Which is intended to allow the owner of an object to perform any operation, will only be executed for authors performing an edit action. Which should significantly reduce the problem.
There's a hook in the permissions system where a model class can have a permissable method which allows it to make a decision on pending operations against it:
https://github.com/TryGhost/Ghost/blob/master/core/server/permissions/index.js#L123
The User model does this:
https://github.com/TryGhost/Ghost/blob/master/core/server/models/user.js#L446
Which needs to be rethought before MU ships as it opens up a potential privilege escalation issue (e.g., a user can change his or her role).
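To make the escalation concrete, here is an added example (not Ghost's code, and not the actual permissable method linked above) of a simplified model-level permission hook. The role names, their ranks, the PRIVILEGED_ATTRS list and both function signatures are assumptions for illustration. The naive variant applies "the owner of an object may perform any operation on it" to the User model, so a user editing their own record can also rewrite their role; the hardened variant limits self-ownership to unprivileged attributes and requires a sufficiently ranked other user for any role or status change.

```javascript
// Added example, not Ghost's own code: a simplified model-level permission
// hook in the spirit of the permissable method the issue describes.
// Role names, ranks, the attribute list and the function signatures are
// assumptions for illustration only.

// Constructed role hierarchy: a higher number means more privilege.
const ROLE_RANK = { Author: 1, Editor: 2, Administrator: 3, Owner: 4 };

// Attributes whose change is a privilege decision, not an ordinary edit.
const PRIVILEGED_ATTRS = ['role', 'status'];

function rankOf(role) {
  return ROLE_RANK[role] || 0;
}

function touchesPrivileged(attrs) {
  return PRIVILEGED_ATTRS.some((k) => Object.prototype.hasOwnProperty.call(attrs, k));
}

// The pattern the issue warns about: "the owner of an object may perform any
// operation on it" applied to the User model. A user editing their own record
// is its owner, so the check passes even when the edit rewrites `role`.
function naiveOwnerPermissible(action, actor, target, attrs) {
  if (actor.id === target.id) return true;           // owner of the object: allow everything
  return rankOf(actor.role) > rankOf(target.role);   // otherwise require a higher rank
}

// Hardened variant: self-ownership only covers unprivileged attributes, and
// any change to role/status must be made by a sufficiently ranked other user.
function userPermissible(action, actor, target, attrs = {}) {
  const isSelf = actor.id === target.id;
  const actorRank = rankOf(actor.role);
  const targetRank = rankOf(target.role);

  if (action !== 'edit') {
    // Non-edit operations: owner of the record, or a higher-ranked user.
    return { allowed: isSelf || actorRank > targetRank, reason: 'rank check' };
  }

  if (!touchesPrivileged(attrs)) {
    // Ordinary edit: owner of the record, or a higher-ranked user.
    return { allowed: isSelf || actorRank > targetRank, reason: 'unprivileged edit' };
  }

  // From here on the edit rewrites role and/or status.
  if (isSelf) {
    return { allowed: false, reason: 'a user may not change their own role or status' };
  }
  if (actorRank < ROLE_RANK.Administrator) {
    return { allowed: false, reason: 'only Administrator or Owner may change roles' };
  }
  const newRole = attrs.role !== undefined ? attrs.role : target.role;
  if (actor.role !== 'Owner') {
    if (newRole === 'Owner') {
      return { allowed: false, reason: 'only the Owner may grant Owner' };
    }
    if (actorRank <= targetRank || actorRank < rankOf(newRole)) {
      return { allowed: false, reason: 'actor must outrank the target and the new role' };
    }
  }
  return { allowed: true, reason: 'privileged change by sufficiently ranked actor' };
}

// Constructed accounts and a small comparison of the two hooks on the
// request the issue describes: an author editing their own role.
function demo() {
  const author = { id: 1, role: 'Author' };
  const admin = { id: 2, role: 'Administrator' };
  return {
    naiveSelfPromote: naiveOwnerPermissible('edit', author, author, { role: 'Owner' }),
    hardenedSelfPromote: userPermissible('edit', author, author, { role: 'Owner' }).allowed,
    adminPromotesAuthor: userPermissible('edit', admin, author, { role: 'Editor' }).allowed,
  };
}
```

Calling demo() returns naiveSelfPromote: true (the escalation) against hardenedSelfPromote: false, while adminPromotesAuthor stays true. The design point is that the ownership shortcut is a reasonable default for content objects but must be scoped by attribute on the model that stores privilege itself; the decision belongs in the model's hook, where both the actor and the attributes being written are visible.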