ACL & the API: Current user everywhere

In order to roll out full access control, we need to update, improve and fix the concept of `apiContext` which exists in the [API request handler](https://github.com/TryGhost/Ghost/blob/master/core/server/api/index.js#L47).

Currently API context is set to:

> `user: req.session && req.session.user`

This is wrong, by accident, the `&&` evaluates to `true` which evaluates to `1` which is the correct user ID in the majority of cases, but I believe this should really be:

> `user: req.session && req.session.user ? req.session.user : null`

In addition to this, we need to consider how to pass this concept of user through to every action which makes a change on a model, so that the `created_by`, `updated_by` and other user id's are set correctly.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ACL & the API: Current user everywhere #2058

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

ACL & the API: Current user everywhere #2058

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions