
Merge pull request #5539 from jomahoney/owner-perm

Changed admin permissions so the Owner role is only editable by itself
Hannah Wolfe 2015-07-11 11:33:17 +01:00
commit 76ebdfd4f9
2 changed files with 18 additions and 12 deletions


@ -466,6 +466,10 @@ User = ghostBookshelf.Model.extend({
}
if (action === 'edit') {
// Owner can only be editted by owner
if (userModel.hasRole('Owner')) {
hasUserPermission = _.any(loadedPermissions.user.roles, {name: 'Owner'});
}
// Users with the role 'Editor' and 'Author' have complex permissions when the action === 'edit'
// We now have all the info we need to construct the permissions
if (_.any(loadedPermissions.user.roles, {name: 'Author'})) {
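Review bot: The Owner guard assigns `hasUserPermission` and then falls through to the Author branch on the hunk's last line (its body, and presumably an Editor branch after it, continue outside the hunk), so a non-owner caller targeting the Owner account can still have the value reassigned by those later branches; this should be confirmed, or the Owner decision short-circuited so nothing below can re-grant it. The added check reads `loadedPermissions.user.roles` unconditionally, exactly as the existing Author check does, so a context with no user still throws rather than being denied — pre-existing, but the new block is the first place it is hit. The comment on the added block would read more precisely as `// The Owner account can only be edited by the Owner; decided first so later role branches must not re-grant access`. The test changes in this commit show an Admin attempting to edit the Owner; Editor and Author attempts against the Owner account are not visible here and would pin the intended behaviour. The enclosing `action === 'edit'` branch and the model method it belongs to start before the hunk.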


@ -237,14 +237,10 @@ describe('Users API', function () {
}).catch(done);
});
it('Admin can edit all users in all roles', function (done) {
UserAPI.edit({users: [{name: newName}]}, _.extend({}, context.admin, {id: userIdFor.owner}))
it('Admin can edit Admin, Editor and Author roles', function (done) {
UserAPI.edit({users: [{name: newName}]}, _.extend({}, context.admin, {id: userIdFor.admin}))
.then(function (response) {
checkEditResponse(response);
return UserAPI.edit({users: [{name: newName}]}, _.extend({}, context.admin, {id: userIdFor.admin}));
}).then(function (response) {
checkEditResponse(response);
return UserAPI.edit({users: [{name: newName}]}, _.extend({}, context.admin, {id: userIdFor.editor}));
}).then(function (response) {
checkEditResponse(response);
@ -257,14 +253,20 @@ describe('Users API', function () {
}).catch(done);
});
it('Admin can edit all users in all roles with roles in payload', function (done) {
UserAPI.edit({users: [{name: newName, roles: [roleIdFor.owner]}]}, _.extend({}, context.admin, {id: userIdFor.owner}))
.then(function (response) {
it('Admin CANNOT edit Owner role', function (done) {
UserAPI.edit({users: [{name: newName}]}, _.extend({}, context.admin, {id: userIdFor.owner}))
.then(function () {
done(new Error('Admin should not be able to edit owner account'));
}).catch(function (error) {
error.errorType.should.eql('NoPermissionError');
done();
});
});
it('Admin can edit Admin, Editor and Author roles with roles in payload', function (done) {
UserAPI.edit({users: [{name: newName, roles: [roleIdFor.admin]}]}, _.extend({}, context.admin, {id: userIdFor.admin})).then(function (response) {
checkEditResponse(response);
return UserAPI.edit({users: [{name: newName, roles: [roleIdFor.admin]}]}, _.extend({}, context.admin, {id: userIdFor.admin}));
}).then(function (response) {
checkEditResponse(response);
return UserAPI.edit({users: [{name: newName, roles: [roleIdFor.editor]}]}, _.extend({}, context.admin, {id: userIdFor.editor}));
}).then(function (response) {
checkEditResponse(response);