Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-04-01 02:41:39 -05:00
Code Issues Activity

Supported inviting users using an Admin API Integration

Browse source 
Whilst Admin API Integrations had the permissions to create invites they were
blocked from doing so at the HTTP level. We've removed this restriction for
creating Invites as well as browsing Roles, because a Role ID is necessary to
create an invite. The code was also not setup to support Admin API Integrations
as it made assumptions about the existence of a User. That has been updated in
the permissions layer - so that the Invites are limited to Contributors,
Authors and Editors as well as at the email layer, which has has the copy and
from address updated to reflect the lack of a User creating the Invite.
This commit is contained in:
Fabien 'egg' O'Carroll 2023-05-08 15:27:15 -04:00 committed by GitHub
parent e2fe1171be
commit 0b8c3747c5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 422 additions and 101 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
ghost/core/core/server/api/endpoints/invites.js
View file

@ -109,8 +109,8 @@ module.exports = {
invites: frame.data.invites,
options: frame.options,
user: {
name: frame.user.get('name'),
email: frame.user.get('email')
name: frame.user?.get('name'),
email: frame.user?.get('email')
}
});
}

16
ghost/core/core/server/models/invite.js
View file

@ -87,12 +87,16 @@ Invite = ghostBookshelf.Model.extend({
}
let allowed = [];
if (_.some(loadedPermissions.user.roles, {name: 'Owner'}) ||
_.some(loadedPermissions.user.roles, {name: 'Administrator'})) {
allowed = ['Administrator', 'Editor', 'Author', 'Contributor'];
} else if (_.some(loadedPermissions.user.roles, {name: 'Editor'})) {
allowed = ['Author', 'Contributor'];
if (loadedPermissions.user) {
if (_.some(loadedPermissions.user.roles, {name: 'Owner'}) ||
_.some(loadedPermissions.user.roles, {name: 'Administrator'})) {
allowed = ['Administrator', 'Editor', 'Author', 'Contributor'];
} else if (_.some(loadedPermissions.user.roles, {name: 'Editor'})) {
allowed = ['Author', 'Contributor'];
}
}
if (loadedPermissions.apiKey) {
allowed = ['Editor', 'Author', 'Contributor'];
}
if (allowed.indexOf(roleToInvite.get('name')) === -1) {

2
ghost/core/core/server/services/invites/index.js
View file

@ -1,10 +1,12 @@
const settingsCache = require('../../../shared/settings-cache');
const settingsHelpers = require('../settings-helpers');
const mailService = require('../../services/mail');
const urlUtils = require('../../../shared/url-utils');
const Invites = require('./invites');
module.exports = new Invites({
settingsCache,
settingsHelpers,
mailService,
urlUtils
});

35
ghost/core/core/server/services/invites/invites.js
View file

@ -4,6 +4,7 @@ const logging = require('@tryghost/logging');
const messages = {
invitedByName: '{invitedByName} has invited you to join {blogName}',
invitedByNoName: 'You have been invited to join {blogName}',
errorSendingEmail: {
error: 'Error sending email: {message}',
help: 'Please check your email settings and resend the invitation.'
@ -11,8 +12,9 @@ const messages = {
};
class Invites {
constructor({settingsCache, mailService, urlUtils}) {
constructor({settingsCache, settingsHelpers, mailService, urlUtils}) {
this.settingsCache = settingsCache;
this.settingsHelpers = settingsHelpers;
this.mailService = mailService;
this.urlUtils = urlUtils;
}
@ -37,15 +39,26 @@ class Invites {
const adminUrl = this.urlUtils.urlFor('admin', true);
emailData = {
blogName: this.settingsCache.get('title'),
invitedByName: user.name,
invitedByEmail: user.email,
resetLink: this.urlUtils.urlJoin(adminUrl, 'signup', security.url.encodeBase64(invite.get('token')), '/'),
recipientEmail: invite.get('email')
};
if (user.name || user.email) {
emailData = {
blogName: this.settingsCache.get('title'),
invitedByName: user.name,
invitedByEmail: user.email,
resetLink: this.urlUtils.urlJoin(adminUrl, 'signup', security.url.encodeBase64(invite.get('token')), '/'),
recipientEmail: invite.get('email')
};
return this.mailService.utils.generateContent({data: emailData, template: 'invite-user'});
return this.mailService.utils.generateContent({data: emailData, template: 'invite-user'});
} else {
emailData = {
blogName: this.settingsCache.get('title'),
invitedByEmail: `ghost@${this.settingsHelpers.getDefaultEmailDomain()}`,
resetLink: this.urlUtils.urlJoin(adminUrl, 'signup', security.url.encodeBase64(invite.get('token')), '/'),
recipientEmail: invite.get('email')
};
return this.mailService.utils.generateContent({data: emailData, template: 'invite-user-by-api-key'});
}
})
.then((emailContent) => {
const payload = {
@ -53,9 +66,11 @@ class Invites {
message: {
to: invite.get('email'),
replyTo: emailData.invitedByEmail,
subject: tpl(messages.invitedByName, {
subject: emailData.invitedByName ? tpl(messages.invitedByName, {
invitedByName: emailData.invitedByName,
blogName: emailData.blogName
}) : tpl(messages.invitedByNoName, {
blogName: emailData.blogName
}),
html: emailContent.html,
text: emailContent.text

160
ghost/core/core/server/services/mail/templates/invite-user-by-api-key.html Normal file
View file

@ -0,0 +1,160 @@
<!doctype html>
<html>
<head>
<meta name="viewport" content="width=device-width">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Welcome to Ghost</title>
<style>
/* -------------------------------------
RESPONSIVE AND MOBILE FRIENDLY STYLES
------------------------------------- */
@media only screen and (max-width: 620px) {
table[class=body] h1 {
font-size: 28px !important;
margin-bottom: 10px !important;
}
table[class=body] p,
table[class=body] ul,
table[class=body] ol,
table[class=body] td,
table[class=body] span,
table[class=body] a {
font-size: 16px !important;
}
table[class=body] .title {
font-size: 22px !important;
}
table[class=body] .wrapper,
table[class=body] .article {
padding: 10px !important;
}
table[class=body] .content {
padding: 0 !important;
}
table[class=body] .container {
padding: 0 !important;
width: 100% !important;
}
table[class=body] .main {
border-left-width: 0 !important;
border-radius: 0 !important;
border-right-width: 0 !important;
}
table[class=body] .btn table {
width: 100% !important;
}
table[class=body] .btn a {
width: 100% !important;
}
table[class=body] .img-responsive {
height: auto !important;
max-width: 100% !important;
width: auto !important;
}
table[class=body] p[class=small],
table[class=body] a[class=small] {
font-size: 12x !important;
}
}
/* -------------------------------------
PRESERVE THESE STYLES IN THE HEAD
------------------------------------- */
@media all {
.ExternalClass {
width: 100%;
}
.ExternalClass,
.ExternalClass p,
.ExternalClass span,
.ExternalClass font,
.ExternalClass td,
.ExternalClass div {
line-height: 100%;
}
.recipient-link a {
color: inherit !important;
font-family: inherit !important;
font-size: inherit !important;
font-weight: inherit !important;
line-height: inherit !important;
text-decoration: none !important;
}
#MessageViewBody a {
color: inherit;
text-decoration: none;
font-size: inherit;
font-family: inherit;
font-weight: inherit;
line-height: inherit;
}
}
hr {
border-width: 0;
height: 0;
margin-top: 34px;
margin-bottom: 34px;
border-bottom-width: 1px;
border-bottom-color: #EEF5F8;
}
a {
color: #3A464C;
}
</style>
</head>
<body style="background-color: #ffffff; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; -webkit-font-smoothing: antialiased; font-size: 14px; line-height: 1.5em; margin: 0; padding: 0; -ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;">
<table border="0" cellpadding="0" cellspacing="0" class="body" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%;">
<tr>
<td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 14px; vertical-align: top;">&nbsp;</td>
<td class="container" style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 14px; vertical-align: top; display: block; Margin: 0 auto; max-width: 540px; padding: 10px; width: 540px;">
<div class="content" style="box-sizing: border-box; display: block; Margin: 0 auto; max-width: 600px; padding: 30px 20px;">
<!-- START CENTERED CONTAINER -->
<table class="main" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; background: #ffffff; border-radius: 8px;">
<!-- START MAIN CONTENT AREA -->
<tr>
<td class="wrapper" style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 14px; vertical-align: top; box-sizing: border-box;">
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%;">
<tr>
<td align="center" style="padding-top: 20px; padding-bottom: 12px;"><img src="https://static.ghost.org/v4.0.0/images/ghost-orb-1.png" width="60" height="60" style="width: 60px; height: 60px;" /></td>
</tr>
<tr>
<td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; vertical-align: top;">
<p class="title" style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 21px; color: #3A464C; font-weight: normal; line-height: 25px; margin-bottom: 0px; margin-top: 50px; font-weight: 600; color: #15212A;">Welcome</p>
</td>
</tr>
<tr>
<td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 14px; vertical-align: top; padding-top: 24px; padding-bottom: 10px;">
<p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 25px; margin-bottom: 40px;"> <strong style="font-weight: 600;">{{blogName}}</strong> is using Ghost to publish things on the internet! You've been invited to join them as a staff user.. Please click on the link below to activate your account.</p>
<p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 25px; margin-bottom: 40px;">
<a href="{{resetLink}}" target="_blank" style="display: inline-block; color: #ffffff; background-color: #15212A; border: solid 1px #15212A; border-radius: 5px; box-sizing: border-box; cursor: pointer; text-decoration: none; font-size: 16px; font-weight: normal; margin: 0; padding: 9px 22px 10px; border-color: #15212A;">Click here to activate your account</a>
</p>
<p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 25px; margin-bottom: 20px;"><strong style="font-weight: 600;">No idea what Ghost is?</strong> It's a simple, beautiful platform for running an online publication. Writers, businesses and individuals from all over the world use Ghost to publish their stories and ideas. <a href="http://ghost.org" style="color: #15212A;">Find out more</a>.</p>
<p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 25px; margin-bottom: 0px;">Have fun, and good luck!</p>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; vertical-align: top; padding-top: 80px; padding-bottom: 10px;">
<div class="footer">
<p class="small" style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; color: #738A94; font-weight: normal; margin: 0; line-height: 18px; margin-bottom: 0px; font-size: 11px;">This email was sent from <a href="{{ siteUrl }}" style="color: #738A94;">{{ siteUrl }}</a> to <a href="mailto:{{recipientEmail}}" style="color: #738A94;">{{recipientEmail}}</a></p>
</div>
</td>
</tr>
<!-- END MAIN CONTENT AREA -->
</table>
<!-- END CENTERED CONTAINER -->
</div>
</td>
<td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 14px; vertical-align: top;">&nbsp;</td>
</tr>
</table>
</body>
</html>

2
ghost/core/core/server/web/api/endpoints/admin/middleware.js
View file

@ -25,6 +25,8 @@ const notImplemented = function (req, res, next) {
tags: ['GET', 'PUT', 'DELETE', 'POST'],
labels: ['GET', 'PUT', 'DELETE', 'POST'],
users: ['GET'],
roles: ['GET'],
invites: ['POST'],
themes: ['POST', 'PUT'],
members: ['GET', 'PUT', 'DELETE', 'POST'],
tiers: ['GET', 'PUT', 'POST'],

302
ghost/core/test/e2e-api/admin/invites.test.js
View file

@ -9,109 +9,247 @@ const localUtils = require('./utils');
describe('Invites API', function () {
let request;
before(async function () {
await localUtils.startGhost();
request = supertest.agent(config.get('url'));
await localUtils.doAuth(request, 'invites');
describe('As Owner', function () {
before(async function () {
await localUtils.startGhost();
request = supertest.agent(config.get('url'));
await localUtils.doAuth(request, 'invites');
});
beforeEach(function () {
sinon.stub(mailService.GhostMailer.prototype, 'send').resolves('Mail is disabled');
});
afterEach(function () {
sinon.restore();
});
it('Can fetch all invites', async function () {
const res = await request.get(localUtils.API.getApiQuery('invites/'))
.set('Origin', config.get('url'))
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200);
should.not.exist(res.headers['x-cache-invalidate']);
const jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.invites);
jsonResponse.invites.should.have.length(2);
localUtils.API.checkResponse(jsonResponse, 'invites');
localUtils.API.checkResponse(jsonResponse.invites[0], 'invite');
jsonResponse.invites[0].status.should.eql('sent');
jsonResponse.invites[0].email.should.eql('test1@ghost.org');
jsonResponse.invites[0].role_id.should.eql(testUtils.roles.ids.admin);
jsonResponse.invites[1].status.should.eql('sent');
jsonResponse.invites[1].email.should.eql('test2@ghost.org');
jsonResponse.invites[1].role_id.should.eql(testUtils.roles.ids.author);
mailService.GhostMailer.prototype.send.called.should.be.false();
});
it('Can read an invitation by id', async function () {
const res = await request.get(localUtils.API.getApiQuery(`invites/${testUtils.DataGenerator.forKnex.invites[0].id}/`))
.set('Origin', config.get('url'))
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200);
should.not.exist(res.headers['x-cache-invalidate']);
const jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.invites);
jsonResponse.invites.should.have.length(1);
localUtils.API.checkResponse(jsonResponse.invites[0], 'invite');
mailService.GhostMailer.prototype.send.called.should.be.false();
});
it('Can add a new invite', async function () {
const res = await request
.post(localUtils.API.getApiQuery('invites/'))
.set('Origin', config.get('url'))
.send({
invites: [{email: 'test@example.com', role_id: testUtils.getExistingData().roles[1].id}]
})
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(201);
should.not.exist(res.headers['x-cache-invalidate']);
const jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.invites);
jsonResponse.invites.should.have.length(1);
localUtils.API.checkResponse(jsonResponse.invites[0], 'invite');
jsonResponse.invites[0].role_id.should.eql(testUtils.getExistingData().roles[1].id);
mailService.GhostMailer.prototype.send.called.should.be.true();
should.exist(res.headers.location);
res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`);
});
it('Can destroy an existing invite', async function () {
await request.del(localUtils.API.getApiQuery(`invites/${testUtils.DataGenerator.forKnex.invites[0].id}/`))
.set('Origin', config.get('url'))
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(204);
mailService.GhostMailer.prototype.send.called.should.be.false();
});
it('Cannot destroy an non-existent invite', async function () {
await request.del(localUtils.API.getApiQuery(`invites/abcd1234abcd1234abcd1234/`))
.set('Origin', config.get('url'))
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(404)
.expect((res) => {
res.body.errors[0].message.should.eql('Resource not found error, cannot delete invite.');
});
mailService.GhostMailer.prototype.send.called.should.be.false();
});
});
describe('As Admin Integration', function () {
before(async function () {
await localUtils.startGhost();
request = supertest.agent(config.get('url'));
await testUtils.initFixtures('api_keys');
});
beforeEach(function () {
sinon.stub(mailService.GhostMailer.prototype, 'send').resolves('Mail is disabled');
});
beforeEach(function () {
sinon.stub(mailService.GhostMailer.prototype, 'send').resolves('Mail is disabled');
});
afterEach(function () {
sinon.restore();
});
afterEach(function () {
sinon.restore();
});
it('Can fetch all invites', async function () {
const res = await request.get(localUtils.API.getApiQuery('invites/'))
.set('Origin', config.get('url'))
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200);
it('Can add a new invite by API Key with the Author Role', async function () {
const roleId = testUtils.getExistingData().roles.find(role => role.name === 'Author').id;
const res = await request
.post(localUtils.API.getApiQuery('invites/'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/admin/')}`)
.send({
invites: [{email: 'admin-api-key-test@example.com', role_id: roleId}]
})
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(201);
should.not.exist(res.headers['x-cache-invalidate']);
const jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.invites);
jsonResponse.invites.should.have.length(2);
should.not.exist(res.headers['x-cache-invalidate']);
const jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.invites);
jsonResponse.invites.should.have.length(1);
localUtils.API.checkResponse(jsonResponse, 'invites');
localUtils.API.checkResponse(jsonResponse.invites[0], 'invite');
localUtils.API.checkResponse(jsonResponse.invites[0], 'invite');
jsonResponse.invites[0].role_id.should.eql(roleId);
jsonResponse.invites[0].status.should.eql('sent');
jsonResponse.invites[0].email.should.eql('test1@ghost.org');
jsonResponse.invites[0].role_id.should.eql(testUtils.roles.ids.admin);
mailService.GhostMailer.prototype.send.called.should.be.true();
jsonResponse.invites[1].status.should.eql('sent');
jsonResponse.invites[1].email.should.eql('test2@ghost.org');
jsonResponse.invites[1].role_id.should.eql(testUtils.roles.ids.author);
should.exist(res.headers.location);
res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`);
});
mailService.GhostMailer.prototype.send.called.should.be.false();
});
it('Can add a new invite by API Key with the Editor Role', async function () {
const roleId = testUtils.getExistingData().roles.find(role => role.name === 'Editor').id;
const res = await request
.post(localUtils.API.getApiQuery('invites/'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/admin/')}`)
.send({
invites: [{email: 'admin-api-key-test@example.com', role_id: roleId}]
})
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(201);
it('Can read an invitation by id', async function () {
const res = await request.get(localUtils.API.getApiQuery(`invites/${testUtils.DataGenerator.forKnex.invites[0].id}/`))
.set('Origin', config.get('url'))
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200);
should.not.exist(res.headers['x-cache-invalidate']);
const jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.invites);
jsonResponse.invites.should.have.length(1);
should.not.exist(res.headers['x-cache-invalidate']);
const jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.invites);
jsonResponse.invites.should.have.length(1);
localUtils.API.checkResponse(jsonResponse.invites[0], 'invite');
jsonResponse.invites[0].role_id.should.eql(roleId);
localUtils.API.checkResponse(jsonResponse.invites[0], 'invite');
mailService.GhostMailer.prototype.send.called.should.be.true();
mailService.GhostMailer.prototype.send.called.should.be.false();
});
should.exist(res.headers.location);
res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`);
});
it('Can add a new invite', async function () {
const res = await request
.post(localUtils.API.getApiQuery('invites/'))
.set('Origin', config.get('url'))
.send({
invites: [{email: 'test@example.com', role_id: testUtils.getExistingData().roles[1].id}]
})
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(201);
it('Can add a new invite by API Key with the Contributor Role', async function () {
const roleId = testUtils.getExistingData().roles.find(role => role.name === 'Contributor').id;
const res = await request
.post(localUtils.API.getApiQuery('invites/'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/admin/')}`)
.send({
invites: [{email: 'admin-api-key-test@example.com', role_id: roleId}]
})
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(201);
should.not.exist(res.headers['x-cache-invalidate']);
const jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.invites);
jsonResponse.invites.should.have.length(1);
should.not.exist(res.headers['x-cache-invalidate']);
const jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.invites);
jsonResponse.invites.should.have.length(1);
localUtils.API.checkResponse(jsonResponse.invites[0], 'invite');
jsonResponse.invites[0].role_id.should.eql(testUtils.getExistingData().roles[1].id);
localUtils.API.checkResponse(jsonResponse.invites[0], 'invite');
jsonResponse.invites[0].role_id.should.eql(roleId);
mailService.GhostMailer.prototype.send.called.should.be.true();
mailService.GhostMailer.prototype.send.called.should.be.true();
should.exist(res.headers.location);
res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`);
});
should.exist(res.headers.location);
res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`);
});
it('Can destroy an existing invite', async function () {
await request.del(localUtils.API.getApiQuery(`invites/${testUtils.DataGenerator.forKnex.invites[0].id}/`))
.set('Origin', config.get('url'))
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(204);
it('Can not add a new invite by API Key with the Administrator Role', async function () {
const roleId = testUtils.getExistingData().roles.find(role => role.name === 'Administrator').id;
await request
.post(localUtils.API.getApiQuery('invites/'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/admin/')}`)
.send({
invites: [{email: 'admin-api-key-test@example.com', role_id: roleId}]
})
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(403);
});
mailService.GhostMailer.prototype.send.called.should.be.false();
});
it('Can add a new invite by API Key with the Contributor Role', async function () {
const roleId = testUtils.getExistingData().roles.find(role => role.name === 'Contributor').id;
const res = await request
.post(localUtils.API.getApiQuery('invites/'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/admin/')}`)
.send({
invites: [{email: 'admin-api-key-test@example.com', role_id: roleId}]
})
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(201);
it('Cannot destroy an non-existent invite', async function () {
await request.del(localUtils.API.getApiQuery(`invites/abcd1234abcd1234abcd1234/`))
.set('Origin', config.get('url'))
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(404)
.expect((res) => {
res.body.errors[0].message.should.eql('Resource not found error, cannot delete invite.');
});
should.not.exist(res.headers['x-cache-invalidate']);
const jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.invites);
jsonResponse.invites.should.have.length(1);
mailService.GhostMailer.prototype.send.called.should.be.false();
localUtils.API.checkResponse(jsonResponse.invites[0], 'invite');
jsonResponse.invites[0].role_id.should.eql(roleId);
mailService.GhostMailer.prototype.send.called.should.be.true();
should.exist(res.headers.location);
res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`);
});
});
});

2
ghost/core/test/utils/e2e-utils.js
View file

@ -37,7 +37,7 @@ let totalBoots = 0;
*/
const exposeFixtures = async () => {
const fixturePromises = {
roles: models.Role.findAll({columns: ['id']}),
roles: models.Role.findAll({columns: ['id', 'name']}),
users: models.User.findAll({columns: ['id', 'email', 'slug']}),
tags: models.Tag.findAll({columns: ['id']}),
apiKeys: models.ApiKey.findAll({withRelated: 'integration'})