npm - @strapi/content-manager - Versions diffs - 0.0.0-experimental.f31889311d753b5f7d95198ae84d8fce1d156cd6 → 0.0.0-experimental.f74ae50eea1ce95176f088dba837e95b60fa2a4d - Mend

@strapi/content-manager 0.0.0-experimental.f31889311d753b5f7d95198ae84d8fce1d156cd6 → 0.0.0-experimental.f74ae50eea1ce95176f088dba837e95b60fa2a4d

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (117) hide show

package/dist/server/index.mjs CHANGED Viewed

@@ -173,7 +173,9 @@ const createServiceUtils = ({ strapi: strapi2 }) => {
     return strapi2.db.query("plugin::upload.file").findOne({ where: { id: versionRelationData.id } });
   };
   const localesService = strapi2.plugin("i18n")?.service("locales");
+  const i18nContentTypeService = strapi2.plugin("i18n")?.service("content-types");
   const getDefaultLocale = async () => localesService ? localesService.getDefaultLocale() : null;
+  const isLocalizedContentType = (model) => i18nContentTypeService ? i18nContentTypeService.isLocalizedContentType(model) : false;
   const getLocaleDictionary = async () => {
     if (!localesService)
       return {};
@@ -291,6 +293,7 @@ const createServiceUtils = ({ strapi: strapi2 }) => {
     getRelationRestoreValue,
     getMediaRestoreValue,
     getDefaultLocale,
+    isLocalizedContentType,
     getLocaleDictionary,
     getRetentionDays,
     getVersionStatus,
@@ -313,7 +316,13 @@ const createHistoryService = ({ strapi: strapi2 }) => {
       });
     },
     async findVersionsPage(params) {
-      const locale = params.query.locale || await serviceUtils.getDefaultLocale();
+      const model = strapi2.getModel(params.query.contentType);
+      const isLocalizedContentType = serviceUtils.isLocalizedContentType(model);
+      const defaultLocale = await serviceUtils.getDefaultLocale();
+      let locale = null;
+      if (isLocalizedContentType) {
+        locale = params.query.locale || defaultLocale;
+      }
       const [{ results, pagination: pagination2 }, localeDictionary] = await Promise.all([
         query.findPage({
           ...params.query,
@@ -529,11 +538,13 @@ const createLifecyclesService = ({ strapi: strapi2 }) => {
         }
         const uid2 = context.contentType.uid;
         const schemas = getSchemas(uid2);
+        const model = strapi2.getModel(uid2);
+        const isLocalizedContentType = serviceUtils.isLocalizedContentType(model);
         const localeEntries = await strapi2.db.query(uid2).findMany({
           where: {
             documentId,
-            locale: { $in: locales },
-            publishedAt: null
+            ...isLocalizedContentType ? { locale: { $in: locales } } : {},
+            ...contentTypes$1.hasDraftAndPublish(strapi2.contentTypes[uid2]) ? { publishedAt: null } : {}
           },
           populate: serviceUtils.getDeepPopulate(
             uid2,
@@ -1193,6 +1204,11 @@ const { createPolicy } = policy;
 const hasPermissions = createPolicy({
   name: "plugin::content-manager.hasPermissions",
   validator: validateHasPermissionsInput,
+  /**
+   * NOTE: Action aliases are currently not checked at this level (policy).
+   *       This is currently the intended behavior to avoid changing the behavior of API related permissions.
+   *       If you want to add support for it, please create a dedicated RFC with a list of potential side effect this could have.
+   */
   handler(ctx, config = {}) {
     const { actions = [], hasAtLeastOne = false } = config;
     const { userAbility } = ctx.state;
@@ -1745,7 +1761,7 @@ const collectionTypes = {
         permissionChecker2,
         model,
         // @ts-expect-error TODO: fix
-        { id, locale, publishedAt: null },
+        { documentId: id, locale, publishedAt: null },
         { availableLocales: true, availableStatus: false }
       );
       ctx.body = { data: {}, meta };
@@ -1882,11 +1898,17 @@ const collectionTypes = {
       }
       const isUpdate = !isCreate;
       if (isUpdate) {
-        document = await documentManager2.findOne(id, model, { populate, locale });
-        if (!document) {
+        const documentExists = documentManager2.exists(model, id);
+        if (!documentExists) {
           throw new errors.NotFoundError("Document not found");
         }
-        if (permissionChecker2.can.update(document)) {
+        document = await documentManager2.findOne(id, model, { populate, locale });
+        if (!document) {
+          if (permissionChecker2.cannot.create({ locale }) || permissionChecker2.cannot.publish({ locale })) {
+            throw new errors.ForbiddenError();
+          }
+          document = await updateDocument(ctx);
+        } else if (permissionChecker2.can.update(document)) {
           await updateDocument(ctx);
         }
       }
@@ -1948,7 +1970,9 @@ const collectionTypes = {
     if (permissionChecker2.cannot.unpublish()) {
       return ctx.forbidden();
     }
-    const { locale } = await getDocumentLocaleAndStatus(body, model);
+    const { locale } = await getDocumentLocaleAndStatus(body, model, {
+      allowMultipleLocales: true
+    });
     const entityPromises = documentIds.map(
       (documentId) => documentManager2.findLocales(documentId, model, { locale, isPublished: true })
     );
@@ -2299,20 +2323,13 @@ const sanitizeMainField = (model, mainField, userAbility) => {
     userAbility,
     model: model.uid
   });
-  if (!isListable(model, mainField)) {
+  const isMainFieldListable = isListable(model, mainField);
+  const canReadMainField = permissionChecker2.can.read(null, mainField);
+  if (!isMainFieldListable || !canReadMainField) {
     return "id";
   }
-  if (permissionChecker2.cannot.read(null, mainField)) {
-    if (model.uid === "plugin::users-permissions.role") {
-      const userPermissionChecker = getService$1("permission-checker").create({
-        userAbility,
-        model: "plugin::users-permissions.user"
-      });
-      if (userPermissionChecker.can.read()) {
-        return "name";
-      }
-    }
-    return "id";
+  if (model.uid === "plugin::users-permissions.role") {
+    return "name";
   }
   return mainField;
 };
@@ -2512,8 +2529,9 @@ const relations = {
       } else {
         where.id = id;
       }
-      if (status) {
-        where[`${alias}.published_at`] = getPublishedAtClause(status, targetUid);
+      const publishedAt = getPublishedAtClause(status, targetUid);
+      if (!isEmpty(publishedAt)) {
+        where[`${alias}.published_at`] = publishedAt;
       }
       if (filterByLocale) {
         where[`${alias}.locale`] = locale;
@@ -2570,9 +2588,7 @@ const relations = {
     addFiltersClause(permissionQuery, { id: { $in: loadedIds } });
     const sanitizedRes = await loadRelations({ id: entryId }, targetField, {
       ...strapi.get("query-params").transform(targetUid, permissionQuery),
-      ordering: "desc",
-      page: ctx.request.query.page,
-      pageSize: ctx.request.query.pageSize
+      ordering: "desc"
     });
     const relationsUnion = uniqBy("id", concat(sanitizedRes.results, res.results));
     ctx.body = {
@@ -2659,7 +2675,7 @@ const singleTypes = {
         permissionChecker2,
         model,
         // @ts-expect-error - fix types
-        { id: document.documentId, locale, publishedAt: null },
+        { documentId: document.documentId, locale, publishedAt: null },
         { availableLocales: true, availableStatus: false }
       );
       ctx.body = { data: {}, meta };
@@ -3478,12 +3494,27 @@ const createPermissionChecker = (strapi2) => ({ userAbility, model }) => {
     ability: userAbility,
     model
   });
-  const toSubject = (entity) => entity ? permissionsManager.toSubject(entity, model) : model;
+  const { actionProvider } = strapi2.service("admin::permission");
+  const toSubject = (entity) => {
+    return entity ? permissionsManager.toSubject(entity, model) : model;
+  };
   const can = (action, entity, field) => {
-    return userAbility.can(action, toSubject(entity), field);
+    const subject = toSubject(entity);
+    const aliases = actionProvider.unstable_aliases(action, model);
+    return (
+      // Test the original action to see if it passes
+      userAbility.can(action, subject, field) || // Else try every known alias if at least one of them succeed, then the user "can"
+      aliases.some((alias) => userAbility.can(alias, subject, field))
+    );
   };
   const cannot = (action, entity, field) => {
-    return userAbility.cannot(action, toSubject(entity), field);
+    const subject = toSubject(entity);
+    const aliases = actionProvider.unstable_aliases(action, model);
+    return (
+      // Test both the original action
+      userAbility.cannot(action, subject, field) && // and every known alias, if all of them fail (cannot), then the user truly "cannot"
+      aliases.every((alias) => userAbility.cannot(alias, subject, field))
+    );
   };
   const sanitizeOutput = (data, { action = ACTIONS.read } = {}) => {
     return permissionsManager.sanitizeOutput(data, { subject: toSubject(data), action });