Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-02-10 23:36:14 -05:00
Code Issues Activity

Removed bypassing option filtering in User model

Browse source 
no issue

- the logic here bypasses filtering options!
- that is wrong, because if we filter out certain options e.g. include
- the tests from the previous commit fail because of this
- if we don't fix this logic, the tests won't pass, because as said, you can bypass certain logic e.g. remove roles from include
- this has worked before, because we passed the wrong options via the API layer
- was introduced here 014e2c88dd, because of https://github.com/TryGhost/Ghost/pull/6122
- add proper tests to proof that these queries work!!
This commit is contained in:
kirrg001 2017-09-27 10:28:31 +02:00 committed by Hannah Wolfe
parent 1e2beface1
commit e347163940
3 changed files with 93 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
core/server/models/user.js
View file

@ -336,7 +336,6 @@ User = ghostBookshelf.Model.extend({
findOne: function findOne(dataToClone, options) {
var query,
status,
optInc,
data = _.cloneDeep(dataToClone),
lookupRole = data.role;
@ -348,14 +347,9 @@ User = ghostBookshelf.Model.extend({
status = data.status;
delete data.status;
options = _.cloneDeep(options || {});
optInc = options.include;
options.withRelated = _.union(options.withRelated, options.include);
data = this.filterData(data);
options = this.filterOptions(options, 'findOne');
delete options.include;
options.include = optInc;
options.withRelated = _.union(options.withRelated, options.include);
// Support finding by role
if (lookupRole) {

46
core/test/functional/routes/api/public_api_spec.js
View file

@ -373,6 +373,52 @@ describe('Public API', function () {
});
});
it('browse user by slug: count.posts', function (done) {
request.get(testUtils.API.getApiQuery('users/slug/ghost/?client_id=ghost-admin&client_secret=not_available&include=count.posts'))
.set('Origin', testUtils.API.getURL())
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200)
.end(function (err, res) {
if (err) {
return done(err);
}
should.not.exist(res.headers['x-cache-invalidate']);
var jsonResponse = res.body;
should.exist(jsonResponse.users);
jsonResponse.users.should.have.length(1);
// We don't expose the email address.
testUtils.API.checkResponse(jsonResponse.users[0], 'user', ['count'], ['email']);
done();
});
});
it('browse user by id: count.posts', function (done) {
request.get(testUtils.API.getApiQuery('users/1/?client_id=ghost-admin&client_secret=not_available&include=count.posts'))
.set('Origin', testUtils.API.getURL())
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200)
.end(function (err, res) {
if (err) {
return done(err);
}
should.not.exist(res.headers['x-cache-invalidate']);
var jsonResponse = res.body;
should.exist(jsonResponse.users);
jsonResponse.users.should.have.length(1);
// We don't expose the email address.
testUtils.API.checkResponse(jsonResponse.users[0], 'user', ['count'], ['email']);
done();
});
});
it('[unsupported] browse user by email', function (done) {
request
.get(testUtils.API.getApiQuery('users/email/ghost-author@ghost.org/?client_id=ghost-admin&client_secret=not_available'))

46
core/test/functional/routes/api/users_spec.js
View file

@ -312,6 +312,52 @@ describe('User API', function () {
});
});
it('can retrieve a user by slug with count.posts', function (done) {
request.get(testUtils.API.getApiQuery('users/slug/joe-bloggs/?include=count.posts'))
.set('Authorization', 'Bearer ' + ownerAccessToken)
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200)
.end(function (err, res) {
if (err) {
return done(err);
}
should.not.exist(res.headers['x-cache-invalidate']);
var jsonResponse = res.body;
should.exist(jsonResponse.users);
should.not.exist(jsonResponse.meta);
jsonResponse.users.should.have.length(1);
testUtils.API.checkResponse(jsonResponse.users[0], 'user', ['count']);
done();
});
});
it('can retrieve a user by id with count.posts', function (done) {
request.get(testUtils.API.getApiQuery('users/1/?include=count.posts'))
.set('Authorization', 'Bearer ' + ownerAccessToken)
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200)
.end(function (err, res) {
if (err) {
return done(err);
}
should.not.exist(res.headers['x-cache-invalidate']);
var jsonResponse = res.body;
should.exist(jsonResponse.users);
should.not.exist(jsonResponse.meta);
jsonResponse.users.should.have.length(1);
testUtils.API.checkResponse(jsonResponse.users[0], 'user', ['count']);
done();
});
});
it('can\'t retrieve non existent user by id', function (done) {
request.get(testUtils.API.getApiQuery('users/' + ObjectId.generate() + '/'))
.set('Authorization', 'Bearer ' + ownerAccessToken)