Ghost/ghost/admin/mirage/utils.js
Kevin Ansfield 5bf3fe9cb8 🐛 Fixed error preventing admin area being usable by staff users with Contributor role
closes https://github.com/TryGhost/Team/issues/2190

- added a guard around the tier fetches in `membersUtils` service so the fetch doesn't occur unless we have a logged in user and they aren't a contributor
- extracted the `withPermissionsCheck` mirage util function and added role checks around the mocked tiers endpoints
- added an acceptance test that loads the content screen and creates a draft post as a contributor to help catch regressions
2022-10-31 12:01:39 +00:00

157 lines
3.6 KiB
JavaScript

/* eslint-disable max-statements-per-line */
import {Response} from 'miragejs';
import {isArray} from '@ember/array';
export function paginatedResponse(modelName) {
return function (schema, request) {
let page = +request.queryParams.page || 1;
let limit = request.queryParams.limit;
let collection = schema[modelName].all();
if (limit !== 'all') {
limit = +request.queryParams.limit || 15;
}
return paginateModelCollection(modelName, collection, page, limit);
};
}
export function paginateModelCollection(modelName, collection, page, limit) {
let pages, next, prev, models;
if (limit === 'all') {
pages = 1;
} else {
limit = +limit;
let start = (page - 1) * limit;
let end = start + limit;
pages = Math.ceil(collection.models.length / limit);
models = collection.models.slice(start, end);
if (start > 0) {
prev = page - 1;
}
if (end < collection.models.length) {
next = page + 1;
}
}
collection.meta = {
pagination: {
page,
limit,
pages,
total: collection.models.length,
next: next || null,
prev: prev || null
}
};
if (models) {
collection.models = models;
}
return collection;
}
export function maintenanceResponse() {
return new Response(503, {}, {
errors: [{
type: 'Maintenance'
}]
});
}
export function versionMismatchResponse() {
return new Response(400, {}, {
errors: [{
type: 'VersionMismatchError'
}]
});
}
function normalizeBooleanParams(arr) {
if (!isArray(arr)) {
return arr;
}
return arr.map((i) => {
if (i === 'true') {
return true;
} else if (i === 'false') {
return false;
} else {
return i;
}
});
}
function normalizeStringParams(arr) {
if (!isArray(arr)) {
return arr;
}
return arr.map((i) => {
if (!i.replace) {
return i;
}
return i.replace(/^['"]|['"]$/g, '');
});
}
// TODO: use GQL to parse filter string?
export function extractFilterParam(param, filter = '') {
let filterRegex = new RegExp(`${param}:(.*?)(?:\\+|$)`);
let match;
let [, result] = filter.match(filterRegex) || [];
if (!result) {
return;
}
if (result.startsWith('[')) {
match = result.replace(/^\[|\]$/g, '').split(',');
} else {
match = [result];
}
return normalizeBooleanParams(normalizeStringParams(match));
}
export function hasInvalidPermissions(allowedRoles) {
const {schema, request} = this;
// always allow dev requests through - the logged in user will be real so
// we can't check against it in the mocked db
if (!request.requestHeaders['X-Test-User']) {
return false;
}
const invalidPermsResponse = new Response(403, {}, {
errors: [{
type: 'NoPermissionError',
message: 'You do not have permission to perform this action'
}]
});
const user = schema.users.find(request.requestHeaders['X-Test-User']);
const adminRoles = user.roles.filter(role => allowedRoles.includes(role.name));
if (adminRoles.length === 0) {
return invalidPermsResponse;
}
}
export function withPermissionsCheck(allowedRoles, fn) {
return function () {
const boundPermsCheck = hasInvalidPermissions.bind(this);
const boundFn = fn.bind(this);
return boundPermsCheck(allowedRoles) || boundFn(...arguments);
};
}