npm - @strapi/plugin-users-permissions - Versions diffs - 0.0.0-4fc90398602f - Mend

@strapi/plugin-users-permissions 0.0.0-4fc90398602f

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (168) hide show

package/LICENSE +22 -0
package/README.md +1 -0
package/admin/src/components/BoundRoute/getMethodColor.js +41 -0
package/admin/src/components/BoundRoute/index.js +72 -0
package/admin/src/components/FormModal/Input/index.js +121 -0
package/admin/src/components/FormModal/index.js +121 -0
package/admin/src/components/Permissions/PermissionRow/CheckboxWrapper.js +30 -0
package/admin/src/components/Permissions/PermissionRow/SubCategory.js +114 -0
package/admin/src/components/Permissions/PermissionRow/index.js +53 -0
package/admin/src/components/Permissions/index.js +56 -0
package/admin/src/components/Permissions/init.js +9 -0
package/admin/src/components/Permissions/reducer.js +27 -0
package/admin/src/components/Policies/index.js +60 -0
package/admin/src/components/UsersPermissions/index.js +94 -0
package/admin/src/components/UsersPermissions/init.js +10 -0
package/admin/src/components/UsersPermissions/reducer.js +60 -0
package/admin/src/contexts/UsersPermissionsContext/index.js +17 -0
package/admin/src/hooks/index.js +5 -0
package/admin/src/hooks/useFetchRole/index.js +64 -0
package/admin/src/hooks/useFetchRole/reducer.js +31 -0
package/admin/src/hooks/useForm/index.js +70 -0
package/admin/src/hooks/useForm/reducer.js +40 -0
package/admin/src/hooks/usePlugins/index.js +65 -0
package/admin/src/hooks/usePlugins/init.js +5 -0
package/admin/src/hooks/usePlugins/reducer.js +34 -0
package/admin/src/hooks/useRolesList/index.js +63 -0
package/admin/src/hooks/useRolesList/init.js +5 -0
package/admin/src/hooks/useRolesList/reducer.js +31 -0
package/admin/src/index.js +123 -0
package/admin/src/pages/AdvancedSettings/index.js +238 -0
package/admin/src/pages/AdvancedSettings/utils/api.js +13 -0
package/admin/src/pages/AdvancedSettings/utils/layout.js +96 -0
package/admin/src/pages/AdvancedSettings/utils/schema.js +19 -0
package/admin/src/pages/EmailTemplates/components/EmailForm.js +173 -0
package/admin/src/pages/EmailTemplates/components/EmailTable.js +121 -0
package/admin/src/pages/EmailTemplates/index.js +162 -0
package/admin/src/pages/EmailTemplates/utils/api.js +13 -0
package/admin/src/pages/EmailTemplates/utils/schema.js +22 -0
package/admin/src/pages/Providers/index.js +274 -0
package/admin/src/pages/Providers/reducer.js +54 -0
package/admin/src/pages/Providers/utils/api.js +21 -0
package/admin/src/pages/Providers/utils/createProvidersArray.js +21 -0
package/admin/src/pages/Providers/utils/forms.js +244 -0
package/admin/src/pages/Roles/CreatePage/index.js +177 -0
package/admin/src/pages/Roles/CreatePage/utils/schema.js +9 -0
package/admin/src/pages/Roles/EditPage/index.js +190 -0
package/admin/src/pages/Roles/EditPage/utils/schema.js +9 -0
package/admin/src/pages/Roles/ListPage/components/TableBody.js +96 -0
package/admin/src/pages/Roles/ListPage/index.js +216 -0
package/admin/src/pages/Roles/ListPage/utils/api.js +28 -0
package/admin/src/pages/Roles/ProtectedCreatePage/index.js +12 -0
package/admin/src/pages/Roles/ProtectedEditPage/index.js +12 -0
package/admin/src/pages/Roles/ProtectedListPage/index.js +15 -0
package/admin/src/pages/Roles/index.js +27 -0
package/admin/src/permissions.js +31 -0
package/admin/src/pluginId.js +5 -0
package/admin/src/translations/ar.json +40 -0
package/admin/src/translations/cs.json +46 -0
package/admin/src/translations/de.json +58 -0
package/admin/src/translations/dk.json +83 -0
package/admin/src/translations/en.json +83 -0
package/admin/src/translations/es.json +83 -0
package/admin/src/translations/fr.json +46 -0
package/admin/src/translations/id.json +58 -0
package/admin/src/translations/it.json +58 -0
package/admin/src/translations/ja.json +44 -0
package/admin/src/translations/ko.json +83 -0
package/admin/src/translations/ms.json +45 -0
package/admin/src/translations/nl.json +44 -0
package/admin/src/translations/pl.json +83 -0
package/admin/src/translations/pt-BR.json +40 -0
package/admin/src/translations/pt.json +44 -0
package/admin/src/translations/ru.json +58 -0
package/admin/src/translations/sk.json +46 -0
package/admin/src/translations/sv.json +58 -0
package/admin/src/translations/th.json +56 -0
package/admin/src/translations/tr.json +44 -0
package/admin/src/translations/uk.json +45 -0
package/admin/src/translations/vi.json +46 -0
package/admin/src/translations/zh-Hans.json +62 -0
package/admin/src/translations/zh.json +44 -0
package/admin/src/utils/axiosInstance.js +36 -0
package/admin/src/utils/cleanPermissions.js +25 -0
package/admin/src/utils/formatPluginName.js +26 -0
package/admin/src/utils/formatPolicies.js +8 -0
package/admin/src/utils/getRequestURL.js +5 -0
package/admin/src/utils/getTrad.js +5 -0
package/admin/src/utils/index.js +5 -0
package/documentation/content-api.yaml +848 -0
package/jest.config.front.js +10 -0
package/package.json +60 -0
package/server/bootstrap/grant-config.js +123 -0
package/server/bootstrap/index.js +133 -0
package/server/bootstrap/users-permissions-actions.js +80 -0
package/server/config.js +23 -0
package/server/content-types/index.js +11 -0
package/server/content-types/permission/index.js +34 -0
package/server/content-types/role/index.js +51 -0
package/server/content-types/user/index.js +72 -0
package/server/content-types/user/schema-config.js +15 -0
package/server/controllers/auth.js +398 -0
package/server/controllers/content-manager-user.js +175 -0
package/server/controllers/index.js +17 -0
package/server/controllers/permissions.js +26 -0
package/server/controllers/role.js +77 -0
package/server/controllers/settings.js +85 -0
package/server/controllers/user.js +198 -0
package/server/controllers/validation/auth.js +57 -0
package/server/controllers/validation/email-template.js +50 -0
package/server/controllers/validation/user.js +26 -0
package/server/graphql/index.js +44 -0
package/server/graphql/mutations/auth/change-password.js +38 -0
package/server/graphql/mutations/auth/email-confirmation.js +39 -0
package/server/graphql/mutations/auth/forgot-password.js +35 -0
package/server/graphql/mutations/auth/login.js +35 -0
package/server/graphql/mutations/auth/register.js +36 -0
package/server/graphql/mutations/auth/reset-password.js +38 -0
package/server/graphql/mutations/crud/role/create-role.js +34 -0
package/server/graphql/mutations/crud/role/delete-role.js +25 -0
package/server/graphql/mutations/crud/role/update-role.js +35 -0
package/server/graphql/mutations/crud/user/create-user.js +45 -0
package/server/graphql/mutations/crud/user/delete-user.js +39 -0
package/server/graphql/mutations/crud/user/update-user.js +46 -0
package/server/graphql/mutations/index.js +43 -0
package/server/graphql/queries/index.js +13 -0
package/server/graphql/queries/me.js +17 -0
package/server/graphql/resolvers-configs.js +42 -0
package/server/graphql/types/create-role-payload.js +11 -0
package/server/graphql/types/delete-role-payload.js +11 -0
package/server/graphql/types/index.js +21 -0
package/server/graphql/types/login-input.js +13 -0
package/server/graphql/types/login-payload.js +12 -0
package/server/graphql/types/me-role.js +14 -0
package/server/graphql/types/me.js +16 -0
package/server/graphql/types/password-payload.js +11 -0
package/server/graphql/types/register-input.js +13 -0
package/server/graphql/types/update-role-payload.js +11 -0
package/server/graphql/utils.js +27 -0
package/server/index.js +21 -0
package/server/middlewares/index.js +7 -0
package/server/middlewares/rateLimit.js +27 -0
package/server/register.js +23 -0
package/server/routes/admin/index.js +10 -0
package/server/routes/admin/permissions.js +20 -0
package/server/routes/admin/role.js +79 -0
package/server/routes/admin/settings.js +95 -0
package/server/routes/content-api/auth.js +82 -0
package/server/routes/content-api/index.js +11 -0
package/server/routes/content-api/permissions.js +9 -0
package/server/routes/content-api/role.js +29 -0
package/server/routes/content-api/user.js +60 -0
package/server/routes/index.js +6 -0
package/server/services/index.js +17 -0
package/server/services/jwt.js +55 -0
package/server/services/providers-registry.js +292 -0
package/server/services/providers.js +115 -0
package/server/services/role.js +177 -0
package/server/services/user.js +140 -0
package/server/services/users-permissions.js +236 -0
package/server/strategies/users-permissions.js +102 -0
package/server/utils/index.d.ts +16 -0
package/server/utils/index.js +12 -0
package/server/utils/sanitize/index.js +9 -0
package/server/utils/sanitize/sanitizers.js +19 -0
package/server/utils/sanitize/visitors/index.js +5 -0
package/server/utils/sanitize/visitors/remove-user-relation-from-role-entities.js +11 -0
package/strapi-admin.js +3 -0
package/strapi-server.js +3 -0

package/server/controllers/auth.js ADDED Viewed

@@ -0,0 +1,398 @@
+'use strict';
+/**
+ * Auth.js controller
+ *
+ * @description: A set of functions called "actions" for managing `Auth`.
+ */
+/* eslint-disable no-useless-escape */
+const crypto = require('crypto');
+const _ = require('lodash');
+const utils = require('@strapi/utils');
+const { getService } = require('../utils');
+const {
+  validateCallbackBody,
+  validateRegisterBody,
+  validateSendEmailConfirmationBody,
+  validateForgotPasswordBody,
+  validateResetPasswordBody,
+  validateEmailConfirmationBody,
+  validateChangePasswordBody,
+} = require('./validation/auth');
+const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
+const { ApplicationError, ValidationError } = utils.errors;
+const sanitizeUser = (user, ctx) => {
+  const { auth } = ctx.state;
+  const userSchema = strapi.getModel('plugin::users-permissions.user');
+  return sanitize.contentAPI.output(user, userSchema, { auth });
+};
+module.exports = {
+  async callback(ctx) {
+    const provider = ctx.params.provider || 'local';
+    const params = ctx.request.body;
+    const store = strapi.store({ type: 'plugin', name: 'users-permissions' });
+    const grantSettings = await store.get({ key: 'grant' });
+    const grantProvider = provider === 'local' ? 'email' : provider;
+    if (!_.get(grantSettings, [grantProvider, 'enabled'])) {
+      throw new ApplicationError('This provider is disabled');
+    }
+    if (provider === 'local') {
+      await validateCallbackBody(params);
+      const { identifier } = params;
+      // Check if the user exists.
+      const user = await strapi.query('plugin::users-permissions.user').findOne({
+        where: {
+          provider,
+          $or: [{ email: identifier.toLowerCase() }, { username: identifier }],
+        },
+      });
+      if (!user) {
+        throw new ValidationError('Invalid identifier or password');
+      }
+      if (!user.password) {
+        throw new ValidationError('Invalid identifier or password');
+      }
+      const validPassword = await getService('user').validatePassword(
+        params.password,
+        user.password
+      );
+      if (!validPassword) {
+        throw new ValidationError('Invalid identifier or password');
+      }
+      const advancedSettings = await store.get({ key: 'advanced' });
+      const requiresConfirmation = _.get(advancedSettings, 'email_confirmation');
+      if (requiresConfirmation && user.confirmed !== true) {
+        throw new ApplicationError('Your account email is not confirmed');
+      }
+      if (user.blocked === true) {
+        throw new ApplicationError('Your account has been blocked by an administrator');
+      }
+      return ctx.send({
+        jwt: getService('jwt').issue({ id: user.id }),
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+  },
+  async changePassword(ctx) {
+    if (!ctx.state.user) {
+      throw new ApplicationError('You must be authenticated to reset your password');
+    }
+    const { currentPassword, password } = await validateChangePasswordBody(ctx.request.body);
+    const user = await strapi.entityService.findOne(
+      'plugin::users-permissions.user',
+      ctx.state.user.id
+    );
+    const validPassword = await getService('user').validatePassword(currentPassword, user.password);
+    if (!validPassword) {
+      throw new ValidationError('The provided current password is invalid');
+    }
+    if (currentPassword === password) {
+      throw new ValidationError('Your new password must be different than your current password');
+    }
+    await getService('user').edit(user.id, { password });
+    ctx.send({
+      jwt: getService('jwt').issue({ id: user.id }),
+      user: await sanitizeUser(user, ctx),
+    });
+  },
+  async resetPassword(ctx) {
+    const { password, passwordConfirmation, code } = await validateResetPasswordBody(
+      ctx.request.body
+    );
+    if (password !== passwordConfirmation) {
+      throw new ValidationError('Passwords do not match');
+    }
+    const user = await strapi
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { resetPasswordToken: code } });
+    if (!user) {
+      throw new ValidationError('Incorrect code provided');
+    }
+    await getService('user').edit(user.id, {
+      resetPasswordToken: null,
+      password,
+    });
+    // Update the user.
+    ctx.send({
+      jwt: getService('jwt').issue({ id: user.id }),
+      user: await sanitizeUser(user, ctx),
+    });
+  },
+  async connect(ctx, next) {
+    const grant = require('grant-koa');
+    const providers = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
+      .get();
+    const apiPrefix = strapi.config.get('api.rest.prefix');
+    const grantConfig = {
+      defaults: {
+        prefix: `${apiPrefix}/connect`,
+      },
+      ...providers,
+    };
+    const [requestPath] = ctx.request.url.split('?');
+    const provider = requestPath.split('/connect/')[1].split('/')[0];
+    if (!_.get(grantConfig[provider], 'enabled')) {
+      throw new ApplicationError('This provider is disabled');
+    }
+    if (!strapi.config.server.url.startsWith('http')) {
+      strapi.log.warn(
+        'You are using a third party provider for login. Make sure to set an absolute url in config/server.js. More info here: https://docs.strapi.io/developer-docs/latest/plugins/users-permissions.html#setting-up-the-server-url'
+      );
+    }
+    // Ability to pass OAuth callback dynamically
+    grantConfig[provider].callback =
+      _.get(ctx, 'query.callback') ||
+      _.get(ctx, 'session.grant.dynamic.callback') ||
+      grantConfig[provider].callback;
+    grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);
+    return grant(grantConfig)(ctx, next);
+  },
+  async forgotPassword(ctx) {
+    const { email } = await validateForgotPasswordBody(ctx.request.body);
+    const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });
+    const emailSettings = await pluginStore.get({ key: 'email' });
+    const advancedSettings = await pluginStore.get({ key: 'advanced' });
+    // Find the user by email.
+    const user = await strapi
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { email: email.toLowerCase() } });
+    if (!user || user.blocked) {
+      return ctx.send({ ok: true });
+    }
+    // Generate random token.
+    const userInfo = await sanitizeUser(user, ctx);
+    const resetPasswordToken = crypto.randomBytes(64).toString('hex');
+    const resetPasswordSettings = _.get(emailSettings, 'reset_password.options', {});
+    const emailBody = await getService('users-permissions').template(
+      resetPasswordSettings.message,
+      {
+        URL: advancedSettings.email_reset_password,
+        SERVER_URL: getAbsoluteServerUrl(strapi.config),
+        ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
+        USER: userInfo,
+        TOKEN: resetPasswordToken,
+      }
+    );
+    const emailObject = await getService('users-permissions').template(
+      resetPasswordSettings.object,
+      {
+        USER: userInfo,
+      }
+    );
+    const emailToSend = {
+      to: user.email,
+      from:
+        resetPasswordSettings.from.email || resetPasswordSettings.from.name
+          ? `${resetPasswordSettings.from.name} <${resetPasswordSettings.from.email}>`
+          : undefined,
+      replyTo: resetPasswordSettings.response_email,
+      subject: emailObject,
+      text: emailBody,
+      html: emailBody,
+    };
+    // NOTE: Update the user before sending the email so an Admin can generate the link if the email fails
+    await getService('user').edit(user.id, { resetPasswordToken });
+    // Send an email to the user.
+    await strapi.plugin('email').service('email').send(emailToSend);
+    ctx.send({ ok: true });
+  },
+  async register(ctx) {
+    const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });
+    const settings = await pluginStore.get({ key: 'advanced' });
+    if (!settings.allow_register) {
+      throw new ApplicationError('Register action is currently disabled');
+    }
+    const params = {
+      ..._.omit(ctx.request.body, [
+        'confirmed',
+        'blocked',
+        'confirmationToken',
+        'resetPasswordToken',
+        'provider',
+      ]),
+      provider: 'local',
+    };
+    await validateRegisterBody(params);
+    const role = await strapi
+      .query('plugin::users-permissions.role')
+      .findOne({ where: { type: settings.default_role } });
+    if (!role) {
+      throw new ApplicationError('Impossible to find the default role');
+    }
+    const { email, username, provider } = params;
+    const identifierFilter = {
+      $or: [
+        { email: email.toLowerCase() },
+        { username: email.toLowerCase() },
+        { username },
+        { email: username },
+      ],
+    };
+    const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+      where: { ...identifierFilter, provider },
+    });
+    if (conflictingUserCount > 0) {
+      throw new ApplicationError('Email or Username are already taken');
+    }
+    if (settings.unique_email) {
+      const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+        where: { ...identifierFilter },
+      });
+      if (conflictingUserCount > 0) {
+        throw new ApplicationError('Email or Username are already taken');
+      }
+    }
+    const newUser = {
+      ...params,
+      role: role.id,
+      email: email.toLowerCase(),
+      username,
+      confirmed: !settings.email_confirmation,
+    };
+    const user = await getService('user').add(newUser);
+    const sanitizedUser = await sanitizeUser(user, ctx);
+    if (settings.email_confirmation) {
+      try {
+        await getService('user').sendConfirmationEmail(sanitizedUser);
+      } catch (err) {
+        throw new ApplicationError(err.message);
+      }
+      return ctx.send({ user: sanitizedUser });
+    }
+    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    return ctx.send({
+      jwt,
+      user: sanitizedUser,
+    });
+  },
+  async emailConfirmation(ctx, next, returnUser) {
+    const { confirmation: confirmationToken } = await validateEmailConfirmationBody(ctx.query);
+    const userService = getService('user');
+    const jwtService = getService('jwt');
+    const [user] = await userService.fetchAll({ filters: { confirmationToken } });
+    if (!user) {
+      throw new ValidationError('Invalid token');
+    }
+    await userService.edit(user.id, { confirmed: true, confirmationToken: null });
+    if (returnUser) {
+      ctx.send({
+        jwt: jwtService.issue({ id: user.id }),
+        user: await sanitizeUser(user, ctx),
+      });
+    } else {
+      const settings = await strapi
+        .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+        .get();
+      ctx.redirect(settings.email_confirmation_redirection || '/');
+    }
+  },
+  async sendEmailConfirmation(ctx) {
+    const { email } = await validateSendEmailConfirmationBody(ctx.request.body);
+    const user = await strapi.query('plugin::users-permissions.user').findOne({
+      where: { email: email.toLowerCase() },
+    });
+    if (!user) {
+      return ctx.send({ email, sent: true });
+    }
+    if (user.confirmed) {
+      throw new ApplicationError('Already confirmed');
+    }
+    if (user.blocked) {
+      throw new ApplicationError('User blocked');
+    }
+    await getService('user').sendConfirmationEmail(user);
+    ctx.send({
+      email: user.email,
+      sent: true,
+    });
+  },
+};

package/server/controllers/content-manager-user.js ADDED Viewed

@@ -0,0 +1,175 @@
+'use strict';
+const _ = require('lodash');
+const { contentTypes: contentTypesUtils } = require('@strapi/utils');
+const { ApplicationError, ValidationError, NotFoundError, ForbiddenError } =
+  require('@strapi/utils').errors;
+const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
+const { UPDATED_BY_ATTRIBUTE, CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;
+const userModel = 'plugin::users-permissions.user';
+const ACTIONS = {
+  read: 'plugin::content-manager.explorer.read',
+  create: 'plugin::content-manager.explorer.create',
+  edit: 'plugin::content-manager.explorer.update',
+  delete: 'plugin::content-manager.explorer.delete',
+};
+const findEntityAndCheckPermissions = async (ability, action, model, id) => {
+  const entity = await strapi.query(userModel).findOne({
+    where: { id },
+    populate: [`${CREATED_BY_ATTRIBUTE}.roles`],
+  });
+  if (_.isNil(entity)) {
+    throw new NotFoundError();
+  }
+  const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });
+  if (pm.ability.cannot(pm.action, pm.toSubject(entity))) {
+    throw new ForbiddenError();
+  }
+  const entityWithoutCreatorRoles = _.omit(entity, `${CREATED_BY_ATTRIBUTE}.roles`);
+  return { pm, entity: entityWithoutCreatorRoles };
+};
+module.exports = {
+  /**
+   * Create a/an user record.
+   * @return {Object}
+   */
+  async create(ctx) {
+    const { body } = ctx.request;
+    const { user: admin, userAbility } = ctx.state;
+    const { email, username } = body;
+    const pm = strapi.admin.services.permission.createPermissionsManager({
+      ability: userAbility,
+      action: ACTIONS.create,
+      model: userModel,
+    });
+    if (!pm.isAllowed) {
+      return ctx.forbidden();
+    }
+    const sanitizedBody = await pm.pickPermittedFieldsOf(body, { subject: userModel });
+    const advanced = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+    await validateCreateUserBody(ctx.request.body);
+    const userWithSameUsername = await strapi
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { username } });
+    if (userWithSameUsername) {
+      throw new ApplicationError('Username already taken');
+    }
+    if (advanced.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: email.toLowerCase() } });
+      if (userWithSameEmail) {
+        throw new ApplicationError('Email already taken');
+      }
+    }
+    const user = {
+      ...sanitizedBody,
+      provider: 'local',
+      [CREATED_BY_ATTRIBUTE]: admin.id,
+      [UPDATED_BY_ATTRIBUTE]: admin.id,
+    };
+    user.email = _.toLower(user.email);
+    if (!user.role) {
+      const defaultRole = await strapi
+        .query('plugin::users-permissions.role')
+        .findOne({ where: { type: advanced.default_role } });
+      user.role = defaultRole.id;
+    }
+    try {
+      const data = await strapi
+        .service('plugin::content-manager.entity-manager')
+        .create(user, userModel);
+      const sanitizedData = await pm.sanitizeOutput(data, { action: ACTIONS.read });
+      ctx.created(sanitizedData);
+    } catch (error) {
+      throw new ApplicationError(error.message);
+    }
+  },
+  /**
+   * Update a/an user record.
+   * @return {Object}
+   */
+  async update(ctx) {
+    const { id } = ctx.params;
+    const { body } = ctx.request;
+    const { user: admin, userAbility } = ctx.state;
+    const advancedConfigs = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+    const { email, username, password } = body;
+    const { pm, entity } = await findEntityAndCheckPermissions(
+      userAbility,
+      ACTIONS.edit,
+      userModel,
+      id
+    );
+    const user = entity;
+    await validateUpdateUserBody(ctx.request.body);
+    if (_.has(body, 'password') && !password && user.provider === 'local') {
+      throw new ValidationError('password.notNull');
+    }
+    if (_.has(body, 'username')) {
+      const userWithSameUsername = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { username } });
+      if (userWithSameUsername && userWithSameUsername.id != id) {
+        throw new ApplicationError('Username already taken');
+      }
+    }
+    if (_.has(body, 'email') && advancedConfigs.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: _.toLower(email) } });
+      if (userWithSameEmail && userWithSameEmail.id != id) {
+        throw new ApplicationError('Email already taken');
+      }
+      body.email = _.toLower(body.email);
+    }
+    const sanitizedData = await pm.pickPermittedFieldsOf(body, { subject: pm.toSubject(user) });
+    const updateData = _.omit({ ...sanitizedData, updatedBy: admin.id }, 'createdBy');
+    const data = await strapi
+      .service('plugin::content-manager.entity-manager')
+      .update({ id }, updateData, userModel);
+    ctx.body = await pm.sanitizeOutput(data, { action: ACTIONS.read });
+  },
+};

package/server/controllers/index.js ADDED Viewed

@@ -0,0 +1,17 @@
+'use strict';
+const auth = require('./auth');
+const user = require('./user');
+const role = require('./role');
+const permissions = require('./permissions');
+const settings = require('./settings');
+const contentmanageruser = require('./content-manager-user');
+module.exports = {
+  auth,
+  user,
+  role,
+  permissions,
+  settings,
+  contentmanageruser,
+};

package/server/controllers/permissions.js ADDED Viewed

@@ -0,0 +1,26 @@
+'use strict';
+const _ = require('lodash');
+const { getService } = require('../utils');
+module.exports = {
+  async getPermissions(ctx) {
+    const permissions = await getService('users-permissions').getActions();
+    ctx.send({ permissions });
+  },
+  async getPolicies(ctx) {
+    const policies = _.keys(strapi.plugin('users-permissions').policies);
+    ctx.send({
+      policies: _.without(policies, 'permissions'),
+    });
+  },
+  async getRoutes(ctx) {
+    const routes = await getService('users-permissions').getRoutes();
+    ctx.send({ routes });
+  },
+};

package/server/controllers/role.js ADDED Viewed

@@ -0,0 +1,77 @@
+'use strict';
+const _ = require('lodash');
+const { ApplicationError, ValidationError } = require('@strapi/utils').errors;
+const { getService } = require('../utils');
+const { validateDeleteRoleBody } = require('./validation/user');
+module.exports = {
+  /**
+   * Default action.
+   *
+   * @return {Object}
+   */
+  async createRole(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+    await getService('role').createRole(ctx.request.body);
+    ctx.send({ ok: true });
+  },
+  async findOne(ctx) {
+    const { id } = ctx.params;
+    const role = await getService('role').findOne(id);
+    if (!role) {
+      return ctx.notFound();
+    }
+    ctx.send({ role });
+  },
+  async find(ctx) {
+    const roles = await getService('role').find();
+    ctx.send({ roles });
+  },
+  async updateRole(ctx) {
+    const roleID = ctx.params.role;
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+    await getService('role').updateRole(roleID, ctx.request.body);
+    ctx.send({ ok: true });
+  },
+  async deleteRole(ctx) {
+    const roleID = ctx.params.role;
+    if (!roleID) {
+      await validateDeleteRoleBody(ctx.params);
+    }
+    // Fetch public role.
+    const publicRole = await strapi
+      .query('plugin::users-permissions.role')
+      .findOne({ where: { type: 'public' } });
+    const publicRoleID = publicRole.id;
+    // Prevent from removing the public role.
+    if (roleID.toString() === publicRoleID.toString()) {
+      throw new ApplicationError('Cannot delete public role');
+    }
+    await getService('role').deleteRole(roleID, publicRoleID);
+    ctx.send({ ok: true });
+  },
+};