Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-27 22:49:56 -05:00
Code Issues Activity
ghost/core/server/api/users.js

380 lines
13 KiB
JavaScript
Raw Normal View History

Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 14:05:25 +01:00
// # Users API
// RESTful API for the User resource
Replace the when promise library with bluebird. Closes #968
2014-08-17 06:17:23 +00:00
var Promise = require('bluebird'),
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 13:41:19 +01:00
_ = require('lodash'),
dataProvider = require('../models'),
canThis = require('../permissions').canThis,
errors = require('../errors'),
utils = require('./utils'),
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
pipeline = require('../utils/pipeline'),
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 13:29:45 +01:00
i18n = require('../i18n'),
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 13:41:19 +01:00
docName = 'users',
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 18:00:59 +02:00
// TODO: implement created_by, updated_by
Rename post_count to count.posts refs #6009 - This is a straight rename, no functionality is added - The dot syntax requires pre/post processing to convert the name - This PR also includes several updates to the tests, as they weren't being run as part of Travis!
2015-11-20 12:04:49 +00:00
allowedIncludes = ['count.posts', 'permissions', 'roles', 'roles.permissions'],
🎨 Separate invites from user refs #7420 - remove invite logic from user - add invite model and adapt affected logic for inviting team members
2016-09-21 16:48:14 +02:00
users;
User edit & add endpoints cleanup - edit and add endpoints don't assume role - edit and add endpoints cope with no role, role objects, and strings - resend user invite was failing at one point due to no role being sent, but this shouldn't be required - other random api cleanup
2014-07-31 01:15:34 +01:00
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 14:05:25 +01:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
* ### Users API Methods
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 14:05:25 +01:00
*
* **See:** [API Methods](index.js.html#api%20methods)
*/
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 09:51:35 +01:00
users = {
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 13:41:19 +01:00
/**
* ## Browse
* Fetch all users
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 14:05:25 +01:00
* @param {{context}} options (optional)
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
* @returns {Promise<Users>} Users Collection
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 13:41:19 +01:00
*/
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 09:51:35 +01:00
browse: function browse(options) {
Remove featured, tag, author & role API params refs #5943 - removed featured, tag and author parameters from posts API - featured was only used in tests - removed role filter from users API - role was only used in tests - fixed up the tests, skipping those that don't quite work yet
2015-10-24 21:39:47 +01:00
var extraOptions = ['status'],
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
permittedOptions = utils.browseDefaultOptions.concat(extraOptions),
tasks;
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
/**
* ### Model Query
* Make the call to the Model layer
* @param {Object} options
* @returns {Object} options
*/
function doQuery(options) {
Pagination for Users Management screen closes #3222 - implementing server-side pagination for /users API - passing /users?limit=none will return all users - passing /users?status=invited will filter base on user status - creating 3 mixins (route, controller and view) to keep pagination logic DRY - updating route, controller and view for Posts to use new mixing - implementing infinite scrolling for Users Management screen (using new mixins) - Users Management screen displays all invited users, but paginates active users
2014-07-20 12:42:03 -04:00
return dataProvider.User.findPage(options);
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
}
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
tasks = [
utils.validate(docName, {opts: permittedOptions}),
Add public API permission handling refs #4004, #5614 - added new public permission handling functions to permissions - added a new util to handle either public permissions or normal permissions - updated posts, tags and users endpoints to use the new util - added test coverage for the new code
2015-06-27 19:09:25 +01:00
utils.handlePublicPermissions(docName, 'browse'),
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
utils.convertOptions(allowedIncludes),
doQuery
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
// Pipeline calls each task passing the result of one to be the arguments for the next
return pipeline(tasks, options);
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 09:51:35 +01:00
},
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 14:05:25 +01:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
* ## Read
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 14:05:25 +01:00
* @param {{id, context}} options
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
* @returns {Promise<Users>} User
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 14:05:25 +01:00
*/
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 13:41:19 +01:00
read: function read(options) {
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
var attrs = ['id', 'slug', 'status', 'email', 'role'],
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
tasks;
Add public API permission handling refs #4004, #5614 - added new public permission handling functions to permissions - added a new util to handle either public permissions or normal permissions - updated posts, tags and users endpoints to use the new util - added test coverage for the new code
2015-06-27 19:09:25 +01:00
// Special handling for id = 'me'
if (options.id === 'me' && options.context && options.context.user) {
options.id = options.context.user;
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 18:00:59 +02:00
}
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
/**
* ### Model Query
* Make the call to the Model layer
* @param {Object} options
* @returns {Object} options
*/
function doQuery(options) {
return dataProvider.User.findOne(options.data, _.omit(options, ['data']));
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 09:51:35 +01:00
}
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
tasks = [
utils.validate(docName, {attrs: attrs}),
Add public API permission handling refs #4004, #5614 - added new public permission handling functions to permissions - added a new util to handle either public permissions or normal permissions - updated posts, tags and users endpoints to use the new util - added test coverage for the new code
2015-06-27 19:09:25 +01:00
utils.handlePublicPermissions(docName, 'read'),
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
utils.convertOptions(allowedIncludes),
doQuery
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
// Pipeline calls each task passing the result of one to be the arguments for the next
return pipeline(tasks, options).then(function formatResponse(result) {
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 09:51:35 +01:00
if (result) {
Refactor to remove author.email from API refs #2330 - Pass through `options` to all toJSON calls on posts, tags, and users - Use options.context.user to determine whether it's OK to return user.email - Remove author.email handling code from frontend.js
2015-04-17 22:27:04 +01:00
return {users: [result.toJSON(options)]};
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 09:51:35 +01:00
}
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 14:27:35 +02:00
return Promise.reject(new errors.NotFoundError({message: i18n.t('errors.api.users.userNotFound')}));
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 09:51:35 +01:00
});
},
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 14:05:25 +01:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
* ## Edit
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 14:05:25 +01:00
* @param {User} object the user details to edit
* @param {{id, context}} options
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
* @returns {Promise<User>}
Full pass at inline API Docs closes #2622, ref #2125
2014-06-03 14:05:25 +01:00
*/
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 13:41:19 +01:00
edit: function edit(object, options) {
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
var extraOptions = ['editRoles'],
permittedOptions = extraOptions.concat(utils.idDefaultOptions),
tasks;
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 13:41:19 +01:00
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
if (object.users && object.users[0] && object.users[0].roles && object.users[0].roles[0]) {
options.editRoles = true;
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 10:46:05 +01:00
}
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 13:41:19 +01:00
Don't alter password from User.edit endpoint - password changes should only be possible from the password change endpoint Credits: An anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program
2015-09-23 19:44:38 +01:00
// The password should never be set via this endpoint, if it is passed, ignore it
if (object.users && object.users[0] && object.users[0].password) {
delete object.users[0].password;
}
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
/**
* ### Handle Permissions
* We need to be an authorised user to perform this action
* Edit user allows the related role object to be updated as well, with some rules:
* - No change permitted to the role of the owner
* - no change permitted to the role of the context user (user making the request)
* @param {Object} options
* @returns {Object} options
*/
function handlePermissions(options) {
if (options.id === 'me' && options.context && options.context.user) {
options.id = options.context.user;
}
closes #3197 - added role to user obj (only returned from the user endpoint) - added `/users/?include=roles` and `/users/?include=roles,roles.permissions` query parameters - added and updated tests
2014-07-08 18:00:59 +02:00
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 10:46:05 +01:00
return canThis(options.context).edit.user(options.id).then(function () {
Fix up users API so admin role can edit owner No Issue. - Make sure that a user with the Admin role can edit the Owner. - Add test for behavior.
2015-01-20 19:21:50 +00:00
// if roles aren't in the payload, proceed with the edit
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
if (!(options.data.users[0].roles && options.data.users[0].roles[0])) {
return options;
Fix up users API so admin role can edit owner No Issue. - Make sure that a user with the Admin role can edit the Owner. - Add test for behavior.
2015-01-20 19:21:50 +00:00
}
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
// @TODO move role permissions out of here
var role = options.data.users[0].roles[0],
Fix up users API so admin role can edit owner No Issue. - Make sure that a user with the Admin role can edit the Owner. - Add test for behavior.
2015-01-20 19:21:50 +00:00
roleId = parseInt(role.id || role, 10),
editedUserId = parseInt(options.id, 10);
return dataProvider.User.findOne(
{id: options.context.user, status: 'all'}, {include: ['roles']}
).then(function (contextUser) {
Refactor to remove author.email from API refs #2330 - Pass through `options` to all toJSON calls on posts, tags, and users - Use options.context.user to determine whether it's OK to return user.email - Remove author.email handling code from frontend.js
2015-04-17 22:27:04 +01:00
var contextRoleId = contextUser.related('roles').toJSON(options)[0].id;
Fix up users API so admin role can edit owner No Issue. - Make sure that a user with the Admin role can edit the Owner. - Add test for behavior.
2015-01-20 19:21:50 +00:00
if (roleId !== contextRoleId && editedUserId === contextUser.id) {
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 14:27:35 +02:00
return Promise.reject(new errors.NoPermissionError({message: i18n.t('errors.api.users.cannotChangeOwnRole')}));
Fix up users API so admin role can edit owner No Issue. - Make sure that a user with the Admin role can edit the Owner. - Add test for behavior.
2015-01-20 19:21:50 +00:00
}
return dataProvider.User.findOne({role: 'Owner'}).then(function (owner) {
if (contextUser.id !== owner.id) {
if (editedUserId === owner.id) {
if (owner.related('roles').at(0).id !== roleId) {
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 14:27:35 +02:00
return Promise.reject(new errors.NoPermissionError({message: i18n.t('errors.api.users.cannotChangeOwnersRole')}));
Ensure Owner's role isn't downgraded closes #3765 - Simple API check to ensure that the owner isn’t downgraded to a different role (analog to the ’can’t change your own role’ check) - Test added to ensure Owner can't be downgraded to a lower role
2014-08-13 12:12:50 -07:00
}
Fix up users API so admin role can edit owner No Issue. - Make sure that a user with the Admin role can edit the Owner. - Add test for behavior.
2015-01-20 19:21:50 +00:00
} else if (roleId !== contextRoleId) {
return canThis(options.context).assign.role(role).then(function () {
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
return options;
Fix up users API so admin role can edit owner No Issue. - Make sure that a user with the Admin role can edit the Owner. - Add test for behavior.
2015-01-20 19:21:50 +00:00
});
}
User edit & add endpoints cleanup - edit and add endpoints don't assume role - edit and add endpoints cope with no role, role objects, and strings - resend user invite was failing at one point due to no role being sent, but this shouldn't be required - other random api cleanup
2014-07-31 01:15:34 +01:00
}
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
return options;
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 10:46:05 +01:00
});
Fix up users API so admin role can edit owner No Issue. - Make sure that a user with the Admin role can edit the Owner. - Add test for behavior.
2015-01-20 19:21:50 +00:00
});
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 17:33:43 +02:00
}).catch(function handleError(err) {
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 14:27:35 +02:00
return Promise.reject(new errors.NoPermissionError({
err: err,
context: i18n.t('errors.api.users.noPermissionToEditUser')
}));
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
});
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
}
/**
* ### Model Query
* Make the call to the Model layer
* @param {Object} options
* @returns {Object} options
*/
function doQuery(options) {
return dataProvider.User.edit(options.data.users[0], _.omit(options, ['data']));
}
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
tasks = [
utils.validate(docName, {opts: permittedOptions}),
handlePermissions,
utils.convertOptions(allowedIncludes),
doQuery
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
return pipeline(tasks, object, options).then(function formatResponse(result) {
if (result) {
return {users: [result.toJSON(options)]};
}
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 14:27:35 +02:00
return Promise.reject(new errors.NotFoundError({message: i18n.t('errors.api.users.userNotFound')}));
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
});
},
Use current user in models closes #2058 - fixed apiContext as suggested in the issue - added user to options object for models - added api.users.register() for public registration - changed models to use options.user for created_by, updated_by, author_id and published_by - added override to session model to avoid created_by and updated_by values - added user (id: 1) to tests - added user (id: 1) for registration - added user (id: 1) for import, fixtures and default settings - added user (id: 1) for user update - added user (id: 1) for settings update (dbHash, installedApps, update check) - updated bookshelf to version 0.6.8
2014-04-03 15:03:09 +02:00
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 10:46:05 +01:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
* ## Destroy
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 10:46:05 +01:00
* @param {{id, context}} options
Return http status 204 on deletes Closes #2871 - Refactor api http handlers. - Update tests. - Remove special handling of responses in ember adapter.
2016-03-20 12:26:42 -05:00
* @returns {Promise}
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 10:46:05 +01:00
*/
destroy: function destroy(options) {
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
var tasks;
/**
* ### Handle Permissions
* We need to be an authorised user to perform this action
* @param {Object} options
* @returns {Object} options
*/
function handlePermissions(options) {
return canThis(options.context).destroy.user(options.id).then(function permissionGranted() {
options.status = 'all';
return options;
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 17:33:43 +02:00
}).catch(function handleError(err) {
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 14:27:35 +02:00
return Promise.reject(new errors.NoPermissionError({
err: err,
context: i18n.t('errors.api.users.noPermissionToDestroyUser')
}));
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
});
}
/**
Return http status 204 on deletes Closes #2871 - Refactor api http handlers. - Update tests. - Remove special handling of responses in ember adapter.
2016-03-20 12:26:42 -05:00
* ### Delete User
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
* Make the call to the Model layer
* @param {Object} options
*/
Return http status 204 on deletes Closes #2871 - Refactor api http handlers. - Update tests. - Remove special handling of responses in ember adapter.
2016-03-20 12:26:42 -05:00
function deleteUser(options) {
return dataProvider.Base.transaction(function (t) {
options.transacting = t;
return Promise.all([
dataProvider.Accesstoken.destroyByUser(options),
dataProvider.Refreshtoken.destroyByUser(options),
dataProvider.Post.destroyByAuthor(options)
]).then(function () {
return dataProvider.User.destroy(options);
}).return(null);
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 17:33:43 +02:00
}).catch(function (err) {
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 14:27:35 +02:00
return Promise.reject(new errors.NoPermissionError({
err: err
}));
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 10:46:05 +01:00
});
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
}
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
tasks = [
utils.validate(docName, {opts: utils.idDefaultOptions}),
handlePermissions,
utils.convertOptions(allowedIncludes),
Return http status 204 on deletes Closes #2871 - Refactor api http handlers. - Update tests. - Remove special handling of responses in ember adapter.
2016-03-20 12:26:42 -05:00
deleteUser
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
// Pipeline calls each task passing the result of one to be the arguments for the next
return pipeline(tasks, options);
User edit, add & destroy perms restricted by role closes #3096, closes #3378, refs #3100 - user.permissible updated to reflect proper permissions - small amount of API refactoring to handle extra cases - extensive integration testing
2014-07-24 10:46:05 +01:00
},
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
* ## Change Password
Move post slug endpoint & add endpoints for users closes #3187 - move slug endpoint to post/slug/:slug - create similar slug and email endpoint for users - add/update tests
2014-07-08 23:28:31 +01:00
* @param {password} object
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
* @param {{context}} options
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
* @returns {Promise<password>} success message
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
*/
changePassword: function changePassword(object, options) {
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
var tasks;
🎨 remove token logic from user model (#7622) * 🔥 remove User model functions - validateToken - generateToken - resetPassword - all this logic will re-appear in a different way Token logic: - was already extracted as separate PR, see https://github.com/TryGhost/Ghost/pull/7554 - we will use this logic in the controller, you will see in the next commits Reset Password: Was just a wrapper for calling the token logic and change the password. We can reconsider keeping the function to call: changePassword and activate the status of the user - but i think it's fine to trigger these two actions from the controlling unit. * 🔥 remove password reset tests from User model - we already have unit tests for change password and the token logic - i will re-check at the end if any test case is missing - but for now i will just burn the tests * ✨ add token logic to controlling unit generateResetToken endpoint - the only change here is instead of calling the User model to generate a token, we generate the token via utils - we fetch the user by email, and generate a hash and return resetPassword endpoint - here we have changed a little bit more - first of all: we have added the validation check if the new passwords match - a new helper method to extract the token informations - the brute force security check, which can be handled later from the new bruteforce middleware (see TODO) - the actual reset function is doing the steps: load me the user, compare the token, change the password and activate the user - we can think of wrapping these steps into a User model function - i was not sure about it, because it is actually part of the controlling unit [ci skip] * 🎨 tidy up - jscs - jshint - naming functions - fixes * ✨ add a test for resetting the password - there was none - added a test to reset the password * 🎨 add more token tests - ensure quality - ensure logic we had * 🔥 remove compare new password check from User Model - this part of controlling unit * ✨ compare new passwords for user endpoint - we deleted the logic in User Model - we are adding the logic to controlling unit * 🐛 spam prevention forgotten can crash - no validation happend before this middleware - it just assumes that the root key is present - when we work on our API, we need to ensure that 1. pre validation happens 2. we call middlewares 3. ... * 🎨 token translation key
2016-11-07 12:18:50 +01:00
function validateRequest() {
return utils.validate('password')(object, options)
.then(function (options) {
var data = options.data.password[0];
if (data.newPassword !== data.ne2Password) {
return Promise.reject(new errors.ValidationError({
message: i18n.t('errors.models.user.newPasswordsDoNotMatch')
}));
}
return Promise.resolve(options);
});
}
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
/**
* ### Handle Permissions
* We need to be an authorised user to perform this action
* @param {Object} options
* @returns {Object} options
*/
function handlePermissions(options) {
Refactor changePassword and resetPassword issue #5500 - make `changePassword` and `resetPassword` methods on `user` model consistent: use `object` and `options` arguments instead of multiple different arguments - change User API `changePassword` method to use these new arguments
2015-07-07 15:32:50 +02:00
return canThis(options.context).edit.user(options.data.password[0].user_id).then(function permissionGranted() {
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
return options;
🎨 configurable logging with bunyan (#7431) - 🛠 add bunyan and prettyjson, remove morgan - ✨ add logging module - GhostLogger class that handles setup of bunyan - PrettyStream for stdout - ✨ config for logging - @TODO: testing level fatal? - ✨ log each request via GhostLogger (express middleware) - @TODO: add errors to output - 🔥 remove errors.updateActiveTheme - we can read the value from config - 🔥 remove 15 helper functions in core/server/errors/index.js - all these functions get replaced by modules: 1. logging 2. error middleware handling for html/json 3. error creation (which will be part of PR #7477) - ✨ add express error handler for html/json - one true error handler for express responses - contains still some TODO's, but they are not high priority for first implementation/integration - this middleware only takes responsibility of either rendering html responses or return json error responses - 🎨 use new express error handler in middleware/index - 404 and 500 handling - 🎨 return error instead of error message in permissions/index.js - the rule for error handling should be: if you call a unit, this unit should return a custom Ghost error - 🎨 wrap serve static module - rule: if you call a module/unit, you should always wrap this error - it's always the same rule - so the caller never has to worry about what comes back - it's always a clear error instance - in this case: we return our notfounderror if serve static does not find the resource - this avoid having checks everywhere - 🎨 replace usages of errors/index.js functions and adapt tests - use logging.error, logging.warn - make tests green - remove some usages of logging and throwing api errors -> because when a request is involved, logging happens automatically - 🐛 return errorDetails to Ghost-Admin - errorDetails is used for Theme error handling - 🎨 use 500er error for theme is missing error in theme-handler - 🎨 extend file rotation to 1w
2016-10-04 17:33:43 +02:00
}).catch(function (err) {
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's
2016-10-06 14:27:35 +02:00
return Promise.reject(new errors.NoPermissionError({
err: err,
context: i18n.t('errors.api.users.noPermissionToChangeUsersPwd')
}));
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
});
}
/**
* ### Model Query
* Make the call to the Model layer
* @param {Object} options
* @returns {Object} options
*/
function doQuery(options) {
return dataProvider.User.changePassword(
Refactor changePassword and resetPassword issue #5500 - make `changePassword` and `resetPassword` methods on `user` model consistent: use `object` and `options` arguments instead of multiple different arguments - change User API `changePassword` method to use these new arguments
2015-07-07 15:32:50 +02:00
options.data.password[0],
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
_.omit(options, ['data'])
);
}
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
tasks = [
🎨 remove token logic from user model (#7622) * 🔥 remove User model functions - validateToken - generateToken - resetPassword - all this logic will re-appear in a different way Token logic: - was already extracted as separate PR, see https://github.com/TryGhost/Ghost/pull/7554 - we will use this logic in the controller, you will see in the next commits Reset Password: Was just a wrapper for calling the token logic and change the password. We can reconsider keeping the function to call: changePassword and activate the status of the user - but i think it's fine to trigger these two actions from the controlling unit. * 🔥 remove password reset tests from User model - we already have unit tests for change password and the token logic - i will re-check at the end if any test case is missing - but for now i will just burn the tests * ✨ add token logic to controlling unit generateResetToken endpoint - the only change here is instead of calling the User model to generate a token, we generate the token via utils - we fetch the user by email, and generate a hash and return resetPassword endpoint - here we have changed a little bit more - first of all: we have added the validation check if the new passwords match - a new helper method to extract the token informations - the brute force security check, which can be handled later from the new bruteforce middleware (see TODO) - the actual reset function is doing the steps: load me the user, compare the token, change the password and activate the user - we can think of wrapping these steps into a User model function - i was not sure about it, because it is actually part of the controlling unit [ci skip] * 🎨 tidy up - jscs - jshint - naming functions - fixes * ✨ add a test for resetting the password - there was none - added a test to reset the password * 🎨 add more token tests - ensure quality - ensure logic we had * 🔥 remove compare new password check from User Model - this part of controlling unit * ✨ compare new passwords for user endpoint - we deleted the logic in User Model - we are adding the logic to controlling unit * 🐛 spam prevention forgotten can crash - no validation happend before this middleware - it just assumes that the root key is present - when we work on our API, we need to ensure that 1. pre validation happens 2. we call middlewares 3. ... * 🎨 token translation key
2016-11-07 12:18:50 +01:00
validateRequest,
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
handlePermissions,
utils.convertOptions(allowedIncludes),
doQuery
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
// Pipeline calls each task passing the result of one to be the arguments for the next
return pipeline(tasks, object, options).then(function formatResponse() {
Harvest server side strings closes #5617 - Replace all hard-coded server-side strings with i18n translations
2015-11-12 13:29:45 +01:00
return Promise.resolve({password: [{message: i18n.t('notices.api.users.pwdChangedSuccessfully')}]});
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
});
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 17:40:30 +02:00
},
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 09:51:35 +01:00
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 17:40:30 +02:00
/**
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
* ## Transfer Ownership
* @param {owner} object
* @param {Object} options
* @returns {Promise<User>}
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 17:40:30 +02:00
*/
transferOwnership: function transferOwnership(object, options) {
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
var tasks;
/**
* ### Handle Permissions
* We need to be an authorised user to perform this action
* @param {Object} options
* @returns {Object} options
*/
function handlePermissions(options) {
return dataProvider.Role.findOne({name: 'Owner'}).then(function (ownerRole) {
return canThis(options.context).assign.role(ownerRole);
}).then(function () {
return options;
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 17:40:30 +02:00
});
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
}
/**
* ### Model Query
* Make the call to the Model layer
* @param {Object} options
* @returns {Object} options
*/
function doQuery(options) {
return dataProvider.User.transferOwnership(options.data.owner[0], _.omit(options, ['data']));
}
// Push all of our tasks into a `tasks` array in the correct order
API Option Handling refs #2758 - add a set of default options to utils - update validation function to only pass through permitted options - pass permitted options into validate where necessary - setup basic validation for each known option, and generic validation for the remainder - change slug to treat 'name' as data, rather than an option
2015-07-01 19:17:56 +01:00
tasks = [
utils.validate('owner'),
handlePermissions,
utils.convertOptions(allowedIncludes),
doQuery
];
Refactor to using pipeline for the API refs #2758 - Post, Tag & User API methods are refactored to use pipeline - Each functional code block is a named task function - Each function takes options, manipulates it, and returns options back - Tasks like permissions can reject if they don't pass, causing the pipeline to fail - Tasks like validating and converting options might be abstracted out into utils - the same for each endpoint - Tasks like the data call can be extremely complex if needs be (like for some user endpoints) - Option validation is mostly factored out to utils - Option conversion is factored out to utils - API utils have 100% test coverage - Minor updates to inline docs, more to do here
2015-06-22 21:11:35 +01:00
// Pipeline calls each task passing the result of one to be the arguments for the next
return pipeline(tasks, object, options).then(function formatResult(result) {
return Promise.resolve({users: result});
Transfer ownership end point closes #3426 - added transfer ownership endpoint - added owner to roles.permissible - manually removed owner from roles.browse - removed hard coded author role - fixed tests that were passing due to hard coded author role - added testUtils.setup(‚roles‘)
2014-07-30 17:40:30 +02:00
});
}
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 09:51:35 +01:00
};
module.exports = users;
Reference in a new issue Copy permalink