
Refactor omit of password

- remove the password in toJSON() instead of filtering every occurrence of a user
- changed the faulty error type 'NotFound' to 'NoPermission'
Sebastian Gierlinger 2014-05-06 12:14:58 +02:00
parent 8a4e0e27f2
commit b98709b3ce
3 changed files with 24 additions and 53 deletions


@ -2,7 +2,6 @@ var when = require('when'),
_ = require('lodash'),
dataProvider = require('../models'),
canThis = require('../permissions').canThis,
filteredUserAttributes = require('./users').filteredAttributes,
posts,
allowedIncludes = ['created_by', 'updated_by', 'published_by', 'author', 'tags', 'fields'];
@ -45,17 +44,7 @@ posts = {
}
// **returns:** a promise for a page of posts in a json object
return dataProvider.Post.findPage(options).then(function (result) {
var i = 0,
omitted = result;
for (i = 0; i < omitted.posts.length; i = i + 1) {
if (!_.isNumber(omitted.posts[i].author)) {
omitted.posts[i].author = _.omit(omitted.posts[i].author, filteredUserAttributes);
}
}
return omitted;
});
return dataProvider.Post.findPage(options);
},
// #### Read
@ -76,14 +65,8 @@ posts = {
// **returns:** a promise for a single post in a json object
return dataProvider.Post.findOne(options, {include: include}).then(function (result) {
var omitted;
if (result) {
omitted = result.toJSON();
if (!_.isNumber(omitted.author)) {
omitted.author = _.omit(omitted.author, filteredUserAttributes);
}
return { posts: [ omitted ]};
return { posts: [ result.toJSON() ]};
}
return when.reject({type: 'NotFound', message: 'Post not found.'});
@ -108,15 +91,13 @@ posts = {
return dataProvider.Post.edit(checkedPostData.posts[0], {user: self.user, include: include});
}).then(function (result) {
if (result) {
var omitted = result.toJSON();
if (!_.isNumber(omitted.author)) {
omitted.author = _.omit(omitted.author, filteredUserAttributes);
}
var post = result.toJSON();
// If previously was not published and now is, signal the change
if (result.updated('status') !== result.get('status')) {
omitted.statusChanged = true;
post.statusChanged = true;
}
return { posts: [ omitted ]};
return { posts: [ post ]};
}
return when.reject({type: 'NotFound', message: 'Post not found.'});
@ -141,15 +122,13 @@ posts = {
return dataProvider.Post.add(checkedPostData.posts[0], {user: self.user, include: include});
}).then(function (result) {
var omitted = result.toJSON();
if (!_.isNumber(omitted.author)) {
omitted.author = _.omit(omitted.author, filteredUserAttributes);
}
if (omitted.status === 'published') {
var post = result.toJSON();
if (post.status === 'published') {
// When creating a new post that is published right now, signal the change
omitted.statusChanged = true;
post.statusChanged = true;
}
return { posts: [ omitted ]};
return { posts: [ post ]};
});
}, function () {
return when.reject({type: 'NoPermission', message: 'You do not have permission to add posts.'});
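Review bot: The browse handler now returns `dataProvider.Post.findPage(options)` with no filtering at all, so whether a password hash leaks through the `author` relation now depends entirely on findPage serialising its posts via the models' toJSON; the removed loop treated `omitted.posts[i].author` as an already-plain object, which suggests it does, but nothing in this section shows it. The same holds for `created_by`, `updated_by` and `published_by` from allowedIncludes, which the old `_.omit` code never filtered, so the change only widens coverage if related users are routed through User.prototype.toJSON rather than copied as raw attributes. I would pin that down with a test that browses and reads with every entry of allowedIncludes and asserts that no nested object in the response carries the key, e.g. `assert.strictEqual(JSON.stringify(response).indexOf('"password"'), -1);`. The add handler whose NoPermission rejection closes this section starts outside the hunk.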


@ -4,7 +4,6 @@ var when = require('when'),
settings = require('./settings'),
canThis = require('../permissions').canThis,
ONE_DAY = 86400000,
filteredAttributes = ['password'],
users;
@ -23,21 +22,10 @@ users = {
// **returns:** a promise for a collection of users in a json object
return canThis(this.user).browse.user().then(function () {
return dataProvider.User.findAll(options).then(function (result) {
var omitted = {},
i;
if (result) {
omitted = result.toJSON();
}
for (i = 0; i < omitted.length; i = i + 1) {
omitted[i] = _.omit(omitted[i], filteredAttributes);
}
return { users: omitted };
return { users: result.toJSON() };
});
}, function () {
return when.reject({type: 'NotFound', message: 'You do not have permission to browse users.'});
return when.reject({type: 'NoPermission', message: 'You do not have permission to browse users.'});
});
},
@ -51,8 +39,7 @@ users = {
return dataProvider.User.findOne(args).then(function (result) {
if (result) {
var omitted = _.omit(result.toJSON(), filteredAttributes);
return { users: [omitted] };
return { users: [result.toJSON()] };
}
return when.reject({type: 'NotFound', message: 'User not found.'});
@ -69,8 +56,7 @@ users = {
return dataProvider.User.edit(checkedUserData.users[0], {user: self.user});
}).then(function (result) {
if (result) {
var omitted = _.omit(result.toJSON(), filteredAttributes);
return { users: [omitted]};
return { users: [result.toJSON()]};
}
return when.reject({type: 'NotFound', message: 'User not found.'});
});
@ -94,8 +80,7 @@ users = {
return dataProvider.User.add(checkedUserData.users[0], {user: self.user});
}).then(function (result) {
if (result) {
var omitted = _.omit(result.toJSON(), filteredAttributes);
return { users: [omitted]};
return { users: [result.toJSON()]};
}
});
}, function () {
@ -160,4 +145,3 @@ users = {
};
module.exports = users;
module.exports.filteredAttributes = filteredAttributes;
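Review bot: Dropping `module.exports.filteredAttributes` at the end of this section is a silent break for any other module that still imports it: lodash's `_.omit(obj, undefined)` appears to treat a missing property list as nothing to omit and returns the object unfiltered rather than throwing, so a stale consumer would keep emitting the hash with no error. The diffstat lists three files and posts.js is the only consumer visible here, but I would grep the tree and the tests for `filteredAttributes` before merging. With the explicit `_.omit` calls gone from browse, read, edit and add, nothing in this file asserts the contract any more, so a per-handler check such as `assert.strictEqual(result.users[0].password, undefined);` would guard against a later change to User.toJSON. The NoPermission fix on the browse rejection is right, and the NotFound rejections left in read and edit refer to a missing user and are correct as they stand; the add handler's rejection branch runs past the hunk.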


@ -61,6 +61,14 @@ User = ghostBookshelf.Model.extend({
}
},
toJSON: function (options) {
var attrs = ghostBookshelf.Model.prototype.toJSON.call(this, options);
// remove password hash for security reasons
delete attrs.password;
return attrs;
},
posts: function () {
return this.hasMany(Posts, 'created_by');
},
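Review bot: The new toJSON override deletes `attrs.password` only from the serialised copy, so any internal code that reads the hash must keep using `this.get('password')` or `this.attributes`; a caller that compared against `user.toJSON().password` would now compare against undefined instead of failing loudly, which is worth a grep of the model and auth code. The comment `// remove password hash for security reasons` should state the contract, e.g. `// Always strip the password hash from the serialised form, including when a user is nested as a relation of another model (author, created_by, ...); use get('password') for internal checks.` A unit test that serialises a User with a password set and asserts the key is absent, plus one that serialises a Post fetched with `include: ['author']`, would pin both paths, since the relation case relies on Bookshelf routing related models through their own toJSON (likely, but not shown here). The override also assumes the base toJSON hands back a fresh object so the delete cannot mutate the model's own attributes — confirm that against ghostBookshelf's implementation. The User model's extend call starts before this hunk.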