@akemona-org/strapi-admin 3.7.0

package/services/permission/engine.js

@@ -0,0 +1,275 @@
+'use strict';
+
+const {
+  curry,
+  map,
+  filter,
+  propEq,
+  isFunction,
+  isBoolean,
+  isArray,
+  isNil,
+  isEmpty,
+  isObject,
+  prop,
+  merge,
+  pick,
+  difference,
+  cloneDeep,
+} = require('lodash/fp');
+const { AbilityBuilder, Ability } = require('@casl/ability');
+const sift = require('sift');
+const permissionDomain = require('../../domain/permission/index');
+const { getService } = require('../../utils');
+const {
+  createEngineHooks,
+  createWillEvaluateContext,
+  createWillRegisterContext,
+} = require('./engine-hooks');
+
+const allowedOperations = [
+  '$or',
+  '$and',
+  '$eq',
+  '$ne',
+  '$in',
+  '$nin',
+  '$lt',
+  '$lte',
+  '$gt',
+  '$gte',
+  '$exists',
+  '$elemMatch',
+];
+const operations = pick(allowedOperations, sift);
+
+const conditionsMatcher = conditions => {
+  return sift.createQueryTester(conditions, { operations });
+};
+
+module.exports = conditionProvider => {
+  const state = {
+    hooks: createEngineHooks(),
+  };
+
+  return {
+    hooks: state.hooks,
+
+    /**
+     * Generate an ability based on the given user (using associated roles & permissions)
+     * @param user
+     * @param options
+     * @returns {Promise<Ability>}
+     */
+    async generateUserAbility(user, options) {
+      const permissions = await getService('permission').findUserPermissions(user);
+      const abilityCreator = this.generateAbilityCreatorFor(user);
+
+      return abilityCreator(permissions, options);
+    },
+
+    /**
+     * Create an ability factory for a specific user
+     * @param user
+     * @returns {function(*, *): Promise<Ability>}
+     */
+    generateAbilityCreatorFor(user) {
+      return async (permissions, options) => {
+        const { can, build } = new AbilityBuilder(Ability);
+
+        for (const permission of permissions) {
+          const registerFn = this.createRegisterFunction(can, permission, user);
+
+          await this.evaluate({ permission, user, options, registerFn });
+        }
+
+        return build({ conditionsMatcher });
+      };
+    },
+
+    /**
+     * Validate, invalidate and transform the permission attributes
+     * @param {Permission} permission
+     * @returns {null|Permission}
+     */
+    formatPermission(permission) {
+      const { actionProvider } = getService('permission');
+
+      const action = actionProvider.get(permission.action);
+
+      // If the action isn't registered into the action provider, then ignore the permission
+      if (!action) {
+        return null;
+      }
+
+      const properties = permission.properties || {};
+
+      // Only keep the properties allowed by the action (action.applyToProperties)
+      const propertiesName = Object.keys(properties);
+      const invalidProperties = difference(
+        propertiesName,
+        action.applyToProperties || propertiesName
+      );
+
+      const permissionWithSanitizedProperties = invalidProperties.reduce(
+        property => permissionDomain.deleteProperty(property, permission),
+        permission
+      );
+
+      // If the `fields` property is an empty array, then ignore the permission
+      const { fields } = properties;
+
+      if (isArray(fields) && isEmpty(fields)) {
+        return null;
+      }
+
+      return permissionWithSanitizedProperties;
+    },
+
+    /**
+     * Update the permission components through various processing
+     * @param {Permission} permission
+     * @returns {Promise<void>}
+     */
+    async applyPermissionProcessors(permission) {
+      const context = createWillEvaluateContext(permission);
+
+      // 1. Trigger willEvaluatePermission hook and await transformation operated on the permission
+      await state.hooks.willEvaluatePermission.call(context);
+    },
+
+    /**
+     * Register new rules using `registerFn` based on valid permission's conditions
+     * @param options {object}
+     * @param options.permission {object}
+     * @param options.user {object}
+     * @param options.options {object | undefined}
+     * @param options.registerFn {Function}
+     * @returns {Promise<void>}
+     */
+    async evaluate(options) {
+      const { user, registerFn, options: conditionOptions } = options;
+
+      // Assert options.permission validity and format it
+      const permission = this.formatPermission(options.permission);
+
+      // If options.permission is invalid, then ignore the permission
+      if (permission === null) {
+        return;
+      }
+
+      await this.applyPermissionProcessors(permission);
+
+      // Extract the up-to-date components from the permission
+      const { action, subject, properties = {}, conditions } = permission;
+
+      // Register the permission if there is no condition
+      if (isEmpty(conditions)) {
+        return registerFn({ action, subject, fields: properties.fields });
+      }
+
+      /** Set of functions used to resolve + evaluate conditions & register the permission if allowed */
+
+      // 1. Replace each condition name by its associated value
+      const resolveConditions = map(conditionProvider.get);
+
+      // 2. Filter conditions, only keep those whose handler is a function
+      const filterValidConditions = filter(condition => isFunction(condition.handler));
+
+      // 3. Evaluate the conditions handler and returns an object
+      // containing both the original condition and its result
+      const evaluateConditions = conditions => {
+        return Promise.all(
+          conditions.map(async condition => ({
+            condition,
+            result: await condition.handler(
+              user,
+              merge(conditionOptions, { permission: cloneDeep(permission) })
+            ),
+          }))
+        );
+      };
+
+      // 4. Only keeps booleans or objects as condition's result
+      const filterValidResults = filter(({ result }) => isBoolean(result) || isObject(result));
+
+      /**/
+
+      const evaluatedConditions = await Promise.resolve(conditions)
+        .then(resolveConditions)
+        .then(filterValidConditions)
+        .then(evaluateConditions)
+        .then(filterValidResults);
+
+      // Utils
+      const resultPropEq = propEq('result');
+      const pickResults = map(prop('result'));
+
+      if (evaluatedConditions.every(resultPropEq(false))) {
+        return;
+      }
+
+      // If there is no condition or if one of them return true, register the permission as is
+      if (isEmpty(evaluatedConditions) || evaluatedConditions.some(resultPropEq(true))) {
+        return registerFn({ action, subject, fields: properties.fields });
+      }
+
+      const results = pickResults(evaluatedConditions).filter(isObject);
+
+      if (isEmpty(results)) {
+        return registerFn({ action, subject, fields: properties.fields });
+      }
+
+      // Register the permission
+      return registerFn({
+        action,
+        subject,
+        fields: properties.fields,
+        condition: { $and: [{ $or: results }] },
+      });
+    },
+
+    /**
+     * Encapsulate a register function with custom params to fit `evaluatePermission`'s syntax
+     * @param can
+     * @param {Permission} permission
+     * @param {object} user
+     * @returns {function}
+     */
+    createRegisterFunction(can, permission, user) {
+      const registerToCasl = caslPermission => {
+        const { action, subject, fields, condition } = caslPermission;
+
+        can(
+          action,
+          isNil(subject) ? 'all' : subject,
+          fields,
+          isObject(condition) ? condition : undefined
+        );
+      };
+
+      const runWillRegisterHook = async caslPermission => {
+        const hookContext = createWillRegisterContext(caslPermission, {
+          permission,
+          user,
+        });
+
+        await state.hooks.willRegisterPermission.call(hookContext);
+
+        return caslPermission;
+      };
+
+      return async caslPermission => {
+        await runWillRegisterHook(caslPermission);
+        registerToCasl(caslPermission);
+      };
+    },
+
+    /**
+     * Check many permissions based on an ability
+     */
+    checkMany: curry((ability, permissions) => {
+      return permissions.map(({ action, subject, field }) => ability.can(action, subject, field));
+    }),
+  };
+};

package/services/permission/permissions-manager/index.js

@@ -0,0 +1,87 @@
+'use strict';
+
+const _ = require('lodash');
+const { cloneDeep, isObject, set, isArray } = require('lodash/fp');
+const { subject: asSubject } = require('@casl/ability');
+const { permittedFieldsOf } = require('@casl/ability/extra');
+const {
+  sanitizeEntity,
+  contentTypes: { constants },
+} = require('@akemona-org/strapi-utils');
+const { buildStrapiQuery, buildCaslQuery } = require('./query-builers');
+
+module.exports = ({ ability, action, model }) => ({
+  ability,
+  action,
+  model,
+
+  get isAllowed() {
+    return this.ability.can(action, model);
+  },
+
+  toSubject(target, subjectType = model) {
+    return asSubject(subjectType, target);
+  },
+
+  pickPermittedFieldsOf(data, options = {}) {
+    return this.sanitize(data, { ...options, isOutput: false });
+  },
+
+  getQuery(queryAction = action) {
+    if (_.isUndefined(queryAction)) {
+      throw new Error('Action must be defined to build a permission query');
+    }
+
+    return buildStrapiQuery(buildCaslQuery(ability, queryAction, model));
+  },
+
+  queryFrom(query = {}, action) {
+    const permissionQuery = this.getQuery(action);
+
+    const newQuery = cloneDeep(query);
+    const { _where } = query;
+
+    if (isObject(_where) && !isArray(_where)) {
+      Object.assign(newQuery, { _where: [_where] });
+    }
+
+    if (!_where) {
+      Object.assign(newQuery, { _where: [] });
+    }
+
+    return set('_where', newQuery._where.concat(permissionQuery), newQuery);
+  },
+
+  sanitize(data, options = {}) {
+    const {
+      subject = this.toSubject(data),
+      action: actionOverride = action,
+      withPrivate = true,
+      withHidden = false,
+      isOutput = true,
+    } = options;
+
+    if (_.isArray(data)) {
+      return data.map((entity) => this.sanitize(entity, { action, withPrivate, isOutput }));
+    }
+
+    const permittedFields = permittedFieldsOf(ability, actionOverride, subject);
+    const hasAtLeastOneRegisteredField = _.some(
+      _.flatMap(ability.rulesFor(actionOverride, subject), 'fields')
+    );
+    const shouldIncludeAllFields = _.isEmpty(permittedFields) && !hasAtLeastOneRegisteredField;
+
+    const sanitizedEntity = sanitizeEntity(data, {
+      model: strapi.getModel(model),
+      includeFields: shouldIncludeAllFields ? null : permittedFields,
+      withPrivate,
+      withHidden,
+      isOutput,
+    });
+
+    return _.omit(sanitizedEntity, [
+      `${constants.CREATED_BY_ATTRIBUTE}.roles`,
+      `${constants.UPDATED_BY_ATTRIBUTE}.roles`,
+    ]);
+  },
+});

package/services/permission/permissions-manager/query-builers.js

@@ -0,0 +1,86 @@
+'use strict';
+
+const _ = require('lodash');
+const { rulesToQuery } = require('@casl/ability/extra');
+const { VALID_REST_OPERATORS } = require('@akemona-org/strapi-utils');
+
+const ops = {
+  common: VALID_REST_OPERATORS.map((op) => `$${op}`),
+  boolean: ['$or', '$and'],
+  cleanable: ['$elemMatch'],
+};
+
+const buildCaslQuery = (ability, action, model) => {
+  const query = rulesToQuery(ability, action, model, (o) => o.conditions);
+  return _.get(query, '$or[0].$and', {});
+};
+
+const buildStrapiQuery = (caslQuery) => {
+  const transform = _.flow([flattenDeep, cleanupUnwantedProperties]);
+  return transform(caslQuery);
+};
+
+const flattenDeep = (condition) => {
+  if (_.isArray(condition)) {
+    return _.map(condition, flattenDeep);
+  }
+
+  if (!_.isObject(condition)) {
+    return condition;
+  }
+
+  const shouldIgnore = (e) => !!ops.common.includes(e);
+  const shouldPerformTransformation = (v, k) => _.isObject(v) && !_.isArray(v) && !shouldIgnore(k);
+
+  const result = {};
+  const set = (key, value) => (result[key] = value);
+
+  const getTransformParams = (prevKey, v, k) =>
+    shouldIgnore(k) ? [`${prevKey}_${k.replace('$', '')}`, v] : [`${prevKey}.${k}`, v];
+
+  _.each(condition, (value, key) => {
+    if (ops.boolean.includes(key)) {
+      set(key.replace('$', '_'), _.map(value, flattenDeep));
+    } else if (shouldPerformTransformation(value, key)) {
+      _.each(flattenDeep(value), (v, k) => {
+        set(...getTransformParams(key, v, k));
+      });
+    } else {
+      set(key, flattenDeep(value));
+    }
+  });
+
+  return result;
+};
+
+const cleanupUnwantedProperties = (condition) => {
+  if (!_.isObject(condition)) {
+    return condition;
+  }
+
+  if (_.isArray(condition)) {
+    return condition.map(cleanupUnwantedProperties);
+  }
+
+  const shouldClean = (e) =>
+    typeof e === 'string' ? ops.cleanable.find((o) => e.includes(`.${o}`)) : undefined;
+
+  return _.reduce(
+    condition,
+    (acc, value, key) => {
+      const keyToClean = shouldClean(key);
+      const newKey = keyToClean ? key.split(`.${keyToClean}`).join('') : key;
+
+      return {
+        ...acc,
+        [newKey]: _.isArray(value) ? value.map(cleanupUnwantedProperties) : value,
+      };
+    },
+    {}
+  );
+};
+
+module.exports = {
+  buildCaslQuery,
+  buildStrapiQuery,
+};

package/services/permission/queries.js

@@ -0,0 +1,241 @@
+'use strict';
+
+const {
+  flatMap,
+  reject,
+  isNil,
+  isArray,
+  prop,
+  xor,
+  eq,
+  uniq,
+  map,
+  difference,
+  differenceWith,
+  pipe,
+} = require('lodash/fp');
+const pmap = require('p-map');
+const { EDITOR_CODE } = require('../constants');
+const { getBoundActionsBySubject, BOUND_ACTIONS_FOR_FIELDS } = require('../../domain/role');
+const { getService } = require('../../utils');
+const permissionDomain = require('../../domain/permission/index');
+
+/**
+ * Delete permissions of roles in database
+ * @param rolesIds ids of roles
+ * @returns {Promise<array>}
+ */
+const deleteByRolesIds = async rolesIds => {
+  const deletedPermissions = await strapi
+    .query('permission', 'admin')
+    .delete({ role_in: rolesIds });
+
+  return permissionDomain.toPermission(deletedPermissions);
+};
+
+/**
+ * Delete permissions
+ * @param ids ids of permissions
+ * @returns {Promise<array>}
+ */
+const deleteByIds = async ids => {
+  const deletedPermissions = await strapi.query('permission', 'admin').delete({ id_in: ids });
+
+  return permissionDomain.toPermission(deletedPermissions);
+};
+
+/**
+ * Create many permissions
+ * @param permissions
+ * @returns {Promise<*[]|*>}
+ */
+const createMany = async permissions => {
+  const createdPermissions = await strapi.query('permission', 'admin').createMany(permissions);
+
+  return permissionDomain.toPermission(createdPermissions);
+};
+
+/**
+ * Update a permission
+ * @returns {Promise<*[]|*>}
+ * @param params
+ * @param attributes
+ */
+const update = async (params, attributes) => {
+  const updatedPermissions = await strapi.query('permission', 'admin').update(params, attributes);
+
+  return permissionDomain.toPermission(updatedPermissions);
+};
+
+/**
+ * Find assigned permissions in the database
+ * @param params query params to find the permissions
+ * @returns {Promise<Permission[]>}
+ */
+const find = async (params = {}) => {
+  const rawPermissions = await strapi.query('permission', 'admin').find(params, []);
+
+  return permissionDomain.toPermission(rawPermissions);
+};
+
+/**
+ * Find all permissions for a user
+ * @param roles
+ * @returns {Promise<Permission[]>}
+ */
+const findUserPermissions = async ({ roles }) => {
+  if (!isArray(roles)) {
+    return [];
+  }
+
+  return find({ role_in: roles.map(prop('id')), _limit: -1 });
+};
+
+const filterPermissionsToRemove = async permissions => {
+  const { actionProvider } = getService('permission');
+
+  const permissionsToRemove = [];
+
+  for (const permission of permissions) {
+    const { subjects, options = {} } = actionProvider.get(permission.action) || {};
+    const { applyToProperties } = options;
+
+    const invalidProperties = await Promise.all(
+      (applyToProperties || []).map(async property => {
+        const applies = await actionProvider.appliesToProperty(
+          property,
+          permission.action,
+          permission.subject
+        );
+
+        return applies && isNil(permissionDomain.getProperty(property, permission));
+      })
+    );
+
+    const isRegisteredAction = actionProvider.has(permission.action);
+    const hasInvalidProperties = isArray(applyToProperties) && invalidProperties.every(eq(true));
+    const isInvalidSubject = isArray(subjects) && !subjects.includes(permission.subject);
+
+    // If the permission has an invalid action, an invalid subject or invalid properties, then add it to the toBeRemoved collection
+    if (!isRegisteredAction || isInvalidSubject || hasInvalidProperties) {
+      permissionsToRemove.push(permission);
+    }
+  }
+
+  return permissionsToRemove;
+};
+
+/**
+ * Removes permissions in database that don't exist anymore
+ * @returns {Promise<>}
+ */
+const cleanPermissionsInDatabase = async () => {
+  const pageSize = 200;
+  let total = Infinity;
+
+  for (let page = 1; page * pageSize < total; page++) {
+    // 1. Find invalid permissions and collect their ID to delete them later
+    const { pagination, results } = await strapi
+      .query('permission', 'admin')
+      .findPage({ page, pageSize }, []);
+
+    total = pagination.total;
+
+    const permissions = permissionDomain.toPermission(results);
+    const permissionsToRemove = await filterPermissionsToRemove(permissions);
+    const permissionsIdToRemove = map(prop('id'), permissionsToRemove);
+
+    // 2. Clean permissions' fields (add required ones, remove the non-existing ones)
+    const remainingPermissions = permissions.filter(
+      permission => !permissionsIdToRemove.includes(permission.id)
+    );
+    const permissionsWithCleanFields = getService('content-type').cleanPermissionFields(
+      remainingPermissions
+    );
+
+    // Update only the ones that need to be updated
+    const permissionsNeedingToBeUpdated = differenceWith(
+      (a, b) => {
+        return a.id === b.id && xor(a.properties.fields, b.properties.fields).length === 0;
+      },
+      permissionsWithCleanFields,
+      remainingPermissions
+    );
+
+    const updatePromiseProvider = permission => {
+      return update({ id: permission.id }, permission);
+    };
+
+    // Execute all the queries, update the database
+    await Promise.all([
+      deleteByIds(permissionsIdToRemove),
+      pmap(permissionsNeedingToBeUpdated, updatePromiseProvider, {
+        concurrency: 100,
+        stopOnError: true,
+      }),
+    ]);
+  }
+};
+
+const ensureBoundPermissionsInDatabase = async () => {
+  if (strapi.EE) {
+    return;
+  }
+
+  const contentTypes = Object.values(strapi.contentTypes);
+  const editorRole = await strapi.query('role', 'admin').findOne({ code: EDITOR_CODE }, []);
+
+  if (isNil(editorRole)) {
+    return;
+  }
+
+  for (const contentType of contentTypes) {
+    const boundActions = getBoundActionsBySubject(editorRole, contentType.uid);
+
+    const permissions = await find({
+      subject: contentType.uid,
+      action_in: boundActions,
+      role: editorRole.id,
+    });
+
+    if (permissions.length === 0) {
+      return;
+    }
+
+    const fields = pipe(
+      flatMap(permissionDomain.getProperty('fields')),
+      reject(isNil),
+      uniq
+    )(permissions);
+
+    // Handle the scenario where permissions are missing
+    const missingActions = difference(map('action', permissions), boundActions);
+
+    if (missingActions.length > 0) {
+      const permissions = pipe(
+        // Create a permission skeleton from the action id
+        map(action => ({ action, subject: contentType.uid, role: editorRole.id })),
+        // Use the permission domain to create a clean permission from the given object
+        map(permissionDomain.create),
+        // Adds the fields property if the permission action is eligible
+        map(permission =>
+          BOUND_ACTIONS_FOR_FIELDS.includes(permission.action)
+            ? permissionDomain.setProperty('fields', fields, permission)
+            : permission
+        )
+      )(missingActions);
+
+      await createMany(permissions);
+    }
+  }
+};
+
+module.exports = {
+  createMany,
+  find,
+  deleteByRolesIds,
+  deleteByIds,
+  findUserPermissions,
+  cleanPermissionsInDatabase,
+  ensureBoundPermissionsInDatabase,
+};