@strapi/admin 4.5.0-alpha.0 → 4.5.0

package/server/services/permission/engine.js

@@ -1,107 +1,36 @@
 'use strict';
 
-const {
-  curry,
-  map,
-  filter,
-  propEq,
-  isFunction,
-  isBoolean,
-  isArray,
-  isNil,
-  isEmpty,
-  isObject,
-  prop,
-  merge,
-  pick,
-  difference,
-  cloneDeep,
-} = require('lodash/fp');
-const { AbilityBuilder, Ability } = require('@casl/ability');
-const sift = require('sift');
+const { curry, isArray, isEmpty, difference } = require('lodash/fp');
+const permissions = require('@strapi/permissions');
+
 const permissionDomain = require('../../domain/permission/index');
 const { getService } = require('../../utils');
-const {
-  createEngineHooks,
-  createWillEvaluateContext,
-  createWillRegisterContext,
-} = require('./engine-hooks');
-
-const allowedOperations = [
-  '$or',
-  '$and',
-  '$eq',
-  '$ne',
-  '$in',
-  '$nin',
-  '$lt',
-  '$lte',
-  '$gt',
-  '$gte',
-  '$exists',
-  '$elemMatch',
-];
-const operations = pick(allowedOperations, sift);
-
-const conditionsMatcher = (conditions) => {
-  return sift.createQueryTester(conditions, { operations });
-};
-
-module.exports = (conditionProvider) => {
-  const state = {
-    hooks: createEngineHooks(),
-  };
-
-  return {
-    hooks: state.hooks,
-
-    /**
-     * Generate an ability based on the given user (using associated roles & permissions)
-     * @param user
-     * @param options
-     * @returns {Promise<Ability>}
-     */
-    async generateUserAbility(user, options) {
-      const permissions = await getService('permission').findUserPermissions(user);
-      const abilityCreator = this.generateAbilityCreatorFor(user);
 
-      return abilityCreator(permissions, options);
-    },
+module.exports = (params) => {
+  const { providers } = params;
 
+  const engine = permissions.engine
+    .new({ providers })
     /**
-     * Create an ability factory for a specific user
-     * @param user
-     * @returns {function(*, *): Promise<Ability>}
+     * Validate the permission's action exists in the action registry
      */
-    generateAbilityCreatorFor(user) {
-      return async (permissions, options) => {
-        const { can, build } = new AbilityBuilder(Ability);
-
-        for (const permission of permissions) {
-          const registerFn = this.createRegisterFunction(can, permission, user);
-
-          await this.evaluate({ permission, user, options, registerFn });
-        }
-
-        return build({ conditionsMatcher });
-      };
-    },
-
-    /**
-     * Validate, invalidate and transform the permission attributes
-     * @param {Permission} permission
-     * @returns {null|Permission}
-     */
-    formatPermission(permission) {
-      const { actionProvider } = getService('permission');
-
-      const action = actionProvider.get(permission.action);
+    .on('before-format::validate.permission', ({ permission }) => {
+      const action = providers.action.get(permission.action);
 
       // If the action isn't registered into the action provider, then ignore the permission
       if (!action) {
-        return null;
+        strapi.log.debug(
+          `Unknown action "${permission.action}" supplied when registering a new permission in engine`
+        );
+        return false;
       }
+    })
 
+    /**
+     * Remove invalid properties from the permission based on the action (applyToProperties)
+     */
+    .on('format.permission', (permission) => {
+      const action = providers.action.get(permission.action);
       const properties = permission.properties || {};
 
       // Only keep the properties allowed by the action (action.applyToProperties)
@@ -116,153 +45,34 @@ module.exports = (conditionProvider) => {
         permission
       );
 
-      // If the `fields` property is an empty array, then ignore the permission
-      const { fields } = properties;
-
-      if (isArray(fields) && isEmpty(fields)) {
-        return null;
-      }
-
       return permissionWithSanitizedProperties;
-    },
-
-    /**
-     * Update the permission components through various processing
-     * @param {Permission} permission
-     * @returns {Promise<void>}
-     */
-    async applyPermissionProcessors(permission) {
-      const context = createWillEvaluateContext(permission);
-
-      // 1. Trigger willEvaluatePermission hook and await transformation operated on the permission
-      await state.hooks.willEvaluatePermission.call(context);
-    },
+    })
 
     /**
-     * Register new rules using `registerFn` based on valid permission's conditions
-     * @param options {object}
-     * @param options.permission {object}
-     * @param options.user {object}
-     * @param options.options {object | undefined}
-     * @param options.registerFn {Function}
-     * @returns {Promise<void>}
+     * Ignore the permission if the fields property is an empty array (access to no field)
      */
-    async evaluate(options) {
-      const { user, registerFn, options: conditionOptions } = options;
-
-      // Assert options.permission validity and format it
-      const permission = this.formatPermission(options.permission);
-
-      // If options.permission is invalid, then ignore the permission
-      if (permission === null) {
-        return;
-      }
-
-      await this.applyPermissionProcessors(permission);
-
-      // Extract the up-to-date components from the permission
-      const { action, subject, properties = {}, conditions } = permission;
-
-      // Register the permission if there is no condition
-      if (isEmpty(conditions)) {
-        return registerFn({ action, subject, fields: properties.fields });
-      }
-
-      /** Set of functions used to resolve + evaluate conditions & register the permission if allowed */
-
-      // 1. Replace each condition name by its associated value
-      const resolveConditions = map(conditionProvider.get);
-
-      // 2. Filter conditions, only keep those whose handler is a function
-      const filterValidConditions = filter((condition) => isFunction(condition.handler));
-
-      // 3. Evaluate the conditions handler and returns an object
-      // containing both the original condition and its result
-      const evaluateConditions = (conditions) => {
-        return Promise.all(
-          conditions.map(async (condition) => ({
-            condition,
-            result: await condition.handler(
-              user,
-              merge(conditionOptions, { permission: cloneDeep(permission) })
-            ),
-          }))
-        );
-      };
-
-      // 4. Only keeps booleans or objects as condition's result
-      const filterValidResults = filter(({ result }) => isBoolean(result) || isObject(result));
-
-      /**/
-
-      const evaluatedConditions = await Promise.resolve(conditions)
-        .then(resolveConditions)
-        .then(filterValidConditions)
-        .then(evaluateConditions)
-        .then(filterValidResults);
+    .on('after-format::validate.permission', ({ permission }) => {
+      const { fields } = permission.properties;
 
-      // Utils
-      const resultPropEq = propEq('result');
-      const pickResults = map(prop('result'));
-
-      if (evaluatedConditions.every(resultPropEq(false))) {
-        return;
-      }
-
-      // If there is no condition or if one of them return true, register the permission as is
-      if (isEmpty(evaluatedConditions) || evaluatedConditions.some(resultPropEq(true))) {
-        return registerFn({ action, subject, fields: properties.fields });
-      }
-
-      const results = pickResults(evaluatedConditions).filter(isObject);
-
-      if (isEmpty(results)) {
-        return registerFn({ action, subject, fields: properties.fields });
+      if (isArray(fields) && isEmpty(fields)) {
+        return false;
       }
+    });
 
-      // Register the permission
-      return registerFn({
-        action,
-        subject,
-        fields: properties.fields,
-        condition: { $and: [{ $or: results }] },
-      });
+  return {
+    get hooks() {
+      return engine.hooks;
     },
 
     /**
-     * Encapsulate a register function with custom params to fit `evaluatePermission`'s syntax
-     * @param can
-     * @param {Permission} permission
-     * @param {object} user
-     * @returns {function}
+     * Generate an ability based on the given user (using associated roles & permissions)
+     * @param user
+     * @returns {Promise<Ability>}
      */
-    createRegisterFunction(can, permission, user) {
-      const registerToCasl = (caslPermission) => {
-        const { action, subject, fields, condition } = caslPermission;
-
-        can(
-          action,
-          isNil(subject) ? 'all' : subject,
-          fields,
-          isObject(condition) ? condition : undefined
-        );
-      };
-
-      const runWillRegisterHook = async (caslPermission) => {
-        const hookContext = createWillRegisterContext(caslPermission, {
-          permission,
-          user,
-        });
-
-        await state.hooks.willRegisterPermission.call(hookContext);
-
-        return caslPermission;
-      };
+    async generateUserAbility(user) {
+      const permissions = await getService('permission').findUserPermissions(user);
 
-      return async (caslPermission) => {
-        await runWillRegisterHook(caslPermission);
-        registerToCasl(caslPermission);
-      };
+      return engine.generateAbility(permissions, user);
     },
 
     /**

package/server/services/permission.js

@@ -10,11 +10,14 @@ const permissionQueries = require('./permission/queries');
 
 const actionProvider = createActionProvider();
 const conditionProvider = createConditionProvider();
-const engine = createPermissionEngine(conditionProvider);
 const sectionsBuilder = createSectionsBuilder();
 
 const sanitizePermission = domain.sanitizePermissionFields;
 
+const engine = createPermissionEngine({
+  providers: { action: actionProvider, condition: conditionProvider },
+});
+
 module.exports = {
   // Queries / Actions
   ...permissionQueries,

package/server/strategies/admin.js

@@ -33,10 +33,16 @@ const authenticate = async (ctx) => {
 
   const userAbility = await getService('permission').engine.generateUserAbility(user);
 
+  // TODO: use the ability from ctx.state.auth instead of
+  // ctx.state.userAbility, and remove the assign below
   ctx.state.userAbility = userAbility;
   ctx.state.user = user;
 
-  return { authenticated: true, credentials: user };
+  return {
+    authenticated: true,
+    credentials: user,
+    ability: userAbility,
+  };
 };
 
 /** @type {import('.').AuthStrategy} */

package/server/strategies/api-token.js

@@ -1,5 +1,6 @@
 'use strict';
 
+const { castArray, isNil } = require('lodash/fp');
 const { UnauthorizedError, ForbiddenError } = require('@strapi/utils').errors;
 const constants = require('../services/constants');
 const { getService } = require('../utils');
@@ -20,7 +21,10 @@ const extractToken = (ctx) => {
   return null;
 };
 
-/** @type {import('.').AuthenticateFunction} */
+/**
+ * Authenticate the validity of the token
+ *
+ *  @type {import('.').AuthenticateFunction} */
 const authenticate = async (ctx) => {
   const apiTokenService = getService('api-token');
   const token = extractToken(ctx);
@@ -33,33 +37,90 @@ const authenticate = async (ctx) => {
     accessKey: apiTokenService.hash(token),
   });
 
+  // token not found
   if (!apiToken) {
     return { authenticated: false };
   }
 
+  const currentDate = new Date();
+
+  if (!isNil(apiToken.expiresAt)) {
+    const expirationDate = new Date(apiToken.expiresAt);
+    // token has expired
+    if (expirationDate < currentDate) {
+      return { authenticated: false, error: new UnauthorizedError('Token expired') };
+    }
+  }
+
+  // update lastUsedAt
+  await strapi.query('admin::api-token').update({
+    where: { id: apiToken.id },
+    data: { lastUsedAt: currentDate },
+  });
+
+  if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
+    const ability = await strapi.contentAPI.permissions.engine.generateAbility(
+      apiToken.permissions.map((action) => ({ action }))
+    );
+
+    return { authenticated: true, ability, credentials: apiToken };
+  }
+
   return { authenticated: true, credentials: apiToken };
 };
 
-/** @type {import('.').VerifyFunction} */
+/**
+ * Verify the token has the required abilities for the requested scope
+ *
+ *  @type {import('.').VerifyFunction} */
 const verify = (auth, config) => {
-  const { credentials: apiToken } = auth;
+  const { credentials: apiToken, ability } = auth;
 
   if (!apiToken) {
-    throw new UnauthorizedError();
+    throw new UnauthorizedError('Token not found');
+  }
+
+  const currentDate = new Date();
+
+  if (!isNil(apiToken.expiresAt)) {
+    const expirationDate = new Date(apiToken.expiresAt);
+    // token has expired
+    if (expirationDate < currentDate) {
+      throw new UnauthorizedError('Token expired');
+    }
   }
 
+  // Full access
   if (apiToken.type === constants.API_TOKEN_TYPE.FULL_ACCESS) {
     return;
   }
 
-  /**
-   * If you don't have `full-access` you can only access `find` and `findOne`
-   * scopes. If the route has no scope, then you can't get access to it.
-   */
+  // Read only
+  if (apiToken.type === constants.API_TOKEN_TYPE.READ_ONLY) {
+    /**
+     * If you don't have `full-access` you can only access `find` and `findOne`
+     * scopes. If the route has no scope, then you can't get access to it.
+     */
+    const scopes = castArray(config.scope);
 
-  const scopes = Array.isArray(config.scope) ? config.scope : [config.scope];
-  if (config.scope && scopes.every(isReadScope)) {
-    return;
+    if (config.scope && scopes.every(isReadScope)) {
+      return;
+    }
+  }
+
+  // Custom
+  else if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
+    if (!ability) {
+      throw new ForbiddenError();
+    }
+
+    const scopes = castArray(config.scope);
+
+    const isAllowed = scopes.every((scope) => ability.can(scope));
+
+    if (isAllowed) {
+      return;
+    }
   }
 
   throw new ForbiddenError();

package/server/validation/api-tokens.js

@@ -9,8 +9,16 @@ const apiTokenCreationSchema = yup
     name: yup.string().min(1).required(),
     description: yup.string().optional(),
     type: yup.string().oneOf(Object.values(constants.API_TOKEN_TYPE)).required(),
+    permissions: yup.array().of(yup.string()).nullable(),
+    lifespan: yup
+      .number()
+      .integer()
+      .min(1)
+      .oneOf(Object.values(constants.API_TOKEN_LIFESPANS))
+      .nullable(),
   })
-  .noUnknown();
+  .noUnknown()
+  .strict();
 
 const apiTokenUpdateSchema = yup
   .object()
@@ -18,8 +26,10 @@ const apiTokenUpdateSchema = yup
     name: yup.string().min(1).notNull(),
     description: yup.string().nullable(),
     type: yup.string().oneOf(Object.values(constants.API_TOKEN_TYPE)).notNull(),
+    permissions: yup.array().of(yup.string()).nullable(),
   })
-  .noUnknown();
+  .noUnknown()
+  .strict();
 
 module.exports = {
   validateApiTokenCreationInput: validateYupSchema(apiTokenCreationSchema),

package/utils/create-plugins-exclude-path.js

@@ -0,0 +1,40 @@
+'use strict';
+
+const { sep, join } = require('path');
+
+const NODE_MODULES = 'node_modules';
+/**
+ * @param {string[]} pluginsPath – an array of paths to the plugins from the user's directory
+ * @returns {RegExp} a regex that will exclude _all_ node_modules except for the plugins in the pluginsPath array.
+ */
+const createPluginsExcludePath = (pluginsPath = []) => {
+  /**
+   * converts the full path to just the plugin path
+   * e.g. `/Users/username/strapi/node_modules/@scope/plugin-name`
+   * to `@scope/plugin-name`
+   */
+  const tsxPlugins = pluginsPath.reduce((acc, curr) => {
+    const dirPaths = curr.split(sep);
+
+    const nodeModulePathIndex = dirPaths.findIndex((val) => val === NODE_MODULES);
+
+    if (nodeModulePathIndex > 0) {
+      const pluginNodeModulePath = dirPaths.slice(nodeModulePathIndex + 1);
+      return [...acc, join(...pluginNodeModulePath)];
+    }
+
+    return acc;
+  }, []);
+
+  /**
+   * If there aren't any plugins in the node_modules array, just return the node_modules regex
+   * without complicating it.
+   */
+  if (tsxPlugins.length === 0) {
+    return /node_modules/;
+  }
+
+  return new RegExp(`${NODE_MODULES}/(?!(${tsxPlugins.join('|')}))`);
+};
+
+module.exports = createPluginsExcludePath;

package/utils/get-custom-app-config-file.js

@@ -11,6 +11,11 @@ const { isUsingTypeScript } = require('@strapi/typescript-utils');
  */
 const getCustomAppConfigFile = async (dir) => {
   const adminSrcPath = join(dir, 'src', 'admin');
+
+  if (!fse.pathExistsSync(adminSrcPath)) {
+    return undefined;
+  }
+
   const useTypeScript = await isUsingTypeScript(adminSrcPath, 'tsconfig.json');
 
   const files = await fse.readdir(adminSrcPath);

package/webpack.alias.js

@@ -37,21 +37,8 @@ const aliasExactMatch = [
   'yup',
 ];
 
-const alias = [
-  'react-select/animated',
-  'react-select/async',
-  'react-select/async-creatable',
-  'react-select/base',
-  'react-select/creatable',
-];
-
 // See https://webpack.js.org/configuration/resolve/
 module.exports = {
-  ...alias.reduce((acc, name) => {
-    acc[name] = require.resolve(name);
-    return acc;
-  }, {}),
-
   ...aliasExactMatch.reduce((acc, name) => {
     acc[`${name}$`] = require.resolve(name);
     return acc;

package/webpack.config.js

@@ -13,6 +13,7 @@ const ReactRefreshWebpackPlugin = require('@pmmmwh/react-refresh-webpack-plugin'
 
 const alias = require('./webpack.alias');
 const getClientEnvironment = require('./env');
+const createPluginsExcludePath = require('./utils/create-plugins-exclude-path');
 
 const EE_REGEX = /from.* ['"]ee_else_ce\//;
 
@@ -49,6 +50,8 @@ module.exports = ({
       ]
     : [];
 
+  const excludeRegex = createPluginsExcludePath(pluginsPath);
+
   return {
     mode: isProduction ? 'production' : 'development',
     bail: !!isProduction,
@@ -82,7 +85,7 @@ module.exports = ({
           test: /\.tsx?$/,
           loader: require.resolve('esbuild-loader'),
           include: [cacheDir, ...pluginsPath],
-          exclude: /node_modules/,
+          exclude: excludeRegex,
           options: {
             loader: 'tsx',
             target: 'es2015',

package/admin/src/assets/images/icon_made-by-strapi.svg

@@ -1,5 +0,0 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<rect x="3" y="3" width="18" height="18" rx="4" fill="#4945FF"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M15.8075 7.625H9.03058V11.1792H12.2533C12.4977 11.1792 12.6958 11.3773 12.6958 11.6216V14.8444H16.25V8.06746C16.25 7.82309 16.0519 7.625 15.8075 7.625Z" fill="white"/>
-<path opacity="0.4" fill-rule="evenodd" clip-rule="evenodd" d="M9.0308 7.625V11.1792H6.01073C5.81364 11.1792 5.71494 10.9409 5.8543 10.8015L9.0308 7.625ZM13.0735 18.0209C12.9342 18.1603 12.6959 18.0616 12.6959 17.8645V14.8444H16.25L13.0735 18.0209ZM12.4746 11.1792H9.03058V14.4019C9.03058 14.6463 9.22868 14.8444 9.47304 14.8444H12.6958V11.4004C12.6958 11.2782 12.5968 11.1792 12.4746 11.1792Z" fill="#DAD9FF"/>
-</svg>

package/admin/src/content-manager/components/State/index.js

@@ -1,37 +0,0 @@
-import React from 'react';
-import PropTypes from 'prop-types';
-import { useIntl } from 'react-intl';
-import { Typography } from '@strapi/design-system/Typography';
-import { Box } from '@strapi/design-system/Box';
-import { getTrad } from '../../utils';
-
-const State = ({ isPublished }) => {
-  const { formatMessage } = useIntl();
-  const content = formatMessage({
-    id: getTrad(`containers.List.${isPublished ? 'published' : 'draft'}`),
-  });
-  const background = isPublished ? 'success100' : 'secondary100';
-  const textColor = isPublished ? 'success700' : 'secondary700';
-
-  return (
-    <Box
-      background={background}
-      hasRadius
-      paddingTop={1}
-      paddingBottom={1}
-      paddingLeft={2}
-      paddingRight={2}
-      style={{ width: 'fit-content' }}
-    >
-      <Typography fontWeight="bold" textColor={textColor}>
-        {content}
-      </Typography>
-    </Box>
-  );
-};
-
-State.propTypes = {
-  isPublished: PropTypes.bool.isRequired,
-};
-
-export default State;