801608e077
no-issue Essentially only active users should have their permissions loaded; this means that suspended or inactive users are stripped of all permissions until their status is changed.
var _ = require('lodash'),
Promise = require('bluebird'),
models = require('../../models'),
common = require('../../lib/common');
module.exports = {
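/**
 * Loads the effective permissions of a user by id.
 *
 * Only users with status 'active' are looked up, so a suspended or inactive
 * user (or an unknown id) is treated exactly like a missing user and carries
 * no permissions at all until their status is changed.
 *
 * @param {string} id - user id
 * @returns {Promise<{permissions: Array, roles: Array}>} permissions is an array
 *   of Permission models (deduplicated), roles is the user's roles as JSON
 * @throws {common.errors.NotFoundError} when no active user has this id
 */
user(id) {
    return models.User.findOne({id: id, status: 'active'}, {withRelated: ['permissions', 'roles', 'roles.permissions']})
        .then(function (foundUser) {
            // CASE: {context: {user: id}} where the id is not in our database
            // (or the user is not active). Thrown, as apiKey() does, rather
            // than returned via Promise.reject(); inside .then() both reject.
            if (!foundUser) {
                throw new common.errors.NotFoundError({
                    message: common.i18n.t('errors.models.user.userNotFound')
                });
            }

            // Permissions inherited through each role, in role order, followed
            // by the permissions granted directly to the user.
            const permGroups = _.map(foundUser.related('roles').models, function (role) {
                return role.related('permissions').models;
            });
            permGroups.push(foundUser.related('permissions').models);

            // Dedupe on (action_type, object_type, object_id); the first model
            // seen for a key is kept. A Set is used instead of a plain object
            // so the composite key is never looked up against Object.prototype.
            const seenPerms = new Set();
            const allPerms = [];

            _.each(permGroups, function (permGroup) {
                _.each(permGroup, function (perm) {
                    const key = perm.get('action_type') + '-' + perm.get('object_type') + '-' + perm.get('object_id');

                    // Only add perms once
                    if (seenPerms.has(key)) {
                        return;
                    }

                    seenPerms.add(key);
                    allPerms.push(perm);
                });
            });

            // @TODO fix this!
            // Permissions is an array of models
            // Roles is a JSON array
            return {permissions: allPerms, roles: foundUser.toJSON().roles};
        });
},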
/**
 * Loads the permissions attached to an app by name.
 *
 * Note the return shape differs by outcome and is kept for compatibility:
 * an unknown app resolves to an empty array, a known app to
 * {permissions: [...]} where permissions is an array of Permission models.
 *
 * @param {string} appName - the app's name
 * @returns {Promise<Array|{permissions: Array}>}
 */
app: function (appName) {
    const lookup = models.App.findOne({name: appName}, {withRelated: ['permissions']});

    return lookup.then(function (foundApp) {
        if (!foundApp) {
            return [];
        }

        const permissions = foundApp.related('permissions').models;

        return {permissions: permissions};
    });
},
/**
 * Loads the permissions of an API key by id, via its single role.
 *
 * @param {string} id - api key id
 * @returns {Promise<{permissions: Array, roles: Array}>} permissions is the
 *   role's array of Permission models, roles is a one-element JSON array
 * @throws {common.errors.NotFoundError} when no api key has this id
 */
apiKey(id) {
    const query = models.ApiKey.findOne({id}, {withRelated: ['role', 'role.permissions']});

    const notFound = () => new common.errors.NotFoundError({
        message: common.i18n.t('errors.models.api_key.apiKeyNotFound')
    });

    return query.then((foundApiKey) => {
        if (!foundApiKey) {
            throw notFound();
        }

        // api keys have a belongs_to relationship to a role and no individual permissions
        // so there's no need for permission deduplication
        const role = foundApiKey.related('role');

        return {
            permissions: role.related('permissions').models,
            roles: [foundApiKey.toJSON().role]
        };
    });
}
};