@strapi/admin 4.13.6 → 4.14.0-beta.0

package/ee/server/content-types/workflow-stage/index.js

@@ -40,6 +40,12 @@ module.exports = {
         inversedBy: 'stages',
         configurable: false,
       },
+      permissions: {
+        type: 'relation',
+        target: 'admin::permission',
+        relation: 'manyToMany',
+        configurable: false,
+      }
     },
   },
 };

package/ee/server/controllers/workflows/index.js

@@ -1,5 +1,6 @@
 'use strict';
 
+const { update, map, property } = require('lodash/fp');
 const { mapAsync } = require('@strapi/utils');
 const { getService } = require('../../utils');
 
@@ -7,7 +8,7 @@ const {
   validateWorkflowCreate,
   validateWorkflowUpdate,
 } = require('../../validation/review-workflows');
-const { WORKFLOW_MODEL_UID } = require('../../constants/workflows');
+const { WORKFLOW_MODEL_UID, WORKFLOW_POPULATE } = require('../../constants/workflows');
 
 /**
  *
@@ -22,6 +23,21 @@ function getWorkflowsPermissionChecker({ strapi }, userAbility) {
     .create({ userAbility, model: WORKFLOW_MODEL_UID });
 }
 
+/**
+ * Transforms workflow to an admin UI format.
+ * Some attributes (like permissions) are presented in a different format in the admin UI.
+ * @param {Workflow} workflow
+ */
+function formatWorkflowToAdmin(workflow) {
+  if (!workflow) return;
+  if (!workflow.stages) return workflow;
+
+  // Transform permissions roles to be the id string instead of an object
+  const transformPermissions = map(update('role', property('id')));
+  const transformStages = map(update('permissions', transformPermissions));
+  return update('stages', transformStages, workflow);
+}
+
 module.exports = {
   /**
    * Create a new workflow
@@ -38,10 +54,12 @@ module.exports = {
     const workflowBody = await validateWorkflowCreate(body.data);
 
     const workflowService = getService('workflows');
-    const createdWorkflow = await workflowService.create({
-      data: await sanitizeCreateInput(workflowBody),
-      populate,
-    });
+    const createdWorkflow = await workflowService
+      .create({
+        data: await sanitizeCreateInput(workflowBody),
+        populate,
+      })
+      .then(formatWorkflowToAdmin);
 
     ctx.body = {
       data: await sanitizeOutput(createdWorkflow),
@@ -61,22 +79,27 @@ module.exports = {
       ctx.state.userAbility
     );
     const { populate } = await sanitizedQuery.update(query);
-
     const workflowBody = await validateWorkflowUpdate(body.data);
 
-    const workflow = await workflowService.findById(id, { populate: ['stages'] });
+    // Find if workflow exists
+    const workflow = await workflowService.findById(id, { populate: WORKFLOW_POPULATE });
     if (!workflow) {
       return ctx.notFound();
     }
-    const getPermittedFieldToUpdate = sanitizeUpdateInput(workflow);
 
+    // Sanitize input data
+    const getPermittedFieldToUpdate = sanitizeUpdateInput(workflow);
     const dataToUpdate = await getPermittedFieldToUpdate(workflowBody);
 
-    const updatedWorkflow = await workflowService.update(workflow, {
-      data: dataToUpdate,
-      populate,
-    });
+    // Update workflow
+    const updatedWorkflow = await workflowService
+      .update(workflow, {
+        data: dataToUpdate,
+        populate,
+      })
+      .then(formatWorkflowToAdmin);
 
+    // Send sanitized response
     ctx.body = {
       data: await sanitizeOutput(updatedWorkflow),
     };
@@ -96,12 +119,14 @@ module.exports = {
     );
     const { populate } = await sanitizedQuery.delete(query);
 
-    const workflow = await workflowService.findById(id, { populate: ['stages'] });
+    const workflow = await workflowService.findById(id, { populate: WORKFLOW_POPULATE });
     if (!workflow) {
       return ctx.notFound("Workflow doesn't exist");
     }
 
-    const deletedWorkflow = await workflowService.delete(workflow, { populate });
+    const deletedWorkflow = await workflowService
+      .delete(workflow, { populate })
+      .then(formatWorkflowToAdmin);
 
     ctx.body = {
       data: await sanitizeOutput(deletedWorkflow),
@@ -122,7 +147,7 @@ module.exports = {
     const { populate, filters, sort } = await sanitizedQuery.read(query);
 
     const [workflows, workflowCount] = await Promise.all([
-      workflowService.find({ populate, filters, sort }),
+      workflowService.find({ populate, filters, sort }).then(map(formatWorkflowToAdmin)),
       workflowService.count(),
     ]);
 
@@ -151,7 +176,7 @@ module.exports = {
     const workflowService = getService('workflows');
 
     const [workflow, workflowCount] = await Promise.all([
-      workflowService.findById(id, { populate }),
+      workflowService.findById(id, { populate }).then(formatWorkflowToAdmin),
       workflowService.count(),
     ]);
 

package/ee/server/controllers/workflows/stages/index.js

@@ -3,7 +3,11 @@
 const { mapAsync } = require('@strapi/utils');
 const { getService } = require('../../../utils');
 const { validateUpdateStageOnEntity } = require('../../../validation/review-workflows');
-const { STAGE_MODEL_UID } = require('../../../constants/workflows');
+const {
+  STAGE_MODEL_UID,
+  ENTITY_STAGE_ATTRIBUTE,
+  STAGE_TRANSITION_UID,
+} = require('../../../constants/workflows');
 
 /**
  *
@@ -75,18 +79,36 @@ module.exports = {
    */
   async updateEntity(ctx) {
     const stagesService = getService('stages');
+    const stagePermissions = getService('stage-permissions');
     const workflowService = getService('workflows');
 
-    const { model_uid: modelUID, id: entityIdString } = ctx.params;
+    const { model_uid: modelUID, id } = ctx.params;
     const { body } = ctx.request;
 
-    const entityId = Number(entityIdString);
-
     const { sanitizeOutput } = strapi
       .plugin('content-manager')
       .service('permission-checker')
       .create({ userAbility: ctx.state.userAbility, model: modelUID });
 
+    // Load entity
+    const entity = await strapi.entityService.findOne(modelUID, Number(id), {
+      populate: [ENTITY_STAGE_ATTRIBUTE],
+    });
+
+    if (!entity) {
+      ctx.throw(404, 'Entity not found');
+    }
+
+    // Validate if entity stage can be updated
+    const canTransition = stagePermissions.can(
+      STAGE_TRANSITION_UID,
+      entity[ENTITY_STAGE_ATTRIBUTE]?.id
+    );
+
+    if (!canTransition) {
+      ctx.throw(403, 'Forbidden stage transition');
+    }
+
     const { id: stageId } = await validateUpdateStageOnEntity(
       { id: Number(body?.data?.id) },
       'You should pass an id to the body of the put request.'
@@ -95,8 +117,73 @@ module.exports = {
     const workflow = await workflowService.assertContentTypeBelongsToWorkflow(modelUID);
     workflowService.assertStageBelongsToWorkflow(stageId, workflow);
 
-    const entity = await stagesService.updateEntity({ id: entityId, modelUID }, stageId);
+    const updatedEntity = await stagesService.updateEntity({ id: entity.id, modelUID }, stageId);
 
-    ctx.body = { data: await sanitizeOutput(entity) };
+    ctx.body = { data: await sanitizeOutput(updatedEntity) };
+  },
+
+  /**
+   * List all the stages that are available for a user to transition an entity to.
+   * If the user has permission to change the current stage of the entity every other stage in the workflow is returned
+   * @async
+   * @param {*} ctx
+   * @param {string} ctx.params.model_uid - The model UID of the entity.
+   * @param {string} ctx.params.id - The ID of the entity.
+   * @throws {ApplicationError} If review workflows is not activated on the specified model UID.
+   */
+  async listAvailableStages(ctx) {
+    const stagePermissions = getService('stage-permissions');
+    const workflowService = getService('workflows');
+
+    const { model_uid: modelUID, id } = ctx.params;
+
+    if (
+      strapi
+        .plugin('content-manager')
+        .service('permission-checker')
+        .create({ userAbility: ctx.state.userAbility, model: modelUID })
+        .cannot.read()
+    ) {
+      return ctx.forbidden();
+    }
+
+    // Load entity
+    const entity = await strapi.entityService.findOne(modelUID, Number(id), {
+      populate: [ENTITY_STAGE_ATTRIBUTE],
+    });
+
+    if (!entity) {
+      ctx.throw(404, 'Entity not found');
+    }
+
+    const entityStageId = entity[ENTITY_STAGE_ATTRIBUTE]?.id;
+    const canTransition = stagePermissions.can(STAGE_TRANSITION_UID, entityStageId);
+
+    const [workflowCount, { stages: workflowStages }] = await Promise.all([
+      workflowService.count(),
+      workflowService.getAssignedWorkflow(modelUID, {
+        populate: 'stages',
+      }),
+    ]);
+
+    const meta = {
+      stageCount: workflowStages.length,
+      workflowCount,
+    };
+
+    if (!canTransition) {
+      ctx.body = {
+        data: [],
+        meta,
+      };
+
+      return;
+    }
+
+    const data = workflowStages.filter((stage) => stage.id !== entityStageId);
+    ctx.body = {
+      data,
+      meta,
+    };
   },
 };

package/ee/server/migrations/review-workflows-stages-roles.js

@@ -0,0 +1,68 @@
+'use strict';
+
+const { STAGE_TRANSITION_UID, STAGE_MODEL_UID } = require('../constants/workflows');
+const { getService } = require('../utils');
+
+async function migrateReviewWorkflowStagesRoles({ oldContentTypes, contentTypes }) {
+  const stageUID = 'admin::workflow-stage';
+  const hadRolePermissions = !!oldContentTypes?.[stageUID]?.attributes?.permissions;
+  const hasRolePermissions = !!contentTypes?.[stageUID]?.attributes?.permissions;
+
+  // If the stage content type did not have permissions in the previous version
+  // then we set the permissions of every stage to be every current role in the app.
+  // This ensures consistent behaviour when upgrading to a strapi version with review workflows RBAC.
+  if (!hadRolePermissions && hasRolePermissions) {
+    const roleUID = 'admin::role';
+    strapi.log.info(
+      `Migrating all existing review workflow stages to have RBAC permissions for all ${roleUID}.`
+    );
+
+    const stagePermissionsService = getService('stage-permissions');
+
+    const stages = await strapi.query(stageUID).findMany();
+    const roles = await strapi.query(roleUID).findMany();
+
+    // Collect the permissions to add and group them by stage id.
+    const groupedPermissions = {};
+    roles
+      .map((role) => role.id)
+      .forEach((roleId) => {
+        stages
+          .map((stage) => stage.id)
+          .forEach((stageId) => {
+            if (!groupedPermissions[stageId]) {
+              groupedPermissions[stageId] = [];
+            }
+
+            groupedPermissions[stageId].push({
+              roleId,
+              fromStage: stageId,
+              action: STAGE_TRANSITION_UID,
+            });
+          });
+      });
+
+    for (const [stageId, permissions] of Object.entries(groupedPermissions)) {
+      const numericalStageId = Number(stageId);
+
+      if (Number.isNaN(numericalStageId)) {
+        strapi.log.warn(
+          `Unable to apply ${roleUID} migration for ${stageUID} with id ${stageId}. The stage does not have a numerical id.`
+        );
+        continue;
+      }
+
+      // Register the permissions for this stage
+      const stagePermissions = await stagePermissionsService.registerMany(permissions);
+
+      // Update the stage with its new permissions
+      await strapi.entityService.update(STAGE_MODEL_UID, numericalStageId, {
+        data: {
+          permissions: stagePermissions.flat().map((permission) => permission.id),
+        },
+      });
+    }
+  }
+}
+
+module.exports = migrateReviewWorkflowStagesRoles;

package/ee/server/migrations/review-workflows-workflow-name.js

@@ -3,6 +3,10 @@
 const { WORKFLOW_MODEL_UID } = require('../constants/workflows');
 const defaultWorkflow = require('../constants/default-workflow.json');
 
+/**
+ * Multiple workflows introduced the ability to name a workflow.
+ * This migration adds the default workflow name if the name attribute was added.
+ */
 async function migrateReviewWorkflowName({ oldContentTypes, contentTypes }) {
   // Look for RW name attribute
   const hadName = !!oldContentTypes?.[WORKFLOW_MODEL_UID]?.attributes?.name;
@@ -11,6 +15,9 @@ async function migrateReviewWorkflowName({ oldContentTypes, contentTypes }) {
   // Add the default workflow name if name attribute was added
   if (!hadName && hasName) {
     await strapi.query(WORKFLOW_MODEL_UID).updateMany({
+      where: {
+        name: { $null: true },
+      },
       data: {
         name: defaultWorkflow.name,
       },

package/ee/server/register.js

@@ -4,6 +4,7 @@ const { features } = require('@strapi/strapi/lib/utils/ee');
 const executeCERegister = require('../../server/register');
 const migrateAuditLogsTable = require('./migrations/audit-logs-table');
 const migrateReviewWorkflowStagesColor = require('./migrations/review-workflows-stages-color');
+const migrateReviewWorkflowStagesRoles = require('./migrations/review-workflows-stages-roles');
 const migrateReviewWorkflowName = require('./migrations/review-workflows-workflow-name');
 const migrateWorkflowsContentTypes = require('./migrations/review-workflows-content-types');
 const migrateStageAttribute = require('./migrations/review-workflows-stage-attribute');
@@ -26,6 +27,7 @@ module.exports = async ({ strapi }) => {
     strapi
       .hook('strapi::content-types.afterSync')
       .register(migrateReviewWorkflowStagesColor)
+      .register(migrateReviewWorkflowStagesRoles)
       .register(migrateReviewWorkflowName)
       .register(migrateWorkflowsContentTypes)
       .register(migrateDeletedCTInWorkflows);

package/ee/server/routes/review-workflows.js

@@ -131,15 +131,16 @@ module.exports = {
       handler: 'stages.updateEntity',
       config: {
         middlewares: [enableFeatureMiddleware('review-workflows')],
-        policies: [
-          'admin::isAuthenticatedAdmin',
-          {
-            name: 'admin::hasPermissions',
-            config: {
-              actions: ['admin::review-workflows.update'],
-            },
-          },
-        ],
+        policies: ['admin::isAuthenticatedAdmin'],
+      },
+    },
+    {
+      method: 'GET',
+      path: '/content-manager/(collection|single)-types/:model_uid/:id/stages',
+      handler: 'stages.listAvailableStages',
+      config: {
+        middlewares: [enableFeatureMiddleware('review-workflows')],
+        policies: ['admin::isAuthenticatedAdmin'],
       },
     },
     {

package/ee/server/services/index.js

@@ -8,6 +8,7 @@ module.exports = {
   'seat-enforcement': require('./seat-enforcement'),
   workflows: require('./review-workflows/workflows'),
   stages: require('./review-workflows/stages'),
+  'stage-permissions': require('./review-workflows/stage-permissions'),
   assignees: require('./review-workflows/assignees'),
   'review-workflows': require('./review-workflows/review-workflows'),
   'review-workflows-validation': require('./review-workflows/validation'),

package/ee/server/services/review-workflows/stage-permissions.js

@@ -0,0 +1,60 @@
+'use strict';
+
+const { prop } = require('lodash/fp');
+const {
+  mapAsync,
+  errors: { ApplicationError },
+} = require('@strapi/utils');
+const { getService } = require('../../utils');
+const { STAGE_TRANSITION_UID } = require('../../constants/workflows');
+
+const validActions = [STAGE_TRANSITION_UID];
+
+module.exports = ({ strapi }) => {
+  const roleService = getService('role');
+  const permissionService = getService('permission');
+
+  return {
+    async register({ roleId, action, fromStage }) {
+      if (!validActions.includes(action)) {
+        throw new ApplicationError(`Invalid action ${action}`);
+      }
+      const permissions = await roleService.addPermissions(roleId, [
+        {
+          action,
+          actionParameters: {
+            from: fromStage,
+          },
+        },
+      ]);
+
+      // TODO: Filter response
+      return permissions;
+    },
+    async registerMany(permissions) {
+      return mapAsync(permissions, this.register);
+    },
+    async unregister(permissions) {
+      const permissionIds = permissions.map(prop('id'));
+      await permissionService.deleteByIds(permissionIds);
+    },
+    can(action, fromStage) {
+      const requestState = strapi.requestContext.get()?.state;
+
+      if (!requestState) {
+        return false;
+      }
+
+      // Override permissions for super admin
+      const userRoles = requestState.user?.roles;
+      if (userRoles?.some((role) => role.code === 'strapi-super-admin')) {
+        return true;
+      }
+
+      return requestState.userAbility.can({
+        name: action,
+        params: { from: fromStage },
+      });
+    },
+  };
+};

package/ee/server/services/review-workflows/stages.js

@@ -2,15 +2,20 @@
 
 const {
   mapAsync,
+  reduceAsync,
   errors: { ApplicationError, ValidationError },
 } = require('@strapi/utils');
-const { map } = require('lodash/fp');
+const { map, pick, isEqual } = require('lodash/fp');
 
 const { STAGE_MODEL_UID, ENTITY_STAGE_ATTRIBUTE, ERRORS } = require('../../constants/workflows');
 const { getService } = require('../../utils');
 
+const sanitizedStageFields = ['id', 'name', 'workflow', 'color'];
+const sanitizeStageFields = pick(sanitizedStageFields);
+
 module.exports = ({ strapi }) => {
   const metrics = getService('review-workflows-metrics', { strapi });
+  const stagePermissionsService = getService('stage-permissions', { strapi });
   const workflowsValidationService = getService('review-workflows-validation', { strapi });
 
   return {
@@ -32,20 +37,72 @@ module.exports = ({ strapi }) => {
     async createMany(stagesList, { fields } = {}) {
       const params = { select: fields ?? '*' };
 
+      // TODO: pick the fields from the stage
       const stages = await Promise.all(
         stagesList.map((stage) =>
-          strapi.entityService.create(STAGE_MODEL_UID, { data: stage, ...params })
+          strapi.entityService.create(STAGE_MODEL_UID, {
+            data: sanitizeStageFields(stage),
+            ...params,
+          })
         )
       );
 
+      // Create stage permissions
+      await reduceAsync(stagesList)(async (_, stage, idx) => {
+        // Ignore stages without permissions
+        if (!stage.permissions || stage.permissions.length === 0) {
+          return;
+        }
+
+        const stagePermissions = stage.permissions;
+        const stageId = stages[idx].id;
+
+        const permissions = await mapAsync(
+          stagePermissions,
+          // Register each stage permission
+          (permission) =>
+            stagePermissionsService.register({
+              roleId: permission.role,
+              action: permission.action,
+              fromStage: stageId,
+            })
+        );
+
+        // Update stage with the new permissions
+        await strapi.entityService.update(STAGE_MODEL_UID, stageId, {
+          data: {
+            permissions: permissions.flat().map((p) => p.id),
+          },
+        });
+      }, []);
+
       metrics.sendDidCreateStage();
 
       return stages;
     },
 
-    async update(stageId, stageData) {
+    async update(srcStage, destStage) {
+      let stagePermissions = srcStage?.permissions ?? [];
+      const stageId = destStage.id;
+
+      if (destStage.permissions) {
+        await this.deleteStagePermissions([srcStage]);
+
+        const permissions = await mapAsync(destStage.permissions, (permission) =>
+          stagePermissionsService.register({
+            roleId: permission.role,
+            action: permission.action,
+            fromStage: stageId,
+          })
+        );
+        stagePermissions = permissions.flat().map((p) => p.id);
+      }
+
       const stage = await strapi.entityService.update(STAGE_MODEL_UID, stageId, {
-        data: stageData,
+        data: {
+          ...destStage,
+          permissions: stagePermissions,
+        },
       });
 
       metrics.sendDidEditStage();
@@ -53,20 +110,31 @@ module.exports = ({ strapi }) => {
       return stage;
     },
 
-    async delete(stageId) {
-      const stage = await strapi.entityService.delete(STAGE_MODEL_UID, stageId);
+    async delete(stage) {
+      // Unregister all permissions related to this stage id
+      await this.deleteStagePermissions([stage]);
+
+      const deletedStage = await strapi.entityService.delete(STAGE_MODEL_UID, stage.id);
 
       metrics.sendDidDeleteStage();
 
-      return stage;
+      return deletedStage;
     },
 
-    async deleteMany(stagesId) {
+    async deleteMany(stages) {
+      await this.deleteStagePermissions(stages);
+
       return strapi.entityService.deleteMany(STAGE_MODEL_UID, {
-        filters: { id: { $in: stagesId } },
+        filters: { id: { $in: stages.map((s) => s.id) } },
       });
     },
 
+    async deleteStagePermissions(stages) {
+      // TODO: Find another way to do this for when we use the "to" parameter.
+      const permissions = stages.map((s) => s.permissions || []).flat();
+      await stagePermissionsService.unregister(permissions || []);
+    },
+
     count({ workflowId } = {}) {
       const opts = {};
 
@@ -91,7 +159,11 @@ module.exports = ({ strapi }) => {
         const createdStagesIds = map('id', createdStages);
 
         // Update the workflow stages
-        await mapAsync(updated, (stage) => this.update(stage.id, stage));
+        await mapAsync(updated, (destStage) => {
+          const srcStage = srcStages.find((s) => s.id === destStage.id);
+
+          return this.update(srcStage, destStage);
+        });
 
         // Delete the stages that are not in the new stages list
         await mapAsync(deleted, async (stage) => {
@@ -114,7 +186,7 @@ module.exports = ({ strapi }) => {
             });
           });
 
-          return this.delete(stage.id);
+          return this.delete(stage);
         });
 
         return destStages.map((stage) => ({ ...stage, id: stage.id ?? createdStagesIds.shift() }));
@@ -241,12 +313,19 @@ module.exports = ({ strapi }) => {
  */
 function getDiffBetweenStages(sourceStages, comparisonStages) {
   const result = comparisonStages.reduce(
+    // ...
+
     (acc, stageToCompare) => {
       const srcStage = sourceStages.find((stage) => stage.id === stageToCompare.id);
 
       if (!srcStage) {
         acc.created.push(stageToCompare);
-      } else if (srcStage.name !== stageToCompare.name || srcStage.color !== stageToCompare.color) {
+      } else if (
+        !isEqual(
+          pick(['name', 'color', 'permissions'], srcStage),
+          pick(['name', 'color', 'permissions'], stageToCompare)
+        )
+      ) {
         acc.updated.push(stageToCompare);
       }
       return acc;