From 0b8c3747c5666b1bb5978f6ec2ce7ec2828b24c1 Mon Sep 17 00:00:00 2001 From: Fabien 'egg' O'Carroll Date: Mon, 8 May 2023 15:27:15 -0400 Subject: [PATCH] Supported inviting users using an Admin API Integration Whilst Admin API Integrations had the permissions to create invites they were blocked from doing so at the HTTP level. We've removed this restriction for creating Invites as well as browsing Roles, because a Role ID is necessary to create an invite. The code was also not setup to support Admin API Integrations as it made assumptions about the existence of a User. That has been updated in the permissions layer - so that the Invites are limited to Contributors, Authors and Editors as well as at the email layer, which has has the copy and from address updated to reflect the lack of a User creating the Invite. --- .../core/core/server/api/endpoints/invites.js | 4 +- ghost/core/core/server/models/invite.js | 16 +- .../core/server/services/invites/index.js | 2 + .../core/server/services/invites/invites.js | 35 +- .../templates/invite-user-by-api-key.html | 160 ++++++++++ .../web/api/endpoints/admin/middleware.js | 2 + ghost/core/test/e2e-api/admin/invites.test.js | 302 +++++++++++++----- ghost/core/test/utils/e2e-utils.js | 2 +- 8 files changed, 422 insertions(+), 101 deletions(-) create mode 100644 ghost/core/core/server/services/mail/templates/invite-user-by-api-key.html diff --git a/ghost/core/core/server/api/endpoints/invites.js b/ghost/core/core/server/api/endpoints/invites.js index 705c09224c..97ac0ea233 100644 --- a/ghost/core/core/server/api/endpoints/invites.js +++ b/ghost/core/core/server/api/endpoints/invites.js @@ -109,8 +109,8 @@ module.exports = { invites: frame.data.invites, options: frame.options, user: { - name: frame.user.get('name'), - email: frame.user.get('email') + name: frame.user?.get('name'), + email: frame.user?.get('email') } }); } diff --git a/ghost/core/core/server/models/invite.js b/ghost/core/core/server/models/invite.js index 581224c37e..e7d014d3ca 100644 --- a/ghost/core/core/server/models/invite.js +++ b/ghost/core/core/server/models/invite.js @@ -87,12 +87,16 @@ Invite = ghostBookshelf.Model.extend({ } let allowed = []; - - if (_.some(loadedPermissions.user.roles, {name: 'Owner'}) || - _.some(loadedPermissions.user.roles, {name: 'Administrator'})) { - allowed = ['Administrator', 'Editor', 'Author', 'Contributor']; - } else if (_.some(loadedPermissions.user.roles, {name: 'Editor'})) { - allowed = ['Author', 'Contributor']; + if (loadedPermissions.user) { + if (_.some(loadedPermissions.user.roles, {name: 'Owner'}) || + _.some(loadedPermissions.user.roles, {name: 'Administrator'})) { + allowed = ['Administrator', 'Editor', 'Author', 'Contributor']; + } else if (_.some(loadedPermissions.user.roles, {name: 'Editor'})) { + allowed = ['Author', 'Contributor']; + } + } + if (loadedPermissions.apiKey) { + allowed = ['Editor', 'Author', 'Contributor']; } if (allowed.indexOf(roleToInvite.get('name')) === -1) { diff --git a/ghost/core/core/server/services/invites/index.js b/ghost/core/core/server/services/invites/index.js index 84692c42cd..1716cde3a7 100644 --- a/ghost/core/core/server/services/invites/index.js +++ b/ghost/core/core/server/services/invites/index.js @@ -1,10 +1,12 @@ const settingsCache = require('../../../shared/settings-cache'); +const settingsHelpers = require('../settings-helpers'); const mailService = require('../../services/mail'); const urlUtils = require('../../../shared/url-utils'); const Invites = require('./invites'); module.exports = new Invites({ settingsCache, + settingsHelpers, mailService, urlUtils }); diff --git a/ghost/core/core/server/services/invites/invites.js b/ghost/core/core/server/services/invites/invites.js index d2f16102fe..240dcba329 100644 --- a/ghost/core/core/server/services/invites/invites.js +++ b/ghost/core/core/server/services/invites/invites.js @@ -4,6 +4,7 @@ const logging = require('@tryghost/logging'); const messages = { invitedByName: '{invitedByName} has invited you to join {blogName}', + invitedByNoName: 'You have been invited to join {blogName}', errorSendingEmail: { error: 'Error sending email: {message}', help: 'Please check your email settings and resend the invitation.' @@ -11,8 +12,9 @@ const messages = { }; class Invites { - constructor({settingsCache, mailService, urlUtils}) { + constructor({settingsCache, settingsHelpers, mailService, urlUtils}) { this.settingsCache = settingsCache; + this.settingsHelpers = settingsHelpers; this.mailService = mailService; this.urlUtils = urlUtils; } @@ -37,15 +39,26 @@ class Invites { const adminUrl = this.urlUtils.urlFor('admin', true); - emailData = { - blogName: this.settingsCache.get('title'), - invitedByName: user.name, - invitedByEmail: user.email, - resetLink: this.urlUtils.urlJoin(adminUrl, 'signup', security.url.encodeBase64(invite.get('token')), '/'), - recipientEmail: invite.get('email') - }; + if (user.name || user.email) { + emailData = { + blogName: this.settingsCache.get('title'), + invitedByName: user.name, + invitedByEmail: user.email, + resetLink: this.urlUtils.urlJoin(adminUrl, 'signup', security.url.encodeBase64(invite.get('token')), '/'), + recipientEmail: invite.get('email') + }; - return this.mailService.utils.generateContent({data: emailData, template: 'invite-user'}); + return this.mailService.utils.generateContent({data: emailData, template: 'invite-user'}); + } else { + emailData = { + blogName: this.settingsCache.get('title'), + invitedByEmail: `ghost@${this.settingsHelpers.getDefaultEmailDomain()}`, + resetLink: this.urlUtils.urlJoin(adminUrl, 'signup', security.url.encodeBase64(invite.get('token')), '/'), + recipientEmail: invite.get('email') + }; + + return this.mailService.utils.generateContent({data: emailData, template: 'invite-user-by-api-key'}); + } }) .then((emailContent) => { const payload = { @@ -53,9 +66,11 @@ class Invites { message: { to: invite.get('email'), replyTo: emailData.invitedByEmail, - subject: tpl(messages.invitedByName, { + subject: emailData.invitedByName ? tpl(messages.invitedByName, { invitedByName: emailData.invitedByName, blogName: emailData.blogName + }) : tpl(messages.invitedByNoName, { + blogName: emailData.blogName }), html: emailContent.html, text: emailContent.text diff --git a/ghost/core/core/server/services/mail/templates/invite-user-by-api-key.html b/ghost/core/core/server/services/mail/templates/invite-user-by-api-key.html new file mode 100644 index 0000000000..3c9c45b4a5 --- /dev/null +++ b/ghost/core/core/server/services/mail/templates/invite-user-by-api-key.html @@ -0,0 +1,160 @@ + + + + + +Welcome to Ghost + + + + + + + + + + +
  + +
+ + + + + + + + + + + + + +
+ + + + + + + + + + +
+

Welcome

+
+

{{blogName}} is using Ghost to publish things on the internet! You've been invited to join them as a staff user.. Please click on the link below to activate your account.

+

+ Click here to activate your account +

+

No idea what Ghost is? It's a simple, beautiful platform for running an online publication. Writers, businesses and individuals from all over the world use Ghost to publish their stories and ideas. Find out more.

+ +

Have fun, and good luck!

+
+
+
+

This email was sent from {{ siteUrl }} to {{recipientEmail}}

+
+
+ + +
+ 		 
+ + diff --git a/ghost/core/core/server/web/api/endpoints/admin/middleware.js b/ghost/core/core/server/web/api/endpoints/admin/middleware.js index 23e4c8108b..d375222af0 100644 --- a/ghost/core/core/server/web/api/endpoints/admin/middleware.js +++ b/ghost/core/core/server/web/api/endpoints/admin/middleware.js @@ -25,6 +25,8 @@ const notImplemented = function (req, res, next) { tags: ['GET', 'PUT', 'DELETE', 'POST'], labels: ['GET', 'PUT', 'DELETE', 'POST'], users: ['GET'], + roles: ['GET'], + invites: ['POST'], themes: ['POST', 'PUT'], members: ['GET', 'PUT', 'DELETE', 'POST'], tiers: ['GET', 'PUT', 'POST'], diff --git a/ghost/core/test/e2e-api/admin/invites.test.js b/ghost/core/test/e2e-api/admin/invites.test.js index e2b2dfb544..16d6ee62a3 100644 --- a/ghost/core/test/e2e-api/admin/invites.test.js +++ b/ghost/core/test/e2e-api/admin/invites.test.js @@ -9,109 +9,247 @@ const localUtils = require('./utils'); describe('Invites API', function () { let request; - before(async function () { - await localUtils.startGhost(); - request = supertest.agent(config.get('url')); - await localUtils.doAuth(request, 'invites'); + describe('As Owner', function () { + before(async function () { + await localUtils.startGhost(); + request = supertest.agent(config.get('url')); + await localUtils.doAuth(request, 'invites'); + }); + + beforeEach(function () { + sinon.stub(mailService.GhostMailer.prototype, 'send').resolves('Mail is disabled'); + }); + + afterEach(function () { + sinon.restore(); + }); + + it('Can fetch all invites', async function () { + const res = await request.get(localUtils.API.getApiQuery('invites/')) + .set('Origin', config.get('url')) + .expect('Content-Type', /json/) + .expect('Cache-Control', testUtils.cacheRules.private) + .expect(200); + + should.not.exist(res.headers['x-cache-invalidate']); + const jsonResponse = res.body; + should.exist(jsonResponse); + should.exist(jsonResponse.invites); + jsonResponse.invites.should.have.length(2); + + localUtils.API.checkResponse(jsonResponse, 'invites'); + localUtils.API.checkResponse(jsonResponse.invites[0], 'invite'); + + jsonResponse.invites[0].status.should.eql('sent'); + jsonResponse.invites[0].email.should.eql('test1@ghost.org'); + jsonResponse.invites[0].role_id.should.eql(testUtils.roles.ids.admin); + + jsonResponse.invites[1].status.should.eql('sent'); + jsonResponse.invites[1].email.should.eql('test2@ghost.org'); + jsonResponse.invites[1].role_id.should.eql(testUtils.roles.ids.author); + + mailService.GhostMailer.prototype.send.called.should.be.false(); + }); + + it('Can read an invitation by id', async function () { + const res = await request.get(localUtils.API.getApiQuery(`invites/${testUtils.DataGenerator.forKnex.invites[0].id}/`)) + .set('Origin', config.get('url')) + .expect('Content-Type', /json/) + .expect('Cache-Control', testUtils.cacheRules.private) + .expect(200); + + should.not.exist(res.headers['x-cache-invalidate']); + const jsonResponse = res.body; + should.exist(jsonResponse); + should.exist(jsonResponse.invites); + jsonResponse.invites.should.have.length(1); + + localUtils.API.checkResponse(jsonResponse.invites[0], 'invite'); + + mailService.GhostMailer.prototype.send.called.should.be.false(); + }); + + it('Can add a new invite', async function () { + const res = await request + .post(localUtils.API.getApiQuery('invites/')) + .set('Origin', config.get('url')) + .send({ + invites: [{email: 'test@example.com', role_id: testUtils.getExistingData().roles[1].id}] + }) + .expect('Content-Type', /json/) + .expect('Cache-Control', testUtils.cacheRules.private) + .expect(201); + + should.not.exist(res.headers['x-cache-invalidate']); + const jsonResponse = res.body; + should.exist(jsonResponse); + should.exist(jsonResponse.invites); + jsonResponse.invites.should.have.length(1); + + localUtils.API.checkResponse(jsonResponse.invites[0], 'invite'); + jsonResponse.invites[0].role_id.should.eql(testUtils.getExistingData().roles[1].id); + + mailService.GhostMailer.prototype.send.called.should.be.true(); + + should.exist(res.headers.location); + res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`); + }); + + it('Can destroy an existing invite', async function () { + await request.del(localUtils.API.getApiQuery(`invites/${testUtils.DataGenerator.forKnex.invites[0].id}/`)) + .set('Origin', config.get('url')) + .expect('Cache-Control', testUtils.cacheRules.private) + .expect(204); + + mailService.GhostMailer.prototype.send.called.should.be.false(); + }); + + it('Cannot destroy an non-existent invite', async function () { + await request.del(localUtils.API.getApiQuery(`invites/abcd1234abcd1234abcd1234/`)) + .set('Origin', config.get('url')) + .expect('Cache-Control', testUtils.cacheRules.private) + .expect(404) + .expect((res) => { + res.body.errors[0].message.should.eql('Resource not found error, cannot delete invite.'); + }); + + mailService.GhostMailer.prototype.send.called.should.be.false(); + }); }); + describe('As Admin Integration', function () { + before(async function () { + await localUtils.startGhost(); + request = supertest.agent(config.get('url')); + await testUtils.initFixtures('api_keys'); + }); - beforeEach(function () { - sinon.stub(mailService.GhostMailer.prototype, 'send').resolves('Mail is disabled'); - }); + beforeEach(function () { + sinon.stub(mailService.GhostMailer.prototype, 'send').resolves('Mail is disabled'); + }); - afterEach(function () { - sinon.restore(); - }); + afterEach(function () { + sinon.restore(); + }); - it('Can fetch all invites', async function () { - const res = await request.get(localUtils.API.getApiQuery('invites/')) - .set('Origin', config.get('url')) - .expect('Content-Type', /json/) - .expect('Cache-Control', testUtils.cacheRules.private) - .expect(200); + it('Can add a new invite by API Key with the Author Role', async function () { + const roleId = testUtils.getExistingData().roles.find(role => role.name === 'Author').id; + const res = await request + .post(localUtils.API.getApiQuery('invites/')) + .set('Authorization', `Ghost ${localUtils.getValidAdminToken('/admin/')}`) + .send({ + invites: [{email: 'admin-api-key-test@example.com', role_id: roleId}] + }) + .expect('Content-Type', /json/) + .expect('Cache-Control', testUtils.cacheRules.private) + .expect(201); - should.not.exist(res.headers['x-cache-invalidate']); - const jsonResponse = res.body; - should.exist(jsonResponse); - should.exist(jsonResponse.invites); - jsonResponse.invites.should.have.length(2); + should.not.exist(res.headers['x-cache-invalidate']); + const jsonResponse = res.body; + should.exist(jsonResponse); + should.exist(jsonResponse.invites); + jsonResponse.invites.should.have.length(1); - localUtils.API.checkResponse(jsonResponse, 'invites'); - localUtils.API.checkResponse(jsonResponse.invites[0], 'invite'); + localUtils.API.checkResponse(jsonResponse.invites[0], 'invite'); + jsonResponse.invites[0].role_id.should.eql(roleId); - jsonResponse.invites[0].status.should.eql('sent'); - jsonResponse.invites[0].email.should.eql('test1@ghost.org'); - jsonResponse.invites[0].role_id.should.eql(testUtils.roles.ids.admin); + mailService.GhostMailer.prototype.send.called.should.be.true(); - jsonResponse.invites[1].status.should.eql('sent'); - jsonResponse.invites[1].email.should.eql('test2@ghost.org'); - jsonResponse.invites[1].role_id.should.eql(testUtils.roles.ids.author); + should.exist(res.headers.location); + res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`); + }); - mailService.GhostMailer.prototype.send.called.should.be.false(); - }); + it('Can add a new invite by API Key with the Editor Role', async function () { + const roleId = testUtils.getExistingData().roles.find(role => role.name === 'Editor').id; + const res = await request + .post(localUtils.API.getApiQuery('invites/')) + .set('Authorization', `Ghost ${localUtils.getValidAdminToken('/admin/')}`) + .send({ + invites: [{email: 'admin-api-key-test@example.com', role_id: roleId}] + }) + .expect('Content-Type', /json/) + .expect('Cache-Control', testUtils.cacheRules.private) + .expect(201); - it('Can read an invitation by id', async function () { - const res = await request.get(localUtils.API.getApiQuery(`invites/${testUtils.DataGenerator.forKnex.invites[0].id}/`)) - .set('Origin', config.get('url')) - .expect('Content-Type', /json/) - .expect('Cache-Control', testUtils.cacheRules.private) - .expect(200); + should.not.exist(res.headers['x-cache-invalidate']); + const jsonResponse = res.body; + should.exist(jsonResponse); + should.exist(jsonResponse.invites); + jsonResponse.invites.should.have.length(1); - should.not.exist(res.headers['x-cache-invalidate']); - const jsonResponse = res.body; - should.exist(jsonResponse); - should.exist(jsonResponse.invites); - jsonResponse.invites.should.have.length(1); + localUtils.API.checkResponse(jsonResponse.invites[0], 'invite'); + jsonResponse.invites[0].role_id.should.eql(roleId); - localUtils.API.checkResponse(jsonResponse.invites[0], 'invite'); + mailService.GhostMailer.prototype.send.called.should.be.true(); - mailService.GhostMailer.prototype.send.called.should.be.false(); - }); + should.exist(res.headers.location); + res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`); + }); - it('Can add a new invite', async function () { - const res = await request - .post(localUtils.API.getApiQuery('invites/')) - .set('Origin', config.get('url')) - .send({ - invites: [{email: 'test@example.com', role_id: testUtils.getExistingData().roles[1].id}] - }) - .expect('Content-Type', /json/) - .expect('Cache-Control', testUtils.cacheRules.private) - .expect(201); + it('Can add a new invite by API Key with the Contributor Role', async function () { + const roleId = testUtils.getExistingData().roles.find(role => role.name === 'Contributor').id; + const res = await request + .post(localUtils.API.getApiQuery('invites/')) + .set('Authorization', `Ghost ${localUtils.getValidAdminToken('/admin/')}`) + .send({ + invites: [{email: 'admin-api-key-test@example.com', role_id: roleId}] + }) + .expect('Content-Type', /json/) + .expect('Cache-Control', testUtils.cacheRules.private) + .expect(201); - should.not.exist(res.headers['x-cache-invalidate']); - const jsonResponse = res.body; - should.exist(jsonResponse); - should.exist(jsonResponse.invites); - jsonResponse.invites.should.have.length(1); + should.not.exist(res.headers['x-cache-invalidate']); + const jsonResponse = res.body; + should.exist(jsonResponse); + should.exist(jsonResponse.invites); + jsonResponse.invites.should.have.length(1); - localUtils.API.checkResponse(jsonResponse.invites[0], 'invite'); - jsonResponse.invites[0].role_id.should.eql(testUtils.getExistingData().roles[1].id); + localUtils.API.checkResponse(jsonResponse.invites[0], 'invite'); + jsonResponse.invites[0].role_id.should.eql(roleId); - mailService.GhostMailer.prototype.send.called.should.be.true(); + mailService.GhostMailer.prototype.send.called.should.be.true(); - should.exist(res.headers.location); - res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`); - }); + should.exist(res.headers.location); + res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`); + }); - it('Can destroy an existing invite', async function () { - await request.del(localUtils.API.getApiQuery(`invites/${testUtils.DataGenerator.forKnex.invites[0].id}/`)) - .set('Origin', config.get('url')) - .expect('Cache-Control', testUtils.cacheRules.private) - .expect(204); + it('Can not add a new invite by API Key with the Administrator Role', async function () { + const roleId = testUtils.getExistingData().roles.find(role => role.name === 'Administrator').id; + await request + .post(localUtils.API.getApiQuery('invites/')) + .set('Authorization', `Ghost ${localUtils.getValidAdminToken('/admin/')}`) + .send({ + invites: [{email: 'admin-api-key-test@example.com', role_id: roleId}] + }) + .expect('Content-Type', /json/) + .expect('Cache-Control', testUtils.cacheRules.private) + .expect(403); + }); - mailService.GhostMailer.prototype.send.called.should.be.false(); - }); + it('Can add a new invite by API Key with the Contributor Role', async function () { + const roleId = testUtils.getExistingData().roles.find(role => role.name === 'Contributor').id; + const res = await request + .post(localUtils.API.getApiQuery('invites/')) + .set('Authorization', `Ghost ${localUtils.getValidAdminToken('/admin/')}`) + .send({ + invites: [{email: 'admin-api-key-test@example.com', role_id: roleId}] + }) + .expect('Content-Type', /json/) + .expect('Cache-Control', testUtils.cacheRules.private) + .expect(201); - it('Cannot destroy an non-existent invite', async function () { - await request.del(localUtils.API.getApiQuery(`invites/abcd1234abcd1234abcd1234/`)) - .set('Origin', config.get('url')) - .expect('Cache-Control', testUtils.cacheRules.private) - .expect(404) - .expect((res) => { - res.body.errors[0].message.should.eql('Resource not found error, cannot delete invite.'); - }); + should.not.exist(res.headers['x-cache-invalidate']); + const jsonResponse = res.body; + should.exist(jsonResponse); + should.exist(jsonResponse.invites); + jsonResponse.invites.should.have.length(1); - mailService.GhostMailer.prototype.send.called.should.be.false(); + localUtils.API.checkResponse(jsonResponse.invites[0], 'invite'); + jsonResponse.invites[0].role_id.should.eql(roleId); + + mailService.GhostMailer.prototype.send.called.should.be.true(); + + should.exist(res.headers.location); + res.headers.location.should.equal(`http://127.0.0.1:2369${localUtils.API.getApiQuery('invites/')}${res.body.invites[0].id}/`); + }); }); }); diff --git a/ghost/core/test/utils/e2e-utils.js b/ghost/core/test/utils/e2e-utils.js index 409ce9902f..7c46d311b0 100644 --- a/ghost/core/test/utils/e2e-utils.js +++ b/ghost/core/test/utils/e2e-utils.js @@ -37,7 +37,7 @@ let totalBoots = 0; */ const exposeFixtures = async () => { const fixturePromises = { - roles: models.Role.findAll({columns: ['id']}), + roles: models.Role.findAll({columns: ['id', 'name']}), users: models.User.findAll({columns: ['id', 'email', 'slug']}), tags: models.Tag.findAll({columns: ['id']}), apiKeys: models.ApiKey.findAll({withRelated: 'integration'})