npm - @strapi/admin - Versions diffs - 5.37.1 → 5.38.1 - Mend

@strapi/admin 5.37.1 → 5.38.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (992) hide show

package/dist/server/server/src/services/permission/permissions-manager/query-builders.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"query-builders.js","sources":["../../../../../../../server/src/services/permission/permissions-manager/query-builders.ts"],"sourcesContent":["// TODO: migration\nimport _ from 'lodash';\nimport { rulesToQuery } from '@casl/ability/extra';\n\nconst operatorsMap = {\n $in: '$in',\n $nin: '$notIn',\n $exists: '$notNull',\n $gte: '$gte',\n $gt: '$gt',\n $lte: '$lte',\n $lt: '$lt',\n $eq: '$eq',\n $ne: '$ne',\n $and: '$and',\n $or: '$or',\n $not: '$not',\n} as const;\n\nconst mapKey = (key: keyof typeof operatorsMap) => {\n if (_.isString(key) && key.startsWith('$') && key in operatorsMap) {\n return operatorsMap[key];\n }\n return key;\n};\n\nconst buildCaslQuery = (ability: unknown, action: unknown, model: unknown) => {\n // @ts-expect-error casl types\n return rulesToQuery(ability, action, model, (o) => o.conditions);\n};\n\nconst buildStrapiQuery = (caslQuery: unknown) => {\n return unwrapDeep(caslQuery);\n};\n\nconst unwrapDeep = (obj: any): unknown => {\n if (!_.isPlainObject(obj) && !_.isArray(obj)) {\n return obj;\n }\n if (_.isArray(obj)) {\n return obj.map((v: unknown) => unwrapDeep(v));\n }\n\n return _.reduce(\n obj,\n (acc, v, k: any) => {\n const key = mapKey(k);\n\n if (_.isPlainObject(v)) {\n if ('$elemMatch' in v) {\n _.setWith(acc, key, unwrapDeep(v.$elemMatch));\n } else {\n _.setWith(acc, key, unwrapDeep(v));\n }\n } else if (_.isArray(v)) {\n // prettier-ignore\n _.setWith(acc, key, v.map(v => unwrapDeep(v)));\n } else {\n _.setWith(acc, key, v);\n }\n\n return acc;\n },\n {}\n );\n};\n\nexport { buildCaslQuery, buildStrapiQuery };\n"],"names":["operatorsMap","$in","$nin","$exists","$gte","$gt","$lte","$lt","$eq","$ne","$and","$or","$not","mapKey","key","_","isString","startsWith","buildCaslQuery","ability","action","model","rulesToQuery","o","conditions","buildStrapiQuery","caslQuery","unwrapDeep","obj","isPlainObject","isArray","map","v","reduce","acc","k","setWith","$elemMatch"],"mappings":";;;;;AAAA;AAIA,MAAMA,~~YAAe~~,~~GAAA~~;IACnBC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~IAAM~~,~~EAAA~~,QAAA;IACNC,~~OAAS~~,~~EAAA~~,UAAA;IACTC,~~IAAM~~,~~EAAA~~,MAAA;IACNC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~IAAM~~,~~EAAA~~,MAAA;IACNC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~IAAM~~,~~EAAA~~,MAAA;IACNC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~IAAM~~,~~EAAA~~;AACR,CAAA;AAEA,MAAMC,SAAS,CAACC,GAAAA,GAAAA;IACd,IAAIC,CAAAA,CAAEC,QAAQ,CAACF,GAAAA,CAAAA,IAAQA,IAAIG,UAAU,CAAC,~~GAAQH~~,~~CAAAA~~,~~IAAAA~~,GAAAA,IAAOd,~~YAAc~~,~~EAAA~~;QACjE,OAAOA,YAAY,CAACc,~~GAAI~~,~~CAAA~~;AAC1B;IACA,OAAOA,GAAAA;AACT,CAAA;~~AAEMI~~,~~MAAAA~~,cAAAA,GAAiB,CAACC,OAAAA,EAAkBC,~~MAAiBC~~,~~EAAAA~~,KAAAA,GAAAA;;AAEzD,IAAA,OAAOC,mBAAaH,~~OAASC~~,~~EAAAA~~,MAAAA,EAAQC,OAAO,CAACE,CAAAA,GAAMA,EAAEC,UAAU,CAAA;AACjE;AAEA,MAAMC,mBAAmB,CAACC,SAAAA,GAAAA;AACxB,IAAA,OAAOC,~~UAAWD~~,~~CAAAA~~,SAAAA,CAAAA;AACpB;AAEA,MAAMC,aAAa,CAACC,GAAAA,GAAAA;IAClB,IAAI,CAACb,EAAEc,aAAa,CAACD,QAAQ,CAACb,CAAAA,CAAEe,OAAO,CAACF,~~GAAM~~,~~CAAA~~,~~EAAA~~;QAC5C,OAAOA,GAAAA;AACT;IACA,IAAIb,CAAAA,CAAEe,OAAO,CAACF,~~GAAM~~,~~CAAA~~,~~EAAA~~;AAClB,QAAA,OAAOA,~~GAAIG~~,~~CAAAA~~,GAAG,CAAC,CAACC,IAAeL,~~UAAWK~~,~~CAAAA~~,CAAAA,CAAAA,CAAAA;AAC5C;AAEA,IAAA,OAAOjB,EAAEkB,MAAM,CACbL,~~GACA~~,~~EAAA~~,CAACM,KAAKF,~~CAAGG~~,~~EAAAA~~,CAAAA,GAAAA;AACP,QAAA,MAAMrB,MAAMD,~~MAAOsB~~,~~CAAAA~~,CAAAA,CAAAA;QAEnB,IAAIpB,CAAAA,CAAEc,aAAa,CAACG,~~CAAI~~,~~CAAA~~,~~EAAA~~;AACtB,YAAA,IAAI,gBAAgBA,~~CAAG~~,~~EAAA~~;AACrBjB,gBAAAA,CAAAA,CAAEqB,OAAO,CAACF,GAAAA,EAAKpB,~~GAAKa~~,~~EAAAA~~,UAAAA,CAAWK,EAAEK,UAAU,CAAA,CAAA;~~aACtC~~,~~MAAA~~;AACLtB,gBAAAA,CAAAA,CAAEqB,OAAO,CAACF,~~GAAKpB~~,~~EAAAA~~,GAAAA,EAAKa,~~UAAWK~~,~~CAAAA~~,CAAAA,CAAAA,CAAAA;AACjC;AACF,~~SAAA~~,MAAO,IAAIjB,CAAAA,CAAEe,OAAO,CAACE,~~CAAI~~,~~CAAA~~,~~EAAA~~;;YAEvBjB,CAAEqB,~~CAAAA,~~OAAO,CAACF,~~GAAKpB~~,~~EAAAA~~,GAAAA,EAAKkB,EAAED,GAAG,CAACC,CAAAA,CAAAA,GAAKL,~~UAAWK~~,~~CAAAA~~,CAAAA,CAAAA,CAAAA,CAAAA;~~SACrC~~,~~MAAA~~;YACLjB,CAAEqB,~~CAAAA,~~OAAO,CAACF,GAAAA,EAAKpB,~~GAAKkB~~,~~EAAAA~~,CAAAA,CAAAA;AACtB;QAEA,OAAOE,GAAAA;AACT,~~KAAA~~,EACA,EAAC,CAAA;AAEL,CAAA;;;;;"}
1	+ {"version":3,"file":"query-builders.js","sources":["../../../../../../../server/src/services/permission/permissions-manager/query-builders.ts"],"sourcesContent":["// TODO: migration\nimport _ from 'lodash';\nimport { rulesToQuery } from '@casl/ability/extra';\n\nconst operatorsMap = {\n $in: '$in',\n $nin: '$notIn',\n $exists: '$notNull',\n $gte: '$gte',\n $gt: '$gt',\n $lte: '$lte',\n $lt: '$lt',\n $eq: '$eq',\n $ne: '$ne',\n $and: '$and',\n $or: '$or',\n $not: '$not',\n} as const;\n\nconst mapKey = (key: keyof typeof operatorsMap) => {\n if (_.isString(key) && key.startsWith('$') && key in operatorsMap) {\n return operatorsMap[key];\n }\n return key;\n};\n\nconst buildCaslQuery = (ability: unknown, action: unknown, model: unknown) => {\n // @ts-expect-error casl types\n return rulesToQuery(ability, action, model, (o) => o.conditions);\n};\n\nconst buildStrapiQuery = (caslQuery: unknown) => {\n return unwrapDeep(caslQuery);\n};\n\nconst unwrapDeep = (obj: any): unknown => {\n if (!_.isPlainObject(obj) && !_.isArray(obj)) {\n return obj;\n }\n if (_.isArray(obj)) {\n return obj.map((v: unknown) => unwrapDeep(v));\n }\n\n return _.reduce(\n obj,\n (acc, v, k: any) => {\n const key = mapKey(k);\n\n if (_.isPlainObject(v)) {\n if ('$elemMatch' in v) {\n _.setWith(acc, key, unwrapDeep(v.$elemMatch));\n } else {\n _.setWith(acc, key, unwrapDeep(v));\n }\n } else if (_.isArray(v)) {\n // prettier-ignore\n _.setWith(acc, key, v.map(v => unwrapDeep(v)));\n } else {\n _.setWith(acc, key, v);\n }\n\n return acc;\n },\n {}\n );\n};\n\nexport { buildCaslQuery, buildStrapiQuery };\n"],"names":["operatorsMap","$in","$nin","$exists","$gte","$gt","$lte","$lt","$eq","$ne","$and","$or","$not","mapKey","key","_","isString","startsWith","buildCaslQuery","ability","action","model","rulesToQuery","o","conditions","buildStrapiQuery","caslQuery","unwrapDeep","obj","isPlainObject","isArray","map","v","reduce","acc","k","setWith","$elemMatch"],"mappings":";;;;;AAAA;AAIA,MAAMA,YAAAA,GAAe;IACnBC,GAAAA,EAAK,KAAA;IACLC,IAAAA,EAAM,QAAA;IACNC,OAAAA,EAAS,UAAA;IACTC,IAAAA,EAAM,MAAA;IACNC,GAAAA,EAAK,KAAA;IACLC,IAAAA,EAAM,MAAA;IACNC,GAAAA,EAAK,KAAA;IACLC,GAAAA,EAAK,KAAA;IACLC,GAAAA,EAAK,KAAA;IACLC,IAAAA,EAAM,MAAA;IACNC,GAAAA,EAAK,KAAA;IACLC,IAAAA,EAAM;AACR,CAAA;AAEA,MAAMC,SAAS,CAACC,GAAAA,GAAAA;IACd,IAAIC,CAAAA,CAAEC,QAAQ,CAACF,GAAAA,CAAAA,IAAQA,IAAIG,UAAU,CAAC,GAAA,CAAA,IAAQH,GAAAA,IAAOd,YAAAA,EAAc;QACjE,OAAOA,YAAY,CAACc,GAAAA,CAAI;AAC1B,IAAA;IACA,OAAOA,GAAAA;AACT,CAAA;AAEA,MAAMI,cAAAA,GAAiB,CAACC,OAAAA,EAAkBC,MAAAA,EAAiBC,KAAAA,GAAAA;;AAEzD,IAAA,OAAOC,mBAAaH,OAAAA,EAASC,MAAAA,EAAQC,OAAO,CAACE,CAAAA,GAAMA,EAAEC,UAAU,CAAA;AACjE;AAEA,MAAMC,mBAAmB,CAACC,SAAAA,GAAAA;AACxB,IAAA,OAAOC,UAAAA,CAAWD,SAAAA,CAAAA;AACpB;AAEA,MAAMC,aAAa,CAACC,GAAAA,GAAAA;IAClB,IAAI,CAACb,EAAEc,aAAa,CAACD,QAAQ,CAACb,CAAAA,CAAEe,OAAO,CAACF,GAAAA,CAAAA,EAAM;QAC5C,OAAOA,GAAAA;AACT,IAAA;IACA,IAAIb,CAAAA,CAAEe,OAAO,CAACF,GAAAA,CAAAA,EAAM;AAClB,QAAA,OAAOA,GAAAA,CAAIG,GAAG,CAAC,CAACC,IAAeL,UAAAA,CAAWK,CAAAA,CAAAA,CAAAA;AAC5C,IAAA;AAEA,IAAA,OAAOjB,EAAEkB,MAAM,CACbL,GAAAA,EACA,CAACM,KAAKF,CAAAA,EAAGG,CAAAA,GAAAA;AACP,QAAA,MAAMrB,MAAMD,MAAAA,CAAOsB,CAAAA,CAAAA;QAEnB,IAAIpB,CAAAA,CAAEc,aAAa,CAACG,CAAAA,CAAAA,EAAI;AACtB,YAAA,IAAI,gBAAgBA,CAAAA,EAAG;AACrBjB,gBAAAA,CAAAA,CAAEqB,OAAO,CAACF,GAAAA,EAAKpB,GAAAA,EAAKa,UAAAA,CAAWK,EAAEK,UAAU,CAAA,CAAA;YAC7C,CAAA,MAAO;AACLtB,gBAAAA,CAAAA,CAAEqB,OAAO,CAACF,GAAAA,EAAKpB,GAAAA,EAAKa,UAAAA,CAAWK,CAAAA,CAAAA,CAAAA;AACjC,YAAA;AACF,QAAA,CAAA,MAAO,IAAIjB,CAAAA,CAAEe,OAAO,CAACE,CAAAA,CAAAA,EAAI;;YAEvBjB,CAAAA,CAAEqB,OAAO,CAACF,GAAAA,EAAKpB,GAAAA,EAAKkB,EAAED,GAAG,CAACC,CAAAA,CAAAA,GAAKL,UAAAA,CAAWK,CAAAA,CAAAA,CAAAA,CAAAA;QAC5C,CAAA,MAAO;YACLjB,CAAAA,CAAEqB,OAAO,CAACF,GAAAA,EAAKpB,GAAAA,EAAKkB,CAAAA,CAAAA;AACtB,QAAA;QAEA,OAAOE,GAAAA;AACT,IAAA,CAAA,EACA,EAAC,CAAA;AAEL,CAAA;;;;;"}

package/dist/server/server/src/services/permission/permissions-manager/query-builders.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"query-builders.mjs","sources":["../../../../../../../server/src/services/permission/permissions-manager/query-builders.ts"],"sourcesContent":["// TODO: migration\nimport _ from 'lodash';\nimport { rulesToQuery } from '@casl/ability/extra';\n\nconst operatorsMap = {\n $in: '$in',\n $nin: '$notIn',\n $exists: '$notNull',\n $gte: '$gte',\n $gt: '$gt',\n $lte: '$lte',\n $lt: '$lt',\n $eq: '$eq',\n $ne: '$ne',\n $and: '$and',\n $or: '$or',\n $not: '$not',\n} as const;\n\nconst mapKey = (key: keyof typeof operatorsMap) => {\n if (_.isString(key) && key.startsWith('$') && key in operatorsMap) {\n return operatorsMap[key];\n }\n return key;\n};\n\nconst buildCaslQuery = (ability: unknown, action: unknown, model: unknown) => {\n // @ts-expect-error casl types\n return rulesToQuery(ability, action, model, (o) => o.conditions);\n};\n\nconst buildStrapiQuery = (caslQuery: unknown) => {\n return unwrapDeep(caslQuery);\n};\n\nconst unwrapDeep = (obj: any): unknown => {\n if (!_.isPlainObject(obj) && !_.isArray(obj)) {\n return obj;\n }\n if (_.isArray(obj)) {\n return obj.map((v: unknown) => unwrapDeep(v));\n }\n\n return _.reduce(\n obj,\n (acc, v, k: any) => {\n const key = mapKey(k);\n\n if (_.isPlainObject(v)) {\n if ('$elemMatch' in v) {\n _.setWith(acc, key, unwrapDeep(v.$elemMatch));\n } else {\n _.setWith(acc, key, unwrapDeep(v));\n }\n } else if (_.isArray(v)) {\n // prettier-ignore\n _.setWith(acc, key, v.map(v => unwrapDeep(v)));\n } else {\n _.setWith(acc, key, v);\n }\n\n return acc;\n },\n {}\n );\n};\n\nexport { buildCaslQuery, buildStrapiQuery };\n"],"names":["operatorsMap","$in","$nin","$exists","$gte","$gt","$lte","$lt","$eq","$ne","$and","$or","$not","mapKey","key","_","isString","startsWith","buildCaslQuery","ability","action","model","rulesToQuery","o","conditions","buildStrapiQuery","caslQuery","unwrapDeep","obj","isPlainObject","isArray","map","v","reduce","acc","k","setWith","$elemMatch"],"mappings":";;;AAAA;AAIA,MAAMA,~~YAAe~~,~~GAAA~~;IACnBC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~IAAM~~,~~EAAA~~,QAAA;IACNC,~~OAAS~~,~~EAAA~~,UAAA;IACTC,~~IAAM~~,~~EAAA~~,MAAA;IACNC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~IAAM~~,~~EAAA~~,MAAA;IACNC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~IAAM~~,~~EAAA~~,MAAA;IACNC,~~GAAK~~,~~EAAA~~,KAAA;IACLC,~~IAAM~~,~~EAAA~~;AACR,CAAA;AAEA,MAAMC,SAAS,CAACC,GAAAA,GAAAA;IACd,IAAIC,UAAAA,CAAEC,QAAQ,CAACF,GAAAA,CAAAA,IAAQA,IAAIG,UAAU,CAAC,~~GAAQH~~,~~CAAAA~~,~~IAAAA~~,GAAAA,IAAOd,~~YAAc~~,~~EAAA~~;QACjE,OAAOA,YAAY,CAACc,~~GAAI~~,~~CAAA~~;AAC1B;IACA,OAAOA,GAAAA;AACT,CAAA;~~AAEMI~~,~~MAAAA~~,cAAAA,GAAiB,CAACC,OAAAA,EAAkBC,~~MAAiBC~~,~~EAAAA~~,KAAAA,GAAAA;;AAEzD,IAAA,OAAOC,aAAaH,~~OAASC~~,~~EAAAA~~,MAAAA,EAAQC,OAAO,CAACE,CAAAA,GAAMA,EAAEC,UAAU,CAAA;AACjE;AAEA,MAAMC,mBAAmB,CAACC,SAAAA,GAAAA;AACxB,IAAA,OAAOC,~~UAAWD~~,~~CAAAA~~,SAAAA,CAAAA;AACpB;AAEA,MAAMC,aAAa,CAACC,GAAAA,GAAAA;IAClB,IAAI,CAACb,WAAEc,aAAa,CAACD,QAAQ,CAACb,UAAAA,CAAEe,OAAO,CAACF,~~GAAM~~,~~CAAA~~,~~EAAA~~;QAC5C,OAAOA,GAAAA;AACT;IACA,IAAIb,UAAAA,CAAEe,OAAO,CAACF,~~GAAM~~,~~CAAA~~,~~EAAA~~;AAClB,QAAA,OAAOA,~~GAAIG~~,~~CAAAA~~,GAAG,CAAC,CAACC,IAAeL,~~UAAWK~~,~~CAAAA~~,CAAAA,CAAAA,CAAAA;AAC5C;AAEA,IAAA,OAAOjB,WAAEkB,MAAM,CACbL,~~GACA~~,~~EAAA~~,CAACM,KAAKF,~~CAAGG~~,~~EAAAA~~,CAAAA,GAAAA;AACP,QAAA,MAAMrB,MAAMD,~~MAAOsB~~,~~CAAAA~~,CAAAA,CAAAA;QAEnB,IAAIpB,UAAAA,CAAEc,aAAa,CAACG,~~CAAI~~,~~CAAA~~,~~EAAA~~;AACtB,YAAA,IAAI,gBAAgBA,~~CAAG~~,~~EAAA~~;AACrBjB,gBAAAA,UAAAA,CAAEqB,OAAO,CAACF,GAAAA,EAAKpB,~~GAAKa~~,~~EAAAA~~,UAAAA,CAAWK,EAAEK,UAAU,CAAA,CAAA;~~aACtC~~,~~MAAA~~;AACLtB,gBAAAA,UAAAA,CAAEqB,OAAO,CAACF,~~GAAKpB~~,~~EAAAA~~,GAAAA,EAAKa,~~UAAWK~~,~~CAAAA~~,CAAAA,CAAAA,CAAAA;AACjC;AACF,~~SAAA~~,MAAO,IAAIjB,UAAAA,CAAEe,OAAO,CAACE,~~CAAI~~,~~CAAA~~,~~EAAA~~;;YAEvBjB,~~UAAEqB~~,~~CAAAA~~,OAAO,CAACF,~~GAAKpB~~,~~EAAAA~~,GAAAA,EAAKkB,EAAED,GAAG,CAACC,CAAAA,CAAAA,GAAKL,~~UAAWK~~,~~CAAAA~~,CAAAA,CAAAA,CAAAA,CAAAA;~~SACrC~~,~~MAAA~~;YACLjB,~~UAAEqB~~,~~CAAAA~~,OAAO,CAACF,GAAAA,EAAKpB,~~GAAKkB~~,~~EAAAA~~,CAAAA,CAAAA;AACtB;QAEA,OAAOE,GAAAA;AACT,~~KAAA~~,EACA,EAAC,CAAA;AAEL,CAAA;;;;"}
1	+ {"version":3,"file":"query-builders.mjs","sources":["../../../../../../../server/src/services/permission/permissions-manager/query-builders.ts"],"sourcesContent":["// TODO: migration\nimport _ from 'lodash';\nimport { rulesToQuery } from '@casl/ability/extra';\n\nconst operatorsMap = {\n $in: '$in',\n $nin: '$notIn',\n $exists: '$notNull',\n $gte: '$gte',\n $gt: '$gt',\n $lte: '$lte',\n $lt: '$lt',\n $eq: '$eq',\n $ne: '$ne',\n $and: '$and',\n $or: '$or',\n $not: '$not',\n} as const;\n\nconst mapKey = (key: keyof typeof operatorsMap) => {\n if (_.isString(key) && key.startsWith('$') && key in operatorsMap) {\n return operatorsMap[key];\n }\n return key;\n};\n\nconst buildCaslQuery = (ability: unknown, action: unknown, model: unknown) => {\n // @ts-expect-error casl types\n return rulesToQuery(ability, action, model, (o) => o.conditions);\n};\n\nconst buildStrapiQuery = (caslQuery: unknown) => {\n return unwrapDeep(caslQuery);\n};\n\nconst unwrapDeep = (obj: any): unknown => {\n if (!_.isPlainObject(obj) && !_.isArray(obj)) {\n return obj;\n }\n if (_.isArray(obj)) {\n return obj.map((v: unknown) => unwrapDeep(v));\n }\n\n return _.reduce(\n obj,\n (acc, v, k: any) => {\n const key = mapKey(k);\n\n if (_.isPlainObject(v)) {\n if ('$elemMatch' in v) {\n _.setWith(acc, key, unwrapDeep(v.$elemMatch));\n } else {\n _.setWith(acc, key, unwrapDeep(v));\n }\n } else if (_.isArray(v)) {\n // prettier-ignore\n _.setWith(acc, key, v.map(v => unwrapDeep(v)));\n } else {\n _.setWith(acc, key, v);\n }\n\n return acc;\n },\n {}\n );\n};\n\nexport { buildCaslQuery, buildStrapiQuery };\n"],"names":["operatorsMap","$in","$nin","$exists","$gte","$gt","$lte","$lt","$eq","$ne","$and","$or","$not","mapKey","key","_","isString","startsWith","buildCaslQuery","ability","action","model","rulesToQuery","o","conditions","buildStrapiQuery","caslQuery","unwrapDeep","obj","isPlainObject","isArray","map","v","reduce","acc","k","setWith","$elemMatch"],"mappings":";;;AAAA;AAIA,MAAMA,YAAAA,GAAe;IACnBC,GAAAA,EAAK,KAAA;IACLC,IAAAA,EAAM,QAAA;IACNC,OAAAA,EAAS,UAAA;IACTC,IAAAA,EAAM,MAAA;IACNC,GAAAA,EAAK,KAAA;IACLC,IAAAA,EAAM,MAAA;IACNC,GAAAA,EAAK,KAAA;IACLC,GAAAA,EAAK,KAAA;IACLC,GAAAA,EAAK,KAAA;IACLC,IAAAA,EAAM,MAAA;IACNC,GAAAA,EAAK,KAAA;IACLC,IAAAA,EAAM;AACR,CAAA;AAEA,MAAMC,SAAS,CAACC,GAAAA,GAAAA;IACd,IAAIC,UAAAA,CAAEC,QAAQ,CAACF,GAAAA,CAAAA,IAAQA,IAAIG,UAAU,CAAC,GAAA,CAAA,IAAQH,GAAAA,IAAOd,YAAAA,EAAc;QACjE,OAAOA,YAAY,CAACc,GAAAA,CAAI;AAC1B,IAAA;IACA,OAAOA,GAAAA;AACT,CAAA;AAEA,MAAMI,cAAAA,GAAiB,CAACC,OAAAA,EAAkBC,MAAAA,EAAiBC,KAAAA,GAAAA;;AAEzD,IAAA,OAAOC,aAAaH,OAAAA,EAASC,MAAAA,EAAQC,OAAO,CAACE,CAAAA,GAAMA,EAAEC,UAAU,CAAA;AACjE;AAEA,MAAMC,mBAAmB,CAACC,SAAAA,GAAAA;AACxB,IAAA,OAAOC,UAAAA,CAAWD,SAAAA,CAAAA;AACpB;AAEA,MAAMC,aAAa,CAACC,GAAAA,GAAAA;IAClB,IAAI,CAACb,WAAEc,aAAa,CAACD,QAAQ,CAACb,UAAAA,CAAEe,OAAO,CAACF,GAAAA,CAAAA,EAAM;QAC5C,OAAOA,GAAAA;AACT,IAAA;IACA,IAAIb,UAAAA,CAAEe,OAAO,CAACF,GAAAA,CAAAA,EAAM;AAClB,QAAA,OAAOA,GAAAA,CAAIG,GAAG,CAAC,CAACC,IAAeL,UAAAA,CAAWK,CAAAA,CAAAA,CAAAA;AAC5C,IAAA;AAEA,IAAA,OAAOjB,WAAEkB,MAAM,CACbL,GAAAA,EACA,CAACM,KAAKF,CAAAA,EAAGG,CAAAA,GAAAA;AACP,QAAA,MAAMrB,MAAMD,MAAAA,CAAOsB,CAAAA,CAAAA;QAEnB,IAAIpB,UAAAA,CAAEc,aAAa,CAACG,CAAAA,CAAAA,EAAI;AACtB,YAAA,IAAI,gBAAgBA,CAAAA,EAAG;AACrBjB,gBAAAA,UAAAA,CAAEqB,OAAO,CAACF,GAAAA,EAAKpB,GAAAA,EAAKa,UAAAA,CAAWK,EAAEK,UAAU,CAAA,CAAA;YAC7C,CAAA,MAAO;AACLtB,gBAAAA,UAAAA,CAAEqB,OAAO,CAACF,GAAAA,EAAKpB,GAAAA,EAAKa,UAAAA,CAAWK,CAAAA,CAAAA,CAAAA;AACjC,YAAA;AACF,QAAA,CAAA,MAAO,IAAIjB,UAAAA,CAAEe,OAAO,CAACE,CAAAA,CAAAA,EAAI;;YAEvBjB,UAAAA,CAAEqB,OAAO,CAACF,GAAAA,EAAKpB,GAAAA,EAAKkB,EAAED,GAAG,CAACC,CAAAA,CAAAA,GAAKL,UAAAA,CAAWK,CAAAA,CAAAA,CAAAA,CAAAA;QAC5C,CAAA,MAAO;YACLjB,UAAAA,CAAEqB,OAAO,CAACF,GAAAA,EAAKpB,GAAAA,EAAKkB,CAAAA,CAAAA;AACtB,QAAA;QAEA,OAAOE,GAAAA;AACT,IAAA,CAAA,EACA,EAAC,CAAA;AAEL,CAAA;;;;"}

package/dist/server/server/src/services/permission/permissions-manager/sanitize.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"sanitize.js","sources":["../../../../../../../server/src/services/permission/permissions-manager/sanitize.ts"],"sourcesContent":["import { subject as asSubject } from '@casl/ability';\nimport {\n defaults,\n omit,\n isArray,\n isEmpty,\n uniq,\n intersection,\n pick,\n getOr,\n isObject,\n cloneDeep,\n} from 'lodash/fp';\n\nimport type { UID } from '@strapi/types';\n\nimport {\n contentTypes,\n traverseEntity,\n sanitize,\n async,\n traverse,\n createModelCache,\n} from '@strapi/utils';\nimport { createPermissionFieldsCache } from './permission-fields';\nimport { ADMIN_USER_ALLOWED_FIELDS } from '../../../domain/user';\n\nconst {\n visitors: { removePassword, expandWildcardPopulate },\n} = sanitize;\n\nconst {\n constants,\n isScalarAttribute,\n getNonVisibleAttributes,\n getNonWritableAttributes,\n getWritableAttributes,\n} = contentTypes;\nconst {\n ID_ATTRIBUTE,\n DOC_ID_ATTRIBUTE,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n} = constants;\n\nconst COMPONENT_FIELDS = ['__component'];\nconst STATIC_FIELDS = [ID_ATTRIBUTE, DOC_ID_ATTRIBUTE];\n\nexport default ({ action, ability, model }: any) => {\n const schema = strapi.getModel(model);\n\n const { removeDisallowedFields } = sanitize.visitors;\n\n // Create request-scoped model cache to avoid redundant getModel() calls\n const modelCache = createModelCache(strapi.getModel.bind(strapi));\n\n const ctx = {\n schema,\n getModel: modelCache.getModel,\n };\n\n const createSanitizeQuery = (options = {} as any) => {\n const { fields } = options;\n\n // TODO: sanitize relations to admin users in all sanitizers\n const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);\n\n const createSanitizeFilters = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFilters(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFilters(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQueryFilters(omitHiddenFields, ctx),\n traverse.traverseQueryFilters(removePassword, ctx),\n traverse.traverseQueryFilters(({ key, value }, { remove }) => {\n if (isObject(value) && isEmpty(value)) {\n remove(key);\n }\n }, ctx)\n );\n\n const createSanitizeSort = (ctx: any) =>\n async.pipe(\n traverse.traverseQuerySort(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQuerySort(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQuerySort(omitHiddenFields, ctx),\n traverse.traverseQuerySort(removePassword, ctx),\n traverse.traverseQuerySort(({ key, attribute, value }, { remove }) => {\n if (!isScalarAttribute(attribute) && isEmpty(value)) {\n remove(key);\n }\n }, ctx)\n );\n\n const createSanitizeFields = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFields(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFields(omitHiddenFields, ctx),\n traverse.traverseQueryFields(removePassword, ctx)\n );\n\n const sanitizeFilters = createSanitizeFilters(ctx);\n const sanitizeSort = createSanitizeSort(ctx);\n const sanitizeFields = createSanitizeFields(ctx);\n\n /** Sanitize nested filters, sort, and fields inside populate. /\n const sanitizeNestedPopulate = async (\n { key, value, schema, attribute, getModel }: any,\n { set }: any\n ) => {\n if (attribute) {\n return;\n }\n\n const nestedCtx = { schema, getModel };\n\n if (key === 'sort') {\n const sanitizedSort = await createSanitizeSort(nestedCtx)(value);\n set(key, sanitizedSort);\n }\n\n if (key === 'filters') {\n const sanitizedFilters = await createSanitizeFilters(nestedCtx)(value);\n set(key, sanitizedFilters);\n }\n\n if (key === 'fields') {\n const sanitizedFields = await createSanitizeFields(nestedCtx)(value);\n set(key, sanitizedFields);\n }\n };\n\n const sanitizePopulate = async.pipe(\n traverse.traverseQueryPopulate(expandWildcardPopulate, ctx),\n traverse.traverseQueryPopulate(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryPopulate(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQueryPopulate(omitHiddenFields, ctx),\n traverse.traverseQueryPopulate(removePassword, ctx),\n traverse.traverseQueryPopulate(sanitizeNestedPopulate, ctx)\n );\n\n return async (query: any) => {\n const sanitizedQuery = cloneDeep(query);\n\n const [sanitizedFilters, sanitizedSort, sanitizedPopulate, sanitizedFields] =\n await Promise.all([\n query.filters ? sanitizeFilters(query.filters) : undefined,\n query.sort ? sanitizeSort(query.sort) : undefined,\n query.populate ? sanitizePopulate(query.populate) : undefined,\n query.fields ? sanitizeFields(query.fields) : undefined,\n ]);\n\n if (sanitizedFilters !== undefined) sanitizedQuery.filters = sanitizedFilters;\n if (sanitizedSort !== undefined) sanitizedQuery.sort = sanitizedSort;\n if (sanitizedPopulate !== undefined) sanitizedQuery.populate = sanitizedPopulate;\n if (sanitizedFields !== undefined) sanitizedQuery.fields = sanitizedFields;\n\n return sanitizedQuery;\n };\n };\n\n const createSanitizeOutput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getOutputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(omitHiddenFields, ctx),\n // Remove unallowed fields from admin::user relations\n traverseEntity(pickAllowedAdminUserFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(removeDisallowedFields(permittedFields), ctx),\n // Remove all fields of type 'password'\n sanitize.sanitizers.sanitizePasswords({\n schema,\n getModel(uid: string) {\n return strapi.getModel(uid as UID.Schema);\n },\n })\n );\n };\n\n const createSanitizeInput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(omitHiddenFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(removeDisallowedFields(permittedFields), ctx),\n // Remove roles from createdBy & updatedBy fields\n omitCreatorRoles\n );\n };\n\n const wrapSanitize = (createSanitizeFunction: any) => {\n const { getPermissionFields } = createPermissionFieldsCache(ability);\n\n // TODO\n // @ts-expect-error define the correct return type\n const wrappedSanitize = async (data: unknown, options = {} as any) => {\n if (isArray(data)) {\n return Promise.all(data.map((entity: unknown) => wrappedSanitize(entity, options)));\n }\n\n const { subject, action: actionOverride } = getDefaultOptions(data, options);\n\n const { permittedFields, hasAtLeastOneRegistered, shouldIncludeAll } = getPermissionFields(\n actionOverride,\n subject\n );\n\n const sanitizeOptions = {\n ...options,\n fields: {\n shouldIncludeAll,\n permitted: permittedFields,\n hasAtLeastOneRegistered,\n },\n };\n\n const sanitizeFunction = createSanitizeFunction(sanitizeOptions);\n\n return sanitizeFunction(data);\n };\n\n return wrappedSanitize;\n };\n\n const getDefaultOptions = (data: any, options: unknown) => {\n return defaults({ subject: asSubject(model, data), action }, options);\n };\n\n /\n Omit creator fields' (createdBy & updatedBy) roles from the admin API responses\n /\n const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);\n\n /\n Visitor used to remove hidden fields from the admin API responses\n /\n const omitHiddenFields = ({ key, schema }: any, { remove }: any) => {\n const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);\n\n if (isHidden) {\n remove(key);\n }\n };\n\n /\n Visitor used to only select needed fields from the admin users entities & avoid leaking sensitive information\n /\n const pickAllowedAdminUserFields = ({ attribute, key, value }: any, { set }: any) => {\n const pickAllowedFields = pick(ADMIN_USER_ALLOWED_FIELDS);\n if (!attribute) {\n return;\n }\n\n if (attribute.type === 'relation' && attribute.target === 'admin::user' && value) {\n if (Array.isArray(value)) {\n set(key, value.map(pickAllowedFields));\n } else {\n set(key, pickAllowedFields(value));\n }\n }\n };\n\n /\n Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information\n */\n const omitDisallowedAdminUserFields = ({ key, attribute, schema }: any, { remove }: any) => {\n if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {\n remove(key);\n }\n };\n\n const getInputFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([...fields, ...COMPONENT_FIELDS, ...nonVisibleWritableAttributes]);\n };\n\n const getOutputFields = (fields = []) => {\n const nonWritableAttributes = getNonWritableAttributes(schema);\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n ...nonWritableAttributes,\n ...nonVisibleAttributes,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n ]);\n };\n\n const getQueryFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n ...nonVisibleWritableAttributes,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n ]);\n };\n\n return {\n sanitizeOutput: wrapSanitize(createSanitizeOutput),\n sanitizeInput: wrapSanitize(createSanitizeInput),\n sanitizeQuery: wrapSanitize(createSanitizeQuery),\n };\n};\n"],"names":["visitors","removePassword","expandWildcardPopulate","sanitize","constants","isScalarAttribute","getNonVisibleAttributes","getNonWritableAttributes","getWritableAttributes","contentTypes","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","CREATED_AT_ATTRIBUTE","UPDATED_AT_ATTRIBUTE","PUBLISHED_AT_ATTRIBUTE","CREATED_BY_ATTRIBUTE","UPDATED_BY_ATTRIBUTE","COMPONENT_FIELDS","STATIC_FIELDS","action","ability","model","schema","strapi","getModel","removeDisallowedFields","modelCache","createModelCache","bind","ctx","createSanitizeQuery","options","fields","permittedFields","shouldIncludeAll","getQueryFields","permitted","createSanitizeFilters","async","pipe","traverse","traverseQueryFilters","omitDisallowedAdminUserFields","omitHiddenFields","key","value","remove","isObject","isEmpty","createSanitizeSort","traverseQuerySort","attribute","createSanitizeFields","traverseQueryFields","sanitizeFilters","sanitizeSort","sanitizeFields","sanitizeNestedPopulate","set","nestedCtx","sanitizedSort","sanitizedFilters","sanitizedFields","sanitizePopulate","traverseQueryPopulate","query","sanitizedQuery","cloneDeep","sanitizedPopulate","Promise","all","filters","undefined","sort","populate","createSanitizeOutput","getOutputFields","traverseEntity","pickAllowedAdminUserFields","sanitizers","sanitizePasswords","uid","createSanitizeInput","getInputFields","omitCreatorRoles","wrapSanitize","createSanitizeFunction","getPermissionFields","createPermissionFieldsCache","wrappedSanitize","data","isArray","map","entity","subject","actionOverride","getDefaultOptions","hasAtLeastOneRegistered","sanitizeOptions","sanitizeFunction","defaults","asSubject","omit","isHidden","getOr","pickAllowedFields","pick","ADMIN_USER_ALLOWED_FIELDS","type","target","Array","includes","nonVisibleAttributes","writableAttributes","nonVisibleWritableAttributes","intersection","uniq","nonWritableAttributes","sanitizeOutput","sanitizeInput","sanitizeQuery"],"mappings":";;;;;;;;AA2BA,MAAM,EACJA,UAAU,EAAEC,cAAc,EAAEC,sBAAsB,EAAE,EACrD,GAAGC,cAAAA;AAEJ,MAAM,EACJC,SAAS,EACTC,iBAAiB,EACjBC,uBAAuB,EACvBC,wBAAwB,EACxBC,qBAAqB,EACtB,GAAGC,kBAAAA;AACJ,MAAM,EACJC,YAAY,EACZC,gBAAgB,EAChBC,oBAAoB,EACpBC,oBAAoB,EACpBC,sBAAsB,EACtBC,oBAAoB,EACpBC,oBAAoB,EACrB,GAAGZ,SAAAA;AAEJ,MAAMa,gBAAmB,GAAA;AAAC,IAAA;AAAc,CAAA;AACxC,MAAMC,aAAgB,GAAA;AAACR,IAAAA,YAAAA;AAAcC,IAAAA;AAAiB,CAAA;AAEtD,4BAAe,CAAA,CAAC,EAAEQ,MAAM,WAAEC,SAAO,EAAEC,KAAK,EAAO,GAAA;IAC7C,MAAMC,MAAAA,GAASC,MAAOC,CAAAA,QAAQ,CAACH,KAAAA,CAAAA;AAE/B,IAAA,MAAM,EAAEI,sBAAsB,EAAE,GAAGtB,eAASH,QAAQ;;AAGpD,IAAA,MAAM0B,aAAaC,sBAAiBJ,CAAAA,MAAAA,CAAOC,QAAQ,CAACI,IAAI,CAACL,MAAAA,CAAAA,CAAAA;AAEzD,IAAA,MAAMM,GAAM,GAAA;AACVP,QAAAA,MAAAA;AACAE,QAAAA,QAAAA,EAAUE,WAAWF;AACvB,KAAA;AAEA,IAAA,MAAMM,mBAAsB,GAAA,CAACC,OAAU,GAAA,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;;AAGnB,QAAA,MAAME,kBAAkBD,MAAOE,CAAAA,gBAAgB,GAAG,IAAOC,GAAAA,cAAAA,CAAeH,OAAOI,SAAS,CAAA;AAExF,QAAA,MAAMC,wBAAwB,CAACR,GAAAA,GAC7BS,WAAMC,CAAAA,IAAI,CACRC,cAASC,CAAAA,oBAAoB,CAAChB,sBAAAA,CAAuBQ,kBAAkBJ,GACvEW,CAAAA,EAAAA,cAAAA,CAASC,oBAAoB,CAACC,6BAAAA,EAA+Bb,MAC7DW,cAASC,CAAAA,oBAAoB,CAACE,gBAAAA,EAAkBd,MAChDW,cAASC,CAAAA,oBAAoB,CAACxC,cAAgB4B,EAAAA,GAAAA,CAAAA,EAC9CW,eAASC,oBAAoB,CAAC,CAAC,EAAEG,GAAG,EAAEC,KAAK,EAAE,EAAE,EAAEC,MAAM,EAAE,GAAA;gBACvD,IAAIC,WAAAA,CAASF,KAAUG,CAAAA,IAAAA,UAAAA,CAAQH,KAAQ,CAAA,EAAA;oBACrCC,MAAOF,CAAAA,GAAAA,CAAAA;AACT;aACCf,EAAAA,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMoB,qBAAqB,CAACpB,GAAAA,GAC1BS,YAAMC,IAAI,CACRC,eAASU,iBAAiB,CAACzB,sBAAuBQ,CAAAA,eAAAA,CAAAA,EAAkBJ,MACpEW,cAASU,CAAAA,iBAAiB,CAACR,6BAA+Bb,EAAAA,GAAAA,CAAAA,EAC1DW,eAASU,iBAAiB,CAACP,gBAAkBd,EAAAA,GAAAA,CAAAA,EAC7CW,eAASU,iBAAiB,CAACjD,gBAAgB4B,GAC3CW,CAAAA,EAAAA,cAAAA,CAASU,iBAAiB,CAAC,CAAC,EAAEN,GAAG,EAAEO,SAAS,EAAEN,KAAK,EAAE,EAAE,EAAEC,MAAM,EAAE,GAAA;AAC/D,gBAAA,IAAI,CAACzC,iBAAAA,CAAkB8C,SAAcH,CAAAA,IAAAA,UAAAA,CAAQH,KAAQ,CAAA,EAAA;oBACnDC,MAAOF,CAAAA,GAAAA,CAAAA;AACT;aACCf,EAAAA,GAAAA,CAAAA,CAAAA;QAGP,MAAMuB,oBAAAA,GAAuB,CAACvB,GAC5BS,GAAAA,WAAAA,CAAMC,IAAI,CACRC,cAAAA,CAASa,mBAAmB,CAAC5B,sBAAAA,CAAuBQ,kBAAkBJ,GACtEW,CAAAA,EAAAA,cAAAA,CAASa,mBAAmB,CAACV,gBAAAA,EAAkBd,MAC/CW,cAASa,CAAAA,mBAAmB,CAACpD,cAAgB4B,EAAAA,GAAAA,CAAAA,CAAAA;AAGjD,QAAA,MAAMyB,kBAAkBjB,qBAAsBR,CAAAA,GAAAA,CAAAA;AAC9C,QAAA,MAAM0B,eAAeN,kBAAmBpB,CAAAA,GAAAA,CAAAA;AACxC,QAAA,MAAM2B,iBAAiBJ,oBAAqBvB,CAAAA,GAAAA,CAAAA;AAE5C,0EACA,MAAM4B,sBAAAA,GAAyB,OAC7B,EAAEb,GAAG,EAAEC,KAAK,EAAEvB,MAAM,EAAE6B,SAAS,EAAE3B,QAAQ,EAAO,EAChD,EAAEkC,GAAG,EAAO,GAAA;AAEZ,YAAA,IAAIP,SAAW,EAAA;AACb,gBAAA;AACF;AAEA,YAAA,MAAMQ,SAAY,GAAA;AAAErC,gBAAAA,MAAAA;AAAQE,gBAAAA;AAAS,aAAA;AAErC,YAAA,IAAIoB,QAAQ,MAAQ,EAAA;gBAClB,MAAMgB,aAAAA,GAAgB,MAAMX,kBAAAA,CAAmBU,SAAWd,CAAAA,CAAAA,KAAAA,CAAAA;AAC1Da,gBAAAA,GAAAA,CAAId,GAAKgB,EAAAA,aAAAA,CAAAA;AACX;AAEA,YAAA,IAAIhB,QAAQ,SAAW,EAAA;gBACrB,MAAMiB,gBAAAA,GAAmB,MAAMxB,qBAAAA,CAAsBsB,SAAWd,CAAAA,CAAAA,KAAAA,CAAAA;AAChEa,gBAAAA,GAAAA,CAAId,GAAKiB,EAAAA,gBAAAA,CAAAA;AACX;AAEA,YAAA,IAAIjB,QAAQ,QAAU,EAAA;gBACpB,MAAMkB,eAAAA,GAAkB,MAAMV,oBAAAA,CAAqBO,SAAWd,CAAAA,CAAAA,KAAAA,CAAAA;AAC9Da,gBAAAA,GAAAA,CAAId,GAAKkB,EAAAA,eAAAA,CAAAA;AACX;AACF,SAAA;AAEA,QAAA,MAAMC,gBAAmBzB,GAAAA,WAAAA,CAAMC,IAAI,CACjCC,eAASwB,qBAAqB,CAAC9D,sBAAwB2B,EAAAA,GAAAA,CAAAA,EACvDW,cAASwB,CAAAA,qBAAqB,CAACvC,sBAAAA,CAAuBQ,kBAAkBJ,GACxEW,CAAAA,EAAAA,cAAAA,CAASwB,qBAAqB,CAACtB,6BAA+Bb,EAAAA,GAAAA,CAAAA,EAC9DW,cAASwB,CAAAA,qBAAqB,CAACrB,gBAAkBd,EAAAA,GAAAA,CAAAA,EACjDW,cAASwB,CAAAA,qBAAqB,CAAC/D,cAAgB4B,EAAAA,GAAAA,CAAAA,EAC/CW,cAASwB,CAAAA,qBAAqB,CAACP,sBAAwB5B,EAAAA,GAAAA,CAAAA,CAAAA;AAGzD,QAAA,OAAO,OAAOoC,KAAAA,GAAAA;AACZ,YAAA,MAAMC,iBAAiBC,YAAUF,CAAAA,KAAAA,CAAAA;YAEjC,MAAM,CAACJ,kBAAkBD,aAAeQ,EAAAA,iBAAAA,EAAmBN,gBAAgB,GACzE,MAAMO,OAAQC,CAAAA,GAAG,CAAC;AAChBL,gBAAAA,KAAAA,CAAMM,OAAO,GAAGjB,eAAgBW,CAAAA,KAAAA,CAAMM,OAAO,CAAIC,GAAAA,SAAAA;AACjDP,gBAAAA,KAAAA,CAAMQ,IAAI,GAAGlB,YAAaU,CAAAA,KAAAA,CAAMQ,IAAI,CAAID,GAAAA,SAAAA;AACxCP,gBAAAA,KAAAA,CAAMS,QAAQ,GAAGX,gBAAiBE,CAAAA,KAAAA,CAAMS,QAAQ,CAAIF,GAAAA,SAAAA;AACpDP,gBAAAA,KAAAA,CAAMjC,MAAM,GAAGwB,cAAeS,CAAAA,KAAAA,CAAMjC,MAAM,CAAIwC,GAAAA;AAC/C,aAAA,CAAA;AAEH,YAAA,IAAIX,gBAAqBW,KAAAA,SAAAA,EAAWN,cAAeK,CAAAA,OAAO,GAAGV,gBAAAA;AAC7D,YAAA,IAAID,aAAkBY,KAAAA,SAAAA,EAAWN,cAAeO,CAAAA,IAAI,GAAGb,aAAAA;AACvD,YAAA,IAAIQ,iBAAsBI,KAAAA,SAAAA,EAAWN,cAAeQ,CAAAA,QAAQ,GAAGN,iBAAAA;AAC/D,YAAA,IAAIN,eAAoBU,KAAAA,SAAAA,EAAWN,cAAelC,CAAAA,MAAM,GAAG8B,eAAAA;YAE3D,OAAOI,cAAAA;AACT,SAAA;AACF,KAAA;AAEA,IAAA,MAAMS,oBAAuB,GAAA,CAAC5C,OAAU,GAAA,EAAS,GAAA;QAC/C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAOE,CAAAA,gBAAgB,GAAG,IAAO0C,GAAAA,eAAAA,CAAgB5C,OAAOI,SAAS,CAAA;QAEzF,OAAOE,WAAAA,CAAMC,IAAI;QAEfsC,oBAAelC,CAAAA,gBAAAA,EAAkBd;QAEjCgD,oBAAeC,CAAAA,0BAAAA,EAA4BjD;QAE3CgD,oBAAepD,CAAAA,sBAAAA,CAAuBQ,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA;QAExD1B,cAAS4E,CAAAA,UAAU,CAACC,iBAAiB,CAAC;AACpC1D,YAAAA,MAAAA;AACAE,YAAAA,QAAAA,CAAAA,CAASyD,GAAW,EAAA;gBAClB,OAAO1D,MAAAA,CAAOC,QAAQ,CAACyD,GAAAA,CAAAA;AACzB;AACF,SAAA,CAAA,CAAA;AAEJ,KAAA;AAEA,IAAA,MAAMC,mBAAsB,GAAA,CAACnD,OAAU,GAAA,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAOE,CAAAA,gBAAgB,GAAG,IAAOiD,GAAAA,cAAAA,CAAenD,OAAOI,SAAS,CAAA;QAExF,OAAOE,WAAAA,CAAMC,IAAI;QAEfsC,oBAAelC,CAAAA,gBAAAA,EAAkBd;QAEjCgD,oBAAepD,CAAAA,sBAAAA,CAAuBQ,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA;AAExDuD,QAAAA,gBAAAA,CAAAA;AAEJ,KAAA;AAEA,IAAA,MAAMC,eAAe,CAACC,sBAAAA,GAAAA;AACpB,QAAA,MAAM,EAAEC,mBAAmB,EAAE,GAAGC,4CAA4BpE,CAAAA,SAAAA,CAAAA;;;AAI5D,QAAA,MAAMqE,eAAkB,GAAA,OAAOC,IAAe3D,EAAAA,OAAAA,GAAU,EAAS,GAAA;AAC/D,YAAA,IAAI4D,WAAQD,IAAO,CAAA,EAAA;gBACjB,OAAOrB,OAAAA,CAAQC,GAAG,CAACoB,IAAAA,CAAKE,GAAG,CAAC,CAACC,MAAoBJ,GAAAA,eAAAA,CAAgBI,MAAQ9D,EAAAA,OAAAA,CAAAA,CAAAA,CAAAA;AAC3E;YAEA,MAAM,EAAE+D,OAAO,EAAE3E,MAAAA,EAAQ4E,cAAc,EAAE,GAAGC,kBAAkBN,IAAM3D,EAAAA,OAAAA,CAAAA;YAEpE,MAAM,EAAEE,eAAe,EAAEgE,uBAAuB,EAAE/D,gBAAgB,EAAE,GAAGqD,mBAAAA,CACrEQ,cACAD,EAAAA,OAAAA,CAAAA;AAGF,YAAA,MAAMI,eAAkB,GAAA;AACtB,gBAAA,GAAGnE,OAAO;gBACVC,MAAQ,EAAA;AACNE,oBAAAA,gBAAAA;oBACAE,SAAWH,EAAAA,eAAAA;AACXgE,oBAAAA;AACF;AACF,aAAA;AAEA,YAAA,MAAME,mBAAmBb,sBAAuBY,CAAAA,eAAAA,CAAAA;AAEhD,YAAA,OAAOC,gBAAiBT,CAAAA,IAAAA,CAAAA;AAC1B,SAAA;QAEA,OAAOD,eAAAA;AACT,KAAA;IAEA,MAAMO,iBAAAA,GAAoB,CAACN,IAAW3D,EAAAA,OAAAA,GAAAA;AACpC,QAAA,OAAOqE,WAAS,CAAA;AAAEN,YAAAA,OAAAA,EAASO,gBAAUhF,KAAOqE,EAAAA,IAAAA,CAAAA;AAAOvE,YAAAA;SAAUY,EAAAA,OAAAA,CAAAA;AAC/D,KAAA;AAEA;;MAGA,MAAMqD,mBAAmBkB,OAAK,CAAA;QAAC,CAAGvF,EAAAA,oBAAAA,CAAqB,MAAM,CAAC;QAAE,CAAGC,EAAAA,oBAAAA,CAAqB,MAAM;AAAE,KAAA,CAAA;AAEhG;;MAGA,MAAM2B,gBAAmB,GAAA,CAAC,EAAEC,GAAG,EAAEtB,MAAM,EAAO,EAAE,EAAEwB,MAAM,EAAO,GAAA;QAC7D,MAAMyD,QAAAA,GAAWC,SAAM,KAAO,EAAA;AAAC,YAAA,QAAA;AAAU,YAAA,YAAA;AAAc5D,YAAAA,GAAAA;AAAK,YAAA;SAAS,EAAEtB,MAAAA,CAAAA;AAEvE,QAAA,IAAIiF,QAAU,EAAA;YACZzD,MAAOF,CAAAA,GAAAA,CAAAA;AACT;AACF,KAAA;AAEA;;AAEC,MACD,MAAMkC,0BAAAA,GAA6B,CAAC,EAAE3B,SAAS,EAAEP,GAAG,EAAEC,KAAK,EAAO,EAAE,EAAEa,GAAG,EAAO,GAAA;AAC9E,QAAA,MAAM+C,oBAAoBC,OAAKC,CAAAA,8BAAAA,CAAAA;AAC/B,QAAA,IAAI,CAACxD,SAAW,EAAA;AACd,YAAA;AACF;QAEA,IAAIA,SAAAA,CAAUyD,IAAI,KAAK,UAAA,IAAczD,UAAU0D,MAAM,KAAK,iBAAiBhE,KAAO,EAAA;YAChF,IAAIiE,KAAAA,CAAMnB,OAAO,CAAC9C,KAAQ,CAAA,EAAA;gBACxBa,GAAId,CAAAA,GAAAA,EAAKC,KAAM+C,CAAAA,GAAG,CAACa,iBAAAA,CAAAA,CAAAA;aACd,MAAA;AACL/C,gBAAAA,GAAAA,CAAId,KAAK6D,iBAAkB5D,CAAAA,KAAAA,CAAAA,CAAAA;AAC7B;AACF;AACF,KAAA;AAEA;;AAEC,MACD,MAAMH,6BAAAA,GAAgC,CAAC,EAAEE,GAAG,EAAEO,SAAS,EAAE7B,MAAM,EAAO,EAAE,EAAEwB,MAAM,EAAO,GAAA;QACrF,IAAIxB,MAAAA,CAAO2D,GAAG,KAAK,aAAA,IAAiB9B,aAAa,CAACwD,8BAAAA,CAA0BI,QAAQ,CAACnE,GAAM,CAAA,EAAA;YACzFE,MAAOF,CAAAA,GAAAA,CAAAA;AACT;AACF,KAAA;IAEA,MAAMuC,cAAAA,GAAiB,CAACnD,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAMgF,uBAAuB1G,uBAAwBgB,CAAAA,MAAAA,CAAAA;AACrD,QAAA,MAAM2F,qBAAqBzG,qBAAsBc,CAAAA,MAAAA,CAAAA;QAEjD,MAAM4F,4BAAAA,GAA+BC,gBAAaH,oBAAsBC,EAAAA,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,OAAK,CAAA;AAAIpF,YAAAA,GAAAA,MAAAA;AAAWf,YAAAA,GAAAA,gBAAAA;AAAqBiG,YAAAA,GAAAA;AAA6B,SAAA,CAAA;AAC/E,KAAA;IAEA,MAAMtC,eAAAA,GAAkB,CAAC5C,MAAAA,GAAS,EAAE,GAAA;AAClC,QAAA,MAAMqF,wBAAwB9G,wBAAyBe,CAAAA,MAAAA,CAAAA;AACvD,QAAA,MAAM0F,uBAAuB1G,uBAAwBgB,CAAAA,MAAAA,CAAAA;AAErD,QAAA,OAAO8F,OAAK,CAAA;AACPpF,YAAAA,GAAAA,MAAAA;AACAd,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACAoG,YAAAA,GAAAA,qBAAAA;AACAL,YAAAA,GAAAA,oBAAAA;AACHpG,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,KAAA;IAEA,MAAMsB,cAAAA,GAAiB,CAACH,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAMgF,uBAAuB1G,uBAAwBgB,CAAAA,MAAAA,CAAAA;AACrD,QAAA,MAAM2F,qBAAqBzG,qBAAsBc,CAAAA,MAAAA,CAAAA;QAEjD,MAAM4F,4BAAAA,GAA+BC,gBAAaH,oBAAsBC,EAAAA,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,OAAK,CAAA;AACPpF,YAAAA,GAAAA,MAAAA;AACAd,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACAiG,YAAAA,GAAAA,4BAAAA;AACHtG,YAAAA,oBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA,sBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,KAAA;IAEA,OAAO;AACLsG,QAAAA,cAAAA,EAAgBjC,YAAaV,CAAAA,oBAAAA,CAAAA;AAC7B4C,QAAAA,aAAAA,EAAelC,YAAaH,CAAAA,mBAAAA,CAAAA;AAC5BsC,QAAAA,aAAAA,EAAenC,YAAavD,CAAAA,mBAAAA;AAC9B,KAAA;AACF,CAAA;;;;"}
1	+ {"version":3,"file":"sanitize.js","sources":["../../../../../../../server/src/services/permission/permissions-manager/sanitize.ts"],"sourcesContent":["import { subject as asSubject } from '@casl/ability';\nimport {\n defaults,\n omit,\n isArray,\n isEmpty,\n uniq,\n intersection,\n pick,\n getOr,\n isObject,\n cloneDeep,\n} from 'lodash/fp';\n\nimport type { UID } from '@strapi/types';\n\nimport {\n contentTypes,\n traverseEntity,\n sanitize,\n async,\n traverse,\n createModelCache,\n} from '@strapi/utils';\nimport { createPermissionFieldsCache } from './permission-fields';\nimport { ADMIN_USER_ALLOWED_FIELDS } from '../../../domain/user';\n\nconst {\n visitors: { removePassword, expandWildcardPopulate },\n} = sanitize;\n\nconst {\n constants,\n isScalarAttribute,\n getNonVisibleAttributes,\n getNonWritableAttributes,\n getWritableAttributes,\n} = contentTypes;\nconst {\n ID_ATTRIBUTE,\n DOC_ID_ATTRIBUTE,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n} = constants;\n\nconst COMPONENT_FIELDS = ['__component'];\nconst STATIC_FIELDS = [ID_ATTRIBUTE, DOC_ID_ATTRIBUTE];\n\nexport default ({ action, ability, model }: any) => {\n const schema = strapi.getModel(model);\n\n const { removeDisallowedFields } = sanitize.visitors;\n\n // Create request-scoped model cache to avoid redundant getModel() calls\n const modelCache = createModelCache(strapi.getModel.bind(strapi));\n\n const ctx = {\n schema,\n getModel: modelCache.getModel,\n };\n\n const createSanitizeQuery = (options = {} as any) => {\n const { fields } = options;\n\n // TODO: sanitize relations to admin users in all sanitizers\n const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);\n\n const createSanitizeFilters = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFilters(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFilters(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQueryFilters(omitHiddenFields, ctx),\n traverse.traverseQueryFilters(removePassword, ctx),\n traverse.traverseQueryFilters(({ key, value }, { remove }) => {\n if (isObject(value) && isEmpty(value)) {\n remove(key);\n }\n }, ctx)\n );\n\n const createSanitizeSort = (ctx: any) =>\n async.pipe(\n traverse.traverseQuerySort(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQuerySort(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQuerySort(omitHiddenFields, ctx),\n traverse.traverseQuerySort(removePassword, ctx),\n traverse.traverseQuerySort(({ key, attribute, value }, { remove }) => {\n if (!isScalarAttribute(attribute) && isEmpty(value)) {\n remove(key);\n }\n }, ctx)\n );\n\n const createSanitizeFields = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFields(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFields(omitHiddenFields, ctx),\n traverse.traverseQueryFields(removePassword, ctx)\n );\n\n const sanitizeFilters = createSanitizeFilters(ctx);\n const sanitizeSort = createSanitizeSort(ctx);\n const sanitizeFields = createSanitizeFields(ctx);\n\n /** Sanitize nested filters, sort, and fields inside populate. /\n const sanitizeNestedPopulate = async (\n { key, value, schema, attribute, getModel }: any,\n { set }: any\n ) => {\n if (attribute) {\n return;\n }\n\n const nestedCtx = { schema, getModel };\n\n if (key === 'sort') {\n const sanitizedSort = await createSanitizeSort(nestedCtx)(value);\n set(key, sanitizedSort);\n }\n\n if (key === 'filters') {\n const sanitizedFilters = await createSanitizeFilters(nestedCtx)(value);\n set(key, sanitizedFilters);\n }\n\n if (key === 'fields') {\n const sanitizedFields = await createSanitizeFields(nestedCtx)(value);\n set(key, sanitizedFields);\n }\n };\n\n const sanitizePopulate = async.pipe(\n traverse.traverseQueryPopulate(expandWildcardPopulate, ctx),\n traverse.traverseQueryPopulate(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryPopulate(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQueryPopulate(omitHiddenFields, ctx),\n traverse.traverseQueryPopulate(removePassword, ctx),\n traverse.traverseQueryPopulate(sanitizeNestedPopulate, ctx)\n );\n\n return async (query: any) => {\n const sanitizedQuery = cloneDeep(query);\n\n const [sanitizedFilters, sanitizedSort, sanitizedPopulate, sanitizedFields] =\n await Promise.all([\n query.filters ? sanitizeFilters(query.filters) : undefined,\n query.sort ? sanitizeSort(query.sort) : undefined,\n query.populate ? sanitizePopulate(query.populate) : undefined,\n query.fields ? sanitizeFields(query.fields) : undefined,\n ]);\n\n if (sanitizedFilters !== undefined) sanitizedQuery.filters = sanitizedFilters;\n if (sanitizedSort !== undefined) sanitizedQuery.sort = sanitizedSort;\n if (sanitizedPopulate !== undefined) sanitizedQuery.populate = sanitizedPopulate;\n if (sanitizedFields !== undefined) sanitizedQuery.fields = sanitizedFields;\n\n return sanitizedQuery;\n };\n };\n\n const createSanitizeOutput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getOutputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(omitHiddenFields, ctx),\n // Remove unallowed fields from admin::user relations\n traverseEntity(pickAllowedAdminUserFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(removeDisallowedFields(permittedFields), ctx),\n // Remove all fields of type 'password'\n sanitize.sanitizers.sanitizePasswords({\n schema,\n getModel(uid: string) {\n return strapi.getModel(uid as UID.Schema);\n },\n })\n );\n };\n\n const createSanitizeInput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(omitHiddenFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(removeDisallowedFields(permittedFields), ctx),\n // Remove roles from createdBy & updatedBy fields\n omitCreatorRoles\n );\n };\n\n const wrapSanitize = (createSanitizeFunction: any) => {\n const { getPermissionFields } = createPermissionFieldsCache(ability);\n\n // TODO\n // @ts-expect-error define the correct return type\n const wrappedSanitize = async (data: unknown, options = {} as any) => {\n if (isArray(data)) {\n return Promise.all(data.map((entity: unknown) => wrappedSanitize(entity, options)));\n }\n\n const { subject, action: actionOverride } = getDefaultOptions(data, options);\n\n const { permittedFields, hasAtLeastOneRegistered, shouldIncludeAll } = getPermissionFields(\n actionOverride,\n subject\n );\n\n const sanitizeOptions = {\n ...options,\n fields: {\n shouldIncludeAll,\n permitted: permittedFields,\n hasAtLeastOneRegistered,\n },\n };\n\n const sanitizeFunction = createSanitizeFunction(sanitizeOptions);\n\n return sanitizeFunction(data);\n };\n\n return wrappedSanitize;\n };\n\n const getDefaultOptions = (data: any, options: unknown) => {\n return defaults({ subject: asSubject(model, data), action }, options);\n };\n\n /\n Omit creator fields' (createdBy & updatedBy) roles from the admin API responses\n /\n const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);\n\n /\n Visitor used to remove hidden fields from the admin API responses\n /\n const omitHiddenFields = ({ key, schema }: any, { remove }: any) => {\n const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);\n\n if (isHidden) {\n remove(key);\n }\n };\n\n /\n Visitor used to only select needed fields from the admin users entities & avoid leaking sensitive information\n /\n const pickAllowedAdminUserFields = ({ attribute, key, value }: any, { set }: any) => {\n const pickAllowedFields = pick(ADMIN_USER_ALLOWED_FIELDS);\n if (!attribute) {\n return;\n }\n\n if (attribute.type === 'relation' && attribute.target === 'admin::user' && value) {\n if (Array.isArray(value)) {\n set(key, value.map(pickAllowedFields));\n } else {\n set(key, pickAllowedFields(value));\n }\n }\n };\n\n /\n Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information\n */\n const omitDisallowedAdminUserFields = ({ key, attribute, schema }: any, { remove }: any) => {\n if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {\n remove(key);\n }\n };\n\n const getInputFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([...fields, ...COMPONENT_FIELDS, ...nonVisibleWritableAttributes]);\n };\n\n const getOutputFields = (fields = []) => {\n const nonWritableAttributes = getNonWritableAttributes(schema);\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n ...nonWritableAttributes,\n ...nonVisibleAttributes,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n ]);\n };\n\n const getQueryFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n ...nonVisibleWritableAttributes,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n ]);\n };\n\n return {\n sanitizeOutput: wrapSanitize(createSanitizeOutput),\n sanitizeInput: wrapSanitize(createSanitizeInput),\n sanitizeQuery: wrapSanitize(createSanitizeQuery),\n };\n};\n"],"names":["visitors","removePassword","expandWildcardPopulate","sanitize","constants","isScalarAttribute","getNonVisibleAttributes","getNonWritableAttributes","getWritableAttributes","contentTypes","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","CREATED_AT_ATTRIBUTE","UPDATED_AT_ATTRIBUTE","PUBLISHED_AT_ATTRIBUTE","CREATED_BY_ATTRIBUTE","UPDATED_BY_ATTRIBUTE","COMPONENT_FIELDS","STATIC_FIELDS","action","ability","model","schema","strapi","getModel","removeDisallowedFields","modelCache","createModelCache","bind","ctx","createSanitizeQuery","options","fields","permittedFields","shouldIncludeAll","getQueryFields","permitted","createSanitizeFilters","async","pipe","traverse","traverseQueryFilters","omitDisallowedAdminUserFields","omitHiddenFields","key","value","remove","isObject","isEmpty","createSanitizeSort","traverseQuerySort","attribute","createSanitizeFields","traverseQueryFields","sanitizeFilters","sanitizeSort","sanitizeFields","sanitizeNestedPopulate","set","nestedCtx","sanitizedSort","sanitizedFilters","sanitizedFields","sanitizePopulate","traverseQueryPopulate","query","sanitizedQuery","cloneDeep","sanitizedPopulate","Promise","all","filters","undefined","sort","populate","createSanitizeOutput","getOutputFields","traverseEntity","pickAllowedAdminUserFields","sanitizers","sanitizePasswords","uid","createSanitizeInput","getInputFields","omitCreatorRoles","wrapSanitize","createSanitizeFunction","getPermissionFields","createPermissionFieldsCache","wrappedSanitize","data","isArray","map","entity","subject","actionOverride","getDefaultOptions","hasAtLeastOneRegistered","sanitizeOptions","sanitizeFunction","defaults","asSubject","omit","isHidden","getOr","pickAllowedFields","pick","ADMIN_USER_ALLOWED_FIELDS","type","target","Array","includes","nonVisibleAttributes","writableAttributes","nonVisibleWritableAttributes","intersection","uniq","nonWritableAttributes","sanitizeOutput","sanitizeInput","sanitizeQuery"],"mappings":";;;;;;;;AA2BA,MAAM,EACJA,UAAU,EAAEC,cAAc,EAAEC,sBAAsB,EAAE,EACrD,GAAGC,cAAAA;AAEJ,MAAM,EACJC,SAAS,EACTC,iBAAiB,EACjBC,uBAAuB,EACvBC,wBAAwB,EACxBC,qBAAqB,EACtB,GAAGC,kBAAAA;AACJ,MAAM,EACJC,YAAY,EACZC,gBAAgB,EAChBC,oBAAoB,EACpBC,oBAAoB,EACpBC,sBAAsB,EACtBC,oBAAoB,EACpBC,oBAAoB,EACrB,GAAGZ,SAAAA;AAEJ,MAAMa,gBAAAA,GAAmB;AAAC,IAAA;AAAc,CAAA;AACxC,MAAMC,aAAAA,GAAgB;AAACR,IAAAA,YAAAA;AAAcC,IAAAA;AAAiB,CAAA;AAEtD,4BAAe,CAAA,CAAC,EAAEQ,MAAM,WAAEC,SAAO,EAAEC,KAAK,EAAO,GAAA;IAC7C,MAAMC,MAAAA,GAASC,MAAAA,CAAOC,QAAQ,CAACH,KAAAA,CAAAA;AAE/B,IAAA,MAAM,EAAEI,sBAAsB,EAAE,GAAGtB,eAASH,QAAQ;;AAGpD,IAAA,MAAM0B,aAAaC,sBAAAA,CAAiBJ,MAAAA,CAAOC,QAAQ,CAACI,IAAI,CAACL,MAAAA,CAAAA,CAAAA;AAEzD,IAAA,MAAMM,GAAAA,GAAM;AACVP,QAAAA,MAAAA;AACAE,QAAAA,QAAAA,EAAUE,WAAWF;AACvB,KAAA;AAEA,IAAA,MAAMM,mBAAAA,GAAsB,CAACC,OAAAA,GAAU,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;;AAGnB,QAAA,MAAME,kBAAkBD,MAAAA,CAAOE,gBAAgB,GAAG,IAAA,GAAOC,cAAAA,CAAeH,OAAOI,SAAS,CAAA;AAExF,QAAA,MAAMC,wBAAwB,CAACR,GAAAA,GAC7BS,WAAAA,CAAMC,IAAI,CACRC,cAAAA,CAASC,oBAAoB,CAAChB,sBAAAA,CAAuBQ,kBAAkBJ,GAAAA,CAAAA,EACvEW,cAAAA,CAASC,oBAAoB,CAACC,6BAAAA,EAA+Bb,MAC7DW,cAAAA,CAASC,oBAAoB,CAACE,gBAAAA,EAAkBd,MAChDW,cAAAA,CAASC,oBAAoB,CAACxC,cAAAA,EAAgB4B,GAAAA,CAAAA,EAC9CW,eAASC,oBAAoB,CAAC,CAAC,EAAEG,GAAG,EAAEC,KAAK,EAAE,EAAE,EAAEC,MAAM,EAAE,GAAA;gBACvD,IAAIC,WAAAA,CAASF,KAAAA,CAAAA,IAAUG,UAAAA,CAAQH,KAAAA,CAAAA,EAAQ;oBACrCC,MAAAA,CAAOF,GAAAA,CAAAA;AACT,gBAAA;YACF,CAAA,EAAGf,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMoB,qBAAqB,CAACpB,GAAAA,GAC1BS,YAAMC,IAAI,CACRC,eAASU,iBAAiB,CAACzB,sBAAAA,CAAuBQ,eAAAA,CAAAA,EAAkBJ,MACpEW,cAAAA,CAASU,iBAAiB,CAACR,6BAAAA,EAA+Bb,GAAAA,CAAAA,EAC1DW,eAASU,iBAAiB,CAACP,gBAAAA,EAAkBd,GAAAA,CAAAA,EAC7CW,eAASU,iBAAiB,CAACjD,gBAAgB4B,GAAAA,CAAAA,EAC3CW,cAAAA,CAASU,iBAAiB,CAAC,CAAC,EAAEN,GAAG,EAAEO,SAAS,EAAEN,KAAK,EAAE,EAAE,EAAEC,MAAM,EAAE,GAAA;AAC/D,gBAAA,IAAI,CAACzC,iBAAAA,CAAkB8C,SAAAA,CAAAA,IAAcH,UAAAA,CAAQH,KAAAA,CAAAA,EAAQ;oBACnDC,MAAAA,CAAOF,GAAAA,CAAAA;AACT,gBAAA;YACF,CAAA,EAAGf,GAAAA,CAAAA,CAAAA;QAGP,MAAMuB,oBAAAA,GAAuB,CAACvB,GAAAA,GAC5BS,WAAAA,CAAMC,IAAI,CACRC,cAAAA,CAASa,mBAAmB,CAAC5B,sBAAAA,CAAuBQ,kBAAkBJ,GAAAA,CAAAA,EACtEW,cAAAA,CAASa,mBAAmB,CAACV,gBAAAA,EAAkBd,MAC/CW,cAAAA,CAASa,mBAAmB,CAACpD,cAAAA,EAAgB4B,GAAAA,CAAAA,CAAAA;AAGjD,QAAA,MAAMyB,kBAAkBjB,qBAAAA,CAAsBR,GAAAA,CAAAA;AAC9C,QAAA,MAAM0B,eAAeN,kBAAAA,CAAmBpB,GAAAA,CAAAA;AACxC,QAAA,MAAM2B,iBAAiBJ,oBAAAA,CAAqBvB,GAAAA,CAAAA;AAE5C,0EACA,MAAM4B,sBAAAA,GAAyB,OAC7B,EAAEb,GAAG,EAAEC,KAAK,EAAEvB,MAAM,EAAE6B,SAAS,EAAE3B,QAAQ,EAAO,EAChD,EAAEkC,GAAG,EAAO,GAAA;AAEZ,YAAA,IAAIP,SAAAA,EAAW;AACb,gBAAA;AACF,YAAA;AAEA,YAAA,MAAMQ,SAAAA,GAAY;AAAErC,gBAAAA,MAAAA;AAAQE,gBAAAA;AAAS,aAAA;AAErC,YAAA,IAAIoB,QAAQ,MAAA,EAAQ;gBAClB,MAAMgB,aAAAA,GAAgB,MAAMX,kBAAAA,CAAmBU,SAAAA,CAAAA,CAAWd,KAAAA,CAAAA;AAC1Da,gBAAAA,GAAAA,CAAId,GAAAA,EAAKgB,aAAAA,CAAAA;AACX,YAAA;AAEA,YAAA,IAAIhB,QAAQ,SAAA,EAAW;gBACrB,MAAMiB,gBAAAA,GAAmB,MAAMxB,qBAAAA,CAAsBsB,SAAAA,CAAAA,CAAWd,KAAAA,CAAAA;AAChEa,gBAAAA,GAAAA,CAAId,GAAAA,EAAKiB,gBAAAA,CAAAA;AACX,YAAA;AAEA,YAAA,IAAIjB,QAAQ,QAAA,EAAU;gBACpB,MAAMkB,eAAAA,GAAkB,MAAMV,oBAAAA,CAAqBO,SAAAA,CAAAA,CAAWd,KAAAA,CAAAA;AAC9Da,gBAAAA,GAAAA,CAAId,GAAAA,EAAKkB,eAAAA,CAAAA;AACX,YAAA;AACF,QAAA,CAAA;AAEA,QAAA,MAAMC,gBAAAA,GAAmBzB,WAAAA,CAAMC,IAAI,CACjCC,eAASwB,qBAAqB,CAAC9D,sBAAAA,EAAwB2B,GAAAA,CAAAA,EACvDW,cAAAA,CAASwB,qBAAqB,CAACvC,sBAAAA,CAAuBQ,kBAAkBJ,GAAAA,CAAAA,EACxEW,cAAAA,CAASwB,qBAAqB,CAACtB,6BAAAA,EAA+Bb,GAAAA,CAAAA,EAC9DW,cAAAA,CAASwB,qBAAqB,CAACrB,gBAAAA,EAAkBd,GAAAA,CAAAA,EACjDW,cAAAA,CAASwB,qBAAqB,CAAC/D,cAAAA,EAAgB4B,GAAAA,CAAAA,EAC/CW,cAAAA,CAASwB,qBAAqB,CAACP,sBAAAA,EAAwB5B,GAAAA,CAAAA,CAAAA;AAGzD,QAAA,OAAO,OAAOoC,KAAAA,GAAAA;AACZ,YAAA,MAAMC,iBAAiBC,YAAAA,CAAUF,KAAAA,CAAAA;YAEjC,MAAM,CAACJ,kBAAkBD,aAAAA,EAAeQ,iBAAAA,EAAmBN,gBAAgB,GACzE,MAAMO,OAAAA,CAAQC,GAAG,CAAC;AAChBL,gBAAAA,KAAAA,CAAMM,OAAO,GAAGjB,eAAAA,CAAgBW,KAAAA,CAAMM,OAAO,CAAA,GAAIC,SAAAA;AACjDP,gBAAAA,KAAAA,CAAMQ,IAAI,GAAGlB,YAAAA,CAAaU,KAAAA,CAAMQ,IAAI,CAAA,GAAID,SAAAA;AACxCP,gBAAAA,KAAAA,CAAMS,QAAQ,GAAGX,gBAAAA,CAAiBE,KAAAA,CAAMS,QAAQ,CAAA,GAAIF,SAAAA;AACpDP,gBAAAA,KAAAA,CAAMjC,MAAM,GAAGwB,cAAAA,CAAeS,KAAAA,CAAMjC,MAAM,CAAA,GAAIwC;AAC/C,aAAA,CAAA;AAEH,YAAA,IAAIX,gBAAAA,KAAqBW,SAAAA,EAAWN,cAAAA,CAAeK,OAAO,GAAGV,gBAAAA;AAC7D,YAAA,IAAID,aAAAA,KAAkBY,SAAAA,EAAWN,cAAAA,CAAeO,IAAI,GAAGb,aAAAA;AACvD,YAAA,IAAIQ,iBAAAA,KAAsBI,SAAAA,EAAWN,cAAAA,CAAeQ,QAAQ,GAAGN,iBAAAA;AAC/D,YAAA,IAAIN,eAAAA,KAAoBU,SAAAA,EAAWN,cAAAA,CAAelC,MAAM,GAAG8B,eAAAA;YAE3D,OAAOI,cAAAA;AACT,QAAA,CAAA;AACF,IAAA,CAAA;AAEA,IAAA,MAAMS,oBAAAA,GAAuB,CAAC5C,OAAAA,GAAU,EAAS,GAAA;QAC/C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAAA,CAAOE,gBAAgB,GAAG,IAAA,GAAO0C,eAAAA,CAAgB5C,OAAOI,SAAS,CAAA;QAEzF,OAAOE,WAAAA,CAAMC,IAAI;QAEfsC,oBAAAA,CAAelC,gBAAAA,EAAkBd;QAEjCgD,oBAAAA,CAAeC,0BAAAA,EAA4BjD;QAE3CgD,oBAAAA,CAAepD,sBAAAA,CAAuBQ,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA;QAExD1B,cAAAA,CAAS4E,UAAU,CAACC,iBAAiB,CAAC;AACpC1D,YAAAA,MAAAA;AACAE,YAAAA,QAAAA,CAAAA,CAASyD,GAAW,EAAA;gBAClB,OAAO1D,MAAAA,CAAOC,QAAQ,CAACyD,GAAAA,CAAAA;AACzB,YAAA;AACF,SAAA,CAAA,CAAA;AAEJ,IAAA,CAAA;AAEA,IAAA,MAAMC,mBAAAA,GAAsB,CAACnD,OAAAA,GAAU,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAAA,CAAOE,gBAAgB,GAAG,IAAA,GAAOiD,cAAAA,CAAenD,OAAOI,SAAS,CAAA;QAExF,OAAOE,WAAAA,CAAMC,IAAI;QAEfsC,oBAAAA,CAAelC,gBAAAA,EAAkBd;QAEjCgD,oBAAAA,CAAepD,sBAAAA,CAAuBQ,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA;AAExDuD,QAAAA,gBAAAA,CAAAA;AAEJ,IAAA,CAAA;AAEA,IAAA,MAAMC,eAAe,CAACC,sBAAAA,GAAAA;AACpB,QAAA,MAAM,EAAEC,mBAAmB,EAAE,GAAGC,4CAAAA,CAA4BpE,SAAAA,CAAAA;;;AAI5D,QAAA,MAAMqE,eAAAA,GAAkB,OAAOC,IAAAA,EAAe3D,OAAAA,GAAU,EAAS,GAAA;AAC/D,YAAA,IAAI4D,WAAQD,IAAAA,CAAAA,EAAO;gBACjB,OAAOrB,OAAAA,CAAQC,GAAG,CAACoB,IAAAA,CAAKE,GAAG,CAAC,CAACC,MAAAA,GAAoBJ,eAAAA,CAAgBI,MAAAA,EAAQ9D,OAAAA,CAAAA,CAAAA,CAAAA;AAC3E,YAAA;YAEA,MAAM,EAAE+D,OAAO,EAAE3E,MAAAA,EAAQ4E,cAAc,EAAE,GAAGC,kBAAkBN,IAAAA,EAAM3D,OAAAA,CAAAA;YAEpE,MAAM,EAAEE,eAAe,EAAEgE,uBAAuB,EAAE/D,gBAAgB,EAAE,GAAGqD,mBAAAA,CACrEQ,cAAAA,EACAD,OAAAA,CAAAA;AAGF,YAAA,MAAMI,eAAAA,GAAkB;AACtB,gBAAA,GAAGnE,OAAO;gBACVC,MAAAA,EAAQ;AACNE,oBAAAA,gBAAAA;oBACAE,SAAAA,EAAWH,eAAAA;AACXgE,oBAAAA;AACF;AACF,aAAA;AAEA,YAAA,MAAME,mBAAmBb,sBAAAA,CAAuBY,eAAAA,CAAAA;AAEhD,YAAA,OAAOC,gBAAAA,CAAiBT,IAAAA,CAAAA;AAC1B,QAAA,CAAA;QAEA,OAAOD,eAAAA;AACT,IAAA,CAAA;IAEA,MAAMO,iBAAAA,GAAoB,CAACN,IAAAA,EAAW3D,OAAAA,GAAAA;AACpC,QAAA,OAAOqE,WAAAA,CAAS;AAAEN,YAAAA,OAAAA,EAASO,gBAAUhF,KAAAA,EAAOqE,IAAAA,CAAAA;AAAOvE,YAAAA;SAAO,EAAGY,OAAAA,CAAAA;AAC/D,IAAA,CAAA;AAEA;;MAGA,MAAMqD,mBAAmBkB,OAAAA,CAAK;QAAC,CAAA,EAAGvF,oBAAAA,CAAqB,MAAM,CAAC;QAAE,CAAA,EAAGC,oBAAAA,CAAqB,MAAM;AAAE,KAAA,CAAA;AAEhG;;MAGA,MAAM2B,gBAAAA,GAAmB,CAAC,EAAEC,GAAG,EAAEtB,MAAM,EAAO,EAAE,EAAEwB,MAAM,EAAO,GAAA;QAC7D,MAAMyD,QAAAA,GAAWC,SAAM,KAAA,EAAO;AAAC,YAAA,QAAA;AAAU,YAAA,YAAA;AAAc5D,YAAAA,GAAAA;AAAK,YAAA;SAAS,EAAEtB,MAAAA,CAAAA;AAEvE,QAAA,IAAIiF,QAAAA,EAAU;YACZzD,MAAAA,CAAOF,GAAAA,CAAAA;AACT,QAAA;AACF,IAAA,CAAA;AAEA;;AAEC,MACD,MAAMkC,0BAAAA,GAA6B,CAAC,EAAE3B,SAAS,EAAEP,GAAG,EAAEC,KAAK,EAAO,EAAE,EAAEa,GAAG,EAAO,GAAA;AAC9E,QAAA,MAAM+C,oBAAoBC,OAAAA,CAAKC,8BAAAA,CAAAA;AAC/B,QAAA,IAAI,CAACxD,SAAAA,EAAW;AACd,YAAA;AACF,QAAA;QAEA,IAAIA,SAAAA,CAAUyD,IAAI,KAAK,UAAA,IAAczD,UAAU0D,MAAM,KAAK,iBAAiBhE,KAAAA,EAAO;YAChF,IAAIiE,KAAAA,CAAMnB,OAAO,CAAC9C,KAAAA,CAAAA,EAAQ;gBACxBa,GAAAA,CAAId,GAAAA,EAAKC,KAAAA,CAAM+C,GAAG,CAACa,iBAAAA,CAAAA,CAAAA;YACrB,CAAA,MAAO;AACL/C,gBAAAA,GAAAA,CAAId,KAAK6D,iBAAAA,CAAkB5D,KAAAA,CAAAA,CAAAA;AAC7B,YAAA;AACF,QAAA;AACF,IAAA,CAAA;AAEA;;AAEC,MACD,MAAMH,6BAAAA,GAAgC,CAAC,EAAEE,GAAG,EAAEO,SAAS,EAAE7B,MAAM,EAAO,EAAE,EAAEwB,MAAM,EAAO,GAAA;QACrF,IAAIxB,MAAAA,CAAO2D,GAAG,KAAK,aAAA,IAAiB9B,aAAa,CAACwD,8BAAAA,CAA0BI,QAAQ,CAACnE,GAAAA,CAAAA,EAAM;YACzFE,MAAAA,CAAOF,GAAAA,CAAAA;AACT,QAAA;AACF,IAAA,CAAA;IAEA,MAAMuC,cAAAA,GAAiB,CAACnD,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAMgF,uBAAuB1G,uBAAAA,CAAwBgB,MAAAA,CAAAA;AACrD,QAAA,MAAM2F,qBAAqBzG,qBAAAA,CAAsBc,MAAAA,CAAAA;QAEjD,MAAM4F,4BAAAA,GAA+BC,gBAAaH,oBAAAA,EAAsBC,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,OAAAA,CAAK;AAAIpF,YAAAA,GAAAA,MAAAA;AAAWf,YAAAA,GAAAA,gBAAAA;AAAqBiG,YAAAA,GAAAA;AAA6B,SAAA,CAAA;AAC/E,IAAA,CAAA;IAEA,MAAMtC,eAAAA,GAAkB,CAAC5C,MAAAA,GAAS,EAAE,GAAA;AAClC,QAAA,MAAMqF,wBAAwB9G,wBAAAA,CAAyBe,MAAAA,CAAAA;AACvD,QAAA,MAAM0F,uBAAuB1G,uBAAAA,CAAwBgB,MAAAA,CAAAA;AAErD,QAAA,OAAO8F,OAAAA,CAAK;AACPpF,YAAAA,GAAAA,MAAAA;AACAd,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACAoG,YAAAA,GAAAA,qBAAAA;AACAL,YAAAA,GAAAA,oBAAAA;AACHpG,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,IAAA,CAAA;IAEA,MAAMsB,cAAAA,GAAiB,CAACH,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAMgF,uBAAuB1G,uBAAAA,CAAwBgB,MAAAA,CAAAA;AACrD,QAAA,MAAM2F,qBAAqBzG,qBAAAA,CAAsBc,MAAAA,CAAAA;QAEjD,MAAM4F,4BAAAA,GAA+BC,gBAAaH,oBAAAA,EAAsBC,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,OAAAA,CAAK;AACPpF,YAAAA,GAAAA,MAAAA;AACAd,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACAiG,YAAAA,GAAAA,4BAAAA;AACHtG,YAAAA,oBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA,sBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,IAAA,CAAA;IAEA,OAAO;AACLsG,QAAAA,cAAAA,EAAgBjC,YAAAA,CAAaV,oBAAAA,CAAAA;AAC7B4C,QAAAA,aAAAA,EAAelC,YAAAA,CAAaH,mBAAAA,CAAAA;AAC5BsC,QAAAA,aAAAA,EAAenC,YAAAA,CAAavD,mBAAAA;AAC9B,KAAA;AACF,CAAA;;;;"}

package/dist/server/server/src/services/permission/permissions-manager/sanitize.mjs CHANGED Viewed

@@ -1,6 +1,6 @@
 import { subject } from '@casl/ability';
-import { omit, isArray, defaults, cloneDeep, getOr, pick, intersection, uniq, isObject, isEmpty } from 'lodash/fp';
-import { sanitize, createModelCache, contentTypes, async, traverse, traverseEntity } from '@strapi/utils';
+import { omit, isArray, defaults, cloneDeep, intersection, uniq, isObject, isEmpty, getOr, pick } from 'lodash/fp';
+import { sanitize, contentTypes, createModelCache, async, traverse, traverseEntity } from '@strapi/utils';
 import { createPermissionFieldsCache } from './permission-fields.mjs';
 import { ADMIN_USER_ALLOWED_FIELDS } from '../../../domain/user.mjs';

package/dist/server/server/src/services/permission/permissions-manager/sanitize.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"sanitize.mjs","sources":["../../../../../../../server/src/services/permission/permissions-manager/sanitize.ts"],"sourcesContent":["import { subject as asSubject } from '@casl/ability';\nimport {\n defaults,\n omit,\n isArray,\n isEmpty,\n uniq,\n intersection,\n pick,\n getOr,\n isObject,\n cloneDeep,\n} from 'lodash/fp';\n\nimport type { UID } from '@strapi/types';\n\nimport {\n contentTypes,\n traverseEntity,\n sanitize,\n async,\n traverse,\n createModelCache,\n} from '@strapi/utils';\nimport { createPermissionFieldsCache } from './permission-fields';\nimport { ADMIN_USER_ALLOWED_FIELDS } from '../../../domain/user';\n\nconst {\n visitors: { removePassword, expandWildcardPopulate },\n} = sanitize;\n\nconst {\n constants,\n isScalarAttribute,\n getNonVisibleAttributes,\n getNonWritableAttributes,\n getWritableAttributes,\n} = contentTypes;\nconst {\n ID_ATTRIBUTE,\n DOC_ID_ATTRIBUTE,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n} = constants;\n\nconst COMPONENT_FIELDS = ['__component'];\nconst STATIC_FIELDS = [ID_ATTRIBUTE, DOC_ID_ATTRIBUTE];\n\nexport default ({ action, ability, model }: any) => {\n const schema = strapi.getModel(model);\n\n const { removeDisallowedFields } = sanitize.visitors;\n\n // Create request-scoped model cache to avoid redundant getModel() calls\n const modelCache = createModelCache(strapi.getModel.bind(strapi));\n\n const ctx = {\n schema,\n getModel: modelCache.getModel,\n };\n\n const createSanitizeQuery = (options = {} as any) => {\n const { fields } = options;\n\n // TODO: sanitize relations to admin users in all sanitizers\n const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);\n\n const createSanitizeFilters = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFilters(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFilters(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQueryFilters(omitHiddenFields, ctx),\n traverse.traverseQueryFilters(removePassword, ctx),\n traverse.traverseQueryFilters(({ key, value }, { remove }) => {\n if (isObject(value) && isEmpty(value)) {\n remove(key);\n }\n }, ctx)\n );\n\n const createSanitizeSort = (ctx: any) =>\n async.pipe(\n traverse.traverseQuerySort(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQuerySort(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQuerySort(omitHiddenFields, ctx),\n traverse.traverseQuerySort(removePassword, ctx),\n traverse.traverseQuerySort(({ key, attribute, value }, { remove }) => {\n if (!isScalarAttribute(attribute) && isEmpty(value)) {\n remove(key);\n }\n }, ctx)\n );\n\n const createSanitizeFields = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFields(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFields(omitHiddenFields, ctx),\n traverse.traverseQueryFields(removePassword, ctx)\n );\n\n const sanitizeFilters = createSanitizeFilters(ctx);\n const sanitizeSort = createSanitizeSort(ctx);\n const sanitizeFields = createSanitizeFields(ctx);\n\n /** Sanitize nested filters, sort, and fields inside populate. /\n const sanitizeNestedPopulate = async (\n { key, value, schema, attribute, getModel }: any,\n { set }: any\n ) => {\n if (attribute) {\n return;\n }\n\n const nestedCtx = { schema, getModel };\n\n if (key === 'sort') {\n const sanitizedSort = await createSanitizeSort(nestedCtx)(value);\n set(key, sanitizedSort);\n }\n\n if (key === 'filters') {\n const sanitizedFilters = await createSanitizeFilters(nestedCtx)(value);\n set(key, sanitizedFilters);\n }\n\n if (key === 'fields') {\n const sanitizedFields = await createSanitizeFields(nestedCtx)(value);\n set(key, sanitizedFields);\n }\n };\n\n const sanitizePopulate = async.pipe(\n traverse.traverseQueryPopulate(expandWildcardPopulate, ctx),\n traverse.traverseQueryPopulate(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryPopulate(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQueryPopulate(omitHiddenFields, ctx),\n traverse.traverseQueryPopulate(removePassword, ctx),\n traverse.traverseQueryPopulate(sanitizeNestedPopulate, ctx)\n );\n\n return async (query: any) => {\n const sanitizedQuery = cloneDeep(query);\n\n const [sanitizedFilters, sanitizedSort, sanitizedPopulate, sanitizedFields] =\n await Promise.all([\n query.filters ? sanitizeFilters(query.filters) : undefined,\n query.sort ? sanitizeSort(query.sort) : undefined,\n query.populate ? sanitizePopulate(query.populate) : undefined,\n query.fields ? sanitizeFields(query.fields) : undefined,\n ]);\n\n if (sanitizedFilters !== undefined) sanitizedQuery.filters = sanitizedFilters;\n if (sanitizedSort !== undefined) sanitizedQuery.sort = sanitizedSort;\n if (sanitizedPopulate !== undefined) sanitizedQuery.populate = sanitizedPopulate;\n if (sanitizedFields !== undefined) sanitizedQuery.fields = sanitizedFields;\n\n return sanitizedQuery;\n };\n };\n\n const createSanitizeOutput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getOutputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(omitHiddenFields, ctx),\n // Remove unallowed fields from admin::user relations\n traverseEntity(pickAllowedAdminUserFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(removeDisallowedFields(permittedFields), ctx),\n // Remove all fields of type 'password'\n sanitize.sanitizers.sanitizePasswords({\n schema,\n getModel(uid: string) {\n return strapi.getModel(uid as UID.Schema);\n },\n })\n );\n };\n\n const createSanitizeInput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(omitHiddenFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(removeDisallowedFields(permittedFields), ctx),\n // Remove roles from createdBy & updatedBy fields\n omitCreatorRoles\n );\n };\n\n const wrapSanitize = (createSanitizeFunction: any) => {\n const { getPermissionFields } = createPermissionFieldsCache(ability);\n\n // TODO\n // @ts-expect-error define the correct return type\n const wrappedSanitize = async (data: unknown, options = {} as any) => {\n if (isArray(data)) {\n return Promise.all(data.map((entity: unknown) => wrappedSanitize(entity, options)));\n }\n\n const { subject, action: actionOverride } = getDefaultOptions(data, options);\n\n const { permittedFields, hasAtLeastOneRegistered, shouldIncludeAll } = getPermissionFields(\n actionOverride,\n subject\n );\n\n const sanitizeOptions = {\n ...options,\n fields: {\n shouldIncludeAll,\n permitted: permittedFields,\n hasAtLeastOneRegistered,\n },\n };\n\n const sanitizeFunction = createSanitizeFunction(sanitizeOptions);\n\n return sanitizeFunction(data);\n };\n\n return wrappedSanitize;\n };\n\n const getDefaultOptions = (data: any, options: unknown) => {\n return defaults({ subject: asSubject(model, data), action }, options);\n };\n\n /\n Omit creator fields' (createdBy & updatedBy) roles from the admin API responses\n /\n const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);\n\n /\n Visitor used to remove hidden fields from the admin API responses\n /\n const omitHiddenFields = ({ key, schema }: any, { remove }: any) => {\n const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);\n\n if (isHidden) {\n remove(key);\n }\n };\n\n /\n Visitor used to only select needed fields from the admin users entities & avoid leaking sensitive information\n /\n const pickAllowedAdminUserFields = ({ attribute, key, value }: any, { set }: any) => {\n const pickAllowedFields = pick(ADMIN_USER_ALLOWED_FIELDS);\n if (!attribute) {\n return;\n }\n\n if (attribute.type === 'relation' && attribute.target === 'admin::user' && value) {\n if (Array.isArray(value)) {\n set(key, value.map(pickAllowedFields));\n } else {\n set(key, pickAllowedFields(value));\n }\n }\n };\n\n /\n Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information\n */\n const omitDisallowedAdminUserFields = ({ key, attribute, schema }: any, { remove }: any) => {\n if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {\n remove(key);\n }\n };\n\n const getInputFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([...fields, ...COMPONENT_FIELDS, ...nonVisibleWritableAttributes]);\n };\n\n const getOutputFields = (fields = []) => {\n const nonWritableAttributes = getNonWritableAttributes(schema);\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n ...nonWritableAttributes,\n ...nonVisibleAttributes,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n ]);\n };\n\n const getQueryFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n ...nonVisibleWritableAttributes,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n ]);\n };\n\n return {\n sanitizeOutput: wrapSanitize(createSanitizeOutput),\n sanitizeInput: wrapSanitize(createSanitizeInput),\n sanitizeQuery: wrapSanitize(createSanitizeQuery),\n };\n};\n"],"names":["visitors","removePassword","expandWildcardPopulate","sanitize","constants","isScalarAttribute","getNonVisibleAttributes","getNonWritableAttributes","getWritableAttributes","contentTypes","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","CREATED_AT_ATTRIBUTE","UPDATED_AT_ATTRIBUTE","PUBLISHED_AT_ATTRIBUTE","CREATED_BY_ATTRIBUTE","UPDATED_BY_ATTRIBUTE","COMPONENT_FIELDS","STATIC_FIELDS","action","ability","model","schema","strapi","getModel","removeDisallowedFields","modelCache","createModelCache","bind","ctx","createSanitizeQuery","options","fields","permittedFields","shouldIncludeAll","getQueryFields","permitted","createSanitizeFilters","async","pipe","traverse","traverseQueryFilters","omitDisallowedAdminUserFields","omitHiddenFields","key","value","remove","isObject","isEmpty","createSanitizeSort","traverseQuerySort","attribute","createSanitizeFields","traverseQueryFields","sanitizeFilters","sanitizeSort","sanitizeFields","sanitizeNestedPopulate","set","nestedCtx","sanitizedSort","sanitizedFilters","sanitizedFields","sanitizePopulate","traverseQueryPopulate","query","sanitizedQuery","cloneDeep","sanitizedPopulate","Promise","all","filters","undefined","sort","populate","createSanitizeOutput","getOutputFields","traverseEntity","pickAllowedAdminUserFields","sanitizers","sanitizePasswords","uid","createSanitizeInput","getInputFields","omitCreatorRoles","wrapSanitize","createSanitizeFunction","getPermissionFields","createPermissionFieldsCache","wrappedSanitize","data","isArray","map","entity","subject","actionOverride","getDefaultOptions","hasAtLeastOneRegistered","sanitizeOptions","sanitizeFunction","defaults","asSubject","omit","isHidden","getOr","pickAllowedFields","pick","ADMIN_USER_ALLOWED_FIELDS","type","target","Array","includes","nonVisibleAttributes","writableAttributes","nonVisibleWritableAttributes","intersection","uniq","nonWritableAttributes","sanitizeOutput","sanitizeInput","sanitizeQuery"],"mappings":";;;;;;AA2BA,MAAM,EACJA,UAAU,EAAEC,cAAc,EAAEC,sBAAsB,EAAE,EACrD,GAAGC,QAAAA;AAEJ,MAAM,EACJC,SAAS,EACTC,iBAAiB,EACjBC,uBAAuB,EACvBC,wBAAwB,EACxBC,qBAAqB,EACtB,GAAGC,YAAAA;AACJ,MAAM,EACJC,YAAY,EACZC,gBAAgB,EAChBC,oBAAoB,EACpBC,oBAAoB,EACpBC,sBAAsB,EACtBC,oBAAoB,EACpBC,oBAAoB,EACrB,GAAGZ,SAAAA;AAEJ,MAAMa,gBAAmB,GAAA;AAAC,IAAA;AAAc,CAAA;AACxC,MAAMC,aAAgB,GAAA;AAACR,IAAAA,YAAAA;AAAcC,IAAAA;AAAiB,CAAA;AAEtD,4BAAe,CAAA,CAAC,EAAEQ,MAAM,EAAEC,OAAO,EAAEC,KAAK,EAAO,GAAA;IAC7C,MAAMC,MAAAA,GAASC,MAAOC,CAAAA,QAAQ,CAACH,KAAAA,CAAAA;AAE/B,IAAA,MAAM,EAAEI,sBAAsB,EAAE,GAAGtB,SAASH,QAAQ;;AAGpD,IAAA,MAAM0B,aAAaC,gBAAiBJ,CAAAA,MAAAA,CAAOC,QAAQ,CAACI,IAAI,CAACL,MAAAA,CAAAA,CAAAA;AAEzD,IAAA,MAAMM,GAAM,GAAA;AACVP,QAAAA,MAAAA;AACAE,QAAAA,QAAAA,EAAUE,WAAWF;AACvB,KAAA;AAEA,IAAA,MAAMM,mBAAsB,GAAA,CAACC,OAAU,GAAA,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;;AAGnB,QAAA,MAAME,kBAAkBD,MAAOE,CAAAA,gBAAgB,GAAG,IAAOC,GAAAA,cAAAA,CAAeH,OAAOI,SAAS,CAAA;AAExF,QAAA,MAAMC,wBAAwB,CAACR,GAAAA,GAC7BS,KAAMC,CAAAA,IAAI,CACRC,QAASC,CAAAA,oBAAoB,CAAChB,sBAAAA,CAAuBQ,kBAAkBJ,GACvEW,CAAAA,EAAAA,QAAAA,CAASC,oBAAoB,CAACC,6BAAAA,EAA+Bb,MAC7DW,QAASC,CAAAA,oBAAoB,CAACE,gBAAAA,EAAkBd,MAChDW,QAASC,CAAAA,oBAAoB,CAACxC,cAAgB4B,EAAAA,GAAAA,CAAAA,EAC9CW,SAASC,oBAAoB,CAAC,CAAC,EAAEG,GAAG,EAAEC,KAAK,EAAE,EAAE,EAAEC,MAAM,EAAE,GAAA;gBACvD,IAAIC,QAAAA,CAASF,KAAUG,CAAAA,IAAAA,OAAAA,CAAQH,KAAQ,CAAA,EAAA;oBACrCC,MAAOF,CAAAA,GAAAA,CAAAA;AACT;aACCf,EAAAA,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMoB,qBAAqB,CAACpB,GAAAA,GAC1BS,MAAMC,IAAI,CACRC,SAASU,iBAAiB,CAACzB,sBAAuBQ,CAAAA,eAAAA,CAAAA,EAAkBJ,MACpEW,QAASU,CAAAA,iBAAiB,CAACR,6BAA+Bb,EAAAA,GAAAA,CAAAA,EAC1DW,SAASU,iBAAiB,CAACP,gBAAkBd,EAAAA,GAAAA,CAAAA,EAC7CW,SAASU,iBAAiB,CAACjD,gBAAgB4B,GAC3CW,CAAAA,EAAAA,QAAAA,CAASU,iBAAiB,CAAC,CAAC,EAAEN,GAAG,EAAEO,SAAS,EAAEN,KAAK,EAAE,EAAE,EAAEC,MAAM,EAAE,GAAA;AAC/D,gBAAA,IAAI,CAACzC,iBAAAA,CAAkB8C,SAAcH,CAAAA,IAAAA,OAAAA,CAAQH,KAAQ,CAAA,EAAA;oBACnDC,MAAOF,CAAAA,GAAAA,CAAAA;AACT;aACCf,EAAAA,GAAAA,CAAAA,CAAAA;QAGP,MAAMuB,oBAAAA,GAAuB,CAACvB,GAC5BS,GAAAA,KAAAA,CAAMC,IAAI,CACRC,QAAAA,CAASa,mBAAmB,CAAC5B,sBAAAA,CAAuBQ,kBAAkBJ,GACtEW,CAAAA,EAAAA,QAAAA,CAASa,mBAAmB,CAACV,gBAAAA,EAAkBd,MAC/CW,QAASa,CAAAA,mBAAmB,CAACpD,cAAgB4B,EAAAA,GAAAA,CAAAA,CAAAA;AAGjD,QAAA,MAAMyB,kBAAkBjB,qBAAsBR,CAAAA,GAAAA,CAAAA;AAC9C,QAAA,MAAM0B,eAAeN,kBAAmBpB,CAAAA,GAAAA,CAAAA;AACxC,QAAA,MAAM2B,iBAAiBJ,oBAAqBvB,CAAAA,GAAAA,CAAAA;AAE5C,0EACA,MAAM4B,sBAAAA,GAAyB,OAC7B,EAAEb,GAAG,EAAEC,KAAK,EAAEvB,MAAM,EAAE6B,SAAS,EAAE3B,QAAQ,EAAO,EAChD,EAAEkC,GAAG,EAAO,GAAA;AAEZ,YAAA,IAAIP,SAAW,EAAA;AACb,gBAAA;AACF;AAEA,YAAA,MAAMQ,SAAY,GAAA;AAAErC,gBAAAA,MAAAA;AAAQE,gBAAAA;AAAS,aAAA;AAErC,YAAA,IAAIoB,QAAQ,MAAQ,EAAA;gBAClB,MAAMgB,aAAAA,GAAgB,MAAMX,kBAAAA,CAAmBU,SAAWd,CAAAA,CAAAA,KAAAA,CAAAA;AAC1Da,gBAAAA,GAAAA,CAAId,GAAKgB,EAAAA,aAAAA,CAAAA;AACX;AAEA,YAAA,IAAIhB,QAAQ,SAAW,EAAA;gBACrB,MAAMiB,gBAAAA,GAAmB,MAAMxB,qBAAAA,CAAsBsB,SAAWd,CAAAA,CAAAA,KAAAA,CAAAA;AAChEa,gBAAAA,GAAAA,CAAId,GAAKiB,EAAAA,gBAAAA,CAAAA;AACX;AAEA,YAAA,IAAIjB,QAAQ,QAAU,EAAA;gBACpB,MAAMkB,eAAAA,GAAkB,MAAMV,oBAAAA,CAAqBO,SAAWd,CAAAA,CAAAA,KAAAA,CAAAA;AAC9Da,gBAAAA,GAAAA,CAAId,GAAKkB,EAAAA,eAAAA,CAAAA;AACX;AACF,SAAA;AAEA,QAAA,MAAMC,gBAAmBzB,GAAAA,KAAAA,CAAMC,IAAI,CACjCC,SAASwB,qBAAqB,CAAC9D,sBAAwB2B,EAAAA,GAAAA,CAAAA,EACvDW,QAASwB,CAAAA,qBAAqB,CAACvC,sBAAAA,CAAuBQ,kBAAkBJ,GACxEW,CAAAA,EAAAA,QAAAA,CAASwB,qBAAqB,CAACtB,6BAA+Bb,EAAAA,GAAAA,CAAAA,EAC9DW,QAASwB,CAAAA,qBAAqB,CAACrB,gBAAkBd,EAAAA,GAAAA,CAAAA,EACjDW,QAASwB,CAAAA,qBAAqB,CAAC/D,cAAgB4B,EAAAA,GAAAA,CAAAA,EAC/CW,QAASwB,CAAAA,qBAAqB,CAACP,sBAAwB5B,EAAAA,GAAAA,CAAAA,CAAAA;AAGzD,QAAA,OAAO,OAAOoC,KAAAA,GAAAA;AACZ,YAAA,MAAMC,iBAAiBC,SAAUF,CAAAA,KAAAA,CAAAA;YAEjC,MAAM,CAACJ,kBAAkBD,aAAeQ,EAAAA,iBAAAA,EAAmBN,gBAAgB,GACzE,MAAMO,OAAQC,CAAAA,GAAG,CAAC;AAChBL,gBAAAA,KAAAA,CAAMM,OAAO,GAAGjB,eAAgBW,CAAAA,KAAAA,CAAMM,OAAO,CAAIC,GAAAA,SAAAA;AACjDP,gBAAAA,KAAAA,CAAMQ,IAAI,GAAGlB,YAAaU,CAAAA,KAAAA,CAAMQ,IAAI,CAAID,GAAAA,SAAAA;AACxCP,gBAAAA,KAAAA,CAAMS,QAAQ,GAAGX,gBAAiBE,CAAAA,KAAAA,CAAMS,QAAQ,CAAIF,GAAAA,SAAAA;AACpDP,gBAAAA,KAAAA,CAAMjC,MAAM,GAAGwB,cAAeS,CAAAA,KAAAA,CAAMjC,MAAM,CAAIwC,GAAAA;AAC/C,aAAA,CAAA;AAEH,YAAA,IAAIX,gBAAqBW,KAAAA,SAAAA,EAAWN,cAAeK,CAAAA,OAAO,GAAGV,gBAAAA;AAC7D,YAAA,IAAID,aAAkBY,KAAAA,SAAAA,EAAWN,cAAeO,CAAAA,IAAI,GAAGb,aAAAA;AACvD,YAAA,IAAIQ,iBAAsBI,KAAAA,SAAAA,EAAWN,cAAeQ,CAAAA,QAAQ,GAAGN,iBAAAA;AAC/D,YAAA,IAAIN,eAAoBU,KAAAA,SAAAA,EAAWN,cAAelC,CAAAA,MAAM,GAAG8B,eAAAA;YAE3D,OAAOI,cAAAA;AACT,SAAA;AACF,KAAA;AAEA,IAAA,MAAMS,oBAAuB,GAAA,CAAC5C,OAAU,GAAA,EAAS,GAAA;QAC/C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAOE,CAAAA,gBAAgB,GAAG,IAAO0C,GAAAA,eAAAA,CAAgB5C,OAAOI,SAAS,CAAA;QAEzF,OAAOE,KAAAA,CAAMC,IAAI;QAEfsC,cAAelC,CAAAA,gBAAAA,EAAkBd;QAEjCgD,cAAeC,CAAAA,0BAAAA,EAA4BjD;QAE3CgD,cAAepD,CAAAA,sBAAAA,CAAuBQ,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA;QAExD1B,QAAS4E,CAAAA,UAAU,CAACC,iBAAiB,CAAC;AACpC1D,YAAAA,MAAAA;AACAE,YAAAA,QAAAA,CAAAA,CAASyD,GAAW,EAAA;gBAClB,OAAO1D,MAAAA,CAAOC,QAAQ,CAACyD,GAAAA,CAAAA;AACzB;AACF,SAAA,CAAA,CAAA;AAEJ,KAAA;AAEA,IAAA,MAAMC,mBAAsB,GAAA,CAACnD,OAAU,GAAA,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAOE,CAAAA,gBAAgB,GAAG,IAAOiD,GAAAA,cAAAA,CAAenD,OAAOI,SAAS,CAAA;QAExF,OAAOE,KAAAA,CAAMC,IAAI;QAEfsC,cAAelC,CAAAA,gBAAAA,EAAkBd;QAEjCgD,cAAepD,CAAAA,sBAAAA,CAAuBQ,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA;AAExDuD,QAAAA,gBAAAA,CAAAA;AAEJ,KAAA;AAEA,IAAA,MAAMC,eAAe,CAACC,sBAAAA,GAAAA;AACpB,QAAA,MAAM,EAAEC,mBAAmB,EAAE,GAAGC,2BAA4BpE,CAAAA,OAAAA,CAAAA;;;AAI5D,QAAA,MAAMqE,eAAkB,GAAA,OAAOC,IAAe3D,EAAAA,OAAAA,GAAU,EAAS,GAAA;AAC/D,YAAA,IAAI4D,QAAQD,IAAO,CAAA,EAAA;gBACjB,OAAOrB,OAAAA,CAAQC,GAAG,CAACoB,IAAAA,CAAKE,GAAG,CAAC,CAACC,MAAoBJ,GAAAA,eAAAA,CAAgBI,MAAQ9D,EAAAA,OAAAA,CAAAA,CAAAA,CAAAA;AAC3E;YAEA,MAAM,EAAE+D,OAAO,EAAE3E,MAAAA,EAAQ4E,cAAc,EAAE,GAAGC,kBAAkBN,IAAM3D,EAAAA,OAAAA,CAAAA;YAEpE,MAAM,EAAEE,eAAe,EAAEgE,uBAAuB,EAAE/D,gBAAgB,EAAE,GAAGqD,mBAAAA,CACrEQ,cACAD,EAAAA,OAAAA,CAAAA;AAGF,YAAA,MAAMI,eAAkB,GAAA;AACtB,gBAAA,GAAGnE,OAAO;gBACVC,MAAQ,EAAA;AACNE,oBAAAA,gBAAAA;oBACAE,SAAWH,EAAAA,eAAAA;AACXgE,oBAAAA;AACF;AACF,aAAA;AAEA,YAAA,MAAME,mBAAmBb,sBAAuBY,CAAAA,eAAAA,CAAAA;AAEhD,YAAA,OAAOC,gBAAiBT,CAAAA,IAAAA,CAAAA;AAC1B,SAAA;QAEA,OAAOD,eAAAA;AACT,KAAA;IAEA,MAAMO,iBAAAA,GAAoB,CAACN,IAAW3D,EAAAA,OAAAA,GAAAA;AACpC,QAAA,OAAOqE,QAAS,CAAA;AAAEN,YAAAA,OAAAA,EAASO,QAAUhF,KAAOqE,EAAAA,IAAAA,CAAAA;AAAOvE,YAAAA;SAAUY,EAAAA,OAAAA,CAAAA;AAC/D,KAAA;AAEA;;MAGA,MAAMqD,mBAAmBkB,IAAK,CAAA;QAAC,CAAGvF,EAAAA,oBAAAA,CAAqB,MAAM,CAAC;QAAE,CAAGC,EAAAA,oBAAAA,CAAqB,MAAM;AAAE,KAAA,CAAA;AAEhG;;MAGA,MAAM2B,gBAAmB,GAAA,CAAC,EAAEC,GAAG,EAAEtB,MAAM,EAAO,EAAE,EAAEwB,MAAM,EAAO,GAAA;QAC7D,MAAMyD,QAAAA,GAAWC,MAAM,KAAO,EAAA;AAAC,YAAA,QAAA;AAAU,YAAA,YAAA;AAAc5D,YAAAA,GAAAA;AAAK,YAAA;SAAS,EAAEtB,MAAAA,CAAAA;AAEvE,QAAA,IAAIiF,QAAU,EAAA;YACZzD,MAAOF,CAAAA,GAAAA,CAAAA;AACT;AACF,KAAA;AAEA;;AAEC,MACD,MAAMkC,0BAAAA,GAA6B,CAAC,EAAE3B,SAAS,EAAEP,GAAG,EAAEC,KAAK,EAAO,EAAE,EAAEa,GAAG,EAAO,GAAA;AAC9E,QAAA,MAAM+C,oBAAoBC,IAAKC,CAAAA,yBAAAA,CAAAA;AAC/B,QAAA,IAAI,CAACxD,SAAW,EAAA;AACd,YAAA;AACF;QAEA,IAAIA,SAAAA,CAAUyD,IAAI,KAAK,UAAA,IAAczD,UAAU0D,MAAM,KAAK,iBAAiBhE,KAAO,EAAA;YAChF,IAAIiE,KAAAA,CAAMnB,OAAO,CAAC9C,KAAQ,CAAA,EAAA;gBACxBa,GAAId,CAAAA,GAAAA,EAAKC,KAAM+C,CAAAA,GAAG,CAACa,iBAAAA,CAAAA,CAAAA;aACd,MAAA;AACL/C,gBAAAA,GAAAA,CAAId,KAAK6D,iBAAkB5D,CAAAA,KAAAA,CAAAA,CAAAA;AAC7B;AACF;AACF,KAAA;AAEA;;AAEC,MACD,MAAMH,6BAAAA,GAAgC,CAAC,EAAEE,GAAG,EAAEO,SAAS,EAAE7B,MAAM,EAAO,EAAE,EAAEwB,MAAM,EAAO,GAAA;QACrF,IAAIxB,MAAAA,CAAO2D,GAAG,KAAK,aAAA,IAAiB9B,aAAa,CAACwD,yBAAAA,CAA0BI,QAAQ,CAACnE,GAAM,CAAA,EAAA;YACzFE,MAAOF,CAAAA,GAAAA,CAAAA;AACT;AACF,KAAA;IAEA,MAAMuC,cAAAA,GAAiB,CAACnD,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAMgF,uBAAuB1G,uBAAwBgB,CAAAA,MAAAA,CAAAA;AACrD,QAAA,MAAM2F,qBAAqBzG,qBAAsBc,CAAAA,MAAAA,CAAAA;QAEjD,MAAM4F,4BAAAA,GAA+BC,aAAaH,oBAAsBC,EAAAA,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,IAAK,CAAA;AAAIpF,YAAAA,GAAAA,MAAAA;AAAWf,YAAAA,GAAAA,gBAAAA;AAAqBiG,YAAAA,GAAAA;AAA6B,SAAA,CAAA;AAC/E,KAAA;IAEA,MAAMtC,eAAAA,GAAkB,CAAC5C,MAAAA,GAAS,EAAE,GAAA;AAClC,QAAA,MAAMqF,wBAAwB9G,wBAAyBe,CAAAA,MAAAA,CAAAA;AACvD,QAAA,MAAM0F,uBAAuB1G,uBAAwBgB,CAAAA,MAAAA,CAAAA;AAErD,QAAA,OAAO8F,IAAK,CAAA;AACPpF,YAAAA,GAAAA,MAAAA;AACAd,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACAoG,YAAAA,GAAAA,qBAAAA;AACAL,YAAAA,GAAAA,oBAAAA;AACHpG,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,KAAA;IAEA,MAAMsB,cAAAA,GAAiB,CAACH,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAMgF,uBAAuB1G,uBAAwBgB,CAAAA,MAAAA,CAAAA;AACrD,QAAA,MAAM2F,qBAAqBzG,qBAAsBc,CAAAA,MAAAA,CAAAA;QAEjD,MAAM4F,4BAAAA,GAA+BC,aAAaH,oBAAsBC,EAAAA,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,IAAK,CAAA;AACPpF,YAAAA,GAAAA,MAAAA;AACAd,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACAiG,YAAAA,GAAAA,4BAAAA;AACHtG,YAAAA,oBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA,sBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,KAAA;IAEA,OAAO;AACLsG,QAAAA,cAAAA,EAAgBjC,YAAaV,CAAAA,oBAAAA,CAAAA;AAC7B4C,QAAAA,aAAAA,EAAelC,YAAaH,CAAAA,mBAAAA,CAAAA;AAC5BsC,QAAAA,aAAAA,EAAenC,YAAavD,CAAAA,mBAAAA;AAC9B,KAAA;AACF,CAAA;;;;"}
1	+ {"version":3,"file":"sanitize.mjs","sources":["../../../../../../../server/src/services/permission/permissions-manager/sanitize.ts"],"sourcesContent":["import { subject as asSubject } from '@casl/ability';\nimport {\n defaults,\n omit,\n isArray,\n isEmpty,\n uniq,\n intersection,\n pick,\n getOr,\n isObject,\n cloneDeep,\n} from 'lodash/fp';\n\nimport type { UID } from '@strapi/types';\n\nimport {\n contentTypes,\n traverseEntity,\n sanitize,\n async,\n traverse,\n createModelCache,\n} from '@strapi/utils';\nimport { createPermissionFieldsCache } from './permission-fields';\nimport { ADMIN_USER_ALLOWED_FIELDS } from '../../../domain/user';\n\nconst {\n visitors: { removePassword, expandWildcardPopulate },\n} = sanitize;\n\nconst {\n constants,\n isScalarAttribute,\n getNonVisibleAttributes,\n getNonWritableAttributes,\n getWritableAttributes,\n} = contentTypes;\nconst {\n ID_ATTRIBUTE,\n DOC_ID_ATTRIBUTE,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n} = constants;\n\nconst COMPONENT_FIELDS = ['__component'];\nconst STATIC_FIELDS = [ID_ATTRIBUTE, DOC_ID_ATTRIBUTE];\n\nexport default ({ action, ability, model }: any) => {\n const schema = strapi.getModel(model);\n\n const { removeDisallowedFields } = sanitize.visitors;\n\n // Create request-scoped model cache to avoid redundant getModel() calls\n const modelCache = createModelCache(strapi.getModel.bind(strapi));\n\n const ctx = {\n schema,\n getModel: modelCache.getModel,\n };\n\n const createSanitizeQuery = (options = {} as any) => {\n const { fields } = options;\n\n // TODO: sanitize relations to admin users in all sanitizers\n const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);\n\n const createSanitizeFilters = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFilters(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFilters(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQueryFilters(omitHiddenFields, ctx),\n traverse.traverseQueryFilters(removePassword, ctx),\n traverse.traverseQueryFilters(({ key, value }, { remove }) => {\n if (isObject(value) && isEmpty(value)) {\n remove(key);\n }\n }, ctx)\n );\n\n const createSanitizeSort = (ctx: any) =>\n async.pipe(\n traverse.traverseQuerySort(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQuerySort(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQuerySort(omitHiddenFields, ctx),\n traverse.traverseQuerySort(removePassword, ctx),\n traverse.traverseQuerySort(({ key, attribute, value }, { remove }) => {\n if (!isScalarAttribute(attribute) && isEmpty(value)) {\n remove(key);\n }\n }, ctx)\n );\n\n const createSanitizeFields = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFields(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFields(omitHiddenFields, ctx),\n traverse.traverseQueryFields(removePassword, ctx)\n );\n\n const sanitizeFilters = createSanitizeFilters(ctx);\n const sanitizeSort = createSanitizeSort(ctx);\n const sanitizeFields = createSanitizeFields(ctx);\n\n /** Sanitize nested filters, sort, and fields inside populate. /\n const sanitizeNestedPopulate = async (\n { key, value, schema, attribute, getModel }: any,\n { set }: any\n ) => {\n if (attribute) {\n return;\n }\n\n const nestedCtx = { schema, getModel };\n\n if (key === 'sort') {\n const sanitizedSort = await createSanitizeSort(nestedCtx)(value);\n set(key, sanitizedSort);\n }\n\n if (key === 'filters') {\n const sanitizedFilters = await createSanitizeFilters(nestedCtx)(value);\n set(key, sanitizedFilters);\n }\n\n if (key === 'fields') {\n const sanitizedFields = await createSanitizeFields(nestedCtx)(value);\n set(key, sanitizedFields);\n }\n };\n\n const sanitizePopulate = async.pipe(\n traverse.traverseQueryPopulate(expandWildcardPopulate, ctx),\n traverse.traverseQueryPopulate(removeDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryPopulate(omitDisallowedAdminUserFields, ctx),\n traverse.traverseQueryPopulate(omitHiddenFields, ctx),\n traverse.traverseQueryPopulate(removePassword, ctx),\n traverse.traverseQueryPopulate(sanitizeNestedPopulate, ctx)\n );\n\n return async (query: any) => {\n const sanitizedQuery = cloneDeep(query);\n\n const [sanitizedFilters, sanitizedSort, sanitizedPopulate, sanitizedFields] =\n await Promise.all([\n query.filters ? sanitizeFilters(query.filters) : undefined,\n query.sort ? sanitizeSort(query.sort) : undefined,\n query.populate ? sanitizePopulate(query.populate) : undefined,\n query.fields ? sanitizeFields(query.fields) : undefined,\n ]);\n\n if (sanitizedFilters !== undefined) sanitizedQuery.filters = sanitizedFilters;\n if (sanitizedSort !== undefined) sanitizedQuery.sort = sanitizedSort;\n if (sanitizedPopulate !== undefined) sanitizedQuery.populate = sanitizedPopulate;\n if (sanitizedFields !== undefined) sanitizedQuery.fields = sanitizedFields;\n\n return sanitizedQuery;\n };\n };\n\n const createSanitizeOutput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getOutputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(omitHiddenFields, ctx),\n // Remove unallowed fields from admin::user relations\n traverseEntity(pickAllowedAdminUserFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(removeDisallowedFields(permittedFields), ctx),\n // Remove all fields of type 'password'\n sanitize.sanitizers.sanitizePasswords({\n schema,\n getModel(uid: string) {\n return strapi.getModel(uid as UID.Schema);\n },\n })\n );\n };\n\n const createSanitizeInput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(omitHiddenFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(removeDisallowedFields(permittedFields), ctx),\n // Remove roles from createdBy & updatedBy fields\n omitCreatorRoles\n );\n };\n\n const wrapSanitize = (createSanitizeFunction: any) => {\n const { getPermissionFields } = createPermissionFieldsCache(ability);\n\n // TODO\n // @ts-expect-error define the correct return type\n const wrappedSanitize = async (data: unknown, options = {} as any) => {\n if (isArray(data)) {\n return Promise.all(data.map((entity: unknown) => wrappedSanitize(entity, options)));\n }\n\n const { subject, action: actionOverride } = getDefaultOptions(data, options);\n\n const { permittedFields, hasAtLeastOneRegistered, shouldIncludeAll } = getPermissionFields(\n actionOverride,\n subject\n );\n\n const sanitizeOptions = {\n ...options,\n fields: {\n shouldIncludeAll,\n permitted: permittedFields,\n hasAtLeastOneRegistered,\n },\n };\n\n const sanitizeFunction = createSanitizeFunction(sanitizeOptions);\n\n return sanitizeFunction(data);\n };\n\n return wrappedSanitize;\n };\n\n const getDefaultOptions = (data: any, options: unknown) => {\n return defaults({ subject: asSubject(model, data), action }, options);\n };\n\n /\n Omit creator fields' (createdBy & updatedBy) roles from the admin API responses\n /\n const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);\n\n /\n Visitor used to remove hidden fields from the admin API responses\n /\n const omitHiddenFields = ({ key, schema }: any, { remove }: any) => {\n const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);\n\n if (isHidden) {\n remove(key);\n }\n };\n\n /\n Visitor used to only select needed fields from the admin users entities & avoid leaking sensitive information\n /\n const pickAllowedAdminUserFields = ({ attribute, key, value }: any, { set }: any) => {\n const pickAllowedFields = pick(ADMIN_USER_ALLOWED_FIELDS);\n if (!attribute) {\n return;\n }\n\n if (attribute.type === 'relation' && attribute.target === 'admin::user' && value) {\n if (Array.isArray(value)) {\n set(key, value.map(pickAllowedFields));\n } else {\n set(key, pickAllowedFields(value));\n }\n }\n };\n\n /\n Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information\n */\n const omitDisallowedAdminUserFields = ({ key, attribute, schema }: any, { remove }: any) => {\n if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {\n remove(key);\n }\n };\n\n const getInputFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([...fields, ...COMPONENT_FIELDS, ...nonVisibleWritableAttributes]);\n };\n\n const getOutputFields = (fields = []) => {\n const nonWritableAttributes = getNonWritableAttributes(schema);\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n ...nonWritableAttributes,\n ...nonVisibleAttributes,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n ]);\n };\n\n const getQueryFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n ...nonVisibleWritableAttributes,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n ]);\n };\n\n return {\n sanitizeOutput: wrapSanitize(createSanitizeOutput),\n sanitizeInput: wrapSanitize(createSanitizeInput),\n sanitizeQuery: wrapSanitize(createSanitizeQuery),\n };\n};\n"],"names":["visitors","removePassword","expandWildcardPopulate","sanitize","constants","isScalarAttribute","getNonVisibleAttributes","getNonWritableAttributes","getWritableAttributes","contentTypes","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","CREATED_AT_ATTRIBUTE","UPDATED_AT_ATTRIBUTE","PUBLISHED_AT_ATTRIBUTE","CREATED_BY_ATTRIBUTE","UPDATED_BY_ATTRIBUTE","COMPONENT_FIELDS","STATIC_FIELDS","action","ability","model","schema","strapi","getModel","removeDisallowedFields","modelCache","createModelCache","bind","ctx","createSanitizeQuery","options","fields","permittedFields","shouldIncludeAll","getQueryFields","permitted","createSanitizeFilters","async","pipe","traverse","traverseQueryFilters","omitDisallowedAdminUserFields","omitHiddenFields","key","value","remove","isObject","isEmpty","createSanitizeSort","traverseQuerySort","attribute","createSanitizeFields","traverseQueryFields","sanitizeFilters","sanitizeSort","sanitizeFields","sanitizeNestedPopulate","set","nestedCtx","sanitizedSort","sanitizedFilters","sanitizedFields","sanitizePopulate","traverseQueryPopulate","query","sanitizedQuery","cloneDeep","sanitizedPopulate","Promise","all","filters","undefined","sort","populate","createSanitizeOutput","getOutputFields","traverseEntity","pickAllowedAdminUserFields","sanitizers","sanitizePasswords","uid","createSanitizeInput","getInputFields","omitCreatorRoles","wrapSanitize","createSanitizeFunction","getPermissionFields","createPermissionFieldsCache","wrappedSanitize","data","isArray","map","entity","subject","actionOverride","getDefaultOptions","hasAtLeastOneRegistered","sanitizeOptions","sanitizeFunction","defaults","asSubject","omit","isHidden","getOr","pickAllowedFields","pick","ADMIN_USER_ALLOWED_FIELDS","type","target","Array","includes","nonVisibleAttributes","writableAttributes","nonVisibleWritableAttributes","intersection","uniq","nonWritableAttributes","sanitizeOutput","sanitizeInput","sanitizeQuery"],"mappings":";;;;;;AA2BA,MAAM,EACJA,UAAU,EAAEC,cAAc,EAAEC,sBAAsB,EAAE,EACrD,GAAGC,QAAAA;AAEJ,MAAM,EACJC,SAAS,EACTC,iBAAiB,EACjBC,uBAAuB,EACvBC,wBAAwB,EACxBC,qBAAqB,EACtB,GAAGC,YAAAA;AACJ,MAAM,EACJC,YAAY,EACZC,gBAAgB,EAChBC,oBAAoB,EACpBC,oBAAoB,EACpBC,sBAAsB,EACtBC,oBAAoB,EACpBC,oBAAoB,EACrB,GAAGZ,SAAAA;AAEJ,MAAMa,gBAAAA,GAAmB;AAAC,IAAA;AAAc,CAAA;AACxC,MAAMC,aAAAA,GAAgB;AAACR,IAAAA,YAAAA;AAAcC,IAAAA;AAAiB,CAAA;AAEtD,4BAAe,CAAA,CAAC,EAAEQ,MAAM,EAAEC,OAAO,EAAEC,KAAK,EAAO,GAAA;IAC7C,MAAMC,MAAAA,GAASC,MAAAA,CAAOC,QAAQ,CAACH,KAAAA,CAAAA;AAE/B,IAAA,MAAM,EAAEI,sBAAsB,EAAE,GAAGtB,SAASH,QAAQ;;AAGpD,IAAA,MAAM0B,aAAaC,gBAAAA,CAAiBJ,MAAAA,CAAOC,QAAQ,CAACI,IAAI,CAACL,MAAAA,CAAAA,CAAAA;AAEzD,IAAA,MAAMM,GAAAA,GAAM;AACVP,QAAAA,MAAAA;AACAE,QAAAA,QAAAA,EAAUE,WAAWF;AACvB,KAAA;AAEA,IAAA,MAAMM,mBAAAA,GAAsB,CAACC,OAAAA,GAAU,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;;AAGnB,QAAA,MAAME,kBAAkBD,MAAAA,CAAOE,gBAAgB,GAAG,IAAA,GAAOC,cAAAA,CAAeH,OAAOI,SAAS,CAAA;AAExF,QAAA,MAAMC,wBAAwB,CAACR,GAAAA,GAC7BS,KAAAA,CAAMC,IAAI,CACRC,QAAAA,CAASC,oBAAoB,CAAChB,sBAAAA,CAAuBQ,kBAAkBJ,GAAAA,CAAAA,EACvEW,QAAAA,CAASC,oBAAoB,CAACC,6BAAAA,EAA+Bb,MAC7DW,QAAAA,CAASC,oBAAoB,CAACE,gBAAAA,EAAkBd,MAChDW,QAAAA,CAASC,oBAAoB,CAACxC,cAAAA,EAAgB4B,GAAAA,CAAAA,EAC9CW,SAASC,oBAAoB,CAAC,CAAC,EAAEG,GAAG,EAAEC,KAAK,EAAE,EAAE,EAAEC,MAAM,EAAE,GAAA;gBACvD,IAAIC,QAAAA,CAASF,KAAAA,CAAAA,IAAUG,OAAAA,CAAQH,KAAAA,CAAAA,EAAQ;oBACrCC,MAAAA,CAAOF,GAAAA,CAAAA;AACT,gBAAA;YACF,CAAA,EAAGf,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMoB,qBAAqB,CAACpB,GAAAA,GAC1BS,MAAMC,IAAI,CACRC,SAASU,iBAAiB,CAACzB,sBAAAA,CAAuBQ,eAAAA,CAAAA,EAAkBJ,MACpEW,QAAAA,CAASU,iBAAiB,CAACR,6BAAAA,EAA+Bb,GAAAA,CAAAA,EAC1DW,SAASU,iBAAiB,CAACP,gBAAAA,EAAkBd,GAAAA,CAAAA,EAC7CW,SAASU,iBAAiB,CAACjD,gBAAgB4B,GAAAA,CAAAA,EAC3CW,QAAAA,CAASU,iBAAiB,CAAC,CAAC,EAAEN,GAAG,EAAEO,SAAS,EAAEN,KAAK,EAAE,EAAE,EAAEC,MAAM,EAAE,GAAA;AAC/D,gBAAA,IAAI,CAACzC,iBAAAA,CAAkB8C,SAAAA,CAAAA,IAAcH,OAAAA,CAAQH,KAAAA,CAAAA,EAAQ;oBACnDC,MAAAA,CAAOF,GAAAA,CAAAA;AACT,gBAAA;YACF,CAAA,EAAGf,GAAAA,CAAAA,CAAAA;QAGP,MAAMuB,oBAAAA,GAAuB,CAACvB,GAAAA,GAC5BS,KAAAA,CAAMC,IAAI,CACRC,QAAAA,CAASa,mBAAmB,CAAC5B,sBAAAA,CAAuBQ,kBAAkBJ,GAAAA,CAAAA,EACtEW,QAAAA,CAASa,mBAAmB,CAACV,gBAAAA,EAAkBd,MAC/CW,QAAAA,CAASa,mBAAmB,CAACpD,cAAAA,EAAgB4B,GAAAA,CAAAA,CAAAA;AAGjD,QAAA,MAAMyB,kBAAkBjB,qBAAAA,CAAsBR,GAAAA,CAAAA;AAC9C,QAAA,MAAM0B,eAAeN,kBAAAA,CAAmBpB,GAAAA,CAAAA;AACxC,QAAA,MAAM2B,iBAAiBJ,oBAAAA,CAAqBvB,GAAAA,CAAAA;AAE5C,0EACA,MAAM4B,sBAAAA,GAAyB,OAC7B,EAAEb,GAAG,EAAEC,KAAK,EAAEvB,MAAM,EAAE6B,SAAS,EAAE3B,QAAQ,EAAO,EAChD,EAAEkC,GAAG,EAAO,GAAA;AAEZ,YAAA,IAAIP,SAAAA,EAAW;AACb,gBAAA;AACF,YAAA;AAEA,YAAA,MAAMQ,SAAAA,GAAY;AAAErC,gBAAAA,MAAAA;AAAQE,gBAAAA;AAAS,aAAA;AAErC,YAAA,IAAIoB,QAAQ,MAAA,EAAQ;gBAClB,MAAMgB,aAAAA,GAAgB,MAAMX,kBAAAA,CAAmBU,SAAAA,CAAAA,CAAWd,KAAAA,CAAAA;AAC1Da,gBAAAA,GAAAA,CAAId,GAAAA,EAAKgB,aAAAA,CAAAA;AACX,YAAA;AAEA,YAAA,IAAIhB,QAAQ,SAAA,EAAW;gBACrB,MAAMiB,gBAAAA,GAAmB,MAAMxB,qBAAAA,CAAsBsB,SAAAA,CAAAA,CAAWd,KAAAA,CAAAA;AAChEa,gBAAAA,GAAAA,CAAId,GAAAA,EAAKiB,gBAAAA,CAAAA;AACX,YAAA;AAEA,YAAA,IAAIjB,QAAQ,QAAA,EAAU;gBACpB,MAAMkB,eAAAA,GAAkB,MAAMV,oBAAAA,CAAqBO,SAAAA,CAAAA,CAAWd,KAAAA,CAAAA;AAC9Da,gBAAAA,GAAAA,CAAId,GAAAA,EAAKkB,eAAAA,CAAAA;AACX,YAAA;AACF,QAAA,CAAA;AAEA,QAAA,MAAMC,gBAAAA,GAAmBzB,KAAAA,CAAMC,IAAI,CACjCC,SAASwB,qBAAqB,CAAC9D,sBAAAA,EAAwB2B,GAAAA,CAAAA,EACvDW,QAAAA,CAASwB,qBAAqB,CAACvC,sBAAAA,CAAuBQ,kBAAkBJ,GAAAA,CAAAA,EACxEW,QAAAA,CAASwB,qBAAqB,CAACtB,6BAAAA,EAA+Bb,GAAAA,CAAAA,EAC9DW,QAAAA,CAASwB,qBAAqB,CAACrB,gBAAAA,EAAkBd,GAAAA,CAAAA,EACjDW,QAAAA,CAASwB,qBAAqB,CAAC/D,cAAAA,EAAgB4B,GAAAA,CAAAA,EAC/CW,QAAAA,CAASwB,qBAAqB,CAACP,sBAAAA,EAAwB5B,GAAAA,CAAAA,CAAAA;AAGzD,QAAA,OAAO,OAAOoC,KAAAA,GAAAA;AACZ,YAAA,MAAMC,iBAAiBC,SAAAA,CAAUF,KAAAA,CAAAA;YAEjC,MAAM,CAACJ,kBAAkBD,aAAAA,EAAeQ,iBAAAA,EAAmBN,gBAAgB,GACzE,MAAMO,OAAAA,CAAQC,GAAG,CAAC;AAChBL,gBAAAA,KAAAA,CAAMM,OAAO,GAAGjB,eAAAA,CAAgBW,KAAAA,CAAMM,OAAO,CAAA,GAAIC,SAAAA;AACjDP,gBAAAA,KAAAA,CAAMQ,IAAI,GAAGlB,YAAAA,CAAaU,KAAAA,CAAMQ,IAAI,CAAA,GAAID,SAAAA;AACxCP,gBAAAA,KAAAA,CAAMS,QAAQ,GAAGX,gBAAAA,CAAiBE,KAAAA,CAAMS,QAAQ,CAAA,GAAIF,SAAAA;AACpDP,gBAAAA,KAAAA,CAAMjC,MAAM,GAAGwB,cAAAA,CAAeS,KAAAA,CAAMjC,MAAM,CAAA,GAAIwC;AAC/C,aAAA,CAAA;AAEH,YAAA,IAAIX,gBAAAA,KAAqBW,SAAAA,EAAWN,cAAAA,CAAeK,OAAO,GAAGV,gBAAAA;AAC7D,YAAA,IAAID,aAAAA,KAAkBY,SAAAA,EAAWN,cAAAA,CAAeO,IAAI,GAAGb,aAAAA;AACvD,YAAA,IAAIQ,iBAAAA,KAAsBI,SAAAA,EAAWN,cAAAA,CAAeQ,QAAQ,GAAGN,iBAAAA;AAC/D,YAAA,IAAIN,eAAAA,KAAoBU,SAAAA,EAAWN,cAAAA,CAAelC,MAAM,GAAG8B,eAAAA;YAE3D,OAAOI,cAAAA;AACT,QAAA,CAAA;AACF,IAAA,CAAA;AAEA,IAAA,MAAMS,oBAAAA,GAAuB,CAAC5C,OAAAA,GAAU,EAAS,GAAA;QAC/C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAAA,CAAOE,gBAAgB,GAAG,IAAA,GAAO0C,eAAAA,CAAgB5C,OAAOI,SAAS,CAAA;QAEzF,OAAOE,KAAAA,CAAMC,IAAI;QAEfsC,cAAAA,CAAelC,gBAAAA,EAAkBd;QAEjCgD,cAAAA,CAAeC,0BAAAA,EAA4BjD;QAE3CgD,cAAAA,CAAepD,sBAAAA,CAAuBQ,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA;QAExD1B,QAAAA,CAAS4E,UAAU,CAACC,iBAAiB,CAAC;AACpC1D,YAAAA,MAAAA;AACAE,YAAAA,QAAAA,CAAAA,CAASyD,GAAW,EAAA;gBAClB,OAAO1D,MAAAA,CAAOC,QAAQ,CAACyD,GAAAA,CAAAA;AACzB,YAAA;AACF,SAAA,CAAA,CAAA;AAEJ,IAAA,CAAA;AAEA,IAAA,MAAMC,mBAAAA,GAAsB,CAACnD,OAAAA,GAAU,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAAA,CAAOE,gBAAgB,GAAG,IAAA,GAAOiD,cAAAA,CAAenD,OAAOI,SAAS,CAAA;QAExF,OAAOE,KAAAA,CAAMC,IAAI;QAEfsC,cAAAA,CAAelC,gBAAAA,EAAkBd;QAEjCgD,cAAAA,CAAepD,sBAAAA,CAAuBQ,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA;AAExDuD,QAAAA,gBAAAA,CAAAA;AAEJ,IAAA,CAAA;AAEA,IAAA,MAAMC,eAAe,CAACC,sBAAAA,GAAAA;AACpB,QAAA,MAAM,EAAEC,mBAAmB,EAAE,GAAGC,2BAAAA,CAA4BpE,OAAAA,CAAAA;;;AAI5D,QAAA,MAAMqE,eAAAA,GAAkB,OAAOC,IAAAA,EAAe3D,OAAAA,GAAU,EAAS,GAAA;AAC/D,YAAA,IAAI4D,QAAQD,IAAAA,CAAAA,EAAO;gBACjB,OAAOrB,OAAAA,CAAQC,GAAG,CAACoB,IAAAA,CAAKE,GAAG,CAAC,CAACC,MAAAA,GAAoBJ,eAAAA,CAAgBI,MAAAA,EAAQ9D,OAAAA,CAAAA,CAAAA,CAAAA;AAC3E,YAAA;YAEA,MAAM,EAAE+D,OAAO,EAAE3E,MAAAA,EAAQ4E,cAAc,EAAE,GAAGC,kBAAkBN,IAAAA,EAAM3D,OAAAA,CAAAA;YAEpE,MAAM,EAAEE,eAAe,EAAEgE,uBAAuB,EAAE/D,gBAAgB,EAAE,GAAGqD,mBAAAA,CACrEQ,cAAAA,EACAD,OAAAA,CAAAA;AAGF,YAAA,MAAMI,eAAAA,GAAkB;AACtB,gBAAA,GAAGnE,OAAO;gBACVC,MAAAA,EAAQ;AACNE,oBAAAA,gBAAAA;oBACAE,SAAAA,EAAWH,eAAAA;AACXgE,oBAAAA;AACF;AACF,aAAA;AAEA,YAAA,MAAME,mBAAmBb,sBAAAA,CAAuBY,eAAAA,CAAAA;AAEhD,YAAA,OAAOC,gBAAAA,CAAiBT,IAAAA,CAAAA;AAC1B,QAAA,CAAA;QAEA,OAAOD,eAAAA;AACT,IAAA,CAAA;IAEA,MAAMO,iBAAAA,GAAoB,CAACN,IAAAA,EAAW3D,OAAAA,GAAAA;AACpC,QAAA,OAAOqE,QAAAA,CAAS;AAAEN,YAAAA,OAAAA,EAASO,QAAUhF,KAAAA,EAAOqE,IAAAA,CAAAA;AAAOvE,YAAAA;SAAO,EAAGY,OAAAA,CAAAA;AAC/D,IAAA,CAAA;AAEA;;MAGA,MAAMqD,mBAAmBkB,IAAAA,CAAK;QAAC,CAAA,EAAGvF,oBAAAA,CAAqB,MAAM,CAAC;QAAE,CAAA,EAAGC,oBAAAA,CAAqB,MAAM;AAAE,KAAA,CAAA;AAEhG;;MAGA,MAAM2B,gBAAAA,GAAmB,CAAC,EAAEC,GAAG,EAAEtB,MAAM,EAAO,EAAE,EAAEwB,MAAM,EAAO,GAAA;QAC7D,MAAMyD,QAAAA,GAAWC,MAAM,KAAA,EAAO;AAAC,YAAA,QAAA;AAAU,YAAA,YAAA;AAAc5D,YAAAA,GAAAA;AAAK,YAAA;SAAS,EAAEtB,MAAAA,CAAAA;AAEvE,QAAA,IAAIiF,QAAAA,EAAU;YACZzD,MAAAA,CAAOF,GAAAA,CAAAA;AACT,QAAA;AACF,IAAA,CAAA;AAEA;;AAEC,MACD,MAAMkC,0BAAAA,GAA6B,CAAC,EAAE3B,SAAS,EAAEP,GAAG,EAAEC,KAAK,EAAO,EAAE,EAAEa,GAAG,EAAO,GAAA;AAC9E,QAAA,MAAM+C,oBAAoBC,IAAAA,CAAKC,yBAAAA,CAAAA;AAC/B,QAAA,IAAI,CAACxD,SAAAA,EAAW;AACd,YAAA;AACF,QAAA;QAEA,IAAIA,SAAAA,CAAUyD,IAAI,KAAK,UAAA,IAAczD,UAAU0D,MAAM,KAAK,iBAAiBhE,KAAAA,EAAO;YAChF,IAAIiE,KAAAA,CAAMnB,OAAO,CAAC9C,KAAAA,CAAAA,EAAQ;gBACxBa,GAAAA,CAAId,GAAAA,EAAKC,KAAAA,CAAM+C,GAAG,CAACa,iBAAAA,CAAAA,CAAAA;YACrB,CAAA,MAAO;AACL/C,gBAAAA,GAAAA,CAAId,KAAK6D,iBAAAA,CAAkB5D,KAAAA,CAAAA,CAAAA;AAC7B,YAAA;AACF,QAAA;AACF,IAAA,CAAA;AAEA;;AAEC,MACD,MAAMH,6BAAAA,GAAgC,CAAC,EAAEE,GAAG,EAAEO,SAAS,EAAE7B,MAAM,EAAO,EAAE,EAAEwB,MAAM,EAAO,GAAA;QACrF,IAAIxB,MAAAA,CAAO2D,GAAG,KAAK,aAAA,IAAiB9B,aAAa,CAACwD,yBAAAA,CAA0BI,QAAQ,CAACnE,GAAAA,CAAAA,EAAM;YACzFE,MAAAA,CAAOF,GAAAA,CAAAA;AACT,QAAA;AACF,IAAA,CAAA;IAEA,MAAMuC,cAAAA,GAAiB,CAACnD,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAMgF,uBAAuB1G,uBAAAA,CAAwBgB,MAAAA,CAAAA;AACrD,QAAA,MAAM2F,qBAAqBzG,qBAAAA,CAAsBc,MAAAA,CAAAA;QAEjD,MAAM4F,4BAAAA,GAA+BC,aAAaH,oBAAAA,EAAsBC,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,IAAAA,CAAK;AAAIpF,YAAAA,GAAAA,MAAAA;AAAWf,YAAAA,GAAAA,gBAAAA;AAAqBiG,YAAAA,GAAAA;AAA6B,SAAA,CAAA;AAC/E,IAAA,CAAA;IAEA,MAAMtC,eAAAA,GAAkB,CAAC5C,MAAAA,GAAS,EAAE,GAAA;AAClC,QAAA,MAAMqF,wBAAwB9G,wBAAAA,CAAyBe,MAAAA,CAAAA;AACvD,QAAA,MAAM0F,uBAAuB1G,uBAAAA,CAAwBgB,MAAAA,CAAAA;AAErD,QAAA,OAAO8F,IAAAA,CAAK;AACPpF,YAAAA,GAAAA,MAAAA;AACAd,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACAoG,YAAAA,GAAAA,qBAAAA;AACAL,YAAAA,GAAAA,oBAAAA;AACHpG,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,IAAA,CAAA;IAEA,MAAMsB,cAAAA,GAAiB,CAACH,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAMgF,uBAAuB1G,uBAAAA,CAAwBgB,MAAAA,CAAAA;AACrD,QAAA,MAAM2F,qBAAqBzG,qBAAAA,CAAsBc,MAAAA,CAAAA;QAEjD,MAAM4F,4BAAAA,GAA+BC,aAAaH,oBAAAA,EAAsBC,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,IAAAA,CAAK;AACPpF,YAAAA,GAAAA,MAAAA;AACAd,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACAiG,YAAAA,GAAAA,4BAAAA;AACHtG,YAAAA,oBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA,sBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,IAAA,CAAA;IAEA,OAAO;AACLsG,QAAAA,cAAAA,EAAgBjC,YAAAA,CAAaV,oBAAAA,CAAAA;AAC7B4C,QAAAA,aAAAA,EAAelC,YAAAA,CAAaH,mBAAAA,CAAAA;AAC5BsC,QAAAA,aAAAA,EAAenC,YAAAA,CAAavD,mBAAAA;AAC9B,KAAA;AACF,CAAA;;;;"}

package/dist/server/server/src/services/permission/permissions-manager/validate.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"validate.js","sources":["../../../../../../../server/src/services/permission/permissions-manager/validate.ts"],"sourcesContent":["import { subject as asSubject } from '@casl/ability';\nimport { defaults, omit, isArray, isEmpty, uniq, intersection, getOr, isObject } from 'lodash/fp';\n\nimport {\n contentTypes,\n traverseEntity,\n traverse,\n validate,\n async,\n errors,\n createModelCache,\n} from '@strapi/utils';\nimport { createPermissionFieldsCache } from './permission-fields';\n\nimport { ADMIN_USER_ALLOWED_FIELDS } from '../../../domain/user';\n\nconst { ValidationError } = errors;\nconst { throwPassword, throwDisallowedFields } = validate.visitors;\n\nconst { constants, isScalarAttribute, getNonVisibleAttributes, getWritableAttributes } =\n contentTypes;\nconst {\n ID_ATTRIBUTE,\n DOC_ID_ATTRIBUTE,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n} = constants;\n\nconst COMPONENT_FIELDS = ['__component'];\n\nconst STATIC_FIELDS = [ID_ATTRIBUTE, DOC_ID_ATTRIBUTE];\n\nconst throwInvalidKey = ({ key, path }: { key: string; path?: string \| null }) => {\n const msg = path && path !== key ? `Invalid key ${key} at ${path}` : `Invalid key ${key}`;\n\n throw new ValidationError(msg);\n};\n\nexport default ({ action, ability, model }: any) => {\n const schema = strapi.getModel(model);\n\n // Create request-scoped model cache to avoid redundant getModel() calls\n const modelCache = createModelCache(strapi.getModel.bind(strapi));\n\n const ctx = {\n schema,\n getModel: modelCache.getModel,\n };\n\n const createValidateQuery = (options = {} as any) => {\n const { fields } = options;\n\n // TODO: validate relations to admin users in all validators\n const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);\n\n const createValidateFilters = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFilters(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFilters(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQueryFilters(throwPassword, ctx),\n traverse.traverseQueryFilters(({ key, value, path }) => {\n if (isObject(value) && isEmpty(value)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n }, ctx)\n );\n\n const createValidateSort = (ctx: any) =>\n async.pipe(\n traverse.traverseQuerySort(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQuerySort(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQuerySort(throwPassword, ctx),\n traverse.traverseQuerySort(({ key, attribute, value, path }) => {\n if (!isScalarAttribute(attribute) && isEmpty(value)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n }, ctx)\n );\n\n const createValidateFields = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFields(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFields(throwPassword, ctx)\n );\n\n const validateFilters = createValidateFilters(ctx);\n const validateSort = createValidateSort(ctx);\n const validateFields = createValidateFields(ctx);\n\n const validateNestedPopulate = async ({ key, value, schema, attribute, getModel }: any) => {\n if (attribute) {\n return;\n }\n\n const nestedCtx = { schema, getModel };\n\n if (key === 'sort') {\n await createValidateSort(nestedCtx)(value);\n }\n\n if (key === 'filters') {\n await createValidateFilters(nestedCtx)(value);\n }\n\n if (key === 'fields') {\n await createValidateFields(nestedCtx)(value);\n }\n };\n\n const validatePopulate = async.pipe(\n traverse.traverseQueryPopulate(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryPopulate(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQueryPopulate(throwHiddenFields, ctx),\n traverse.traverseQueryPopulate(throwPassword, ctx),\n traverse.traverseQueryPopulate(validateNestedPopulate, ctx)\n );\n\n return async (query: any) => {\n if (query.filters) {\n await validateFilters(query.filters);\n }\n\n if (query.sort) {\n await validateSort(query.sort);\n }\n\n if (query.fields) {\n await validateFields(query.fields);\n }\n\n // a wildcard is always valid; its conversion will be handled by the entity service and can be optimized with sanitizer\n if (query.populate && query.populate !== '') {\n await validatePopulate(query.populate);\n }\n\n return true;\n };\n };\n\n const createValidateInput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(throwHiddenFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(throwDisallowedFields(permittedFields), ctx),\n // Remove roles from createdBy & updatedBy fields\n omitCreatorRoles\n );\n };\n\n const wrapValidate = (createValidateFunction: any) => {\n const { getPermissionFields } = createPermissionFieldsCache(ability);\n\n // TODO\n // @ts-expect-error define the correct return type\n const wrappedValidate = async (data, options = {}): Promise<unknown> => {\n if (isArray(data)) {\n return Promise.all(data.map((entity: unknown) => wrappedValidate(entity, options)));\n }\n\n const { subject, action: actionOverride } = getDefaultOptions(data, options);\n\n const { permittedFields, hasAtLeastOneRegistered, shouldIncludeAll } = getPermissionFields(\n actionOverride,\n subject\n );\n\n const validateOptions = {\n ...options,\n fields: {\n shouldIncludeAll,\n permitted: permittedFields,\n hasAtLeastOneRegistered,\n },\n };\n\n const validateFunction = createValidateFunction(validateOptions);\n\n return validateFunction(data);\n };\n\n return wrappedValidate;\n };\n\n const getDefaultOptions = (data: any, options: unknown) => {\n return defaults({ subject: asSubject(model, data), action }, options);\n };\n\n /\n Omit creator fields' (createdBy & updatedBy) roles from the admin API responses\n /\n const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);\n\n /\n Visitor used to remove hidden fields from the admin API responses\n /\n const throwHiddenFields = ({ key, schema, path }: any) => {\n const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);\n\n if (isHidden) {\n throwInvalidKey({ key, path: path.attribute });\n }\n };\n\n /\n Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information\n */\n const throwDisallowedAdminUserFields = ({ key, attribute, schema, path }: any) => {\n if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n };\n\n const getInputFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([...fields, ...COMPONENT_FIELDS, ...nonVisibleWritableAttributes]);\n };\n\n const getQueryFields = (fields = []) => {\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n ]);\n };\n\n return {\n validateQuery: wrapValidate(createValidateQuery),\n validateInput: wrapValidate(createValidateInput),\n };\n};\n"],"names":["ValidationError","errors","throwPassword","throwDisallowedFields","validate","visitors","constants","isScalarAttribute","getNonVisibleAttributes","getWritableAttributes","contentTypes","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","CREATED_AT_ATTRIBUTE","UPDATED_AT_ATTRIBUTE","PUBLISHED_AT_ATTRIBUTE","CREATED_BY_ATTRIBUTE","UPDATED_BY_ATTRIBUTE","COMPONENT_FIELDS","STATIC_FIELDS","throwInvalidKey","key","path","msg","action","ability","model","schema","strapi","getModel","modelCache","createModelCache","bind","ctx","createValidateQuery","options","fields","permittedFields","shouldIncludeAll","getQueryFields","permitted","createValidateFilters","async","pipe","traverse","traverseQueryFilters","throwDisallowedAdminUserFields","value","isObject","isEmpty","attribute","createValidateSort","traverseQuerySort","createValidateFields","traverseQueryFields","validateFilters","validateSort","validateFields","validateNestedPopulate","nestedCtx","validatePopulate","traverseQueryPopulate","throwHiddenFields","query","filters","sort","populate","createValidateInput","getInputFields","traverseEntity","omitCreatorRoles","wrapValidate","createValidateFunction","getPermissionFields","createPermissionFieldsCache","wrappedValidate","data","isArray","Promise","all","map","entity","subject","actionOverride","getDefaultOptions","hasAtLeastOneRegistered","validateOptions","validateFunction","defaults","asSubject","omit","isHidden","getOr","uid","ADMIN_USER_ALLOWED_FIELDS","includes","nonVisibleAttributes","writableAttributes","nonVisibleWritableAttributes","intersection","uniq","validateQuery","validateInput"],"mappings":";;;;;;;;AAgBA,MAAM,EAAEA,eAAe,EAAE,GAAGC,YAAAA;AAC5B,MAAM,EAAEC,aAAa,EAAEC,qBAAqB,EAAE,GAAGC,eAASC,QAAQ;AAElE,MAAM,EAAEC,SAAS,EAAEC,iBAAiB,EAAEC,uBAAuB,EAAEC,qBAAqB,EAAE,GACpFC,kBAAAA;AACF,MAAM,EACJC,YAAY,EACZC,gBAAgB,EAChBC,oBAAoB,EACpBC,oBAAoB,EACpBC,sBAAsB,EACtBC,oBAAoB,EACpBC,oBAAoB,EACrB,GAAGX,SAAAA;AAEJ,MAAMY,gBAAmB,GAAA;AAAC,IAAA;AAAc,CAAA;AAExC,MAAMC,aAAgB,GAAA;AAACR,IAAAA,YAAAA;AAAcC,IAAAA;AAAiB,CAAA;AAEtD,MAAMQ,kBAAkB,CAAC,EAAEC,GAAG,EAAEC,IAAI,EAAyC,GAAA;AAC3E,IAAA,MAAMC,GAAMD,GAAAA,IAAAA,IAAQA,IAASD,KAAAA,GAAAA,GAAM,CAAC,YAAY,EAAEA,GAAI,CAAA,IAAI,EAAEC,IAAM,CAAA,CAAA,GAAG,CAAC,YAAY,EAAED,GAAK,CAAA,CAAA;AAEzF,IAAA,MAAM,IAAIrB,eAAgBuB,CAAAA,GAAAA,CAAAA;AAC5B,CAAA;AAEA,4BAAe,CAAA,CAAC,EAAEC,MAAM,WAAEC,SAAO,EAAEC,KAAK,EAAO,GAAA;IAC7C,MAAMC,MAAAA,GAASC,MAAOC,CAAAA,QAAQ,CAACH,KAAAA,CAAAA;;AAG/B,IAAA,MAAMI,aAAaC,sBAAiBH,CAAAA,MAAAA,CAAOC,QAAQ,CAACG,IAAI,CAACJ,MAAAA,CAAAA,CAAAA;AAEzD,IAAA,MAAMK,GAAM,GAAA;AACVN,QAAAA,MAAAA;AACAE,QAAAA,QAAAA,EAAUC,WAAWD;AACvB,KAAA;AAEA,IAAA,MAAMK,mBAAsB,GAAA,CAACC,OAAU,GAAA,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;;AAGnB,QAAA,MAAME,kBAAkBD,MAAOE,CAAAA,gBAAgB,GAAG,IAAOC,GAAAA,cAAAA,CAAeH,OAAOI,SAAS,CAAA;AAExF,QAAA,MAAMC,qBAAwB,GAAA,CAACR,GAC7BS,GAAAA,WAAAA,CAAMC,IAAI,CACRC,cAAAA,CAASC,oBAAoB,CAAC1C,qBAAsBkC,CAAAA,eAAAA,CAAAA,EAAkBJ,GACtEW,CAAAA,EAAAA,cAAAA,CAASC,oBAAoB,CAACC,8BAAAA,EAAgCb,GAC9DW,CAAAA,EAAAA,cAAAA,CAASC,oBAAoB,CAAC3C,aAAe+B,EAAAA,GAAAA,CAAAA,EAC7CW,eAASC,oBAAoB,CAAC,CAAC,EAAExB,GAAG,EAAE0B,KAAK,EAAEzB,IAAI,EAAE,GAAA;gBACjD,IAAI0B,WAAAA,CAASD,KAAUE,CAAAA,IAAAA,UAAAA,CAAQF,KAAQ,CAAA,EAAA;oBACrC3B,eAAgB,CAAA;AAAEC,wBAAAA,GAAAA;AAAKC,wBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,qBAAA,CAAA;AAC9C;aACCjB,EAAAA,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMkB,kBAAqB,GAAA,CAAClB,GAC1BS,GAAAA,WAAAA,CAAMC,IAAI,CACRC,cAAAA,CAASQ,iBAAiB,CAACjD,sBAAsBkC,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA,EACnEW,cAASQ,CAAAA,iBAAiB,CAACN,8BAAgCb,EAAAA,GAAAA,CAAAA,EAC3DW,cAASQ,CAAAA,iBAAiB,CAAClD,aAAAA,EAAe+B,GAC1CW,CAAAA,EAAAA,cAAAA,CAASQ,iBAAiB,CAAC,CAAC,EAAE/B,GAAG,EAAE6B,SAAS,EAAEH,KAAK,EAAEzB,IAAI,EAAE,GAAA;AACzD,gBAAA,IAAI,CAACf,iBAAAA,CAAkB2C,SAAcD,CAAAA,IAAAA,UAAAA,CAAQF,KAAQ,CAAA,EAAA;oBACnD3B,eAAgB,CAAA;AAAEC,wBAAAA,GAAAA;AAAKC,wBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,qBAAA,CAAA;AAC9C;aACCjB,EAAAA,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMoB,oBAAuB,GAAA,CAACpB,GAC5BS,GAAAA,WAAAA,CAAMC,IAAI,CACRC,cAAAA,CAASU,mBAAmB,CAACnD,sBAAsBkC,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA,EACrEW,cAASU,CAAAA,mBAAmB,CAACpD,aAAe+B,EAAAA,GAAAA,CAAAA,CAAAA;AAGhD,QAAA,MAAMsB,kBAAkBd,qBAAsBR,CAAAA,GAAAA,CAAAA;AAC9C,QAAA,MAAMuB,eAAeL,kBAAmBlB,CAAAA,GAAAA,CAAAA;AACxC,QAAA,MAAMwB,iBAAiBJ,oBAAqBpB,CAAAA,GAAAA,CAAAA;AAE5C,QAAA,MAAMyB,sBAAyB,GAAA,OAAO,EAAErC,GAAG,EAAE0B,KAAK,EAAEpB,MAAM,EAAEuB,SAAS,EAAErB,QAAQ,EAAO,GAAA;AACpF,YAAA,IAAIqB,SAAW,EAAA;AACb,gBAAA;AACF;AAEA,YAAA,MAAMS,SAAY,GAAA;AAAEhC,gBAAAA,MAAAA;AAAQE,gBAAAA;AAAS,aAAA;AAErC,YAAA,IAAIR,QAAQ,MAAQ,EAAA;AAClB,gBAAA,MAAM8B,mBAAmBQ,SAAWZ,CAAAA,CAAAA,KAAAA,CAAAA;AACtC;AAEA,YAAA,IAAI1B,QAAQ,SAAW,EAAA;AACrB,gBAAA,MAAMoB,sBAAsBkB,SAAWZ,CAAAA,CAAAA,KAAAA,CAAAA;AACzC;AAEA,YAAA,IAAI1B,QAAQ,QAAU,EAAA;AACpB,gBAAA,MAAMgC,qBAAqBM,SAAWZ,CAAAA,CAAAA,KAAAA,CAAAA;AACxC;AACF,SAAA;AAEA,QAAA,MAAMa,gBAAmBlB,GAAAA,WAAAA,CAAMC,IAAI,CACjCC,cAASiB,CAAAA,qBAAqB,CAAC1D,qBAAAA,CAAsBkC,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA,EACvEW,cAASiB,CAAAA,qBAAqB,CAACf,8BAAAA,EAAgCb,GAC/DW,CAAAA,EAAAA,cAAAA,CAASiB,qBAAqB,CAACC,iBAAmB7B,EAAAA,GAAAA,CAAAA,EAClDW,cAASiB,CAAAA,qBAAqB,CAAC3D,aAAAA,EAAe+B,GAC9CW,CAAAA,EAAAA,cAAAA,CAASiB,qBAAqB,CAACH,sBAAwBzB,EAAAA,GAAAA,CAAAA,CAAAA;AAGzD,QAAA,OAAO,OAAO8B,KAAAA,GAAAA;YACZ,IAAIA,KAAAA,CAAMC,OAAO,EAAE;gBACjB,MAAMT,eAAAA,CAAgBQ,MAAMC,OAAO,CAAA;AACrC;YAEA,IAAID,KAAAA,CAAME,IAAI,EAAE;gBACd,MAAMT,YAAAA,CAAaO,MAAME,IAAI,CAAA;AAC/B;YAEA,IAAIF,KAAAA,CAAM3B,MAAM,EAAE;gBAChB,MAAMqB,cAAAA,CAAeM,MAAM3B,MAAM,CAAA;AACnC;;AAGA,YAAA,IAAI2B,MAAMG,QAAQ,IAAIH,KAAMG,CAAAA,QAAQ,KAAK,GAAK,EAAA;gBAC5C,MAAMN,gBAAAA,CAAiBG,MAAMG,QAAQ,CAAA;AACvC;YAEA,OAAO,IAAA;AACT,SAAA;AACF,KAAA;AAEA,IAAA,MAAMC,mBAAsB,GAAA,CAAChC,OAAU,GAAA,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAOE,CAAAA,gBAAgB,GAAG,IAAO8B,GAAAA,cAAAA,CAAehC,OAAOI,SAAS,CAAA;QAExF,OAAOE,WAAAA,CAAMC,IAAI;QAEf0B,oBAAeP,CAAAA,iBAAAA,EAAmB7B;QAElCoC,oBAAelE,CAAAA,qBAAAA,CAAsBkC,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA;AAEvDqC,QAAAA,gBAAAA,CAAAA;AAEJ,KAAA;AAEA,IAAA,MAAMC,eAAe,CAACC,sBAAAA,GAAAA;AACpB,QAAA,MAAM,EAAEC,mBAAmB,EAAE,GAAGC,4CAA4BjD,CAAAA,SAAAA,CAAAA;;;AAI5D,QAAA,MAAMkD,eAAkB,GAAA,OAAOC,IAAMzC,EAAAA,OAAAA,GAAU,EAAE,GAAA;AAC/C,YAAA,IAAI0C,WAAQD,IAAO,CAAA,EAAA;gBACjB,OAAOE,OAAAA,CAAQC,GAAG,CAACH,IAAAA,CAAKI,GAAG,CAAC,CAACC,MAAoBN,GAAAA,eAAAA,CAAgBM,MAAQ9C,EAAAA,OAAAA,CAAAA,CAAAA,CAAAA;AAC3E;YAEA,MAAM,EAAE+C,OAAO,EAAE1D,MAAAA,EAAQ2D,cAAc,EAAE,GAAGC,kBAAkBR,IAAMzC,EAAAA,OAAAA,CAAAA;YAEpE,MAAM,EAAEE,eAAe,EAAEgD,uBAAuB,EAAE/C,gBAAgB,EAAE,GAAGmC,mBAAAA,CACrEU,cACAD,EAAAA,OAAAA,CAAAA;AAGF,YAAA,MAAMI,eAAkB,GAAA;AACtB,gBAAA,GAAGnD,OAAO;gBACVC,MAAQ,EAAA;AACNE,oBAAAA,gBAAAA;oBACAE,SAAWH,EAAAA,eAAAA;AACXgD,oBAAAA;AACF;AACF,aAAA;AAEA,YAAA,MAAME,mBAAmBf,sBAAuBc,CAAAA,eAAAA,CAAAA;AAEhD,YAAA,OAAOC,gBAAiBX,CAAAA,IAAAA,CAAAA;AAC1B,SAAA;QAEA,OAAOD,eAAAA;AACT,KAAA;IAEA,MAAMS,iBAAAA,GAAoB,CAACR,IAAWzC,EAAAA,OAAAA,GAAAA;AACpC,QAAA,OAAOqD,WAAS,CAAA;AAAEN,YAAAA,OAAAA,EAASO,gBAAU/D,KAAOkD,EAAAA,IAAAA,CAAAA;AAAOpD,YAAAA;SAAUW,EAAAA,OAAAA,CAAAA;AAC/D,KAAA;AAEA;;MAGA,MAAMmC,mBAAmBoB,OAAK,CAAA;QAAC,CAAG1E,EAAAA,oBAAAA,CAAqB,MAAM,CAAC;QAAE,CAAGC,EAAAA,oBAAAA,CAAqB,MAAM;AAAE,KAAA,CAAA;AAEhG;;MAGA,MAAM6C,oBAAoB,CAAC,EAAEzC,GAAG,EAAEM,MAAM,EAAEL,IAAI,EAAO,GAAA;QACnD,MAAMqE,QAAAA,GAAWC,SAAM,KAAO,EAAA;AAAC,YAAA,QAAA;AAAU,YAAA,YAAA;AAAcvE,YAAAA,GAAAA;AAAK,YAAA;SAAS,EAAEM,MAAAA,CAAAA;AAEvE,QAAA,IAAIgE,QAAU,EAAA;YACZvE,eAAgB,CAAA;AAAEC,gBAAAA,GAAAA;AAAKC,gBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,aAAA,CAAA;AAC9C;AACF,KAAA;AAEA;;MAGA,MAAMJ,8BAAiC,GAAA,CAAC,EAAEzB,GAAG,EAAE6B,SAAS,EAAEvB,MAAM,EAAEL,IAAI,EAAO,GAAA;QAC3E,IAAIK,MAAAA,CAAOkE,GAAG,KAAK,aAAA,IAAiB3C,aAAa,CAAC4C,8BAAAA,CAA0BC,QAAQ,CAAC1E,GAAM,CAAA,EAAA;YACzFD,eAAgB,CAAA;AAAEC,gBAAAA,GAAAA;AAAKC,gBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,aAAA,CAAA;AAC9C;AACF,KAAA;IAEA,MAAMkB,cAAAA,GAAiB,CAAChC,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAM4D,uBAAuBxF,uBAAwBmB,CAAAA,MAAAA,CAAAA;AACrD,QAAA,MAAMsE,qBAAqBxF,qBAAsBkB,CAAAA,MAAAA,CAAAA;QAEjD,MAAMuE,4BAAAA,GAA+BC,gBAAaH,oBAAsBC,EAAAA,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,OAAK,CAAA;AAAIhE,YAAAA,GAAAA,MAAAA;AAAWlB,YAAAA,GAAAA,gBAAAA;AAAqBgF,YAAAA,GAAAA;AAA6B,SAAA,CAAA;AAC/E,KAAA;IAEA,MAAM3D,cAAAA,GAAiB,CAACH,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,OAAOgE,OAAK,CAAA;AACPhE,YAAAA,GAAAA,MAAAA;AACAjB,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACHL,YAAAA,oBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,KAAA;IAEA,OAAO;AACLsF,QAAAA,aAAAA,EAAe9B,YAAarC,CAAAA,mBAAAA,CAAAA;AAC5BoE,QAAAA,aAAAA,EAAe/B,YAAaJ,CAAAA,mBAAAA;AAC9B,KAAA;AACF,CAAA;;;;"}
1	+ {"version":3,"file":"validate.js","sources":["../../../../../../../server/src/services/permission/permissions-manager/validate.ts"],"sourcesContent":["import { subject as asSubject } from '@casl/ability';\nimport { defaults, omit, isArray, isEmpty, uniq, intersection, getOr, isObject } from 'lodash/fp';\n\nimport {\n contentTypes,\n traverseEntity,\n traverse,\n validate,\n async,\n errors,\n createModelCache,\n} from '@strapi/utils';\nimport { createPermissionFieldsCache } from './permission-fields';\n\nimport { ADMIN_USER_ALLOWED_FIELDS } from '../../../domain/user';\n\nconst { ValidationError } = errors;\nconst { throwPassword, throwDisallowedFields } = validate.visitors;\n\nconst { constants, isScalarAttribute, getNonVisibleAttributes, getWritableAttributes } =\n contentTypes;\nconst {\n ID_ATTRIBUTE,\n DOC_ID_ATTRIBUTE,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n} = constants;\n\nconst COMPONENT_FIELDS = ['__component'];\n\nconst STATIC_FIELDS = [ID_ATTRIBUTE, DOC_ID_ATTRIBUTE];\n\nconst throwInvalidKey = ({ key, path }: { key: string; path?: string \| null }) => {\n const msg = path && path !== key ? `Invalid key ${key} at ${path}` : `Invalid key ${key}`;\n\n throw new ValidationError(msg);\n};\n\nexport default ({ action, ability, model }: any) => {\n const schema = strapi.getModel(model);\n\n // Create request-scoped model cache to avoid redundant getModel() calls\n const modelCache = createModelCache(strapi.getModel.bind(strapi));\n\n const ctx = {\n schema,\n getModel: modelCache.getModel,\n };\n\n const createValidateQuery = (options = {} as any) => {\n const { fields } = options;\n\n // TODO: validate relations to admin users in all validators\n const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);\n\n const createValidateFilters = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFilters(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFilters(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQueryFilters(throwPassword, ctx),\n traverse.traverseQueryFilters(({ key, value, path }) => {\n if (isObject(value) && isEmpty(value)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n }, ctx)\n );\n\n const createValidateSort = (ctx: any) =>\n async.pipe(\n traverse.traverseQuerySort(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQuerySort(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQuerySort(throwPassword, ctx),\n traverse.traverseQuerySort(({ key, attribute, value, path }) => {\n if (!isScalarAttribute(attribute) && isEmpty(value)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n }, ctx)\n );\n\n const createValidateFields = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFields(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFields(throwPassword, ctx)\n );\n\n const validateFilters = createValidateFilters(ctx);\n const validateSort = createValidateSort(ctx);\n const validateFields = createValidateFields(ctx);\n\n const validateNestedPopulate = async ({ key, value, schema, attribute, getModel }: any) => {\n if (attribute) {\n return;\n }\n\n const nestedCtx = { schema, getModel };\n\n if (key === 'sort') {\n await createValidateSort(nestedCtx)(value);\n }\n\n if (key === 'filters') {\n await createValidateFilters(nestedCtx)(value);\n }\n\n if (key === 'fields') {\n await createValidateFields(nestedCtx)(value);\n }\n };\n\n const validatePopulate = async.pipe(\n traverse.traverseQueryPopulate(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryPopulate(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQueryPopulate(throwHiddenFields, ctx),\n traverse.traverseQueryPopulate(throwPassword, ctx),\n traverse.traverseQueryPopulate(validateNestedPopulate, ctx)\n );\n\n return async (query: any) => {\n if (query.filters) {\n await validateFilters(query.filters);\n }\n\n if (query.sort) {\n await validateSort(query.sort);\n }\n\n if (query.fields) {\n await validateFields(query.fields);\n }\n\n // a wildcard is always valid; its conversion will be handled by the entity service and can be optimized with sanitizer\n if (query.populate && query.populate !== '') {\n await validatePopulate(query.populate);\n }\n\n return true;\n };\n };\n\n const createValidateInput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(throwHiddenFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(throwDisallowedFields(permittedFields), ctx),\n // Remove roles from createdBy & updatedBy fields\n omitCreatorRoles\n );\n };\n\n const wrapValidate = (createValidateFunction: any) => {\n const { getPermissionFields } = createPermissionFieldsCache(ability);\n\n // TODO\n // @ts-expect-error define the correct return type\n const wrappedValidate = async (data, options = {}): Promise<unknown> => {\n if (isArray(data)) {\n return Promise.all(data.map((entity: unknown) => wrappedValidate(entity, options)));\n }\n\n const { subject, action: actionOverride } = getDefaultOptions(data, options);\n\n const { permittedFields, hasAtLeastOneRegistered, shouldIncludeAll } = getPermissionFields(\n actionOverride,\n subject\n );\n\n const validateOptions = {\n ...options,\n fields: {\n shouldIncludeAll,\n permitted: permittedFields,\n hasAtLeastOneRegistered,\n },\n };\n\n const validateFunction = createValidateFunction(validateOptions);\n\n return validateFunction(data);\n };\n\n return wrappedValidate;\n };\n\n const getDefaultOptions = (data: any, options: unknown) => {\n return defaults({ subject: asSubject(model, data), action }, options);\n };\n\n /\n Omit creator fields' (createdBy & updatedBy) roles from the admin API responses\n /\n const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);\n\n /\n Visitor used to remove hidden fields from the admin API responses\n /\n const throwHiddenFields = ({ key, schema, path }: any) => {\n const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);\n\n if (isHidden) {\n throwInvalidKey({ key, path: path.attribute });\n }\n };\n\n /\n Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information\n */\n const throwDisallowedAdminUserFields = ({ key, attribute, schema, path }: any) => {\n if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n };\n\n const getInputFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([...fields, ...COMPONENT_FIELDS, ...nonVisibleWritableAttributes]);\n };\n\n const getQueryFields = (fields = []) => {\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n ]);\n };\n\n return {\n validateQuery: wrapValidate(createValidateQuery),\n validateInput: wrapValidate(createValidateInput),\n };\n};\n"],"names":["ValidationError","errors","throwPassword","throwDisallowedFields","validate","visitors","constants","isScalarAttribute","getNonVisibleAttributes","getWritableAttributes","contentTypes","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","CREATED_AT_ATTRIBUTE","UPDATED_AT_ATTRIBUTE","PUBLISHED_AT_ATTRIBUTE","CREATED_BY_ATTRIBUTE","UPDATED_BY_ATTRIBUTE","COMPONENT_FIELDS","STATIC_FIELDS","throwInvalidKey","key","path","msg","action","ability","model","schema","strapi","getModel","modelCache","createModelCache","bind","ctx","createValidateQuery","options","fields","permittedFields","shouldIncludeAll","getQueryFields","permitted","createValidateFilters","async","pipe","traverse","traverseQueryFilters","throwDisallowedAdminUserFields","value","isObject","isEmpty","attribute","createValidateSort","traverseQuerySort","createValidateFields","traverseQueryFields","validateFilters","validateSort","validateFields","validateNestedPopulate","nestedCtx","validatePopulate","traverseQueryPopulate","throwHiddenFields","query","filters","sort","populate","createValidateInput","getInputFields","traverseEntity","omitCreatorRoles","wrapValidate","createValidateFunction","getPermissionFields","createPermissionFieldsCache","wrappedValidate","data","isArray","Promise","all","map","entity","subject","actionOverride","getDefaultOptions","hasAtLeastOneRegistered","validateOptions","validateFunction","defaults","asSubject","omit","isHidden","getOr","uid","ADMIN_USER_ALLOWED_FIELDS","includes","nonVisibleAttributes","writableAttributes","nonVisibleWritableAttributes","intersection","uniq","validateQuery","validateInput"],"mappings":";;;;;;;;AAgBA,MAAM,EAAEA,eAAe,EAAE,GAAGC,YAAAA;AAC5B,MAAM,EAAEC,aAAa,EAAEC,qBAAqB,EAAE,GAAGC,eAASC,QAAQ;AAElE,MAAM,EAAEC,SAAS,EAAEC,iBAAiB,EAAEC,uBAAuB,EAAEC,qBAAqB,EAAE,GACpFC,kBAAAA;AACF,MAAM,EACJC,YAAY,EACZC,gBAAgB,EAChBC,oBAAoB,EACpBC,oBAAoB,EACpBC,sBAAsB,EACtBC,oBAAoB,EACpBC,oBAAoB,EACrB,GAAGX,SAAAA;AAEJ,MAAMY,gBAAAA,GAAmB;AAAC,IAAA;AAAc,CAAA;AAExC,MAAMC,aAAAA,GAAgB;AAACR,IAAAA,YAAAA;AAAcC,IAAAA;AAAiB,CAAA;AAEtD,MAAMQ,kBAAkB,CAAC,EAAEC,GAAG,EAAEC,IAAI,EAAyC,GAAA;AAC3E,IAAA,MAAMC,GAAAA,GAAMD,IAAAA,IAAQA,IAAAA,KAASD,GAAAA,GAAM,CAAC,YAAY,EAAEA,GAAAA,CAAI,IAAI,EAAEC,IAAAA,CAAAA,CAAM,GAAG,CAAC,YAAY,EAAED,GAAAA,CAAAA,CAAK;AAEzF,IAAA,MAAM,IAAIrB,eAAAA,CAAgBuB,GAAAA,CAAAA;AAC5B,CAAA;AAEA,4BAAe,CAAA,CAAC,EAAEC,MAAM,WAAEC,SAAO,EAAEC,KAAK,EAAO,GAAA;IAC7C,MAAMC,MAAAA,GAASC,MAAAA,CAAOC,QAAQ,CAACH,KAAAA,CAAAA;;AAG/B,IAAA,MAAMI,aAAaC,sBAAAA,CAAiBH,MAAAA,CAAOC,QAAQ,CAACG,IAAI,CAACJ,MAAAA,CAAAA,CAAAA;AAEzD,IAAA,MAAMK,GAAAA,GAAM;AACVN,QAAAA,MAAAA;AACAE,QAAAA,QAAAA,EAAUC,WAAWD;AACvB,KAAA;AAEA,IAAA,MAAMK,mBAAAA,GAAsB,CAACC,OAAAA,GAAU,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;;AAGnB,QAAA,MAAME,kBAAkBD,MAAAA,CAAOE,gBAAgB,GAAG,IAAA,GAAOC,cAAAA,CAAeH,OAAOI,SAAS,CAAA;AAExF,QAAA,MAAMC,qBAAAA,GAAwB,CAACR,GAAAA,GAC7BS,WAAAA,CAAMC,IAAI,CACRC,cAAAA,CAASC,oBAAoB,CAAC1C,qBAAAA,CAAsBkC,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA,EACtEW,cAAAA,CAASC,oBAAoB,CAACC,8BAAAA,EAAgCb,GAAAA,CAAAA,EAC9DW,cAAAA,CAASC,oBAAoB,CAAC3C,aAAAA,EAAe+B,GAAAA,CAAAA,EAC7CW,eAASC,oBAAoB,CAAC,CAAC,EAAExB,GAAG,EAAE0B,KAAK,EAAEzB,IAAI,EAAE,GAAA;gBACjD,IAAI0B,WAAAA,CAASD,KAAAA,CAAAA,IAAUE,UAAAA,CAAQF,KAAAA,CAAAA,EAAQ;oBACrC3B,eAAAA,CAAgB;AAAEC,wBAAAA,GAAAA;AAAKC,wBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,qBAAA,CAAA;AAC9C,gBAAA;YACF,CAAA,EAAGjB,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMkB,kBAAAA,GAAqB,CAAClB,GAAAA,GAC1BS,WAAAA,CAAMC,IAAI,CACRC,cAAAA,CAASQ,iBAAiB,CAACjD,sBAAsBkC,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA,EACnEW,cAAAA,CAASQ,iBAAiB,CAACN,8BAAAA,EAAgCb,GAAAA,CAAAA,EAC3DW,cAAAA,CAASQ,iBAAiB,CAAClD,aAAAA,EAAe+B,GAAAA,CAAAA,EAC1CW,cAAAA,CAASQ,iBAAiB,CAAC,CAAC,EAAE/B,GAAG,EAAE6B,SAAS,EAAEH,KAAK,EAAEzB,IAAI,EAAE,GAAA;AACzD,gBAAA,IAAI,CAACf,iBAAAA,CAAkB2C,SAAAA,CAAAA,IAAcD,UAAAA,CAAQF,KAAAA,CAAAA,EAAQ;oBACnD3B,eAAAA,CAAgB;AAAEC,wBAAAA,GAAAA;AAAKC,wBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,qBAAA,CAAA;AAC9C,gBAAA;YACF,CAAA,EAAGjB,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMoB,oBAAAA,GAAuB,CAACpB,GAAAA,GAC5BS,WAAAA,CAAMC,IAAI,CACRC,cAAAA,CAASU,mBAAmB,CAACnD,sBAAsBkC,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA,EACrEW,cAAAA,CAASU,mBAAmB,CAACpD,aAAAA,EAAe+B,GAAAA,CAAAA,CAAAA;AAGhD,QAAA,MAAMsB,kBAAkBd,qBAAAA,CAAsBR,GAAAA,CAAAA;AAC9C,QAAA,MAAMuB,eAAeL,kBAAAA,CAAmBlB,GAAAA,CAAAA;AACxC,QAAA,MAAMwB,iBAAiBJ,oBAAAA,CAAqBpB,GAAAA,CAAAA;AAE5C,QAAA,MAAMyB,sBAAAA,GAAyB,OAAO,EAAErC,GAAG,EAAE0B,KAAK,EAAEpB,MAAM,EAAEuB,SAAS,EAAErB,QAAQ,EAAO,GAAA;AACpF,YAAA,IAAIqB,SAAAA,EAAW;AACb,gBAAA;AACF,YAAA;AAEA,YAAA,MAAMS,SAAAA,GAAY;AAAEhC,gBAAAA,MAAAA;AAAQE,gBAAAA;AAAS,aAAA;AAErC,YAAA,IAAIR,QAAQ,MAAA,EAAQ;AAClB,gBAAA,MAAM8B,mBAAmBQ,SAAAA,CAAAA,CAAWZ,KAAAA,CAAAA;AACtC,YAAA;AAEA,YAAA,IAAI1B,QAAQ,SAAA,EAAW;AACrB,gBAAA,MAAMoB,sBAAsBkB,SAAAA,CAAAA,CAAWZ,KAAAA,CAAAA;AACzC,YAAA;AAEA,YAAA,IAAI1B,QAAQ,QAAA,EAAU;AACpB,gBAAA,MAAMgC,qBAAqBM,SAAAA,CAAAA,CAAWZ,KAAAA,CAAAA;AACxC,YAAA;AACF,QAAA,CAAA;AAEA,QAAA,MAAMa,gBAAAA,GAAmBlB,WAAAA,CAAMC,IAAI,CACjCC,cAAAA,CAASiB,qBAAqB,CAAC1D,qBAAAA,CAAsBkC,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA,EACvEW,cAAAA,CAASiB,qBAAqB,CAACf,8BAAAA,EAAgCb,GAAAA,CAAAA,EAC/DW,cAAAA,CAASiB,qBAAqB,CAACC,iBAAAA,EAAmB7B,GAAAA,CAAAA,EAClDW,cAAAA,CAASiB,qBAAqB,CAAC3D,aAAAA,EAAe+B,GAAAA,CAAAA,EAC9CW,cAAAA,CAASiB,qBAAqB,CAACH,sBAAAA,EAAwBzB,GAAAA,CAAAA,CAAAA;AAGzD,QAAA,OAAO,OAAO8B,KAAAA,GAAAA;YACZ,IAAIA,KAAAA,CAAMC,OAAO,EAAE;gBACjB,MAAMT,eAAAA,CAAgBQ,MAAMC,OAAO,CAAA;AACrC,YAAA;YAEA,IAAID,KAAAA,CAAME,IAAI,EAAE;gBACd,MAAMT,YAAAA,CAAaO,MAAME,IAAI,CAAA;AAC/B,YAAA;YAEA,IAAIF,KAAAA,CAAM3B,MAAM,EAAE;gBAChB,MAAMqB,cAAAA,CAAeM,MAAM3B,MAAM,CAAA;AACnC,YAAA;;AAGA,YAAA,IAAI2B,MAAMG,QAAQ,IAAIH,KAAAA,CAAMG,QAAQ,KAAK,GAAA,EAAK;gBAC5C,MAAMN,gBAAAA,CAAiBG,MAAMG,QAAQ,CAAA;AACvC,YAAA;YAEA,OAAO,IAAA;AACT,QAAA,CAAA;AACF,IAAA,CAAA;AAEA,IAAA,MAAMC,mBAAAA,GAAsB,CAAChC,OAAAA,GAAU,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAAA,CAAOE,gBAAgB,GAAG,IAAA,GAAO8B,cAAAA,CAAehC,OAAOI,SAAS,CAAA;QAExF,OAAOE,WAAAA,CAAMC,IAAI;QAEf0B,oBAAAA,CAAeP,iBAAAA,EAAmB7B;QAElCoC,oBAAAA,CAAelE,qBAAAA,CAAsBkC,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA;AAEvDqC,QAAAA,gBAAAA,CAAAA;AAEJ,IAAA,CAAA;AAEA,IAAA,MAAMC,eAAe,CAACC,sBAAAA,GAAAA;AACpB,QAAA,MAAM,EAAEC,mBAAmB,EAAE,GAAGC,4CAAAA,CAA4BjD,SAAAA,CAAAA;;;AAI5D,QAAA,MAAMkD,eAAAA,GAAkB,OAAOC,IAAAA,EAAMzC,OAAAA,GAAU,EAAE,GAAA;AAC/C,YAAA,IAAI0C,WAAQD,IAAAA,CAAAA,EAAO;gBACjB,OAAOE,OAAAA,CAAQC,GAAG,CAACH,IAAAA,CAAKI,GAAG,CAAC,CAACC,MAAAA,GAAoBN,eAAAA,CAAgBM,MAAAA,EAAQ9C,OAAAA,CAAAA,CAAAA,CAAAA;AAC3E,YAAA;YAEA,MAAM,EAAE+C,OAAO,EAAE1D,MAAAA,EAAQ2D,cAAc,EAAE,GAAGC,kBAAkBR,IAAAA,EAAMzC,OAAAA,CAAAA;YAEpE,MAAM,EAAEE,eAAe,EAAEgD,uBAAuB,EAAE/C,gBAAgB,EAAE,GAAGmC,mBAAAA,CACrEU,cAAAA,EACAD,OAAAA,CAAAA;AAGF,YAAA,MAAMI,eAAAA,GAAkB;AACtB,gBAAA,GAAGnD,OAAO;gBACVC,MAAAA,EAAQ;AACNE,oBAAAA,gBAAAA;oBACAE,SAAAA,EAAWH,eAAAA;AACXgD,oBAAAA;AACF;AACF,aAAA;AAEA,YAAA,MAAME,mBAAmBf,sBAAAA,CAAuBc,eAAAA,CAAAA;AAEhD,YAAA,OAAOC,gBAAAA,CAAiBX,IAAAA,CAAAA;AAC1B,QAAA,CAAA;QAEA,OAAOD,eAAAA;AACT,IAAA,CAAA;IAEA,MAAMS,iBAAAA,GAAoB,CAACR,IAAAA,EAAWzC,OAAAA,GAAAA;AACpC,QAAA,OAAOqD,WAAAA,CAAS;AAAEN,YAAAA,OAAAA,EAASO,gBAAU/D,KAAAA,EAAOkD,IAAAA,CAAAA;AAAOpD,YAAAA;SAAO,EAAGW,OAAAA,CAAAA;AAC/D,IAAA,CAAA;AAEA;;MAGA,MAAMmC,mBAAmBoB,OAAAA,CAAK;QAAC,CAAA,EAAG1E,oBAAAA,CAAqB,MAAM,CAAC;QAAE,CAAA,EAAGC,oBAAAA,CAAqB,MAAM;AAAE,KAAA,CAAA;AAEhG;;MAGA,MAAM6C,oBAAoB,CAAC,EAAEzC,GAAG,EAAEM,MAAM,EAAEL,IAAI,EAAO,GAAA;QACnD,MAAMqE,QAAAA,GAAWC,SAAM,KAAA,EAAO;AAAC,YAAA,QAAA;AAAU,YAAA,YAAA;AAAcvE,YAAAA,GAAAA;AAAK,YAAA;SAAS,EAAEM,MAAAA,CAAAA;AAEvE,QAAA,IAAIgE,QAAAA,EAAU;YACZvE,eAAAA,CAAgB;AAAEC,gBAAAA,GAAAA;AAAKC,gBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,aAAA,CAAA;AAC9C,QAAA;AACF,IAAA,CAAA;AAEA;;MAGA,MAAMJ,8BAAAA,GAAiC,CAAC,EAAEzB,GAAG,EAAE6B,SAAS,EAAEvB,MAAM,EAAEL,IAAI,EAAO,GAAA;QAC3E,IAAIK,MAAAA,CAAOkE,GAAG,KAAK,aAAA,IAAiB3C,aAAa,CAAC4C,8BAAAA,CAA0BC,QAAQ,CAAC1E,GAAAA,CAAAA,EAAM;YACzFD,eAAAA,CAAgB;AAAEC,gBAAAA,GAAAA;AAAKC,gBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,aAAA,CAAA;AAC9C,QAAA;AACF,IAAA,CAAA;IAEA,MAAMkB,cAAAA,GAAiB,CAAChC,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAM4D,uBAAuBxF,uBAAAA,CAAwBmB,MAAAA,CAAAA;AACrD,QAAA,MAAMsE,qBAAqBxF,qBAAAA,CAAsBkB,MAAAA,CAAAA;QAEjD,MAAMuE,4BAAAA,GAA+BC,gBAAaH,oBAAAA,EAAsBC,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,OAAAA,CAAK;AAAIhE,YAAAA,GAAAA,MAAAA;AAAWlB,YAAAA,GAAAA,gBAAAA;AAAqBgF,YAAAA,GAAAA;AAA6B,SAAA,CAAA;AAC/E,IAAA,CAAA;IAEA,MAAM3D,cAAAA,GAAiB,CAACH,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,OAAOgE,OAAAA,CAAK;AACPhE,YAAAA,GAAAA,MAAAA;AACAjB,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACHL,YAAAA,oBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,IAAA,CAAA;IAEA,OAAO;AACLsF,QAAAA,aAAAA,EAAe9B,YAAAA,CAAarC,mBAAAA,CAAAA;AAC5BoE,QAAAA,aAAAA,EAAe/B,YAAAA,CAAaJ,mBAAAA;AAC9B,KAAA;AACF,CAAA;;;;"}

package/dist/server/server/src/services/permission/permissions-manager/validate.mjs CHANGED Viewed

@@ -1,6 +1,6 @@
 import { subject } from '@casl/ability';
-import { omit, isArray, defaults, getOr, intersection, uniq, isObject, isEmpty } from 'lodash/fp';
-import { validate, createModelCache, contentTypes, async, traverse, traverseEntity, errors } from '@strapi/utils';
+import { omit, isArray, defaults, intersection, uniq, getOr, isObject, isEmpty } from 'lodash/fp';
+import { errors, validate, contentTypes, createModelCache, async, traverseEntity, traverse } from '@strapi/utils';
 import { createPermissionFieldsCache } from './permission-fields.mjs';
 import { ADMIN_USER_ALLOWED_FIELDS } from '../../../domain/user.mjs';

package/dist/server/server/src/services/permission/permissions-manager/validate.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"validate.mjs","sources":["../../../../../../../server/src/services/permission/permissions-manager/validate.ts"],"sourcesContent":["import { subject as asSubject } from '@casl/ability';\nimport { defaults, omit, isArray, isEmpty, uniq, intersection, getOr, isObject } from 'lodash/fp';\n\nimport {\n contentTypes,\n traverseEntity,\n traverse,\n validate,\n async,\n errors,\n createModelCache,\n} from '@strapi/utils';\nimport { createPermissionFieldsCache } from './permission-fields';\n\nimport { ADMIN_USER_ALLOWED_FIELDS } from '../../../domain/user';\n\nconst { ValidationError } = errors;\nconst { throwPassword, throwDisallowedFields } = validate.visitors;\n\nconst { constants, isScalarAttribute, getNonVisibleAttributes, getWritableAttributes } =\n contentTypes;\nconst {\n ID_ATTRIBUTE,\n DOC_ID_ATTRIBUTE,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n} = constants;\n\nconst COMPONENT_FIELDS = ['__component'];\n\nconst STATIC_FIELDS = [ID_ATTRIBUTE, DOC_ID_ATTRIBUTE];\n\nconst throwInvalidKey = ({ key, path }: { key: string; path?: string \| null }) => {\n const msg = path && path !== key ? `Invalid key ${key} at ${path}` : `Invalid key ${key}`;\n\n throw new ValidationError(msg);\n};\n\nexport default ({ action, ability, model }: any) => {\n const schema = strapi.getModel(model);\n\n // Create request-scoped model cache to avoid redundant getModel() calls\n const modelCache = createModelCache(strapi.getModel.bind(strapi));\n\n const ctx = {\n schema,\n getModel: modelCache.getModel,\n };\n\n const createValidateQuery = (options = {} as any) => {\n const { fields } = options;\n\n // TODO: validate relations to admin users in all validators\n const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);\n\n const createValidateFilters = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFilters(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFilters(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQueryFilters(throwPassword, ctx),\n traverse.traverseQueryFilters(({ key, value, path }) => {\n if (isObject(value) && isEmpty(value)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n }, ctx)\n );\n\n const createValidateSort = (ctx: any) =>\n async.pipe(\n traverse.traverseQuerySort(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQuerySort(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQuerySort(throwPassword, ctx),\n traverse.traverseQuerySort(({ key, attribute, value, path }) => {\n if (!isScalarAttribute(attribute) && isEmpty(value)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n }, ctx)\n );\n\n const createValidateFields = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFields(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFields(throwPassword, ctx)\n );\n\n const validateFilters = createValidateFilters(ctx);\n const validateSort = createValidateSort(ctx);\n const validateFields = createValidateFields(ctx);\n\n const validateNestedPopulate = async ({ key, value, schema, attribute, getModel }: any) => {\n if (attribute) {\n return;\n }\n\n const nestedCtx = { schema, getModel };\n\n if (key === 'sort') {\n await createValidateSort(nestedCtx)(value);\n }\n\n if (key === 'filters') {\n await createValidateFilters(nestedCtx)(value);\n }\n\n if (key === 'fields') {\n await createValidateFields(nestedCtx)(value);\n }\n };\n\n const validatePopulate = async.pipe(\n traverse.traverseQueryPopulate(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryPopulate(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQueryPopulate(throwHiddenFields, ctx),\n traverse.traverseQueryPopulate(throwPassword, ctx),\n traverse.traverseQueryPopulate(validateNestedPopulate, ctx)\n );\n\n return async (query: any) => {\n if (query.filters) {\n await validateFilters(query.filters);\n }\n\n if (query.sort) {\n await validateSort(query.sort);\n }\n\n if (query.fields) {\n await validateFields(query.fields);\n }\n\n // a wildcard is always valid; its conversion will be handled by the entity service and can be optimized with sanitizer\n if (query.populate && query.populate !== '') {\n await validatePopulate(query.populate);\n }\n\n return true;\n };\n };\n\n const createValidateInput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(throwHiddenFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(throwDisallowedFields(permittedFields), ctx),\n // Remove roles from createdBy & updatedBy fields\n omitCreatorRoles\n );\n };\n\n const wrapValidate = (createValidateFunction: any) => {\n const { getPermissionFields } = createPermissionFieldsCache(ability);\n\n // TODO\n // @ts-expect-error define the correct return type\n const wrappedValidate = async (data, options = {}): Promise<unknown> => {\n if (isArray(data)) {\n return Promise.all(data.map((entity: unknown) => wrappedValidate(entity, options)));\n }\n\n const { subject, action: actionOverride } = getDefaultOptions(data, options);\n\n const { permittedFields, hasAtLeastOneRegistered, shouldIncludeAll } = getPermissionFields(\n actionOverride,\n subject\n );\n\n const validateOptions = {\n ...options,\n fields: {\n shouldIncludeAll,\n permitted: permittedFields,\n hasAtLeastOneRegistered,\n },\n };\n\n const validateFunction = createValidateFunction(validateOptions);\n\n return validateFunction(data);\n };\n\n return wrappedValidate;\n };\n\n const getDefaultOptions = (data: any, options: unknown) => {\n return defaults({ subject: asSubject(model, data), action }, options);\n };\n\n /\n Omit creator fields' (createdBy & updatedBy) roles from the admin API responses\n /\n const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);\n\n /\n Visitor used to remove hidden fields from the admin API responses\n /\n const throwHiddenFields = ({ key, schema, path }: any) => {\n const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);\n\n if (isHidden) {\n throwInvalidKey({ key, path: path.attribute });\n }\n };\n\n /\n Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information\n */\n const throwDisallowedAdminUserFields = ({ key, attribute, schema, path }: any) => {\n if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n };\n\n const getInputFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([...fields, ...COMPONENT_FIELDS, ...nonVisibleWritableAttributes]);\n };\n\n const getQueryFields = (fields = []) => {\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n ]);\n };\n\n return {\n validateQuery: wrapValidate(createValidateQuery),\n validateInput: wrapValidate(createValidateInput),\n };\n};\n"],"names":["ValidationError","errors","throwPassword","throwDisallowedFields","validate","visitors","constants","isScalarAttribute","getNonVisibleAttributes","getWritableAttributes","contentTypes","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","CREATED_AT_ATTRIBUTE","UPDATED_AT_ATTRIBUTE","PUBLISHED_AT_ATTRIBUTE","CREATED_BY_ATTRIBUTE","UPDATED_BY_ATTRIBUTE","COMPONENT_FIELDS","STATIC_FIELDS","throwInvalidKey","key","path","msg","action","ability","model","schema","strapi","getModel","modelCache","createModelCache","bind","ctx","createValidateQuery","options","fields","permittedFields","shouldIncludeAll","getQueryFields","permitted","createValidateFilters","async","pipe","traverse","traverseQueryFilters","throwDisallowedAdminUserFields","value","isObject","isEmpty","attribute","createValidateSort","traverseQuerySort","createValidateFields","traverseQueryFields","validateFilters","validateSort","validateFields","validateNestedPopulate","nestedCtx","validatePopulate","traverseQueryPopulate","throwHiddenFields","query","filters","sort","populate","createValidateInput","getInputFields","traverseEntity","omitCreatorRoles","wrapValidate","createValidateFunction","getPermissionFields","createPermissionFieldsCache","wrappedValidate","data","isArray","Promise","all","map","entity","subject","actionOverride","getDefaultOptions","hasAtLeastOneRegistered","validateOptions","validateFunction","defaults","asSubject","omit","isHidden","getOr","uid","ADMIN_USER_ALLOWED_FIELDS","includes","nonVisibleAttributes","writableAttributes","nonVisibleWritableAttributes","intersection","uniq","validateQuery","validateInput"],"mappings":";;;;;;AAgBA,MAAM,EAAEA,eAAe,EAAE,GAAGC,MAAAA;AAC5B,MAAM,EAAEC,aAAa,EAAEC,qBAAqB,EAAE,GAAGC,SAASC,QAAQ;AAElE,MAAM,EAAEC,SAAS,EAAEC,iBAAiB,EAAEC,uBAAuB,EAAEC,qBAAqB,EAAE,GACpFC,YAAAA;AACF,MAAM,EACJC,YAAY,EACZC,gBAAgB,EAChBC,oBAAoB,EACpBC,oBAAoB,EACpBC,sBAAsB,EACtBC,oBAAoB,EACpBC,oBAAoB,EACrB,GAAGX,SAAAA;AAEJ,MAAMY,gBAAmB,GAAA;AAAC,IAAA;AAAc,CAAA;AAExC,MAAMC,aAAgB,GAAA;AAACR,IAAAA,YAAAA;AAAcC,IAAAA;AAAiB,CAAA;AAEtD,MAAMQ,kBAAkB,CAAC,EAAEC,GAAG,EAAEC,IAAI,EAAyC,GAAA;AAC3E,IAAA,MAAMC,GAAMD,GAAAA,IAAAA,IAAQA,IAASD,KAAAA,GAAAA,GAAM,CAAC,YAAY,EAAEA,GAAI,CAAA,IAAI,EAAEC,IAAM,CAAA,CAAA,GAAG,CAAC,YAAY,EAAED,GAAK,CAAA,CAAA;AAEzF,IAAA,MAAM,IAAIrB,eAAgBuB,CAAAA,GAAAA,CAAAA;AAC5B,CAAA;AAEA,4BAAe,CAAA,CAAC,EAAEC,MAAM,EAAEC,OAAO,EAAEC,KAAK,EAAO,GAAA;IAC7C,MAAMC,MAAAA,GAASC,MAAOC,CAAAA,QAAQ,CAACH,KAAAA,CAAAA;;AAG/B,IAAA,MAAMI,aAAaC,gBAAiBH,CAAAA,MAAAA,CAAOC,QAAQ,CAACG,IAAI,CAACJ,MAAAA,CAAAA,CAAAA;AAEzD,IAAA,MAAMK,GAAM,GAAA;AACVN,QAAAA,MAAAA;AACAE,QAAAA,QAAAA,EAAUC,WAAWD;AACvB,KAAA;AAEA,IAAA,MAAMK,mBAAsB,GAAA,CAACC,OAAU,GAAA,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;;AAGnB,QAAA,MAAME,kBAAkBD,MAAOE,CAAAA,gBAAgB,GAAG,IAAOC,GAAAA,cAAAA,CAAeH,OAAOI,SAAS,CAAA;AAExF,QAAA,MAAMC,qBAAwB,GAAA,CAACR,GAC7BS,GAAAA,KAAAA,CAAMC,IAAI,CACRC,QAAAA,CAASC,oBAAoB,CAAC1C,qBAAsBkC,CAAAA,eAAAA,CAAAA,EAAkBJ,GACtEW,CAAAA,EAAAA,QAAAA,CAASC,oBAAoB,CAACC,8BAAAA,EAAgCb,GAC9DW,CAAAA,EAAAA,QAAAA,CAASC,oBAAoB,CAAC3C,aAAe+B,EAAAA,GAAAA,CAAAA,EAC7CW,SAASC,oBAAoB,CAAC,CAAC,EAAExB,GAAG,EAAE0B,KAAK,EAAEzB,IAAI,EAAE,GAAA;gBACjD,IAAI0B,QAAAA,CAASD,KAAUE,CAAAA,IAAAA,OAAAA,CAAQF,KAAQ,CAAA,EAAA;oBACrC3B,eAAgB,CAAA;AAAEC,wBAAAA,GAAAA;AAAKC,wBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,qBAAA,CAAA;AAC9C;aACCjB,EAAAA,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMkB,kBAAqB,GAAA,CAAClB,GAC1BS,GAAAA,KAAAA,CAAMC,IAAI,CACRC,QAAAA,CAASQ,iBAAiB,CAACjD,sBAAsBkC,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA,EACnEW,QAASQ,CAAAA,iBAAiB,CAACN,8BAAgCb,EAAAA,GAAAA,CAAAA,EAC3DW,QAASQ,CAAAA,iBAAiB,CAAClD,aAAAA,EAAe+B,GAC1CW,CAAAA,EAAAA,QAAAA,CAASQ,iBAAiB,CAAC,CAAC,EAAE/B,GAAG,EAAE6B,SAAS,EAAEH,KAAK,EAAEzB,IAAI,EAAE,GAAA;AACzD,gBAAA,IAAI,CAACf,iBAAAA,CAAkB2C,SAAcD,CAAAA,IAAAA,OAAAA,CAAQF,KAAQ,CAAA,EAAA;oBACnD3B,eAAgB,CAAA;AAAEC,wBAAAA,GAAAA;AAAKC,wBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,qBAAA,CAAA;AAC9C;aACCjB,EAAAA,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMoB,oBAAuB,GAAA,CAACpB,GAC5BS,GAAAA,KAAAA,CAAMC,IAAI,CACRC,QAAAA,CAASU,mBAAmB,CAACnD,sBAAsBkC,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA,EACrEW,QAASU,CAAAA,mBAAmB,CAACpD,aAAe+B,EAAAA,GAAAA,CAAAA,CAAAA;AAGhD,QAAA,MAAMsB,kBAAkBd,qBAAsBR,CAAAA,GAAAA,CAAAA;AAC9C,QAAA,MAAMuB,eAAeL,kBAAmBlB,CAAAA,GAAAA,CAAAA;AACxC,QAAA,MAAMwB,iBAAiBJ,oBAAqBpB,CAAAA,GAAAA,CAAAA;AAE5C,QAAA,MAAMyB,sBAAyB,GAAA,OAAO,EAAErC,GAAG,EAAE0B,KAAK,EAAEpB,MAAM,EAAEuB,SAAS,EAAErB,QAAQ,EAAO,GAAA;AACpF,YAAA,IAAIqB,SAAW,EAAA;AACb,gBAAA;AACF;AAEA,YAAA,MAAMS,SAAY,GAAA;AAAEhC,gBAAAA,MAAAA;AAAQE,gBAAAA;AAAS,aAAA;AAErC,YAAA,IAAIR,QAAQ,MAAQ,EAAA;AAClB,gBAAA,MAAM8B,mBAAmBQ,SAAWZ,CAAAA,CAAAA,KAAAA,CAAAA;AACtC;AAEA,YAAA,IAAI1B,QAAQ,SAAW,EAAA;AACrB,gBAAA,MAAMoB,sBAAsBkB,SAAWZ,CAAAA,CAAAA,KAAAA,CAAAA;AACzC;AAEA,YAAA,IAAI1B,QAAQ,QAAU,EAAA;AACpB,gBAAA,MAAMgC,qBAAqBM,SAAWZ,CAAAA,CAAAA,KAAAA,CAAAA;AACxC;AACF,SAAA;AAEA,QAAA,MAAMa,gBAAmBlB,GAAAA,KAAAA,CAAMC,IAAI,CACjCC,QAASiB,CAAAA,qBAAqB,CAAC1D,qBAAAA,CAAsBkC,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA,EACvEW,QAASiB,CAAAA,qBAAqB,CAACf,8BAAAA,EAAgCb,GAC/DW,CAAAA,EAAAA,QAAAA,CAASiB,qBAAqB,CAACC,iBAAmB7B,EAAAA,GAAAA,CAAAA,EAClDW,QAASiB,CAAAA,qBAAqB,CAAC3D,aAAAA,EAAe+B,GAC9CW,CAAAA,EAAAA,QAAAA,CAASiB,qBAAqB,CAACH,sBAAwBzB,EAAAA,GAAAA,CAAAA,CAAAA;AAGzD,QAAA,OAAO,OAAO8B,KAAAA,GAAAA;YACZ,IAAIA,KAAAA,CAAMC,OAAO,EAAE;gBACjB,MAAMT,eAAAA,CAAgBQ,MAAMC,OAAO,CAAA;AACrC;YAEA,IAAID,KAAAA,CAAME,IAAI,EAAE;gBACd,MAAMT,YAAAA,CAAaO,MAAME,IAAI,CAAA;AAC/B;YAEA,IAAIF,KAAAA,CAAM3B,MAAM,EAAE;gBAChB,MAAMqB,cAAAA,CAAeM,MAAM3B,MAAM,CAAA;AACnC;;AAGA,YAAA,IAAI2B,MAAMG,QAAQ,IAAIH,KAAMG,CAAAA,QAAQ,KAAK,GAAK,EAAA;gBAC5C,MAAMN,gBAAAA,CAAiBG,MAAMG,QAAQ,CAAA;AACvC;YAEA,OAAO,IAAA;AACT,SAAA;AACF,KAAA;AAEA,IAAA,MAAMC,mBAAsB,GAAA,CAAChC,OAAU,GAAA,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAOE,CAAAA,gBAAgB,GAAG,IAAO8B,GAAAA,cAAAA,CAAehC,OAAOI,SAAS,CAAA;QAExF,OAAOE,KAAAA,CAAMC,IAAI;QAEf0B,cAAeP,CAAAA,iBAAAA,EAAmB7B;QAElCoC,cAAelE,CAAAA,qBAAAA,CAAsBkC,eAAkBJ,CAAAA,EAAAA,GAAAA,CAAAA;AAEvDqC,QAAAA,gBAAAA,CAAAA;AAEJ,KAAA;AAEA,IAAA,MAAMC,eAAe,CAACC,sBAAAA,GAAAA;AACpB,QAAA,MAAM,EAAEC,mBAAmB,EAAE,GAAGC,2BAA4BjD,CAAAA,OAAAA,CAAAA;;;AAI5D,QAAA,MAAMkD,eAAkB,GAAA,OAAOC,IAAMzC,EAAAA,OAAAA,GAAU,EAAE,GAAA;AAC/C,YAAA,IAAI0C,QAAQD,IAAO,CAAA,EAAA;gBACjB,OAAOE,OAAAA,CAAQC,GAAG,CAACH,IAAAA,CAAKI,GAAG,CAAC,CAACC,MAAoBN,GAAAA,eAAAA,CAAgBM,MAAQ9C,EAAAA,OAAAA,CAAAA,CAAAA,CAAAA;AAC3E;YAEA,MAAM,EAAE+C,OAAO,EAAE1D,MAAAA,EAAQ2D,cAAc,EAAE,GAAGC,kBAAkBR,IAAMzC,EAAAA,OAAAA,CAAAA;YAEpE,MAAM,EAAEE,eAAe,EAAEgD,uBAAuB,EAAE/C,gBAAgB,EAAE,GAAGmC,mBAAAA,CACrEU,cACAD,EAAAA,OAAAA,CAAAA;AAGF,YAAA,MAAMI,eAAkB,GAAA;AACtB,gBAAA,GAAGnD,OAAO;gBACVC,MAAQ,EAAA;AACNE,oBAAAA,gBAAAA;oBACAE,SAAWH,EAAAA,eAAAA;AACXgD,oBAAAA;AACF;AACF,aAAA;AAEA,YAAA,MAAME,mBAAmBf,sBAAuBc,CAAAA,eAAAA,CAAAA;AAEhD,YAAA,OAAOC,gBAAiBX,CAAAA,IAAAA,CAAAA;AAC1B,SAAA;QAEA,OAAOD,eAAAA;AACT,KAAA;IAEA,MAAMS,iBAAAA,GAAoB,CAACR,IAAWzC,EAAAA,OAAAA,GAAAA;AACpC,QAAA,OAAOqD,QAAS,CAAA;AAAEN,YAAAA,OAAAA,EAASO,QAAU/D,KAAOkD,EAAAA,IAAAA,CAAAA;AAAOpD,YAAAA;SAAUW,EAAAA,OAAAA,CAAAA;AAC/D,KAAA;AAEA;;MAGA,MAAMmC,mBAAmBoB,IAAK,CAAA;QAAC,CAAG1E,EAAAA,oBAAAA,CAAqB,MAAM,CAAC;QAAE,CAAGC,EAAAA,oBAAAA,CAAqB,MAAM;AAAE,KAAA,CAAA;AAEhG;;MAGA,MAAM6C,oBAAoB,CAAC,EAAEzC,GAAG,EAAEM,MAAM,EAAEL,IAAI,EAAO,GAAA;QACnD,MAAMqE,QAAAA,GAAWC,MAAM,KAAO,EAAA;AAAC,YAAA,QAAA;AAAU,YAAA,YAAA;AAAcvE,YAAAA,GAAAA;AAAK,YAAA;SAAS,EAAEM,MAAAA,CAAAA;AAEvE,QAAA,IAAIgE,QAAU,EAAA;YACZvE,eAAgB,CAAA;AAAEC,gBAAAA,GAAAA;AAAKC,gBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,aAAA,CAAA;AAC9C;AACF,KAAA;AAEA;;MAGA,MAAMJ,8BAAiC,GAAA,CAAC,EAAEzB,GAAG,EAAE6B,SAAS,EAAEvB,MAAM,EAAEL,IAAI,EAAO,GAAA;QAC3E,IAAIK,MAAAA,CAAOkE,GAAG,KAAK,aAAA,IAAiB3C,aAAa,CAAC4C,yBAAAA,CAA0BC,QAAQ,CAAC1E,GAAM,CAAA,EAAA;YACzFD,eAAgB,CAAA;AAAEC,gBAAAA,GAAAA;AAAKC,gBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,aAAA,CAAA;AAC9C;AACF,KAAA;IAEA,MAAMkB,cAAAA,GAAiB,CAAChC,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAM4D,uBAAuBxF,uBAAwBmB,CAAAA,MAAAA,CAAAA;AACrD,QAAA,MAAMsE,qBAAqBxF,qBAAsBkB,CAAAA,MAAAA,CAAAA;QAEjD,MAAMuE,4BAAAA,GAA+BC,aAAaH,oBAAsBC,EAAAA,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,IAAK,CAAA;AAAIhE,YAAAA,GAAAA,MAAAA;AAAWlB,YAAAA,GAAAA,gBAAAA;AAAqBgF,YAAAA,GAAAA;AAA6B,SAAA,CAAA;AAC/E,KAAA;IAEA,MAAM3D,cAAAA,GAAiB,CAACH,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,OAAOgE,IAAK,CAAA;AACPhE,YAAAA,GAAAA,MAAAA;AACAjB,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACHL,YAAAA,oBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,KAAA;IAEA,OAAO;AACLsF,QAAAA,aAAAA,EAAe9B,YAAarC,CAAAA,mBAAAA,CAAAA;AAC5BoE,QAAAA,aAAAA,EAAe/B,YAAaJ,CAAAA,mBAAAA;AAC9B,KAAA;AACF,CAAA;;;;"}
1	+ {"version":3,"file":"validate.mjs","sources":["../../../../../../../server/src/services/permission/permissions-manager/validate.ts"],"sourcesContent":["import { subject as asSubject } from '@casl/ability';\nimport { defaults, omit, isArray, isEmpty, uniq, intersection, getOr, isObject } from 'lodash/fp';\n\nimport {\n contentTypes,\n traverseEntity,\n traverse,\n validate,\n async,\n errors,\n createModelCache,\n} from '@strapi/utils';\nimport { createPermissionFieldsCache } from './permission-fields';\n\nimport { ADMIN_USER_ALLOWED_FIELDS } from '../../../domain/user';\n\nconst { ValidationError } = errors;\nconst { throwPassword, throwDisallowedFields } = validate.visitors;\n\nconst { constants, isScalarAttribute, getNonVisibleAttributes, getWritableAttributes } =\n contentTypes;\nconst {\n ID_ATTRIBUTE,\n DOC_ID_ATTRIBUTE,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n CREATED_BY_ATTRIBUTE,\n UPDATED_BY_ATTRIBUTE,\n} = constants;\n\nconst COMPONENT_FIELDS = ['__component'];\n\nconst STATIC_FIELDS = [ID_ATTRIBUTE, DOC_ID_ATTRIBUTE];\n\nconst throwInvalidKey = ({ key, path }: { key: string; path?: string \| null }) => {\n const msg = path && path !== key ? `Invalid key ${key} at ${path}` : `Invalid key ${key}`;\n\n throw new ValidationError(msg);\n};\n\nexport default ({ action, ability, model }: any) => {\n const schema = strapi.getModel(model);\n\n // Create request-scoped model cache to avoid redundant getModel() calls\n const modelCache = createModelCache(strapi.getModel.bind(strapi));\n\n const ctx = {\n schema,\n getModel: modelCache.getModel,\n };\n\n const createValidateQuery = (options = {} as any) => {\n const { fields } = options;\n\n // TODO: validate relations to admin users in all validators\n const permittedFields = fields.shouldIncludeAll ? null : getQueryFields(fields.permitted);\n\n const createValidateFilters = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFilters(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFilters(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQueryFilters(throwPassword, ctx),\n traverse.traverseQueryFilters(({ key, value, path }) => {\n if (isObject(value) && isEmpty(value)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n }, ctx)\n );\n\n const createValidateSort = (ctx: any) =>\n async.pipe(\n traverse.traverseQuerySort(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQuerySort(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQuerySort(throwPassword, ctx),\n traverse.traverseQuerySort(({ key, attribute, value, path }) => {\n if (!isScalarAttribute(attribute) && isEmpty(value)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n }, ctx)\n );\n\n const createValidateFields = (ctx: any) =>\n async.pipe(\n traverse.traverseQueryFields(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryFields(throwPassword, ctx)\n );\n\n const validateFilters = createValidateFilters(ctx);\n const validateSort = createValidateSort(ctx);\n const validateFields = createValidateFields(ctx);\n\n const validateNestedPopulate = async ({ key, value, schema, attribute, getModel }: any) => {\n if (attribute) {\n return;\n }\n\n const nestedCtx = { schema, getModel };\n\n if (key === 'sort') {\n await createValidateSort(nestedCtx)(value);\n }\n\n if (key === 'filters') {\n await createValidateFilters(nestedCtx)(value);\n }\n\n if (key === 'fields') {\n await createValidateFields(nestedCtx)(value);\n }\n };\n\n const validatePopulate = async.pipe(\n traverse.traverseQueryPopulate(throwDisallowedFields(permittedFields), ctx),\n traverse.traverseQueryPopulate(throwDisallowedAdminUserFields, ctx),\n traverse.traverseQueryPopulate(throwHiddenFields, ctx),\n traverse.traverseQueryPopulate(throwPassword, ctx),\n traverse.traverseQueryPopulate(validateNestedPopulate, ctx)\n );\n\n return async (query: any) => {\n if (query.filters) {\n await validateFilters(query.filters);\n }\n\n if (query.sort) {\n await validateSort(query.sort);\n }\n\n if (query.fields) {\n await validateFields(query.fields);\n }\n\n // a wildcard is always valid; its conversion will be handled by the entity service and can be optimized with sanitizer\n if (query.populate && query.populate !== '') {\n await validatePopulate(query.populate);\n }\n\n return true;\n };\n };\n\n const createValidateInput = (options = {} as any) => {\n const { fields } = options;\n\n const permittedFields = fields.shouldIncludeAll ? null : getInputFields(fields.permitted);\n\n return async.pipe(\n // Remove fields hidden from the admin\n traverseEntity(throwHiddenFields, ctx),\n // Remove not allowed fields (RBAC)\n traverseEntity(throwDisallowedFields(permittedFields), ctx),\n // Remove roles from createdBy & updatedBy fields\n omitCreatorRoles\n );\n };\n\n const wrapValidate = (createValidateFunction: any) => {\n const { getPermissionFields } = createPermissionFieldsCache(ability);\n\n // TODO\n // @ts-expect-error define the correct return type\n const wrappedValidate = async (data, options = {}): Promise<unknown> => {\n if (isArray(data)) {\n return Promise.all(data.map((entity: unknown) => wrappedValidate(entity, options)));\n }\n\n const { subject, action: actionOverride } = getDefaultOptions(data, options);\n\n const { permittedFields, hasAtLeastOneRegistered, shouldIncludeAll } = getPermissionFields(\n actionOverride,\n subject\n );\n\n const validateOptions = {\n ...options,\n fields: {\n shouldIncludeAll,\n permitted: permittedFields,\n hasAtLeastOneRegistered,\n },\n };\n\n const validateFunction = createValidateFunction(validateOptions);\n\n return validateFunction(data);\n };\n\n return wrappedValidate;\n };\n\n const getDefaultOptions = (data: any, options: unknown) => {\n return defaults({ subject: asSubject(model, data), action }, options);\n };\n\n /\n Omit creator fields' (createdBy & updatedBy) roles from the admin API responses\n /\n const omitCreatorRoles = omit([`${CREATED_BY_ATTRIBUTE}.roles`, `${UPDATED_BY_ATTRIBUTE}.roles`]);\n\n /\n Visitor used to remove hidden fields from the admin API responses\n /\n const throwHiddenFields = ({ key, schema, path }: any) => {\n const isHidden = getOr(false, ['config', 'attributes', key, 'hidden'], schema);\n\n if (isHidden) {\n throwInvalidKey({ key, path: path.attribute });\n }\n };\n\n /\n Visitor used to omit disallowed fields from the admin users entities & avoid leaking sensitive information\n */\n const throwDisallowedAdminUserFields = ({ key, attribute, schema, path }: any) => {\n if (schema.uid === 'admin::user' && attribute && !ADMIN_USER_ALLOWED_FIELDS.includes(key)) {\n throwInvalidKey({ key, path: path.attribute });\n }\n };\n\n const getInputFields = (fields = []) => {\n const nonVisibleAttributes = getNonVisibleAttributes(schema);\n const writableAttributes = getWritableAttributes(schema);\n\n const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);\n\n return uniq([...fields, ...COMPONENT_FIELDS, ...nonVisibleWritableAttributes]);\n };\n\n const getQueryFields = (fields = []) => {\n return uniq([\n ...fields,\n ...STATIC_FIELDS,\n ...COMPONENT_FIELDS,\n CREATED_AT_ATTRIBUTE,\n UPDATED_AT_ATTRIBUTE,\n PUBLISHED_AT_ATTRIBUTE,\n ]);\n };\n\n return {\n validateQuery: wrapValidate(createValidateQuery),\n validateInput: wrapValidate(createValidateInput),\n };\n};\n"],"names":["ValidationError","errors","throwPassword","throwDisallowedFields","validate","visitors","constants","isScalarAttribute","getNonVisibleAttributes","getWritableAttributes","contentTypes","ID_ATTRIBUTE","DOC_ID_ATTRIBUTE","CREATED_AT_ATTRIBUTE","UPDATED_AT_ATTRIBUTE","PUBLISHED_AT_ATTRIBUTE","CREATED_BY_ATTRIBUTE","UPDATED_BY_ATTRIBUTE","COMPONENT_FIELDS","STATIC_FIELDS","throwInvalidKey","key","path","msg","action","ability","model","schema","strapi","getModel","modelCache","createModelCache","bind","ctx","createValidateQuery","options","fields","permittedFields","shouldIncludeAll","getQueryFields","permitted","createValidateFilters","async","pipe","traverse","traverseQueryFilters","throwDisallowedAdminUserFields","value","isObject","isEmpty","attribute","createValidateSort","traverseQuerySort","createValidateFields","traverseQueryFields","validateFilters","validateSort","validateFields","validateNestedPopulate","nestedCtx","validatePopulate","traverseQueryPopulate","throwHiddenFields","query","filters","sort","populate","createValidateInput","getInputFields","traverseEntity","omitCreatorRoles","wrapValidate","createValidateFunction","getPermissionFields","createPermissionFieldsCache","wrappedValidate","data","isArray","Promise","all","map","entity","subject","actionOverride","getDefaultOptions","hasAtLeastOneRegistered","validateOptions","validateFunction","defaults","asSubject","omit","isHidden","getOr","uid","ADMIN_USER_ALLOWED_FIELDS","includes","nonVisibleAttributes","writableAttributes","nonVisibleWritableAttributes","intersection","uniq","validateQuery","validateInput"],"mappings":";;;;;;AAgBA,MAAM,EAAEA,eAAe,EAAE,GAAGC,MAAAA;AAC5B,MAAM,EAAEC,aAAa,EAAEC,qBAAqB,EAAE,GAAGC,SAASC,QAAQ;AAElE,MAAM,EAAEC,SAAS,EAAEC,iBAAiB,EAAEC,uBAAuB,EAAEC,qBAAqB,EAAE,GACpFC,YAAAA;AACF,MAAM,EACJC,YAAY,EACZC,gBAAgB,EAChBC,oBAAoB,EACpBC,oBAAoB,EACpBC,sBAAsB,EACtBC,oBAAoB,EACpBC,oBAAoB,EACrB,GAAGX,SAAAA;AAEJ,MAAMY,gBAAAA,GAAmB;AAAC,IAAA;AAAc,CAAA;AAExC,MAAMC,aAAAA,GAAgB;AAACR,IAAAA,YAAAA;AAAcC,IAAAA;AAAiB,CAAA;AAEtD,MAAMQ,kBAAkB,CAAC,EAAEC,GAAG,EAAEC,IAAI,EAAyC,GAAA;AAC3E,IAAA,MAAMC,GAAAA,GAAMD,IAAAA,IAAQA,IAAAA,KAASD,GAAAA,GAAM,CAAC,YAAY,EAAEA,GAAAA,CAAI,IAAI,EAAEC,IAAAA,CAAAA,CAAM,GAAG,CAAC,YAAY,EAAED,GAAAA,CAAAA,CAAK;AAEzF,IAAA,MAAM,IAAIrB,eAAAA,CAAgBuB,GAAAA,CAAAA;AAC5B,CAAA;AAEA,4BAAe,CAAA,CAAC,EAAEC,MAAM,EAAEC,OAAO,EAAEC,KAAK,EAAO,GAAA;IAC7C,MAAMC,MAAAA,GAASC,MAAAA,CAAOC,QAAQ,CAACH,KAAAA,CAAAA;;AAG/B,IAAA,MAAMI,aAAaC,gBAAAA,CAAiBH,MAAAA,CAAOC,QAAQ,CAACG,IAAI,CAACJ,MAAAA,CAAAA,CAAAA;AAEzD,IAAA,MAAMK,GAAAA,GAAM;AACVN,QAAAA,MAAAA;AACAE,QAAAA,QAAAA,EAAUC,WAAWD;AACvB,KAAA;AAEA,IAAA,MAAMK,mBAAAA,GAAsB,CAACC,OAAAA,GAAU,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;;AAGnB,QAAA,MAAME,kBAAkBD,MAAAA,CAAOE,gBAAgB,GAAG,IAAA,GAAOC,cAAAA,CAAeH,OAAOI,SAAS,CAAA;AAExF,QAAA,MAAMC,qBAAAA,GAAwB,CAACR,GAAAA,GAC7BS,KAAAA,CAAMC,IAAI,CACRC,QAAAA,CAASC,oBAAoB,CAAC1C,qBAAAA,CAAsBkC,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA,EACtEW,QAAAA,CAASC,oBAAoB,CAACC,8BAAAA,EAAgCb,GAAAA,CAAAA,EAC9DW,QAAAA,CAASC,oBAAoB,CAAC3C,aAAAA,EAAe+B,GAAAA,CAAAA,EAC7CW,SAASC,oBAAoB,CAAC,CAAC,EAAExB,GAAG,EAAE0B,KAAK,EAAEzB,IAAI,EAAE,GAAA;gBACjD,IAAI0B,QAAAA,CAASD,KAAAA,CAAAA,IAAUE,OAAAA,CAAQF,KAAAA,CAAAA,EAAQ;oBACrC3B,eAAAA,CAAgB;AAAEC,wBAAAA,GAAAA;AAAKC,wBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,qBAAA,CAAA;AAC9C,gBAAA;YACF,CAAA,EAAGjB,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMkB,kBAAAA,GAAqB,CAAClB,GAAAA,GAC1BS,KAAAA,CAAMC,IAAI,CACRC,QAAAA,CAASQ,iBAAiB,CAACjD,sBAAsBkC,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA,EACnEW,QAAAA,CAASQ,iBAAiB,CAACN,8BAAAA,EAAgCb,GAAAA,CAAAA,EAC3DW,QAAAA,CAASQ,iBAAiB,CAAClD,aAAAA,EAAe+B,GAAAA,CAAAA,EAC1CW,QAAAA,CAASQ,iBAAiB,CAAC,CAAC,EAAE/B,GAAG,EAAE6B,SAAS,EAAEH,KAAK,EAAEzB,IAAI,EAAE,GAAA;AACzD,gBAAA,IAAI,CAACf,iBAAAA,CAAkB2C,SAAAA,CAAAA,IAAcD,OAAAA,CAAQF,KAAAA,CAAAA,EAAQ;oBACnD3B,eAAAA,CAAgB;AAAEC,wBAAAA,GAAAA;AAAKC,wBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,qBAAA,CAAA;AAC9C,gBAAA;YACF,CAAA,EAAGjB,GAAAA,CAAAA,CAAAA;AAGP,QAAA,MAAMoB,oBAAAA,GAAuB,CAACpB,GAAAA,GAC5BS,KAAAA,CAAMC,IAAI,CACRC,QAAAA,CAASU,mBAAmB,CAACnD,sBAAsBkC,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA,EACrEW,QAAAA,CAASU,mBAAmB,CAACpD,aAAAA,EAAe+B,GAAAA,CAAAA,CAAAA;AAGhD,QAAA,MAAMsB,kBAAkBd,qBAAAA,CAAsBR,GAAAA,CAAAA;AAC9C,QAAA,MAAMuB,eAAeL,kBAAAA,CAAmBlB,GAAAA,CAAAA;AACxC,QAAA,MAAMwB,iBAAiBJ,oBAAAA,CAAqBpB,GAAAA,CAAAA;AAE5C,QAAA,MAAMyB,sBAAAA,GAAyB,OAAO,EAAErC,GAAG,EAAE0B,KAAK,EAAEpB,MAAM,EAAEuB,SAAS,EAAErB,QAAQ,EAAO,GAAA;AACpF,YAAA,IAAIqB,SAAAA,EAAW;AACb,gBAAA;AACF,YAAA;AAEA,YAAA,MAAMS,SAAAA,GAAY;AAAEhC,gBAAAA,MAAAA;AAAQE,gBAAAA;AAAS,aAAA;AAErC,YAAA,IAAIR,QAAQ,MAAA,EAAQ;AAClB,gBAAA,MAAM8B,mBAAmBQ,SAAAA,CAAAA,CAAWZ,KAAAA,CAAAA;AACtC,YAAA;AAEA,YAAA,IAAI1B,QAAQ,SAAA,EAAW;AACrB,gBAAA,MAAMoB,sBAAsBkB,SAAAA,CAAAA,CAAWZ,KAAAA,CAAAA;AACzC,YAAA;AAEA,YAAA,IAAI1B,QAAQ,QAAA,EAAU;AACpB,gBAAA,MAAMgC,qBAAqBM,SAAAA,CAAAA,CAAWZ,KAAAA,CAAAA;AACxC,YAAA;AACF,QAAA,CAAA;AAEA,QAAA,MAAMa,gBAAAA,GAAmBlB,KAAAA,CAAMC,IAAI,CACjCC,QAAAA,CAASiB,qBAAqB,CAAC1D,qBAAAA,CAAsBkC,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA,EACvEW,QAAAA,CAASiB,qBAAqB,CAACf,8BAAAA,EAAgCb,GAAAA,CAAAA,EAC/DW,QAAAA,CAASiB,qBAAqB,CAACC,iBAAAA,EAAmB7B,GAAAA,CAAAA,EAClDW,QAAAA,CAASiB,qBAAqB,CAAC3D,aAAAA,EAAe+B,GAAAA,CAAAA,EAC9CW,QAAAA,CAASiB,qBAAqB,CAACH,sBAAAA,EAAwBzB,GAAAA,CAAAA,CAAAA;AAGzD,QAAA,OAAO,OAAO8B,KAAAA,GAAAA;YACZ,IAAIA,KAAAA,CAAMC,OAAO,EAAE;gBACjB,MAAMT,eAAAA,CAAgBQ,MAAMC,OAAO,CAAA;AACrC,YAAA;YAEA,IAAID,KAAAA,CAAME,IAAI,EAAE;gBACd,MAAMT,YAAAA,CAAaO,MAAME,IAAI,CAAA;AAC/B,YAAA;YAEA,IAAIF,KAAAA,CAAM3B,MAAM,EAAE;gBAChB,MAAMqB,cAAAA,CAAeM,MAAM3B,MAAM,CAAA;AACnC,YAAA;;AAGA,YAAA,IAAI2B,MAAMG,QAAQ,IAAIH,KAAAA,CAAMG,QAAQ,KAAK,GAAA,EAAK;gBAC5C,MAAMN,gBAAAA,CAAiBG,MAAMG,QAAQ,CAAA;AACvC,YAAA;YAEA,OAAO,IAAA;AACT,QAAA,CAAA;AACF,IAAA,CAAA;AAEA,IAAA,MAAMC,mBAAAA,GAAsB,CAAChC,OAAAA,GAAU,EAAS,GAAA;QAC9C,MAAM,EAAEC,MAAM,EAAE,GAAGD,OAAAA;AAEnB,QAAA,MAAME,kBAAkBD,MAAAA,CAAOE,gBAAgB,GAAG,IAAA,GAAO8B,cAAAA,CAAehC,OAAOI,SAAS,CAAA;QAExF,OAAOE,KAAAA,CAAMC,IAAI;QAEf0B,cAAAA,CAAeP,iBAAAA,EAAmB7B;QAElCoC,cAAAA,CAAelE,qBAAAA,CAAsBkC,eAAAA,CAAAA,EAAkBJ,GAAAA,CAAAA;AAEvDqC,QAAAA,gBAAAA,CAAAA;AAEJ,IAAA,CAAA;AAEA,IAAA,MAAMC,eAAe,CAACC,sBAAAA,GAAAA;AACpB,QAAA,MAAM,EAAEC,mBAAmB,EAAE,GAAGC,2BAAAA,CAA4BjD,OAAAA,CAAAA;;;AAI5D,QAAA,MAAMkD,eAAAA,GAAkB,OAAOC,IAAAA,EAAMzC,OAAAA,GAAU,EAAE,GAAA;AAC/C,YAAA,IAAI0C,QAAQD,IAAAA,CAAAA,EAAO;gBACjB,OAAOE,OAAAA,CAAQC,GAAG,CAACH,IAAAA,CAAKI,GAAG,CAAC,CAACC,MAAAA,GAAoBN,eAAAA,CAAgBM,MAAAA,EAAQ9C,OAAAA,CAAAA,CAAAA,CAAAA;AAC3E,YAAA;YAEA,MAAM,EAAE+C,OAAO,EAAE1D,MAAAA,EAAQ2D,cAAc,EAAE,GAAGC,kBAAkBR,IAAAA,EAAMzC,OAAAA,CAAAA;YAEpE,MAAM,EAAEE,eAAe,EAAEgD,uBAAuB,EAAE/C,gBAAgB,EAAE,GAAGmC,mBAAAA,CACrEU,cAAAA,EACAD,OAAAA,CAAAA;AAGF,YAAA,MAAMI,eAAAA,GAAkB;AACtB,gBAAA,GAAGnD,OAAO;gBACVC,MAAAA,EAAQ;AACNE,oBAAAA,gBAAAA;oBACAE,SAAAA,EAAWH,eAAAA;AACXgD,oBAAAA;AACF;AACF,aAAA;AAEA,YAAA,MAAME,mBAAmBf,sBAAAA,CAAuBc,eAAAA,CAAAA;AAEhD,YAAA,OAAOC,gBAAAA,CAAiBX,IAAAA,CAAAA;AAC1B,QAAA,CAAA;QAEA,OAAOD,eAAAA;AACT,IAAA,CAAA;IAEA,MAAMS,iBAAAA,GAAoB,CAACR,IAAAA,EAAWzC,OAAAA,GAAAA;AACpC,QAAA,OAAOqD,QAAAA,CAAS;AAAEN,YAAAA,OAAAA,EAASO,QAAU/D,KAAAA,EAAOkD,IAAAA,CAAAA;AAAOpD,YAAAA;SAAO,EAAGW,OAAAA,CAAAA;AAC/D,IAAA,CAAA;AAEA;;MAGA,MAAMmC,mBAAmBoB,IAAAA,CAAK;QAAC,CAAA,EAAG1E,oBAAAA,CAAqB,MAAM,CAAC;QAAE,CAAA,EAAGC,oBAAAA,CAAqB,MAAM;AAAE,KAAA,CAAA;AAEhG;;MAGA,MAAM6C,oBAAoB,CAAC,EAAEzC,GAAG,EAAEM,MAAM,EAAEL,IAAI,EAAO,GAAA;QACnD,MAAMqE,QAAAA,GAAWC,MAAM,KAAA,EAAO;AAAC,YAAA,QAAA;AAAU,YAAA,YAAA;AAAcvE,YAAAA,GAAAA;AAAK,YAAA;SAAS,EAAEM,MAAAA,CAAAA;AAEvE,QAAA,IAAIgE,QAAAA,EAAU;YACZvE,eAAAA,CAAgB;AAAEC,gBAAAA,GAAAA;AAAKC,gBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,aAAA,CAAA;AAC9C,QAAA;AACF,IAAA,CAAA;AAEA;;MAGA,MAAMJ,8BAAAA,GAAiC,CAAC,EAAEzB,GAAG,EAAE6B,SAAS,EAAEvB,MAAM,EAAEL,IAAI,EAAO,GAAA;QAC3E,IAAIK,MAAAA,CAAOkE,GAAG,KAAK,aAAA,IAAiB3C,aAAa,CAAC4C,yBAAAA,CAA0BC,QAAQ,CAAC1E,GAAAA,CAAAA,EAAM;YACzFD,eAAAA,CAAgB;AAAEC,gBAAAA,GAAAA;AAAKC,gBAAAA,IAAAA,EAAMA,KAAK4B;AAAU,aAAA,CAAA;AAC9C,QAAA;AACF,IAAA,CAAA;IAEA,MAAMkB,cAAAA,GAAiB,CAAChC,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,MAAM4D,uBAAuBxF,uBAAAA,CAAwBmB,MAAAA,CAAAA;AACrD,QAAA,MAAMsE,qBAAqBxF,qBAAAA,CAAsBkB,MAAAA,CAAAA;QAEjD,MAAMuE,4BAAAA,GAA+BC,aAAaH,oBAAAA,EAAsBC,kBAAAA,CAAAA;AAExE,QAAA,OAAOG,IAAAA,CAAK;AAAIhE,YAAAA,GAAAA,MAAAA;AAAWlB,YAAAA,GAAAA,gBAAAA;AAAqBgF,YAAAA,GAAAA;AAA6B,SAAA,CAAA;AAC/E,IAAA,CAAA;IAEA,MAAM3D,cAAAA,GAAiB,CAACH,MAAAA,GAAS,EAAE,GAAA;AACjC,QAAA,OAAOgE,IAAAA,CAAK;AACPhE,YAAAA,GAAAA,MAAAA;AACAjB,YAAAA,GAAAA,aAAAA;AACAD,YAAAA,GAAAA,gBAAAA;AACHL,YAAAA,oBAAAA;AACAC,YAAAA,oBAAAA;AACAC,YAAAA;AACD,SAAA,CAAA;AACH,IAAA,CAAA;IAEA,OAAO;AACLsF,QAAAA,aAAAA,EAAe9B,YAAAA,CAAarC,mBAAAA,CAAAA;AAC5BoE,QAAAA,aAAAA,EAAe/B,YAAAA,CAAaJ,mBAAAA;AAC9B,KAAA;AACF,CAAA;;;;"}

package/dist/server/server/src/services/permission/queries.js CHANGED Viewed

@@ -2,8 +2,8 @@
 var fp = require('lodash/fp');
 var pmap = require('p-map');
-var index$1 = require('../../utils/index.js');
-var index = require('../../domain/permission/index.js');
+var index = require('../../utils/index.js');
+var index$1 = require('../../domain/permission/index.js');
 /**
  * Delete permissions of roles in database
@@ -51,7 +51,7 @@ var index = require('../../domain/permission/index.js');
         });
         createdPermissions.push(newPerm);
     }
-    const permissionsToReturn = index.default.toPermission(createdPermissions);
+    const permissionsToReturn = index$1.default.toPermission(createdPermissions);
     strapi.eventHub.emit('permission.create', {
         permissions: permissionsToReturn
     });
@@ -66,7 +66,7 @@ var index = require('../../domain/permission/index.js');
         where: params,
         data: attributes
     });
-    const permissionToReturn = index.default.toPermission(updatedPermission);
+    const permissionToReturn = index$1.default.toPermission(updatedPermission);
     strapi.eventHub.emit('permission.update', {
         permissions: permissionToReturn
     });
@@ -77,7 +77,7 @@ var index = require('../../domain/permission/index.js');
  * @param params query params to find the permissions
  */ const findMany = async (params = {})=>{
     const rawPermissions = await strapi.db.query('admin::permission').findMany(params);
-    return index.default.toPermission(rawPermissions);
+    return index$1.default.toPermission(rawPermissions);
 };
 /**
  * Find all permissions for a user
@@ -94,14 +94,14 @@ var index = require('../../domain/permission/index.js');
     });
 };
 const filterPermissionsToRemove = async (permissions)=>{
-    const { actionProvider } = index$1.getService('permission');
+    const { actionProvider } = index.getService('permission');
     const permissionsToRemove = [];
     for (const permission of permissions){
         const { subjects, options = {} } = actionProvider.get(permission.action) || {};
         const { applyToProperties } = options;
         const invalidProperties = await Promise.all((applyToProperties || []).map(async (property)=>{
             const applies = await actionProvider.appliesToProperty(property, permission.action, permission.subject);
-            return applies && fp.isNil(index.default.getProperty(property, permission));
+            return applies && fp.isNil(index$1.default.getProperty(property, permission));
         }));
         const isRegisteredAction = actionProvider.has(permission.action);
         const hasInvalidProperties = fp.isArray(applyToProperties) && invalidProperties.every(fp.eq(true));
@@ -117,7 +117,7 @@ const filterPermissionsToRemove = async (permissions)=>{
  * Removes permissions in database that don't exist anymore
  */ const cleanPermissionsInDatabase = async ()=>{
     const pageSize = 200;
-    const contentTypeService = index$1.getService('content-type');
+    const contentTypeService = index.getService('content-type');
     const total = await strapi.db.query('admin::permission').count();
     const pageCount = Math.ceil(total / pageSize);
     for(let page = 0; page < pageCount; page += 1){
@@ -126,7 +126,7 @@ const filterPermissionsToRemove = async (permissions)=>{
             limit: pageSize,
             offset: page * pageSize
         });
-        const permissions = index.default.toPermission(results);
+        const permissions = index$1.default.toPermission(results);
         const permissionsToRemove = await filterPermissionsToRemove(permissions);
         const permissionsIdToRemove = fp.map(fp.prop('id'), permissionsToRemove);
         // 2. Clean permissions' fields (add required ones, remove the non-existing ones)