Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-02-10 23:36:14 -05:00
Code Issues Activity

🐛 Fixed permission for "Administrator" to be able to edit post visibility

Browse source 
closes #11825

- The initial implementation had a typo in a role name which didn't allow "Administrator" to edit post's "visibility" attribute
- Added unit tests to check administrator specific role and visibility attribute permission
This commit is contained in:
Nazar Gargol 2020-05-20 17:47:27 +12:00
parent efdc230c7d
commit 2d41e5cc88
2 changed files with 35 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
core/server/models/post.js
View file

@ -960,7 +960,7 @@ Post = ghostBookshelf.Model.extend({
isContributor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Contributor'});
isOwner = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Owner'});
isAdmin = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Admin'});
isAdmin = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Administrator'});
isEditor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Editor'});
isIntegration = loadedPermissions.apiKey && _.some(loadedPermissions.apiKey.roles, {name: 'Admin Integration'});

36
test/unit/models/post_spec.js
View file

@ -1235,7 +1235,7 @@ describe('Unit: models/post: uses database (@TODO: fix me)', function () {
});
});
it('resolves if changing visibility', function () {
it('resolves if changing visibility as owner', function (done) {
const mockPostObj = {
get: sinon.stub(),
related: sinon.stub()
@ -1251,13 +1251,45 @@ describe('Unit: models/post: uses database (@TODO: fix me)', function () {
'edit',
context,
unsafeAttrs,
testUtils.permissions.editor,
testUtils.permissions.owner,
false,
true,
true
).then(() => {
should(mockPostObj.get.called).be.false();
should(mockPostObj.related.calledOnce).be.true();
done();
}).catch(() => {
done(new Error('Permissible function should have passed for owner.'));
});
});
it('resolves if changing visibility as administrator', function (done) {
const mockPostObj = {
get: sinon.stub(),
related: sinon.stub()
};
const context = {user: 1};
const unsafeAttrs = {visibility: 'public'};
mockPostObj.get.withArgs('visibility').returns('paid');
mockPostObj.related.withArgs('authors').returns({models: [{id: 1}]});
models.Post.permissible(
mockPostObj,
'edit',
context,
unsafeAttrs,
testUtils.permissions.admin,
false,
true,
true
).then(() => {
should(mockPostObj.get.called).be.false();
should(mockPostObj.related.calledOnce).be.true();
done();
}).catch(() => {
done(new Error('Permissible function should have passed for administrator.'));
});
});
});