npm - @strapi/admin - Versions diffs - 4.14.2 → 4.14.3 - Mend

@strapi/admin 4.14.2 → 4.14.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (378) hide show

package/dist/server/services/permission/permissions-manager/query-builders.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+declare const buildCaslQuery: (ability: any, action: any, model: any) => import("@casl/ability/extra").AbilityQuery<object> | null;
+declare const buildStrapiQuery: (caslQuery: any) => any;
+export { buildCaslQuery, buildStrapiQuery };

package/dist/server/services/permission/permissions-manager/query-builders.js ADDED Viewed

@@ -0,0 +1,66 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildStrapiQuery = exports.buildCaslQuery = void 0;
+// TODO: migration
+const lodash_1 = __importDefault(require("lodash"));
+const extra_1 = require("@casl/ability/extra");
+const operatorsMap = {
+    $in: '$in',
+    $nin: '$notIn',
+    $exists: '$notNull',
+    $gte: '$gte',
+    $gt: '$gt',
+    $lte: '$lte',
+    $lt: '$lt',
+    $eq: '$eq',
+    $ne: '$ne',
+    $and: '$and',
+    $or: '$or',
+    $not: '$not',
+};
+const mapKey = (key) => {
+    if (lodash_1.default.isString(key) && key.startsWith('$') && key in operatorsMap) {
+        return operatorsMap[key];
+    }
+    return key;
+};
+const buildCaslQuery = (ability, action, model) => {
+    // @ts-expect-error
+    return (0, extra_1.rulesToQuery)(ability, action, model, (o) => o.conditions);
+};
+exports.buildCaslQuery = buildCaslQuery;
+const buildStrapiQuery = (caslQuery) => {
+    return unwrapDeep(caslQuery);
+};
+exports.buildStrapiQuery = buildStrapiQuery;
+const unwrapDeep = (obj) => {
+    if (!lodash_1.default.isPlainObject(obj) && !lodash_1.default.isArray(obj)) {
+        return obj;
+    }
+    if (lodash_1.default.isArray(obj)) {
+        return obj.map((v) => unwrapDeep(v));
+    }
+    return lodash_1.default.reduce(obj, (acc, v, k) => {
+        const key = mapKey(k);
+        if (lodash_1.default.isPlainObject(v)) {
+            if ('$elemMatch' in v) {
+                lodash_1.default.setWith(acc, key, unwrapDeep(v.$elemMatch));
+            }
+            else {
+                lodash_1.default.setWith(acc, key, unwrapDeep(v));
+            }
+        }
+        else if (lodash_1.default.isArray(v)) {
+            // prettier-ignore
+            lodash_1.default.setWith(acc, key, v.map(v => unwrapDeep(v)));
+        }
+        else {
+            lodash_1.default.setWith(acc, key, v);
+        }
+        return acc;
+    }, {});
+};
+//# sourceMappingURL=query-builders.js.map

package/dist/server/services/permission/permissions-manager/query-builders.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"query-builders.js","sourceRoot":"","sources":["../../../../../server/src/services/permission/permissions-manager/query-builders.ts"],"names":[],"mappings":";;;;;;AAAA,kBAAkB;AAClB,oDAAuB;AACvB,+CAAmD;AAEnD,MAAM,YAAY,GAAG;IACnB,GAAG,EAAE,KAAK;IACV,IAAI,EAAE,QAAQ;IACd,OAAO,EAAE,UAAU;IACnB,IAAI,EAAE,MAAM;IACZ,GAAG,EAAE,KAAK;IACV,IAAI,EAAE,MAAM;IACZ,GAAG,EAAE,KAAK;IACV,GAAG,EAAE,KAAK;IACV,GAAG,EAAE,KAAK;IACV,IAAI,EAAE,MAAM;IACZ,GAAG,EAAE,KAAK;IACV,IAAI,EAAE,MAAM;CACJ,CAAC;AAEX,MAAM,MAAM,GAAG,CAAC,GAA8B,EAAE,EAAE;IAChD,IAAI,gBAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,YAAY,EAAE;QACjE,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;KAC1B;IACD,OAAO,GAAG,CAAC;AACb,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,CAAC,OAAY,EAAE,MAAW,EAAE,KAAU,EAAE,EAAE;IAC/D,mBAAmB;IACnB,OAAO,IAAA,oBAAY,EAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;AACnE,CAAC,CAAC;AAsCO,wCAAc;AApCvB,MAAM,gBAAgB,GAAG,CAAC,SAAc,EAAE,EAAE;IAC1C,OAAO,UAAU,CAAC,SAAS,CAAC,CAAC;AAC/B,CAAC,CAAC;AAkCuB,4CAAgB;AAhCzC,MAAM,UAAU,GAAG,CAAC,GAAQ,EAAO,EAAE;IACnC,IAAI,CAAC,gBAAC,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAC,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;QAC5C,OAAO,GAAG,CAAC;KACZ;IACD,IAAI,gBAAC,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;QAClB,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;KAC3C;IAED,OAAO,gBAAC,CAAC,MAAM,CACb,GAAG,EACH,CAAC,GAAG,EAAE,CAAC,EAAE,CAAM,EAAE,EAAE;QACjB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAEtB,IAAI,gBAAC,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE;YACtB,IAAI,YAAY,IAAI,CAAC,EAAE;gBACrB,gBAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;aAC/C;iBAAM;gBACL,gBAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;aACpC;SACF;aAAM,IAAI,gBAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;YACvB,kBAAkB;YAClB,gBAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAChD;aAAM;YACL,gBAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;SACxB;QAED,OAAO,GAAG,CAAC;IACb,CAAC,EACD,EAAE,CACH,CAAC;AACJ,CAAC,CAAC"}

package/dist/server/services/permission/permissions-manager/sanitize.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+declare const _default: ({ action, ability, model }: any) => {
+    sanitizeOutput: (data: any, options?: any) => any;
+    sanitizeInput: (data: any, options?: any) => any;
+    sanitizeQuery: (data: any, options?: any) => any;
+};
+export default _default;

package/dist/server/services/permission/permissions-manager/sanitize.js ADDED Viewed

@@ -0,0 +1,184 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const ability_1 = require("@casl/ability");
+const extra_1 = require("@casl/ability/extra");
+const fp_1 = require("lodash/fp");
+const utils_1 = require("@strapi/utils");
+const user_1 = require("../../../domain/user");
+const { visitors: { removePassword }, } = utils_1.sanitize;
+const { constants, isScalarAttribute, getNonVisibleAttributes, getNonWritableAttributes, getWritableAttributes, } = utils_1.contentTypes;
+const { ID_ATTRIBUTE, CREATED_AT_ATTRIBUTE, UPDATED_AT_ATTRIBUTE, PUBLISHED_AT_ATTRIBUTE, CREATED_BY_ATTRIBUTE, UPDATED_BY_ATTRIBUTE, } = constants;
+const COMPONENT_FIELDS = ['__component'];
+const STATIC_FIELDS = [ID_ATTRIBUTE];
+exports.default = ({ action, ability, model }) => {
+    const schema = strapi.getModel(model);
+    const { removeDisallowedFields } = utils_1.sanitize.visitors;
+    const createSanitizeQuery = (options = {}) => {
+        const { fields } = options;
+        // TODO: sanitize relations to admin users in all sanitizers
+        const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);
+        const sanitizeFilters = (0, utils_1.pipeAsync)(utils_1.traverse.traverseQueryFilters(removeDisallowedFields(permittedFields), { schema }), utils_1.traverse.traverseQueryFilters(omitDisallowedAdminUserFields, { schema }), utils_1.traverse.traverseQueryFilters(omitHiddenFields, { schema }), utils_1.traverse.traverseQueryFilters(removePassword, { schema }), utils_1.traverse.traverseQueryFilters(({ key, value }, { remove }) => {
+            if ((0, fp_1.isObject)(value) && (0, fp_1.isEmpty)(value)) {
+                remove(key);
+            }
+        }, { schema }));
+        const sanitizeSort = (0, utils_1.pipeAsync)(utils_1.traverse.traverseQuerySort(removeDisallowedFields(permittedFields), { schema }), utils_1.traverse.traverseQuerySort(omitDisallowedAdminUserFields, { schema }), utils_1.traverse.traverseQuerySort(omitHiddenFields, { schema }), utils_1.traverse.traverseQuerySort(removePassword, { schema }), utils_1.traverse.traverseQuerySort(({ key, attribute, value }, { remove }) => {
+            if (!isScalarAttribute(attribute) && (0, fp_1.isEmpty)(value)) {
+                remove(key);
+            }
+        }, { schema }));
+        const sanitizePopulate = (0, utils_1.pipeAsync)(utils_1.traverse.traverseQueryPopulate(removeDisallowedFields(permittedFields), { schema }), utils_1.traverse.traverseQueryPopulate(omitDisallowedAdminUserFields, { schema }), utils_1.traverse.traverseQueryPopulate(omitHiddenFields, { schema }), utils_1.traverse.traverseQueryPopulate(removePassword, { schema }));
+        const sanitizeFields = (0, utils_1.pipeAsync)(utils_1.traverse.traverseQueryFields(removeDisallowedFields(permittedFields), { schema }), utils_1.traverse.traverseQueryFields(omitHiddenFields, { schema }), utils_1.traverse.traverseQueryFields(removePassword, { schema }));
+        return async (query) => {
+            const sanitizedQuery = (0, fp_1.cloneDeep)(query);
+            if (query.filters) {
+                Object.assign(sanitizedQuery, { filters: await sanitizeFilters(query.filters) });
+            }
+            if (query.sort) {
+                Object.assign(sanitizedQuery, { sort: await sanitizeSort(query.sort) });
+            }
+            if (query.populate) {
+                Object.assign(sanitizedQuery, { populate: await sanitizePopulate(query.populate) });
+            }
+            if (query.fields) {
+                Object.assign(sanitizedQuery, { fields: await sanitizeFields(query.fields) });
+            }
+            return sanitizedQuery;
+        };
+    };
+    const createSanitizeOutput = (options = {}) => {
+        const { fields } = options;
+        const permittedFields = fields.shouldIncludeAll ? null : getOutputFields(fields.permitted);
+        return (0, utils_1.pipeAsync)(
+        // Remove fields hidden from the admin
+        (0, utils_1.traverseEntity)(omitHiddenFields, { schema }),
+        // Remove unallowed fields from admin::user relations
+        // @ts-expect-error
+        (0, utils_1.traverseEntity)(pickAllowedAdminUserFields, { schema }),
+        // Remove not allowed fields (RBAC)
+        (0, utils_1.traverseEntity)(removeDisallowedFields(permittedFields), { schema }),
+        // Remove all fields of type 'password'
+        utils_1.sanitize.sanitizers.sanitizePasswords(schema));
+    };
+    const createSanitizeInput = (options = {}) => {
+        const { fields } = options;
+        const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);
+        return (0, utils_1.pipeAsync)(
+        // Remove fields hidden from the admin
+        (0, utils_1.traverseEntity)(omitHiddenFields, { schema }),
+        // Remove not allowed fields (RBAC)
+        // @ts-expect-error
+        (0, utils_1.traverseEntity)(removeDisallowedFields(permittedFields), { schema }),
+        // Remove roles from createdBy & updateBy fields
+        omitCreatorRoles);
+    };
+    const wrapSanitize = (createSanitizeFunction) => {
+        // @ts-expect-error
+        const wrappedSanitize = async (data, options = {}) => {
+            if ((0, fp_1.isArray)(data)) {
+                return Promise.all(data.map((entity) => wrappedSanitize(entity, options)));
+            }
+            const { subject, action: actionOverride } = getDefaultOptions(data, options);
+            const permittedFields = (0, extra_1.permittedFieldsOf)(ability, actionOverride, subject, {
+                fieldsFrom: (rule) => rule.fields || [],
+            });
+            const hasAtLeastOneRegistered = (0, fp_1.some)((fields) => !(0, fp_1.isNil)(fields), (0, fp_1.flatMap)((0, fp_1.prop)('fields'), ability.rulesFor(actionOverride, (0, ability_1.detectSubjectType)(subject))));
+            const shouldIncludeAllFields = (0, fp_1.isEmpty)(permittedFields) && !hasAtLeastOneRegistered;
+            const sanitizeOptions = {
+                ...options,
+                fields: {
+                    shouldIncludeAll: shouldIncludeAllFields,
+                    permitted: permittedFields,
+                    hasAtLeastOneRegistered,
+                },
+            };
+            const sanitizeFunction = createSanitizeFunction(sanitizeOptions);
+            return sanitizeFunction(data);
+        };
+        return wrappedSanitize;
+    };
+    const getDefaultOptions = (data, options) => {
+        return (0, fp_1.defaults)({ subject: (0, ability_1.subject)(model, data), action }, options);
+    };
+    /**
+     * Omit creator fields' (createdBy & updatedBy) roles from the admin API responses
+     */
+    const omitCreatorRoles = (0, fp_1.omit)([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);
+    /**
+     * Visitor used to remove hidden fields from the admin API responses
+     */
+    const omitHiddenFields = ({ key, schema }, { remove }) => {
+        const isHidden = (0, fp_1.getOr)(false, ['config', 'attributes', key, 'hidden'], schema);
+        if (isHidden) {
+            remove(key);
+        }
+    };
+    /**
+     * Visitor used to only select needed fields from the admin users entities & avoid leaking sensitive information
+     */
+    const pickAllowedAdminUserFields = ({ attribute, key, value }, { set }) => {
+        const pickAllowedFields = (0, fp_1.pick)(user_1.ADMIN_USER_ALLOWED_FIELDS);
+        if (attribute.type === 'relation' && attribute.target === 'admin::user' && value) {
+            if (Array.isArray(value)) {
+                set(key, value.map(pickAllowedFields));
+            }
+            else {
+                set(key, pickAllowedFields(value));
+            }
+        }
+    };
+    /**
+     * Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information
+     */
+    const omitDisallowedAdminUserFields = ({ key, attribute, schema }, { remove }) => {
+        if (schema.uid === 'admin::user' && attribute && !user_1.ADMIN_USER_ALLOWED_FIELDS.includes(key)) {
+            remove(key);
+        }
+    };
+    const getInputFields = (fields = []) => {
+        const nonVisibleAttributes = getNonVisibleAttributes(schema);
+        const writableAttributes = getWritableAttributes(schema);
+        const nonVisibleWritableAttributes = (0, fp_1.intersection)(nonVisibleAttributes, writableAttributes);
+        return (0, fp_1.uniq)([
+            ...fields,
+            ...STATIC_FIELDS,
+            ...COMPONENT_FIELDS,
+            ...nonVisibleWritableAttributes,
+        ]);
+    };
+    const getOutputFields = (fields = []) => {
+        const nonWritableAttributes = getNonWritableAttributes(schema);
+        const nonVisibleAttributes = getNonVisibleAttributes(schema);
+        return (0, fp_1.uniq)([
+            ...fields,
+            ...STATIC_FIELDS,
+            ...COMPONENT_FIELDS,
+            ...nonWritableAttributes,
+            ...nonVisibleAttributes,
+            CREATED_AT_ATTRIBUTE,
+            UPDATED_AT_ATTRIBUTE,
+        ]);
+    };
+    const getQueryFields = (fields = []) => {
+        const nonVisibleAttributes = getNonVisibleAttributes(schema);
+        const writableAttributes = getWritableAttributes(schema);
+        const nonVisibleWritableAttributes = (0, fp_1.intersection)(nonVisibleAttributes, writableAttributes);
+        return (0, fp_1.uniq)([
+            ...fields,
+            ...STATIC_FIELDS,
+            ...COMPONENT_FIELDS,
+            ...nonVisibleWritableAttributes,
+            CREATED_AT_ATTRIBUTE,
+            UPDATED_AT_ATTRIBUTE,
+            PUBLISHED_AT_ATTRIBUTE,
+            CREATED_BY_ATTRIBUTE,
+            UPDATED_BY_ATTRIBUTE,
+        ]);
+    };
+    return {
+        sanitizeOutput: wrapSanitize(createSanitizeOutput),
+        sanitizeInput: wrapSanitize(createSanitizeInput),
+        sanitizeQuery: wrapSanitize(createSanitizeQuery),
+    };
+};
+//# sourceMappingURL=sanitize.js.map

package/dist/server/services/permission/permissions-manager/sanitize.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../../../../server/src/services/permission/permissions-manager/sanitize.ts"],"names":[],"mappings":";;AAAA,2CAAwE;AACxE,+CAAwD;AACxD,kCAemB;AAEnB,yCAA4F;AAC5F,+CAAiE;AAEjE,MAAM,EACJ,QAAQ,EAAE,EAAE,cAAc,EAAE,GAC7B,GAAG,gBAAQ,CAAC;AAEb,MAAM,EACJ,SAAS,EACT,iBAAiB,EACjB,uBAAuB,EACvB,wBAAwB,EACxB,qBAAqB,GACtB,GAAG,oBAAY,CAAC;AACjB,MAAM,EACJ,YAAY,EACZ,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,GACrB,GAAG,SAAS,CAAC;AAEd,MAAM,gBAAgB,GAAG,CAAC,aAAa,CAAC,CAAC;AACzC,MAAM,aAAa,GAAG,CAAC,YAAY,CAAC,CAAC;AAErC,kBAAe,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAO,EAAE,EAAE;IACjD,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAEtC,MAAM,EAAE,sBAAsB,EAAE,GAAG,gBAAQ,CAAC,QAAQ,CAAC;IAErD,MAAM,mBAAmB,GAAG,CAAC,UAAU,EAAS,EAAE,EAAE;QAClD,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;QAE3B,4DAA4D;QAC5D,MAAM,eAAe,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAE1F,MAAM,eAAe,GAAG,IAAA,iBAAS,EAC/B,gBAAQ,CAAC,oBAAoB,CAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EAClF,gBAAQ,CAAC,oBAAoB,CAAC,6BAA6B,EAAE,EAAE,MAAM,EAAE,CAAC,EACxE,gBAAQ,CAAC,oBAAoB,CAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,CAAC,EAC3D,gBAAQ,CAAC,oBAAoB,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,CAAC,EACzD,gBAAQ,CAAC,oBAAoB,CAC3B,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;YAC7B,IAAI,IAAA,aAAQ,EAAC,KAAK,CAAC,IAAI,IAAA,YAAO,EAAC,KAAK,CAAC,EAAE;gBACrC,MAAM,CAAC,GAAG,CAAC,CAAC;aACb;QACH,CAAC,EACD,EAAE,MAAM,EAAE,CACX,CACF,CAAC;QAEF,MAAM,YAAY,GAAG,IAAA,iBAAS,EAC5B,gBAAQ,CAAC,iBAAiB,CAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EAC/E,gBAAQ,CAAC,iBAAiB,CAAC,6BAA6B,EAAE,EAAE,MAAM,EAAE,CAAC,EACrE,gBAAQ,CAAC,iBAAiB,CAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,CAAC,EACxD,gBAAQ,CAAC,iBAAiB,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,CAAC,EACtD,gBAAQ,CAAC,iBAAiB,CACxB,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;YACxC,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,IAAI,IAAA,YAAO,EAAC,KAAK,CAAC,EAAE;gBACnD,MAAM,CAAC,GAAG,CAAC,CAAC;aACb;QACH,CAAC,EACD,EAAE,MAAM,EAAE,CACX,CACF,CAAC;QAEF,MAAM,gBAAgB,GAAG,IAAA,iBAAS,EAChC,gBAAQ,CAAC,qBAAqB,CAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EACnF,gBAAQ,CAAC,qBAAqB,CAAC,6BAA6B,EAAE,EAAE,MAAM,EAAE,CAAC,EACzE,gBAAQ,CAAC,qBAAqB,CAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,CAAC,EAC5D,gBAAQ,CAAC,qBAAqB,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,CAAC,CAC3D,CAAC;QAEF,MAAM,cAAc,GAAG,IAAA,iBAAS,EAC9B,gBAAQ,CAAC,mBAAmB,CAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EACjF,gBAAQ,CAAC,mBAAmB,CAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,CAAC,EAC1D,gBAAQ,CAAC,mBAAmB,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,CAAC,CACzD,CAAC;QAEF,OAAO,KAAK,EAAE,KAAU,EAAE,EAAE;YAC1B,MAAM,cAAc,GAAG,IAAA,cAAS,EAAC,KAAK,CAAC,CAAC;YAExC,IAAI,KAAK,CAAC,OAAO,EAAE;gBACjB,MAAM,CAAC,MAAM,CAAC,cAAc,EAAE,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;aAClF;YAED,IAAI,KAAK,CAAC,IAAI,EAAE;gBACd,MAAM,CAAC,MAAM,CAAC,cAAc,EAAE,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;aACzE;YAED,IAAI,KAAK,CAAC,QAAQ,EAAE;gBAClB,MAAM,CAAC,MAAM,CAAC,cAAc,EAAE,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;aACrF;YAED,IAAI,KAAK,CAAC,MAAM,EAAE;gBAChB,MAAM,CAAC,MAAM,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;aAC/E;YAED,OAAO,cAAc,CAAC;QACxB,CAAC,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,oBAAoB,GAAG,CAAC,UAAU,EAAS,EAAE,EAAE;QACnD,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;QAE3B,MAAM,eAAe,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAE3F,OAAO,IAAA,iBAAS;QACd,sCAAsC;QACtC,IAAA,sBAAc,EAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,CAAC;QAC5C,qDAAqD;QACrD,mBAAmB;QACnB,IAAA,sBAAc,EAAC,0BAA0B,EAAE,EAAE,MAAM,EAAE,CAAC;QACtD,mCAAmC;QACnC,IAAA,sBAAc,EAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC;QACnE,uCAAuC;QACvC,gBAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAC9C,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,mBAAmB,GAAG,CAAC,UAAU,EAAS,EAAE,EAAE;QAClD,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;QAE3B,MAAM,eAAe,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAE1F,OAAO,IAAA,iBAAS;QACd,sCAAsC;QACtC,IAAA,sBAAc,EAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,CAAC;QAC5C,mCAAmC;QACnC,mBAAmB;QACnB,IAAA,sBAAc,EAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC;QACnE,gDAAgD;QAChD,gBAAgB,CACjB,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,YAAY,GAAG,CAAC,sBAA2B,EAAE,EAAE;QACnD,mBAAmB;QACnB,MAAM,eAAe,GAAG,KAAK,EAAE,IAAS,EAAE,UAAU,EAAS,EAAE,EAAE;YAC/D,IAAI,IAAA,YAAO,EAAC,IAAI,CAAC,EAAE;gBACjB,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAW,EAAE,EAAE,CAAC,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;aACjF;YAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAE7E,MAAM,eAAe,GAAG,IAAA,yBAAiB,EAAC,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE;gBAC1E,UAAU,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE;aACxC,CAAC,CAAC;YAEH,MAAM,uBAAuB,GAAG,IAAA,SAAI,EAClC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,IAAA,UAAK,EAAC,MAAM,CAAC,EAC1B,IAAA,YAAO,EAAC,IAAA,SAAI,EAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,cAAc,EAAE,IAAA,2BAAiB,EAAC,OAAO,CAAC,CAAC,CAAC,CACtF,CAAC;YACF,MAAM,sBAAsB,GAAG,IAAA,YAAO,EAAC,eAAe,CAAC,IAAI,CAAC,uBAAuB,CAAC;YAEpF,MAAM,eAAe,GAAG;gBACtB,GAAG,OAAO;gBACV,MAAM,EAAE;oBACN,gBAAgB,EAAE,sBAAsB;oBACxC,SAAS,EAAE,eAAe;oBAC1B,uBAAuB;iBACxB;aACF,CAAC;YAEF,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,eAAe,CAAC,CAAC;YAEjE,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC,CAAC;QAEF,OAAO,eAAe,CAAC;IACzB,CAAC,CAAC;IAEF,MAAM,iBAAiB,GAAG,CAAC,IAAS,EAAE,OAAY,EAAE,EAAE;QACpD,OAAO,IAAA,aAAQ,EAAC,EAAE,OAAO,EAAE,IAAA,iBAAS,EAAC,KAAK,EAAE,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,OAAO,CAAC,CAAC;IACxE,CAAC,CAAC;IAEF;;OAEG;IACH,MAAM,gBAAgB,GAAG,IAAA,SAAI,EAAC,CAAC,GAAG,oBAAoB,QAAQ,EAAE,GAAG,oBAAoB,QAAQ,CAAC,CAAC,CAAC;IAElG;;OAEG;IACH,MAAM,gBAAgB,GAAG,CAAC,EAAE,GAAG,EAAE,MAAM,EAAO,EAAE,EAAE,MAAM,EAAO,EAAE,EAAE;QACjE,MAAM,QAAQ,GAAG,IAAA,UAAK,EAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,YAAY,EAAE,GAAG,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,CAAC;QAE/E,IAAI,QAAQ,EAAE;YACZ,MAAM,CAAC,GAAG,CAAC,CAAC;SACb;IACH,CAAC,CAAC;IAEF;;OAEG;IACH,MAAM,0BAA0B,GAAG,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,KAAK,EAAO,EAAE,EAAE,GAAG,EAAO,EAAE,EAAE;QAClF,MAAM,iBAAiB,GAAG,IAAA,SAAI,EAAC,gCAAyB,CAAC,CAAC;QAE1D,IAAI,SAAS,CAAC,IAAI,KAAK,UAAU,IAAI,SAAS,CAAC,MAAM,KAAK,aAAa,IAAI,KAAK,EAAE;YAChF,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;gBACxB,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC;aACxC;iBAAM;gBACL,GAAG,CAAC,GAAG,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC;aACpC;SACF;IACH,CAAC,CAAC;IAEF;;OAEG;IACH,MAAM,6BAA6B,GAAG,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAO,EAAE,EAAE,MAAM,EAAO,EAAE,EAAE;QACzF,IAAI,MAAM,CAAC,GAAG,KAAK,aAAa,IAAI,SAAS,IAAI,CAAC,gCAAyB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;YACzF,MAAM,CAAC,GAAG,CAAC,CAAC;SACb;IACH,CAAC,CAAC;IAEF,MAAM,cAAc,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,EAAE;QACrC,MAAM,oBAAoB,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAC7D,MAAM,kBAAkB,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAEzD,MAAM,4BAA4B,GAAG,IAAA,iBAAY,EAAC,oBAAoB,EAAE,kBAAkB,CAAC,CAAC;QAE5F,OAAO,IAAA,SAAI,EAAC;YACV,GAAG,MAAM;YACT,GAAG,aAAa;YAChB,GAAG,gBAAgB;YACnB,GAAG,4BAA4B;SAChC,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,MAAM,eAAe,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,EAAE;QACtC,MAAM,qBAAqB,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;QAC/D,MAAM,oBAAoB,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAE7D,OAAO,IAAA,SAAI,EAAC;YACV,GAAG,MAAM;YACT,GAAG,aAAa;YAChB,GAAG,gBAAgB;YACnB,GAAG,qBAAqB;YACxB,GAAG,oBAAoB;YACvB,oBAAoB;YACpB,oBAAoB;SACrB,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,MAAM,cAAc,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,EAAE;QACrC,MAAM,oBAAoB,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAC7D,MAAM,kBAAkB,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAEzD,MAAM,4BAA4B,GAAG,IAAA,iBAAY,EAAC,oBAAoB,EAAE,kBAAkB,CAAC,CAAC;QAE5F,OAAO,IAAA,SAAI,EAAC;YACV,GAAG,MAAM;YACT,GAAG,aAAa;YAChB,GAAG,gBAAgB;YACnB,GAAG,4BAA4B;YAC/B,oBAAoB;YACpB,oBAAoB;YACpB,sBAAsB;YACtB,oBAAoB;YACpB,oBAAoB;SACrB,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,OAAO;QACL,cAAc,EAAE,YAAY,CAAC,oBAAoB,CAAC;QAClD,aAAa,EAAE,YAAY,CAAC,mBAAmB,CAAC;QAChD,aAAa,EAAE,YAAY,CAAC,mBAAmB,CAAC;KACjD,CAAC;AACJ,CAAC,CAAC"}

package/dist/server/services/permission/permissions-manager/validate.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+declare const _default: ({ action, ability, model }: any) => {
+    validateQuery: (data: any, options?: {}) => any;
+    validateInput: (data: any, options?: {}) => any;
+};
+export default _default;

package/dist/server/services/permission/permissions-manager/validate.js ADDED Viewed

@@ -0,0 +1,134 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const ability_1 = require("@casl/ability");
+const extra_1 = require("@casl/ability/extra");
+const fp_1 = require("lodash/fp");
+const utils_1 = require("@strapi/utils");
+const user_1 = require("../../../domain/user");
+const { ValidationError } = utils_1.errors;
+const { throwPassword, throwDisallowedFields } = utils_1.validate.visitors;
+const { constants, isScalarAttribute, getNonVisibleAttributes, getWritableAttributes } = utils_1.contentTypes;
+const { ID_ATTRIBUTE, CREATED_AT_ATTRIBUTE, UPDATED_AT_ATTRIBUTE, PUBLISHED_AT_ATTRIBUTE, CREATED_BY_ATTRIBUTE, UPDATED_BY_ATTRIBUTE, } = constants;
+const COMPONENT_FIELDS = ['__component'];
+const STATIC_FIELDS = [ID_ATTRIBUTE];
+const throwInvalidParam = ({ key }) => {
+    throw new ValidationError(`Invalid parameter ${key}`);
+};
+exports.default = ({ action, ability, model }) => {
+    const schema = strapi.getModel(model);
+    const createValidateQuery = (options = {}) => {
+        const { fields } = options;
+        // TODO: validate relations to admin users in all validators
+        const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);
+        const validateFilters = (0, utils_1.pipeAsync)(utils_1.traverse.traverseQueryFilters(throwDisallowedFields(permittedFields), { schema }), utils_1.traverse.traverseQueryFilters(throwDisallowedAdminUserFields, { schema }), utils_1.traverse.traverseQueryFilters(throwPassword, { schema }), utils_1.traverse.traverseQueryFilters(({ key, value }) => {
+            if ((0, fp_1.isObject)(value) && (0, fp_1.isEmpty)(value)) {
+                throwInvalidParam({ key });
+            }
+        }, { schema }));
+        const validateSort = (0, utils_1.pipeAsync)(utils_1.traverse.traverseQuerySort(throwDisallowedFields(permittedFields), { schema }), utils_1.traverse.traverseQuerySort(throwDisallowedAdminUserFields, { schema }), utils_1.traverse.traverseQuerySort(throwPassword, { schema }), utils_1.traverse.traverseQuerySort(({ key, attribute, value }) => {
+            if (!isScalarAttribute(attribute) && (0, fp_1.isEmpty)(value)) {
+                throwInvalidParam({ key });
+            }
+        }, { schema }));
+        const validateFields = (0, utils_1.pipeAsync)(utils_1.traverse.traverseQueryFields(throwDisallowedFields(permittedFields), { schema }), utils_1.traverse.traverseQueryFields(throwPassword, { schema }));
+        return async (query) => {
+            if (query.filters) {
+                await validateFilters(query.filters);
+            }
+            if (query.sort) {
+                await validateSort(query.sort);
+            }
+            if (query.fields) {
+                await validateFields(query.fields);
+            }
+            return true;
+        };
+    };
+    const createValidateInput = (options = {}) => {
+        const { fields } = options;
+        const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);
+        return (0, utils_1.pipeAsync)(
+        // Remove fields hidden from the admin
+        (0, utils_1.traverseEntity)(throwHiddenFields, { schema }),
+        // Remove not allowed fields (RBAC)
+        // @ts-expect-error
+        (0, utils_1.traverseEntity)(throwDisallowedFields(permittedFields), { schema }),
+        // Remove roles from createdBy & updatedBy fields
+        omitCreatorRoles);
+    };
+    const wrapValidate = (createValidateFunction) => {
+        // @ts-expect-error
+        const wrappedValidate = async (data, options = {}) => {
+            if ((0, fp_1.isArray)(data)) {
+                return Promise.all(data.map((entity) => wrappedValidate(entity, options)));
+            }
+            const { subject, action: actionOverride } = getDefaultOptions(data, options);
+            const permittedFields = (0, extra_1.permittedFieldsOf)(ability, actionOverride, subject, {
+                fieldsFrom: (rule) => rule.fields || [],
+            });
+            const hasAtLeastOneRegistered = (0, fp_1.some)((fields) => !(0, fp_1.isNil)(fields), (0, fp_1.flatMap)((0, fp_1.prop)('fields'), ability.rulesFor(actionOverride, (0, ability_1.detectSubjectType)(subject))));
+            const shouldIncludeAllFields = (0, fp_1.isEmpty)(permittedFields) && !hasAtLeastOneRegistered;
+            const validateOptions = {
+                ...options,
+                fields: {
+                    shouldIncludeAll: shouldIncludeAllFields,
+                    permitted: permittedFields,
+                    hasAtLeastOneRegistered,
+                },
+            };
+            const validateFunction = createValidateFunction(validateOptions);
+            return validateFunction(data);
+        };
+        return wrappedValidate;
+    };
+    const getDefaultOptions = (data, options) => {
+        return (0, fp_1.defaults)({ subject: (0, ability_1.subject)(model, data), action }, options);
+    };
+    /**
+     * Omit creator fields' (createdBy & updatedBy) roles from the admin API responses
+     */
+    const omitCreatorRoles = (0, fp_1.omit)([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);
+    /**
+     * Visitor used to remove hidden fields from the admin API responses
+     */
+    const throwHiddenFields = ({ key, schema }) => {
+        const isHidden = (0, fp_1.getOr)(false, ['config', 'attributes', key, 'hidden'], schema);
+        if (isHidden) {
+            throwInvalidParam({ key });
+        }
+    };
+    /**
+     * Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information
+     */
+    const throwDisallowedAdminUserFields = ({ key, attribute, schema }) => {
+        if (schema.uid === 'admin::user' && attribute && !user_1.ADMIN_USER_ALLOWED_FIELDS.includes(key)) {
+            throwInvalidParam({ key });
+        }
+    };
+    const getInputFields = (fields = []) => {
+        const nonVisibleAttributes = getNonVisibleAttributes(schema);
+        const writableAttributes = getWritableAttributes(schema);
+        const nonVisibleWritableAttributes = (0, fp_1.intersection)(nonVisibleAttributes, writableAttributes);
+        return (0, fp_1.uniq)([
+            ...fields,
+            ...STATIC_FIELDS,
+            ...COMPONENT_FIELDS,
+            ...nonVisibleWritableAttributes,
+        ]);
+    };
+    const getQueryFields = (fields = []) => {
+        return (0, fp_1.uniq)([
+            ...fields,
+            ...STATIC_FIELDS,
+            ...COMPONENT_FIELDS,
+            CREATED_AT_ATTRIBUTE,
+            UPDATED_AT_ATTRIBUTE,
+            PUBLISHED_AT_ATTRIBUTE,
+        ]);
+    };
+    return {
+        validateQuery: wrapValidate(createValidateQuery),
+        validateInput: wrapValidate(createValidateInput),
+    };
+};
+//# sourceMappingURL=validate.js.map

package/dist/server/services/permission/permissions-manager/validate.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../../../server/src/services/permission/permissions-manager/validate.ts"],"names":[],"mappings":";;AAAA,2CAAwE;AACxE,+CAAwD;AACxD,kCAamB;AAEnB,yCAAoG;AACpG,+CAAiE;AAEjE,MAAM,EAAE,eAAe,EAAE,GAAG,cAAM,CAAC;AACnC,MAAM,EAAE,aAAa,EAAE,qBAAqB,EAAE,GAAG,gBAAQ,CAAC,QAAQ,CAAC;AAEnE,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,GACpF,oBAAY,CAAC;AACf,MAAM,EACJ,YAAY,EACZ,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,GACrB,GAAG,SAAS,CAAC;AAEd,MAAM,gBAAgB,GAAG,CAAC,aAAa,CAAC,CAAC;AAEzC,MAAM,aAAa,GAAG,CAAC,YAAY,CAAC,CAAC;AAErC,MAAM,iBAAiB,GAAG,CAAC,EAAE,GAAG,EAAO,EAAE,EAAE;IACzC,MAAM,IAAI,eAAe,CAAC,qBAAqB,GAAG,EAAE,CAAC,CAAC;AACxD,CAAC,CAAC;AAEF,kBAAe,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAO,EAAE,EAAE;IACjD,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAEtC,MAAM,mBAAmB,GAAG,CAAC,UAAU,EAAS,EAAE,EAAE;QAClD,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;QAE3B,4DAA4D;QAC5D,MAAM,eAAe,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAE1F,MAAM,eAAe,GAAG,IAAA,iBAAS,EAC/B,gBAAQ,CAAC,oBAAoB,CAAC,qBAAqB,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EACjF,gBAAQ,CAAC,oBAAoB,CAAC,8BAA8B,EAAE,EAAE,MAAM,EAAE,CAAC,EACzE,gBAAQ,CAAC,oBAAoB,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,CAAC,EACxD,gBAAQ,CAAC,oBAAoB,CAC3B,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE;YACjB,IAAI,IAAA,aAAQ,EAAC,KAAK,CAAC,IAAI,IAAA,YAAO,EAAC,KAAK,CAAC,EAAE;gBACrC,iBAAiB,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;aAC5B;QACH,CAAC,EACD,EAAE,MAAM,EAAE,CACX,CACF,CAAC;QAEF,MAAM,YAAY,GAAG,IAAA,iBAAS,EAC5B,gBAAQ,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EAC9E,gBAAQ,CAAC,iBAAiB,CAAC,8BAA8B,EAAE,EAAE,MAAM,EAAE,CAAC,EACtE,gBAAQ,CAAC,iBAAiB,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,CAAC,EACrD,gBAAQ,CAAC,iBAAiB,CACxB,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,EAAE,EAAE;YAC5B,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,IAAI,IAAA,YAAO,EAAC,KAAK,CAAC,EAAE;gBACnD,iBAAiB,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;aAC5B;QACH,CAAC,EACD,EAAE,MAAM,EAAE,CACX,CACF,CAAC;QAEF,MAAM,cAAc,GAAG,IAAA,iBAAS,EAC9B,gBAAQ,CAAC,mBAAmB,CAAC,qBAAqB,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EAChF,gBAAQ,CAAC,mBAAmB,CAAC,aAAa,EAAE,EAAE,MAAM,EAAE,CAAC,CACxD,CAAC;QAEF,OAAO,KAAK,EAAE,KAAU,EAAE,EAAE;YAC1B,IAAI,KAAK,CAAC,OAAO,EAAE;gBACjB,MAAM,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;aACtC;YAED,IAAI,KAAK,CAAC,IAAI,EAAE;gBACd,MAAM,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;aAChC;YAED,IAAI,KAAK,CAAC,MAAM,EAAE;gBAChB,MAAM,cAAc,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;aACpC;YAED,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,mBAAmB,GAAG,CAAC,UAAU,EAAS,EAAE,EAAE;QAClD,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;QAE3B,MAAM,eAAe,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAE1F,OAAO,IAAA,iBAAS;QACd,sCAAsC;QACtC,IAAA,sBAAc,EAAC,iBAAiB,EAAE,EAAE,MAAM,EAAE,CAAC;QAC7C,mCAAmC;QACnC,mBAAmB;QACnB,IAAA,sBAAc,EAAC,qBAAqB,CAAC,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC;QAClE,iDAAiD;QACjD,gBAAgB,CACjB,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,YAAY,GAAG,CAAC,sBAA2B,EAAE,EAAE;QACnD,mBAAmB;QACnB,MAAM,eAAe,GAAG,KAAK,EAAE,IAAI,EAAE,OAAO,GAAG,EAAE,EAAE,EAAE;YACnD,IAAI,IAAA,YAAO,EAAC,IAAI,CAAC,EAAE;gBACjB,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAW,EAAE,EAAE,CAAC,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;aACjF;YAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,GAAG,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAE7E,MAAM,eAAe,GAAG,IAAA,yBAAiB,EAAC,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE;gBAC1E,UAAU,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE;aACxC,CAAC,CAAC;YAEH,MAAM,uBAAuB,GAAG,IAAA,SAAI,EAClC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,IAAA,UAAK,EAAC,MAAM,CAAC,EAC1B,IAAA,YAAO,EAAC,IAAA,SAAI,EAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,cAAc,EAAE,IAAA,2BAAiB,EAAC,OAAO,CAAC,CAAC,CAAC,CACtF,CAAC;YACF,MAAM,sBAAsB,GAAG,IAAA,YAAO,EAAC,eAAe,CAAC,IAAI,CAAC,uBAAuB,CAAC;YAEpF,MAAM,eAAe,GAAG;gBACtB,GAAG,OAAO;gBACV,MAAM,EAAE;oBACN,gBAAgB,EAAE,sBAAsB;oBACxC,SAAS,EAAE,eAAe;oBAC1B,uBAAuB;iBACxB;aACF,CAAC;YAEF,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,eAAe,CAAC,CAAC;YAEjE,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC,CAAC;QAEF,OAAO,eAAe,CAAC;IACzB,CAAC,CAAC;IAEF,MAAM,iBAAiB,GAAG,CAAC,IAAS,EAAE,OAAY,EAAE,EAAE;QACpD,OAAO,IAAA,aAAQ,EAAC,EAAE,OAAO,EAAE,IAAA,iBAAS,EAAC,KAAK,EAAE,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,OAAO,CAAC,CAAC;IACxE,CAAC,CAAC;IAEF;;OAEG;IACH,MAAM,gBAAgB,GAAG,IAAA,SAAI,EAAC,CAAC,GAAG,oBAAoB,QAAQ,EAAE,GAAG,oBAAoB,QAAQ,CAAC,CAAC,CAAC;IAElG;;OAEG;IACH,MAAM,iBAAiB,GAAG,CAAC,EAAE,GAAG,EAAE,MAAM,EAAO,EAAE,EAAE;QACjD,MAAM,QAAQ,GAAG,IAAA,UAAK,EAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,YAAY,EAAE,GAAG,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,CAAC;QAE/E,IAAI,QAAQ,EAAE;YACZ,iBAAiB,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;SAC5B;IACH,CAAC,CAAC;IAEF;;OAEG;IACH,MAAM,8BAA8B,GAAG,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAO,EAAE,EAAE;QACzE,IAAI,MAAM,CAAC,GAAG,KAAK,aAAa,IAAI,SAAS,IAAI,CAAC,gCAAyB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;YACzF,iBAAiB,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;SAC5B;IACH,CAAC,CAAC;IAEF,MAAM,cAAc,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,EAAE;QACrC,MAAM,oBAAoB,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAC7D,MAAM,kBAAkB,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAEzD,MAAM,4BAA4B,GAAG,IAAA,iBAAY,EAAC,oBAAoB,EAAE,kBAAkB,CAAC,CAAC;QAE5F,OAAO,IAAA,SAAI,EAAC;YACV,GAAG,MAAM;YACT,GAAG,aAAa;YAChB,GAAG,gBAAgB;YACnB,GAAG,4BAA4B;SAChC,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,MAAM,cAAc,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,EAAE;QACrC,OAAO,IAAA,SAAI,EAAC;YACV,GAAG,MAAM;YACT,GAAG,aAAa;YAChB,GAAG,gBAAgB;YACnB,oBAAoB;YACpB,oBAAoB;YACpB,sBAAsB;SACvB,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,OAAO;QACL,aAAa,EAAE,YAAY,CAAC,mBAAmB,CAAC;QAChD,aAAa,EAAE,YAAY,CAAC,mBAAmB,CAAC;KACjD,CAAC;AACJ,CAAC,CAAC"}

package/dist/server/services/permission/queries.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * Delete permissions of roles in database
+ * @param rolesIds ids of roles
+ * @returns {Promise<array>}
+ */
+export declare const deleteByRolesIds: (rolesIds: string[]) => Promise<void>;
+/**
+ * Delete permissions
+ * @param ids ids of permissions
+ * @returns {Promise<array>}
+ */
+export declare const deleteByIds: (ids: string[]) => Promise<void>;
+/**
+ * Create many permissions
+ * @param permissions
+ * @returns {Promise<*[]|*>}
+ */
+export declare const createMany: (permissions: any) => Promise<import("../../domain/permission/index").Permission>;
+/**
+ * Find assigned permissions in the database
+ * @param params query params to find the permissions
+ * @returns {Promise<Permission[]>}
+ */
+export declare const findMany: (params?: {}) => Promise<import("../../domain/permission/index").Permission>;
+/**
+ * Find all permissions for a user
+ * @param user - user
+ * @returns {Promise<Permission[]>}
+ */
+export declare const findUserPermissions: (user: any) => Promise<import("../../domain/permission/index").Permission>;
+/**
+ * Removes permissions in database that don't exist anymore
+ * @returns {Promise<>}
+ */
+export declare const cleanPermissionsInDatabase: () => Promise<void>;
+declare const _default: {
+    createMany: (permissions: any) => Promise<import("../../domain/permission/index").Permission>;
+    findMany: (params?: {}) => Promise<import("../../domain/permission/index").Permission>;
+    deleteByRolesIds: (rolesIds: string[]) => Promise<void>;
+    deleteByIds: (ids: string[]) => Promise<void>;
+    findUserPermissions: (user: any) => Promise<import("../../domain/permission/index").Permission>;
+    cleanPermissionsInDatabase: () => Promise<void>;
+};
+export default _default;

package/dist/server/services/permission/queries.js ADDED Viewed

@@ -0,0 +1,159 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cleanPermissionsInDatabase = exports.findUserPermissions = exports.findMany = exports.createMany = exports.deleteByIds = exports.deleteByRolesIds = void 0;
+const fp_1 = require("lodash/fp");
+const p_map_1 = __importDefault(require("p-map"));
+const utils_1 = require("../../utils");
+const index_1 = __importDefault(require("../../domain/permission/index"));
+/**
+ * Delete permissions of roles in database
+ * @param rolesIds ids of roles
+ * @returns {Promise<array>}
+ */
+const deleteByRolesIds = async (rolesIds) => {
+    const permissionsToDelete = await strapi.query('admin::permission').findMany({
+        select: ['id'],
+        where: {
+            role: { id: rolesIds },
+        },
+    });
+    if (permissionsToDelete.length > 0) {
+        await (0, exports.deleteByIds)(permissionsToDelete.map((0, fp_1.prop)('id')));
+    }
+};
+exports.deleteByRolesIds = deleteByRolesIds;
+/**
+ * Delete permissions
+ * @param ids ids of permissions
+ * @returns {Promise<array>}
+ */
+const deleteByIds = async (ids) => {
+    const result = [];
+    for (const id of ids) {
+        const queryResult = await strapi.query('admin::permission').delete({ where: { id } });
+        result.push(queryResult);
+    }
+    strapi.eventHub.emit('permission.delete', { permissions: result });
+};
+exports.deleteByIds = deleteByIds;
+/**
+ * Create many permissions
+ * @param permissions
+ * @returns {Promise<*[]|*>}
+ */
+const createMany = async (permissions) => {
+    const createdPermissions = [];
+    for (const permission of permissions) {
+        const newPerm = await strapi.query('admin::permission').create({ data: permission });
+        createdPermissions.push(newPerm);
+    }
+    const permissionsToReturn = index_1.default.toPermission(createdPermissions);
+    strapi.eventHub.emit('permission.create', { permissions: permissionsToReturn });
+    return permissionsToReturn;
+};
+exports.createMany = createMany;
+/**
+ * Update a permission
+ * @returns {Promise<*[]|*>}
+ * @param params
+ * @param attributes
+ */
+const update = async (params, attributes) => {
+    const updatedPermission = await strapi
+        .query('admin::permission')
+        .update({ where: params, data: attributes });
+    const permissionToReturn = index_1.default.toPermission(updatedPermission);
+    strapi.eventHub.emit('permission.update', { permissions: permissionToReturn });
+    return permissionToReturn;
+};
+/**
+ * Find assigned permissions in the database
+ * @param params query params to find the permissions
+ * @returns {Promise<Permission[]>}
+ */
+const findMany = async (params = {}) => {
+    const rawPermissions = await strapi.query('admin::permission').findMany(params);
+    return index_1.default.toPermission(rawPermissions);
+};
+exports.findMany = findMany;
+/**
+ * Find all permissions for a user
+ * @param user - user
+ * @returns {Promise<Permission[]>}
+ */
+const findUserPermissions = async (user) => {
+    return (0, exports.findMany)({ where: { role: { users: { id: user.id } } } });
+};
+exports.findUserPermissions = findUserPermissions;
+const filterPermissionsToRemove = async (permissions) => {
+    const { actionProvider } = (0, utils_1.getService)('permission');
+    const permissionsToRemove = [];
+    for (const permission of permissions) {
+        const { subjects, options = {} } = actionProvider.get(permission.action) || {};
+        const { applyToProperties } = options;
+        const invalidProperties = await Promise.all((applyToProperties || []).map(async (property) => {
+            const applies = await actionProvider.appliesToProperty(property, permission.action, permission.subject);
+            return applies && (0, fp_1.isNil)(index_1.default.getProperty(property, permission));
+        }));
+        const isRegisteredAction = actionProvider.has(permission.action);
+        const hasInvalidProperties = (0, fp_1.isArray)(applyToProperties) && invalidProperties.every((0, fp_1.eq)(true));
+        const isInvalidSubject = (0, fp_1.isArray)(subjects) && !subjects.includes(permission.subject);
+        // If the permission has an invalid action, an invalid subject or invalid properties, then add it to the toBeRemoved collection
+        if (!isRegisteredAction || isInvalidSubject || hasInvalidProperties) {
+            permissionsToRemove.push(permission);
+        }
+    }
+    return permissionsToRemove;
+};
+/**
+ * Removes permissions in database that don't exist anymore
+ * @returns {Promise<>}
+ */
+const cleanPermissionsInDatabase = async () => {
+    const pageSize = 200;
+    const contentTypeService = (0, utils_1.getService)('content-type');
+    const total = await strapi.query('admin::permission').count();
+    const pageCount = Math.ceil(total / pageSize);
+    for (let page = 0; page < pageCount; page += 1) {
+        // 1. Find invalid permissions and collect their ID to delete them later
+        const results = await strapi
+            .query('admin::permission')
+            .findMany({ limit: pageSize, offset: page * pageSize });
+        const permissions = index_1.default.toPermission(results);
+        const permissionsToRemove = await filterPermissionsToRemove(permissions);
+        const permissionsIdToRemove = (0, fp_1.map)((0, fp_1.prop)('id'), permissionsToRemove);
+        // 2. Clean permissions' fields (add required ones, remove the non-existing ones)
+        // @ts-expect-error - Make toPermission return an array if the input was an array
+        const remainingPermissions = permissions.filter((permission) => !permissionsIdToRemove.includes(permission.id));
+        const permissionsWithCleanFields = contentTypeService.cleanPermissionFields(remainingPermissions);
+        // Update only the ones that need to be updated
+        const permissionsNeedingToBeUpdated = (0, fp_1.differenceWith)((a, b) => {
+            return a.id === b.id && (0, fp_1.xor)(a.properties.fields, b.properties.fields).length === 0;
+        }, permissionsWithCleanFields, remainingPermissions);
+        const updatePromiseProvider = (permission) => {
+            return update({ id: permission.id }, permission);
+        };
+        // Execute all the queries, update the database
+        await Promise.all([
+            (0, exports.deleteByIds)(permissionsIdToRemove),
+            // @ts-ignore
+            (0, p_map_1.default)(permissionsNeedingToBeUpdated, updatePromiseProvider, {
+                concurrency: 100,
+                stopOnError: true,
+            }),
+        ]);
+    }
+};
+exports.cleanPermissionsInDatabase = cleanPermissionsInDatabase;
+exports.default = {
+    createMany: exports.createMany,
+    findMany: exports.findMany,
+    deleteByRolesIds: exports.deleteByRolesIds,
+    deleteByIds: exports.deleteByIds,
+    findUserPermissions: exports.findUserPermissions,
+    cleanPermissionsInDatabase: exports.cleanPermissionsInDatabase,
+};
+//# sourceMappingURL=queries.js.map