
Fix up users API so admin role can edit owner

No Issue.
- Make sure that a user with the Admin role can edit the Owner.
- Add a test for this behavior.
This commit is contained in:
Jason Williams 2015-01-20 19:21:50 +00:00
parent e26d1a9257
commit 0fc152b2ad
2 changed files with 49 additions and 24 deletions


@ -150,35 +150,40 @@ users = {
// Check permissions
return canThis(options.context).edit.user(options.id).then(function () {
if (data.users[0].roles && data.users[0].roles[0]) {
var role = data.users[0].roles[0],
roleId = parseInt(role.id || role, 10);
// if roles aren't in the payload, proceed with the edit
if (!(data.users[0].roles && data.users[0].roles[0])) {
return editOperation();
}
return dataProvider.User.findOne(
{id: options.context.user, status: 'all'}, {include: ['roles']}
).then(function (contextUser) {
var contextRoleId = contextUser.related('roles').toJSON()[0].id;
var role = data.users[0].roles[0],
roleId = parseInt(role.id || role, 10),
editedUserId = parseInt(options.id, 10);
if (roleId !== contextRoleId &&
parseInt(options.id, 10) === parseInt(options.context.user, 10)) {
return Promise.reject(new errors.NoPermissionError('You cannot change your own role.'));
} else if (roleId !== contextRoleId) {
return dataProvider.User.findOne({role: 'Owner'}).then(function (result) {
if (parseInt(result.id, 10) !== parseInt(options.id, 10)) {
return canThis(options.context).assign.role(role).then(function () {
return editOperation();
});
} else {
return Promise.reject(new errors.NoPermissionError('There has to be one owner.'));
return dataProvider.User.findOne(
{id: options.context.user, status: 'all'}, {include: ['roles']}
).then(function (contextUser) {
var contextRoleId = contextUser.related('roles').toJSON()[0].id;
if (roleId !== contextRoleId && editedUserId === contextUser.id) {
return Promise.reject(new errors.NoPermissionError('You cannot change your own role.'));
}
return dataProvider.User.findOne({role: 'Owner'}).then(function (owner) {
if (contextUser.id !== owner.id) {
if (editedUserId === owner.id) {
if (owner.related('roles').at(0).id !== roleId) {
return Promise.reject(new errors.NoPermissionError('Cannot change Owner\'s role.'));
}
});
} else if (roleId !== contextRoleId) {
return canThis(options.context).assign.role(role).then(function () {
return editOperation();
});
}
}
return editOperation();
});
}
return editOperation();
});
});
}).catch(function (error) {
return errors.handleAPIError(error, 'You do not have permission to edit this user');
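Review bot: The new identity checks compare `editedUserId` (a `parseInt` result) with `contextUser.id` and `owner.id` using `===`, whereas the replaced code normalized both sides with `parseInt(..., 10)`; if the model ever returns string ids, the self-role guard and the owner checks fail silently and the request falls through to the `assign.role` path instead of being rejected outright. Keeping the normalization, e.g. `var contextUserId = parseInt(contextUser.id, 10), ownerId = parseInt(owner.id, 10);` and comparing those, preserves the old defensive behavior. Also `owner.related('roles').at(0).id` relies on the roles relation being loaded by `findOne({role: 'Owner'})`, while the context-user lookup a few lines above passes `{include: ['roles']}` explicitly; if roles are not loaded there, the resulting TypeError is swallowed by the `.catch` at the end of the hunk and reported as a generic permission error, so either pass the include or guard the lookup. Finally, the `contextUser.id !== owner.id` branch means an Owner changing another user's role no longer passes through `canThis(options.context).assign.role(role)`; that is probably intended but deserves a comment such as `// Owner may assign any role, so the assign permission check is skipped`.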


@ -219,7 +219,7 @@ describe('Users API', function () {
}).catch(done);
});
it('Admin can edit all roles', function (done) {
it('Admin can edit all users in all roles', function (done) {
UserAPI.edit({users: [{name: newName}]}, _.extend({}, context.admin, {id: userIdFor.owner}))
.then(function (response) {
checkEditResponse(response);
@ -239,6 +239,26 @@ describe('Users API', function () {
}).catch(done);
});
it('Admin can edit all users in all roles with roles in payload', function (done) {
UserAPI.edit({users: [{name: newName, roles: [roleIdFor.owner]}]}, _.extend({}, context.admin, {id: userIdFor.owner}))
.then(function (response) {
checkEditResponse(response);
return UserAPI.edit({users: [{name: newName, roles: [roleIdFor.admin]}]}, _.extend({}, context.admin, {id: userIdFor.admin}));
}).then(function (response) {
checkEditResponse(response);
return UserAPI.edit({users: [{name: newName, roles: [roleIdFor.editor]}]}, _.extend({}, context.admin, {id: userIdFor.editor}));
}).then(function (response) {
checkEditResponse(response);
return UserAPI.edit({users: [{name: newName, roles: [roleIdFor.author]}]}, _.extend({}, context.admin, {id: userIdFor.author}));
}).then(function (response) {
checkEditResponse(response);
done();
}).catch(done);
});
it('Editor CANNOT edit Owner, Admin or Editor roles', function (done) {
// Cannot edit Owner
UserAPI.edit(
@ -889,7 +909,7 @@ describe('Users API', function () {
}).catch(function (error) {
error.type.should.eql('NoPermissionError');
done();
});
}).catch(done);
});
});
});
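Review bot: The new 'Admin can edit all users in all roles with roles in payload' test only exercises the success path where the role in the payload matches each user's current role; the rejection introduced in the API change ('Cannot change Owner\'s role.') has no test, so a regression that let an Admin demote the Owner would still pass this suite. A case that sends `roles: [roleIdFor.admin]` for `userIdFor.owner` under `context.admin` and asserts `error.type.should.eql('NoPermissionError')`, in the same style as the 'Editor CANNOT edit Owner, Admin or Editor roles' test that follows, would pin that guard. The enclosing `describe('Users API', ...)` block starts and ends outside these hunks.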