TryGhost · ErisDS · Oct 21, 2015 · Oct 20, 2015
diff --git a/core/server/api/db.js b/core/server/api/db.js
@@ -6,10 +6,11 @@ var _                = require('lodash'),
     importer         = require('../data/importer'),
     models           = require('../models'),
     errors           = require('../errors'),
-    canThis          = require('../permissions').canThis,
     utils            = require('./utils'),
+    pipeline         = require('../utils/pipeline'),
 
     api              = {},
+    docName      = 'db',
     db;
 
 api.settings         = require('./settings');
@@ -29,18 +30,25 @@ db = {
      * @returns {Promise} Ghost Export JSON format
      */
     exportContent: function (options) {
+        var tasks = [];
+
         options = options || {};
 
         // Export data, otherwise send error 500
-        return canThis(options.context).exportContent.db().then(function () {
+        function exportContent() {
             return dataExport().then(function (exportedData) {
                 return {db: [exportedData]};
             }).catch(function (error) {
                 return Promise.reject(new errors.InternalServerError(error.message || error));
             });
-        }, function () {
-            return Promise.reject(new errors.NoPermissionError('You do not have permission to export data (no rights).'));
-        });
+        }
+
+        tasks = [
+            utils.handlePermissions(docName, 'exportContent'),
+            exportContent
+        ];
+
+        return pipeline(tasks, options);
     },
     /**
      * ### Import Content
@@ -51,31 +59,42 @@ db = {
      * @returns {Promise} Success
      */
     importContent: function (options) {
+        var tasks = [];
+
         options = options || {};
 
-        // Check if a file was provided
-        if (!utils.checkFileExists(options, 'importfile')) {
-            return Promise.reject(new errors.NoPermissionError('Please select a file to import.'));
-        }
+        function validate(options) {
+            // Check if a file was provided
+            if (!utils.checkFileExists(options, 'importfile')) {
+                return Promise.reject(new errors.NoPermissionError('Please select a file to import.'));
+            }
+
+            // Check if the file is valid
+            if (!utils.checkFileIsValid(options.importfile, importer.getTypes(), importer.getExtensions())) {
+                return Promise.reject(new errors.UnsupportedMediaTypeError(
+                    'Unsupported file. Please try any of the following formats: ' +
+                        _.reduce(importer.getExtensions(), function (memo, ext) {
+                            return memo ? memo + ', ' + ext : ext;
+                        })
+                ));
+            }
 
-        // Check if the file is valid
-        if (!utils.checkFileIsValid(options.importfile, importer.getTypes(), importer.getExtensions())) {
-            return Promise.reject(new errors.UnsupportedMediaTypeError(
-                'Unsupported file. Please try any of the following formats: ' +
-                    _.reduce(importer.getExtensions(), function (memo, ext) {
-                        return memo ? memo + ', ' + ext : ext;
-                    })
-            ));
+            return options;
         }
 
-        // Permissions check
-        return canThis(options.context).importContent.db().then(function () {
+        function importContent(options) {
             return importer.importFromFile(options.importfile)
                 .then(api.settings.updateSettingsCache)
                 .return({db: []});
-        }, function () {
-            return Promise.reject(new errors.NoPermissionError('You do not have permission to import data (no rights).'));
-        });
+        }
+
+        tasks = [
+            validate,
+            utils.handlePermissions(docName, 'importContent'),
+            importContent
+        ];
+
+        return pipeline(tasks, options);
     },
     /**
      * ### Delete All Content
@@ -86,17 +105,24 @@ db = {
      * @returns {Promise} Success
      */
     deleteAllContent: function (options) {
+        var tasks;
+
         options = options || {};
 
-        return canThis(options.context).deleteAllContent.db().then(function () {
+        function deleteContent() {
             return Promise.resolve(models.deleteAllContent())
                 .return({db: []})
                 .catch(function (error) {
                     return Promise.reject(new errors.InternalServerError(error.message || error));
                 });
-        }, function () {
-            return Promise.reject(new errors.NoPermissionError('You do not have permission to export data (no rights).'));
-        });
+        }
+
+        tasks = [
+            utils.handlePermissions(docName, 'deleteAllContent'),
+            deleteContent
+        ];
+
+        return pipeline(tasks, options);
     }
 };
 

diff --git a/core/server/permissions/index.js b/core/server/permissions/index.js
@@ -118,7 +118,6 @@ CanThisResult.prototype.buildObjectTypeHandlers = function (objTypes, actType, c
         permission: Models.Permission,
         setting:    Models.Settings
     };
-
     // Iterate through the object types, i.e. ['post', 'tag', 'user']
     return _.reduce(objTypes, function (objTypeHandlers, objType) {
         // Grab the TargetModel through the objectTypeModelMap
@@ -172,7 +171,7 @@ CanThisResult.prototype.buildObjectTypeHandlers = function (objTypes, actType, c
                     };
                 // Check user permissions for matching action, object and id.
 
-                if (_.any(loadedPermissions.user.roles, {name: 'Owner'})) {
+                if (loadedPermissions.user && _.any(loadedPermissions.user.roles, {name: 'Owner'})) {
                     hasUserPermission = true;
                 } else if (!_.isEmpty(userPermissions)) {
                     hasUserPermission = _.any(userPermissions, checkPermission);

diff --git a/core/test/integration/api/api_db_spec.js b/core/test/integration/api/api_db_spec.js
@@ -54,7 +54,7 @@ describe('DB API', function () {
         }).catch(done);
     });
 
-    it('delete all content is denied (editor & author)', function (done) {
+    it('delete all content is denied (editor, author & without authentication)', function (done) {
         return dbAPI.deleteAllContent(testUtils.context.editor).then(function () {
             done(new Error('Delete all content is not denied for editor.'));
         }, function (error) {
@@ -73,7 +73,7 @@ describe('DB API', function () {
         }).catch(done);
     });
 
-    it('export content is denied (editor & author)', function (done) {
+    it('export content is denied (editor, author & without authentication)', function (done) {
         return dbAPI.exportContent(testUtils.context.editor).then(function () {
             done(new Error('Export content is not denied for editor.'));
         }, function (error) {
@@ -92,7 +92,7 @@ describe('DB API', function () {
         }).catch(done);
     });
 
-    it('import content is denied (editor & author)', function (done) {
+    it('import content is denied (editor, author & without authentication)', function (done) {
         return dbAPI.importContent(testUtils.context.editor).then(function () {
             done(new Error('Import content is not denied for editor.'));
         }, function (error) {