
🐛 Fixed permission for "Administrator" to be able to edit post visibi…
…lity

closes #11825

- The initial implementation had a typo in a role name, which didn't allow "Administrator" to edit a post's "visibility" attribute
- Added unit tests to check administrator specific role and visibility attribute permission
naz committed May 20, 2020
1 parent efdc230 commit 2d41e5c
Showing 2 changed files with 35 additions and 3 deletions.
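--- a/core/server/models/post.js
+++ b/core/server/models/post.js
@@ -960,7 +960,7 @@ Post = ghostBookshelf.Model.extend({
 
 isContributor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Contributor'});
 isOwner = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Owner'});
-isAdmin = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Admin'});
+isAdmin = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Administrator'});
 isEditor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Editor'});
 isIntegration = loadedPermissions.apiKey && _.some(loadedPermissions.apiKey.roles, {name: 'Admin Integration'});
 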
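Review bot: The role names on these five lines are free-floating string literals, so the `'Admin'` misspelling fixed here only surfaced because it denied a legitimate user; a typo in a role check used to exclude a role would presumably fail open instead, with nothing in the code to flag it. Hoisting the names into a single frozen lookup, `const ROLE = Object.freeze({ADMINISTRATOR: 'Administrator', OWNER: 'Owner', EDITOR: 'Editor'});` and then `_.some(loadedPermissions.user.roles, {name: ROLE.ADMINISTRATOR})`, gives one place to audit the spellings against the roles fixture. A short comment above the block, `// Role names must match the Role model's fixture names exactly; a mismatch silently denies the permission`, would also record why the test added in this commit matters. The enclosing permissible function starts and ends outside the hunk.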
36 changes: 34 additions & 2 deletions test/unit/models/post_spec.js
Expand Up @@ -1235,7 +1235,7 @@ describe('Unit: models/post: uses database (@TODO: fix me)', function () {
});
});

it('resolves if changing visibility', function () {
it('resolves if changing visibility as owner', function (done) {
const mockPostObj = {
get: sinon.stub(),
related: sinon.stub()
Expand All @@ -1251,13 +1251,45 @@ describe('Unit: models/post: uses database (@TODO: fix me)', function () {
'edit',
context,
unsafeAttrs,
testUtils.permissions.editor,
testUtils.permissions.owner,
false,
true,
true
).then(() => {
should(mockPostObj.get.called).be.false();
should(mockPostObj.related.calledOnce).be.true();
done();
}).catch(() => {
done(new Error('Permissible function should have passed for owner.'));
});
});

it('resolves if changing visibility as administrator', function (done) {
const mockPostObj = {
get: sinon.stub(),
related: sinon.stub()
};
const context = {user: 1};
const unsafeAttrs = {visibility: 'public'};

mockPostObj.get.withArgs('visibility').returns('paid');
mockPostObj.related.withArgs('authors').returns({models: [{id: 1}]});

models.Post.permissible(
mockPostObj,
'edit',
context,
unsafeAttrs,
testUtils.permissions.admin,
false,
true,
true
).then(() => {
should(mockPostObj.get.called).be.false();
should(mockPostObj.related.calledOnce).be.true();
done();
}).catch(() => {
done(new Error('Permissible function should have passed for administrator.'));
});
});
});
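Review bot: The `.catch(() => { done(new Error(...)); })` handlers in both new tests (the owner case ending at line 58 and the administrator case ending at line 87) discard the rejection reason, so a real permission regression and a failing `should(...)` assertion inside the preceding `.then` both surface as the same generic "should have passed" message. Forwarding the original error keeps the diagnosis, e.g. `}).catch((err) => {` / `done(new Error(\`Permissible function should have passed for administrator: ${err.message}\`));`, or simply `.catch(done)`. Alternatively, drop the `done` parameter and `return` the promise chain, letting the test runner report the actual rejection. The enclosing describe block starts and ends outside the hunk.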
