@strapi/admin 4.13.2 → 4.14.0-alpha.0

package/ee/server/controllers/workflows/stages/index.js

@@ -3,7 +3,11 @@
 const { mapAsync } = require('@strapi/utils');
 const { getService } = require('../../../utils');
 const { validateUpdateStageOnEntity } = require('../../../validation/review-workflows');
-const { STAGE_MODEL_UID } = require('../../../constants/workflows');
+const {
+  STAGE_MODEL_UID,
+  ENTITY_STAGE_ATTRIBUTE,
+  STAGE_TRANSITION_UID,
+} = require('../../../constants/workflows');
 
 /**
  *
@@ -75,18 +79,36 @@ module.exports = {
    */
   async updateEntity(ctx) {
     const stagesService = getService('stages');
+    const stagePermissions = getService('stage-permissions');
     const workflowService = getService('workflows');
 
-    const { model_uid: modelUID, id: entityIdString } = ctx.params;
+    const { model_uid: modelUID, id } = ctx.params;
     const { body } = ctx.request;
 
-    const entityId = Number(entityIdString);
-
     const { sanitizeOutput } = strapi
       .plugin('content-manager')
       .service('permission-checker')
       .create({ userAbility: ctx.state.userAbility, model: modelUID });
 
+    // Load entity
+    const entity = await strapi.entityService.findOne(modelUID, Number(id), {
+      populate: [ENTITY_STAGE_ATTRIBUTE],
+    });
+
+    if (!entity) {
+      ctx.throw(404, 'Entity not found');
+    }
+
+    // Validate if entity stage can be updated
+    const canTransition = stagePermissions.can(
+      STAGE_TRANSITION_UID,
+      entity[ENTITY_STAGE_ATTRIBUTE]?.id
+    );
+
+    if (!canTransition) {
+      ctx.throw(403, 'Forbidden stage transition');
+    }
+
     const { id: stageId } = await validateUpdateStageOnEntity(
       { id: Number(body?.data?.id) },
       'You should pass an id to the body of the put request.'
@@ -95,8 +117,73 @@ module.exports = {
     const workflow = await workflowService.assertContentTypeBelongsToWorkflow(modelUID);
     workflowService.assertStageBelongsToWorkflow(stageId, workflow);
 
-    const entity = await stagesService.updateEntity({ id: entityId, modelUID }, stageId);
+    const updatedEntity = await stagesService.updateEntity({ id: entity.id, modelUID }, stageId);
 
-    ctx.body = { data: await sanitizeOutput(entity) };
+    ctx.body = { data: await sanitizeOutput(updatedEntity) };
+  },
+
+  /**
+   * List all the stages that are available for a user to transition an entity to.
+   * If the user has permission to change the current stage of the entity every other stage in the workflow is returned
+   * @async
+   * @param {*} ctx
+   * @param {string} ctx.params.model_uid - The model UID of the entity.
+   * @param {string} ctx.params.id - The ID of the entity.
+   * @throws {ApplicationError} If review workflows is not activated on the specified model UID.
+   */
+  async listAvailableStages(ctx) {
+    const stagePermissions = getService('stage-permissions');
+    const workflowService = getService('workflows');
+
+    const { model_uid: modelUID, id } = ctx.params;
+
+    if (
+      strapi
+        .plugin('content-manager')
+        .service('permission-checker')
+        .create({ userAbility: ctx.state.userAbility, model: modelUID })
+        .cannot.read()
+    ) {
+      return ctx.forbidden();
+    }
+
+    // Load entity
+    const entity = await strapi.entityService.findOne(modelUID, Number(id), {
+      populate: [ENTITY_STAGE_ATTRIBUTE],
+    });
+
+    if (!entity) {
+      ctx.throw(404, 'Entity not found');
+    }
+
+    const entityStageId = entity[ENTITY_STAGE_ATTRIBUTE]?.id;
+    const canTransition = stagePermissions.can(STAGE_TRANSITION_UID, entityStageId);
+
+    const [workflowCount, { stages: workflowStages }] = await Promise.all([
+      workflowService.count(),
+      workflowService.getAssignedWorkflow(modelUID, {
+        populate: 'stages',
+      }),
+    ]);
+
+    const meta = {
+      stageCount: workflowStages.length,
+      workflowCount,
+    };
+
+    if (!canTransition) {
+      ctx.body = {
+        data: [],
+        meta,
+      };
+
+      return;
+    }
+
+    const data = workflowStages.filter((stage) => stage.id !== entityStageId);
+    ctx.body = {
+      data,
+      meta,
+    };
   },
 };

package/ee/server/routes/review-workflows.js

@@ -131,15 +131,16 @@ module.exports = {
       handler: 'stages.updateEntity',
       config: {
         middlewares: [enableFeatureMiddleware('review-workflows')],
-        policies: [
-          'admin::isAuthenticatedAdmin',
-          {
-            name: 'admin::hasPermissions',
-            config: {
-              actions: ['admin::review-workflows.update'],
-            },
-          },
-        ],
+        policies: ['admin::isAuthenticatedAdmin'],
+      },
+    },
+    {
+      method: 'GET',
+      path: '/content-manager/(collection|single)-types/:model_uid/:id/stages',
+      handler: 'stages.listAvailableStages',
+      config: {
+        middlewares: [enableFeatureMiddleware('review-workflows')],
+        policies: ['admin::isAuthenticatedAdmin'],
       },
     },
     {

package/ee/server/services/index.js

@@ -8,6 +8,7 @@ module.exports = {
   'seat-enforcement': require('./seat-enforcement'),
   workflows: require('./review-workflows/workflows'),
   stages: require('./review-workflows/stages'),
+  'stage-permissions': require('./review-workflows/stage-permissions'),
   assignees: require('./review-workflows/assignees'),
   'review-workflows': require('./review-workflows/review-workflows'),
   'review-workflows-validation': require('./review-workflows/validation'),

package/ee/server/services/review-workflows/stage-permissions.js

@@ -0,0 +1,60 @@
+'use strict';
+
+const { prop } = require('lodash/fp');
+const {
+  mapAsync,
+  errors: { ApplicationError },
+} = require('@strapi/utils');
+const { getService } = require('../../utils');
+const { STAGE_TRANSITION_UID } = require('../../constants/workflows');
+
+const validActions = [STAGE_TRANSITION_UID];
+
+module.exports = ({ strapi }) => {
+  const roleService = getService('role');
+  const permissionService = getService('permission');
+
+  return {
+    async register(roleId, action, fromStage) {
+      if (!validActions.includes(action)) {
+        throw new ApplicationError(`Invalid action ${action}`);
+      }
+      const permissions = await roleService.addPermissions(roleId, [
+        {
+          action,
+          actionParameters: {
+            from: fromStage,
+          },
+        },
+      ]);
+
+      // TODO: Filter response
+      return permissions;
+    },
+    async registerMany(permissions) {
+      return mapAsync(permissions, this.register);
+    },
+    async unregister(permissions) {
+      const permissionIds = permissions.map(prop('id'));
+      await permissionService.deleteByIds(permissionIds);
+    },
+    can(action, fromStage) {
+      const requestState = strapi.requestContext.get()?.state;
+
+      if (!requestState) {
+        return false;
+      }
+
+      // Override permissions for super admin
+      const userRoles = requestState.user?.roles;
+      if (userRoles?.some((role) => role.code === 'strapi-super-admin')) {
+        return true;
+      }
+
+      return requestState.userAbility.can({
+        name: action,
+        params: { from: fromStage },
+      });
+    },
+  };
+};

package/ee/server/services/review-workflows/stages.js

@@ -2,15 +2,20 @@
 
 const {
   mapAsync,
+  reduceAsync,
   errors: { ApplicationError, ValidationError },
 } = require('@strapi/utils');
-const { map } = require('lodash/fp');
+const { map, pick, isEqual } = require('lodash/fp');
 
 const { STAGE_MODEL_UID, ENTITY_STAGE_ATTRIBUTE, ERRORS } = require('../../constants/workflows');
 const { getService } = require('../../utils');
 
+const sanitizedStageFields = ['id', 'name', 'workflow', 'color'];
+const sanitizeStageFields = pick(sanitizedStageFields);
+
 module.exports = ({ strapi }) => {
   const metrics = getService('review-workflows-metrics', { strapi });
+  const stagePermissionsService = getService('stage-permissions', { strapi });
   const workflowsValidationService = getService('review-workflows-validation', { strapi });
 
   return {
@@ -32,20 +37,64 @@ module.exports = ({ strapi }) => {
     async createMany(stagesList, { fields } = {}) {
       const params = { select: fields ?? '*' };
 
+      // TODO: pick the fields from the stage
       const stages = await Promise.all(
         stagesList.map((stage) =>
-          strapi.entityService.create(STAGE_MODEL_UID, { data: stage, ...params })
+          strapi.entityService.create(STAGE_MODEL_UID, {
+            data: sanitizeStageFields(stage),
+            ...params,
+          })
         )
       );
 
+      // Create stage permissions
+      await reduceAsync(stagesList)(async (_, stage, idx) => {
+        // Ignore stages without permissions
+        if (!stage.permissions || stage.permissions.length === 0) {
+          return;
+        }
+
+        const stagePermissions = stage.permissions;
+        const stageId = stages[idx].id;
+
+        const permissions = await mapAsync(
+          stagePermissions,
+          // Register each stage permission
+          (permission) =>
+            stagePermissionsService.register(permission.role, permission.action, stageId)
+        );
+
+        // Update stage with the new permissions
+        await strapi.entityService.update(STAGE_MODEL_UID, stageId, {
+          data: {
+            permissions: permissions.flat().map((p) => p.id),
+          },
+        });
+      }, []);
+
       metrics.sendDidCreateStage();
 
       return stages;
     },
 
-    async update(stageId, stageData) {
+    async update(srcStage, destStage) {
+      let stagePermissions = srcStage?.permissions ?? [];
+      const stageId = destStage.id;
+
+      if (destStage.permissions) {
+        await this.deleteStagePermissions([srcStage]);
+
+        const permissions = await mapAsync(destStage.permissions, (permission) =>
+          stagePermissionsService.register(permission.role, permission.action, stageId)
+        );
+        stagePermissions = permissions.flat().map((p) => p.id);
+      }
+
       const stage = await strapi.entityService.update(STAGE_MODEL_UID, stageId, {
-        data: stageData,
+        data: {
+          ...destStage,
+          permissions: stagePermissions,
+        },
       });
 
       metrics.sendDidEditStage();
@@ -53,20 +102,31 @@ module.exports = ({ strapi }) => {
       return stage;
     },
 
-    async delete(stageId) {
-      const stage = await strapi.entityService.delete(STAGE_MODEL_UID, stageId);
+    async delete(stage) {
+      // Unregister all permissions related to this stage id
+      await this.deleteStagePermissions([stage]);
+
+      const deletedStage = await strapi.entityService.delete(STAGE_MODEL_UID, stage.id);
 
       metrics.sendDidDeleteStage();
 
-      return stage;
+      return deletedStage;
     },
 
-    async deleteMany(stagesId) {
+    async deleteMany(stages) {
+      await this.deleteStagePermissions(stages);
+
       return strapi.entityService.deleteMany(STAGE_MODEL_UID, {
-        filters: { id: { $in: stagesId } },
+        filters: { id: { $in: stages.map((s) => s.id) } },
       });
     },
 
+    async deleteStagePermissions(stages) {
+      // TODO: Find another way to do this for when we use the "to" parameter.
+      const permissions = stages.map((s) => s.permissions || []).flat();
+      await stagePermissionsService.unregister(permissions || []);
+    },
+
     count({ workflowId } = {}) {
       const opts = {};
 
@@ -91,7 +151,11 @@ module.exports = ({ strapi }) => {
         const createdStagesIds = map('id', createdStages);
 
         // Update the workflow stages
-        await mapAsync(updated, (stage) => this.update(stage.id, stage));
+        await mapAsync(updated, (destStage) => {
+          const srcStage = srcStages.find((s) => s.id === destStage.id);
+
+          return this.update(srcStage, destStage);
+        });
 
         // Delete the stages that are not in the new stages list
         await mapAsync(deleted, async (stage) => {
@@ -114,7 +178,7 @@ module.exports = ({ strapi }) => {
             });
           });
 
-          return this.delete(stage.id);
+          return this.delete(stage);
         });
 
         return destStages.map((stage) => ({ ...stage, id: stage.id ?? createdStagesIds.shift() }));
@@ -241,12 +305,19 @@ module.exports = ({ strapi }) => {
  */
 function getDiffBetweenStages(sourceStages, comparisonStages) {
   const result = comparisonStages.reduce(
+    // ...
+
     (acc, stageToCompare) => {
       const srcStage = sourceStages.find((stage) => stage.id === stageToCompare.id);
 
       if (!srcStage) {
         acc.created.push(stageToCompare);
-      } else if (srcStage.name !== stageToCompare.name || srcStage.color !== stageToCompare.color) {
+      } else if (
+        !isEqual(
+          pick(['name', 'color', 'permissions'], srcStage),
+          pick(['name', 'color', 'permissions'], stageToCompare)
+        )
+      ) {
         acc.updated.push(stageToCompare);
       }
       return acc;

package/ee/server/services/review-workflows/workflows/index.js

@@ -2,7 +2,7 @@
 
 const { set, isString, map, get } = require('lodash/fp');
 const { ApplicationError } = require('@strapi/utils').errors;
-const { WORKFLOW_MODEL_UID } = require('../../../constants/workflows');
+const { WORKFLOW_MODEL_UID, WORKFLOW_POPULATE } = require('../../../constants/workflows');
 const { getService } = require('../../../utils');
 const { getWorkflowContentTypeFilter } = require('../../../utils/review-workflows');
 const workflowsContentTypesFactory = require('./content-types');
@@ -17,6 +17,16 @@ const processFilters = ({ strapi }, filters = {}) => {
   return processedFilters;
 };
 
+// TODO: How can we improve this? Maybe using traversePopulate?
+const processPopulate = (populate) => {
+  // If it does not exist or it's not an object (like an array) return the default populate
+  if (!populate) {
+    return populate;
+  }
+
+  return WORKFLOW_POPULATE;
+};
+
 module.exports = ({ strapi }) => {
   const workflowsContentTypes = workflowsContentTypesFactory({ strapi });
   const workflowsValidationService = getService('review-workflows-validation', { strapi });
@@ -31,7 +41,9 @@ module.exports = ({ strapi }) => {
      */
     async find(opts = {}) {
       const filters = processFilters({ strapi }, opts.filters);
-      return strapi.entityService.findMany(WORKFLOW_MODEL_UID, { ...opts, filters });
+      const populate = processPopulate(opts.populate);
+
+      return strapi.entityService.findMany(WORKFLOW_MODEL_UID, { ...opts, filters, populate });
     },
 
     /**
@@ -41,7 +53,8 @@ module.exports = ({ strapi }) => {
      * @returns {Promise<object>} - Workflow object matching the requested ID.
      */
     findById(id, opts) {
-      return strapi.entityService.findOne(WORKFLOW_MODEL_UID, id, opts);
+      const populate = processPopulate(opts.populate);
+      return strapi.entityService.findOne(WORKFLOW_MODEL_UID, id, { ...opts, populate });
     },
 
     /**
@@ -51,7 +64,7 @@ module.exports = ({ strapi }) => {
      * @throws {ValidationError} - If the workflow has no stages.
      */
     async create(opts) {
-      let createOpts = { ...opts, populate: { stages: true } };
+      let createOpts = { ...opts, populate: WORKFLOW_POPULATE };
 
       workflowsValidationService.validateWorkflowStages(opts.data.stages);
       await workflowsValidationService.validateWorkflowCount(1);
@@ -87,7 +100,7 @@ module.exports = ({ strapi }) => {
      */
     async update(workflow, opts) {
       const stageService = getService('stages', { strapi });
-      let updateOpts = { ...opts, populate: { stages: true } };
+      let updateOpts = { ...opts, populate: { ...WORKFLOW_POPULATE } };
       let updatedStageIds;
 
       await workflowsValidationService.validateWorkflowCount();
@@ -104,7 +117,7 @@ module.exports = ({ strapi }) => {
             .replaceStages(workflow.stages, opts.data.stages, workflow.contentTypes)
             .then((stages) => stages.map((stage) => stage.id));
 
-          updateOpts = set('data.stages', updatedStageIds, opts);
+          updateOpts = set('data.stages', updatedStageIds, updateOpts);
         }
 
         // Update (un)assigned Content Types
@@ -141,7 +154,7 @@ module.exports = ({ strapi }) => {
 
       return strapi.db.transaction(async () => {
         // Delete stages
-        await stageService.deleteMany(workflow.stages.map((stage) => stage.id));
+        await stageService.deleteMany(workflow.stages);
 
         // Unassign all content types, this will migrate the content types to null
         await workflowsContentTypes.migrate({

package/ee/server/validation/review-workflows.js

@@ -4,11 +4,22 @@
 
 const { yup, validateYupSchema } = require('@strapi/utils');
 const { hasStageAttribute } = require('../utils/review-workflows');
+const { STAGE_TRANSITION_UID } = require('../constants/workflows');
 
 const stageObject = yup.object().shape({
   id: yup.number().integer().min(1),
   name: yup.string().max(255).required(),
   color: yup.string().matches(/^#(?:[0-9a-fA-F]{3}){1,2}$/i), // hex color
+  permissions: yup.array().of(
+    yup.object().shape({
+      role: yup.number().integer().min(1).required(),
+      action: yup.string().oneOf([STAGE_TRANSITION_UID]).required(),
+      actionParameters: yup.object().shape({
+        from: yup.number().integer().min(1).required(),
+        to: yup.number().integer().min(1),
+      }),
+    })
+  ),
 });
 
 const validateUpdateStageOnEntity = yup

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/admin",
-  "version": "4.13.2",
+  "version": "4.14.0-alpha.0",
   "description": "Strapi Admin",
   "repository": {
     "type": "git",
@@ -42,14 +42,14 @@
   "dependencies": {
     "@casl/ability": "^5.4.3",
     "@pmmmwh/react-refresh-webpack-plugin": "0.5.10",
-    "@strapi/data-transfer": "4.13.2",
+    "@strapi/data-transfer": "4.14.0-alpha.0",
     "@strapi/design-system": "1.9.0",
-    "@strapi/helper-plugin": "4.13.2",
+    "@strapi/helper-plugin": "4.14.0-alpha.0",
     "@strapi/icons": "1.9.0",
-    "@strapi/permissions": "4.13.2",
-    "@strapi/provider-audit-logs-local": "4.13.2",
-    "@strapi/typescript-utils": "4.13.2",
-    "@strapi/utils": "4.13.2",
+    "@strapi/permissions": "4.14.0-alpha.0",
+    "@strapi/provider-audit-logs-local": "4.14.0-alpha.0",
+    "@strapi/typescript-utils": "4.14.0-alpha.0",
+    "@strapi/utils": "4.14.0-alpha.0",
     "axios": "1.5.0",
     "bcryptjs": "2.4.3",
     "browserslist": "^4.17.3",
@@ -154,5 +154,5 @@
       }
     }
   },
-  "gitHead": "989fc49fa863563de26161544d21716c9ee805b5"
+  "gitHead": "1c3c286e2481cd8cbbb50e0e0bb8fbd0b824d2e4"
 }

package/scripts/build.js

@@ -7,8 +7,7 @@ const { isObject } = require('lodash');
 const SpeedMeasurePlugin = require('speed-measure-webpack-plugin');
 
 const webpackConfig = require('../webpack.config');
-const { getPlugins } = require('../utils/get-plugins');
-const { createPluginsJs } = require('../utils/create-cache-dir');
+const { getPlugins, createPluginFile } = require('../utils/plugins');
 
 // Wrapper that outputs the webpack speed
 const smp = new SpeedMeasurePlugin();
@@ -30,7 +29,7 @@ const buildAdmin = async () => {
     '@strapi/plugin-users-permissions',
   ]);
 
-  await createPluginsJs(plugins, path.join(__dirname, '..'));
+  await createPluginFile(plugins, path.join(__dirname, '..'));
 
   const args = {
     entry,

package/scripts/create-dev-plugins-file.js

@@ -2,8 +2,7 @@
 
 const { join } = require('path');
 const fs = require('fs-extra');
-const { getPlugins } = require('../utils/get-plugins');
-const { createPluginsJs } = require('../utils/create-cache-dir');
+const { getPlugins, createPluginFile } = require('../utils/plugins');
 
 /**
  * Write the plugins.js file or copy the plugins-dev.js file if it exists
@@ -20,7 +19,7 @@ const createFile = async () => {
 
   const plugins = getPlugins();
 
-  return createPluginsJs(plugins, join(__dirname, '..'));
+  return createPluginFile(plugins, join(__dirname, '..'));
 };
 
 createFile()

package/server/content-types/Permission.js

@@ -29,6 +29,12 @@ module.exports = {
       configurable: false,
       required: true,
     },
+    actionParameters: {
+      type: 'json',
+      configurable: false,
+      required: false,
+      default: {},
+    },
     subject: {
       type: 'string',
       minLength: 1,

package/server/domain/permission/index.js

@@ -26,8 +26,16 @@ const {
  * @property {string} subject - The subject on which the permission should applies
  */
 
-const permissionFields = ['id', 'action', 'subject', 'properties', 'conditions', 'role'];
-const sanitizedPermissionFields = ['id', 'action', 'subject', 'properties', 'conditions'];
+const permissionFields = [
+  'id',
+  'action',
+  'actionParameters',
+  'subject',
+  'properties',
+  'conditions',
+  'role',
+];
+const sanitizedPermissionFields = ['id', 'action', 'actionParameters', 'subject', 'properties', 'conditions'];
 
 const sanitizePermissionFields = pick(sanitizedPermissionFields);
 
@@ -36,6 +44,7 @@ const sanitizePermissionFields = pick(sanitizedPermissionFields);
  * @return {Permission}
  */
 const getDefaultPermission = () => ({
+  actionParameters: {},
   conditions: [],
   properties: {},
   subject: null,

package/server/services/role.js

@@ -24,7 +24,7 @@ const ACTIONS = {
 
 const sanitizeRole = omit(['users', 'permissions']);
 
-const COMPARABLE_FIELDS = ['conditions', 'properties', 'subject', 'action'];
+const COMPARABLE_FIELDS = ['conditions', 'properties', 'subject', 'action', 'actionParameters'];
 const pickComparableFields = pick(COMPARABLE_FIELDS);
 
 const jsonClean = (data) => JSON.parse(JSON.stringify(data));
@@ -323,6 +323,13 @@ const displayWarningIfNoSuperAdmin = async () => {
 const assignPermissions = async (roleId, permissions = []) => {
   await validatePermissionsExist(permissions);
 
+  // Internal actions are not handled by the role service, so any permission
+  // with an internal action is filtered out
+  const internalActions = getService('permission')
+    .actionProvider.values()
+    .filter((action) => action.section === 'internal')
+    .map((action) => action.actionId);
+
   const superAdmin = await getService('role').getSuperAdmin();
   const isSuperAdmin = superAdmin && superAdmin.id === roleId;
   const assignRole = set('role', roleId);
@@ -342,13 +349,13 @@ const assignPermissions = async (roleId, permissions = []) => {
     arePermissionsEqual,
     permissionsWithRole,
     existingPermissions
-  );
+  ).filter((permission) => !internalActions.includes(permission.action));
 
   const permissionsToDelete = differenceWith(
     arePermissionsEqual,
     existingPermissions,
     permissionsWithRole
-  );
+  ).filter((permission) => !internalActions.includes(permission.action));
 
   const permissionsToReturn = differenceBy('id', permissionsToDelete, existingPermissions);
 
@@ -374,7 +381,8 @@ const addPermissions = async (roleId, permissions) => {
 
   const permissionsWithRole = permissions
     .map(set('role', roleId))
-    .map(sanitizeConditions(conditionProvider));
+    .map(sanitizeConditions(conditionProvider))
+    .map(permissionDomain.create);
 
   return createMany(permissionsWithRole);
 };

package/server/validation/action-provider.js

@@ -17,7 +17,7 @@ const registerProviderActionSchema = yup
             (v) => `${v.path}: The id can only contain lowercase letters, dots and hyphens.`
           )
           .required(),
-        section: yup.string().oneOf(['contentTypes', 'plugins', 'settings']).required(),
+        section: yup.string().oneOf(['contentTypes', 'plugins', 'settings', 'internal']).required(),
         pluginName: yup.mixed().when('section', {
           is: 'plugins',
           then: validators.isAPluginName.required(),