🎨 Optimise permissble function in user model

no issue - if you destroy a user with an unknown user id, Ghost would crash - because `userModel.hasRole` is undefined - there is actually a bigger underlying architectual problem: - the permission check should rely on an existing user - so there should be a first api layer, which 1. validates (this code exists) and 2. ensures that requested database id's exist - but this requires a bigger refactoring
TryGhost · Jul 18, 2017 · 522bd02 · 522bd02
1 parent f6cc48d
commit 522bd02
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/core/server/models/user.js b/core/server/models/user.js
@@ -562,6 +562,12 @@ User = ghostBookshelf.Model.extend({
 
             // Get the actual user model
             return this.findOne({id: userModelOrId, status: 'all'}, {include: ['roles']}).then(function then(foundUserModel) {
+                if (!foundUserModel) {
+                    throw new errors.NotFoundError({
+                        message: i18n.t('errors.models.user.userNotFound')
+                    });
+                }
+
                 // Build up the original args but substitute with actual model
                 var newArgs = [foundUserModel].concat(origArgs);