
Disallowed editing "labs" settings in v2/v3 APIs

refs https://github.com/TryGhost/Team/issues/757

- There is no use case for editing "labs" settings outside of the canary/v4 API versions. Removing support from older versions makes the supported API surface smaller (easier maintenance).
This commit is contained in:
Naz 2021-06-07 17:56:52 +04:00 committed by naz
parent d8230f3343
commit 48d36b6a48
4 changed files with 10 additions and 48 deletions


@ -2,7 +2,6 @@ const _ = require('lodash');
const url = require('./utils/url');
const typeGroupMapper = require('../../../../shared/serializers/input/utils/settings-filter-type-group-mapper');
const settingsCache = require('../../../../../services/settings/cache');
const {WRITABLE_KEYS_ALLOWLIST} = require('../../../../../services/labs');
const DEPRECATED_SETTINGS = [
'bulk_email_settings',
@ -92,11 +91,12 @@ module.exports = {
const settings = settingsCache.getAll();
// Ignore and drop all values with Read-only flag
frame.data.settings = frame.data.settings.filter((setting) => {
const settingFlagsStr = settings[setting.key] ? settings[setting.key].flags : '';
const settingFlagsArr = settingFlagsStr ? settingFlagsStr.split(',') : [];
return !settingFlagsArr.includes('RO');
// Ignore and drop all values with Read-only flag AND 'labs' setting
return !settingFlagsArr.includes('RO') && (setting.key !== 'labs');
});
frame.data.settings.push(...getMappedDeprecatedSettings(frame.data.settings));
@ -139,19 +139,6 @@ module.exports = {
setting.value = JSON.parse(setting.value).isActive;
}
if (setting.key === 'labs') {
const inputLabsValue = JSON.parse(setting.value);
const filteredLabsValue = {};
for (const value in inputLabsValue) {
if (WRITABLE_KEYS_ALLOWLIST.includes(value)) {
filteredLabsValue[value] = inputLabsValue[value];
}
}
setting.value = JSON.stringify(filteredLabsValue);
}
setting = url.forSetting(setting);
});
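Review bot: The comment added above the new filter predicate, `// Ignore and drop all values with Read-only flag AND 'labs' setting`, reads as a conjunction, while the line below it drops a setting when it is read-only *or* when its key is `'labs'`; suggest `// Drop every value carrying the Read-only flag, and drop the 'labs' setting entirely (not editable through this API version)`. The same comment appears in the v3 serializer section below. With the per-key `WRITABLE_KEYS_ALLOWLIST` loop removed in the second hunk, this filter is now the only thing keeping labs writes out of this API version, so a client that sends a labs setting gets a successful response with the entry silently dropped rather than a validation error — consistent with how RO values are treated, but worth stating in the API docs if it is not already. Both hunks sit inside the `module.exports` object whose edit handler starts and ends outside the hunk.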


@ -2,7 +2,6 @@ const _ = require('lodash');
const url = require('./utils/url');
const typeGroupMapper = require('../../../../shared/serializers/input/utils/settings-filter-type-group-mapper');
const settingsCache = require('../../../../../services/settings/cache');
const {WRITABLE_KEYS_ALLOWLIST} = require('../../../../../services/labs');
const DEPRECATED_SETTINGS = [
'bulk_email_settings',
@ -95,11 +94,12 @@ module.exports = {
}
const settings = settingsCache.getAll();
// Ignore and drop all values with Read-only flag
frame.data.settings = frame.data.settings.filter((setting) => {
const settingFlagsStr = settings[setting.key] ? settings[setting.key].flags : '';
const settingFlagsArr = settingFlagsStr ? settingFlagsStr.split(',') : [];
return !settingFlagsArr.includes('RO');
// Ignore and drop all values with Read-only flag AND 'labs' setting
return !settingFlagsArr.includes('RO') && (setting.key !== 'labs');
});
const mappedDeprecatedSettings = getMappedDeprecatedSettings(frame.data.settings);
@ -155,19 +155,6 @@ module.exports = {
setting.value = JSON.parse(setting.value).isActive;
}
if (setting.key === 'labs') {
const inputLabsValue = JSON.parse(setting.value);
const filteredLabsValue = {};
for (const value in inputLabsValue) {
if (WRITABLE_KEYS_ALLOWLIST.includes(value)) {
filteredLabsValue[value] = inputLabsValue[value];
}
}
setting.value = JSON.stringify(filteredLabsValue);
}
setting = url.forSetting(setting);
});


@ -521,7 +521,7 @@ describe('Settings API (v2)', function () {
});
});
it('Can edit only allowed labs keys', async function () {
it('Cannot edit labs keys', async function () {
const settingToChange = {
settings: [{
key: 'labs',
@ -544,13 +544,7 @@ describe('Settings API (v2)', function () {
should.exist(jsonResponse);
should.exist(jsonResponse.settings);
jsonResponse.settings.length.should.eql(1);
testUtils.API.checkResponseValue(jsonResponse.settings[0], ['id', 'key', 'value', 'type', 'flags', 'created_at', 'updated_at']);
jsonResponse.settings[0].key.should.eql('labs');
jsonResponse.settings[0].value.should.eql(JSON.stringify({
activitypub: true
}));
jsonResponse.settings.length.should.eql(0);
});
it('Can\'t edit non existent setting', function () {
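Review bot: The rewritten assertion `jsonResponse.settings.length.should.eql(0)` only checks that the response carries no settings; it does not confirm that the stored `labs` value was left untouched by the request, which is the property the serializer change is meant to guarantee. Issuing a GET for the labs setting after the edit and asserting its value equals the pre-request value would pin that behaviour, rather than relying on the response shape alone. The same applies to the v3 test section below. The `it` body begins in the previous hunk of this section, and its status and header checks are outside the hunk.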


@ -464,7 +464,7 @@ describe('Settings API (v3)', function () {
});
});
it('Can edit only allowed labs keys', async function () {
it('Cannot edit labs keys', async function () {
const settingToChange = {
settings: [{
key: 'labs',
@ -487,13 +487,7 @@ describe('Settings API (v3)', function () {
should.exist(jsonResponse);
should.exist(jsonResponse.settings);
jsonResponse.settings.length.should.eql(1);
testUtils.API.checkResponseValue(jsonResponse.settings[0], ['id', 'group', 'key', 'value', 'type', 'flags', 'created_at', 'updated_at']);
jsonResponse.settings[0].key.should.eql('labs');
jsonResponse.settings[0].value.should.eql(JSON.stringify({
activitypub: true
}));
jsonResponse.settings.length.should.eql(0);
});
it('Can\'t read non existent setting', function (done) {