From cb72835af151c5f92facf61acb06751e59528411 Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Wed, 20 Mar 2024 12:21:06 -0400
Subject: [PATCH] Removed support for id specific permissions

ref ENG-728
ref https://linear.app/tryghost/issue/ENG-728

This is not used anywhere, and makes the code more complicated, it's a good step toward simplifying permissions and pulling them out of the database.
---
 .../server/services/permissions/can-this.js | 16 +---
 .../services/permissions/can-this.test.js | 90 -------------------
 2 files changed, 1 insertion(+), 105 deletions(-)

diff --git a/ghost/core/core/server/services/permissions/can-this.js b/ghost/core/core/server/services/permissions/can-this.js
index 84cf513cbf..feb7acfb90 100644
--- a/ghost/core/core/server/services/permissions/can-this.js
+++ b/ghost/core/core/server/services/permissions/can-this.js
@@ -59,26 +59,12 @@ class CanThisResult {
 let hasMemberPermission = false;
 const checkPermission = function (perm) {
- let permObjId;
-
 // Look for a matching action type and object type first
 if (perm.get('action_type') !== actType || perm.get('object_type') !== objType) {
 return false;
 }
- // Grab the object id (if specified, could be null)
- permObjId = perm.get('object_id');
-
- // If we didn't specify a model (any thing)
- // or the permission didn't have an id scope set
- // then the "thing" has permission
- if (!modelId || !permObjId) {
- return true;
- }
-
- // Otherwise, check if the id's match
- // TODO: String vs Int comparison possibility here?
- return modelId === permObjId;
+ return true;
 };
 if (loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Owner'})) {
diff --git a/ghost/core/test/unit/server/services/permissions/can-this.test.js b/ghost/core/test/unit/server/services/permissions/can-this.test.js
index 49c40a5e23..653065640d 100644
--- a/ghost/core/test/unit/server/services/permissions/can-this.test.js
+++ b/ghost/core/test/unit/server/services/permissions/can-this.test.js
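Review bot: With the object_id branch removed, `checkPermission` in can-this.js is a two-field equality test that still reads as the first half of a two-stage check: the `// Look for a matching action type and object type first` comment and the separate `return false` / `return true` no longer have a second stage to refer to. The same predicate fits on one line, `return perm.get('action_type') === actType && perm.get('object_type') === objType;`, preceded by a comment such as `// object_id is intentionally ignored: permissions are scoped by action/object type only`. A stored permission row that still carries a non-null `object_id` now matches every object of its type instead of one; the commit message says the feature is unused, so a debug log when `perm.get('object_id')` is non-null would surface that assumption rather than widening access silently. The enclosing method and its `modelId` variable begin and end outside the hunk, so whether `modelId` is still referenced elsewhere can't be confirmed from here.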
@@ -308,96 +308,6 @@ describe('Permissions', function () {
 .catch(done);
 });
- it('Specific permissions: can edit correct specific tag (no permissible function on model)', function (done) {
- const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
- // Fake the response from providers.user, which contains permissions and roles
- return Promise.resolve({
- permissions: models.Permissions.forge([
- {
- id: 'abc123',
- name: 'test',
- action_type: 'edit',
- object_type: 'tag',
- object_id: 1
- }
- ]).models,
- roles: undefined
- });
- });
-
- permissions
- .canThis({user: {}}) // user context
- .edit
- .tag({id: 1}) // tag id in model syntax
- .then(function (res) {
- userProviderStub.callCount.should.eql(1);
- should.not.exist(res);
- done();
- })
- .catch(done);
- });
-
- it('Specific permissions: cannot edit incorrect specific tag (no permissible function on model)', function (done) {
- const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
- // Fake the response from providers.user, which contains permissions and roles
- return Promise.resolve({
- permissions: models.Permissions.forge([
- {
- id: 'abc123',
- name: 'test',
- action_type: 'edit',
- object_type: 'tag',
- object_id: 1
- }
- ]).models,
- roles: undefined
- });
- });
-
- permissions
- .canThis({user: {}}) // user context
- .edit
- .tag({id: 10}) // tag id in model syntax
- .then(function () {
- done(new Error('was able to edit tag without permission'));
- })
- .catch(function (err) {
- userProviderStub.callCount.should.eql(1);
- err.errorType.should.eql('NoPermissionError');
- done();
- });
- });
-
- // @TODO fix this case - it makes no sense?!
- it('Specific permissions: CAN edit non-specific tag (no permissible function on model) @TODO fix this', function (done) {
- const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
- // Fake the response from providers.user, which contains permissions and roles
- return Promise.resolve({
- permissions: models.Permissions.forge([
- {
- id: 'abc123',
- name: 'test',
- action_type: 'edit',
- object_type: 'tag',
- object_id: 1
- }
- ]).models,
- roles: undefined
- });
- });
-
- permissions
- .canThis({user: {}}) // user context
- .edit
- .tag() // tag id in model syntax
- .then(function (res) {
- userProviderStub.callCount.should.eql(1);
- should.not.exist(res);
- done();
- })
- .catch(done);
- });
-
 it('With owner role: can edit tag (no permissible function on model)', function (done) {
 const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
 // Fake the response from providers.user, which contains permissions and roles