Stopped api key from assigning the 'Owner' role (#9971)
* Stopped api key from assigning the 'Owner' role refs #9865 We do not want api keys to be able to assign the Owner role to any other key or user. * Cleaned up Role model permissible method no-issue
This commit is contained in:
parent
caccda1aab
commit
05330482e6
2 changed files with 37 additions and 12 deletions
|
@ -51,33 +51,29 @@ Role = ghostBookshelf.Model.extend({
|
||||||
},
|
},
|
||||||
|
|
||||||
permissible: function permissible(roleModelOrId, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasAppPermission) {
|
permissible: function permissible(roleModelOrId, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasAppPermission) {
|
||||||
var self = this,
|
|
||||||
checkAgainst = [],
|
|
||||||
origArgs;
|
|
||||||
|
|
||||||
// If we passed in an id instead of a model, get the model
|
// If we passed in an id instead of a model, get the model
|
||||||
// then check the permissions
|
// then check the permissions
|
||||||
if (_.isNumber(roleModelOrId) || _.isString(roleModelOrId)) {
|
if (_.isNumber(roleModelOrId) || _.isString(roleModelOrId)) {
|
||||||
// Grab the original args without the first one
|
|
||||||
origArgs = _.toArray(arguments).slice(1);
|
|
||||||
|
|
||||||
// Get the actual role model
|
// Get the actual role model
|
||||||
return this.findOne({id: roleModelOrId, status: 'all'})
|
return this.findOne({id: roleModelOrId, status: 'all'})
|
||||||
.then(function then(foundRoleModel) {
|
.then((foundRoleModel) => {
|
||||||
if (!foundRoleModel) {
|
if (!foundRoleModel) {
|
||||||
throw new common.errors.NotFoundError({
|
throw new common.errors.NotFoundError({
|
||||||
message: common.i18n.t('errors.models.role.roleNotFound')
|
message: common.i18n.t('errors.models.role.roleNotFound')
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
// Build up the original args but substitute with actual model
|
// Grab the original args without the first one
|
||||||
var newArgs = [foundRoleModel].concat(origArgs);
|
const origArgs = _.toArray(arguments).slice(1);
|
||||||
|
|
||||||
return self.permissible.apply(self, newArgs);
|
return this.permissible(foundRoleModel, ...origArgs);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const roleModel = roleModelOrId;
|
||||||
|
|
||||||
if (action === 'assign' && loadedPermissions.user) {
|
if (action === 'assign' && loadedPermissions.user) {
|
||||||
|
let checkAgainst;
|
||||||
if (_.some(loadedPermissions.user.roles, {name: 'Owner'})) {
|
if (_.some(loadedPermissions.user.roles, {name: 'Owner'})) {
|
||||||
checkAgainst = ['Owner', 'Administrator', 'Editor', 'Author', 'Contributor'];
|
checkAgainst = ['Owner', 'Administrator', 'Editor', 'Author', 'Contributor'];
|
||||||
} else if (_.some(loadedPermissions.user.roles, {name: 'Administrator'})) {
|
} else if (_.some(loadedPermissions.user.roles, {name: 'Administrator'})) {
|
||||||
|
@ -87,7 +83,16 @@ Role = ghostBookshelf.Model.extend({
|
||||||
}
|
}
|
||||||
|
|
||||||
// Role in the list of permissible roles
|
// Role in the list of permissible roles
|
||||||
hasUserPermission = roleModelOrId && _.includes(checkAgainst, roleModelOrId.get('name'));
|
hasUserPermission = roleModelOrId && _.includes(checkAgainst, roleModel.get('name'));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (action === 'assign' && loadedPermissions.apiKey) {
|
||||||
|
// apiKey cannot 'assign' the 'Owner' role
|
||||||
|
if (roleModel.get('name') === 'Owner') {
|
||||||
|
return Promise.reject(new common.errors.NoPermissionError({
|
||||||
|
message: common.i18n.t('errors.models.role.notEnoughPermission')
|
||||||
|
}));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (hasUserPermission && hasAppPermission) {
|
if (hasUserPermission && hasAppPermission) {
|
||||||
|
|
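Review bot: The new apiKey branch in the second hunk calls `roleModel.get('name')` with no guard, while the user branch a few lines above keeps the old `roleModelOrId &&` check on the same model, so a caller reaching the apiKey branch with a missing model gets a TypeError instead of falling through to the permission decision below; `if (roleModel && roleModel.get('name') === 'Owner') {` keeps the two branches consistent (whether a falsy model can actually reach this point depends on callers outside the hunk). That branch is also a deny-list on a single role name rather than the allow-list the user branch builds, which deserves a comment so nobody later assumes other roles are screened here, e.g. `// API keys are hard-denied only the Owner role here; every other role falls through to the hasUserPermission && hasAppPermission check as passed in by the caller`. In the first hunk, `_.toArray(arguments)` now sits inside an arrow callback, which works only because arrow functions do not bind their own `arguments`; a comment such as `// arrows have no own arguments, so this is permissible's argument list` would make that explicit, or a `...rest` parameter on `permissible` would avoid `arguments` altogether. The enclosing `permissible` function continues past the end of this section.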
|
@ -1,4 +1,5 @@
|
||||||
const models = require('../../../server/models');
|
const models = require('../../../server/models');
|
||||||
|
const {NoPermissionError} = require('../../../server/lib/common/errors');
|
||||||
const ghostBookshelf = require('../../../server/models/base');
|
const ghostBookshelf = require('../../../server/models/base');
|
||||||
const testUtils = require('../../utils');
|
const testUtils = require('../../utils');
|
||||||
const should = require('should');
|
const should = require('should');
|
||||||
|
@ -25,4 +26,23 @@ describe('Unit: models/role', function () {
|
||||||
.then(() => checkRolePermissionsCount(0));
|
.then(() => checkRolePermissionsCount(0));
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
describe('permissible', function () {
|
||||||
|
it('does not let api key assign the owner role', function () {
|
||||||
|
return models.Role.permissible(
|
||||||
|
models.Role.forge({name: 'Owner'}), // Owner role
|
||||||
|
'assign', // assign action
|
||||||
|
{},
|
||||||
|
{},
|
||||||
|
{apiKey: {}}, // apiKey loaded permissions
|
||||||
|
true,
|
||||||
|
true,
|
||||||
|
true
|
||||||
|
).then(() => {
|
||||||
|
throw new Error('models.Role.permissible should have thrown!');
|
||||||
|
}, (err) => {
|
||||||
|
should.equal(err instanceof NoPermissionError, true);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
});
|
});
|
||||||
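Review bot: The new case passes eight positional arguments to `models.Role.permissible`, which declares seven (`roleModelOrId, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasAppPermission`), so the trailing `true` is silently dropped and the inline comments no longer line up with the parameters; drop one `true` and label the remaining two `true, // hasUserPermission` and `true // hasAppPermission`. The suite also covers only the denied case; a companion test that an api key can still assign a non-Owner role (e.g. `models.Role.forge({name: 'Editor'})` with otherwise identical arguments, expecting the promise to resolve) would pin that the Owner deny-list is not widened or narrowed by a later refactor, though whether that call resolves with `{apiKey: {}}` and no user depends on the rest of `permissible` outside this diff.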
|
|