npm - @strapi/admin - Versions diffs - 4.6.0-beta.1 → 4.6.0-beta.2 - Mend

@strapi/admin 4.6.0-beta.1 → 4.6.0-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (461) hide show

package/ee/server/config/admin-actions.js ADDED Viewed

@@ -0,0 +1,32 @@
+'use strict';
+module.exports = {
+  sso: [
+    {
+      uid: 'provider-login.read',
+      displayName: 'Read',
+      pluginName: 'admin',
+      section: 'settings',
+      category: 'single sign on',
+      subCategory: 'options',
+    },
+    {
+      uid: 'provider-login.update',
+      displayName: 'Update',
+      pluginName: 'admin',
+      section: 'settings',
+      category: 'single sign on',
+      subCategory: 'options',
+    },
+  ],
+  auditLogs: [
+    {
+      uid: 'audit-logs.read',
+      displayName: 'Read',
+      pluginName: 'admin',
+      section: 'settings',
+      category: 'audit logs',
+      subCategory: 'options',
+    },
+  ],
+};

package/ee/server/controllers/audit-logs.js ADDED Viewed

@@ -0,0 +1,24 @@
+'use strict';
+const { validateFindMany } = require('../validation/audit-logs');
+module.exports = {
+  async findMany(ctx) {
+    const { query } = ctx.request;
+    await validateFindMany(query);
+    const auditLogs = strapi.container.get('audit-logs');
+    const body = await auditLogs.findMany(query);
+    ctx.body = body;
+  },
+  async findOne(ctx) {
+    const { id } = ctx.params;
+    const auditLogs = strapi.container.get('audit-logs');
+    const body = await auditLogs.findOne(id);
+    ctx.body = body;
+  },
+};

package/ee/server/controllers/authentication/middlewares.js CHANGED Viewed

@@ -103,7 +103,8 @@ const redirectWithAuth = (ctx) => {
   const cookiesOptions = { httpOnly: false, secure: isProduction, overwrite: true };
-  strapi.eventHub.emit('admin.auth.success', { user, provider });
+  const sanitizedUser = getService('user').sanitizeUser(user);
+  strapi.eventHub.emit('admin.auth.success', { user: sanitizedUser, provider });
   ctx.cookies.set('jwtToken', jwt, cookiesOptions);
   ctx.redirect(redirectUrls.success);

package/ee/server/controllers/index.js CHANGED Viewed

@@ -5,4 +5,5 @@ module.exports = {
   permission: require('./permission'),
   role: require('./role'),
   user: require('./user'),
+  auditLogs: require('./audit-logs'),
 };

package/ee/server/destroy.js ADDED Viewed

@@ -0,0 +1,12 @@
+'use strict';
+const { features } = require('@strapi/strapi/lib/utils/ee');
+const executeCEDestroy = require('../../server/destroy');
+module.exports = async ({ strapi }) => {
+  if (features.isEnabled('audit-logs')) {
+    strapi.container.get('audit-logs').destroy();
+  }
+  await executeCEDestroy();
+};

package/ee/server/index.js CHANGED Viewed

@@ -1,7 +1,9 @@
 'use strict';
 module.exports = {
+  register: require('./register'),
   bootstrap: require('./bootstrap'),
+  destroy: require('./destroy'),
   routes: require('./routes'),
   services: require('./services'),
   controllers: require('./controllers'),

package/ee/server/register.js ADDED Viewed

@@ -0,0 +1,15 @@
+'use strict';
+const { features } = require('@strapi/strapi/lib/utils/ee');
+const executeCERegister = require('../../server/register');
+const createAuditLogsService = require('./services/audit-logs');
+module.exports = async ({ strapi }) => {
+  if (features.isEnabled('audit-logs')) {
+    const auditLogsService = createAuditLogsService(strapi);
+    strapi.container.register('audit-logs', auditLogsService);
+    await auditLogsService.register();
+  }
+  await executeCERegister({ strapi });
+};

package/ee/server/routes/features-routes.js CHANGED Viewed

@@ -43,4 +43,24 @@ module.exports = {
       },
     },
   ],
+  'audit-logs': [
+    {
+      method: 'GET',
+      path: '/audit-logs',
+      handler: 'auditLogs.findMany',
+      config: {
+        // @TODO: Check to right permissions
+        policies: ['admin::isAuthenticatedAdmin'],
+      },
+    },
+    {
+      method: 'GET',
+      path: '/audit-logs/:id',
+      handler: 'auditLogs.findOne',
+      config: {
+        // @TODO: Check to right permissions
+        policies: ['admin::isAuthenticatedAdmin'],
+      },
+    },
+  ],
 };

package/ee/server/services/audit-logs.js ADDED Viewed

@@ -0,0 +1,135 @@
+'use strict';
+const localProvider = require('@strapi/provider-audit-logs-local');
+const { scheduleJob } = require('node-schedule');
+const defaultEvents = [
+  'entry.create',
+  'entry.update',
+  'entry.delete',
+  'entry.publish',
+  'entry.unpublish',
+  'media.create',
+  'media.update',
+  'media.delete',
+  'user.create',
+  'user.update',
+  'user.delete',
+  'admin.auth.success',
+  'admin.logout',
+  'content-type.create',
+  'content-type.update',
+  'content-type.delete',
+  'component.create',
+  'component.update',
+  'component.delete',
+  'role.create',
+  'role.update',
+  'role.delete',
+  'permission.create',
+  'permission.update',
+  'permission.delete',
+];
+const getSanitizedUser = (user) => ({
+  id: user.id,
+  email: user.email,
+  fullname: `${user.firstname} ${user.lastname}`,
+});
+const getEventMap = (defaultEvents) => {
+  const getDefaultPayload = (...args) => args[0];
+  // Use the default payload for all default events
+  return defaultEvents.reduce((acc, event) => {
+    acc[event] = getDefaultPayload;
+    return acc;
+  }, {});
+};
+const createAuditLogsService = (strapi) => {
+  // NOTE: providers should be able to replace getEventMap to add or remove events
+  const eventMap = getEventMap(defaultEvents);
+  const processEvent = (name, ...args) => {
+    const getPayload = eventMap[name];
+    // Ignore the event if it's not in the map
+    if (!getPayload) {
+      return null;
+    }
+    return {
+      action: name,
+      date: new Date().toISOString(),
+      payload: getPayload(...args) || {},
+      userId: strapi.requestContext.get()?.state?.user?.id,
+    };
+  };
+  async function handleEvent(name, ...args) {
+    const processedEvent = processEvent(name, ...args);
+    if (processedEvent) {
+      await this._provider.saveEvent(processedEvent);
+    }
+  }
+  return {
+    async register() {
+      this._provider = await localProvider.register({ strapi });
+      this._eventHubUnsubscribe = strapi.eventHub.subscribe(handleEvent.bind(this));
+      this._deleteExpiredJob = scheduleJob('0 0 * * *', this._provider.deleteExpiredEvents);
+      return this;
+    },
+    async findMany(query) {
+      const { results, pagination } = await this._provider.findMany(query);
+      const sanitizedResults = results.map((result) => {
+        const { user, ...rest } = result;
+        return {
+          ...rest,
+          user: user ? getSanitizedUser(user) : null,
+        };
+      });
+      return {
+        results: sanitizedResults,
+        pagination,
+      };
+    },
+    async findOne(id) {
+      const result = await this._provider.findOne(id);
+      if (!result) {
+        return null;
+      }
+      const { user, ...rest } = result;
+      return {
+        ...rest,
+        user: user ? getSanitizedUser(user) : null,
+      };
+    },
+    unsubscribe() {
+      if (this._eventHubUnsubscribe) {
+        this._eventHubUnsubscribe();
+      }
+      if (this._deleteExpiredJob) {
+        this._deleteExpiredJob.cancel();
+      }
+      return this;
+    },
+    destroy() {
+      return this.unsubscribe();
+    },
+  };
+};
+module.exports = createAuditLogsService;

package/ee/server/validation/audit-logs.js ADDED Viewed

@@ -0,0 +1,18 @@
+'use strict';
+const { yup, validateYupSchema } = require('@strapi/utils');
+const ALLOWED_SORT_STRINGS = ['action:ASC', 'action:DESC', 'date:ASC', 'date:DESC'];
+const validateFindManySchema = yup
+  .object()
+  .shape({
+    page: yup.number().integer().min(1),
+    pageSize: yup.number().integer().min(1).max(100),
+    sort: yup.mixed().oneOf(ALLOWED_SORT_STRINGS),
+  })
+  .required();
+module.exports = {
+  validateFindMany: validateYupSchema(validateFindManySchema, { strict: false }),
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/admin",
-  "version": "4.6.0-beta.1",
+  "version": "4.6.0-beta.2",
   "description": "Strapi Admin",
   "repository": {
     "type": "git",
@@ -44,25 +44,33 @@
     "@babel/preset-react": "7.18.6",
     "@babel/runtime": "7.18.9",
     "@casl/ability": "^5.4.3",
-    "@fingerprintjs/fingerprintjs": "3.3.3",
-    "@pmmmwh/react-refresh-webpack-plugin": "0.5.7",
-    "@strapi/babel-plugin-switch-ee-ce": "4.6.0-beta.1",
-    "@strapi/design-system": "1.4.1",
-    "@strapi/helper-plugin": "4.6.0-beta.1",
-    "@strapi/icons": "1.4.1",
-    "@strapi/permissions": "4.6.0-beta.1",
-    "@strapi/typescript-utils": "4.6.0-beta.1",
-    "@strapi/utils": "4.6.0-beta.1",
-    "axios": "0.27.2",
+    "@fingerprintjs/fingerprintjs": "3.3.6",
+    "@fortawesome/fontawesome-free": "^5.15.3",
+    "@fortawesome/fontawesome-svg-core": "6.2.0",
+    "@fortawesome/free-brands-svg-icons": "^5.15.3",
+    "@fortawesome/free-solid-svg-icons": "^5.15.3",
+    "@fortawesome/react-fontawesome": "^0.2.0",
+    "@pmmmwh/react-refresh-webpack-plugin": "0.5.10",
+    "@strapi/babel-plugin-switch-ee-ce": "4.6.0-beta.2",
+    "@strapi/data-transfer": "4.6.0-beta.2",
+    "@strapi/design-system": "0.0.0-jsoninput.0",
+    "@strapi/helper-plugin": "4.6.0-beta.2",
+    "@strapi/icons": "1.4.2",
+    "@strapi/permissions": "4.6.0-beta.2",
+    "@strapi/provider-audit-logs-local": "4.6.0-beta.2",
+    "@strapi/typescript-utils": "4.6.0-beta.2",
+    "@strapi/utils": "4.6.0-beta.2",
+    "axios": "1.2.2",
     "babel-loader": "8.2.5",
     "babel-plugin-styled-components": "2.0.2",
     "bcryptjs": "2.4.3",
+    "browserslist-to-esbuild": "1.2.0",
     "chalk": "^4.1.1",
     "chokidar": "^3.5.1",
-    "codemirror": "^5.65.8",
+    "codemirror": "^5.65.11",
     "cross-env": "^7.0.3",
     "css-loader": "6.7.2",
-    "date-fns": "2.29.2",
+    "date-fns": "2.29.3",
     "dotenv": "8.5.1",
     "esbuild-loader": "^2.20.0",
     "execa": "^1.0.0",
@@ -79,10 +87,11 @@
     "immer": "9.0.15",
     "invariant": "^2.2.4",
     "js-cookie": "2.2.1",
-    "jsonwebtoken": "8.5.1",
+    "jsonwebtoken": "9.0.0",
     "koa-compose": "4.1.0",
     "koa-passport": "5.0.0",
     "koa-static": "5.0.0",
+    "koa2-ratelimit": "^1.1.2",
     "lodash": "4.17.21",
     "markdown-it": "^12.3.2",
     "markdown-it-abbr": "^1.0.4",
@@ -98,6 +107,7 @@
     "mini-css-extract-plugin": "2.4.4",
     "msw": "0.49.1",
     "node-polyfill-webpack-plugin": "2.0.1",
+    "node-schedule": "2.1.0",
     "p-map": "4.0.0",
     "passport-local": "1.0.0",
     "prop-types": "^15.7.2",
@@ -160,5 +170,5 @@
       }
     }
   },
-  "gitHead": "2c0bcabdf0bf2a269fed50c6f23ba777845968a0"
+  "gitHead": "b852090f931cd21868c4016f24db2f9fdfc7a7ab"
 }

package/server/controllers/authentication.js CHANGED Viewed

@@ -32,7 +32,8 @@ module.exports = {
         ctx.state.user = user;
-        strapi.eventHub.emit('admin.auth.success', { user, provider: 'local' });
+        const sanitizedUser = getService('user').sanitizeUser(user);
+        strapi.eventHub.emit('admin.auth.success', { user: sanitizedUser, provider: 'local' });
         return next();
       })(ctx, next);
@@ -156,4 +157,10 @@ module.exports = {
       },
     };
   },
+  logout(ctx) {
+    const sanitizedUser = getService('user').sanitizeUser(ctx.state.user);
+    strapi.eventHub.emit('admin.logout', { user: sanitizedUser });
+    ctx.body = { data: {} };
+  },
 };

package/server/index.js CHANGED Viewed

@@ -10,6 +10,7 @@ const routes = require('./routes');
 const services = require('./services');
 const controllers = require('./controllers');
 const contentTypes = require('./content-types');
+const middlewares = require('./middlewares');
 module.exports = {
   register,
@@ -21,4 +22,5 @@ module.exports = {
   services,
   controllers,
   contentTypes,
+  middlewares,
 };

package/server/middlewares/index.js ADDED Viewed

@@ -0,0 +1,7 @@
+'use strict';
+const rateLimit = require('./rateLimit');
+module.exports = {
+  rateLimit,
+};

package/server/middlewares/rateLimit.js ADDED Viewed

@@ -0,0 +1,43 @@
+'use strict';
+const utils = require('@strapi/utils');
+const { has, toLower } = require('lodash/fp');
+const { RateLimitError } = utils.errors;
+module.exports =
+  (config, { strapi }) =>
+  async (ctx, next) => {
+    let rateLimitConfig = strapi.config.get('admin.rateLimit');
+    if (!rateLimitConfig) {
+      rateLimitConfig = {
+        enabled: true,
+      };
+    }
+    if (!has('enabled', rateLimitConfig)) {
+      rateLimitConfig.enabled = true;
+    }
+    if (rateLimitConfig.enabled === true) {
+      const rateLimit = require('koa2-ratelimit').RateLimit;
+      const userEmail = toLower(ctx.request.body.email) || 'unknownEmail';
+      const loadConfig = {
+        interval: { min: 5 },
+        max: 5,
+        prefixKey: `${userEmail}:${ctx.request.path}:${ctx.request.ip}`,
+        handler() {
+          throw new RateLimitError();
+        },
+        ...rateLimitConfig,
+        ...config,
+      };
+      return rateLimit.middleware(loadConfig)(ctx, next);
+    }
+    return next();
+  };

package/server/register.js CHANGED Viewed

@@ -1,5 +1,7 @@
 'use strict';
+const { register: registerDataTransferRoute } = require('@strapi/data-transfer/lib/strapi');
 const registerAdminPanelRoute = require('./routes/serve-admin-panel');
 const adminAuthStrategy = require('./strategies/admin');
 const apiTokenAuthStrategy = require('./strategies/api-token');
@@ -14,4 +16,11 @@ module.exports = ({ strapi }) => {
   if (strapi.config.serveAdminPanel) {
     registerAdminPanelRoute({ strapi });
   }
+  if (
+    process.env.STRAPI_EXPERIMENTAL === 'true' &&
+    process.env.STRAPI_DISABLE_REMOTE_DATA_TRANSFER !== 'true'
+  ) {
+    registerDataTransferRoute(strapi);
+  }
 };

package/server/routes/authentication.js CHANGED Viewed

@@ -5,7 +5,10 @@ module.exports = [
     method: 'POST',
     path: '/login',
     handler: 'authentication.login',
-    config: { auth: false },
+    config: {
+      auth: false,
+      middlewares: ['admin::rateLimit'],
+    },
   },
   {
     method: 'POST',
@@ -43,4 +46,12 @@ module.exports = [
     handler: 'authentication.resetPassword',
     config: { auth: false },
   },
+  {
+    method: 'POST',
+    path: '/logout',
+    handler: 'authentication.logout',
+    config: {
+      policies: ['admin::isAuthenticatedAdmin'],
+    },
+  },
 ];

package/server/routes/roles.js CHANGED Viewed

@@ -1,14 +1,6 @@
 'use strict';
 module.exports = [
-  {
-    method: 'POST',
-    path: '/users/batch-delete',
-    handler: 'user.deleteMany',
-    config: {
-      policies: [{ name: 'admin::hasPermissions', config: { actions: ['admin::users.delete'] } }],
-    },
-  },
   {
     method: 'GET',
     path: '/roles/:id/permissions',

package/server/services/permission/queries.js CHANGED Viewed

@@ -44,9 +44,12 @@ const deleteByRolesIds = async (rolesIds) => {
  * @returns {Promise<array>}
  */
 const deleteByIds = async (ids) => {
+  const result = [];
   for (const id of ids) {
-    await strapi.query('admin::permission').delete({ where: { id } });
+    const queryResult = await strapi.query('admin::permission').delete({ where: { id } });
+    result.push(queryResult);
   }
+  strapi.eventHub.emit('permission.delete', { permissions: result });
 };
 /**
@@ -61,7 +64,10 @@ const createMany = async (permissions) => {
     createdPermissions.push(newPerm);
   }
-  return permissionDomain.toPermission(createdPermissions);
+  const permissionsToReturn = permissionDomain.toPermission(createdPermissions);
+  strapi.eventHub.emit('permission.create', { permissions: permissionsToReturn });
+  return permissionsToReturn;
 };
 /**
@@ -75,7 +81,10 @@ const update = async (params, attributes) => {
     .query('admin::permission')
     .update({ where: params, data: attributes });
-  return permissionDomain.toPermission(updatedPermission);
+  const permissionToReturn = permissionDomain.toPermission(updatedPermission);
+  strapi.eventHub.emit('permission.update', { permissions: permissionToReturn });
+  return permissionToReturn;
 };
 /**

package/server/services/role.js CHANGED Viewed

@@ -64,7 +64,10 @@ const create = async (attributes) => {
     code: attributes.code || autoGeneratedCode,
   };
-  return strapi.query('admin::role').create({ data: rolesWithCode });
+  const result = await strapi.query('admin::role').create({ data: rolesWithCode });
+  strapi.eventHub.emit('role.create', { role: sanitizeRole(result) });
+  return result;
 };
 /**
@@ -137,7 +140,12 @@ const update = async (params, attributes) => {
     }
   }
-  return strapi.query('admin::role').update({ where: params, data: sanitizedAttributes });
+  const result = await strapi
+    .query('admin::role')
+    .update({ where: params, data: sanitizedAttributes });
+  strapi.eventHub.emit('role.update', { role: sanitizeRole(result) });
+  return result;
 };
 /**
@@ -194,6 +202,7 @@ const deleteByIds = async (ids = []) => {
     const deletedRole = await strapi.query('admin::role').delete({ where: { id } });
     if (deletedRole) {
+      strapi.eventHub.emit('role.delete', { role: deletedRole });
       deletedRoles.push(deletedRole);
     }
   }

package/server/services/user.js CHANGED Viewed

@@ -43,6 +43,8 @@ const create = async (attributes) => {
   getService('metrics').sendDidInviteUser();
+  strapi.eventHub.emit('user.create', { user: sanitizeUser(createdUser) });
   return createdUser;
 };
@@ -76,7 +78,7 @@ const updateById = async (id, attributes) => {
   if (_.has(attributes, 'password')) {
     const hashedPassword = await getService('auth').hashPassword(attributes.password);
-    return strapi.query('admin::user').update({
+    const updatedUser = await strapi.query('admin::user').update({
       where: { id },
       data: {
         ...attributes,
@@ -84,13 +86,21 @@ const updateById = async (id, attributes) => {
       },
       populate: ['roles'],
     });
+    strapi.eventHub.emit('user.update', { user: sanitizeUser(updatedUser) });
+    return updatedUser;
   }
-  return strapi.query('admin::user').update({
+  const updatedUser = await strapi.query('admin::user').update({
     where: { id },
     data: attributes,
     populate: ['roles'],
   });
+  strapi.eventHub.emit('user.update', { user: sanitizeUser(updatedUser) });
+  return updatedUser;
 };
 /**
@@ -226,7 +236,13 @@ const deleteById = async (id) => {
     }
   }
-  return strapi.query('admin::user').delete({ where: { id }, populate: ['roles'] });
+  const deletedUser = await strapi
+    .query('admin::user')
+    .delete({ where: { id }, populate: ['roles'] });
+  strapi.eventHub.emit('user.delete', { user: sanitizeUser(deletedUser) });
+  return deletedUser;
 };
 /** Delete a user
@@ -257,6 +273,10 @@ const deleteByIds = async (ids) => {
     deletedUsers.push(deletedUser);
   }
+  strapi.eventHub.emit('user.delete', {
+    users: deletedUsers.map((deletedUser) => sanitizeUser(deletedUser)),
+  });
   return deletedUsers;
 };