npm - @strapi/permissions - Versions diffs - 0.0.0 - Mend

@strapi/permissions 0.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/LICENSE +22 -0
package/README.md +109 -0
package/index.d.ts +54 -0
package/lib/domain/index.js +7 -0
package/lib/domain/permission/index.js +68 -0
package/lib/engine/abilities/casl-ability.js +57 -0
package/lib/engine/abilities/index.js +7 -0
package/lib/engine/hooks.js +97 -0
package/lib/engine/index.js +209 -0
package/lib/index.js +9 -0
package/package.json +36 -0

package/LICENSE ADDED Viewed

@@ -0,0 +1,22 @@
+Copyright (c) 2015-present Strapi Solutions SAS
+Portions of the Strapi software are licensed as follows:
+* All software that resides under an "ee/" directory (the “EE Software”), if that directory exists, is licensed under the license defined in "ee/LICENSE".
+* All software outside of the above-mentioned directories or restrictions above is available under the "MIT Expat" license as set forth below.
+MIT Expat License
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,109 @@
+# Strapi Permissions
+Highly customizable permission engine made for Strapi
+## Get Started
+```sh
+yarn add @strapi/permissions
+```
+```javascript
+const permissions = require('@strapi/permissions');
+const engine = permissions.engine.new({ providers });
+const ability = await engine.generateAbility([
+  { action: 'read' },
+  { action: 'delete', subject: 'foo' },
+  { action: 'update', subject: 'bar', properties: { fields: ['foobar'] } },
+  {
+    action: 'create',
+    subject: 'foo',
+    properties: { fields: ['foobar'] },
+    conditions: ['isAuthor'],
+  },
+]);
+ability.can('read'); // true
+ability.can('publish'); // false
+ability.can('update', 'foo'); // false
+ability.can('update', 'bar'); // true
+```
+- You need to give both an action and a condition provider as parameters when instantiating a new permission engine instance. They must be contained in a `providers` object property.
+- You can also pass an `abilityBuilderFactory` to customize what kind of ability the `generateAbility` method will return. By default it'll use a `@casl/ability` builder.
+You can also register to some hooks for each engine instance.
+See `lib/engine/hooks.js` -> `createEngineHooks` for available hooks.
+```javascript
+const permissions = require('@strapi/permissions');
+const engine = permissions.engine
+  .new({ providers })
+  .on('before-format::validate.permission', ({ permission }) => {
+    if (permission.action === 'read') {
+      return false;
+    }
+  });
+const ability = await engine.generateAbility([
+  { action: 'read' },
+  { action: 'delete', subject: 'foo' },
+  { action: 'update', subject: 'bar', properties: { fields: ['foobar'] } },
+  {
+    action: 'create',
+    subject: 'foo',
+    properties: { fields: ['foobar'] },
+    conditions: ['isAuthor'],
+  },
+]);
+ability.can('read'); // false since the validation hook prevents the engine from registering the permission
+ability.can('publish'); // false
+ability.can('update', 'foo'); // false
+ability.can('update', 'bar'); // true
+```
+The `format.permission` hook can be used to modify the permission.
+```javascript
+const permissions = require('@strapi/permissions');
+const engine = permissions.engine
+  .new({ providers })
+  .on('before-format::validate.permission', ({ permission }) => {
+    if (permission.action === 'modify') {
+      return false;
+    }
+  })
+  .on('after-format::validate.permission', ({ permission }) => {
+    if (permission.action === 'update') {
+      return false;
+    }
+  })
+  .on('format.permission', ({ permission }) => {
+    if (permission.action === 'update') {
+      return {
+        ...permission,
+        action: 'modify',
+      };
+    }
+    if (permission.action === 'delete') {
+      return {
+        ...permission,
+        action: 'remove',
+      };
+    }
+    return permission;
+  });
+const ability = await engine.generateAbility([{ action: 'update' }, { action: 'delete' }]);
+ability.can('update'); // false
+ability.can('modify'); // true, because create was changed to 'modify'
+ability.can('delete'); // false, doesn't exist because it was changed by format.permission
+ability.can('remove'); // true, before-format::validate.permission validates before format.permission changed it
+```

package/index.d.ts ADDED Viewed

@@ -0,0 +1,54 @@
+import { hooks, providerFactory } from '@strapi/utils';
+interface Permission {
+  action: string;
+  subject?: string | object | null;
+  properties?: object;
+  conditions?: string[];
+}
+type Provider = ReturnType<typeof providerFactory>;
+interface BaseAction {
+  actionId: string;
+}
+interface BaseCondition {
+  name: string;
+  handler(...params: unknown[]): boolean | object;
+}
+interface ActionProvider<T extends Action = Action> extends Provider {}
+interface ConditionProvider<T extends Condition = Condition> extends Provider {}
+interface PermissionEngineHooks {
+  'before-format::validate.permission': ReturnType<typeof hooks.createAsyncBailHook>;
+  'format.permission': ReturnType<typeof hooks.createAsyncSeriesWaterfallHook>;
+  'after-format::validate.permission': ReturnType<typeof hooks.createAsyncBailHook>;
+  'before-evaluate.permission': ReturnType<typeof hooks.createAsyncSeriesHook>;
+  'before-register.permission': ReturnType<typeof hooks.createAsyncSeriesHook>;
+}
+type PermissionEngineHookName = keyof PermissionEngineHooks;
+interface PermissionEngine {
+  hooks: object;
+  on(hook: PermissionEngineHookName, handler: Function): PermissionEngine;
+  generateAbility(permissions: Permission[], options?: object): Ability;
+  createRegisterFunction(can: Function, options: object): Function;
+}
+interface BaseAbility {
+  can: Function;
+}
+interface AbilityBuilder {
+  can(permission: Permission): void | Promise<void>;
+  build(): BaseAbility | Promise<BaseAbility>;
+}
+interface PermissionEngineParams {
+  providers: { action: ActionProvider; condition: ConditionProvider };
+  abilityBuilderFactory(): AbilityBuilder;
+}

package/lib/domain/index.js ADDED Viewed

@@ -0,0 +1,7 @@
+'use strict';
+const permission = require('./permission');
+module.exports = {
+  permission,
+};

package/lib/domain/permission/index.js ADDED Viewed

@@ -0,0 +1,68 @@
+'use strict';
+const _ = require('lodash/fp');
+const PERMISSION_FIELDS = ['action', 'subject', 'properties', 'conditions'];
+const sanitizePermissionFields = _.pick(PERMISSION_FIELDS);
+/**
+ * @typedef {import("../../..").Permission} Permission
+ */
+/**
+ * Creates a permission with default values for optional properties
+ *
+ * @return {Pick<Permission, 'conditions' | 'properties' | 'subject'>}
+ */
+const getDefaultPermission = () => ({
+  conditions: [],
+  properties: {},
+  subject: null,
+});
+/**
+ * Create a new permission based on given attributes
+ *
+ * @param {object} attributes
+ *
+ * @return {Permission}
+ */
+const create = _.pipe(_.pick(PERMISSION_FIELDS), _.merge(getDefaultPermission()));
+/**
+ * Add a condition to a permission
+ *
+ * @param {string} condition The condition to add
+ * @param {Permission} permission The permission on which we want to add the condition
+ *
+ * @return {Permission}
+ */
+const addCondition = _.curry((condition, permission) => {
+  const { conditions } = permission;
+  const newConditions = Array.isArray(conditions)
+    ? _.uniq(conditions.concat(condition))
+    : [condition];
+  return _.set('conditions', newConditions, permission);
+});
+/**
+ * Gets a property or a part of a property from a permission.
+ *
+ * @function
+ *
+ * @param {string} property - The property to get
+ * @param {Permission} permission - The permission on which we want to access the property
+ *
+ * @return {Permission}
+ */
+const getProperty = _.curry((property, permission) => _.get(`properties.${property}`, permission));
+module.exports = {
+  create,
+  sanitizePermissionFields,
+  addCondition,
+  getProperty,
+};

package/lib/engine/abilities/casl-ability.js ADDED Viewed

@@ -0,0 +1,57 @@
+'use strict';
+const sift = require('sift');
+const { AbilityBuilder, Ability } = require('@casl/ability');
+const { pick, isNil, isObject } = require('lodash/fp');
+const allowedOperations = [
+  '$or',
+  '$and',
+  '$eq',
+  '$ne',
+  '$in',
+  '$nin',
+  '$lt',
+  '$lte',
+  '$gt',
+  '$gte',
+  '$exists',
+  '$elemMatch',
+];
+const operations = pick(allowedOperations, sift);
+const conditionsMatcher = (conditions) => {
+  return sift.createQueryTester(conditions, { operations });
+};
+/**
+ * Casl Ability Builder.
+ */
+const caslAbilityBuilder = () => {
+  const { can, build, ...rest } = new AbilityBuilder(Ability);
+  return {
+    can(permission) {
+      const { action, subject, properties = {}, condition } = permission;
+      const { fields } = properties;
+      return can(
+        action,
+        isNil(subject) ? 'all' : subject,
+        fields,
+        isObject(condition) ? condition : undefined
+      );
+    },
+    build() {
+      return build({ conditionsMatcher });
+    },
+    ...rest,
+  };
+};
+module.exports = {
+  caslAbilityBuilder,
+};

package/lib/engine/abilities/index.js ADDED Viewed

@@ -0,0 +1,7 @@
+'use strict';
+const { caslAbilityBuilder } = require('./casl-ability');
+module.exports = {
+  caslAbilityBuilder,
+};

package/lib/engine/hooks.js ADDED Viewed

@@ -0,0 +1,97 @@
+'use strict';
+const { cloneDeep, has } = require('lodash/fp');
+const { hooks } = require('@strapi/utils');
+const domain = require('../domain');
+/**
+ * Create a hook map used by the permission Engine
+ *
+ * @return {import('../..').PermissionEngineHooks}
+ */
+const createEngineHooks = () => ({
+  'before-format::validate.permission': hooks.createAsyncBailHook(),
+  'format.permission': hooks.createAsyncSeriesWaterfallHook(),
+  'after-format::validate.permission': hooks.createAsyncBailHook(),
+  'before-evaluate.permission': hooks.createAsyncSeriesHook(),
+  'before-register.permission': hooks.createAsyncSeriesHook(),
+});
+/**
+ * Create a context from a domain {@link Permission} used by the validate hooks
+ * @param {Permission} permission
+ * @return {{ readonly permission: Permission }}
+ */
+const createValidateContext = (permission) => ({
+  get permission() {
+    return cloneDeep(permission);
+  },
+});
+/**
+ * Create a context from a domain {@link Permission} used by the before valuate hook
+ * @param {Permission} permission
+ * @return {{readonly permission: Permission, addCondition(string): this}}
+ */
+const createBeforeEvaluateContext = (permission) => ({
+  get permission() {
+    return cloneDeep(permission);
+  },
+  addCondition(condition) {
+    Object.assign(permission, domain.permission.addCondition(condition, permission));
+    return this;
+  },
+});
+/**
+ * Create a context from a casl Permission & some options
+ * @param caslPermission
+ * @param {object} options
+ * @param {Permission} options.permission
+ * @param {object} options.user
+ */
+const createWillRegisterContext = ({ permission, options }) => ({
+  ...options,
+  get permission() {
+    return cloneDeep(permission);
+  },
+  condition: {
+    and(rawConditionObject) {
+      if (!permission.condition) {
+        Object.assign(permission, { condition: { $and: [] } });
+      }
+      permission.condition.$and.push(rawConditionObject);
+      return this;
+    },
+    or(rawConditionObject) {
+      if (!permission.condition) {
+        Object.assign(permission, { condition: { $and: [] } });
+      }
+      const orClause = permission.condition.$and.find(has('$or'));
+      if (orClause) {
+        orClause.$or.push(rawConditionObject);
+      } else {
+        permission.condition.$and.push({ $or: [rawConditionObject] });
+      }
+      return this;
+    },
+  },
+});
+module.exports = {
+  createEngineHooks,
+  createValidateContext,
+  createBeforeEvaluateContext,
+  createWillRegisterContext,
+};

package/lib/engine/index.js ADDED Viewed

@@ -0,0 +1,209 @@
+'use strict';
+const _ = require('lodash/fp');
+const abilities = require('./abilities');
+const {
+  createEngineHooks,
+  createWillRegisterContext,
+  createBeforeEvaluateContext,
+  createValidateContext,
+} = require('./hooks');
+/**
+ * @typedef {import("../..").PermissionEngine} PermissionEngine
+ * @typedef {import("../..").ActionProvider} ActionProvider
+ * @typedef {import("../..").ConditionProvider} ConditionProvider
+ * @typedef {import("../..").PermissionEngineParams} PermissionEngineParams
+ * @typedef {import("../..").Permission} Permission
+ */
+/**
+ * Create a default state object for the engine
+ */
+const createEngineState = () => {
+  const hooks = createEngineHooks();
+  return { hooks };
+};
+module.exports = {
+  abilities,
+  /**
+   * Create a new instance of a permission engine
+   *
+   * @param {PermissionEngineParams} params
+   *
+   * @return {PermissionEngine}
+   */
+  new(params) {
+    const { providers, abilityBuilderFactory = abilities.caslAbilityBuilder } = params;
+    const state = createEngineState();
+    const runValidationHook = async (hook, context) => state.hooks[hook].call(context);
+    /**
+     * Evaluate a permission using local and registered behaviors (using hooks).
+     * Validate, format (add condition, etc...), evaluate (evaluate conditions) and register a permission
+     *
+     * @param {object} params
+     * @param {object} params.options
+     * @param {Function} params.register
+     * @param {Permission} params.permission
+     */
+    const evaluate = async (params) => {
+      const { options, register } = params;
+      const preFormatValidation = await runValidationHook(
+        'before-format::validate.permission',
+        createBeforeEvaluateContext(params.permission)
+      );
+      if (preFormatValidation === false) {
+        return;
+      }
+      const permission = await state.hooks['format.permission'].call(params.permission);
+      const afterFormatValidation = await runValidationHook(
+        'after-format::validate.permission',
+        createValidateContext(permission)
+      );
+      if (afterFormatValidation === false) {
+        return;
+      }
+      await state.hooks['before-evaluate.permission'].call(createBeforeEvaluateContext(permission));
+      const { action, subject, properties, conditions = [] } = permission;
+      if (conditions.length === 0) {
+        return register({ action, subject, properties });
+      }
+      const resolveConditions = _.map(providers.condition.get);
+      const removeInvalidConditions = _.filter((condition) => _.isFunction(condition.handler));
+      const evaluateConditions = (conditions) => {
+        return Promise.all(
+          conditions.map(async (condition) => ({
+            condition,
+            result: await condition.handler(
+              _.merge(options, { permission: _.cloneDeep(permission) })
+            ),
+          }))
+        );
+      };
+      const removeInvalidResults = _.filter(
+        ({ result }) => _.isBoolean(result) || _.isObject(result)
+      );
+      const evaluatedConditions = await Promise.resolve(conditions)
+        .then(resolveConditions)
+        .then(removeInvalidConditions)
+        .then(evaluateConditions)
+        .then(removeInvalidResults);
+      const resultPropEq = _.propEq('result');
+      const pickResults = _.map(_.prop('result'));
+      if (evaluatedConditions.every(resultPropEq(false))) {
+        return;
+      }
+      if (_.isEmpty(evaluatedConditions) || evaluatedConditions.some(resultPropEq(true))) {
+        return register({ action, subject, properties });
+      }
+      const results = pickResults(evaluatedConditions).filter(_.isObject);
+      if (_.isEmpty(results)) {
+        return register({ action, subject, properties });
+      }
+      return register({
+        action,
+        subject,
+        properties,
+        condition: { $and: [{ $or: results }] },
+      });
+    };
+    return {
+      get hooks() {
+        return state.hooks;
+      },
+      /**
+       * Create a register function that wraps a `can` function
+       * used to register a permission in the ability builder
+       *
+       * @param {Function} can
+       * @param {object} options
+       *
+       * @return {Function}
+       */
+      createRegisterFunction(can, options) {
+        return async (permission) => {
+          const hookContext = createWillRegisterContext({ options, permission });
+          await state.hooks['before-register.permission'].call(hookContext);
+          return can(permission);
+        };
+      },
+      /**
+       * Register a new handler for a given hook
+       *
+       * @param {string} hook
+       * @param {Function} handler
+       *
+       * @return {this}
+       */
+      on(hook, handler) {
+        const validHooks = Object.keys(state.hooks);
+        const isValidHook = validHooks.includes(hook);
+        if (!isValidHook) {
+          throw new Error(
+            `Invalid hook supplied when trying to register an handler to the permission engine. Got "${hook}" but expected one of ${validHooks.join(
+              ', '
+            )}`
+          );
+        }
+        state.hooks[hook].register(handler);
+        return this;
+      },
+      /**
+       * Generate an ability based on the instance's
+       * ability builder and the given permissions
+       *
+       * @param {Permission[]} permissions
+       * @param {object} [options]
+       *
+       * @return {object}
+       */
+      async generateAbility(permissions, options = {}) {
+        const { can, build } = abilityBuilderFactory();
+        for (const permission of permissions) {
+          const register = this.createRegisterFunction(can, options);
+          await evaluate({ permission, options, register });
+        }
+        return build();
+      },
+    };
+  },
+};

package/lib/index.js ADDED Viewed

@@ -0,0 +1,9 @@
+'use strict';
+const domain = require('./domain');
+const engine = require('./engine');
+module.exports = {
+  domain,
+  engine,
+};

package/package.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "name": "@strapi/permissions",
+  "version": "0.0.0",
+  "description": "Strapi's permission layer.",
+  "repository": {
+    "type": "git",
+    "url": "git://github.com/strapi/strapi.git"
+  },
+  "license": "SEE LICENSE IN LICENSE",
+  "author": {
+    "name": "Strapi Solutions SAS",
+    "email": "hi@strapi.io",
+    "url": "https://strapi.io"
+  },
+  "maintainers": [
+    {
+      "name": "Strapi Solutions SAS",
+      "email": "hi@strapi.io",
+      "url": "https://strapi.io"
+    }
+  ],
+  "main": "./lib/index.js",
+  "scripts": {
+    "test:unit": "jest --verbose"
+  },
+  "dependencies": {
+    "@strapi/utils": "4.3.8",
+    "lodash": "4.17.21",
+    "@casl/ability": "5.4.4",
+    "sift": "16.0.0"
+  },
+  "engines": {
+    "node": ">=14.19.1 <=18.x.x",
+    "npm": ">=6.0.0"
+  }
+}