npm - @strapi/admin - Versions diffs - 4.4.0-alpha.0 → 4.4.0-beta.1 - Mend

@strapi/admin 4.4.0-alpha.0 → 4.4.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

package/server/services/permission/engine.js CHANGED Viewed

@@ -1,107 +1,36 @@
 'use strict';
-const {
-  curry,
-  map,
-  filter,
-  propEq,
-  isFunction,
-  isBoolean,
-  isArray,
-  isNil,
-  isEmpty,
-  isObject,
-  prop,
-  merge,
-  pick,
-  difference,
-  cloneDeep,
-} = require('lodash/fp');
-const { AbilityBuilder, Ability } = require('@casl/ability');
-const sift = require('sift');
+const { curry, isArray, isEmpty, difference } = require('lodash/fp');
+const permissions = require('@strapi/permissions');
 const permissionDomain = require('../../domain/permission/index');
 const { getService } = require('../../utils');
-const {
-  createEngineHooks,
-  createWillEvaluateContext,
-  createWillRegisterContext,
-} = require('./engine-hooks');
-const allowedOperations = [
-  '$or',
-  '$and',
-  '$eq',
-  '$ne',
-  '$in',
-  '$nin',
-  '$lt',
-  '$lte',
-  '$gt',
-  '$gte',
-  '$exists',
-  '$elemMatch',
-];
-const operations = pick(allowedOperations, sift);
-const conditionsMatcher = (conditions) => {
-  return sift.createQueryTester(conditions, { operations });
-};
-module.exports = (conditionProvider) => {
-  const state = {
-    hooks: createEngineHooks(),
-  };
-  return {
-    hooks: state.hooks,
-    /**
-     * Generate an ability based on the given user (using associated roles & permissions)
-     * @param user
-     * @param options
-     * @returns {Promise<Ability>}
-     */
-    async generateUserAbility(user, options) {
-      const permissions = await getService('permission').findUserPermissions(user);
-      const abilityCreator = this.generateAbilityCreatorFor(user);
-      return abilityCreator(permissions, options);
-    },
+module.exports = (params) => {
+  const { providers } = params;
+  const engine = permissions.engine
+    .new({ providers })
     /**
-     * Create an ability factory for a specific user
-     * @param user
-     * @returns {function(*, *): Promise<Ability>}
+     * Validate the permission's action exists in the action registry
      */
-    generateAbilityCreatorFor(user) {
-      return async (permissions, options) => {
-        const { can, build } = new AbilityBuilder(Ability);
-        for (const permission of permissions) {
-          const registerFn = this.createRegisterFunction(can, permission, user);
-          await this.evaluate({ permission, user, options, registerFn });
-        }
-        return build({ conditionsMatcher });
-      };
-    },
-    /**
-     * Validate, invalidate and transform the permission attributes
-     * @param {Permission} permission
-     * @returns {null|Permission}
-     */
-    formatPermission(permission) {
-      const { actionProvider } = getService('permission');
-      const action = actionProvider.get(permission.action);
+    .on('before-format::validate.permission', ({ permission }) => {
+      const action = providers.action.get(permission.action);
       // If the action isn't registered into the action provider, then ignore the permission
       if (!action) {
-        return null;
+        strapi.log.debug(
+          `Unknown action "${permission.action}" supplied when registering a new permission in engine`
+        );
+        return false;
       }
+    })
+    /**
+     * Remove invalid properties from the permission based on the action (applyToProperties)
+     */
+    .on('format.permission', (permission) => {
+      const action = providers.action.get(permission.action);
       const properties = permission.properties || {};
       // Only keep the properties allowed by the action (action.applyToProperties)
@@ -116,153 +45,34 @@ module.exports = (conditionProvider) => {
         permission
       );
-      // If the `fields` property is an empty array, then ignore the permission
-      const { fields } = properties;
-      if (isArray(fields) && isEmpty(fields)) {
-        return null;
-      }
       return permissionWithSanitizedProperties;
-    },
-    /**
-     * Update the permission components through various processing
-     * @param {Permission} permission
-     * @returns {Promise<void>}
-     */
-    async applyPermissionProcessors(permission) {
-      const context = createWillEvaluateContext(permission);
-      // 1. Trigger willEvaluatePermission hook and await transformation operated on the permission
-      await state.hooks.willEvaluatePermission.call(context);
-    },
+    })
     /**
-     * Register new rules using `registerFn` based on valid permission's conditions
-     * @param options {object}
-     * @param options.permission {object}
-     * @param options.user {object}
-     * @param options.options {object | undefined}
-     * @param options.registerFn {Function}
-     * @returns {Promise<void>}
+     * Ignore the permission if the fields property is an empty array (access to no field)
      */
-    async evaluate(options) {
-      const { user, registerFn, options: conditionOptions } = options;
-      // Assert options.permission validity and format it
-      const permission = this.formatPermission(options.permission);
-      // If options.permission is invalid, then ignore the permission
-      if (permission === null) {
-        return;
-      }
-      await this.applyPermissionProcessors(permission);
-      // Extract the up-to-date components from the permission
-      const { action, subject, properties = {}, conditions } = permission;
-      // Register the permission if there is no condition
-      if (isEmpty(conditions)) {
-        return registerFn({ action, subject, fields: properties.fields });
-      }
-      /** Set of functions used to resolve + evaluate conditions & register the permission if allowed */
-      // 1. Replace each condition name by its associated value
-      const resolveConditions = map(conditionProvider.get);
-      // 2. Filter conditions, only keep those whose handler is a function
-      const filterValidConditions = filter((condition) => isFunction(condition.handler));
-      // 3. Evaluate the conditions handler and returns an object
-      // containing both the original condition and its result
-      const evaluateConditions = (conditions) => {
-        return Promise.all(
-          conditions.map(async (condition) => ({
-            condition,
-            result: await condition.handler(
-              user,
-              merge(conditionOptions, { permission: cloneDeep(permission) })
-            ),
-          }))
-        );
-      };
-      // 4. Only keeps booleans or objects as condition's result
-      const filterValidResults = filter(({ result }) => isBoolean(result) || isObject(result));
-      /**/
-      const evaluatedConditions = await Promise.resolve(conditions)
-        .then(resolveConditions)
-        .then(filterValidConditions)
-        .then(evaluateConditions)
-        .then(filterValidResults);
+    .on('after-format::validate.permission', ({ permission }) => {
+      const { fields } = permission.properties;
-      // Utils
-      const resultPropEq = propEq('result');
-      const pickResults = map(prop('result'));
-      if (evaluatedConditions.every(resultPropEq(false))) {
-        return;
-      }
-      // If there is no condition or if one of them return true, register the permission as is
-      if (isEmpty(evaluatedConditions) || evaluatedConditions.some(resultPropEq(true))) {
-        return registerFn({ action, subject, fields: properties.fields });
-      }
-      const results = pickResults(evaluatedConditions).filter(isObject);
-      if (isEmpty(results)) {
-        return registerFn({ action, subject, fields: properties.fields });
+      if (isArray(fields) && isEmpty(fields)) {
+        return false;
       }
+    });
-      // Register the permission
-      return registerFn({
-        action,
-        subject,
-        fields: properties.fields,
-        condition: { $and: [{ $or: results }] },
-      });
+  return {
+    get hooks() {
+      return engine.hooks;
     },
     /**
-     * Encapsulate a register function with custom params to fit `evaluatePermission`'s syntax
-     * @param can
-     * @param {Permission} permission
-     * @param {object} user
-     * @returns {function}
+     * Generate an ability based on the given user (using associated roles & permissions)
+     * @param user
+     * @returns {Promise<Ability>}
      */
-    createRegisterFunction(can, permission, user) {
-      const registerToCasl = (caslPermission) => {
-        const { action, subject, fields, condition } = caslPermission;
-        can(
-          action,
-          isNil(subject) ? 'all' : subject,
-          fields,
-          isObject(condition) ? condition : undefined
-        );
-      };
-      const runWillRegisterHook = async (caslPermission) => {
-        const hookContext = createWillRegisterContext(caslPermission, {
-          permission,
-          user,
-        });
-        await state.hooks.willRegisterPermission.call(hookContext);
-        return caslPermission;
-      };
+    async generateUserAbility(user) {
+      const permissions = await getService('permission').findUserPermissions(user);
-      return async (caslPermission) => {
-        await runWillRegisterHook(caslPermission);
-        registerToCasl(caslPermission);
-      };
+      return engine.generateAbility(permissions, user);
     },
     /**

package/server/services/permission/permissions-manager/query-builers.js CHANGED Viewed

@@ -49,9 +49,10 @@ const unwrapDeep = (obj) => {
       if (_.isPlainObject(v)) {
         if ('$elemMatch' in v) {
-          v = v.$elemMatch; // removing this key
+          _.setWith(acc, key, unwrapDeep(v.$elemMatch));
+        } else {
+          _.setWith(acc, key, unwrapDeep(v));
         }
-        _.setWith(acc, key, unwrapDeep(v));
       } else if (_.isArray(v)) {
         // prettier-ignore
         _.setWith(acc, key, v.map(v => unwrapDeep(v)));

package/server/services/permission/queries.js CHANGED Viewed

@@ -144,7 +144,7 @@ const cleanPermissionsInDatabase = async () => {
   const total = await strapi.query('admin::permission').count();
   const pageCount = Math.ceil(total / pageSize);
-  for (let page = 0; page < pageCount; page++) {
+  for (let page = 0; page < pageCount; page += 1) {
     // 1. Find invalid permissions and collect their ID to delete them later
     const results = await strapi
       .query('admin::permission')

package/server/services/permission.js CHANGED Viewed

@@ -10,11 +10,14 @@ const permissionQueries = require('./permission/queries');
 const actionProvider = createActionProvider();
 const conditionProvider = createConditionProvider();
-const engine = createPermissionEngine(conditionProvider);
 const sectionsBuilder = createSectionsBuilder();
 const sanitizePermission = domain.sanitizePermissionFields;
+const engine = createPermissionEngine({
+  providers: { action: actionProvider, condition: conditionProvider },
+});
 module.exports = {
   // Queries / Actions
   ...permissionQueries,

package/server/strategies/admin.js CHANGED Viewed

@@ -33,10 +33,16 @@ const authenticate = async (ctx) => {
   const userAbility = await getService('permission').engine.generateUserAbility(user);
+  // TODO: use the ability from ctx.state.auth instead of
+  // ctx.state.userAbility, and remove the assign below
   ctx.state.userAbility = userAbility;
   ctx.state.user = user;
-  return { authenticated: true, credentials: user };
+  return {
+    authenticated: true,
+    credentials: user,
+    ability: userAbility,
+  };
 };
 /** @type {import('.').AuthStrategy} */

package/server/strategies/api-token.js CHANGED Viewed

@@ -1,5 +1,6 @@
 'use strict';
+const { castArray, isNil } = require('lodash/fp');
 const { UnauthorizedError, ForbiddenError } = require('@strapi/utils').errors;
 const constants = require('../services/constants');
 const { getService } = require('../utils');
@@ -20,7 +21,10 @@ const extractToken = (ctx) => {
   return null;
 };
-/** @type {import('.').AuthenticateFunction} */
+/**
+ * Authenticate the validity of the token
+ *
+ *  @type {import('.').AuthenticateFunction} */
 const authenticate = async (ctx) => {
   const apiTokenService = getService('api-token');
   const token = extractToken(ctx);
@@ -33,33 +37,89 @@ const authenticate = async (ctx) => {
     accessKey: apiTokenService.hash(token),
   });
+  // token not found
   if (!apiToken) {
     return { authenticated: false };
   }
+  const currentDate = new Date();
+  if (!isNil(apiToken.expiresAt)) {
+    const expirationDate = new Date(apiToken.expiresAt);
+    // token has expired
+    if (expirationDate < currentDate) {
+      return { authenticated: false, error: new UnauthorizedError('Token expired') };
+    }
+  }
+  // update lastUsedAt
+  await apiTokenService.update(apiToken.id, {
+    lastUsedAt: currentDate,
+  });
+  if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
+    const ability = await strapi.contentAPI.permissions.engine.generateAbility(
+      apiToken.permissions.map((action) => ({ action }))
+    );
+    return { authenticated: true, ability, credentials: apiToken };
+  }
   return { authenticated: true, credentials: apiToken };
 };
-/** @type {import('.').VerifyFunction} */
+/**
+ * Verify the token has the required abilities for the requested scope
+ *
+ *  @type {import('.').VerifyFunction} */
 const verify = (auth, config) => {
-  const { credentials: apiToken } = auth;
+  const { credentials: apiToken, ability } = auth;
   if (!apiToken) {
-    throw new UnauthorizedError();
+    throw new UnauthorizedError('Token not found');
+  }
+  const currentDate = new Date();
+  if (!isNil(apiToken.expiresAt)) {
+    const expirationDate = new Date(apiToken.expiresAt);
+    // token has expired
+    if (expirationDate < currentDate) {
+      throw new UnauthorizedError('Token expired');
+    }
   }
+  // Full access
   if (apiToken.type === constants.API_TOKEN_TYPE.FULL_ACCESS) {
     return;
   }
-  /**
-   * If you don't have `full-access` you can only access `find` and `findOne`
-   * scopes. If the route has no scope, then you can't get access to it.
-   */
+  // Read only
+  if (apiToken.type === constants.API_TOKEN_TYPE.READ_ONLY) {
+    /**
+     * If you don't have `full-access` you can only access `find` and `findOne`
+     * scopes. If the route has no scope, then you can't get access to it.
+     */
+    const scopes = castArray(config.scope);
-  const scopes = Array.isArray(config.scope) ? config.scope : [config.scope];
-  if (config.scope && scopes.every(isReadScope)) {
-    return;
+    if (config.scope && scopes.every(isReadScope)) {
+      return;
+    }
+  }
+  // Custom
+  else if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
+    if (!ability) {
+      throw new ForbiddenError();
+    }
+    const scopes = castArray(config.scope);
+    const isAllowed = scopes.every((scope) => ability.can(scope));
+    if (isAllowed) {
+      return;
+    }
   }
   throw new ForbiddenError();

package/server/validation/api-tokens.js CHANGED Viewed

@@ -9,8 +9,16 @@ const apiTokenCreationSchema = yup
     name: yup.string().min(1).required(),
     description: yup.string().optional(),
     type: yup.string().oneOf(Object.values(constants.API_TOKEN_TYPE)).required(),
+    permissions: yup.array().of(yup.string()).nullable(),
+    lifespan: yup
+      .number()
+      .integer()
+      .min(1)
+      .oneOf(Object.values(constants.API_TOKEN_LIFESPANS))
+      .nullable(),
   })
-  .noUnknown();
+  .noUnknown()
+  .strict();
 const apiTokenUpdateSchema = yup
   .object()
@@ -18,8 +26,10 @@ const apiTokenUpdateSchema = yup
     name: yup.string().min(1).notNull(),
     description: yup.string().nullable(),
     type: yup.string().oneOf(Object.values(constants.API_TOKEN_TYPE)).notNull(),
+    permissions: yup.array().of(yup.string()).nullable(),
   })
-  .noUnknown();
+  .noUnknown()
+  .strict();
 module.exports = {
   validateApiTokenCreationInput: validateYupSchema(apiTokenCreationSchema),

package/server/validation/common-functions/check-fields-are-correctly-nested.js CHANGED Viewed

@@ -12,7 +12,7 @@ const checkFieldsAreCorrectlyNested = (fields) => {
   }
   let failed = false;
-  for (let indexA = 0; indexA < fields.length; indexA++) {
+  for (let indexA = 0; indexA < fields.length; indexA += 1) {
     failed = fields
       .slice(indexA + 1)
       .some(

package/admin/src/core/apis/CustomFields.js DELETED Viewed

@@ -1,80 +0,0 @@
-import invariant from 'invariant';
-const ALLOWED_TYPES = [
-  'biginteger',
-  'boolean',
-  'date',
-  'datetime',
-  'decimal',
-  'email',
-  'enumeration',
-  'float',
-  'integer',
-  'json',
-  'password',
-  'richtext',
-  'string',
-  'text',
-  'time',
-  'timestamp',
-  'uid',
-];
-class CustomFields {
-  constructor() {
-    this.customFields = {};
-  }
-  register(customFields) {
-    if (Array.isArray(customFields)) {
-      // If several custom fields are passed, register them one by one
-      customFields.forEach(customField => {
-        this.register(customField);
-      });
-    } else {
-      // Handle individual custom field
-      const { name, pluginId, type, intlLabel, intlDescription, components } = customFields;
-      // Ensure required attributes are provided
-      invariant(name, 'A name must be provided');
-      invariant(type, 'A type must be provided');
-      invariant(intlLabel, 'An intlLabel must be provided');
-      invariant(intlDescription, 'An intlDescription must be provided');
-      invariant(components, 'A components object must be provided');
-      invariant(components.Input, 'An Input component must be provided');
-      // Ensure the type is valid
-      invariant(
-        ALLOWED_TYPES.includes(type),
-        `Custom field type: '${type}' is not a valid Strapi type or it can't be used with a Custom Field`
-      );
-      // Ensure name has no special characters
-      const isValidObjectKey = /^(?![0-9])[a-zA-Z0-9$_-]+$/g;
-      invariant(
-        isValidObjectKey.test(name),
-        `Custom field name: '${name}' is not a valid object key`
-      );
-      // When no plugin is specified, default to the global namespace
-      const uid = pluginId ? `plugin::${pluginId}.${name}` : `global::${name}`;
-      // Ensure the uid is unique
-      const uidAlreadyUsed = Object.prototype.hasOwnProperty.call(this.customFields, uid);
-      invariant(!uidAlreadyUsed, `Custom field: '${uid}' has already been registered`);
-      this.customFields[uid] = customFields;
-    }
-  }
-  getAll() {
-    return this.customFields;
-  }
-  get(uid) {
-    return this.customFields[uid];
-  }
-}
-// Export an instance since it's a singleton
-export default new CustomFields();