diff --git a/core/server/models/invite.js b/core/server/models/invite.js
index 915c339b70..59ccfcfa49 100644
--- a/core/server/models/invite.js
+++ b/core/server/models/invite.js
@@ -46,11 +46,17 @@ Invite = ghostBookshelf.Model.extend({
 return ghostBookshelf.Model.add.call(this, data, options);
 },
- permissible(inviteModel, action, context, unsafeAttrs, loadedPermissions /*hasUserPermission, hasAppPermission, result*/) {
+ permissible(inviteModel, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasAppPermission /*result*/) {
 const isAdd = (action === 'add');
 if (!isAdd) {
- return Promise.resolve();
+ if (hasUserPermission && hasAppPermission) {
+ return Promise.resolve();
+ }
+
+ return Promise.reject(new common.errors.NoPermissionError({
+ message: common.i18n.t('errors.models.invite.notEnoughPermission')
+ }));
 }
 // CASE: make sure user is allowed to add a user with this role
@@ -83,6 +89,14 @@ Invite = ghostBookshelf.Model.extend({
 message: common.i18n.t('errors.api.invites.notAllowedToInvite')
 });
 }
+
+ if (hasUserPermission && hasAppPermission) {
+ return Promise.resolve();
+ }
+
+ return Promise.reject(new common.errors.NoPermissionError({
+ message: common.i18n.t('errors.models.invite.notEnoughPermission')
+ }));
 });
 }
 });
diff --git a/core/server/translations/en.json b/core/server/translations/en.json
index 1f4c70d11a..cf818b37f7 100644
--- a/core/server/translations/en.json
+++ b/core/server/translations/en.json
@@ -215,6 +215,9 @@
 "subscriber": {
 "notEnoughPermission": "You do not have permission to perform this action"
 },
+ "invite": {
+ "notEnoughPermission": "You do not have permission to perform this action"
+ },
 "post": {
 "postNotFound": "Post not found.",
 "untitled": "(Untitled)",
diff --git a/core/test/unit/models/invite_spec.js b/core/test/unit/models/invite_spec.js
index 9126ddcf2a..559a374352 100644
--- a/core/test/unit/models/invite_spec.js
+++ b/core/test/unit/models/invite_spec.js
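Review bot: The permission-flag check added at the end of the second hunk only runs after the role-based checks in the surrounding `.then` chain have resolved, yet `hasUserPermission` and `hasAppPermission` are already known when `permissible` is entered, so a caller lacking the permission still pays for the role lookup that precedes this hunk (outside the visible lines) before being denied; checking the flags first would fail fast, unless the more specific `notAllowedToInvite` message is deliberately meant to win for role mismatches. The reject block is also duplicated verbatim in both hunks — a local helper such as `const denied = () => Promise.reject(new common.errors.NoPermissionError({message: common.i18n.t('errors.models.invite.notEnoughPermission')}));` would keep both paths in sync. Since the non-add path now denies unless both flags are truthy, it is worth confirming that every caller passes an explicit boolean for `hasAppPermission` when no app is in the context; an `undefined` there would deny legitimate users. `permissible` continues between the two hunks, outside this view.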
@@ -124,28 +124,28 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Administrator');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions);
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true);
 });
 it('invite editor', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Editor');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions);
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true);
 });
 it('invite author', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Author');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions);
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true);
 });
 it('invite contributor', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Contributor');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions);
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true);
 });
 });
@@ -158,28 +158,28 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Administrator');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions);
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true);
 });
 it('invite editor', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Editor');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions);
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true);
 });
 it('invite author', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Author');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions);
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true);
 });
 it('invite contributor', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Contributor');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions);
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true);
 });
 });
@@ -192,7 +192,7 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Administrator');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions)
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true)
 .then(Promise.reject)
 .catch((err) => {
 (err instanceof common.errors.NoPermissionError).should.eql(true);
@@ -203,7 +203,7 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Editor');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions)
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true)
 .then(Promise.reject)
 .catch((err) => {
 (err instanceof common.errors.NoPermissionError).should.eql(true);
@@ -214,14 +214,14 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Author');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions);
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true);
 });
 it('invite contributor', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Contributor');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions);
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true);
 });
 });
@@ -234,7 +234,7 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Administrator');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions)
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, false, false)
 .then(Promise.reject)
 .catch((err) => {
 (err instanceof common.errors.NoPermissionError).should.eql(true);
@@ -245,7 +245,7 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Editor');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions)
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, false, false)
 .then(Promise.reject)
 .catch((err) => {
 (err instanceof common.errors.NoPermissionError).should.eql(true);
@@ -256,7 +256,7 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Author');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions)
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, false, false)
 .then(Promise.reject)
 .catch((err) => {
 (err instanceof common.errors.NoPermissionError).should.eql(true);
@@ -267,7 +267,7 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Contributor');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions)
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, false, false)
 .then(Promise.reject)
 .catch((err) => {
 (err instanceof common.errors.NoPermissionError).should.eql(true);
@@ -284,7 +284,7 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Administrator');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions)
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, false, false)
 .then(Promise.reject)
 .catch((err) => {
 (err instanceof common.errors.NoPermissionError).should.eql(true);
@@ -295,7 +295,7 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Editor');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions)
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, false, false)
 .then(Promise.reject)
 .catch((err) => {
 (err instanceof common.errors.NoPermissionError).should.eql(true);
@@ -306,7 +306,7 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Author');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions)
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, false, false)
 .then(Promise.reject)
 .catch((err) => {
 (err instanceof common.errors.NoPermissionError).should.eql(true);
@@ -317,7 +317,7 @@ describe('Unit: models/invite', function () {
 sandbox.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
 roleModel.get.withArgs('name').returns('Contributor');
- return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions)
+ return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, false, false)
 .then(Promise.reject)
 .catch((err) => {
 (err instanceof common.errors.NoPermissionError).should.eql(true);
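Review bot: Every `permissible` call in the visible spec hunks uses the `'add'` action, so the newly introduced denial for non-add actions when the flags are false (the `if (!isAdd)` branch in invite.js) has no coverage here unless a case exists outside these hunks. A case passing `'edit'` with `false, false` that expects `NoPermissionError`, plus a `true, true` counterpart that expects resolution, would pin the fix and catch a regression back to the unconditional `Promise.resolve()`. The enclosing `describe` block starts and ends outside this hunk.
```javascript
it('rejects non-add actions without permission', function () {
    return models.Invite.permissible(inviteModel, 'edit', context, unsafeAttrs, loadedPermissions, false, false)
        .then(Promise.reject)
        .catch((err) => {
            (err instanceof common.errors.NoPermissionError).should.eql(true);
        });
});

it('allows non-add actions with permission', function () {
    return models.Invite.permissible(inviteModel, 'edit', context, unsafeAttrs, loadedPermissions, true, true);
});
```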