npm - @strapi/admin - Versions diffs - 4.13.0-beta.0 → 4.13.0 - Mend

@strapi/admin 4.13.0-beta.0 → 4.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/scripts/build.js CHANGED Viewed

@@ -7,14 +7,8 @@ const { isObject } = require('lodash');
 const SpeedMeasurePlugin = require('speed-measure-webpack-plugin');
 const webpackConfig = require('../webpack.config');
-const getPluginsPath = require('../utils/get-plugins-path');
-const {
-  getCorePluginsPath,
-  getPluginToInstallPath,
-  createPluginsFile,
-} = require('./create-plugins-file');
-const PLUGINS_TO_INSTALL = ['i18n', 'users-permissions'];
+const { getPlugins } = require('../utils/get-plugins');
+const { createPluginsJs } = require('../utils/create-cache-dir');
 // Wrapper that outputs the webpack speed
 const smp = new SpeedMeasurePlugin();
@@ -24,18 +18,24 @@ const buildAdmin = async () => {
   const dest = path.join(__dirname, '..', 'build');
   const tsConfigFilePath = path.join(__dirname, '..', 'admin', 'src', 'tsconfig.json');
-  const corePlugins = getCorePluginsPath();
-  const plugins = getPluginToInstallPath(PLUGINS_TO_INSTALL);
-  const allPlugins = { ...corePlugins, ...plugins };
-  const pluginsPath = getPluginsPath();
+  /**
+   * We _always_ install these FE plugins, they're considered "core"
+   * and are typically marked as `required` in their package.json
+   */
+  const plugins = getPlugins([
+    '@strapi/plugin-content-type-builder',
+    '@strapi/plugin-email',
+    '@strapi/plugin-upload',
+    '@strapi/plugin-i18n',
+    '@strapi/plugin-users-permissions',
+  ]);
-  await createPluginsFile(allPlugins);
+  await createPluginsJs(plugins, path.join(__dirname, '..'));
   const args = {
     entry,
     dest,
-    cacheDir: path.join(__dirname, '..'),
-    pluginsPath,
+    plugins,
     env: 'production',
     optimize: true,
     options: {

package/scripts/create-dev-plugins-file.js CHANGED Viewed

@@ -1,40 +1,9 @@
 'use strict';
-const { join, resolve, relative } = require('path');
-const { promisify } = require('util');
-// eslint-disable-next-line import/no-extraneous-dependencies
-const glob = promisify(require('glob').glob);
+const { join } = require('path');
 const fs = require('fs-extra');
-const { getCorePluginsPath, createPluginsFile } = require('./create-plugins-file');
-/**
- * Retrieve all plugins that are inside the plugins folder
- * @returns Object the plugins
- */
-const getPluginsPackages = async () => {
-  const pathToPackages = resolve(__dirname, '..', '..', '..', 'plugins', '*');
-  const pluginsPackageDirs = await glob(pathToPackages);
-  return pluginsPackageDirs
-    .filter((pluginDir) => {
-      return fs.existsSync(join(pluginDir, 'admin', 'src', 'index.js'));
-    })
-    .reduce((acc, current) => {
-      const depName = current.replace(/\\/g, '/').split('/').slice(-1)[0];
-      const adminEntryPoint = join(__dirname, '..', 'admin', 'src');
-      const pathToPlugin = join(relative(adminEntryPoint, current), 'admin', 'src').replace(
-        /\\/g,
-        '/'
-      );
-      acc[depName] = pathToPlugin;
-      return acc;
-    }, {});
-};
+const { getPlugins } = require('../utils/get-plugins');
+const { createPluginsJs } = require('../utils/create-cache-dir');
 /**
  * Write the plugins.js file or copy the plugins-dev.js file if it exists
@@ -49,11 +18,9 @@ const createFile = async () => {
     return;
   }
-  const corePlugins = getCorePluginsPath();
-  const plugins = await getPluginsPackages();
-  const allPlugins = { ...corePlugins, ...plugins };
+  const plugins = getPlugins();
-  return createPluginsFile(allPlugins);
+  return createPluginsJs(plugins, join(__dirname, '..'));
 };
 createFile()

package/server/controllers/role.js CHANGED Viewed

@@ -55,6 +55,8 @@ module.exports = {
       ability: ctx.state.userAbility,
       model: 'admin::role',
     });
+    await permissionsManager.validateQuery(query);
     const sanitizedQuery = await permissionsManager.sanitizeQuery(query);
     const roles = await getService('role').findAllWithUsersCount(sanitizedQuery);

package/server/controllers/user.js CHANGED Viewed

@@ -52,6 +52,8 @@ module.exports = {
       ability: ctx.state.userAbility,
       model: 'admin::user',
     });
+    await permissionsManager.validateQuery(ctx.query);
     const sanitizedQuery = await permissionsManager.sanitizeQuery(ctx.query);
     const { results, pagination } = await userService.findPage(sanitizedQuery);

package/server/services/permission/permissions-manager/index.js CHANGED Viewed

@@ -4,8 +4,9 @@ const _ = require('lodash');
 const { cloneDeep, isPlainObject } = require('lodash/fp');
 const { subject: asSubject } = require('@casl/ability');
 const createSanitizeHelpers = require('./sanitize');
+const createValidateHelpers = require('./validate');
-const { buildStrapiQuery, buildCaslQuery } = require('./query-builers');
+const { buildStrapiQuery, buildCaslQuery } = require('./query-builders');
 module.exports = ({ ability, action, model }) => ({
   ability,
@@ -48,4 +49,5 @@ module.exports = ({ ability, action, model }) => ({
   },
   ...createSanitizeHelpers({ action, ability, model }),
+  ...createValidateHelpers({ action, ability, model }),
 });

package/server/services/permission/permissions-manager/sanitize.js CHANGED Viewed

@@ -45,7 +45,7 @@ const STATIC_FIELDS = [ID_ATTRIBUTE];
 module.exports = ({ action, ability, model }) => {
   const schema = strapi.getModel(model);
-  const { allowedFields } = sanitize.visitors;
+  const { removeDisallowedFields } = sanitize.visitors;
   const createSanitizeQuery = (options = {}) => {
     const { fields } = options;
@@ -54,7 +54,7 @@ module.exports = ({ action, ability, model }) => {
     const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);
     const sanitizeFilters = pipeAsync(
-      traverse.traverseQueryFilters(allowedFields(permittedFields), { schema }),
+      traverse.traverseQueryFilters(removeDisallowedFields(permittedFields), { schema }),
       traverse.traverseQueryFilters(omitDisallowedAdminUserFields, { schema }),
       traverse.traverseQueryFilters(omitHiddenFields, { schema }),
       traverse.traverseQueryFilters(removePassword, { schema }),
@@ -69,7 +69,7 @@ module.exports = ({ action, ability, model }) => {
     );
     const sanitizeSort = pipeAsync(
-      traverse.traverseQuerySort(allowedFields(permittedFields), { schema }),
+      traverse.traverseQuerySort(removeDisallowedFields(permittedFields), { schema }),
       traverse.traverseQuerySort(omitDisallowedAdminUserFields, { schema }),
       traverse.traverseQuerySort(omitHiddenFields, { schema }),
       traverse.traverseQuerySort(removePassword, { schema }),
@@ -84,14 +84,14 @@ module.exports = ({ action, ability, model }) => {
     );
     const sanitizePopulate = pipeAsync(
-      traverse.traverseQueryPopulate(allowedFields(permittedFields), { schema }),
+      traverse.traverseQueryPopulate(removeDisallowedFields(permittedFields), { schema }),
       traverse.traverseQueryPopulate(omitDisallowedAdminUserFields, { schema }),
       traverse.traverseQueryPopulate(omitHiddenFields, { schema }),
       traverse.traverseQueryPopulate(removePassword, { schema })
     );
     const sanitizeFields = pipeAsync(
-      traverse.traverseQueryFields(allowedFields(permittedFields), { schema }),
+      traverse.traverseQueryFields(removeDisallowedFields(permittedFields), { schema }),
       traverse.traverseQueryFields(omitHiddenFields, { schema }),
       traverse.traverseQueryFields(removePassword, { schema })
     );
@@ -130,7 +130,7 @@ module.exports = ({ action, ability, model }) => {
       // Remove unallowed fields from admin::user relations
       traverseEntity(pickAllowedAdminUserFields, { schema }),
       // Remove not allowed fields (RBAC)
-      traverseEntity(allowedFields(permittedFields), { schema }),
+      traverseEntity(removeDisallowedFields(permittedFields), { schema }),
       // Remove all fields of type 'password'
       sanitize.sanitizers.sanitizePasswords(schema)
     );
@@ -145,7 +145,7 @@ module.exports = ({ action, ability, model }) => {
       // Remove fields hidden from the admin
       traverseEntity(omitHiddenFields, { schema }),
       // Remove not allowed fields (RBAC)
-      traverseEntity(allowedFields(permittedFields), { schema }),
+      traverseEntity(removeDisallowedFields(permittedFields), { schema }),
       // Remove roles from createdBy & updateBy fields
       omitCreatorRoles
     );

package/server/services/permission/permissions-manager/validate.js ADDED Viewed

@@ -0,0 +1,218 @@
+'use strict';
+const { subject: asSubject, detectSubjectType } = require('@casl/ability');
+const { permittedFieldsOf } = require('@casl/ability/extra');
+const {
+  defaults,
+  omit,
+  isArray,
+  isEmpty,
+  isNil,
+  flatMap,
+  some,
+  prop,
+  uniq,
+  intersection,
+  getOr,
+  isObject,
+} = require('lodash/fp');
+const {
+  contentTypes,
+  traverseEntity,
+  traverse,
+  validate,
+  pipeAsync,
+  errors: { ValidationError },
+} = require('@strapi/utils');
+const { throwPassword, throwDisallowedFields } = validate.visitors;
+const { ADMIN_USER_ALLOWED_FIELDS } = require('../../../domain/user');
+const { constants, isScalarAttribute, getNonVisibleAttributes, getWritableAttributes } =
+  contentTypes;
+const {
+  ID_ATTRIBUTE,
+  CREATED_AT_ATTRIBUTE,
+  UPDATED_AT_ATTRIBUTE,
+  PUBLISHED_AT_ATTRIBUTE,
+  CREATED_BY_ATTRIBUTE,
+  UPDATED_BY_ATTRIBUTE,
+} = constants;
+const COMPONENT_FIELDS = ['__component'];
+const STATIC_FIELDS = [ID_ATTRIBUTE];
+const throwInvalidParam = ({ key }) => {
+  throw new ValidationError(`Invalid parameter ${key}`);
+};
+module.exports = ({ action, ability, model }) => {
+  const schema = strapi.getModel(model);
+  const createValidateQuery = (options = {}) => {
+    const { fields } = options;
+    // TODO: validate relations to admin users in all validators
+    const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);
+    const validateFilters = pipeAsync(
+      traverse.traverseQueryFilters(throwDisallowedFields(permittedFields), { schema }),
+      traverse.traverseQueryFilters(throwDisallowedAdminUserFields, { schema }),
+      traverse.traverseQueryFilters(throwPassword, { schema }),
+      traverse.traverseQueryFilters(
+        ({ key, value }) => {
+          if (isObject(value) && isEmpty(value)) {
+            throwInvalidParam({ key });
+          }
+        },
+        { schema }
+      )
+    );
+    const validateSort = pipeAsync(
+      traverse.traverseQuerySort(throwDisallowedFields(permittedFields), { schema }),
+      traverse.traverseQuerySort(throwDisallowedAdminUserFields, { schema }),
+      traverse.traverseQuerySort(throwPassword, { schema }),
+      traverse.traverseQuerySort(
+        ({ key, attribute, value }) => {
+          if (!isScalarAttribute(attribute) && isEmpty(value)) {
+            throwInvalidParam({ key });
+          }
+        },
+        { schema }
+      )
+    );
+    const validateFields = pipeAsync(
+      traverse.traverseQueryFields(throwDisallowedFields(permittedFields), { schema }),
+      traverse.traverseQueryFields(throwPassword, { schema })
+    );
+    return async (query) => {
+      if (query.filters) {
+        await validateFilters(query.filters);
+      }
+      if (query.sort) {
+        await validateSort(query.sort);
+      }
+      if (query.fields) {
+        await validateFields(query.fields);
+      }
+      return true;
+    };
+  };
+  const createValidateInput = (options = {}) => {
+    const { fields } = options;
+    const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);
+    return pipeAsync(
+      // Remove fields hidden from the admin
+      traverseEntity(throwHiddenFields, { schema }),
+      // Remove not allowed fields (RBAC)
+      traverseEntity(throwDisallowedFields(permittedFields), { schema }),
+      // Remove roles from createdBy & updatedBy fields
+      omitCreatorRoles
+    );
+  };
+  const wrapValidate = (createValidateFunction) => {
+    const wrappedValidate = async (data, options = {}) => {
+      if (isArray(data)) {
+        return Promise.all(data.map((entity) => wrappedValidate(entity, options)));
+      }
+      const { subject, action: actionOverride } = getDefaultOptions(data, options);
+      const permittedFields = permittedFieldsOf(ability, actionOverride, subject, {
+        fieldsFrom: (rule) => rule.fields || [],
+      });
+      const hasAtLeastOneRegistered = some(
+        (fields) => !isNil(fields),
+        flatMap(prop('fields'), ability.rulesFor(actionOverride, detectSubjectType(subject)))
+      );
+      const shouldIncludeAllFields = isEmpty(permittedFields) && !hasAtLeastOneRegistered;
+      const validateOptions = {
+        ...options,
+        fields: {
+          shouldIncludeAll: shouldIncludeAllFields,
+          permitted: permittedFields,
+          hasAtLeastOneRegistered,
+        },
+      };
+      const validateFunction = createValidateFunction(validateOptions);
+      return validateFunction(data);
+    };
+    return wrappedValidate;
+  };
+  const getDefaultOptions = (data, options) => {
+    return defaults({ subject: asSubject(model, data), action }, options);
+  };
+  /**
+   * Omit creator fields' (createdBy & updatedBy) roles from the admin API responses
+   */
+  const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);
+  /**
+   * Visitor used to remove hidden fields from the admin API responses
+   */
+  const throwHiddenFields = ({ key, schema }) => {
+    const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);
+    if (isHidden) {
+      throwInvalidParam({ key });
+    }
+  };
+  /**
+   * Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information
+   */
+  const throwDisallowedAdminUserFields = ({ key, attribute, schema }) => {
+    if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {
+      throwInvalidParam({ key });
+    }
+  };
+  const getInputFields = (fields = []) => {
+    const nonVisibleAttributes = getNonVisibleAttributes(schema);
+    const writableAttributes = getWritableAttributes(schema);
+    const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);
+    return uniq([
+      ...fields,
+      ...STATIC_FIELDS,
+      ...COMPONENT_FIELDS,
+      ...nonVisibleWritableAttributes,
+    ]);
+  };
+  const getQueryFields = (fields = []) => {
+    return uniq([
+      ...fields,
+      ...STATIC_FIELDS,
+      ...COMPONENT_FIELDS,
+      CREATED_AT_ATTRIBUTE,
+      UPDATED_AT_ATTRIBUTE,
+      PUBLISHED_AT_ATTRIBUTE,
+    ]);
+  };
+  return {
+    validateQuery: wrapValidate(createValidateQuery),
+    validateInput: wrapValidate(createValidateInput),
+  };
+};

package/utils/create-cache-dir.js CHANGED Viewed

@@ -9,20 +9,29 @@ const getCustomAppConfigFile = require('./get-custom-app-config-file');
 const getPkgPath = (name) => path.dirname(require.resolve(`${name}/package.json`));
 async function createPluginsJs(plugins, dest) {
-  const pluginsArray = plugins.map(({ pathToPlugin, name }) => {
+  const pluginsArray = plugins.map(({ pathToPlugin, name, info }) => {
     const shortName = _.camelCase(name);
+    let realPath = '';
     /**
-     * path.join, on windows, it uses backslashes to resolve path.
-     * The problem is that Webpack does not windows paths
-     * With this tool, we need to rely on "/" and not "\".
-     * This is the reason why '..\\..\\..\\node_modules\\@strapi\\plugin-content-type-builder/strapi-admin.js' was not working.
-     * The regexp at line 105 aims to replace the windows backslashes by standard slash so that webpack can deal with them.
-     * Backslash looks to work only for absolute paths with webpack => https://webpack.js.org/concepts/module-resolution/#absolute-paths
+     * We're using a module here so we want to keep using the module resolution procedure.
      */
-    const realPath = path
-      .join(path.relative(path.resolve(dest, 'admin', 'src'), pathToPlugin), 'strapi-admin.js')
-      .replace(/\\/g, '/');
+    if (info?.packageName || info?.required) {
+      /**
+       * path.join, on windows, it uses backslashes to resolve path.
+       * The problem is that Webpack does not windows paths
+       * With this tool, we need to rely on "/" and not "\".
+       * This is the reason why '..\\..\\..\\node_modules\\@strapi\\plugin-content-type-builder/strapi-admin.js' was not working.
+       * The regexp at line 105 aims to replace the windows backslashes by standard slash so that webpack can deal with them.
+       * Backslash looks to work only for absolute paths with webpack => https://webpack.js.org/concepts/module-resolution/#absolute-paths
+       */
+      realPath = path.join(pathToPlugin, 'strapi-admin').replace(/\\/g, '/');
+    } else {
+      realPath = path
+        .join(path.relative(path.resolve(dest, 'admin', 'src'), pathToPlugin), 'strapi-admin')
+        .replace(/\\/g, '/');
+    }
     return {
       name,
@@ -76,12 +85,49 @@ async function createCacheDir({ appDir, plugins }) {
     'tsconfig.json'
   );
-  const pluginsWithFront = Object.keys(plugins)
-    .filter((pluginName) => {
-      const pluginInfo = plugins[pluginName];
-      return fs.existsSync(path.resolve(pluginInfo.pathToPlugin, 'strapi-admin.js'));
+  const pluginsWithFront = Object.entries(plugins)
+    .filter(([, plugin]) => {
+      /**
+       * There are two ways a plugin should be imported, either it's local to the strapi app,
+       * or it's an actual npm module that's installed and resolved via node_modules.
+       *
+       * We first check if the plugin is local to the strapi app, using a regular `resolve` because
+       * the pathToPlugin will be relative i.e. `/Users/my-name/strapi-app/src/plugins/my-plugin`.
+       *
+       * If the file doesn't exist well then it's probably a node_module, so instead we use `require.resolve`
+       * which will resolve the path to the module in node_modules. If it fails with the specific code `MODULE_NOT_FOUND`
+       * then it doesn't have an admin part to the package.
+       *
+       * NOTE: we should try to move to `./package.json[exports]` map with bundling of our own plugins,
+       * because these entry files are written in commonjs restricting features e.g. tree-shaking.
+       */
+      try {
+        const isLocalPluginWithLegacyAdminFile = fs.existsSync(
+          path.resolve(`${plugin.pathToPlugin}/strapi-admin.js`)
+        );
+        if (!isLocalPluginWithLegacyAdminFile) {
+          const isModulewithLegacyAdminFile = require.resolve(
+            `${plugin.pathToPlugin}/strapi-admin.js`
+          );
+          return isModulewithLegacyAdminFile;
+        }
+        return isLocalPluginWithLegacyAdminFile;
+      } catch (err) {
+        if (err.code === 'MODULE_NOT_FOUND') {
+          /**
+           * the plugin does not contain FE code, so we
+           * don't want to import it anyway
+           */
+          return false;
+        }
+        throw err;
+      }
     })
-    .map((name) => ({ name, ...plugins[name] }));
+    .map(([name, plugin]) => ({ name, ...plugin }));
   // create .cache dir
   await fs.emptyDir(cacheDir);
@@ -128,4 +174,4 @@ async function createCacheDir({ appDir, plugins }) {
   }
 }
-module.exports = createCacheDir;
+module.exports = { createCacheDir, createPluginsJs };

package/utils/create-plugins-exclude-path.js CHANGED Viewed

@@ -1,40 +1,20 @@
 'use strict';
-const { sep, join } = require('path');
 const NODE_MODULES = 'node_modules';
 /**
  * @param {string[]} pluginsPath – an array of paths to the plugins from the user's directory
  * @returns {RegExp} a regex that will exclude _all_ node_modules except for the plugins in the pluginsPath array.
  */
 const createPluginsExcludePath = (pluginsPath = []) => {
-  /**
-   * converts the full path to just the plugin path
-   * e.g. `/Users/username/strapi/node_modules/@scope/plugin-name`
-   * to `@scope/plugin-name`
-   */
-  const tsxPlugins = pluginsPath.reduce((acc, curr) => {
-    const dirPaths = curr.split(sep);
-    const nodeModulePathIndex = dirPaths.findIndex((val) => val === NODE_MODULES);
-    if (nodeModulePathIndex > 0) {
-      const pluginNodeModulePath = dirPaths.slice(nodeModulePathIndex + 1);
-      return [...acc, join(...pluginNodeModulePath)];
-    }
-    return acc;
-  }, []);
   /**
    * If there aren't any plugins in the node_modules array, just return the node_modules regex
    * without complicating it.
    */
-  if (tsxPlugins.length === 0) {
+  if (pluginsPath.length === 0) {
     return /node_modules/;
   }
-  return new RegExp(`${NODE_MODULES}/(?!(${tsxPlugins.join('|')}))`);
+  return new RegExp(`${NODE_MODULES}/(?!(${pluginsPath.join('|')}))`);
 };
-module.exports = createPluginsExcludePath;
+module.exports = { createPluginsExcludePath };

package/utils/get-plugins.js ADDED Viewed

@@ -0,0 +1,110 @@
+'use strict';
+const { join, resolve, sep, posix } = require('path');
+const fs = require('fs');
+// eslint-disable-next-line import/no-extraneous-dependencies
+const glob = require('glob');
+const getPlugins = (pluginsAllowlist) => {
+  const rootPath = resolve(__dirname, '..', join('..', '..', '..', 'packages'));
+  /**
+   * So `glob` only supports '/' as a path separator, so we need to replace
+   * the path separator for the current OS with '/'. e.g. on windows it's `\`.
+   *
+   * see https://github.com/isaacs/node-glob/#windows for more information
+   *
+   * and see https://github.com/isaacs/node-glob/issues/467#issuecomment-1114240501 for the recommended fix.
+   */
+  let corePath = join(rootPath, 'core', '*');
+  let pluginsPath = join(rootPath, 'plugins', '*');
+  if (process.platform === 'win32') {
+    corePath = corePath.split(sep).join(posix.sep);
+    pluginsPath = pluginsPath.split(sep).join(posix.sep);
+  }
+  const corePackageDirs = glob.sync(corePath);
+  const pluginsPackageDirs = glob.sync(pluginsPath);
+  const plugins = [...corePackageDirs, ...pluginsPackageDirs]
+    .map((directory) => {
+      const isCoreAdmin = directory.includes('packages/core/admin');
+      if (isCoreAdmin) {
+        return null;
+      }
+      const { name, strapi } = require(join(directory, 'package.json'));
+      /**
+       * this will remove any of our packages that are
+       * not actually plugins for the application
+       */
+      if (!strapi) {
+        return null;
+      }
+      /**
+       * we want the name of the node_module
+       */
+      return {
+        pathToPlugin: name,
+        name: strapi.name,
+        info: { ...strapi, packageName: name },
+        directory,
+      };
+    })
+    .filter((plugin) => {
+      if (!plugin) {
+        return false;
+      }
+      /**
+       * There are two ways a plugin should be imported, either it's local to the strapi app,
+       * or it's an actual npm module that's installed and resolved via node_modules.
+       *
+       * We first check if the plugin is local to the strapi app, using a regular `resolve` because
+       * the pathToPlugin will be relative i.e. `/Users/my-name/strapi-app/src/plugins/my-plugin`.
+       *
+       * If the file doesn't exist well then it's probably a node_module, so instead we use `require.resolve`
+       * which will resolve the path to the module in node_modules. If it fails with the specific code `MODULE_NOT_FOUND`
+       * then it doesn't have an admin part to the package.
+       *
+       * NOTE: we should try to move to `./package.json[exports]` map with bundling of our own plugins,
+       * because these entry files are written in commonjs restricting features e.g. tree-shaking.
+       */
+      try {
+        const isLocalPluginWithLegacyAdminFile = fs.existsSync(
+          resolve(`${plugin.pathToPlugin}/strapi-admin.js`)
+        );
+        if (!isLocalPluginWithLegacyAdminFile) {
+          const isModulewithLegacyAdminFile = require.resolve(
+            `${plugin.pathToPlugin}/strapi-admin.js`
+          );
+          return isModulewithLegacyAdminFile;
+        }
+        return isLocalPluginWithLegacyAdminFile;
+      } catch (err) {
+        if (err.code === 'MODULE_NOT_FOUND') {
+          /**
+           * the plugin does not contain FE code, so we
+           * don't want to import it anyway
+           */
+          return false;
+        }
+        throw err;
+      }
+    });
+  if (Array.isArray(pluginsAllowlist)) {
+    return plugins.filter((plugin) => pluginsAllowlist.includes(plugin.pathToPlugin));
+  }
+  return plugins;
+};
+module.exports = { getPlugins };