Removed support for id specific permissions
ref ENG-728 ref https://linear.app/tryghost/issue/ENG-728 This is not used anywhere and makes the code more complicated; removing it is a good step toward simplifying permissions and pulling them out of the database.
This commit is contained in:
parent
e29c653ef6
commit
cb72835af1
2 changed files with 1 additions and 105 deletions
@ -59,26 +59,12 @@ class CanThisResult {
|
||||||
let hasMemberPermission = false;
|
let hasMemberPermission = false;
|
||||||
|
|
||||||
const checkPermission = function (perm) {
|
const checkPermission = function (perm) {
|
||||||
let permObjId;
|
|
||||||
|
|
||||||
// Look for a matching action type and object type first
|
// Look for a matching action type and object type first
|
||||||
if (perm.get('action_type') !== actType || perm.get('object_type') !== objType) {
|
if (perm.get('action_type') !== actType || perm.get('object_type') !== objType) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Grab the object id (if specified, could be null)
|
|
||||||
permObjId = perm.get('object_id');
|
|
||||||
|
|
||||||
// If we didn't specify a model (any thing)
|
|
||||||
// or the permission didn't have an id scope set
|
|
||||||
// then the "thing" has permission
|
|
||||||
if (!modelId || !permObjId) {
|
|
||||||
return true;
|
return true;
|
||||||
}
|
|
||||||
|
|
||||||
// Otherwise, check if the id's match
|
|
||||||
// TODO: String vs Int comparison possibility here?
|
|
||||||
return modelId === permObjId;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
if (loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Owner'})) {
|
if (loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Owner'})) {
|
||||||
|
|
|
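Review bot: With the id comparison removed, a permission row whose `object_id` is still populated now matches every object of its type, because the only check left in `checkPermission` before the final `return true;` is the action/object type test. The description says id-scoped permissions are not used, but if any such row still exists in the stored permissions this silently widens a scoped grant into an unscoped one; failing closed on those rows until the column itself is dropped would be safer, e.g. `if (perm.get('object_id')) { return false; }` placed after the type check, and the comment `// Look for a matching action type and object type first` should in any case be reworded to `// A permission matches on action type and object type only; object_id is no longer honoured`. The `modelId` value that the removed branch read appears to be unused by this closure now — worth confirming whether the enclosing method, which starts and ends outside the hunk, still consumes it. The three 'Specific permissions' tests deleted in the test file are not replaced by one asserting what a permission with `object_id` set now grants.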
@ -308,96 +308,6 @@ describe('Permissions', function () {
|
||||||
.catch(done);
|
.catch(done);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('Specific permissions: can edit correct specific tag (no permissible function on model)', function (done) {
|
|
||||||
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
|
|
||||||
// Fake the response from providers.user, which contains permissions and roles
|
|
||||||
return Promise.resolve({
|
|
||||||
permissions: models.Permissions.forge([
|
|
||||||
{
|
|
||||||
id: 'abc123',
|
|
||||||
name: 'test',
|
|
||||||
action_type: 'edit',
|
|
||||||
object_type: 'tag',
|
|
||||||
object_id: 1
|
|
||||||
}
|
|
||||||
]).models,
|
|
||||||
roles: undefined
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
permissions
|
|
||||||
.canThis({user: {}}) // user context
|
|
||||||
.edit
|
|
||||||
.tag({id: 1}) // tag id in model syntax
|
|
||||||
.then(function (res) {
|
|
||||||
userProviderStub.callCount.should.eql(1);
|
|
||||||
should.not.exist(res);
|
|
||||||
done();
|
|
||||||
})
|
|
||||||
.catch(done);
|
|
||||||
});
|
|
||||||
|
|
||||||
it('Specific permissions: cannot edit incorrect specific tag (no permissible function on model)', function (done) {
|
|
||||||
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
|
|
||||||
// Fake the response from providers.user, which contains permissions and roles
|
|
||||||
return Promise.resolve({
|
|
||||||
permissions: models.Permissions.forge([
|
|
||||||
{
|
|
||||||
id: 'abc123',
|
|
||||||
name: 'test',
|
|
||||||
action_type: 'edit',
|
|
||||||
object_type: 'tag',
|
|
||||||
object_id: 1
|
|
||||||
}
|
|
||||||
]).models,
|
|
||||||
roles: undefined
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
permissions
|
|
||||||
.canThis({user: {}}) // user context
|
|
||||||
.edit
|
|
||||||
.tag({id: 10}) // tag id in model syntax
|
|
||||||
.then(function () {
|
|
||||||
done(new Error('was able to edit tag without permission'));
|
|
||||||
})
|
|
||||||
.catch(function (err) {
|
|
||||||
userProviderStub.callCount.should.eql(1);
|
|
||||||
err.errorType.should.eql('NoPermissionError');
|
|
||||||
done();
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
// @TODO fix this case - it makes no sense?!
|
|
||||||
it('Specific permissions: CAN edit non-specific tag (no permissible function on model) @TODO fix this', function (done) {
|
|
||||||
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
|
|
||||||
// Fake the response from providers.user, which contains permissions and roles
|
|
||||||
return Promise.resolve({
|
|
||||||
permissions: models.Permissions.forge([
|
|
||||||
{
|
|
||||||
id: 'abc123',
|
|
||||||
name: 'test',
|
|
||||||
action_type: 'edit',
|
|
||||||
object_type: 'tag',
|
|
||||||
object_id: 1
|
|
||||||
}
|
|
||||||
]).models,
|
|
||||||
roles: undefined
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
permissions
|
|
||||||
.canThis({user: {}}) // user context
|
|
||||||
.edit
|
|
||||||
.tag() // tag id in model syntax
|
|
||||||
.then(function (res) {
|
|
||||||
userProviderStub.callCount.should.eql(1);
|
|
||||||
should.not.exist(res);
|
|
||||||
done();
|
|
||||||
})
|
|
||||||
.catch(done);
|
|
||||||
});
|
|
||||||
|
|
||||||
it('With owner role: can edit tag (no permissible function on model)', function (done) {
|
it('With owner role: can edit tag (no permissible function on model)', function (done) {
|
||||||
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
|
const userProviderStub = sinon.stub(providers, 'user').callsFake(function () {
|
||||||
// Fake the response from providers.user, which contains permissions and roles
|
// Fake the response from providers.user, which contains permissions and roles
|
||||||
|
|