npm - @strapi/admin - Versions diffs - 4.12.6 → 4.13.0-alpha.0 - Mend

@strapi/admin 4.12.6 → 4.13.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (211) hide show

package/ee/server/services/review-workflows/review-workflows.js CHANGED Viewed

@@ -8,6 +8,8 @@ const defaultStages = require('../../constants/default-stages.json');
 const defaultWorkflow = require('../../constants/default-workflow.json');
 const {
   ENTITY_STAGE_ATTRIBUTE,
+  ENTITY_ASSIGNEE_ATTRIBUTE,
+  STAGE_MODEL_UID,
   MAX_WORKFLOWS,
   MAX_STAGES_PER_WORKFLOW,
 } = require('../../constants/workflows');
@@ -52,19 +54,26 @@ function extendReviewWorkflowContentTypes({ strapi }) {
       );
       return contentType;
     };
-    const setStageAttribute = set(`attributes.${ENTITY_STAGE_ATTRIBUTE}`, {
-      writable: true,
-      private: false,
-      configurable: false,
-      visible: false,
-      useJoinTable: true, // We want a join table to persist data when downgrading to CE
-      type: 'relation',
-      relation: 'oneToOne',
-      target: 'admin::workflow-stage',
-    });
+    const setRelation = (path, target) =>
+      set(path, {
+        writable: true,
+        private: false,
+        configurable: false,
+        visible: false,
+        useJoinTable: true, // We want a join table to persist data when downgrading to CE
+        type: 'relation',
+        relation: 'oneToOne',
+        target,
+      });
+    const setReviewWorkflowAttributes = pipe([
+      setRelation(`attributes.${ENTITY_STAGE_ATTRIBUTE}`, STAGE_MODEL_UID),
+      setRelation(`attributes.${ENTITY_ASSIGNEE_ATTRIBUTE}`, 'admin::user'),
+    ]);
     const extendContentTypeIfCompatible = cond([
-      [assertContentTypeCompatibility, setStageAttribute],
+      [assertContentTypeCompatibility, setReviewWorkflowAttributes],
       [stubTrue, incompatibleContentTypeAlert],
     ]);
     strapi.container.get('content-types').extend(contentTypeUID, extendContentTypeIfCompatible);

package/ee/server/validation/review-workflows.js CHANGED Viewed

@@ -66,8 +66,16 @@ const validateWorkflowUpdateSchema = yup.object().shape({
   contentTypes: validateContentTypes,
 });
+const validateUpdateAssigneeOnEntity = yup
+  .object()
+  .shape({
+    id: yup.number().integer().min(1).nullable(),
+  })
+  .required();
 module.exports = {
   validateWorkflowCreate: validateYupSchema(validateWorkflowCreateSchema),
   validateUpdateStageOnEntity: validateYupSchema(validateUpdateStageOnEntity),
+  validateUpdateAssigneeOnEntity: validateYupSchema(validateUpdateAssigneeOnEntity),
   validateWorkflowUpdate: validateYupSchema(validateWorkflowUpdateSchema),
 };

package/index.js CHANGED Viewed

@@ -30,7 +30,6 @@ async function build({ appDir, buildDestDir, env, forceBuild, optimize, options,
   const entry = path.resolve(cacheDir, 'admin', 'src');
   const dest = path.resolve(buildDestDir, 'build');
-  const pluginsPath = Object.keys(plugins).map((pluginName) => plugins[pluginName].pathToPlugin);
   const enforceSourceMaps = process.env.STRAPI_ENFORCE_SOURCEMAPS === 'true' ?? false;
   // Either use the tsconfig file from the generated app or the one inside the .cache folder
@@ -41,14 +40,13 @@ async function build({ appDir, buildDestDir, env, forceBuild, optimize, options,
   const config = getCustomWebpackConfig(appDir, {
     appDir,
-    cacheDir,
     dest,
     enforceSourceMaps,
     entry,
     env,
     optimize,
     options,
-    pluginsPath,
+    plugins,
     tsConfigFilePath,
   });
@@ -100,8 +98,6 @@ async function watchAdmin({ appDir, browser, buildDestDir, host, options, plugin
   const dest = path.join(buildDestDir, 'build');
   const env = 'development';
-  const pluginsPath = Object.keys(plugins).map((pluginName) => plugins[pluginName].pathToPlugin);
   // Either use the tsconfig file from the generated app or the one inside the .cache folder
   // so we can develop plugins in TS while being in a JS app
   const tsConfigFilePath = useTypeScript
@@ -115,7 +111,7 @@ async function watchAdmin({ appDir, browser, buildDestDir, host, options, plugin
     entry,
     env,
     options,
-    pluginsPath,
+    plugins,
     devServer: {
       port,
       client: {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/admin",
-  "version": "4.12.6",
+  "version": "4.13.0-alpha.0",
   "description": "Strapi Admin",
   "repository": {
     "type": "git",
@@ -42,15 +42,15 @@
   "dependencies": {
     "@casl/ability": "^5.4.3",
     "@pmmmwh/react-refresh-webpack-plugin": "0.5.10",
-    "@strapi/data-transfer": "4.12.6",
+    "@strapi/data-transfer": "4.13.0-alpha.0",
     "@strapi/design-system": "1.9.0",
-    "@strapi/helper-plugin": "4.12.6",
+    "@strapi/helper-plugin": "4.13.0-alpha.0",
     "@strapi/icons": "1.9.0",
-    "@strapi/permissions": "4.12.6",
-    "@strapi/provider-audit-logs-local": "4.12.6",
-    "@strapi/typescript-utils": "4.12.6",
-    "@strapi/utils": "4.12.6",
-    "axios": "1.4.0",
+    "@strapi/permissions": "4.13.0-alpha.0",
+    "@strapi/provider-audit-logs-local": "4.13.0-alpha.0",
+    "@strapi/typescript-utils": "4.13.0-alpha.0",
+    "@strapi/utils": "4.13.0-alpha.0",
+    "axios": "1.5.0",
     "bcryptjs": "2.4.3",
     "browserslist": "^4.17.3",
     "browserslist-to-esbuild": "1.2.0",
@@ -154,5 +154,5 @@
       }
     }
   },
-  "gitHead": "9bb6ba1e0d07c65423e99075438262540a042d76"
+  "gitHead": "41844c2867621a1f47dd6ae6ac83283aa54b22f8"
 }

package/scripts/build.js CHANGED Viewed

@@ -7,14 +7,8 @@ const { isObject } = require('lodash');
 const SpeedMeasurePlugin = require('speed-measure-webpack-plugin');
 const webpackConfig = require('../webpack.config');
-const getPluginsPath = require('../utils/get-plugins-path');
-const {
-  getCorePluginsPath,
-  getPluginToInstallPath,
-  createPluginsFile,
-} = require('./create-plugins-file');
-const PLUGINS_TO_INSTALL = ['i18n', 'users-permissions'];
+const { getPlugins } = require('../utils/get-plugins');
+const { createPluginsJs } = require('../utils/create-cache-dir');
 // Wrapper that outputs the webpack speed
 const smp = new SpeedMeasurePlugin();
@@ -24,18 +18,24 @@ const buildAdmin = async () => {
   const dest = path.join(__dirname, '..', 'build');
   const tsConfigFilePath = path.join(__dirname, '..', 'admin', 'src', 'tsconfig.json');
-  const corePlugins = getCorePluginsPath();
-  const plugins = getPluginToInstallPath(PLUGINS_TO_INSTALL);
-  const allPlugins = { ...corePlugins, ...plugins };
-  const pluginsPath = getPluginsPath();
+  /**
+   * We _always_ install these FE plugins, they're considered "core"
+   * and are typically marked as `required` in their package.json
+   */
+  const plugins = getPlugins([
+    '@strapi/plugin-content-type-builder',
+    '@strapi/plugin-email',
+    '@strapi/plugin-upload',
+    '@strapi/plugin-i18n',
+    '@strapi/plugin-users-permissions',
+  ]);
-  await createPluginsFile(allPlugins);
+  await createPluginsJs(plugins, path.join(__dirname, '..'));
   const args = {
     entry,
     dest,
-    cacheDir: path.join(__dirname, '..'),
-    pluginsPath,
+    plugins,
     env: 'production',
     optimize: true,
     options: {

package/scripts/create-dev-plugins-file.js CHANGED Viewed

@@ -1,40 +1,9 @@
 'use strict';
-const { join, resolve, relative } = require('path');
-const { promisify } = require('util');
-// eslint-disable-next-line import/no-extraneous-dependencies
-const glob = promisify(require('glob').glob);
+const { join } = require('path');
 const fs = require('fs-extra');
-const { getCorePluginsPath, createPluginsFile } = require('./create-plugins-file');
-/**
- * Retrieve all plugins that are inside the plugins folder
- * @returns Object the plugins
- */
-const getPluginsPackages = async () => {
-  const pathToPackages = resolve(__dirname, '..', '..', '..', 'plugins', '*');
-  const pluginsPackageDirs = await glob(pathToPackages);
-  return pluginsPackageDirs
-    .filter((pluginDir) => {
-      return fs.existsSync(join(pluginDir, 'admin', 'src', 'index.js'));
-    })
-    .reduce((acc, current) => {
-      const depName = current.replace(/\\/g, '/').split('/').slice(-1)[0];
-      const adminEntryPoint = join(__dirname, '..', 'admin', 'src');
-      const pathToPlugin = join(relative(adminEntryPoint, current), 'admin', 'src').replace(
-        /\\/g,
-        '/'
-      );
-      acc[depName] = pathToPlugin;
-      return acc;
-    }, {});
-};
+const { getPlugins } = require('../utils/get-plugins');
+const { createPluginsJs } = require('../utils/create-cache-dir');
 /**
  * Write the plugins.js file or copy the plugins-dev.js file if it exists
@@ -49,11 +18,9 @@ const createFile = async () => {
     return;
   }
-  const corePlugins = getCorePluginsPath();
-  const plugins = await getPluginsPackages();
-  const allPlugins = { ...corePlugins, ...plugins };
+  const plugins = getPlugins();
-  return createPluginsFile(allPlugins);
+  return createPluginsJs(plugins, join(__dirname, '..'));
 };
 createFile()

package/server/controllers/role.js CHANGED Viewed

@@ -55,6 +55,8 @@ module.exports = {
       ability: ctx.state.userAbility,
       model: 'admin::role',
     });
+    await permissionsManager.validateQuery(query);
     const sanitizedQuery = await permissionsManager.sanitizeQuery(query);
     const roles = await getService('role').findAllWithUsersCount(sanitizedQuery);

package/server/controllers/user.js CHANGED Viewed

@@ -52,6 +52,8 @@ module.exports = {
       ability: ctx.state.userAbility,
       model: 'admin::user',
     });
+    await permissionsManager.validateQuery(ctx.query);
     const sanitizedQuery = await permissionsManager.sanitizeQuery(ctx.query);
     const { results, pagination } = await userService.findPage(sanitizedQuery);

package/server/services/permission/permissions-manager/index.js CHANGED Viewed

@@ -4,8 +4,9 @@ const _ = require('lodash');
 const { cloneDeep, isPlainObject } = require('lodash/fp');
 const { subject: asSubject } = require('@casl/ability');
 const createSanitizeHelpers = require('./sanitize');
+const createValidateHelpers = require('./validate');
-const { buildStrapiQuery, buildCaslQuery } = require('./query-builers');
+const { buildStrapiQuery, buildCaslQuery } = require('./query-builders');
 module.exports = ({ ability, action, model }) => ({
   ability,
@@ -48,4 +49,5 @@ module.exports = ({ ability, action, model }) => ({
   },
   ...createSanitizeHelpers({ action, ability, model }),
+  ...createValidateHelpers({ action, ability, model }),
 });

package/server/services/permission/permissions-manager/sanitize.js CHANGED Viewed

@@ -45,7 +45,7 @@ const STATIC_FIELDS = [ID_ATTRIBUTE];
 module.exports = ({ action, ability, model }) => {
   const schema = strapi.getModel(model);
-  const { allowedFields } = sanitize.visitors;
+  const { removeDisallowedFields } = sanitize.visitors;
   const createSanitizeQuery = (options = {}) => {
     const { fields } = options;
@@ -54,8 +54,9 @@ module.exports = ({ action, ability, model }) => {
     const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);
     const sanitizeFilters = pipeAsync(
-      traverse.traverseQueryFilters(allowedFields(permittedFields), { schema }),
+      traverse.traverseQueryFilters(removeDisallowedFields(permittedFields), { schema }),
       traverse.traverseQueryFilters(omitDisallowedAdminUserFields, { schema }),
+      traverse.traverseQueryFilters(omitHiddenFields, { schema }),
       traverse.traverseQueryFilters(removePassword, { schema }),
       traverse.traverseQueryFilters(
         ({ key, value }, { remove }) => {
@@ -68,8 +69,9 @@ module.exports = ({ action, ability, model }) => {
     );
     const sanitizeSort = pipeAsync(
-      traverse.traverseQuerySort(allowedFields(permittedFields), { schema }),
+      traverse.traverseQuerySort(removeDisallowedFields(permittedFields), { schema }),
       traverse.traverseQuerySort(omitDisallowedAdminUserFields, { schema }),
+      traverse.traverseQuerySort(omitHiddenFields, { schema }),
       traverse.traverseQuerySort(removePassword, { schema }),
       traverse.traverseQuerySort(
         ({ key, attribute, value }, { remove }) => {
@@ -82,13 +84,15 @@ module.exports = ({ action, ability, model }) => {
     );
     const sanitizePopulate = pipeAsync(
-      traverse.traverseQueryPopulate(allowedFields(permittedFields), { schema }),
+      traverse.traverseQueryPopulate(removeDisallowedFields(permittedFields), { schema }),
       traverse.traverseQueryPopulate(omitDisallowedAdminUserFields, { schema }),
+      traverse.traverseQueryPopulate(omitHiddenFields, { schema }),
       traverse.traverseQueryPopulate(removePassword, { schema })
     );
     const sanitizeFields = pipeAsync(
-      traverse.traverseQueryFields(allowedFields(permittedFields), { schema }),
+      traverse.traverseQueryFields(removeDisallowedFields(permittedFields), { schema }),
+      traverse.traverseQueryFields(omitHiddenFields, { schema }),
       traverse.traverseQueryFields(removePassword, { schema })
     );
@@ -126,7 +130,7 @@ module.exports = ({ action, ability, model }) => {
       // Remove unallowed fields from admin::user relations
       traverseEntity(pickAllowedAdminUserFields, { schema }),
       // Remove not allowed fields (RBAC)
-      traverseEntity(allowedFields(permittedFields), { schema }),
+      traverseEntity(removeDisallowedFields(permittedFields), { schema }),
       // Remove all fields of type 'password'
       sanitize.sanitizers.sanitizePasswords(schema)
     );
@@ -141,7 +145,7 @@ module.exports = ({ action, ability, model }) => {
       // Remove fields hidden from the admin
       traverseEntity(omitHiddenFields, { schema }),
       // Remove not allowed fields (RBAC)
-      traverseEntity(allowedFields(permittedFields), { schema }),
+      traverseEntity(removeDisallowedFields(permittedFields), { schema }),
       // Remove roles from createdBy & updateBy fields
       omitCreatorRoles
     );
@@ -256,13 +260,21 @@ module.exports = ({ action, ability, model }) => {
   };
   const getQueryFields = (fields = []) => {
+    const nonVisibleAttributes = getNonVisibleAttributes(schema);
+    const writableAttributes = getWritableAttributes(schema);
+    const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);
     return uniq([
       ...fields,
       ...STATIC_FIELDS,
       ...COMPONENT_FIELDS,
+      ...nonVisibleWritableAttributes,
       CREATED_AT_ATTRIBUTE,
       UPDATED_AT_ATTRIBUTE,
       PUBLISHED_AT_ATTRIBUTE,
+      CREATED_BY_ATTRIBUTE,
+      UPDATED_BY_ATTRIBUTE,
     ]);
   };

package/server/services/permission/permissions-manager/validate.js ADDED Viewed

@@ -0,0 +1,218 @@
+'use strict';
+const { subject: asSubject, detectSubjectType } = require('@casl/ability');
+const { permittedFieldsOf } = require('@casl/ability/extra');
+const {
+  defaults,
+  omit,
+  isArray,
+  isEmpty,
+  isNil,
+  flatMap,
+  some,
+  prop,
+  uniq,
+  intersection,
+  getOr,
+  isObject,
+} = require('lodash/fp');
+const {
+  contentTypes,
+  traverseEntity,
+  traverse,
+  validate,
+  pipeAsync,
+  errors: { ValidationError },
+} = require('@strapi/utils');
+const { throwPassword, throwDisallowedFields } = validate.visitors;
+const { ADMIN_USER_ALLOWED_FIELDS } = require('../../../domain/user');
+const { constants, isScalarAttribute, getNonVisibleAttributes, getWritableAttributes } =
+  contentTypes;
+const {
+  ID_ATTRIBUTE,
+  CREATED_AT_ATTRIBUTE,
+  UPDATED_AT_ATTRIBUTE,
+  PUBLISHED_AT_ATTRIBUTE,
+  CREATED_BY_ATTRIBUTE,
+  UPDATED_BY_ATTRIBUTE,
+} = constants;
+const COMPONENT_FIELDS = ['__component'];
+const STATIC_FIELDS = [ID_ATTRIBUTE];
+const throwInvalidParam = ({ key }) => {
+  throw new ValidationError(`Invalid parameter ${key}`);
+};
+module.exports = ({ action, ability, model }) => {
+  const schema = strapi.getModel(model);
+  const createValidateQuery = (options = {}) => {
+    const { fields } = options;
+    // TODO: validate relations to admin users in all validators
+    const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);
+    const validateFilters = pipeAsync(
+      traverse.traverseQueryFilters(throwDisallowedFields(permittedFields), { schema }),
+      traverse.traverseQueryFilters(throwDisallowedAdminUserFields, { schema }),
+      traverse.traverseQueryFilters(throwPassword, { schema }),
+      traverse.traverseQueryFilters(
+        ({ key, value }) => {
+          if (isObject(value) && isEmpty(value)) {
+            throwInvalidParam({ key });
+          }
+        },
+        { schema }
+      )
+    );
+    const validateSort = pipeAsync(
+      traverse.traverseQuerySort(throwDisallowedFields(permittedFields), { schema }),
+      traverse.traverseQuerySort(throwDisallowedAdminUserFields, { schema }),
+      traverse.traverseQuerySort(throwPassword, { schema }),
+      traverse.traverseQuerySort(
+        ({ key, attribute, value }) => {
+          if (!isScalarAttribute(attribute) && isEmpty(value)) {
+            throwInvalidParam({ key });
+          }
+        },
+        { schema }
+      )
+    );
+    const validateFields = pipeAsync(
+      traverse.traverseQueryFields(throwDisallowedFields(permittedFields), { schema }),
+      traverse.traverseQueryFields(throwPassword, { schema })
+    );
+    return async (query) => {
+      if (query.filters) {
+        await validateFilters(query.filters);
+      }
+      if (query.sort) {
+        await validateSort(query.sort);
+      }
+      if (query.fields) {
+        await validateFields(query.fields);
+      }
+      return true;
+    };
+  };
+  const createValidateInput = (options = {}) => {
+    const { fields } = options;
+    const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);
+    return pipeAsync(
+      // Remove fields hidden from the admin
+      traverseEntity(throwHiddenFields, { schema }),
+      // Remove not allowed fields (RBAC)
+      traverseEntity(throwDisallowedFields(permittedFields), { schema }),
+      // Remove roles from createdBy & updatedBy fields
+      omitCreatorRoles
+    );
+  };
+  const wrapValidate = (createValidateFunction) => {
+    const wrappedValidate = async (data, options = {}) => {
+      if (isArray(data)) {
+        return Promise.all(data.map((entity) => wrappedValidate(entity, options)));
+      }
+      const { subject, action: actionOverride } = getDefaultOptions(data, options);
+      const permittedFields = permittedFieldsOf(ability, actionOverride, subject, {
+        fieldsFrom: (rule) => rule.fields || [],
+      });
+      const hasAtLeastOneRegistered = some(
+        (fields) => !isNil(fields),
+        flatMap(prop('fields'), ability.rulesFor(actionOverride, detectSubjectType(subject)))
+      );
+      const shouldIncludeAllFields = isEmpty(permittedFields) && !hasAtLeastOneRegistered;
+      const validateOptions = {
+        ...options,
+        fields: {
+          shouldIncludeAll: shouldIncludeAllFields,
+          permitted: permittedFields,
+          hasAtLeastOneRegistered,
+        },
+      };
+      const validateFunction = createValidateFunction(validateOptions);
+      return validateFunction(data);
+    };
+    return wrappedValidate;
+  };
+  const getDefaultOptions = (data, options) => {
+    return defaults({ subject: asSubject(model, data), action }, options);
+  };
+  /**
+   * Omit creator fields' (createdBy & updatedBy) roles from the admin API responses
+   */
+  const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);
+  /**
+   * Visitor used to remove hidden fields from the admin API responses
+   */
+  const throwHiddenFields = ({ key, schema }) => {
+    const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);
+    if (isHidden) {
+      throwInvalidParam({ key });
+    }
+  };
+  /**
+   * Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information
+   */
+  const throwDisallowedAdminUserFields = ({ key, attribute, schema }) => {
+    if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {
+      throwInvalidParam({ key });
+    }
+  };
+  const getInputFields = (fields = []) => {
+    const nonVisibleAttributes = getNonVisibleAttributes(schema);
+    const writableAttributes = getWritableAttributes(schema);
+    const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);
+    return uniq([
+      ...fields,
+      ...STATIC_FIELDS,
+      ...COMPONENT_FIELDS,
+      ...nonVisibleWritableAttributes,
+    ]);
+  };
+  const getQueryFields = (fields = []) => {
+    return uniq([
+      ...fields,
+      ...STATIC_FIELDS,
+      ...COMPONENT_FIELDS,
+      CREATED_AT_ATTRIBUTE,
+      UPDATED_AT_ATTRIBUTE,
+      PUBLISHED_AT_ATTRIBUTE,
+    ]);
+  };
+  return {
+    validateQuery: wrapValidate(createValidateQuery),
+    validateInput: wrapValidate(createValidateInput),
+  };
+};