@strapi/admin 4.16.2 → 4.18.0

package/server/services/permission/permissions-manager/sanitize.js

@@ -1,286 +0,0 @@
-'use strict';
-
-const { subject: asSubject, detectSubjectType } = require('@casl/ability');
-const { permittedFieldsOf } = require('@casl/ability/extra');
-const {
-  defaults,
-  omit,
-  isArray,
-  isEmpty,
-  isNil,
-  flatMap,
-  some,
-  prop,
-  uniq,
-  intersection,
-  pick,
-  getOr,
-  isObject,
-  cloneDeep,
-} = require('lodash/fp');
-
-const { contentTypes, traverseEntity, sanitize, pipeAsync, traverse } = require('@strapi/utils');
-const { removePassword } = require('@strapi/utils').sanitize.visitors;
-const { ADMIN_USER_ALLOWED_FIELDS } = require('../../../domain/user');
-
-const {
-  constants,
-  isScalarAttribute,
-  getNonVisibleAttributes,
-  getNonWritableAttributes,
-  getWritableAttributes,
-} = contentTypes;
-const {
-  ID_ATTRIBUTE,
-  CREATED_AT_ATTRIBUTE,
-  UPDATED_AT_ATTRIBUTE,
-  PUBLISHED_AT_ATTRIBUTE,
-  CREATED_BY_ATTRIBUTE,
-  UPDATED_BY_ATTRIBUTE,
-} = constants;
-
-const COMPONENT_FIELDS = ['__component'];
-const STATIC_FIELDS = [ID_ATTRIBUTE];
-
-module.exports = ({ action, ability, model }) => {
-  const schema = strapi.getModel(model);
-
-  const { removeDisallowedFields } = sanitize.visitors;
-
-  const createSanitizeQuery = (options = {}) => {
-    const { fields } = options;
-
-    // TODO: sanitize relations to admin users in all sanitizers
-    const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);
-
-    const sanitizeFilters = pipeAsync(
-      traverse.traverseQueryFilters(removeDisallowedFields(permittedFields), { schema }),
-      traverse.traverseQueryFilters(omitDisallowedAdminUserFields, { schema }),
-      traverse.traverseQueryFilters(omitHiddenFields, { schema }),
-      traverse.traverseQueryFilters(removePassword, { schema }),
-      traverse.traverseQueryFilters(
-        ({ key, value }, { remove }) => {
-          if (isObject(value) && isEmpty(value)) {
-            remove(key);
-          }
-        },
-        { schema }
-      )
-    );
-
-    const sanitizeSort = pipeAsync(
-      traverse.traverseQuerySort(removeDisallowedFields(permittedFields), { schema }),
-      traverse.traverseQuerySort(omitDisallowedAdminUserFields, { schema }),
-      traverse.traverseQuerySort(omitHiddenFields, { schema }),
-      traverse.traverseQuerySort(removePassword, { schema }),
-      traverse.traverseQuerySort(
-        ({ key, attribute, value }, { remove }) => {
-          if (!isScalarAttribute(attribute) && isEmpty(value)) {
-            remove(key);
-          }
-        },
-        { schema }
-      )
-    );
-
-    const sanitizePopulate = pipeAsync(
-      traverse.traverseQueryPopulate(removeDisallowedFields(permittedFields), { schema }),
-      traverse.traverseQueryPopulate(omitDisallowedAdminUserFields, { schema }),
-      traverse.traverseQueryPopulate(omitHiddenFields, { schema }),
-      traverse.traverseQueryPopulate(removePassword, { schema })
-    );
-
-    const sanitizeFields = pipeAsync(
-      traverse.traverseQueryFields(removeDisallowedFields(permittedFields), { schema }),
-      traverse.traverseQueryFields(omitHiddenFields, { schema }),
-      traverse.traverseQueryFields(removePassword, { schema })
-    );
-
-    return async (query) => {
-      const sanitizedQuery = cloneDeep(query);
-
-      if (query.filters) {
-        Object.assign(sanitizedQuery, { filters: await sanitizeFilters(query.filters) });
-      }
-
-      if (query.sort) {
-        Object.assign(sanitizedQuery, { sort: await sanitizeSort(query.sort) });
-      }
-
-      if (query.populate) {
-        Object.assign(sanitizedQuery, { populate: await sanitizePopulate(query.populate) });
-      }
-
-      if (query.fields) {
-        Object.assign(sanitizedQuery, { fields: await sanitizeFields(query.fields) });
-      }
-
-      return sanitizedQuery;
-    };
-  };
-
-  const createSanitizeOutput = (options = {}) => {
-    const { fields } = options;
-
-    const permittedFields = fields.shouldIncludeAll ? null : getOutputFields(fields.permitted);
-
-    return pipeAsync(
-      // Remove fields hidden from the admin
-      traverseEntity(omitHiddenFields, { schema }),
-      // Remove unallowed fields from admin::user relations
-      traverseEntity(pickAllowedAdminUserFields, { schema }),
-      // Remove not allowed fields (RBAC)
-      traverseEntity(removeDisallowedFields(permittedFields), { schema }),
-      // Remove all fields of type 'password'
-      sanitize.sanitizers.sanitizePasswords(schema)
-    );
-  };
-
-  const createSanitizeInput = (options = {}) => {
-    const { fields } = options;
-
-    const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);
-
-    return pipeAsync(
-      // Remove fields hidden from the admin
-      traverseEntity(omitHiddenFields, { schema }),
-      // Remove not allowed fields (RBAC)
-      traverseEntity(removeDisallowedFields(permittedFields), { schema }),
-      // Remove roles from createdBy & updateBy fields
-      omitCreatorRoles
-    );
-  };
-
-  const wrapSanitize = (createSanitizeFunction) => {
-    const wrappedSanitize = async (data, options = {}) => {
-      if (isArray(data)) {
-        return Promise.all(data.map((entity) => wrappedSanitize(entity, options)));
-      }
-
-      const { subject, action: actionOverride } = getDefaultOptions(data, options);
-
-      const permittedFields = permittedFieldsOf(ability, actionOverride, subject, {
-        fieldsFrom: (rule) => rule.fields || [],
-      });
-
-      const hasAtLeastOneRegistered = some(
-        (fields) => !isNil(fields),
-        flatMap(prop('fields'), ability.rulesFor(actionOverride, detectSubjectType(subject)))
-      );
-      const shouldIncludeAllFields = isEmpty(permittedFields) && !hasAtLeastOneRegistered;
-
-      const sanitizeOptions = {
-        ...options,
-        fields: {
-          shouldIncludeAll: shouldIncludeAllFields,
-          permitted: permittedFields,
-          hasAtLeastOneRegistered,
-        },
-      };
-
-      const sanitizeFunction = createSanitizeFunction(sanitizeOptions);
-
-      return sanitizeFunction(data);
-    };
-
-    return wrappedSanitize;
-  };
-
-  const getDefaultOptions = (data, options) => {
-    return defaults({ subject: asSubject(model, data), action }, options);
-  };
-
-  /**
-   * Omit creator fields' (createdBy & updatedBy) roles from the admin API responses
-   */
-  const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);
-
-  /**
-   * Visitor used to remove hidden fields from the admin API responses
-   */
-  const omitHiddenFields = ({ key, schema }, { remove }) => {
-    const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);
-
-    if (isHidden) {
-      remove(key);
-    }
-  };
-
-  /**
-   * Visitor used to only select needed fields from the admin users entities & avoid leaking sensitive information
-   */
-  const pickAllowedAdminUserFields = ({ attribute, key, value }, { set }) => {
-    const pickAllowedFields = pick(ADMIN_USER_ALLOWED_FIELDS);
-
-    if (attribute.type === 'relation' && attribute.target === 'admin::user' && value) {
-      if (Array.isArray(value)) {
-        set(key, value.map(pickAllowedFields));
-      } else {
-        set(key, pickAllowedFields(value));
-      }
-    }
-  };
-
-  /**
-   * Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information
-   */
-  const omitDisallowedAdminUserFields = ({ key, attribute, schema }, { remove }) => {
-    if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {
-      remove(key);
-    }
-  };
-
-  const getInputFields = (fields = []) => {
-    const nonVisibleAttributes = getNonVisibleAttributes(schema);
-    const writableAttributes = getWritableAttributes(schema);
-
-    const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);
-
-    return uniq([
-      ...fields,
-      ...STATIC_FIELDS,
-      ...COMPONENT_FIELDS,
-      ...nonVisibleWritableAttributes,
-    ]);
-  };
-
-  const getOutputFields = (fields = []) => {
-    const nonWritableAttributes = getNonWritableAttributes(schema);
-    const nonVisibleAttributes = getNonVisibleAttributes(schema);
-
-    return uniq([
-      ...fields,
-      ...STATIC_FIELDS,
-      ...COMPONENT_FIELDS,
-      ...nonWritableAttributes,
-      ...nonVisibleAttributes,
-      CREATED_AT_ATTRIBUTE,
-      UPDATED_AT_ATTRIBUTE,
-    ]);
-  };
-
-  const getQueryFields = (fields = []) => {
-    const nonVisibleAttributes = getNonVisibleAttributes(schema);
-    const writableAttributes = getWritableAttributes(schema);
-
-    const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);
-
-    return uniq([
-      ...fields,
-      ...STATIC_FIELDS,
-      ...COMPONENT_FIELDS,
-      ...nonVisibleWritableAttributes,
-      CREATED_AT_ATTRIBUTE,
-      UPDATED_AT_ATTRIBUTE,
-      PUBLISHED_AT_ATTRIBUTE,
-      CREATED_BY_ATTRIBUTE,
-      UPDATED_BY_ATTRIBUTE,
-    ]);
-  };
-
-  return {
-    sanitizeOutput: wrapSanitize(createSanitizeOutput),
-    sanitizeInput: wrapSanitize(createSanitizeInput),
-    sanitizeQuery: wrapSanitize(createSanitizeQuery),
-  };
-};

package/server/services/permission/permissions-manager/validate.js

@@ -1,218 +0,0 @@
-'use strict';
-
-const { subject: asSubject, detectSubjectType } = require('@casl/ability');
-const { permittedFieldsOf } = require('@casl/ability/extra');
-const {
-  defaults,
-  omit,
-  isArray,
-  isEmpty,
-  isNil,
-  flatMap,
-  some,
-  prop,
-  uniq,
-  intersection,
-  getOr,
-  isObject,
-} = require('lodash/fp');
-
-const {
-  contentTypes,
-  traverseEntity,
-  traverse,
-  validate,
-  pipeAsync,
-  errors: { ValidationError },
-} = require('@strapi/utils');
-
-const { throwPassword, throwDisallowedFields } = validate.visitors;
-const { ADMIN_USER_ALLOWED_FIELDS } = require('../../../domain/user');
-
-const { constants, isScalarAttribute, getNonVisibleAttributes, getWritableAttributes } =
-  contentTypes;
-const {
-  ID_ATTRIBUTE,
-  CREATED_AT_ATTRIBUTE,
-  UPDATED_AT_ATTRIBUTE,
-  PUBLISHED_AT_ATTRIBUTE,
-  CREATED_BY_ATTRIBUTE,
-  UPDATED_BY_ATTRIBUTE,
-} = constants;
-
-const COMPONENT_FIELDS = ['__component'];
-
-const STATIC_FIELDS = [ID_ATTRIBUTE];
-
-const throwInvalidParam = ({ key }) => {
-  throw new ValidationError(`Invalid parameter ${key}`);
-};
-
-module.exports = ({ action, ability, model }) => {
-  const schema = strapi.getModel(model);
-
-  const createValidateQuery = (options = {}) => {
-    const { fields } = options;
-
-    // TODO: validate relations to admin users in all validators
-    const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);
-
-    const validateFilters = pipeAsync(
-      traverse.traverseQueryFilters(throwDisallowedFields(permittedFields), { schema }),
-      traverse.traverseQueryFilters(throwDisallowedAdminUserFields, { schema }),
-      traverse.traverseQueryFilters(throwPassword, { schema }),
-      traverse.traverseQueryFilters(
-        ({ key, value }) => {
-          if (isObject(value) && isEmpty(value)) {
-            throwInvalidParam({ key });
-          }
-        },
-        { schema }
-      )
-    );
-
-    const validateSort = pipeAsync(
-      traverse.traverseQuerySort(throwDisallowedFields(permittedFields), { schema }),
-      traverse.traverseQuerySort(throwDisallowedAdminUserFields, { schema }),
-      traverse.traverseQuerySort(throwPassword, { schema }),
-      traverse.traverseQuerySort(
-        ({ key, attribute, value }) => {
-          if (!isScalarAttribute(attribute) && isEmpty(value)) {
-            throwInvalidParam({ key });
-          }
-        },
-        { schema }
-      )
-    );
-
-    const validateFields = pipeAsync(
-      traverse.traverseQueryFields(throwDisallowedFields(permittedFields), { schema }),
-      traverse.traverseQueryFields(throwPassword, { schema })
-    );
-
-    return async (query) => {
-      if (query.filters) {
-        await validateFilters(query.filters);
-      }
-
-      if (query.sort) {
-        await validateSort(query.sort);
-      }
-
-      if (query.fields) {
-        await validateFields(query.fields);
-      }
-
-      return true;
-    };
-  };
-
-  const createValidateInput = (options = {}) => {
-    const { fields } = options;
-
-    const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);
-
-    return pipeAsync(
-      // Remove fields hidden from the admin
-      traverseEntity(throwHiddenFields, { schema }),
-      // Remove not allowed fields (RBAC)
-      traverseEntity(throwDisallowedFields(permittedFields), { schema }),
-      // Remove roles from createdBy & updatedBy fields
-      omitCreatorRoles
-    );
-  };
-
-  const wrapValidate = (createValidateFunction) => {
-    const wrappedValidate = async (data, options = {}) => {
-      if (isArray(data)) {
-        return Promise.all(data.map((entity) => wrappedValidate(entity, options)));
-      }
-
-      const { subject, action: actionOverride } = getDefaultOptions(data, options);
-
-      const permittedFields = permittedFieldsOf(ability, actionOverride, subject, {
-        fieldsFrom: (rule) => rule.fields || [],
-      });
-
-      const hasAtLeastOneRegistered = some(
-        (fields) => !isNil(fields),
-        flatMap(prop('fields'), ability.rulesFor(actionOverride, detectSubjectType(subject)))
-      );
-      const shouldIncludeAllFields = isEmpty(permittedFields) && !hasAtLeastOneRegistered;
-
-      const validateOptions = {
-        ...options,
-        fields: {
-          shouldIncludeAll: shouldIncludeAllFields,
-          permitted: permittedFields,
-          hasAtLeastOneRegistered,
-        },
-      };
-
-      const validateFunction = createValidateFunction(validateOptions);
-
-      return validateFunction(data);
-    };
-
-    return wrappedValidate;
-  };
-
-  const getDefaultOptions = (data, options) => {
-    return defaults({ subject: asSubject(model, data), action }, options);
-  };
-
-  /**
-   * Omit creator fields' (createdBy & updatedBy) roles from the admin API responses
-   */
-  const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);
-
-  /**
-   * Visitor used to remove hidden fields from the admin API responses
-   */
-  const throwHiddenFields = ({ key, schema }) => {
-    const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);
-
-    if (isHidden) {
-      throwInvalidParam({ key });
-    }
-  };
-
-  /**
-   * Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information
-   */
-  const throwDisallowedAdminUserFields = ({ key, attribute, schema }) => {
-    if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {
-      throwInvalidParam({ key });
-    }
-  };
-
-  const getInputFields = (fields = []) => {
-    const nonVisibleAttributes = getNonVisibleAttributes(schema);
-    const writableAttributes = getWritableAttributes(schema);
-
-    const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);
-
-    return uniq([
-      ...fields,
-      ...STATIC_FIELDS,
-      ...COMPONENT_FIELDS,
-      ...nonVisibleWritableAttributes,
-    ]);
-  };
-
-  const getQueryFields = (fields = []) => {
-    return uniq([
-      ...fields,
-      ...STATIC_FIELDS,
-      ...COMPONENT_FIELDS,
-      CREATED_AT_ATTRIBUTE,
-      UPDATED_AT_ATTRIBUTE,
-      PUBLISHED_AT_ATTRIBUTE,
-    ]);
-  };
-
-  return {
-    validateQuery: wrapValidate(createValidateQuery),
-    validateInput: wrapValidate(createValidateInput),
-  };
-};

package/server/services/permission/queries.js

@@ -1,190 +0,0 @@
-'use strict';
-
-const { isNil, isArray, prop, xor, eq, map, differenceWith } = require('lodash/fp');
-const pmap = require('p-map');
-const { getService } = require('../../utils');
-const permissionDomain = require('../../domain/permission/index');
-
-/**
- * Delete permissions of roles in database
- * @param rolesIds ids of roles
- * @returns {Promise<array>}
- */
-const deleteByRolesIds = async (rolesIds) => {
-  const permissionsToDelete = await strapi.query('admin::permission').findMany({
-    select: ['id'],
-    where: {
-      role: { id: rolesIds },
-    },
-  });
-
-  if (permissionsToDelete.length > 0) {
-    await deleteByIds(permissionsToDelete.map(prop('id')));
-  }
-};
-
-/**
- * Delete permissions
- * @param ids ids of permissions
- * @returns {Promise<array>}
- */
-const deleteByIds = async (ids) => {
-  const result = [];
-  for (const id of ids) {
-    const queryResult = await strapi.query('admin::permission').delete({ where: { id } });
-    result.push(queryResult);
-  }
-  strapi.eventHub.emit('permission.delete', { permissions: result });
-};
-
-/**
- * Create many permissions
- * @param permissions
- * @returns {Promise<*[]|*>}
- */
-const createMany = async (permissions) => {
-  const createdPermissions = [];
-  for (const permission of permissions) {
-    const newPerm = await strapi.query('admin::permission').create({ data: permission });
-    createdPermissions.push(newPerm);
-  }
-
-  const permissionsToReturn = permissionDomain.toPermission(createdPermissions);
-  strapi.eventHub.emit('permission.create', { permissions: permissionsToReturn });
-
-  return permissionsToReturn;
-};
-
-/**
- * Update a permission
- * @returns {Promise<*[]|*>}
- * @param params
- * @param attributes
- */
-const update = async (params, attributes) => {
-  const updatedPermission = await strapi
-    .query('admin::permission')
-    .update({ where: params, data: attributes });
-
-  const permissionToReturn = permissionDomain.toPermission(updatedPermission);
-  strapi.eventHub.emit('permission.update', { permissions: permissionToReturn });
-
-  return permissionToReturn;
-};
-
-/**
- * Find assigned permissions in the database
- * @param params query params to find the permissions
- * @returns {Promise<Permission[]>}
- */
-const findMany = async (params = {}) => {
-  const rawPermissions = await strapi.query('admin::permission').findMany(params);
-
-  return permissionDomain.toPermission(rawPermissions);
-};
-
-/**
- * Find all permissions for a user
- * @param user - user
- * @returns {Promise<Permission[]>}
- */
-const findUserPermissions = async (user) => {
-  return findMany({ where: { role: { users: { id: user.id } } } });
-};
-
-const filterPermissionsToRemove = async (permissions) => {
-  const { actionProvider } = getService('permission');
-
-  const permissionsToRemove = [];
-
-  for (const permission of permissions) {
-    const { subjects, options = {} } = actionProvider.get(permission.action) || {};
-    const { applyToProperties } = options;
-
-    const invalidProperties = await Promise.all(
-      (applyToProperties || []).map(async (property) => {
-        const applies = await actionProvider.appliesToProperty(
-          property,
-          permission.action,
-          permission.subject
-        );
-
-        return applies && isNil(permissionDomain.getProperty(property, permission));
-      })
-    );
-
-    const isRegisteredAction = actionProvider.has(permission.action);
-    const hasInvalidProperties = isArray(applyToProperties) && invalidProperties.every(eq(true));
-    const isInvalidSubject = isArray(subjects) && !subjects.includes(permission.subject);
-
-    // If the permission has an invalid action, an invalid subject or invalid properties, then add it to the toBeRemoved collection
-    if (!isRegisteredAction || isInvalidSubject || hasInvalidProperties) {
-      permissionsToRemove.push(permission);
-    }
-  }
-
-  return permissionsToRemove;
-};
-
-/**
- * Removes permissions in database that don't exist anymore
- * @returns {Promise<>}
- */
-const cleanPermissionsInDatabase = async () => {
-  const pageSize = 200;
-
-  const contentTypeService = getService('content-type');
-
-  const total = await strapi.query('admin::permission').count();
-  const pageCount = Math.ceil(total / pageSize);
-
-  for (let page = 0; page < pageCount; page += 1) {
-    // 1. Find invalid permissions and collect their ID to delete them later
-    const results = await strapi
-      .query('admin::permission')
-      .findMany({ limit: pageSize, offset: page * pageSize });
-
-    const permissions = permissionDomain.toPermission(results);
-    const permissionsToRemove = await filterPermissionsToRemove(permissions);
-    const permissionsIdToRemove = map(prop('id'), permissionsToRemove);
-
-    // 2. Clean permissions' fields (add required ones, remove the non-existing ones)
-    const remainingPermissions = permissions.filter(
-      (permission) => !permissionsIdToRemove.includes(permission.id)
-    );
-
-    const permissionsWithCleanFields =
-      contentTypeService.cleanPermissionFields(remainingPermissions);
-
-    // Update only the ones that need to be updated
-    const permissionsNeedingToBeUpdated = differenceWith(
-      (a, b) => {
-        return a.id === b.id && xor(a.properties.fields, b.properties.fields).length === 0;
-      },
-      permissionsWithCleanFields,
-      remainingPermissions
-    );
-
-    const updatePromiseProvider = (permission) => {
-      return update({ id: permission.id }, permission);
-    };
-
-    // Execute all the queries, update the database
-    await Promise.all([
-      deleteByIds(permissionsIdToRemove),
-      pmap(permissionsNeedingToBeUpdated, updatePromiseProvider, {
-        concurrency: 100,
-        stopOnError: true,
-      }),
-    ]);
-  }
-};
-
-module.exports = {
-  createMany,
-  findMany,
-  deleteByRolesIds,
-  deleteByIds,
-  findUserPermissions,
-  cleanPermissionsInDatabase,
-};