From 68fe9fabef2d67bd021b2111e8f0a8af746ebfcf Mon Sep 17 00:00:00 2001
From: Robert Jackson
Date: Wed, 30 Jul 2014 22:44:51 -0400
Subject: [PATCH] Limit Posts for Authors.
* Ensures that posts listing only shows posts that the current user authored, if they only have the Author role.
* Do not transition into the posts.post route if the current user is not the author (but has the Author role). This is needed because the API server will always return the post (regardless of the current user).
---
 ghost/admin/models/post.js | 1 +
 ghost/admin/routes/posts.js | 6 +++++-
 ghost/admin/routes/posts/post.js | 5 +++++
 ghost/admin/serializers/post.js | 9 +++++++++
 4 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/ghost/admin/models/post.js b/ghost/admin/models/post.js
index 879a88774f..7d05e6611c 100644
--- a/ghost/admin/models/post.js
+++ b/ghost/admin/models/post.js
@@ -18,6 +18,7 @@ var Post = DS.Model.extend(NProgressSaveMixin, ValidationEngine, {
 meta_title: DS.attr('string'),
 meta_description: DS.attr('string'),
 author: DS.belongsTo('user', { async: true }),
+ author_id: DS.attr('number'),
 updated_at: DS.attr('moment-date'),
 published_at: DS.attr('moment-date'),
 published_by: DS.belongsTo('user', { async: true }),
diff --git a/ghost/admin/routes/posts.js b/ghost/admin/routes/posts.js
index 8b4e409443..313d79dc12 100644
--- a/ghost/admin/routes/posts.js
+++ b/ghost/admin/routes/posts.js
@@ -21,7 +21,11 @@ var PostsRoute = Ember.Route.extend(SimpleAuth.AuthenticatedRouteMixin, Shortcut
 }
 // using `.filter` allows the template to auto-update when new models are pulled in from the server.
 // we just need to 'return true' to allow all models by default.
- return self.store.filter('post', paginationSettings, function () {
+ return self.store.filter('post', paginationSettings, function (post) {
+ if (user.get('isAuthor')) {
+ return user.get('id') === post.get('author_id');
+ }
+ return true;
 });
 });
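Review bot: `author_id` is declared as an ordinary `DS.attr('number')` mirroring the `author` relationship, so by default it will also be serialized back to the API on every save and can drift from `author` if either side is changed on the client. If the server is not meant to receive `author_id`, strip it from the outgoing payload in the post serializer (for example by overriding `serializeAttribute` to skip that key) and treat the attribute as read-only on the client. A short comment on the attribute would make the intent clear, e.g. `// read-only mirror of the author relationship's id, populated in serializers/post.js normalize; not intended to be sent back to the API`.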
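Review bot: The strict comparison `user.get('id') === post.get('author_id')` in the new filter callback compares values of two different types if record ids are strings (Ember Data coerces ids to strings) while `author_id` is declared as `DS.attr('number')` in models/post.js; in that case the filter never matches and an Author-role user sees an empty list. Normalise both sides before comparing, e.g. `return String(user.get('id')) === String(post.get('author_id'));`, or declare `author_id` as a string attribute; the same comparison appears in routes/posts/post.js and needs the same treatment. This filter only hides records in the listing: as the commit message itself says, the API still returns every post to the Author-role user, so the server-side permission check remains the actual access control and the callback should carry a comment saying it is a display filter, not an authorization check. The enclosing `model` hook starts and ends outside the hunk.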
diff --git a/ghost/admin/routes/posts/post.js b/ghost/admin/routes/posts/post.js
index 4ab2074636..0f1f38d566 100644
--- a/ghost/admin/routes/posts/post.js
+++ b/ghost/admin/routes/posts/post.js
@@ -35,6 +35,11 @@ var PostsPostRoute = Ember.Route.extend(SimpleAuth.AuthenticatedRouteMixin, load
 return self.store.find('post', paginationSettings).then(function (records) {
 var post = records.get('firstObject');
+ if (user.get('isAuthor') && user.get('id') !== post.get('author_id')) {
+ // do not show the post if they are an author but not this posts author
+ post = null;
+ }
+
 if (post) {
 return post;
 }
diff --git a/ghost/admin/serializers/post.js b/ghost/admin/serializers/post.js
index 1b252a17e3..46b22d22e8 100644
--- a/ghost/admin/serializers/post.js
+++ b/ghost/admin/serializers/post.js
@@ -6,6 +6,15 @@ var PostSerializer = ApplicationSerializer.extend(DS.EmbeddedRecordsMixin, {
 tags: { embedded: 'always' }
 },
+ normalize: function (type, hash) {
+ // this is to enable us to still access the raw author_id
+ // without requiring an extra get request (since it is an
+ // async relationship).
+ hash.author_id = hash.author;
+
+ return this._super(type, hash);
+ },
+
 extractSingle: function (store, primaryType, payload) {
 var root = this.keyForAttribute(primaryType.typeKey),
 pluralizedRoot = Ember.String.pluralize(primaryType.typeKey);
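Review bot: `post.get('author_id')` is evaluated before the existing `if (post)` guard, so when `records` is empty (`firstObject` is undefined) and the user has the Author role the new condition throws a TypeError instead of falling through to the not-found path. Check `post` first: `if (post && user.get('isAuthor') && user.get('id') !== post.get('author_id')) {`. The `.then` callback and the surrounding `model` hook continue outside the hunk. Setting `post = null` only stops this route from rendering the record; `store.find` has already loaded it into the store, which is consistent with the commit message's note that the API returns the post regardless, and the comment should say so, e.g. `// display-only restriction; the API has already returned the record, server-side permissions are the real check`.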
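Review bot: The `normalize` override drops any third argument the base implementation receives; if the parent serializer's `normalize` takes `prop` (RESTSerializer's `normalize(type, hash, prop)` uses it for `normalizeHash`), per-property normalization silently stops working, so declare `normalize: function (type, hash, prop) {` and forward it with `return this._super(type, hash, prop);`. `hash.author_id = hash.author` also assumes `hash.author` is an id: if the API ever embeds the author object instead, the `number` transform yields NaN and every author comparison in the routes fails, which deserves either a `typeof hash.author` check or a comment stating the assumption. The comment should additionally record that `author_id` exists only for client-side filtering and is not expected to round-trip to the API.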