npm - @strapi/plugin-users-permissions - Versions diffs - 0.0.0-next.e3b4cdeebf6e9b0cd5575ff80b8a86715d44ce98 → 0.0.0-next.e61eff51f9834ffdef16bdc236aecab5f837723b - Mend

@strapi/plugin-users-permissions 0.0.0-next.e3b4cdeebf6e9b0cd5575ff80b8a86715d44ce98 → 0.0.0-next.e61eff51f9834ffdef16bdc236aecab5f837723b

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (233) hide show

package/.eslintignore +2 -2
package/.eslintrc +17 -0
package/LICENSE +18 -3
package/admin/src/components/BoundRoute/{index.js → index.jsx} +7 -5
package/admin/src/components/FormModal/Input/{index.js → index.jsx} +38 -34
package/admin/src/components/FormModal/index.jsx +115 -0
package/admin/src/components/Permissions/PermissionRow/{CheckboxWrapper.js → CheckboxWrapper.jsx} +4 -3
package/admin/src/components/Permissions/PermissionRow/{SubCategory.js → SubCategory.jsx} +27 -15
package/admin/src/components/Permissions/PermissionRow/{index.js → index.jsx} +4 -2
package/admin/src/components/Permissions/index.jsx +47 -0
package/admin/src/components/Permissions/reducer.js +1 -1
package/admin/src/components/Policies/{index.js → index.jsx} +10 -7
package/admin/src/components/UsersPermissions/{index.js → index.jsx} +22 -11
package/admin/src/components/UsersPermissions/reducer.js +1 -1
package/admin/src/{permissions.js → constants.js} +1 -3
package/admin/src/contexts/UsersPermissionsContext/{index.js → index.jsx} +1 -0
package/admin/src/index.js +27 -53
package/admin/src/pages/AdvancedSettings/index.jsx +214 -0
package/admin/src/pages/AdvancedSettings/utils/layout.js +20 -35
package/admin/src/pages/AdvancedSettings/utils/schema.js +5 -2
package/admin/src/pages/EmailTemplates/components/EmailForm.jsx +156 -0
package/admin/src/pages/EmailTemplates/components/{EmailTable.js → EmailTable.jsx} +28 -23
package/admin/src/pages/EmailTemplates/index.jsx +148 -0
package/admin/src/pages/EmailTemplates/utils/schema.js +18 -6
package/admin/src/pages/Providers/index.jsx +262 -0
package/admin/src/pages/Providers/utils/forms.js +23 -11
package/admin/src/pages/Roles/constants.js +7 -0
package/admin/src/pages/Roles/hooks/usePlugins.js +78 -0
package/admin/src/pages/Roles/index.jsx +24 -0
package/admin/src/pages/Roles/pages/CreatePage.jsx +194 -0
package/admin/src/pages/Roles/pages/EditPage.jsx +215 -0
package/admin/src/pages/Roles/pages/ListPage/components/TableBody.jsx +119 -0
package/admin/src/pages/Roles/{ListPage/index.js → pages/ListPage/index.jsx} +108 -83
package/admin/src/pluginId.js +2 -2
package/admin/src/translations/en.json +1 -1
package/admin/src/translations/uk.json +41 -4
package/admin/src/translations/zh-Hans.json +80 -80
package/admin/src/utils/index.js +1 -2
package/admin/src/utils/prefixPluginTranslations.js +13 -0
package/dist/admin/chunks/ar-BJwjobLp.js +45 -0
package/dist/admin/chunks/ar-BJwjobLp.js.map +1 -0
package/dist/admin/chunks/ar-G6bUGuUb.mjs +43 -0
package/dist/admin/chunks/ar-G6bUGuUb.mjs.map +1 -0
package/dist/admin/chunks/cs-Bu59JqhG.mjs +49 -0
package/dist/admin/chunks/cs-Bu59JqhG.mjs.map +1 -0
package/dist/admin/chunks/cs-uS_SIEo8.js +51 -0
package/dist/admin/chunks/cs-uS_SIEo8.js.map +1 -0
package/dist/admin/chunks/de-7MVMrqqI.js +63 -0
package/dist/admin/chunks/de-7MVMrqqI.js.map +1 -0
package/dist/admin/chunks/de-B81A69_5.mjs +61 -0
package/dist/admin/chunks/de-B81A69_5.mjs.map +1 -0
package/dist/admin/chunks/dk-BaelzvBE.mjs +85 -0
package/dist/admin/chunks/dk-BaelzvBE.mjs.map +1 -0
package/dist/admin/chunks/dk-DwCLGmy9.js +87 -0
package/dist/admin/chunks/dk-DwCLGmy9.js.map +1 -0
package/dist/admin/chunks/en-BhgCBe7M.mjs +85 -0
package/dist/admin/chunks/en-BhgCBe7M.mjs.map +1 -0
package/dist/admin/chunks/en-DwQjkHi_.js +87 -0
package/dist/admin/chunks/en-DwQjkHi_.js.map +1 -0
package/dist/admin/chunks/es-B0wXmvRj.mjs +85 -0
package/dist/admin/chunks/es-B0wXmvRj.mjs.map +1 -0
package/dist/admin/chunks/es-BOJOedG5.js +87 -0
package/dist/admin/chunks/es-BOJOedG5.js.map +1 -0
package/dist/admin/chunks/fr-BDNWCNs0.js +51 -0
package/dist/admin/chunks/fr-BDNWCNs0.js.map +1 -0
package/dist/admin/chunks/fr-CGYvGUXg.mjs +49 -0
package/dist/admin/chunks/fr-CGYvGUXg.mjs.map +1 -0
package/dist/admin/chunks/id-CNzbwFjA.mjs +61 -0
package/dist/admin/chunks/id-CNzbwFjA.mjs.map +1 -0
package/dist/admin/chunks/id-UqUPykHZ.js +63 -0
package/dist/admin/chunks/id-UqUPykHZ.js.map +1 -0
package/dist/admin/chunks/index--_o6btSC.js +471 -0
package/dist/admin/chunks/index--_o6btSC.js.map +1 -0
package/dist/admin/chunks/index-BBjNJt_G.mjs +448 -0
package/dist/admin/chunks/index-BBjNJt_G.mjs.map +1 -0
package/dist/admin/chunks/index-BgAfLcWs.mjs +1516 -0
package/dist/admin/chunks/index-BgAfLcWs.mjs.map +1 -0
package/dist/admin/chunks/index-CHTUC0LM.mjs +718 -0
package/dist/admin/chunks/index-CHTUC0LM.mjs.map +1 -0
package/dist/admin/chunks/index-CY5JZ38k.mjs +213 -0
package/dist/admin/chunks/index-CY5JZ38k.mjs.map +1 -0
package/dist/admin/chunks/index-Cu1VuLS3.js +741 -0
package/dist/admin/chunks/index-Cu1VuLS3.js.map +1 -0
package/dist/admin/chunks/index-Cy-tPfRk.mjs +279 -0
package/dist/admin/chunks/index-Cy-tPfRk.mjs.map +1 -0
package/dist/admin/chunks/index-DD-Z6c1S.js +217 -0
package/dist/admin/chunks/index-DD-Z6c1S.js.map +1 -0
package/dist/admin/chunks/index-DFnYIqrB.js +301 -0
package/dist/admin/chunks/index-DFnYIqrB.js.map +1 -0
package/dist/admin/chunks/index-DvubCYNe.js +1537 -0
package/dist/admin/chunks/index-DvubCYNe.js.map +1 -0
package/dist/admin/chunks/it-B2H2foTf.mjs +61 -0
package/dist/admin/chunks/it-B2H2foTf.mjs.map +1 -0
package/dist/admin/chunks/it-D5VuyoLU.js +63 -0
package/dist/admin/chunks/it-D5VuyoLU.js.map +1 -0
package/dist/admin/chunks/ja-C0z9d7L9.mjs +47 -0
package/dist/admin/chunks/ja-C0z9d7L9.mjs.map +1 -0
package/dist/admin/chunks/ja-MpqVsCgs.js +49 -0
package/dist/admin/chunks/ja-MpqVsCgs.js.map +1 -0
package/dist/admin/chunks/ko-Bm-grPSc.js +87 -0
package/dist/admin/chunks/ko-Bm-grPSc.js.map +1 -0
package/dist/admin/chunks/ko-CzUgzpeS.mjs +85 -0
package/dist/admin/chunks/ko-CzUgzpeS.mjs.map +1 -0
package/dist/admin/chunks/ms-CCacxjim.mjs +48 -0
package/dist/admin/chunks/ms-CCacxjim.mjs.map +1 -0
package/dist/admin/chunks/ms-D7eyBD5H.js +50 -0
package/dist/admin/chunks/ms-D7eyBD5H.js.map +1 -0
package/dist/admin/chunks/nl-BIOwAQtI.js +49 -0
package/dist/admin/chunks/nl-BIOwAQtI.js.map +1 -0
package/dist/admin/chunks/nl-DDC3nZW-.mjs +47 -0
package/dist/admin/chunks/nl-DDC3nZW-.mjs.map +1 -0
package/dist/admin/chunks/pl-D5BeNrg_.js +87 -0
package/dist/admin/chunks/pl-D5BeNrg_.js.map +1 -0
package/dist/admin/chunks/pl-XkS463rN.mjs +85 -0
package/dist/admin/chunks/pl-XkS463rN.mjs.map +1 -0
package/dist/admin/chunks/pt-BR-8cC7z8Km.mjs +43 -0
package/dist/admin/chunks/pt-BR-8cC7z8Km.mjs.map +1 -0
package/dist/admin/chunks/pt-BR-DxPBzQGx.js +45 -0
package/dist/admin/chunks/pt-BR-DxPBzQGx.js.map +1 -0
package/dist/admin/chunks/pt-DQpEvio8.mjs +47 -0
package/dist/admin/chunks/pt-DQpEvio8.mjs.map +1 -0
package/dist/admin/chunks/pt-kkCwzNvH.js +49 -0
package/dist/admin/chunks/pt-kkCwzNvH.js.map +1 -0
package/dist/admin/chunks/ru-BQ0gHmp3.js +87 -0
package/dist/admin/chunks/ru-BQ0gHmp3.js.map +1 -0
package/dist/admin/chunks/ru-nzL_7Mhg.mjs +85 -0
package/dist/admin/chunks/ru-nzL_7Mhg.mjs.map +1 -0
package/dist/admin/chunks/sk-Ddxc_tZA.mjs +49 -0
package/dist/admin/chunks/sk-Ddxc_tZA.mjs.map +1 -0
package/dist/admin/chunks/sk-nVwAPdYC.js +51 -0
package/dist/admin/chunks/sk-nVwAPdYC.js.map +1 -0
package/dist/admin/chunks/sv-BDfk2A-F.js +87 -0
package/dist/admin/chunks/sv-BDfk2A-F.js.map +1 -0
package/dist/admin/chunks/sv-By3RYpMG.mjs +85 -0
package/dist/admin/chunks/sv-By3RYpMG.mjs.map +1 -0
package/dist/admin/chunks/th-BtTtpHe2.js +61 -0
package/dist/admin/chunks/th-BtTtpHe2.js.map +1 -0
package/dist/admin/chunks/th-COl50vqb.mjs +59 -0
package/dist/admin/chunks/th-COl50vqb.mjs.map +1 -0
package/dist/admin/chunks/tr-80SJU6jg.mjs +84 -0
package/dist/admin/chunks/tr-80SJU6jg.mjs.map +1 -0
package/dist/admin/chunks/tr-Di-Nf7cT.js +86 -0
package/dist/admin/chunks/tr-Di-Nf7cT.js.map +1 -0
package/dist/admin/chunks/uk-DnrIlPwG.mjs +85 -0
package/dist/admin/chunks/uk-DnrIlPwG.mjs.map +1 -0
package/dist/admin/chunks/uk-r5zXTAS7.js +87 -0
package/dist/admin/chunks/uk-r5zXTAS7.js.map +1 -0
package/dist/admin/chunks/vi-69AF03Iv.mjs +49 -0
package/dist/admin/chunks/vi-69AF03Iv.mjs.map +1 -0
package/dist/admin/chunks/vi-D9cCsHsU.js +51 -0
package/dist/admin/chunks/vi-D9cCsHsU.js.map +1 -0
package/dist/admin/chunks/zh-BzSkqxo-.mjs +85 -0
package/dist/admin/chunks/zh-BzSkqxo-.mjs.map +1 -0
package/dist/admin/chunks/zh-BzWgJEzz.js +87 -0
package/dist/admin/chunks/zh-BzWgJEzz.js.map +1 -0
package/dist/admin/chunks/zh-Hans-CKqQbpsM.js +87 -0
package/dist/admin/chunks/zh-Hans-CKqQbpsM.js.map +1 -0
package/dist/admin/chunks/zh-Hans-DmDcSsp7.mjs +85 -0
package/dist/admin/chunks/zh-Hans-DmDcSsp7.mjs.map +1 -0
package/dist/admin/index.js +8 -0
package/dist/admin/index.js.map +1 -0
package/dist/admin/index.mjs +2 -0
package/dist/admin/index.mjs.map +1 -0
package/dist/server/index.js +4766 -0
package/dist/server/index.js.map +1 -0
package/dist/server/index.mjs +4764 -0
package/dist/server/index.mjs.map +1 -0
package/documentation/content-api.yaml +1 -1
package/jest.config.front.js +1 -0
package/package.json +53 -37
package/rollup.config.mjs +52 -0
package/server/bootstrap/index.js +18 -15
package/server/bootstrap/users-permissions-actions.js +6 -0
package/server/config.js +29 -0
package/server/content-types/user/index.js +0 -1
package/server/controllers/auth.js +75 -39
package/server/controllers/content-manager-user.js +28 -30
package/server/controllers/role.js +17 -4
package/server/controllers/user.js +18 -8
package/server/controllers/validation/auth.js +104 -25
package/server/graphql/types/index.js +1 -0
package/server/graphql/types/me.js +1 -0
package/server/graphql/types/user-input.js +20 -0
package/server/middlewares/rateLimit.js +41 -21
package/server/register.js +2 -2
package/server/services/jwt.js +3 -3
package/server/services/permission.js +3 -7
package/server/services/providers-registry.js +469 -261
package/server/services/providers.js +10 -5
package/server/services/role.js +15 -13
package/server/services/user.js +56 -19
package/server/services/users-permissions.js +15 -13
package/server/strategies/users-permissions.js +1 -8
package/server/utils/index.d.ts +2 -1
package/server/utils/sanitize/sanitizers.js +7 -3
package/server/utils/sanitize/visitors/remove-user-relation-from-role-entities.js +2 -2
package/.eslintrc.js +0 -14
package/admin/src/components/FormModal/index.js +0 -123
package/admin/src/components/Permissions/index.js +0 -54
package/admin/src/hooks/index.js +0 -5
package/admin/src/hooks/useFetchRole/index.js +0 -64
package/admin/src/hooks/useFetchRole/reducer.js +0 -31
package/admin/src/hooks/useForm/index.js +0 -67
package/admin/src/hooks/useForm/reducer.js +0 -40
package/admin/src/hooks/usePlugins/index.js +0 -67
package/admin/src/hooks/usePlugins/init.js +0 -5
package/admin/src/hooks/usePlugins/reducer.js +0 -34
package/admin/src/hooks/useRolesList/index.js +0 -62
package/admin/src/hooks/useRolesList/init.js +0 -5
package/admin/src/hooks/useRolesList/reducer.js +0 -31
package/admin/src/pages/AdvancedSettings/index.js +0 -243
package/admin/src/pages/AdvancedSettings/utils/api.js +0 -17
package/admin/src/pages/EmailTemplates/components/EmailForm.js +0 -175
package/admin/src/pages/EmailTemplates/index.js +0 -160
package/admin/src/pages/EmailTemplates/utils/api.js +0 -17
package/admin/src/pages/Providers/index.js +0 -272
package/admin/src/pages/Providers/reducer.js +0 -54
package/admin/src/pages/Providers/utils/api.js +0 -25
package/admin/src/pages/Providers/utils/createProvidersArray.js +0 -21
package/admin/src/pages/Roles/CreatePage/index.js +0 -182
package/admin/src/pages/Roles/CreatePage/utils/schema.js +0 -9
package/admin/src/pages/Roles/EditPage/index.js +0 -194
package/admin/src/pages/Roles/EditPage/utils/schema.js +0 -9
package/admin/src/pages/Roles/ListPage/components/TableBody.js +0 -92
package/admin/src/pages/Roles/ListPage/utils/api.js +0 -31
package/admin/src/pages/Roles/ProtectedCreatePage/index.js +0 -12
package/admin/src/pages/Roles/ProtectedEditPage/index.js +0 -12
package/admin/src/pages/Roles/ProtectedListPage/index.js +0 -15
package/admin/src/pages/Roles/index.js +0 -27
package/admin/src/utils/getRequestURL.js +0 -5
package/server/bootstrap/grant-config.js +0 -131
package/strapi-admin.js +0 -3
package/strapi-server.js +0 -3

package/documentation/content-api.yaml CHANGED Viewed

@@ -93,7 +93,7 @@ paths:
         required: true
       responses:
         200:
-          description: Successfull registration
+          description: Successful registration
           content:
             application/json:
               schema:

package/jest.config.front.js CHANGED Viewed

@@ -3,4 +3,5 @@
 module.exports = {
   preset: '../../../jest-preset.front.js',
   displayName: 'Users & Permissions plugin',
+  setupFilesAfterEnv: ['./admin/src/tests/setup.js'],
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "0.0.0-next.e3b4cdeebf6e9b0cd5575ff80b8a86715d44ce98",
+  "version": "0.0.0-next.e61eff51f9834ffdef16bdc236aecab5f837723b",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -19,58 +19,75 @@
       "url": "https://strapi.io"
     }
   ],
+  "exports": {
+    "./strapi-admin": {
+      "source": "./admin/src/index.js",
+      "import": "./dist/admin/index.mjs",
+      "require": "./dist/admin/index.js",
+      "default": "./dist/admin/index.js"
+    },
+    "./strapi-server": {
+      "source": "./server/index.js",
+      "import": "./dist/server/index.mjs",
+      "require": "./dist/server/index.js",
+      "default": "./dist/server/index.js"
+    },
+    "./package.json": "./package.json"
+  },
   "scripts": {
-    "test:unit": "run -T jest",
-    "test:unit:watch": "run -T jest --watch",
+    "build": "run -T npm-run-all clean build:code",
+    "build:code": "run -T rollup -c",
+    "clean": "run -T rimraf dist",
+    "lint": "run -T eslint .",
     "test:front": "run -T cross-env IS_EE=true jest --config ./jest.config.front.js",
-    "test:front:watch": "run -T cross-env IS_EE=true jest --config ./jest.config.front.js --watchAll",
     "test:front:ce": "run -T cross-env IS_EE=false jest --config ./jest.config.front.js",
+    "test:front:watch": "run -T cross-env IS_EE=true jest --config ./jest.config.front.js --watchAll",
     "test:front:watch:ce": "run -T cross-env IS_EE=false jest --config ./jest.config.front.js --watchAll",
-    "lint": "run -T eslint ."
+    "test:unit": "run -T jest",
+    "test:unit:watch": "run -T jest --watch",
+    "watch": "run -T rollup -c -w"
   },
   "dependencies": {
-    "@strapi/design-system": "1.7.5",
-    "@strapi/helper-plugin": "0.0.0-next.e3b4cdeebf6e9b0cd5575ff80b8a86715d44ce98",
-    "@strapi/icons": "1.7.5",
-    "@strapi/utils": "0.0.0-next.e3b4cdeebf6e9b0cd5575ff80b8a86715d44ce98",
+    "@strapi/design-system": "2.0.0-rc.18",
+    "@strapi/icons": "2.0.0-rc.18",
+    "@strapi/utils": "0.0.0-next.e61eff51f9834ffdef16bdc236aecab5f837723b",
     "bcryptjs": "2.4.3",
-    "formik": "2.2.9",
-    "grant-koa": "5.4.8",
-    "immer": "9.0.19",
+    "formik": "2.4.5",
+    "grant": "^5.4.8",
+    "immer": "9.0.21",
     "jsonwebtoken": "9.0.0",
     "jwk-to-pem": "2.0.5",
-    "koa": "^2.13.4",
-    "koa2-ratelimit": "^1.1.2",
+    "koa": "2.15.2",
+    "koa2-ratelimit": "^1.1.3",
     "lodash": "4.17.21",
-    "prop-types": "^15.7.2",
+    "prop-types": "^15.8.1",
     "purest": "4.0.2",
-    "react-intl": "6.4.1",
-    "react-query": "3.24.3",
-    "react-redux": "8.0.5",
+    "react-intl": "6.6.2",
+    "react-query": "3.39.3",
+    "react-redux": "8.1.3",
     "url-join": "4.0.1",
-    "yup": "^0.32.9"
+    "yup": "0.32.9"
   },
   "devDependencies": {
-    "@testing-library/dom": "8.19.0",
-    "@testing-library/react": "12.1.4",
-    "@testing-library/react-hooks": "8.0.1",
-    "@testing-library/user-event": "14.4.3",
-    "history": "^4.9.0",
-    "msw": "1.2.1",
-    "react": "^17.0.2",
-    "react-dom": "^17.0.2",
-    "react-router-dom": "5.3.4",
-    "react-test-renderer": "^17.0.2",
-    "styled-components": "5.3.3"
+    "@strapi/strapi": "0.0.0-next.e61eff51f9834ffdef16bdc236aecab5f837723b",
+    "@testing-library/dom": "10.1.0",
+    "@testing-library/react": "15.0.7",
+    "@testing-library/user-event": "14.5.2",
+    "msw": "1.3.0",
+    "react": "18.3.1",
+    "react-dom": "18.3.1",
+    "react-router-dom": "6.22.3",
+    "styled-components": "6.1.8"
   },
   "peerDependencies": {
-    "react": "^17.0.2",
-    "react-dom": "^17.0.2",
-    "react-router-dom": "^5.3.4",
-    "styled-components": "^5.3.3"
+    "@strapi/strapi": "^5.0.0",
+    "react": "^17.0.0 || ^18.0.0",
+    "react-dom": "^17.0.0 || ^18.0.0",
+    "react-router-dom": "^6.0.0",
+    "styled-components": "^6.0.0"
   },
   "engines": {
-    "node": ">=14.19.1 <=18.x.x",
+    "node": ">=18.0.0 <=22.x.x",
     "npm": ">=6.0.0"
   },
   "strapi": {
@@ -79,6 +96,5 @@
     "description": "Protect your API with a full authentication process based on JWT. This plugin comes also with an ACL strategy that allows you to manage the permissions between the groups of users.",
     "required": true,
     "kind": "plugin"
-  },
-  "gitHead": "e3b4cdeebf6e9b0cd5575ff80b8a86715d44ce98"
+  }
 }

package/rollup.config.mjs ADDED Viewed

@@ -0,0 +1,52 @@
+import { defineConfig } from 'rollup';
+import path from 'path';
+import { basePlugins } from '../../../rollup.utils.mjs';
+export default defineConfig([
+  {
+    input: path.join(import.meta.dirname, 'admin/src/index.js'),
+    external: (id) => !path.isAbsolute(id) && !id.startsWith('.'),
+    output: [
+      {
+        dir: path.join(import.meta.dirname, 'dist/admin'),
+        entryFileNames: '[name].js',
+        chunkFileNames: 'chunks/[name]-[hash].js',
+        exports: 'auto',
+        format: 'cjs',
+        sourcemap: true,
+      },
+      {
+        dir: path.join(import.meta.dirname, 'dist/admin'),
+        entryFileNames: '[name].mjs',
+        chunkFileNames: 'chunks/[name]-[hash].mjs',
+        exports: 'auto',
+        format: 'esm',
+        sourcemap: true,
+      },
+    ],
+    plugins: [...basePlugins(import.meta.dirname)],
+  },
+  {
+    input: path.join(import.meta.dirname, 'server/index.js'),
+    external: (id) => !path.isAbsolute(id) && !id.startsWith('.'),
+    output: [
+      {
+        dir: path.join(import.meta.dirname, 'dist/server'),
+        entryFileNames: '[name].js',
+        chunkFileNames: 'chunks/[name]-[hash].js',
+        exports: 'auto',
+        format: 'cjs',
+        sourcemap: true,
+      },
+      {
+        dir: path.join(import.meta.dirname, 'dist/server'),
+        entryFileNames: '[name].mjs',
+        chunkFileNames: 'chunks/[name]-[hash].mjs',
+        exports: 'auto',
+        format: 'esm',
+        sourcemap: true,
+      },
+    ],
+    plugins: [...basePlugins(import.meta.dirname)],
+  },
+]);

package/server/bootstrap/index.js CHANGED Viewed

@@ -9,23 +9,26 @@
  */
 const crypto = require('crypto');
 const _ = require('lodash');
-const urljoin = require('url-join');
 const { getService } = require('../utils');
-const getGrantConfig = require('./grant-config');
 const usersPermissionsActions = require('./users-permissions-actions');
 const initGrant = async (pluginStore) => {
-  const apiPrefix = strapi.config.get('api.rest.prefix');
-  const baseURL = urljoin(strapi.config.server.url, apiPrefix, 'auth');
+  const allProviders = getService('providers-registry').getAll();
+  const grantConfig = Object.entries(allProviders).reduce((acc, [name, provider]) => {
+    const { icon, enabled, grantConfig } = provider;
-  const grantConfig = getGrantConfig(baseURL);
+    acc[name] = {
+      icon,
+      enabled,
+      ...grantConfig,
+    };
+    return acc;
+  }, {});
   const prevGrantConfig = (await pluginStore.get({ key: 'grant' })) || {};
-  // store grant auth config to db
-  // when plugin_users-permissions_grant is not existed in db
-  // or we have added/deleted provider here.
-  if (!prevGrantConfig || !_.isEqual(_.keys(prevGrantConfig), _.keys(grantConfig))) {
+  if (!prevGrantConfig || !_.isEqual(prevGrantConfig, grantConfig)) {
     // merge with the previous provider config.
     _.keys(grantConfig).forEach((key) => {
       if (key in prevGrantConfig) {
@@ -104,13 +107,13 @@ module.exports = async ({ strapi }) => {
   await initEmails(pluginStore);
   await initAdvancedOptions(pluginStore);
-  await strapi.admin.services.permission.actionProvider.registerMany(
-    usersPermissionsActions.actions
-  );
+  await strapi
+    .service('admin::permission')
+    .actionProvider.registerMany(usersPermissionsActions.actions);
   await getService('users-permissions').initialize();
-  if (!strapi.config.get('plugin.users-permissions.jwtSecret')) {
+  if (!strapi.config.get('plugin::users-permissions.jwtSecret')) {
     if (process.env.NODE_ENV !== 'development') {
       throw new Error(
         `Missing jwtSecret. Please, set configuration variable "jwtSecret" for the users-permissions plugin in config/plugins.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
@@ -120,7 +123,7 @@ For security reasons, prefer storing the secret in an environment variable and r
     const jwtSecret = crypto.randomBytes(16).toString('base64');
-    strapi.config.set('plugin.users-permissions.jwtSecret', jwtSecret);
+    strapi.config.set('plugin::users-permissions.jwtSecret', jwtSecret);
     if (!process.env.JWT_SECRET) {
       const envPath = process.env.ENV_PATH || '.env';

package/server/bootstrap/users-permissions-actions.js CHANGED Viewed

@@ -16,6 +16,12 @@ module.exports = {
       uid: 'roles.read',
       subCategory: 'roles',
       pluginName: 'users-permissions',
+      aliases: [
+        {
+          actionId: 'plugin::content-manager.explorer.read',
+          subjects: ['plugin::users-permissions.role'],
+        },
+      ],
     },
     {
       section: 'plugins',

package/server/config.js CHANGED Viewed

@@ -18,6 +18,35 @@ module.exports = {
         },
       },
     },
+    callback: {
+      validate(callback, provider) {
+        let uCallback;
+        let uProviderCallback;
+        try {
+          uCallback = new URL(callback);
+          uProviderCallback = new URL(provider.callback);
+        } catch {
+          throw new Error('The callback is not a valid URL');
+        }
+        // Make sure the different origin matches
+        if (uCallback.origin !== uProviderCallback.origin) {
+          throw new Error(
+            `Forbidden callback provided: origins don't match. Please verify your config.`
+          );
+        }
+        // Make sure the different pathname matches
+        if (uCallback.pathname !== uProviderCallback.pathname) {
+          throw new Error(
+            `Forbidden callback provided: pathname don't match. Please verify your config.`
+          );
+        }
+        // NOTE: We're not checking the search parameters on purpose to allow passing different states
+      },
+    },
   }),
   validator() {},
 };

package/server/content-types/user/index.js CHANGED Viewed

@@ -12,7 +12,6 @@ module.exports = {
     displayName: 'User',
   },
   options: {
-    draftAndPublish: false,
     timestamps: true,
   },
   attributes: {

package/server/controllers/auth.js CHANGED Viewed

@@ -9,6 +9,7 @@
 /* eslint-disable no-useless-escape */
 const crypto = require('crypto');
 const _ = require('lodash');
+const { concat, compact, isArray } = require('lodash/fp');
 const utils = require('@strapi/utils');
 const { getService } = require('../utils');
 const {
@@ -21,17 +22,16 @@ const {
   validateChangePasswordBody,
 } = require('./validation/auth');
-const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
-const { ApplicationError, ValidationError } = utils.errors;
+const { ApplicationError, ValidationError, ForbiddenError } = utils.errors;
 const sanitizeUser = (user, ctx) => {
   const { auth } = ctx.state;
   const userSchema = strapi.getModel('plugin::users-permissions.user');
-  return sanitize.contentAPI.output(user, userSchema, { auth });
+  return strapi.contentAPI.sanitize.output(user, userSchema, { auth });
 };
-module.exports = {
+module.exports = ({ strapi }) => ({
   async callback(ctx) {
     const provider = ctx.params.provider || 'local';
     const params = ctx.request.body;
@@ -51,7 +51,7 @@ module.exports = {
       const { identifier } = params;
       // Check if the user exists.
-      const user = await strapi.query('plugin::users-permissions.user').findOne({
+      const user = await strapi.db.query('plugin::users-permissions.user').findOne({
         where: {
           provider,
           $or: [{ email: identifier.toLowerCase() }, { username: identifier }],
@@ -96,6 +96,10 @@ module.exports = {
     try {
       const user = await getService('providers').connect(provider, ctx.query);
+      if (user.blocked) {
+        throw new ForbiddenError('Your account has been blocked by an administrator');
+      }
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -110,13 +114,17 @@ module.exports = {
       throw new ApplicationError('You must be authenticated to reset your password');
     }
-    const { currentPassword, password } = await validateChangePasswordBody(ctx.request.body);
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
-    const user = await strapi.entityService.findOne(
-      'plugin::users-permissions.user',
-      ctx.state.user.id
+    const { currentPassword, password } = await validateChangePasswordBody(
+      ctx.request.body,
+      validations
     );
+    const user = await strapi.db
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { id: ctx.state.user.id } });
     const validPassword = await getService('user').validatePassword(currentPassword, user.password);
     if (!validPassword) {
@@ -136,15 +144,18 @@ module.exports = {
   },
   async resetPassword(ctx) {
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
     const { password, passwordConfirmation, code } = await validateResetPasswordBody(
-      ctx.request.body
+      ctx.request.body,
+      validations
     );
     if (password !== passwordConfirmation) {
       throw new ValidationError('Passwords do not match');
     }
-    const user = await strapi
+    const user = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { resetPasswordToken: code } });
@@ -165,7 +176,7 @@ module.exports = {
   },
   async connect(ctx, next) {
-    const grant = require('grant-koa');
+    const grant = require('grant').koa();
     const providers = await strapi
       .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
@@ -193,10 +204,28 @@ module.exports = {
     }
     // Ability to pass OAuth callback dynamically
-    grantConfig[provider].callback =
-      _.get(ctx, 'query.callback') ||
-      _.get(ctx, 'session.grant.dynamic.callback') ||
-      grantConfig[provider].callback;
+    const queryCustomCallback = _.get(ctx, 'query.callback');
+    const dynamicSessionCallback = _.get(ctx, 'session.grant.dynamic.callback');
+    const customCallback = queryCustomCallback ?? dynamicSessionCallback;
+    // The custom callback is validated to make sure it's not redirecting to an unwanted actor.
+    if (customCallback !== undefined) {
+      try {
+        // We're extracting the callback validator from the plugin config since it can be user-customized
+        const { validate: validateCallback } = strapi
+          .plugin('users-permissions')
+          .config('callback');
+        await validateCallback(customCallback, grantConfig[provider]);
+        grantConfig[provider].callback = customCallback;
+      } catch (e) {
+        throw new ValidationError('Invalid callback URL provided', { callback: customCallback });
+      }
+    }
+    // Build a valid redirect URI for the current provider
     grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);
     return grant(grantConfig)(ctx, next);
@@ -211,7 +240,7 @@ module.exports = {
     const advancedSettings = await pluginStore.get({ key: 'advanced' });
     // Find the user by email.
-    const user = await strapi
+    const user = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { email: email.toLowerCase() } });
@@ -229,8 +258,8 @@ module.exports = {
       resetPasswordSettings.message,
       {
         URL: advancedSettings.email_reset_password,
-        SERVER_URL: getAbsoluteServerUrl(strapi.config),
-        ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
+        SERVER_URL: strapi.config.get('server.absoluteUrl'),
+        ADMIN_URL: strapi.config.get('admin.absoluteUrl'),
         USER: userInfo,
         TOKEN: resetPasswordToken,
       }
@@ -273,26 +302,32 @@ module.exports = {
       throw new ApplicationError('Register action is currently disabled');
     }
+    const { register } = strapi.config.get('plugin::users-permissions');
+    const alwaysAllowedKeys = ['username', 'password', 'email'];
+    // Note that we intentionally do not filter allowedFields to allow a project to explicitly accept private or other Strapi field on registration
+    const allowedKeys = compact(
+      concat(alwaysAllowedKeys, isArray(register?.allowedFields) ? register.allowedFields : [])
+    );
+    // Check if there are any keys in requestBody that are not in allowedKeys
+    const invalidKeys = Object.keys(ctx.request.body).filter((key) => !allowedKeys.includes(key));
+    if (invalidKeys.length > 0) {
+      // If there are invalid keys, throw an error
+      throw new ValidationError(`Invalid parameters: ${invalidKeys.join(', ')}`);
+    }
     const params = {
-      ..._.omit(ctx.request.body, [
-        'confirmed',
-        'blocked',
-        'confirmationToken',
-        'resetPasswordToken',
-        'provider',
-        'id',
-        'createdAt',
-        'updatedAt',
-        'createdBy',
-        'updatedBy',
-        'role',
-      ]),
+      ..._.pick(ctx.request.body, allowedKeys),
       provider: 'local',
     };
-    await validateRegisterBody(params);
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
-    const role = await strapi
+    await validateRegisterBody(params, validations);
+    const role = await strapi.db
       .query('plugin::users-permissions.role')
       .findOne({ where: { type: settings.default_role } });
@@ -311,7 +346,7 @@ module.exports = {
       ],
     };
-    const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+    const conflictingUserCount = await strapi.db.query('plugin::users-permissions.user').count({
       where: { ...identifierFilter, provider },
     });
@@ -320,7 +355,7 @@ module.exports = {
     }
     if (settings.unique_email) {
-      const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+      const conflictingUserCount = await strapi.db.query('plugin::users-permissions.user').count({
         where: { ...identifierFilter },
       });
@@ -345,7 +380,8 @@ module.exports = {
       try {
         await getService('user').sendConfirmationEmail(sanitizedUser);
       } catch (err) {
-        throw new ApplicationError(err.message);
+        strapi.log.error(err);
+        throw new ApplicationError('Error sending confirmation email');
       }
       return ctx.send({ user: sanitizedUser });
@@ -390,7 +426,7 @@ module.exports = {
   async sendEmailConfirmation(ctx) {
     const { email } = await validateSendEmailConfirmationBody(ctx.request.body);
-    const user = await strapi.query('plugin::users-permissions.user').findOne({
+    const user = await strapi.db.query('plugin::users-permissions.user').findOne({
       where: { email: email.toLowerCase() },
     });
@@ -413,4 +449,4 @@ module.exports = {
       sent: true,
     });
   },
-};
+});