ref ENG-774 ref https://linear.app/tryghost/issue/ENG-774 Staff Tokens have both a `user` and an `apiKey` present on `loadedPermissions`. The `apiKey` check here was written when an `apiKey` could be assumed to belong to an Admin Integration, so it completely overwrote the previously computed `allowed` list. Once Staff Tokens were introduced, that assumption no longer held and the overwrite became a privilege escalation: a staff user's token was granted the integration's permissions instead of the user's own role-limited set. This is a good lesson in not using proxies or indicators in place of the data itself, since changes elsewhere can silently invalidate them — had the check been explicit about the role of the current actor, this bug would not have existed.