@strapi/admin 4.4.0-beta.1 → 4.4.0-beta.3

package/server/services/permission/engine.js

@@ -1,36 +1,107 @@
 'use strict';
 
-const { curry, isArray, isEmpty, difference } = require('lodash/fp');
-const permissions = require('@strapi/permissions');
-
+const {
+  curry,
+  map,
+  filter,
+  propEq,
+  isFunction,
+  isBoolean,
+  isArray,
+  isNil,
+  isEmpty,
+  isObject,
+  prop,
+  merge,
+  pick,
+  difference,
+  cloneDeep,
+} = require('lodash/fp');
+const { AbilityBuilder, Ability } = require('@casl/ability');
+const sift = require('sift');
 const permissionDomain = require('../../domain/permission/index');
 const { getService } = require('../../utils');
+const {
+  createEngineHooks,
+  createWillEvaluateContext,
+  createWillRegisterContext,
+} = require('./engine-hooks');
+
+const allowedOperations = [
+  '$or',
+  '$and',
+  '$eq',
+  '$ne',
+  '$in',
+  '$nin',
+  '$lt',
+  '$lte',
+  '$gt',
+  '$gte',
+  '$exists',
+  '$elemMatch',
+];
+const operations = pick(allowedOperations, sift);
+
+const conditionsMatcher = (conditions) => {
+  return sift.createQueryTester(conditions, { operations });
+};
+
+module.exports = (conditionProvider) => {
+  const state = {
+    hooks: createEngineHooks(),
+  };
+
+  return {
+    hooks: state.hooks,
+
+    /**
+     * Generate an ability based on the given user (using associated roles & permissions)
+     * @param user
+     * @param options
+     * @returns {Promise<Ability>}
+     */
+    async generateUserAbility(user, options) {
+      const permissions = await getService('permission').findUserPermissions(user);
+      const abilityCreator = this.generateAbilityCreatorFor(user);
 
-module.exports = (params) => {
-  const { providers } = params;
+      return abilityCreator(permissions, options);
+    },
 
-  const engine = permissions.engine
-    .new({ providers })
     /**
-     * Validate the permission's action exists in the action registry
+     * Create an ability factory for a specific user
+     * @param user
+     * @returns {function(*, *): Promise<Ability>}
      */
-    .on('before-format::validate.permission', ({ permission }) => {
-      const action = providers.action.get(permission.action);
+    generateAbilityCreatorFor(user) {
+      return async (permissions, options) => {
+        const { can, build } = new AbilityBuilder(Ability);
+
+        for (const permission of permissions) {
+          const registerFn = this.createRegisterFunction(can, permission, user);
+
+          await this.evaluate({ permission, user, options, registerFn });
+        }
+
+        return build({ conditionsMatcher });
+      };
+    },
+
+    /**
+     * Validate, invalidate and transform the permission attributes
+     * @param {Permission} permission
+     * @returns {null|Permission}
+     */
+    formatPermission(permission) {
+      const { actionProvider } = getService('permission');
+
+      const action = actionProvider.get(permission.action);
 
       // If the action isn't registered into the action provider, then ignore the permission
       if (!action) {
-        strapi.log.debug(
-          `Unknown action "${permission.action}" supplied when registering a new permission in engine`
-        );
-        return false;
+        return null;
       }
-    })
 
-    /**
-     * Remove invalid properties from the permission based on the action (applyToProperties)
-     */
-    .on('format.permission', (permission) => {
-      const action = providers.action.get(permission.action);
       const properties = permission.properties || {};
 
       // Only keep the properties allowed by the action (action.applyToProperties)
@@ -45,34 +116,153 @@ module.exports = (params) => {
         permission
       );
 
+      // If the `fields` property is an empty array, then ignore the permission
+      const { fields } = properties;
+
+      if (isArray(fields) && isEmpty(fields)) {
+        return null;
+      }
+
       return permissionWithSanitizedProperties;
-    })
+    },
 
     /**
-     * Ignore the permission if the fields property is an empty array (access to no field)
+     * Update the permission components through various processing
+     * @param {Permission} permission
+     * @returns {Promise<void>}
      */
-    .on('after-format::validate.permission', ({ permission }) => {
-      const { fields } = permission.properties;
+    async applyPermissionProcessors(permission) {
+      const context = createWillEvaluateContext(permission);
 
-      if (isArray(fields) && isEmpty(fields)) {
-        return false;
+      // 1. Trigger willEvaluatePermission hook and await transformation operated on the permission
+      await state.hooks.willEvaluatePermission.call(context);
+    },
+
+    /**
+     * Register new rules using `registerFn` based on valid permission's conditions
+     * @param options {object}
+     * @param options.permission {object}
+     * @param options.user {object}
+     * @param options.options {object | undefined}
+     * @param options.registerFn {Function}
+     * @returns {Promise<void>}
+     */
+    async evaluate(options) {
+      const { user, registerFn, options: conditionOptions } = options;
+
+      // Assert options.permission validity and format it
+      const permission = this.formatPermission(options.permission);
+
+      // If options.permission is invalid, then ignore the permission
+      if (permission === null) {
+        return;
       }
-    });
 
-  return {
-    get hooks() {
-      return engine.hooks;
+      await this.applyPermissionProcessors(permission);
+
+      // Extract the up-to-date components from the permission
+      const { action, subject, properties = {}, conditions } = permission;
+
+      // Register the permission if there is no condition
+      if (isEmpty(conditions)) {
+        return registerFn({ action, subject, fields: properties.fields });
+      }
+
+      /** Set of functions used to resolve + evaluate conditions & register the permission if allowed */
+
+      // 1. Replace each condition name by its associated value
+      const resolveConditions = map(conditionProvider.get);
+
+      // 2. Filter conditions, only keep those whose handler is a function
+      const filterValidConditions = filter((condition) => isFunction(condition.handler));
+
+      // 3. Evaluate the conditions handler and returns an object
+      // containing both the original condition and its result
+      const evaluateConditions = (conditions) => {
+        return Promise.all(
+          conditions.map(async (condition) => ({
+            condition,
+            result: await condition.handler(
+              user,
+              merge(conditionOptions, { permission: cloneDeep(permission) })
+            ),
+          }))
+        );
+      };
+
+      // 4. Only keeps booleans or objects as condition's result
+      const filterValidResults = filter(({ result }) => isBoolean(result) || isObject(result));
+
+      /**/
+
+      const evaluatedConditions = await Promise.resolve(conditions)
+        .then(resolveConditions)
+        .then(filterValidConditions)
+        .then(evaluateConditions)
+        .then(filterValidResults);
+
+      // Utils
+      const resultPropEq = propEq('result');
+      const pickResults = map(prop('result'));
+
+      if (evaluatedConditions.every(resultPropEq(false))) {
+        return;
+      }
+
+      // If there is no condition or if one of them return true, register the permission as is
+      if (isEmpty(evaluatedConditions) || evaluatedConditions.some(resultPropEq(true))) {
+        return registerFn({ action, subject, fields: properties.fields });
+      }
+
+      const results = pickResults(evaluatedConditions).filter(isObject);
+
+      if (isEmpty(results)) {
+        return registerFn({ action, subject, fields: properties.fields });
+      }
+
+      // Register the permission
+      return registerFn({
+        action,
+        subject,
+        fields: properties.fields,
+        condition: { $and: [{ $or: results }] },
+      });
     },
 
     /**
-     * Generate an ability based on the given user (using associated roles & permissions)
-     * @param user
-     * @returns {Promise<Ability>}
+     * Encapsulate a register function with custom params to fit `evaluatePermission`'s syntax
+     * @param can
+     * @param {Permission} permission
+     * @param {object} user
+     * @returns {function}
      */
-    async generateUserAbility(user) {
-      const permissions = await getService('permission').findUserPermissions(user);
+    createRegisterFunction(can, permission, user) {
+      const registerToCasl = (caslPermission) => {
+        const { action, subject, fields, condition } = caslPermission;
+
+        can(
+          action,
+          isNil(subject) ? 'all' : subject,
+          fields,
+          isObject(condition) ? condition : undefined
+        );
+      };
+
+      const runWillRegisterHook = async (caslPermission) => {
+        const hookContext = createWillRegisterContext(caslPermission, {
+          permission,
+          user,
+        });
+
+        await state.hooks.willRegisterPermission.call(hookContext);
+
+        return caslPermission;
+      };
 
-      return engine.generateAbility(permissions, user);
+      return async (caslPermission) => {
+        await runWillRegisterHook(caslPermission);
+        registerToCasl(caslPermission);
+      };
     },
 
     /**

package/server/services/permission.js

@@ -10,14 +10,11 @@ const permissionQueries = require('./permission/queries');
 
 const actionProvider = createActionProvider();
 const conditionProvider = createConditionProvider();
+const engine = createPermissionEngine(conditionProvider);
 const sectionsBuilder = createSectionsBuilder();
 
 const sanitizePermission = domain.sanitizePermissionFields;
 
-const engine = createPermissionEngine({
-  providers: { action: actionProvider, condition: conditionProvider },
-});
-
 module.exports = {
   // Queries / Actions
   ...permissionQueries,

package/server/strategies/admin.js

@@ -33,16 +33,10 @@ const authenticate = async (ctx) => {
 
   const userAbility = await getService('permission').engine.generateUserAbility(user);
 
-  // TODO: use the ability from ctx.state.auth instead of
-  // ctx.state.userAbility, and remove the assign below
   ctx.state.userAbility = userAbility;
   ctx.state.user = user;
 
-  return {
-    authenticated: true,
-    credentials: user,
-    ability: userAbility,
-  };
+  return { authenticated: true, credentials: user };
 };
 
 /** @type {import('.').AuthStrategy} */

package/server/strategies/api-token.js

@@ -1,6 +1,5 @@
 'use strict';
 
-const { castArray, isNil } = require('lodash/fp');
 const { UnauthorizedError, ForbiddenError } = require('@strapi/utils').errors;
 const constants = require('../services/constants');
 const { getService } = require('../utils');
@@ -21,10 +20,7 @@ const extractToken = (ctx) => {
   return null;
 };
 
-/**
- * Authenticate the validity of the token
- *
- *  @type {import('.').AuthenticateFunction} */
+/** @type {import('.').AuthenticateFunction} */
 const authenticate = async (ctx) => {
   const apiTokenService = getService('api-token');
   const token = extractToken(ctx);
@@ -37,89 +33,33 @@ const authenticate = async (ctx) => {
     accessKey: apiTokenService.hash(token),
   });
 
-  // token not found
   if (!apiToken) {
     return { authenticated: false };
   }
 
-  const currentDate = new Date();
-
-  if (!isNil(apiToken.expiresAt)) {
-    const expirationDate = new Date(apiToken.expiresAt);
-    // token has expired
-    if (expirationDate < currentDate) {
-      return { authenticated: false, error: new UnauthorizedError('Token expired') };
-    }
-  }
-
-  // update lastUsedAt
-  await apiTokenService.update(apiToken.id, {
-    lastUsedAt: currentDate,
-  });
-
-  if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
-    const ability = await strapi.contentAPI.permissions.engine.generateAbility(
-      apiToken.permissions.map((action) => ({ action }))
-    );
-
-    return { authenticated: true, ability, credentials: apiToken };
-  }
-
   return { authenticated: true, credentials: apiToken };
 };
 
-/**
- * Verify the token has the required abilities for the requested scope
- *
- *  @type {import('.').VerifyFunction} */
+/** @type {import('.').VerifyFunction} */
 const verify = (auth, config) => {
-  const { credentials: apiToken, ability } = auth;
+  const { credentials: apiToken } = auth;
 
   if (!apiToken) {
-    throw new UnauthorizedError('Token not found');
-  }
-
-  const currentDate = new Date();
-
-  if (!isNil(apiToken.expiresAt)) {
-    const expirationDate = new Date(apiToken.expiresAt);
-    // token has expired
-    if (expirationDate < currentDate) {
-      throw new UnauthorizedError('Token expired');
-    }
+    throw new UnauthorizedError();
   }
 
-  // Full access
   if (apiToken.type === constants.API_TOKEN_TYPE.FULL_ACCESS) {
     return;
   }
 
-  // Read only
-  if (apiToken.type === constants.API_TOKEN_TYPE.READ_ONLY) {
-    /**
-     * If you don't have `full-access` you can only access `find` and `findOne`
-     * scopes. If the route has no scope, then you can't get access to it.
-     */
-    const scopes = castArray(config.scope);
-
-    if (config.scope && scopes.every(isReadScope)) {
-      return;
-    }
-  }
+  /**
+   * If you don't have `full-access` you can only access `find` and `findOne`
+   * scopes. If the route has no scope, then you can't get access to it.
+   */
 
-  // Custom
-  else if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
-    if (!ability) {
-      throw new ForbiddenError();
-    }
-
-    const scopes = castArray(config.scope);
-
-    const isAllowed = scopes.every((scope) => ability.can(scope));
-
-    if (isAllowed) {
-      return;
-    }
+  const scopes = Array.isArray(config.scope) ? config.scope : [config.scope];
+  if (config.scope && scopes.every(isReadScope)) {
+    return;
   }
 
   throw new ForbiddenError();

package/server/validation/api-tokens.js

@@ -9,16 +9,8 @@ const apiTokenCreationSchema = yup
     name: yup.string().min(1).required(),
     description: yup.string().optional(),
     type: yup.string().oneOf(Object.values(constants.API_TOKEN_TYPE)).required(),
-    permissions: yup.array().of(yup.string()).nullable(),
-    lifespan: yup
-      .number()
-      .integer()
-      .min(1)
-      .oneOf(Object.values(constants.API_TOKEN_LIFESPANS))
-      .nullable(),
   })
-  .noUnknown()
-  .strict();
+  .noUnknown();
 
 const apiTokenUpdateSchema = yup
   .object()
@@ -26,10 +18,8 @@ const apiTokenUpdateSchema = yup
     name: yup.string().min(1).notNull(),
     description: yup.string().nullable(),
     type: yup.string().oneOf(Object.values(constants.API_TOKEN_TYPE)).notNull(),
-    permissions: yup.array().of(yup.string()).nullable(),
   })
-  .noUnknown()
-  .strict();
+  .noUnknown();
 
 module.exports = {
   validateApiTokenCreationInput: validateYupSchema(apiTokenCreationSchema),

package/server/validation/common-validators.js

@@ -16,7 +16,7 @@ const getActionFromProvider = (actionId) => {
 
 const email = yup.string().email().lowercase();
 
-const firstname = yup.string().min(1);
+const firstname = yup.string().trim().min(1);
 
 const lastname = yup.string();
 

package/admin/src/contexts/ApiTokenPermissions/index.js

@@ -1,24 +0,0 @@
-import React, { createContext, useContext } from 'react';
-import PropTypes from 'prop-types';
-
-const ApiTokenPermissionsContext = createContext({});
-
-const ApiTokenPermissionsContextProvider = ({ children, ...rest }) => {
-  return (
-    <ApiTokenPermissionsContext.Provider value={rest}>
-      {children}
-    </ApiTokenPermissionsContext.Provider>
-  );
-};
-
-const useApiTokenPermissionsContext = () => useContext(ApiTokenPermissionsContext);
-
-ApiTokenPermissionsContextProvider.propTypes = {
-  children: PropTypes.node.isRequired,
-};
-
-export {
-  ApiTokenPermissionsContext,
-  ApiTokenPermissionsContextProvider,
-  useApiTokenPermissionsContext,
-};

package/admin/src/hooks/useRegenerate/index.js

@@ -1,34 +0,0 @@
-import { useState } from 'react';
-import { get } from 'lodash';
-import { useNotification } from '@strapi/helper-plugin';
-import { axiosInstance } from '../../core/utils';
-
-const useRegenerate = (id, onRegenerate) => {
-  const [isLoadingConfirmation, setIsLoadingConfirmation] = useState(false);
-  const toggleNotification = useNotification();
-
-  const regenerateData = async () => {
-    try {
-      const {
-        data: {
-          data: { accessKey },
-        },
-      } = await axiosInstance.post(`/admin/api-tokens/${id}/regenerate`);
-      setIsLoadingConfirmation(false);
-      onRegenerate(accessKey);
-    } catch (error) {
-      setIsLoadingConfirmation(false);
-      toggleNotification({
-        type: 'warning',
-        message: get(error, 'response.data.message', 'notification.error'),
-      });
-    }
-  };
-
-  return {
-    regenerateData,
-    isLoadingConfirmation,
-  };
-};
-
-export default useRegenerate;

package/admin/src/pages/SettingsPage/pages/ApiTokens/EditView/components/ActionBoundRoutes/index.js

@@ -1,56 +0,0 @@
-import React from 'react';
-import { useIntl } from 'react-intl';
-import { Typography } from '@strapi/design-system/Typography';
-import { Stack } from '@strapi/design-system/Stack';
-import { GridItem } from '@strapi/design-system/Grid';
-import BoundRoute from '../BoundRoute';
-import { useApiTokenPermissionsContext } from '../../../../../../../contexts/ApiTokenPermissions';
-
-const ActionBoundRoutes = () => {
-  const {
-    value: { selectedAction, routes },
-  } = useApiTokenPermissionsContext();
-  const { formatMessage } = useIntl();
-  const actionSection = selectedAction?.split('.')[0];
-
-  return (
-    <GridItem
-      col={5}
-      background="neutral150"
-      paddingTop={6}
-      paddingBottom={6}
-      paddingLeft={7}
-      paddingRight={7}
-      style={{ minHeight: '100%' }}
-    >
-      {selectedAction ? (
-        <Stack spacing={2}>
-          {routes[actionSection]?.map((route) => {
-            return route.config.auth?.scope?.includes(selectedAction) ||
-              route.handler === selectedAction ? (
-              <BoundRoute key={route.handler} route={route} />
-            ) : null;
-          })}
-        </Stack>
-      ) : (
-        <Stack spacing={2}>
-          <Typography variant="delta" as="h3">
-            {formatMessage({
-              id: 'Settings.apiTokens.createPage.permissions.header.title',
-              defaultMessage: 'Advanced settings',
-            })}
-          </Typography>
-          <Typography as="p" textColor="neutral600">
-            {formatMessage({
-              id: 'Settings.apiTokens.createPage.permissions.header.hint',
-              defaultMessage:
-                "Select the application's actions or the plugin's actions and click on the cog icon to display the bound route",
-            })}
-          </Typography>
-        </Stack>
-      )}
-    </GridItem>
-  );
-};
-
-export default ActionBoundRoutes;

package/admin/src/pages/SettingsPage/pages/ApiTokens/EditView/components/BoundRoute/getMethodColor.js

@@ -1,41 +0,0 @@
-const getMethodColor = (verb) => {
-  switch (verb) {
-    case 'POST': {
-      return {
-        text: 'success600',
-        border: 'success200',
-        background: 'success100',
-      };
-    }
-    case 'GET': {
-      return {
-        text: 'secondary600',
-        border: 'secondary200',
-        background: 'secondary100',
-      };
-    }
-    case 'PUT': {
-      return {
-        text: 'warning600',
-        border: 'warning200',
-        background: 'warning100',
-      };
-    }
-    case 'DELETE': {
-      return {
-        text: 'danger600',
-        border: 'danger200',
-        background: 'danger100',
-      };
-    }
-    default: {
-      return {
-        text: 'neutral600',
-        border: 'neutral200',
-        background: 'neutral100',
-      };
-    }
-  }
-};
-
-export default getMethodColor;