Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-02-03 23:00:14 -05:00
Code Issues Activity

Disallowed aditing "labs" settings in v2/v3 APIs

Browse source 
refs https://github.com/TryGhost/Team/issues/757

- There is no usecase for editing "labs" settings outside of canary/v4 API versions. Removing support for older versions makes the supported API surface smaller (easy maintenance).
This commit is contained in:
Naz 2021-06-07 17:56:52 +04:00 committed by naz
parent d8230f3343
commit 48d36b6a48
4 changed files with 10 additions and 48 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
core/server/api/v2/utils/serializers/input/settings.js
View file

@ -2,7 +2,6 @@ const _ = require('lodash');
const url = require('./utils/url'); const url = require('./utils/url');
const typeGroupMapper = require('../../../../shared/serializers/input/utils/settings-filter-type-group-mapper'); const typeGroupMapper = require('../../../../shared/serializers/input/utils/settings-filter-type-group-mapper');
const settingsCache = require('../../../../../services/settings/cache'); const settingsCache = require('../../../../../services/settings/cache');
const {WRITABLE_KEYS_ALLOWLIST} = require('../../../../../services/labs');
const DEPRECATED_SETTINGS = [ const DEPRECATED_SETTINGS = [
'bulk_email_settings', 'bulk_email_settings',
@ -92,11 +91,12 @@ module.exports = {
const settings = settingsCache.getAll(); const settings = settingsCache.getAll();
// Ignore and drop all values with Read-only flag
frame.data.settings = frame.data.settings.filter((setting) => { frame.data.settings = frame.data.settings.filter((setting) => {
const settingFlagsStr = settings[setting.key] ? settings[setting.key].flags : ''; const settingFlagsStr = settings[setting.key] ? settings[setting.key].flags : '';
const settingFlagsArr = settingFlagsStr ? settingFlagsStr.split(',') : []; const settingFlagsArr = settingFlagsStr ? settingFlagsStr.split(',') : [];
return !settingFlagsArr.includes('RO');
// Ignore and drop all values with Read-only flag AND 'labs' setting
return !settingFlagsArr.includes('RO') && (setting.key !== 'labs');
}); });
frame.data.settings.push(...getMappedDeprecatedSettings(frame.data.settings)); frame.data.settings.push(...getMappedDeprecatedSettings(frame.data.settings));
@ -139,19 +139,6 @@ module.exports = {
setting.value = JSON.parse(setting.value).isActive; setting.value = JSON.parse(setting.value).isActive;
} }
if (setting.key === 'labs') {
const inputLabsValue = JSON.parse(setting.value);
const filteredLabsValue = {};
for (const value in inputLabsValue) {
if (WRITABLE_KEYS_ALLOWLIST.includes(value)) {
filteredLabsValue[value] = inputLabsValue[value];
}
}
setting.value = JSON.stringify(filteredLabsValue);
}
setting = url.forSetting(setting); setting = url.forSetting(setting);
}); });

19
core/server/api/v3/utils/serializers/input/settings.js
View file

@ -2,7 +2,6 @@ const _ = require('lodash');
const url = require('./utils/url'); const url = require('./utils/url');
const typeGroupMapper = require('../../../../shared/serializers/input/utils/settings-filter-type-group-mapper'); const typeGroupMapper = require('../../../../shared/serializers/input/utils/settings-filter-type-group-mapper');
const settingsCache = require('../../../../../services/settings/cache'); const settingsCache = require('../../../../../services/settings/cache');
const {WRITABLE_KEYS_ALLOWLIST} = require('../../../../../services/labs');
const DEPRECATED_SETTINGS = [ const DEPRECATED_SETTINGS = [
'bulk_email_settings', 'bulk_email_settings',
@ -95,11 +94,12 @@ module.exports = {
} }
const settings = settingsCache.getAll(); const settings = settingsCache.getAll();
// Ignore and drop all values with Read-only flag
frame.data.settings = frame.data.settings.filter((setting) => { frame.data.settings = frame.data.settings.filter((setting) => {
const settingFlagsStr = settings[setting.key] ? settings[setting.key].flags : ''; const settingFlagsStr = settings[setting.key] ? settings[setting.key].flags : '';
const settingFlagsArr = settingFlagsStr ? settingFlagsStr.split(',') : []; const settingFlagsArr = settingFlagsStr ? settingFlagsStr.split(',') : [];
return !settingFlagsArr.includes('RO');
// Ignore and drop all values with Read-only flag AND 'labs' setting
return !settingFlagsArr.includes('RO') && (setting.key !== 'labs');
}); });
const mappedDeprecatedSettings = getMappedDeprecatedSettings(frame.data.settings); const mappedDeprecatedSettings = getMappedDeprecatedSettings(frame.data.settings);
@ -155,19 +155,6 @@ module.exports = {
setting.value = JSON.parse(setting.value).isActive; setting.value = JSON.parse(setting.value).isActive;
} }
if (setting.key === 'labs') {
const inputLabsValue = JSON.parse(setting.value);
const filteredLabsValue = {};
for (const value in inputLabsValue) {
if (WRITABLE_KEYS_ALLOWLIST.includes(value)) {
filteredLabsValue[value] = inputLabsValue[value];
}
}
setting.value = JSON.stringify(filteredLabsValue);
}
setting = url.forSetting(setting); setting = url.forSetting(setting);
}); });

10
test/regression/api/v2/admin/settings_spec.js
View file

@ -521,7 +521,7 @@ describe('Settings API (v2)', function () {
}); });
}); });
it('Can edit only allowed labs keys', async function () { it('Cannot edit labs keys', async function () {
const settingToChange = { const settingToChange = {
settings: [{ settings: [{
key: 'labs', key: 'labs',
@ -544,13 +544,7 @@ describe('Settings API (v2)', function () {
should.exist(jsonResponse); should.exist(jsonResponse);
should.exist(jsonResponse.settings); should.exist(jsonResponse.settings);
jsonResponse.settings.length.should.eql(1); jsonResponse.settings.length.should.eql(0);
testUtils.API.checkResponseValue(jsonResponse.settings[0], ['id', 'key', 'value', 'type', 'flags', 'created_at', 'updated_at']);
jsonResponse.settings[0].key.should.eql('labs');
jsonResponse.settings[0].value.should.eql(JSON.stringify({
activitypub: true
}));
}); });
it('Can\'t edit non existent setting', function () { it('Can\'t edit non existent setting', function () {

10
test/regression/api/v3/admin/settings_spec.js
View file

@ -464,7 +464,7 @@ describe('Settings API (v3)', function () {
}); });
}); });
it('Can edit only allowed labs keys', async function () { it('Cannot edit labs keys', async function () {
const settingToChange = { const settingToChange = {
settings: [{ settings: [{
key: 'labs', key: 'labs',
@ -487,13 +487,7 @@ describe('Settings API (v3)', function () {
should.exist(jsonResponse); should.exist(jsonResponse);
should.exist(jsonResponse.settings); should.exist(jsonResponse.settings);
jsonResponse.settings.length.should.eql(1); jsonResponse.settings.length.should.eql(0);
testUtils.API.checkResponseValue(jsonResponse.settings[0], ['id', 'group', 'key', 'value', 'type', 'flags', 'created_at', 'updated_at']);
jsonResponse.settings[0].key.should.eql('labs');
jsonResponse.settings[0].value.should.eql(JSON.stringify({
activitypub: true
}));
}); });
it('Can\'t read non existent setting', function (done) { it('Can\'t read non existent setting', function (done) {