Permissions and Models.User.permissable

[jaswilli]

There's a hook in the permissions system where a model class can have a permissable method which allows it to make a decision on pending operations against it:
https://github.com/TryGhost/Ghost/blob/master/core/server/permissions/index.js#L123

The User model does this:
https://github.com/TryGhost/Ghost/blob/master/core/server/models/user.js#L446

Which needs to be rethought before MU ships as it opens up a potential privilege escalation issue (e.g., a user can change his or her role).

[ErisDS]

I'm working on the issue #3096, which means that this code in User.permissable:

https://github.com/TryGhost/Ghost/blob/master/core/server/models/user.js#L446

Which is intended to allow the owner of an object to perform any operation, will only be executed for authors performing an edit action. Which should significantly reduce the problem.

The code which manages editing a user handles the role relation separately: https://github.com/TryGhost/Ghost/blob/master/core/server/models/user.js#L301

And it does need an additional canThis check on assigning roles.

I'll take this on because it overlaps neatly with what I'm working on right now.