const _ = require('lodash');
const ghostBookshelf = require('./base');
const Promise = require('bluebird');
const {i18n} = require('../lib/common');
const errors = require('@tryghost/errors');
// Assigned further down: `Role` is the Bookshelf model, `Roles` the matching collection.
let Role;
let Roles;
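// Role model: a named bundle of permissions that users and API keys can hold.
Role = ghostBookshelf.Model.extend({
    tableName: 'roles',

    relationships: ['permissions'],

    relationshipBelongsTo: {
        permissions: 'permissions'
    },

    /**
     * Bookshelf many-to-many relation to the `User` model (users holding this role).
     */
    users: function users() {
        return this.belongsToMany('User');
    },

    /**
     * Bookshelf many-to-many relation to the `Permission` model (permissions granted by this role).
     */
    permissions: function permissions() {
        return this.belongsToMany('Permission');
    },

    /**
     * Bookshelf one-to-many relation to the `ApiKey` model (API keys carrying this role).
     */
    api_keys: function apiKeys() {
        return this.hasMany('ApiKey');
    }
}, {
    /**
     * Returns an array of keys permitted in a method's `options` hash, depending on the current method.
     *
     * @param {String} methodName The name of the method to check valid options for.
     * @return {Array} Keys allowed in the `options` hash of the model's method.
     */
    permittedOptions: function permittedOptions(methodName) {
        const baseOptions = ghostBookshelf.Model.permittedOptions.call(this, methodName);

        // whitelists for the `options` hash argument on methods, by method name.
        // these are the only options that can be passed to Bookshelf / Knex.
        const validOptions = {
            findOne: ['withRelated'],
            findAll: ['withRelated']
        };

        // own-property lookup so inherited Object.prototype members (e.g. `toString`)
        // never count as a whitelist entry; methods without an entry get only the base options
        if (_.has(validOptions, methodName)) {
            return baseOptions.concat(validOptions[methodName]);
        }

        return baseOptions;
    },

    /**
     * Decides whether the current actor may perform `action` on a role.
     *
     * The only role-specific rule is `assign`: the roles a user may hand out depend on the
     * highest role the user holds (a user with none of Owner/Administrator/Editor may assign
     * nothing), and an API key may never hand out the `Owner` role. Any other action falls
     * through to the generic `hasUserPermission && hasApiKeyPermission` result passed in by
     * the caller.
     *
     * @param {Object|String|Number} roleModelOrId A Role model, or an id that is looked up first.
     * @param {String} action The action being checked (e.g. 'assign').
     * @param {Object} context Request context; not used here, only forwarded on the recursive call.
     * @param {Object} unsafeAttrs Attributes the caller wants to set; not used here, only forwarded.
     * @param {Object} loadedPermissions `{user, apiKey}` permissions already loaded for the actor.
     * @param {Boolean} hasUserPermission Result of the generic permission check for the user.
     * @param {Boolean} hasApiKeyPermission Result of the generic permission check for the API key.
     * @return {Promise} Resolves when permitted; rejects with `NoPermissionError` otherwise,
     *   or with `NotFoundError` when an id was given and no role matches it.
     */
    permissible: function permissible(roleModelOrId, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasApiKeyPermission, ...extraArgs) {
        // If we passed in an id instead of a model, get the model
        // then check the permissions
        if (_.isNumber(roleModelOrId) || _.isString(roleModelOrId)) {
            // Get the actual role model
            return this.findOne({id: roleModelOrId, status: 'all'})
                .then((foundRoleModel) => {
                    if (!foundRoleModel) {
                        throw new errors.NotFoundError({
                            message: i18n.t('errors.models.role.roleNotFound')
                        });
                    }

                    // re-run with the resolved model; every other argument is forwarded unchanged
                    // (explicit forwarding instead of `arguments`, which an arrow callback borrows
                    // from the enclosing function and is easy to get wrong on refactor)
                    return this.permissible(foundRoleModel, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasApiKeyPermission, ...extraArgs);
                });
        }

        const roleModel = roleModelOrId;
        // local copy so the parameter itself is never reassigned
        let userMayAct = hasUserPermission;

        if (action === 'assign' && loadedPermissions.user) {
            // roles the user is allowed to hand out, keyed by the highest role the user holds;
            // an empty list (Author, Contributor, or no matching role) denies every assignment
            let checkAgainst = [];

            if (_.some(loadedPermissions.user.roles, {name: 'Owner'})) {
                checkAgainst = ['Owner', 'Administrator', 'Editor', 'Author', 'Contributor'];
            } else if (_.some(loadedPermissions.user.roles, {name: 'Administrator'})) {
                checkAgainst = ['Administrator', 'Editor', 'Author', 'Contributor'];
            } else if (_.some(loadedPermissions.user.roles, {name: 'Editor'})) {
                checkAgainst = ['Author', 'Contributor'];
            }

            // Role in the list of permissible roles
            userMayAct = Boolean(roleModel) && _.includes(checkAgainst, roleModel.get('name'));
        }

        if (action === 'assign' && loadedPermissions.apiKey) {
            // apiKey cannot 'assign' the 'Owner' role
            if (roleModel.get('name') === 'Owner') {
                return Promise.reject(new errors.NoPermissionError({
                    message: i18n.t('errors.models.role.notEnoughPermission')
                }));
            }
        }

        // both sides must agree: the user check (possibly narrowed above) and the API key check
        if (userMayAct && hasApiKeyPermission) {
            return Promise.resolve();
        }

        return Promise.reject(new errors.NoPermissionError({message: i18n.t('errors.models.role.notEnoughPermission')}));
    }
});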
// Collection of `Role` models.
Roles = ghostBookshelf.Collection.extend({model: Role});
module.exports = {
    // NOTE(review): presumably registers the model/collection with ghostBookshelf under these
    // string names (the same names the relation helpers above refer to) — confirm in ./base
    Role: ghostBookshelf.model('Role', Role),
    Roles: ghostBookshelf.collection('Roles', Roles)
};