Remove private data from API

no issue - added removal to user.browse, posts.read, posts.browse - fixed removal for user.read
2025-03-11 02:12:21 -05:00 · 2013-10-17 17:15:25 +02:00 · 2013-10-17 17:15:25 +02:00 · 374c41e138
commit 374c41e138
parent daa87e92c2
2 changed files with 34 additions and 9 deletions
--- a/core/server/api.js
+++ b/core/server/api.js
@ -19,7 +19,8 @@ var Ghost        = require('../ghost'),
    requestHandler,
    settingsObject,
    settingsCollection,
-    settingsFilter;
+    settingsFilter,
+    filteredUserAttributes = ['password', 'created_by', 'updated_by'];

 // ## Posts
 posts = {
@ -28,7 +29,17 @@ posts = {
    // **takes:** filter / pagination parameters
    browse: function browse(options) {
        // **returns:** a promise for a page of posts in a json object
-        return dataProvider.Post.findPage(options);
+        //return dataProvider.Post.findPage(options);
+        return dataProvider.Post.findPage(options).then(function (result) {
+            var i = 0,
+                omitted = result;
+
+            for (i = 0; i < omitted.posts.length; i = i + 1) {
+                omitted.posts[i].author = _.omit(omitted.posts[i].author, filteredUserAttributes);
+                omitted.posts[i].user = _.omit(omitted.posts[i].user, filteredUserAttributes);
+            }
+            return omitted;
+        });
    },

    // #### Read
@ -36,7 +47,13 @@ posts = {
    // **takes:** an identifier (id or slug?)
    read: function read(args) {
        // **returns:** a promise for a single post in a json object
-        return dataProvider.Post.findOne(args);
+
+        return dataProvider.Post.findOne(args).then(function (result) {
+            var omitted = result.toJSON();
+            omitted.author = _.omit(omitted.author, filteredUserAttributes);
+            omitted.user = _.omit(omitted.user, filteredUserAttributes);
+            return omitted;
+        });
    },

    // #### Edit
@ -102,7 +119,16 @@ users = {
    // **takes:** options object
    browse: function browse(options) {
        // **returns:** a promise for a collection of users in a json object
-        return dataProvider.User.browse(options);
+
+        return dataProvider.User.browse(options).then(function (result) {
+            var i = 0,
+                omitted = result.toJSON();
+
+            for (i = 0; i < omitted.length; i = i + 1) {
+                omitted[i] = _.omit(omitted[i], filteredUserAttributes);
+            }
+            return omitted;
+        });
    },

    // #### Read
@ -114,10 +140,9 @@ users = {
            args = {id: this.user};
        }

-        var filteredAttributes = ['password', 'created_by', 'updated_by'];
-
-        return dataProvider.User.read(args).then(function omitAttrs(result) {
-            return _.omit(result, filteredAttributes);
+        return dataProvider.User.read(args).then(function (result) {
+            var omitted = _.omit(result.toJSON(), filteredUserAttributes);
+            return omitted;
        });
    },

--- a/core/server/controllers/frontend.js
+++ b/core/server/controllers/frontend.js
@ -88,7 +88,7 @@ frontendControllers = {
                title: ghost.settings('title'),
                description: ghost.settings('description'),
                generator: 'Ghost v' + res.locals.version,
-                author: user ? user.attributes.name : null,
+                author: user ? user.name : null,
                feed_url: url.resolve(siteUrl, '/rss/'),
                site_url: siteUrl,
                ttl: '60'