🐛 Fixed contributors being able to delete draft posts as co-author

closes TryGhost#10238 - The user of contributor role should not be allowed editing a post while not being a primary author
naz · Dec 4, 2018 · 21d9853 · 21d9853
1 parent bf295a9
commit 21d9853
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/core/server/models/relations/authors.js b/core/server/models/relations/authors.js
@@ -314,22 +314,26 @@ module.exports.extendModel = function extendModel(Post, Posts, ghostBookshelf) {
                 return isCorrectOwner;
             }
 
-            function isCurrentOwner() {
+            function isPrimaryAuthor() {
+                return (context.user === postModel.related('authors').models[0].id);
+            }
+
+            function isCoAuthor() {
                 return postModel.related('authors').models.map(author => author.id).includes(context.user);
             }
 
             if (isContributor && isEdit) {
-                hasUserPermission = !isChanging('author_id') && !isChangingAuthors() && isCurrentOwner();
+                hasUserPermission = !isChanging('author_id') && !isChangingAuthors() && isCoAuthor();
             } else if (isContributor && isAdd) {
                 hasUserPermission = isOwner();
             } else if (isContributor && isDestroy) {
-                hasUserPermission = isCurrentOwner();
+                hasUserPermission = isPrimaryAuthor();
             } else if (isAuthor && isEdit) {
-                hasUserPermission = isCurrentOwner() && !isChanging('author_id') && !isChangingAuthors();
+                hasUserPermission = isCoAuthor() && !isChanging('author_id') && !isChangingAuthors();
             } else if (isAuthor && isAdd) {
                 hasUserPermission = isOwner();
             } else if (postModel) {
-                hasUserPermission = hasUserPermission || isCurrentOwner();
+                hasUserPermission = hasUserPermission || isPrimaryAuthor();
             }
 
             if (hasUserPermission && hasAppPermission) {