Switched to use new implementation of authorizeAdminApi

refs #9865 - see code comments
TryGhost · Jan 18, 2019 · e90148e · e90148e
1 parent de7ba3c
commit e90148e
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 41 deletions.
diff --git a/core/server/services/auth/authorize.js b/core/server/services/auth/authorize.js
@@ -43,8 +43,6 @@ const authorize = {
         };
     },
 
-    authorizeAdminApi: [session.ensureUser],
-
     authorizeContentApi(req, res, next) {
         const hasApiKey = req.api_key && req.api_key.id;
         const hasMember = req.member;
@@ -59,7 +57,13 @@ const authorize = {
         }));
     },
 
-    requiresAuthorizedUserOrApiKey(req, res, next) {
+    /**
+     * @NOTE:
+     *
+     * We don't support admin api keys yet, but we can already use this authorization helper, because
+     * we have not connected authenticating with admin api keys yet. `req.api_key` will be always null.
+     */
+    authorizeAdminApi(req, res, next) {
         const hasUser = req.user && req.user.id;
         const hasApiKey = req.api_key && req.api_key.id;
 

diff --git a/core/server/services/auth/session/index.js b/core/server/services/auth/session/index.js
@@ -2,22 +2,24 @@ module.exports = {
     get getSession() {
         return require('./middleware').getSession;
     },
+
     get cookieCsrfProtection() {
         return require('./middleware').cookieCsrfProtection;
     },
+
     get safeGetSession() {
         return require('./middleware').safeGetSession;
     },
+
     get createSession() {
         return require('./middleware').createSession;
     },
+
     get destroySession() {
         return require('./middleware').destroySession;
     },
+
     get getUser() {
         return require('./middleware').getUser;
-    },
-    get ensureUser() {
-        return require('./middleware').ensureUser;
     }
 };
diff --git a/core/server/services/auth/session/middleware.js b/core/server/services/auth/session/middleware.js
@@ -91,15 +91,6 @@ const getUser = (req, res, next) => {
         });
 };
 
-const ensureUser = (req, res, next) => {
-    if (req.user && req.user.id) {
-        return next();
-    }
-    next(new common.errors.UnauthorizedError({
-        message: common.i18n.t('errors.middleware.auth.accessDenied')
-    }));
-};
-
 const cookieCsrfProtection = (req, res, next) => {
     // If there is no origin on the session object it means this is a *new*
     // session, that hasn't been initialised yet. So we don't need CSRF protection
@@ -126,6 +117,5 @@ module.exports = exports = {
     safeGetSession: [getSession, cookieCsrfProtection],
     createSession,
     destroySession,
-    getUser,
-    ensureUser
+    getUser
 };
diff --git a/core/test/unit/services/auth/session/index_spec.js b/core/test/unit/services/auth/session/index_spec.js
@@ -202,30 +202,6 @@ describe('Session Service', function () {
         });
     });
 
-    describe('ensureUser', function () {
-        it('calls next with no error if req.user.id exists', function (done) {
-            const req = fakeReq();
-            const res = fakeRes();
-            const user = models.User.forge({id: 23});
-            req.user = user;
-
-            sessionService.ensureUser(req, res, function next(err) {
-                should.equal(err, null);
-                done();
-            });
-        });
-
-        it('calls next with UnauthorizedError if req.user.id does not exist', function (done) {
-            const req = fakeReq();
-            const res = fakeRes();
-
-            sessionService.ensureUser(req, res, function next(err) {
-                should.equal(err instanceof UnauthorizedError, true);
-                done();
-            });
-        });
-    });
-
     describe('CSRF protection', function () {
         it('calls next if the session is uninitialized', function (done) {
             const req = fakeReq();