2020-04-29 16:44:27 +01:00
|
|
|
const _ = require('lodash');
|
|
|
|
const Promise = require('bluebird');
|
2020-04-30 20:26:12 +01:00
|
|
|
const errors = require('@tryghost/errors');
|
2021-10-13 00:46:35 +11:00
|
|
|
const tpl = require('@tryghost/tpl');
|
2020-04-29 16:44:27 +01:00
|
|
|
const parseContext = require('./parse-context');
|
|
|
|
const _private = {};
|
2017-09-25 10:17:06 +01:00
|
|
|
|
2021-10-13 00:46:35 +11:00
|
|
|
const messages = {
|
|
|
|
error: 'You do not have permission to retrieve {docName} with that status'
|
|
|
|
};
|
|
|
|
|
🐛 Fixed all known filter limitations (#10159)
refs #10105, closes #10108, closes https://github.com/TryGhost/Ghost/issues/9950, refs https://github.com/TryGhost/Ghost/issues/9923, refs https://github.com/TryGhost/Ghost/issues/9916, refs https://github.com/TryGhost/Ghost/issues/9574, refs https://github.com/TryGhost/Ghost/issues/6345, refs https://github.com/TryGhost/Ghost/issues/6309, refs https://github.com/TryGhost/Ghost/issues/6158, refs https://github.com/TryGhost/GQL/issues/16
- removed GQL dependency
- replaced GQL with our brand new NQL implementation
- fixed all known filter limitations
- GQL suffered from some underlying filter bugs, which NQL tried to fix
- the bugs were mostly in how we query the database for relation filtering
- the underlying problem was caused by a too simple implementation of querying the relations
- mongo-knex has implemented a more robust and complex filtering mechanism for relations
- replaced logic in our bookshelf filter plugin
- we pass the custom, default and override filters from Ghost to NQL, which then are getting parsed and merged into a mongo JSON object. The mongo JSON is getting attached by mongo-knex.
NQL: https://github.com/NexesJS/NQL
mongo-knex: https://github.com/NexesJS/mongo-knex
2018-12-11 11:53:40 +01:00
|
|
|
/**
|
|
|
|
* @TODO:
|
|
|
|
*
|
|
|
|
* - remove if we drop `extraFilters` (see e.g. post model)
|
|
|
|
* - we currently accept `?status={value}` in the API
|
|
|
|
* - but instead people should use the `?filter=status:{value}`
|
|
|
|
*
|
|
|
|
* This function protects against:
|
|
|
|
*
|
|
|
|
* - public context cannot fetch draft/scheduled posts
|
|
|
|
*/
|
2017-09-25 10:17:06 +01:00
|
|
|
_private.applyStatusRules = function applyStatusRules(docName, method, opts) {
|
2021-10-13 00:46:35 +11:00
|
|
|
const err = new errors.NoPermissionError({message: tpl(messages.error, {docName: docName})});
|
2017-09-25 10:17:06 +01:00
|
|
|
|
|
|
|
// Enforce status 'active' for users
|
|
|
|
if (docName === 'users') {
|
|
|
|
if (!opts.status) {
|
|
|
|
return 'all';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Enforce status 'published' for posts
|
|
|
|
if (docName === 'posts') {
|
|
|
|
if (!opts.status) {
|
|
|
|
return 'published';
|
|
|
|
} else if (
|
|
|
|
method === 'read'
|
|
|
|
&& (opts.status === 'draft' || opts.status === 'all')
|
|
|
|
&& _.isString(opts.uuid) && _.isUndefined(opts.id) && _.isUndefined(opts.slug)
|
|
|
|
) {
|
|
|
|
// public read requests can retrieve a draft, but only by UUID
|
|
|
|
return opts.status;
|
|
|
|
} else if (opts.status !== 'published') {
|
|
|
|
// any other parameter would make this a permissions error
|
|
|
|
throw err;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return opts.status;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* API Public Permission Rules
|
|
|
|
* This method enforces the rules for public requests
|
|
|
|
* @param {String} docName
|
|
|
|
* @param {String} method (read || browse)
|
|
|
|
* @param {Object} options
|
|
|
|
* @returns {Object} options
|
|
|
|
*/
|
|
|
|
module.exports = function applyPublicRules(docName, method, options) {
|
|
|
|
try {
|
|
|
|
// If this is a public context
|
|
|
|
if (parseContext(options.context).public === true) {
|
|
|
|
if (method === 'browse') {
|
|
|
|
options.status = _private.applyStatusRules(docName, method, options);
|
|
|
|
} else if (method === 'read') {
|
|
|
|
options.data.status = _private.applyStatusRules(docName, method, options.data);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return Promise.resolve(options);
|
|
|
|
} catch (err) {
|
|
|
|
return Promise.reject(err);
|
|
|
|
}
|
|
|
|
};
|