrations` and `api_keys` tables
  - inserts `integration` and `api_key` permissions and Administrator role relationships
  - inserts `Admin Integration` role and permissions
- adds `Integration` model
- adds `ApiKey` model
  - creates default secret if not given
  - hardcodes associated role based on key type
    - `admin` = `Admin API Client`
    - `content` = no role
- updates `Role` model to use `bookshelf-relations` for auto cleanup of permission relationships on destroy
2018-10-02 17:46:38 +01:00

109 lines
3.7 KiB
JavaScript
Raw Blame History

var _ = require('lodash'),
ghostBookshelf = require('./base'),
Promise = require('bluebird'),
common = require('../lib/common'),
Role,
Roles;
Role = ghostBookshelf.Model.extend({
tableName: 'roles',
relationships: ['permissions'],
relationshipBelongsTo: {
permissions: 'permissions'
},
users: function users() {
return this.belongsToMany('User');
},
permissions: function permissions() {
return this.belongsToMany('Permission');
},
api_keys: function apiKeys() {
return this.hasMany('ApiKey');
}
}, {
/**
* Returns an array of keys permitted in a method's `options` hash, depending on the current method.
* @param {String} methodName The name of the method to check valid options for.
* @return {Array} Keys allowed in the `options` hash of the model's method.
*/
permittedOptions: function permittedOptions(methodName) {
var options = ghostBookshelf.Model.permittedOptions.call(this, methodName),
// whitelists for the `options` hash argument on methods, by method name.
// these are the only options that can be passed to Bookshelf / Knex.
validOptions = {
findOne: ['withRelated'],
findAll: ['withRelated']
};
if (validOptions[methodName]) {
options = options.concat(validOptions[methodName]);
}
return options;
},
permissible: function permissible(roleModelOrId, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasAppPermission) {
var self = this,
checkAgainst = [],
origArgs;
// If we passed in an id instead of a model, get the model
// then check the permissions
if (_.isNumber(roleModelOrId) || _.isString(roleModelOrId)) {
// Grab the original args without the first one
origArgs = _.toArray(arguments).slice(1);
// Get the actual role model
return this.findOne({id: roleModelOrId, status: 'all'})
.then(function then(foundRoleModel) {
if (!foundRoleModel) {
throw new common.errors.NotFoundError({
message: common.i18n.t('errors.models.role.roleNotFound')
});
}
// Build up the original args but substitute with actual model
var newArgs = [foundRoleModel].concat(origArgs);
return self.permissible.apply(self, newArgs);
});
}
if (action === 'assign' && loadedPermissions.user) {
if (_.some(loadedPermissions.user.roles, {name: 'Owner'})) {
checkAgainst = ['Owner', 'Administrator', 'Editor', 'Author', 'Contributor'];
} else if (_.some(loadedPermissions.user.roles, {name: 'Administrator'})) {
checkAgainst = ['Administrator', 'Editor', 'Author', 'Contributor'];
} else if (_.some(loadedPermissions.user.roles, {name: 'Editor'})) {
checkAgainst = ['Author', 'Contributor'];
}
// Role in the list of permissible roles
hasUserPermission = roleModelOrId && _.includes(checkAgainst, roleModelOrId.get('name'));
}
if (hasUserPermission && hasAppPermission) {
return Promise.resolve();
}
return Promise.reject(new common.errors.NoPermissionError({message: common.i18n.t('errors.models.role.notEnoughPermission')}));
}
});
Roles = ghostBookshelf.Collection.extend({
model: Role
});
module.exports = {
Role: ghostBookshelf.model('Role', Role),
Roles: ghostBookshelf.collection('Roles', Roles)
};
Reference in New Issue View Git Blame Copy Permalink