mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-20 01:03:23 +03:00
Ghost/ghost/core/test/unit/server/models
Fabien 'egg' O'Carroll 3d3b3ff701
Fixed Editors being able to invite Editors ()
ref ENG-774
ref https://linear.app/tryghost/issue/ENG-774

Staff Tokens will have both a `user` and an `apiKey` present on the
`loadedPermissions`.

The check here for `apiKey` was written when we could assume that an
`apiKey` was an Admin Integration - so it completely overwrote the
previous `allowed` list. When we added the concept of Staff Tokens -
this resulted in a privilege escalation.

This is a good lesson in not using proxies or indicators for data, as
changes elsewhere can invalidate them - if we had been specific and
checked the role of the current actor we wouldn't have had this bug!
2024-03-26 00:45:08 +07:00
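The bug class described in the commit message above, as an added illustration that is not Ghost's code. The role names, the allowed-role lists in `INVITABLE_BY_ROLE`, the shape of `loadedPermissions` (a `user` with `roles`, an `apiKey` with `roles`) and the sample actors are all assumptions made for this example. The "before" function keeps the described behaviour (the presence of `apiKey` overwrites the list derived from the user's role); the "after" function decides from the actor's actual role instead of from an indicator.

```javascript
// Hypothetical model of an invite permission check. Not Ghost's code:
// role names, allowed lists and data shapes are assumptions for this example.

// Assumed: which roles each kind of actor may invite (lists invented here).
const INVITABLE_BY_ROLE = {
    Owner: ['Administrator', 'Editor', 'Author', 'Contributor'],
    Administrator: ['Administrator', 'Editor', 'Author', 'Contributor'],
    Editor: ['Author', 'Contributor'],
    Author: [],
    Contributor: [],
    'Admin Integration': ['Editor', 'Author', 'Contributor']
};

function userRoleNames(loadedPermissions) {
    const user = loadedPermissions.user;
    return user && Array.isArray(user.roles) ? user.roles.map(r => r.name) : [];
}

// "Before": `apiKey` is used as a proxy for "this actor is an Admin
// Integration" and REPLACES the list computed from the user's role.
// A Staff Token loads both `user` and `apiKey`, so an Editor's list is
// silently widened to the integration list (privilege escalation).
function allowedInviteRolesVulnerable(loadedPermissions) {
    const roles = userRoleNames(loadedPermissions);
    let allowed = [];
    if (roles.includes('Owner')) allowed = INVITABLE_BY_ROLE.Owner;
    else if (roles.includes('Administrator')) allowed = INVITABLE_BY_ROLE.Administrator;
    else if (roles.includes('Editor')) allowed = INVITABLE_BY_ROLE.Editor;

    if (loadedPermissions.apiKey) {
        allowed = INVITABLE_BY_ROLE['Admin Integration']; // BUG: indicator overwrites role
    }
    return allowed.slice();
}

// "After": resolve the actor's actual role. A loaded user always decides;
// an apiKey only counts as an integration when no user is behind it, and
// even then its own role, not its mere presence, selects the list.
function actorRole(loadedPermissions) {
    const roles = userRoleNames(loadedPermissions);
    for (const name of ['Owner', 'Administrator', 'Editor', 'Author', 'Contributor']) {
        if (roles.includes(name)) return name;
    }
    const apiKey = loadedPermissions.apiKey;
    if (apiKey && Array.isArray(apiKey.roles)) {
        const integration = apiKey.roles.find(r => r.name === 'Admin Integration');
        if (integration) return integration.name;
    }
    return null; // unknown actor: deny everything
}

function allowedInviteRolesFixed(loadedPermissions) {
    const role = actorRole(loadedPermissions);
    return role ? INVITABLE_BY_ROLE[role].slice() : [];
}

function canInvite(check, loadedPermissions, targetRole) {
    return check(loadedPermissions).includes(targetRole);
}

// Constructed sample actors (not real Ghost data). The Staff Token case is
// the one from the commit message: the Editor's user AND an apiKey are loaded.
const ACTORS = {
    editorSession: {user: {roles: [{name: 'Editor'}]}},
    adminIntegration: {apiKey: {roles: [{name: 'Admin Integration'}]}},
    editorStaffToken: {user: {roles: [{name: 'Editor'}]}, apiKey: {roles: []}} // apiKey roles assumed empty
};

for (const [name, perms] of Object.entries(ACTORS)) {
    console.log(name,
        'vulnerable:', allowedInviteRolesVulnerable(perms).join(','),
        '| fixed:', allowedInviteRolesFixed(perms).join(','));
}
```

Running it prints the Editor Staff Token getting `Editor,Author,Contributor` from the vulnerable check and only `Author,Contributor` from the fixed one; the Admin Integration (apiKey with no user) keeps its integration list in both, which is the case the original proxy check was written for.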
base Updated to use assert/strict everywhere () 2023-06-21 09:56:59 +01:00
api-key.test.js Removed all unused variables from test files 2023-03-10 14:29:55 +01:00
comment.test.js Converted Ghost repo into a monorepo 2022-07-20 16:41:05 +02:00
custom-theme-setting.test.js Converted Ghost repo into a monorepo 2022-07-20 16:41:05 +02:00
email-spam-complaint-event.test.js Updated to use assert/strict everywhere () 2023-06-21 09:56:59 +01:00
integration.test.js Removed all unused variables from test files 2023-03-10 14:29:55 +01:00
invite.test.js Fixed Editors being able to invite Editors () 2024-03-26 00:45:08 +07:00
member-click-event.test.js Added post_id filter and total to activity feed API () 2022-10-18 15:52:04 +02:00
member-created-event.test.js Added ENUM validation for member/subscription created events () 2022-08-25 15:39:37 +02:00
member-feedback.test.js Added members_feedback table () 2022-10-11 13:21:31 +02:00
member-paid-subscription-event.test.js Added post_id filter and total to activity feed API () 2022-10-18 15:52:04 +02:00
member-subscribe-event.test.js Added ENUM validation for member/subscription created events () 2022-08-25 15:39:37 +02:00
member.test.js Fixed configUtils and adapter cache issues in E2E tests () 2023-01-30 14:06:20 +01:00
milestone.test.js Updated to use assert/strict everywhere () 2023-06-21 09:56:59 +01:00
newsletter.test.js Removed all unused variables from test files 2023-03-10 14:29:55 +01:00
permission.test.js Removed all unused variables from test files 2023-03-10 14:29:55 +01:00
post.test.js Added missing permissions to Contributor & Editor () 2024-03-20 20:36:07 +07:00
session.test.js Converted Ghost repo into a monorepo 2022-07-20 16:41:05 +02:00
settings.test.js Removed all unused variables from test files 2023-03-10 14:29:55 +01:00
single-use-token.test.js Updated to use assert/strict everywhere () 2023-06-21 09:56:59 +01:00
stripe-customer-subscription.test.js Removed all unused variables from test files 2023-03-10 14:29:55 +01:00
subscription-created-event.test.js Added ENUM validation for member/subscription created events () 2022-08-25 15:39:37 +02:00
suppression.test.js Updated to use assert/strict everywhere () 2023-06-21 09:56:59 +01:00
tag.test.js Removed all unused variables from test files 2023-03-10 14:29:55 +01:00
user.test.js Removed all unused variables from test files 2023-03-10 14:29:55 +01:00