@strapi/plugin-users-permissions 0.0.0-next.d62456ea471e44d21b938f21f0e91a567cdc6483 → 0.0.0-next.d6c661f8ab4a198d3e4c6a387b9b8f267a100766

package/server/controllers/auth.js

@@ -11,9 +11,6 @@ const crypto = require('crypto');
 const _ = require('lodash');
 const { concat, compact, isArray } = require('lodash/fp');
 const utils = require('@strapi/utils');
-const {
-  contentTypes: { getNonWritableAttributes },
-} = require('@strapi/utils');
 const { getService } = require('../utils');
 const {
   validateCallbackBody,
@@ -25,17 +22,22 @@ const {
   validateChangePasswordBody,
 } = require('./validation/auth');
 
-const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
 const { ApplicationError, ValidationError, ForbiddenError } = utils.errors;
 
 const sanitizeUser = (user, ctx) => {
   const { auth } = ctx.state;
   const userSchema = strapi.getModel('plugin::users-permissions.user');
 
-  return sanitize.contentAPI.output(user, userSchema, { auth });
+  return strapi.contentAPI.sanitize.output(user, userSchema, { auth });
 };
 
-module.exports = {
+const extractDeviceId = (requestBody) => {
+  const { deviceId } = requestBody || {};
+
+  return typeof deviceId === 'string' && deviceId.length > 0 ? deviceId : undefined;
+};
+
+module.exports = ({ strapi }) => ({
   async callback(ctx) {
     const provider = ctx.params.provider || 'local';
     const params = ctx.request.body;
@@ -55,7 +57,7 @@ module.exports = {
       const { identifier } = params;
 
       // Check if the user exists.
-      const user = await strapi.query('plugin::users-permissions.user').findOne({
+      const user = await strapi.db.query('plugin::users-permissions.user').findOne({
         where: {
           provider,
           $or: [{ email: identifier.toLowerCase() }, { username: identifier }],
@@ -90,6 +92,45 @@ module.exports = {
         throw new ApplicationError('Your account has been blocked by an administrator');
       }
 
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const cookieOptions = {
+            httpOnly: true,
+            secure: Boolean(upSessions.cookie?.secure),
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
+
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -104,6 +145,43 @@ module.exports = {
         throw new ForbiddenError('Your account has been blocked by an administrator');
       }
 
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const cookieOptions = {
+            httpOnly: true,
+            secure: Boolean(upSessions.cookie?.secure),
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
+
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -118,13 +196,17 @@ module.exports = {
       throw new ApplicationError('You must be authenticated to reset your password');
     }
 
-    const { currentPassword, password } = await validateChangePasswordBody(ctx.request.body);
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
 
-    const user = await strapi.entityService.findOne(
-      'plugin::users-permissions.user',
-      ctx.state.user.id
+    const { currentPassword, password } = await validateChangePasswordBody(
+      ctx.request.body,
+      validations
     );
 
+    const user = await strapi.db
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { id: ctx.state.user.id } });
+
     const validPassword = await getService('user').validatePassword(currentPassword, user.password);
 
     if (!validPassword) {
@@ -137,22 +219,55 @@ module.exports = {
 
     await getService('user').edit(user.id, { password });
 
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+
+      if (deviceId) {
+        // Invalidate sessions: specific device if deviceId provided
+        await strapi
+          .sessionManager('users-permissions')
+          .invalidateRefreshToken(String(user.id), deviceId);
+      }
+
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
   },
 
   async resetPassword(ctx) {
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
+
     const { password, passwordConfirmation, code } = await validateResetPasswordBody(
-      ctx.request.body
+      ctx.request.body,
+      validations
     );
 
     if (password !== passwordConfirmation) {
       throw new ValidationError('Passwords do not match');
     }
 
-    const user = await strapi
+    const user = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { resetPasswordToken: code } });
 
@@ -165,15 +280,113 @@ module.exports = {
       password,
     });
 
-    // Update the user.
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+
+      if (deviceId) {
+        // Invalidate sessions: specific device if deviceId provided
+        await strapi
+          .sessionManager('users-permissions')
+          .invalidateRefreshToken(String(user.id), deviceId);
+      }
+
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
   },
+  async refresh(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+
+    const { refreshToken } = ctx.request.body || {};
+    if (!refreshToken || typeof refreshToken !== 'string') {
+      return ctx.badRequest('Missing refresh token');
+    }
 
+    const rotation = await strapi
+      .sessionManager('users-permissions')
+      .rotateRefreshToken(refreshToken);
+    if ('error' in rotation) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+
+    const result = await strapi
+      .sessionManager('users-permissions')
+      .generateAccessToken(rotation.token);
+    if ('error' in result) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+      const cookieOptions = {
+        httpOnly: true,
+        secure: Boolean(upSessions.cookie?.secure),
+        sameSite: upSessions.cookie?.sameSite ?? 'lax',
+        path: upSessions.cookie?.path ?? '/',
+        domain: upSessions.cookie?.domain,
+        overwrite: true,
+      };
+      ctx.cookies.set(cookieName, rotation.token, cookieOptions);
+      return ctx.send({ jwt: result.token });
+    }
+    return ctx.send({ jwt: result.token, refreshToken: rotation.token });
+  },
+  async logout(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+
+    // Invalidate all sessions for the authenticated user, or by deviceId if provided
+    if (!ctx.state.user) {
+      return ctx.unauthorized('Missing authentication');
+    }
+
+    const deviceId = extractDeviceId(ctx.request.body);
+    try {
+      await strapi
+        .sessionManager('users-permissions')
+        .invalidateRefreshToken(String(ctx.state.user.id), deviceId);
+    } catch (err) {
+      strapi.log.error('UP logout failed', err);
+    }
+
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+      ctx.cookies.set(cookieName, '', { expires: new Date(0) });
+    }
+    return ctx.send({ ok: true });
+  },
   async connect(ctx, next) {
-    const grant = require('grant-koa');
+    const grant = require('grant').koa();
 
     const providers = await strapi
       .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
@@ -201,10 +414,28 @@ module.exports = {
     }
 
     // Ability to pass OAuth callback dynamically
-    grantConfig[provider].callback =
-      _.get(ctx, 'query.callback') ||
-      _.get(ctx, 'session.grant.dynamic.callback') ||
-      grantConfig[provider].callback;
+    const queryCustomCallback = _.get(ctx, 'query.callback');
+    const dynamicSessionCallback = _.get(ctx, 'session.grant.dynamic.callback');
+
+    const customCallback = queryCustomCallback ?? dynamicSessionCallback;
+
+    // The custom callback is validated to make sure it's not redirecting to an unwanted actor.
+    if (customCallback !== undefined) {
+      try {
+        // We're extracting the callback validator from the plugin config since it can be user-customized
+        const { validate: validateCallback } = strapi
+          .plugin('users-permissions')
+          .config('callback');
+
+        await validateCallback(customCallback, grantConfig[provider]);
+
+        grantConfig[provider].callback = customCallback;
+      } catch (e) {
+        throw new ValidationError('Invalid callback URL provided', { callback: customCallback });
+      }
+    }
+
+    // Build a valid redirect URI for the current provider
     grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);
 
     return grant(grantConfig)(ctx, next);
@@ -219,7 +450,7 @@ module.exports = {
     const advancedSettings = await pluginStore.get({ key: 'advanced' });
 
     // Find the user by email.
-    const user = await strapi
+    const user = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { email: email.toLowerCase() } });
 
@@ -237,8 +468,8 @@ module.exports = {
       resetPasswordSettings.message,
       {
         URL: advancedSettings.email_reset_password,
-        SERVER_URL: getAbsoluteServerUrl(strapi.config),
-        ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
+        SERVER_URL: strapi.config.get('server.absoluteUrl'),
+        ADMIN_URL: strapi.config.get('admin.absoluteUrl'),
         USER: userInfo,
         TOKEN: resetPasswordToken,
       }
@@ -281,55 +512,32 @@ module.exports = {
       throw new ApplicationError('Register action is currently disabled');
     }
 
-    const { register } = strapi.config.get('plugin.users-permissions');
+    const { register } = strapi.config.get('plugin::users-permissions');
     const alwaysAllowedKeys = ['username', 'password', 'email'];
-    const userModel = strapi.contentTypes['plugin::users-permissions.user'];
-    const { attributes } = userModel;
-
-    const nonWritable = getNonWritableAttributes(userModel);
 
+    // Note that we intentionally do not filter allowedFields to allow a project to explicitly accept private or other Strapi field on registration
     const allowedKeys = compact(
-      concat(
-        alwaysAllowedKeys,
-        isArray(register?.allowedFields)
-          ? // Note that we do not filter allowedFields in case a user explicitly chooses to allow a private or otherwise omitted field on registration
-            register.allowedFields // if null or undefined, compact will remove it
-          : // to prevent breaking changes, if allowedFields is not set in config, we only remove private and known dangerous user schema fields
-            // TODO V5: allowedFields defaults to [] when undefined and remove this case
-            Object.keys(attributes).filter(
-              (key) =>
-                !nonWritable.includes(key) &&
-                !attributes[key].private &&
-                ![
-                  // many of these are included in nonWritable, but we'll list them again to be safe and since we're removing this code in v5 anyway
-                  // Strapi user schema fields
-                  'confirmed',
-                  'blocked',
-                  'confirmationToken',
-                  'resetPasswordToken',
-                  'provider',
-                  'id',
-                  'role',
-                  // other Strapi fields that might be added
-                  'createdAt',
-                  'updatedAt',
-                  'createdBy',
-                  'updatedBy',
-                  'publishedAt', // d&p
-                  'strapi_reviewWorkflows_stage', // review workflows
-                ].includes(key)
-            )
-      )
+      concat(alwaysAllowedKeys, isArray(register?.allowedFields) ? register.allowedFields : [])
     );
 
+    // Check if there are any keys in requestBody that are not in allowedKeys
+    const invalidKeys = Object.keys(ctx.request.body).filter((key) => !allowedKeys.includes(key));
+
+    if (invalidKeys.length > 0) {
+      // If there are invalid keys, throw an error
+      throw new ValidationError(`Invalid parameters: ${invalidKeys.join(', ')}`);
+    }
+
     const params = {
       ..._.pick(ctx.request.body, allowedKeys),
       provider: 'local',
     };
 
-    await validateRegisterBody(params);
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
 
-    const role = await strapi
+    await validateRegisterBody(params, validations);
+
+    const role = await strapi.db
       .query('plugin::users-permissions.role')
       .findOne({ where: { type: settings.default_role } });
 
@@ -348,7 +556,7 @@ module.exports = {
       ],
     };
 
-    const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+    const conflictingUserCount = await strapi.db.query('plugin::users-permissions.user').count({
       where: { ...identifierFilter, provider },
     });
 
@@ -357,7 +565,7 @@ module.exports = {
     }
 
     if (settings.unique_email) {
-      const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+      const conflictingUserCount = await strapi.db.query('plugin::users-permissions.user').count({
         where: { ...identifierFilter },
       });
 
@@ -382,18 +590,33 @@ module.exports = {
       try {
         await getService('user').sendConfirmationEmail(sanitizedUser);
       } catch (err) {
-        throw new ApplicationError(err.message);
+        strapi.log.error(err);
+        throw new ApplicationError('Error sending confirmation email');
       }
 
       return ctx.send({ user: sanitizedUser });
     }
 
-    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body) || crypto.randomUUID();
 
-    return ctx.send({
-      jwt,
-      user: sanitizedUser,
-    });
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+
+      return ctx.send({ jwt: access.token, refreshToken: refresh.token, user: sanitizedUser });
+    }
+
+    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    return ctx.send({ jwt, user: sanitizedUser });
   },
 
   async emailConfirmation(ctx, next, returnUser) {
@@ -427,7 +650,7 @@ module.exports = {
   async sendEmailConfirmation(ctx) {
     const { email } = await validateSendEmailConfirmationBody(ctx.request.body);
 
-    const user = await strapi.query('plugin::users-permissions.user').findOne({
+    const user = await strapi.db.query('plugin::users-permissions.user').findOne({
       where: { email: email.toLowerCase() },
     });
 
@@ -450,4 +673,4 @@ module.exports = {
       sent: true,
     });
   },
-};
+});

package/server/controllers/content-manager-user.js

@@ -2,8 +2,7 @@
 
 const _ = require('lodash');
 const { contentTypes: contentTypesUtils } = require('@strapi/utils');
-const { ApplicationError, ValidationError, NotFoundError, ForbiddenError } =
-  require('@strapi/utils').errors;
+const { ApplicationError, NotFoundError, ForbiddenError } = require('@strapi/utils').errors;
 const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
 const { UPDATED_BY_ATTRIBUTE, CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;
@@ -17,24 +16,25 @@ const ACTIONS = {
 };
 
 const findEntityAndCheckPermissions = async (ability, action, model, id) => {
-  const entity = await strapi.query(userModel).findOne({
-    where: { id },
+  const doc = await strapi.service('plugin::content-manager.document-manager').findOne(id, model, {
     populate: [`${CREATED_BY_ATTRIBUTE}.roles`],
   });
 
-  if (_.isNil(entity)) {
+  if (_.isNil(doc)) {
     throw new NotFoundError();
   }
 
-  const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });
+  const pm = strapi
+    .service('admin::permission')
+    .createPermissionsManager({ ability, action, model });
 
-  if (pm.ability.cannot(pm.action, pm.toSubject(entity))) {
+  if (pm.ability.cannot(pm.action, pm.toSubject(doc))) {
     throw new ForbiddenError();
   }
 
-  const entityWithoutCreatorRoles = _.omit(entity, `${CREATED_BY_ATTRIBUTE}.roles`);
+  const docWithoutCreatorRoles = _.omit(doc, `${CREATED_BY_ATTRIBUTE}.roles`);
 
-  return { pm, entity: entityWithoutCreatorRoles };
+  return { pm, doc: docWithoutCreatorRoles };
 };
 
 module.exports = {
@@ -48,7 +48,7 @@ module.exports = {
 
     const { email, username } = body;
 
-    const pm = strapi.admin.services.permission.createPermissionsManager({
+    const pm = strapi.service('admin::permission').createPermissionsManager({
       ability: userAbility,
       action: ACTIONS.create,
       model: userModel,
@@ -66,7 +66,7 @@ module.exports = {
 
     await validateCreateUserBody(ctx.request.body);
 
-    const userWithSameUsername = await strapi
+    const userWithSameUsername = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { username } });
 
@@ -75,7 +75,7 @@ module.exports = {
     }
 
     if (advanced.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: email.toLowerCase() } });
 
@@ -93,18 +93,11 @@ module.exports = {
 
     user.email = _.toLower(user.email);
 
-    if (!user.role) {
-      const defaultRole = await strapi
-        .query('plugin::users-permissions.role')
-        .findOne({ where: { type: advanced.default_role } });
-
-      user.role = defaultRole.id;
-    }
-
     try {
       const data = await strapi
-        .service('plugin::content-manager.entity-manager')
-        .create(user, userModel);
+        .service('plugin::content-manager.document-manager')
+        .create(userModel, { data: user });
+
       const sanitizedData = await pm.sanitizeOutput(data, { action: ACTIONS.read });
 
       ctx.created(sanitizedData);
@@ -118,7 +111,7 @@ module.exports = {
    */
 
   async update(ctx) {
-    const { id } = ctx.params;
+    const { id: documentId } = ctx.params;
     const { body } = ctx.request;
     const { user: admin, userAbility } = ctx.state;
 
@@ -128,38 +121,40 @@ module.exports = {
 
     const { email, username, password } = body;
 
-    const { pm, entity } = await findEntityAndCheckPermissions(
+    const { pm, doc } = await findEntityAndCheckPermissions(
       userAbility,
       ACTIONS.edit,
       userModel,
-      id
+      documentId
     );
-    const user = entity;
+
+    const user = doc;
 
     await validateUpdateUserBody(ctx.request.body);
 
-    if (_.has(body, 'password') && !password && user.provider === 'local') {
-      throw new ValidationError('password.notNull');
+    if (_.has(body, 'password') && (password == null || password === '')) {
+      delete body.password;
     }
 
     if (_.has(body, 'username')) {
-      const userWithSameUsername = await strapi
+      const userWithSameUsername = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { username } });
 
-      if (userWithSameUsername && _.toString(userWithSameUsername.id) !== _.toString(id)) {
+      if (userWithSameUsername && _.toString(userWithSameUsername.id) !== _.toString(user.id)) {
         throw new ApplicationError('Username already taken');
       }
     }
 
     if (_.has(body, 'email') && advancedConfigs.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: _.toLower(email) } });
 
-      if (userWithSameEmail && _.toString(userWithSameEmail.id) !== _.toString(id)) {
+      if (userWithSameEmail && _.toString(userWithSameEmail.id) !== _.toString(user.id)) {
         throw new ApplicationError('Email already taken');
       }
+
       body.email = _.toLower(body.email);
     }
 
@@ -167,8 +162,10 @@ module.exports = {
     const updateData = _.omit({ ...sanitizedData, updatedBy: admin.id }, 'createdBy');
 
     const data = await strapi
-      .service('plugin::content-manager.entity-manager')
-      .update({ id }, updateData, userModel);
+      .service('plugin::content-manager.document-manager')
+      .update(documentId, userModel, {
+        data: updateData,
+      });
 
     ctx.body = await pm.sanitizeOutput(data, { action: ACTIONS.read });
   },