Switched to use new implementation of authorizeAdminApi
refs #9865 - see code comments
parent
de7ba3cd85
commit
e90148e7c3
4 changed files with 13 additions and 41 deletions
|
@ -43,8 +43,6 @@ const authorize = {
|
|||
};
|
||||
},
|
||||
|
||||
authorizeAdminApi: [session.ensureUser],
|
||||
|
||||
authorizeContentApi(req, res, next) {
|
||||
const hasApiKey = req.api_key && req.api_key.id;
|
||||
const hasMember = req.member;
|
||||
|
@ -59,7 +57,13 @@ const authorize = {
|
|||
}));
|
||||
},
|
||||
|
||||
requiresAuthorizedUserOrApiKey(req, res, next) {
|
||||
/**
|
||||
* @NOTE:
|
||||
*
|
||||
* We don't support admin api keys yet, but we can already use this authorization helper, because
|
||||
* we have not connected authenticating with admin api keys yet. `req.api_key` will be always null.
|
||||
*/
|
||||
authorizeAdminApi(req, res, next) {
|
||||
const hasUser = req.user && req.user.id;
|
||||
const hasApiKey = req.api_key && req.api_key.id;
|
||||
|
||||
|
|
|
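Review bot: In the second hunk the new `authorizeAdminApi` reads `req.api_key` as well as `req.user`, whereas the entry it replaces, `authorizeAdminApi: [session.ensureUser]`, let a request through only when `req.user.id` was set. The function body continues outside the hunk, but judging by its previous name `requiresAuthorizedUserOrApiKey` it presumably accepts either credential, so admin routes stay user-only solely because of the `@NOTE` claim that `req.api_key` is always null; `authorizeContentApi` in this same file shows that some middleware does populate `req.api_key` for content keys. I would spell that invariant out in the comment, e.g. `* Invariant: nothing mounted before this helper on admin routes may set req.api_key until admin api keys are supported.`, so that a later change to the admin middleware stack does not silently widen access. A unit test pinning what the helper does for a request that carries only `req.api_key` would also help, since this commit deletes the `ensureUser` tests and the visible sections add none for the new helper.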
@ -2,22 +2,24 @@ module.exports = {
|
|||
get getSession() {
|
||||
return require('./middleware').getSession;
|
||||
},
|
||||
|
||||
get cookieCsrfProtection() {
|
||||
return require('./middleware').cookieCsrfProtection;
|
||||
},
|
||||
|
||||
get safeGetSession() {
|
||||
return require('./middleware').safeGetSession;
|
||||
},
|
||||
|
||||
get createSession() {
|
||||
return require('./middleware').createSession;
|
||||
},
|
||||
|
||||
get destroySession() {
|
||||
return require('./middleware').destroySession;
|
||||
},
|
||||
|
||||
get getUser() {
|
||||
return require('./middleware').getUser;
|
||||
},
|
||||
get ensureUser() {
|
||||
return require('./middleware').ensureUser;
|
||||
}
|
||||
};
|
||||
|
|
|
@ -91,15 +91,6 @@ const getUser = (req, res, next) => {
|
|||
});
|
||||
};
|
||||
|
||||
const ensureUser = (req, res, next) => {
|
||||
if (req.user && req.user.id) {
|
||||
return next();
|
||||
}
|
||||
next(new common.errors.UnauthorizedError({
|
||||
message: common.i18n.t('errors.middleware.auth.accessDenied')
|
||||
}));
|
||||
};
|
||||
|
||||
const cookieCsrfProtection = (req, res, next) => {
|
||||
// If there is no origin on the session object it means this is a *new*
|
||||
// session, that hasn't been initialised yet. So we don't need CSRF protection
|
||||
|
@ -126,6 +117,5 @@ module.exports = exports = {
|
|||
safeGetSession: [getSession, cookieCsrfProtection],
|
||||
createSession,
|
||||
destroySession,
|
||||
getUser,
|
||||
ensureUser
|
||||
getUser
|
||||
};
|
||||
|
|
|
@ -202,30 +202,6 @@ describe('Session Service', function () {
|
|||
});
|
||||
});
|
||||
|
||||
describe('ensureUser', function () {
|
||||
it('calls next with no error if req.user.id exists', function (done) {
|
||||
const req = fakeReq();
|
||||
const res = fakeRes();
|
||||
const user = models.User.forge({id: 23});
|
||||
req.user = user;
|
||||
|
||||
sessionService.ensureUser(req, res, function next(err) {
|
||||
should.equal(err, null);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('calls next with UnauthorizedError if req.user.id does not exist', function (done) {
|
||||
const req = fakeReq();
|
||||
const res = fakeRes();
|
||||
|
||||
sessionService.ensureUser(req, res, function next(err) {
|
||||
should.equal(err instanceof UnauthorizedError, true);
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('CSRF protection', function () {
|
||||
it('calls next if the session is uninitialized', function (done) {
|
||||
const req = fakeReq();
|
||||
|
|