Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-27 22:49:56 -05:00
Code Issues Activity

Removed support for id specific permissions

Browse source 
ref ENG-728
ref https://linear.app/tryghost/issue/ENG-728

This is not used anywhere, and makes the code more complicated, it's a good
step toward simplifying permissions and pulling them out of the database.
This commit is contained in:
Fabien O'Carroll 2024-03-20 12:21:06 -04:00 committed by Fabien 'egg' O'Carroll
parent e29c653ef6
commit cb72835af1
2 changed files with 1 additions and 105 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
ghost/core/core/server/services/permissions/can-this.js
View file

@ -59,26 +59,12 @@ class CanThisResult {
let hasMemberPermission = false;
const checkPermission = function (perm) {
let permObjId;
// Look for a matching action type and object type first
if (perm.get('action_type') !== actType || perm.get('object_type') !== objType) {
return false;
}
// Grab the object id (if specified, could be null)
permObjId = perm.get('object_id');
// If we didn't specify a model (any thing)
// or the permission didn't have an id scope set
// then the "thing" has permission
if (!modelId || !permObjId) {
return true;
}
// Otherwise, check if the id's match
// TODO: String vs Int comparison possibility here?
return modelId === permObjId;
return true;
};
if (loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Owner'})) {

90
ghost/core/test/unit/server/services/permissions/can-this.test.js
View file

@ -308,96 +308,6 @@ describe('Permissions', function () {
.catch(done);
});
it('Specific permissions: can edit correct specific tag (no permissible function on model)', function (done) {
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: models.Permissions.forge([
{
id: 'abc123',
name: 'test',
action_type: 'edit',
object_type: 'tag',
object_id: 1
}
]).models,
roles: undefined
});
});
permissions
.canThis({user: {}}) // user context
.edit
.tag({id: 1}) // tag id in model syntax
.then(function (res) {
userProviderStub.callCount.should.eql(1);
should.not.exist(res);
done();
})
.catch(done);
});
it('Specific permissions: cannot edit incorrect specific tag (no permissible function on model)', function (done) {
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: models.Permissions.forge([
{
id: 'abc123',
name: 'test',
action_type: 'edit',
object_type: 'tag',
object_id: 1
}
]).models,
roles: undefined
});
});
permissions
.canThis({user: {}}) // user context
.edit
.tag({id: 10}) // tag id in model syntax
.then(function () {
done(new Error('was able to edit tag without permission'));
})
.catch(function (err) {
userProviderStub.callCount.should.eql(1);
err.errorType.should.eql('NoPermissionError');
done();
});
});
// @TODO fix this case - it makes no sense?!
it('Specific permissions: CAN edit non-specific tag (no permissible function on model) @TODO fix this', function (done) {
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
// Fake the response from providers.user, which contains permissions and roles
return Promise.resolve({
permissions: models.Permissions.forge([
{
id: 'abc123',
name: 'test',
action_type: 'edit',
object_type: 'tag',
object_id: 1
}
]).models,
roles: undefined
});
});
permissions
.canThis({user: {}}) // user context
.edit
.tag() // tag id in model syntax
.then(function (res) {
userProviderStub.callCount.should.eql(1);
should.not.exist(res);
done();
})
.catch(done);
});
it('With owner role: can edit tag (no permissible function on model)', function (done) {
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
// Fake the response from providers.user, which contains permissions and roles