mirror of https://github.com/TryGhost/Ghost.git synced 2025-02-03 23:00:14 -05:00

Added stricter validation for post.authors

refs #10438

- Stripping relational fields in the validation schema allows the redundant code in the post input serializer to be removed
Nazar Gargol 2019-02-14 20:18:51 +00:00
parent e305d5e9cb
commit c58e03a359
2 changed files with 6 additions and 24 deletions


@ -108,30 +108,6 @@ module.exports = {
delete frame.data.posts[0].author;
}
/**
* CASE: we don't support updating nested-nested relations e.g. `post.authors[*].roles` yet.
*
* Bookshelf-relations supports this feature, BUT bookshelf's `hasChanged` fn will currently
* clash with this, because `hasChanged` won't be able to tell if relations have changed or not.
* It would always return `changed.roles = [....]`. It would always throw a model event that relations
* were updated, which is not true.
*
* Bookshelf-relations can tell us if a relation has changed, it knows that.
* But the connection between our model layer, Bookshelf's `hasChanged` fn and Bookshelf-relations
* is not present. As long as we don't support this case, we have to ignore this.
*/
if (frame.data.posts[0].authors && frame.data.posts[0].authors.length) {
_.each(frame.data.posts[0].authors, (author, index) => {
if (author.hasOwnProperty('roles')) {
delete frame.data.posts[0].authors[index].roles;
}
if (author.hasOwnProperty('permissions')) {
delete frame.data.posts[0].authors[index].permissions;
}
});
}
/**
* Model notation is: `tag.parent_id`.
* The API notation is `tag.parent`.


@ -142,6 +142,12 @@
"email": {
"type": "string",
"maxLength": 191
},
"roles": {
"strip": true
},
"permissions": {
"strip": true
}
},
"anyOf": [
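Review bot: The `"roles"` and `"permissions"` entries with `"strip": true` are now the only thing stopping a posts request from carrying an author's roles or permissions, and nothing visible in this hunk shows that `strip` is a keyword the validator has registered or that this schema runs on every posts add and edit path. If the keyword were ignored, or a path skipped schema validation, both fields would reach the model layer unchanged, where, according to the comment removed from the serializer, Bookshelf-relations does support nested updates. A regression test would pin this: send a post with `authors: [{id: '<author-id-placeholder>', roles: [...], permissions: [...]}]` and assert that both keys are absent from `frame.data.posts[0].authors[0]` after validation. The rationale from the removed comment (the `hasChanged` clash) is also worth keeping near the rule, for example as a `"$comment"` beside `"strip": true` if the validator configuration tolerates that keyword.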