send invites as owner if added via an admin api key
kevinansfield committed Sep 25, 2018
1 parent 66f16f8 commit f63963d
Showing 3 changed files with 94 additions and 5 deletions.
26 changes: 23 additions & 3 deletions core/server/api/invites.js
Expand Up @@ -101,7 +101,6 @@ const invites = {
.then((response) => {
const adminUrl = urlService.utils.urlFor('admin', true);

// TODO: how to handle invitedBy for API Key requests
emailData = {
blogName: response.settings[0].value,
invitedByName: loggedInUser.get('name'),
Expand Down Expand Up @@ -194,7 +193,10 @@ const invites = {
const loggedInUserRole = loggedInUser.related('roles').models[0].get('name');
let allowed = [];

if (loggedInUserRole === 'Owner' || loggedInUserRole === 'Administrator') {
let userHasAdminRole = options.context.user && (loggedInUserRole === 'Owner' || loggedInUserRole === 'Administrator');

// admin api keys have an equivalent of the Adminstrator role
if (options.context.api_key || userHasAdminRole) {
allowed = ['Administrator', 'Editor', 'Author', 'Contributor'];
} else if (loggedInUserRole === 'Editor') {
allowed = ['Author', 'Contributor'];
Expand Down Expand Up @@ -235,11 +237,29 @@ const invites = {
});
}

function fetchOwner(options) {
return models.User.getOwnerUser(merge({}, omit(options, 'data'), {withRelated: ['roles']}))
.then((owner) => {
loggedInUser = owner;
return options;
});
}

// API Key requests are not tied to a user so send the invite from the
// owner user instead
function fetchLoggedInUserOrOwner(options) {
if (options.context.api_key && !options.context.user) {
return fetchOwner(options);
}

return fetchLoggedInUser(options);
}

tasks = [
localUtils.validate(docName, {opts: ['email']}),
localUtils.convertOptions(allowedIncludes),
localUtils.handlePermissions(docName, 'add'),
fetchLoggedInUser,
fetchLoggedInUserOrOwner,
validation,
checkIfUserExists,
destroyOldInvite,
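Review bot: The two API-key conditions added in this section disagree on a mixed context: `fetchLoggedInUserOrOwner` only treats a request as API-key-driven when `options.context.user` is absent, but the role gate `if (options.context.api_key || userHasAdminRole)` grants the full Administrator invite list whenever `api_key` is present at all, so a request carrying both a lower-role user and an api_key would be allowed to invite Administrators while `loggedInUser` is still that lower-role user. Unify the two with a single predicate, e.g. `const isApiKeyRequest = options.context.api_key && !options.context.user;` used as `if (isApiKeyRequest || userHasAdminRole) {` and again inside `fetchLoggedInUserOrOwner`. The gate also does not distinguish Admin from Content API keys — presumably `localUtils.handlePermissions(docName, 'add')` rejects Content keys before `validation` runs, but that reliance should be stated next to the branch, e.g. `// assumes handlePermissions has already rejected Content API keys; only Admin keys reach here`. The enclosing `add` method and its `tasks` array start and end outside these hunks, and `Adminstrator` in the new comment is a typo.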
69 changes: 68 additions & 1 deletion core/test/integration/api/api_invites_spec.js
Expand Up @@ -13,7 +13,14 @@ var should = require('should'),

describe('Invites API', function () {
before(testUtils.teardown);
before(testUtils.setup('invites', 'settings', 'users:roles', 'perms:invite', 'perms:init'));
before(testUtils.setup(
'invites',
'settings',
'users:roles',
'api_keys',
'perms:invite',
'perms:init'
));

beforeEach(function () {
sandbox.stub(mail, 'send').callsFake(function () {
Expand Down Expand Up @@ -440,5 +447,65 @@ describe('Invites API', function () {
}).catch(done);
});
});

describe('Admin API Key', function () {
it('CANNOT invite an Owner', function (done) {
InvitesAPI.add({
invites: [
{
email: '[email protected]',
role_id: testUtils.roles.ids.owner
}
]
}, testUtils.context.admin_api_key).then(function () {
done(new Error('API Key should not be able to add an owner'));
}).catch(checkForErrorType('NoPermissionError', done));
});

it('Can invite an Admin', function (done) {
InvitesAPI.add({
invites: [
{
email: '[email protected]',
role_id: testUtils.roles.ids.admin
}
]
}, _.merge({}, {include: 'roles'}, testUtils.context.admin_api_key)).then(function (response) {
checkAddResponse(response);
response.invites[0].role_id.should.equal(testUtils.roles.ids.admin);
done();
}).catch(done);
});

it('Can invite an Editor', function (done) {
InvitesAPI.add({
invites: [
{
email: '[email protected]',
role_id: testUtils.roles.ids.editor
}
]
}, testUtils.context.admin_api_key).then(function (response) {
checkAddResponse(response);
response.invites[0].role_id.should.equal(testUtils.roles.ids.editor);
done();
}).catch(done);
});

it('Can invite an Author', function (done) {
InvitesAPI.add({
invites: [
{
email: '[email protected]',
role_id: testUtils.roles.ids.author
}
]
}, testUtils.context.admin_api_key).then(function (response) {
checkAddResponse(response);
response.invites[0].role_id.should.equal(testUtils.roles.ids.author);
done();
}).catch(done);
});
});
});
});
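Review bot: The new `Admin API Key` tests never exercise a Content API key, even though `testUtils.context.content_api_key` is introduced by this same commit, and none of them checks that the invite actually goes out from the Owner, which is the stated purpose of the change. A negative test with the Content key would pin the permission boundary, and the `mail.send` stub installed in `beforeEach` can be inspected to confirm the invite was sent at all for an API-key request. The exact error type for a Content key and the shape of the arguments reaching `mail.send` are not visible in this diff, so both assertions below should be confirmed against the permission layer and the mailer before landing.

```javascript
// … unchanged: existing Admin API Key tests …
it('CANNOT invite with a Content API Key', function (done) {
    InvitesAPI.add({
        invites: [{email: '[email protected]', role_id: testUtils.roles.ids.author}]
    }, testUtils.context.content_api_key).then(function () {
        done(new Error('Content API Key should not be able to add invites'));
    }).catch(checkForErrorType('NoPermissionError', done)); // confirm error type
});

it('sends the invite on behalf of the Owner', function (done) {
    InvitesAPI.add({
        invites: [{email: '[email protected]', role_id: testUtils.roles.ids.author}]
    }, testUtils.context.admin_api_key).then(function () {
        mail.send.calledOnce.should.be.true();
        // TODO confirm how emailData reaches mail.send, then assert invitedByName is the owner's name
        done();
    }).catch(done);
});
```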
4 changes: 3 additions & 1 deletion core/test/utils/index.js
Expand Up @@ -1158,7 +1158,9 @@ module.exports = {
admin: {context: {user: DataGenerator.Content.users[1].id}},
editor: {context: {user: DataGenerator.Content.users[2].id}},
author: {context: {user: DataGenerator.Content.users[3].id}},
contributor: {context: {user: DataGenerator.Content.users[7].id}}
contributor: {context: {user: DataGenerator.Content.users[7].id}},
admin_api_key: {context: {api_key: DataGenerator.Content.api_keys[0].id}},
content_api_key: {context: {api_key: DataGenerator.Content.api_keys[1].id}}
},
permissions: {
owner: {user: {roles: [DataGenerator.Content.roles[3]]}},