User API Permissions: Restrict based on role #3096

Closed
ErisDS opened this issue Jun 25, 2014 · 0 comments · Fixed by #3395
Labels
affects:api Affects the Ghost API

ErisDS commented Jun 25, 2014

In #2264 the permissions for the user API were defined as:

| JSON API | Admin | Editor | Author | NoAuth |
|---|---|---|---|---|
| users.browse | y | y | y | |
| users.read | y | y | y | y |
| users.edit | y | y | y (user == self) | |
| users.add | y | y | | |

This is not quite correct, and should be:

| JSON API | Admin | Editor | Author | NoAuth |
|---|---|---|---|---|
| users.browse | y | y | y | |
| users.read | y | y | y | y |
| users.edit | y | y (user == author) | y (user == self) | |
| users.add | y | y (user == author) | | |

This is related to #3080 and #3083
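
A default-deny check built from the two tables in this issue, as an added example that is not part of the issue or Ghost's own code. It reads the columns left to right (Admin, Editor, Author, NoAuth), takes "user == author" to mean the target user holds the Author role and "user == self" to mean the target is the requester; `canUser`, `tightenedCases` and the sample users are hypothetical.

```javascript
// Added example, not Ghost's implementation. Roles and actions come from the tables.
// Assumption: "user == author" = target holds the Author role; "user == self" = target is the requester.
const any = () => true;
const targetIsAuthor = (ctx, target) => !!target && target.role === 'Author';
const targetIsSelf = (ctx, target) => !!target && !!ctx.user && target.id === ctx.user.id;

// Matrix as first defined in #2264.
const ORIGINAL = {
  'users.browse': { Admin: any, Editor: any, Author: any },
  'users.read': { Admin: any, Editor: any, Author: any, NoAuth: any },
  'users.edit': { Admin: any, Editor: any, Author: targetIsSelf },
  'users.add': { Admin: any, Editor: any },
};

// Corrected matrix from this issue: Editors may only edit or add Authors.
const CORRECTED = {
  ...ORIGINAL,
  'users.edit': { Admin: any, Editor: targetIsAuthor, Author: targetIsSelf },
  'users.add': { Admin: any, Editor: targetIsAuthor },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Default deny: an unknown action, an unknown role or a missing cell returns false.
// Own-property checks stop a role string such as "constructor" from matching an inherited member.
function canUser(matrix, action, ctx, target) {
  const role = ctx && ctx.user ? ctx.user.role : 'NoAuth';
  if (!own(matrix, action) || !own(matrix[action], role)) return false;
  return matrix[action][role](ctx, target) === true;
}

// Enumerate every (action, actor role, target role) the original allowed and the
// correction denies; these are the cases a regression test suite should pin down.
function tightenedCases() {
  const roles = ['Admin', 'Editor', 'Author'];
  const out = [];
  for (const action of Object.keys(CORRECTED)) {
    for (const actor of [...roles, 'NoAuth']) {
      for (const targetRole of roles) {
        const ctx = actor === 'NoAuth' ? {} : { user: { id: 1, role: actor } };
        const target = { id: 2, role: targetRole }; // constructed: never the actor itself
        const before = canUser(ORIGINAL, action, ctx, target);
        if (before && !canUser(CORRECTED, action, ctx, target)) out.push(`${action}:${actor}->${targetRole}`);
      }
    }
  }
  return out;
}
```
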

ErisDS added this to the 0.5 Multi-user milestone Jun 25, 2014
ErisDS mentioned this issue Jul 1, 2014
ErisDS self-assigned this Jul 8, 2014
ErisDS added a commit to ErisDS/Ghost that referenced this issue Jul 17, 2014
refs TryGhost#3283, refs TryGhost#2739, refs TryGhost#3096

- Renames permissions which didn't follow bread
- Adds permissions for notifications, mail and tags

Still todo:

- wire up the new permissions where they are needed
- add permissions for roles
ErisDS added a commit to ErisDS/Ghost that referenced this issue Jul 28, 2014
refs TryGhost#3083, TryGhost#3096

In order to implement advanced permissions based on roles for specific
actions, we need to know what role the current context user has and also
what action we are granting permissions for:
- Permissible gets passed the action type
- Effective permissions keeps the user role and eventually passes it to
  permissible
- Fixed spelling
- Still needs tests
ErisDS added a commit to ErisDS/Ghost that referenced this issue Jul 28, 2014
closes TryGhost#3096, closes TryGhost#3378, refs TryGhost#3100

- user.permissible updated to reflect proper permissions
- small amount of API refactoring to handle extra cases
- extensive integration testing