@strapi/admin 4.4.0-rc.0 → 4.5.0-alpha.0

package/server/services/permission/engine.js

@@ -1,36 +1,107 @@
 'use strict';
 
-const { curry, isArray, isEmpty, difference } = require('lodash/fp');
-const permissions = require('@strapi/permissions');
-
+const {
+  curry,
+  map,
+  filter,
+  propEq,
+  isFunction,
+  isBoolean,
+  isArray,
+  isNil,
+  isEmpty,
+  isObject,
+  prop,
+  merge,
+  pick,
+  difference,
+  cloneDeep,
+} = require('lodash/fp');
+const { AbilityBuilder, Ability } = require('@casl/ability');
+const sift = require('sift');
 const permissionDomain = require('../../domain/permission/index');
 const { getService } = require('../../utils');
+const {
+  createEngineHooks,
+  createWillEvaluateContext,
+  createWillRegisterContext,
+} = require('./engine-hooks');
+
+const allowedOperations = [
+  '$or',
+  '$and',
+  '$eq',
+  '$ne',
+  '$in',
+  '$nin',
+  '$lt',
+  '$lte',
+  '$gt',
+  '$gte',
+  '$exists',
+  '$elemMatch',
+];
+const operations = pick(allowedOperations, sift);
+
+const conditionsMatcher = (conditions) => {
+  return sift.createQueryTester(conditions, { operations });
+};
+
+module.exports = (conditionProvider) => {
+  const state = {
+    hooks: createEngineHooks(),
+  };
+
+  return {
+    hooks: state.hooks,
+
+    /**
+     * Generate an ability based on the given user (using associated roles & permissions)
+     * @param user
+     * @param options
+     * @returns {Promise<Ability>}
+     */
+    async generateUserAbility(user, options) {
+      const permissions = await getService('permission').findUserPermissions(user);
+      const abilityCreator = this.generateAbilityCreatorFor(user);
 
-module.exports = (params) => {
-  const { providers } = params;
+      return abilityCreator(permissions, options);
+    },
 
-  const engine = permissions.engine
-    .new({ providers })
     /**
-     * Validate the permission's action exists in the action registry
+     * Create an ability factory for a specific user
+     * @param user
+     * @returns {function(*, *): Promise<Ability>}
      */
-    .on('before-format::validate.permission', ({ permission }) => {
-      const action = providers.action.get(permission.action);
+    generateAbilityCreatorFor(user) {
+      return async (permissions, options) => {
+        const { can, build } = new AbilityBuilder(Ability);
+
+        for (const permission of permissions) {
+          const registerFn = this.createRegisterFunction(can, permission, user);
+
+          await this.evaluate({ permission, user, options, registerFn });
+        }
+
+        return build({ conditionsMatcher });
+      };
+    },
+
+    /**
+     * Validate, invalidate and transform the permission attributes
+     * @param {Permission} permission
+     * @returns {null|Permission}
+     */
+    formatPermission(permission) {
+      const { actionProvider } = getService('permission');
+
+      const action = actionProvider.get(permission.action);
 
       // If the action isn't registered into the action provider, then ignore the permission
       if (!action) {
-        strapi.log.debug(
-          `Unknown action "${permission.action}" supplied when registering a new permission in engine`
-        );
-        return false;
+        return null;
       }
-    })
 
-    /**
-     * Remove invalid properties from the permission based on the action (applyToProperties)
-     */
-    .on('format.permission', (permission) => {
-      const action = providers.action.get(permission.action);
       const properties = permission.properties || {};
 
       // Only keep the properties allowed by the action (action.applyToProperties)
@@ -45,34 +116,153 @@ module.exports = (params) => {
         permission
       );
 
+      // If the `fields` property is an empty array, then ignore the permission
+      const { fields } = properties;
+
+      if (isArray(fields) && isEmpty(fields)) {
+        return null;
+      }
+
       return permissionWithSanitizedProperties;
-    })
+    },
 
     /**
-     * Ignore the permission if the fields property is an empty array (access to no field)
+     * Update the permission components through various processing
+     * @param {Permission} permission
+     * @returns {Promise<void>}
      */
-    .on('after-format::validate.permission', ({ permission }) => {
-      const { fields } = permission.properties;
+    async applyPermissionProcessors(permission) {
+      const context = createWillEvaluateContext(permission);
 
-      if (isArray(fields) && isEmpty(fields)) {
-        return false;
+      // 1. Trigger willEvaluatePermission hook and await transformation operated on the permission
+      await state.hooks.willEvaluatePermission.call(context);
+    },
+
+    /**
+     * Register new rules using `registerFn` based on valid permission's conditions
+     * @param options {object}
+     * @param options.permission {object}
+     * @param options.user {object}
+     * @param options.options {object | undefined}
+     * @param options.registerFn {Function}
+     * @returns {Promise<void>}
+     */
+    async evaluate(options) {
+      const { user, registerFn, options: conditionOptions } = options;
+
+      // Assert options.permission validity and format it
+      const permission = this.formatPermission(options.permission);
+
+      // If options.permission is invalid, then ignore the permission
+      if (permission === null) {
+        return;
       }
-    });
 
-  return {
-    get hooks() {
-      return engine.hooks;
+      await this.applyPermissionProcessors(permission);
+
+      // Extract the up-to-date components from the permission
+      const { action, subject, properties = {}, conditions } = permission;
+
+      // Register the permission if there is no condition
+      if (isEmpty(conditions)) {
+        return registerFn({ action, subject, fields: properties.fields });
+      }
+
+      /** Set of functions used to resolve + evaluate conditions & register the permission if allowed */
+
+      // 1. Replace each condition name by its associated value
+      const resolveConditions = map(conditionProvider.get);
+
+      // 2. Filter conditions, only keep those whose handler is a function
+      const filterValidConditions = filter((condition) => isFunction(condition.handler));
+
+      // 3. Evaluate the conditions handler and returns an object
+      // containing both the original condition and its result
+      const evaluateConditions = (conditions) => {
+        return Promise.all(
+          conditions.map(async (condition) => ({
+            condition,
+            result: await condition.handler(
+              user,
+              merge(conditionOptions, { permission: cloneDeep(permission) })
+            ),
+          }))
+        );
+      };
+
+      // 4. Only keeps booleans or objects as condition's result
+      const filterValidResults = filter(({ result }) => isBoolean(result) || isObject(result));
+
+      /**/
+
+      const evaluatedConditions = await Promise.resolve(conditions)
+        .then(resolveConditions)
+        .then(filterValidConditions)
+        .then(evaluateConditions)
+        .then(filterValidResults);
+
+      // Utils
+      const resultPropEq = propEq('result');
+      const pickResults = map(prop('result'));
+
+      if (evaluatedConditions.every(resultPropEq(false))) {
+        return;
+      }
+
+      // If there is no condition or if one of them return true, register the permission as is
+      if (isEmpty(evaluatedConditions) || evaluatedConditions.some(resultPropEq(true))) {
+        return registerFn({ action, subject, fields: properties.fields });
+      }
+
+      const results = pickResults(evaluatedConditions).filter(isObject);
+
+      if (isEmpty(results)) {
+        return registerFn({ action, subject, fields: properties.fields });
+      }
+
+      // Register the permission
+      return registerFn({
+        action,
+        subject,
+        fields: properties.fields,
+        condition: { $and: [{ $or: results }] },
+      });
     },
 
     /**
-     * Generate an ability based on the given user (using associated roles & permissions)
-     * @param user
-     * @returns {Promise<Ability>}
+     * Encapsulate a register function with custom params to fit `evaluatePermission`'s syntax
+     * @param can
+     * @param {Permission} permission
+     * @param {object} user
+     * @returns {function}
      */
-    async generateUserAbility(user) {
-      const permissions = await getService('permission').findUserPermissions(user);
+    createRegisterFunction(can, permission, user) {
+      const registerToCasl = (caslPermission) => {
+        const { action, subject, fields, condition } = caslPermission;
+
+        can(
+          action,
+          isNil(subject) ? 'all' : subject,
+          fields,
+          isObject(condition) ? condition : undefined
+        );
+      };
+
+      const runWillRegisterHook = async (caslPermission) => {
+        const hookContext = createWillRegisterContext(caslPermission, {
+          permission,
+          user,
+        });
+
+        await state.hooks.willRegisterPermission.call(hookContext);
+
+        return caslPermission;
+      };
 
-      return engine.generateAbility(permissions, user);
+      return async (caslPermission) => {
+        await runWillRegisterHook(caslPermission);
+        registerToCasl(caslPermission);
+      };
     },
 
     /**

package/server/services/permission.js

@@ -10,14 +10,11 @@ const permissionQueries = require('./permission/queries');
 
 const actionProvider = createActionProvider();
 const conditionProvider = createConditionProvider();
+const engine = createPermissionEngine(conditionProvider);
 const sectionsBuilder = createSectionsBuilder();
 
 const sanitizePermission = domain.sanitizePermissionFields;
 
-const engine = createPermissionEngine({
-  providers: { action: actionProvider, condition: conditionProvider },
-});
-
 module.exports = {
   // Queries / Actions
   ...permissionQueries,

package/server/strategies/admin.js

@@ -33,16 +33,10 @@ const authenticate = async (ctx) => {
 
   const userAbility = await getService('permission').engine.generateUserAbility(user);
 
-  // TODO: use the ability from ctx.state.auth instead of
-  // ctx.state.userAbility, and remove the assign below
   ctx.state.userAbility = userAbility;
   ctx.state.user = user;
 
-  return {
-    authenticated: true,
-    credentials: user,
-    ability: userAbility,
-  };
+  return { authenticated: true, credentials: user };
 };
 
 /** @type {import('.').AuthStrategy} */

package/server/strategies/api-token.js

@@ -1,6 +1,5 @@
 'use strict';
 
-const { castArray, isNil } = require('lodash/fp');
 const { UnauthorizedError, ForbiddenError } = require('@strapi/utils').errors;
 const constants = require('../services/constants');
 const { getService } = require('../utils');
@@ -21,10 +20,7 @@ const extractToken = (ctx) => {
   return null;
 };
 
-/**
- * Authenticate the validity of the token
- *
- *  @type {import('.').AuthenticateFunction} */
+/** @type {import('.').AuthenticateFunction} */
 const authenticate = async (ctx) => {
   const apiTokenService = getService('api-token');
   const token = extractToken(ctx);
@@ -37,89 +33,33 @@ const authenticate = async (ctx) => {
     accessKey: apiTokenService.hash(token),
   });
 
-  // token not found
   if (!apiToken) {
     return { authenticated: false };
   }
 
-  const currentDate = new Date();
-
-  if (!isNil(apiToken.expiresAt)) {
-    const expirationDate = new Date(apiToken.expiresAt);
-    // token has expired
-    if (expirationDate < currentDate) {
-      return { authenticated: false, error: new UnauthorizedError('Token expired') };
-    }
-  }
-
-  // update lastUsedAt
-  await apiTokenService.update(apiToken.id, {
-    lastUsedAt: currentDate,
-  });
-
-  if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
-    const ability = await strapi.contentAPI.permissions.engine.generateAbility(
-      apiToken.permissions.map((action) => ({ action }))
-    );
-
-    return { authenticated: true, ability, credentials: apiToken };
-  }
-
   return { authenticated: true, credentials: apiToken };
 };
 
-/**
- * Verify the token has the required abilities for the requested scope
- *
- *  @type {import('.').VerifyFunction} */
+/** @type {import('.').VerifyFunction} */
 const verify = (auth, config) => {
-  const { credentials: apiToken, ability } = auth;
+  const { credentials: apiToken } = auth;
 
   if (!apiToken) {
-    throw new UnauthorizedError('Token not found');
-  }
-
-  const currentDate = new Date();
-
-  if (!isNil(apiToken.expiresAt)) {
-    const expirationDate = new Date(apiToken.expiresAt);
-    // token has expired
-    if (expirationDate < currentDate) {
-      throw new UnauthorizedError('Token expired');
-    }
+    throw new UnauthorizedError();
   }
 
-  // Full access
   if (apiToken.type === constants.API_TOKEN_TYPE.FULL_ACCESS) {
     return;
   }
 
-  // Read only
-  if (apiToken.type === constants.API_TOKEN_TYPE.READ_ONLY) {
-    /**
-     * If you don't have `full-access` you can only access `find` and `findOne`
-     * scopes. If the route has no scope, then you can't get access to it.
-     */
-    const scopes = castArray(config.scope);
-
-    if (config.scope && scopes.every(isReadScope)) {
-      return;
-    }
-  }
+  /**
+   * If you don't have `full-access` you can only access `find` and `findOne`
+   * scopes. If the route has no scope, then you can't get access to it.
+   */
 
-  // Custom
-  else if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
-    if (!ability) {
-      throw new ForbiddenError();
-    }
-
-    const scopes = castArray(config.scope);
-
-    const isAllowed = scopes.every((scope) => ability.can(scope));
-
-    if (isAllowed) {
-      return;
-    }
+  const scopes = Array.isArray(config.scope) ? config.scope : [config.scope];
+  if (config.scope && scopes.every(isReadScope)) {
+    return;
   }
 
   throw new ForbiddenError();

package/server/validation/api-tokens.js

@@ -9,16 +9,8 @@ const apiTokenCreationSchema = yup
     name: yup.string().min(1).required(),
     description: yup.string().optional(),
     type: yup.string().oneOf(Object.values(constants.API_TOKEN_TYPE)).required(),
-    permissions: yup.array().of(yup.string()).nullable(),
-    lifespan: yup
-      .number()
-      .integer()
-      .min(1)
-      .oneOf(Object.values(constants.API_TOKEN_LIFESPANS))
-      .nullable(),
   })
-  .noUnknown()
-  .strict();
+  .noUnknown();
 
 const apiTokenUpdateSchema = yup
   .object()
@@ -26,10 +18,8 @@ const apiTokenUpdateSchema = yup
     name: yup.string().min(1).notNull(),
     description: yup.string().nullable(),
     type: yup.string().oneOf(Object.values(constants.API_TOKEN_TYPE)).notNull(),
-    permissions: yup.array().of(yup.string()).nullable(),
   })
-  .noUnknown()
-  .strict();
+  .noUnknown();
 
 module.exports = {
   validateApiTokenCreationInput: validateYupSchema(apiTokenCreationSchema),

package/admin/src/content-manager/components/SelectMany/ListItem.js

@@ -1,102 +0,0 @@
-import React, { memo } from 'react';
-import PropTypes from 'prop-types';
-import styled from 'styled-components';
-import { pxToRem, RemoveRoundedButton, Link } from '@strapi/helper-plugin';
-import { useIntl } from 'react-intl';
-import { useLocation } from 'react-router-dom';
-import has from 'lodash/has';
-import isEmpty from 'lodash/isEmpty';
-import { Box } from '@strapi/design-system/Box';
-import { Flex } from '@strapi/design-system/Flex';
-import { Typography } from '@strapi/design-system/Typography';
-import { getTrad } from '../../utils';
-
-const StyledBullet = styled.div`
-  width: ${pxToRem(6)};
-  height: ${pxToRem(6)};
-  background: ${({ theme, isDraft }) => theme.colors[isDraft ? 'secondary600' : 'success600']};
-  border-radius: 50%;
-  cursor: pointer;
-`;
-
-function ListItem({
-  data,
-  displayNavigationLink,
-  isDisabled,
-  mainField,
-  onRemove,
-  searchToPersist,
-  targetModel,
-}) {
-  const { formatMessage } = useIntl();
-  const to = `/content-manager/collectionType/${targetModel}/${data.id}`;
-  let cursor = 'pointer';
-
-  if (isDisabled) {
-    cursor = 'not-allowed';
-  }
-
-  if (!displayNavigationLink) {
-    cursor = 'default';
-  }
-
-  const hasDraftAndPublish = has(data, 'publishedAt');
-  const isDraft = isEmpty(data.publishedAt);
-  const value = data[mainField.name];
-  const draftMessage = {
-    id: getTrad('components.Select.draft-info-title'),
-    defaultMessage: 'State: Draft',
-  };
-  const publishedMessage = {
-    id: getTrad('components.Select.publish-info-title'),
-    defaultMessage: 'State: Published',
-  };
-  const title = isDraft ? formatMessage(draftMessage) : formatMessage(publishedMessage);
-  const { pathname } = useLocation();
-
-  return (
-    <Flex as="li" alignItems="center">
-      <Flex style={{ flex: 1 }} alignItems="center">
-        {hasDraftAndPublish && (
-          <Box paddingRight={2}>
-            <StyledBullet isDraft={isDraft} title={title} />
-          </Box>
-        )}
-        {displayNavigationLink ? (
-          <Link
-            to={{ pathname: to, state: { from: pathname }, search: searchToPersist }}
-            style={{ textTransform: 'none' }}
-          >
-            {value || data.id}
-          </Link>
-        ) : (
-          <Typography variant="pi">{value || data.id}</Typography>
-        )}
-      </Flex>
-      <RemoveRoundedButton onClick={onRemove} label="Remove" style={{ cursor }} />
-    </Flex>
-  );
-}
-
-ListItem.defaultProps = {
-  onRemove() {},
-  searchToPersist: null,
-  targetModel: '',
-};
-
-ListItem.propTypes = {
-  data: PropTypes.object.isRequired,
-  displayNavigationLink: PropTypes.bool.isRequired,
-  isDisabled: PropTypes.bool.isRequired,
-  mainField: PropTypes.shape({
-    name: PropTypes.string.isRequired,
-    schema: PropTypes.shape({
-      type: PropTypes.string.isRequired,
-    }).isRequired,
-  }).isRequired,
-  onRemove: PropTypes.func,
-  searchToPersist: PropTypes.string,
-  targetModel: PropTypes.string,
-};
-
-export default memo(ListItem);