From 1962591c2ed4d3cfd2f14cad7bfafe6cf0a2aac5 Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Fri, 16 Jul 2021 14:26:35 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Fixed=20permissible=20method=20f?=
 =?UTF-8?q?or=20Integration=20Model?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-j5c2-hm46-wp5c

The permissible method of models overrides all permission logic, which means we must manually check the user & api key permissions before continuing.
---
 core/server/models/integration.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/core/server/models/integration.js b/core/server/models/integration.js
index 66232990b5..c27ec3bfd3 100644
--- a/core/server/models/integration.js
+++ b/core/server/models/integration.js
@@ -1,5 +1,6 @@
 const limitService = require('../services/limits');
 const ghostBookshelf = require('./base');
+const {NoPermissionError} = require('@tryghost/errors');
 const Integration = ghostBookshelf.Model.extend({
 tableName: 'integrations',
@@ -63,7 +64,7 @@ const Integration = ghostBookshelf.Model.extend({
 return options;
 },
- async permissible(integrationModel, action) {
+ async permissible(integrationModel, action, context, attrs, loadedPerms, hasUserPermission, hasApiKeyPermission) {
 const isAdd = (action === 'add');
 if (isAdd && limitService.isLimited('customIntegrations')) {
@@ -71,7 +72,10 @@ const Integration = ghostBookshelf.Model.extend({
 // Inviting a new custom integration requires we check we won't go over the limit
 await limitService.errorIfWouldGoOverLimit('customIntegrations');
 }
- return true;
+
+ if (!hasUserPermission || !hasApiKeyPermission) {
+ throw new NoPermissionError();
+ }
 }
 });
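Review bot: The new signature of `permissible` declares `context`, `attrs` and `loadedPerms` but the method never reads them; they are positional placeholders so that `hasUserPermission` and `hasApiKeyPermission` land in the right slots, and a linter with no-unused-vars will flag them without an explanation. A short comment above the signature would save the next maintainer from "simplifying" the signature and silently reintroducing the bug, e.g. `// Parameters are positional and must match the base model's permissible hook; only the last two are used here.`. The method's body continues in the next hunk, so the check that consumes these two flags is not visible in this one.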
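Review bot: The permission guard is placed after the limit handling, so a caller with neither user nor API-key permission still reaches `limitService.isLimited('customIntegrations')` and, for an `add`, `limitService.errorIfWouldGoOverLimit(...)` before being denied, and may receive a limit error instead of `NoPermissionError`. Authorization should be the first decision in the method: move `if (!hasUserPermission || !hasApiKeyPermission) { throw new NoPermissionError(); }` to the top of `permissible`, before `const isAdd = (action === 'add');`, so unauthorized callers do no work and learn nothing about the instance's limit state. Separately, dropping `return true;` means the promise now resolves to `undefined` on success; if any caller inspects the resolved value rather than relying on rejection for denial, that is a behaviour change worth confirming. The start of the method is in the previous hunk.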