Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-02-10 23:36:14 -05:00
Code Issues Activity

Check setup status when making API responses

Browse source 
Closes #3303, Closes #3299
- Check whether or not setup has been completed when deciding
  how to respond to certain API requests.
- Add tests.
This commit is contained in:
Jason Williams 2014-07-18 20:40:47 +00:00
parent f8a924731a
commit 7d3139d093
2 changed files with 216 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
core/server/api/authentication.js
View file

@ -26,7 +26,15 @@ authentication = {
var expires = Date.now() + ONE_DAY, var expires = Date.now() + ONE_DAY,
email; email;
return utils.checkObject(object, 'passwordreset').then(function (checkedPasswordReset) { return authentication.isSetup().then(function (result) {
var setup = result.setup[0].status;
if (!setup) {
return when.reject(new errors.NoPermissionError('Setup must be completed before making this request.'));
}
return utils.checkObject(object, 'passwordreset');
}).then(function (checkedPasswordReset) {
if (checkedPasswordReset.passwordreset[0].email) { if (checkedPasswordReset.passwordreset[0].email) {
email = checkedPasswordReset.passwordreset[0].email; email = checkedPasswordReset.passwordreset[0].email;
} else { } else {
@ -63,6 +71,7 @@ authentication = {
if (error && error.message === 'NotFound') { if (error && error.message === 'NotFound') {
error = new errors.UnauthorizedError('Invalid email address'); error = new errors.UnauthorizedError('Invalid email address');
} }
return when.reject(error); return when.reject(error);
}); });
}); });
@ -78,7 +87,16 @@ authentication = {
var resetToken, var resetToken,
newPassword, newPassword,
ne2Password; ne2Password;
return utils.checkObject(object, 'passwordreset').then(function (checkedPasswordReset) {
return authentication.isSetup().then(function (result) {
var setup = result.setup[0].status;
if (!setup) {
return when.reject(new errors.NoPermissionError('Setup must be completed before making this request.'));
}
return utils.checkObject(object, 'passwordreset');
}).then(function (checkedPasswordReset) {
resetToken = checkedPasswordReset.passwordreset[0].token; resetToken = checkedPasswordReset.passwordreset[0].token;
newPassword = checkedPasswordReset.passwordreset[0].newPassword; newPassword = checkedPasswordReset.passwordreset[0].newPassword;
ne2Password = checkedPasswordReset.passwordreset[0].ne2Password; ne2Password = checkedPasswordReset.passwordreset[0].ne2Password;
@ -106,7 +124,15 @@ authentication = {
name, name,
email; email;
return utils.checkObject(object, 'invitation').then(function (checkedInvitation) { return authentication.isSetup().then(function (result) {
var setup = result.setup[0].status;
if (!setup) {
return when.reject(new errors.NoPermissionError('Setup must be completed before making this request.'));
}
return utils.checkObject(object, 'invitation');
}).then(function (checkedInvitation) {
resetToken = checkedInvitation.invitation[0].token; resetToken = checkedInvitation.invitation[0].token;
newPassword = checkedInvitation.invitation[0].password; newPassword = checkedInvitation.invitation[0].password;
ne2Password = checkedInvitation.invitation[0].password; ne2Password = checkedInvitation.invitation[0].password;
@ -127,7 +153,6 @@ authentication = {
}, },
isSetup: function () { isSetup: function () {
return dataProvider.User.query(function (qb) { return dataProvider.User.query(function (qb) {
qb.where('status', '=', 'active') qb.where('status', '=', 'active')
.orWhere('status', '=', 'warn-1') .orWhere('status', '=', 'warn-1')
@ -148,7 +173,15 @@ authentication = {
setup: function (object) { setup: function (object) {
var setupUser; var setupUser;
return utils.checkObject(object, 'setup').then(function (checkedSetupData) { return authentication.isSetup().then(function (result) {
var setup = result.setup[0].status;
if (setup) {
return when.reject(new errors.NoPermissionError('Setup has already been completed.'));
}
return utils.checkObject(object, 'setup');
}).then(function (checkedSetupData) {
setupUser = { setupUser = {
name: checkedSetupData.setup[0].name, name: checkedSetupData.setup[0].name,
email: checkedSetupData.setup[0].email, email: checkedSetupData.setup[0].email,
@ -206,8 +239,6 @@ authentication = {
}); });
}).then(function () { }).then(function () {
return when.resolve({ users: [setupUser]}); return when.resolve({ users: [setupUser]});
}).otherwise(function (error) {
return when.reject(new errors.UnauthorizedError(error.message));
}); });
} }
}; };

177
core/test/integration/api/api_authentication_spec.js Normal file
View file

@ -0,0 +1,177 @@
var testUtils = require('../../utils'),
should = require('should'),
when = require('when'),
rewire = require('rewire'),
mail = rewire('../../../server/api/mail'),
permissions = require('../../../server/permissions'),
settings = require('../../../server/api/settings'),
authentication = require('../../../server/api/authentication');
describe('Authentication API', function () {
before(function (done) {
testUtils.clearData().then(function () {
done();
}).catch(done);
});
describe('Setup', function () {
describe('Not completed', function () {
beforeEach(function (done) {
testUtils.clearData().then(function () {
return testUtils.initData().then(function () {
return permissions.init().then(function () {
return settings.updateSettingsCache();
});
});
}).then(function () {
done();
}).catch(done);
});
it('should report that setup has not been completed', function (done) {
authentication.isSetup().then(function (result) {
should.exist(result);
result.setup[0].status.should.be.false;
done();
}).catch(done);
});
it('should allow setup to be completed', function (done) {
var setupData = {
name: 'test user',
email: 'test@example.com',
password: 'areallygoodpassword',
title: 'a test blog'
},
send = mail.__get__('mail.send');
mail.__set__('mail.send', function () {
return when.resolve();
});
authentication.setup({ setup: [setupData] }).then(function (result) {
should.exist(result);
var newUser = result.users[0];
newUser.id.should.equal(1);
newUser.name.should.equal(setupData.name);
newUser.email.should.equal(setupData.email);
done();
}).catch(done).finally(function () {
mail.__set__('mail.send', send);
});
});
});
describe('Completed', function () {
beforeEach(function (done) {
testUtils.clearData().then(function () {
return testUtils.initData().then(function () {
return testUtils.insertDefaultFixtures().then(function () {
return permissions.init().then(function () {
return settings.updateSettingsCache();
});
});
});
}).then(function () {
done();
}).catch(done);
});
it('should report that setup has been completed', function (done) {
authentication.isSetup().then(function (result) {
should.exist(result);
result.setup[0].status.should.be.true;
done();
}).catch(done);
});
it('should not allow setup to be run again', function (done) {
var setupData = {
name: 'test user',
email: 'test@example.com',
password: 'areallygoodpassword',
title: 'a test blog'
};
authentication.setup({ setup: [setupData] }).then(function (result) {
done(new Error('Setup was able to be run'));
}).catch(function (err) {
should.exist(err);
err.name.should.equal('NoPermissionError');
err.code.should.equal(403);
done();
});
});
});
});
describe('Authentication', function () {
describe('Setup not completed', function () {
beforeEach(function (done) {
testUtils.clearData().then(function () {
return testUtils.initData().then(function () {
return permissions.init().then(function () {
return settings.updateSettingsCache();
});
});
}).then(function () {
done();
}).catch(done);
});
it('should not allow an invitation to be accepted', function (done) {
authentication.acceptInvitation().then(function () {
done(new Error('Invitation was allowed to be accepted'));
}).catch(function (err) {
should.exist(err);
err.name.should.equal('NoPermissionError');
err.code.should.equal(403);
done();
});
});
it('should not generate a password reset token', function (done) {
authentication.generateResetToken().then(function () {
done(new Error('Reset token was generated'));
}).catch(function (err) {
should.exist(err);
err.name.should.equal('NoPermissionError');
err.code.should.equal(403);
done();
});
});
it('should not allow a password reset', function (done) {
authentication.resetPassword().then(function () {
done(new Error('Password was reset'));
}).catch(function (err) {
should.exist(err);
err.name.should.equal('NoPermissionError');
err.code.should.equal(403);
done();
});
});
});
});
});