npm - @strapi/plugin-users-permissions - Versions diffs - 0.0.0-next.e41415e8ff5f565ff959667d5c5ba4f20bee013c → 0.0.0-next.e5b87a54008c9de2b3286a4774635dcf69895d9b - Mend

@strapi/plugin-users-permissions 0.0.0-next.e41415e8ff5f565ff959667d5c5ba4f20bee013c → 0.0.0-next.e5b87a54008c9de2b3286a4774635dcf69895d9b

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (688) hide show

package/server/controllers/auth.js CHANGED Viewed

@@ -9,6 +9,7 @@
 /* eslint-disable no-useless-escape */
 const crypto = require('crypto');
 const _ = require('lodash');
+const { concat, compact, isArray } = require('lodash/fp');
 const utils = require('@strapi/utils');
 const { getService } = require('../utils');
 const {
@@ -21,17 +22,22 @@ const {
   validateChangePasswordBody,
 } = require('./validation/auth');
-const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
-const { ApplicationError, ValidationError } = utils.errors;
+const { ApplicationError, ValidationError, ForbiddenError } = utils.errors;
 const sanitizeUser = (user, ctx) => {
   const { auth } = ctx.state;
   const userSchema = strapi.getModel('plugin::users-permissions.user');
-  return sanitize.contentAPI.output(user, userSchema, { auth });
+  return strapi.contentAPI.sanitize.output(user, userSchema, { auth });
 };
-module.exports = {
+const extractDeviceId = (requestBody) => {
+  const { deviceId } = requestBody || {};
+  return typeof deviceId === 'string' && deviceId.length > 0 ? deviceId : undefined;
+};
+module.exports = ({ strapi }) => ({
   async callback(ctx) {
     const provider = ctx.params.provider || 'local';
     const params = ctx.request.body;
@@ -51,7 +57,7 @@ module.exports = {
       const { identifier } = params;
       // Check if the user exists.
-      const user = await strapi.query('plugin::users-permissions.user').findOne({
+      const user = await strapi.db.query('plugin::users-permissions.user').findOne({
         where: {
           provider,
           $or: [{ email: identifier.toLowerCase() }, { username: identifier }],
@@ -86,6 +92,51 @@ module.exports = {
         throw new ApplicationError('Your account has been blocked by an administrator');
       }
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const isProduction = process.env.NODE_ENV === 'production';
+          const isSecure =
+            typeof upSessions.cookie?.secure === 'boolean'
+              ? upSessions.cookie?.secure
+              : isProduction;
+          const cookieOptions = {
+            httpOnly: true,
+            secure: isSecure,
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -96,6 +147,53 @@ module.exports = {
     try {
       const user = await getService('providers').connect(provider, ctx.query);
+      if (user.blocked) {
+        throw new ForbiddenError('Your account has been blocked by an administrator');
+      }
+      const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+      if (mode === 'refresh') {
+        const deviceId = extractDeviceId(ctx.request.body);
+        const refresh = await strapi
+          .sessionManager('users-permissions')
+          .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+        const access = await strapi
+          .sessionManager('users-permissions')
+          .generateAccessToken(refresh.token);
+        if ('error' in access) {
+          throw new ApplicationError('Invalid credentials');
+        }
+        const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+        const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+        if (upSessions?.httpOnly || requestHttpOnly) {
+          const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+          const isProduction = process.env.NODE_ENV === 'production';
+          const isSecure =
+            typeof upSessions.cookie?.secure === 'boolean'
+              ? upSessions.cookie?.secure
+              : isProduction;
+          const cookieOptions = {
+            httpOnly: true,
+            secure: isSecure,
+            sameSite: upSessions.cookie?.sameSite ?? 'lax',
+            path: upSessions.cookie?.path ?? '/',
+            domain: upSessions.cookie?.domain,
+            overwrite: true,
+          };
+          ctx.cookies.set(cookieName, refresh.token, cookieOptions);
+          return ctx.send({ jwt: access.token, user: await sanitizeUser(user, ctx) });
+        }
+        return ctx.send({
+          jwt: access.token,
+          refreshToken: refresh.token,
+          user: await sanitizeUser(user, ctx),
+        });
+      }
       return ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -110,13 +208,17 @@ module.exports = {
       throw new ApplicationError('You must be authenticated to reset your password');
     }
-    const { currentPassword, password } = await validateChangePasswordBody(ctx.request.body);
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
-    const user = await strapi.entityService.findOne(
-      'plugin::users-permissions.user',
-      ctx.state.user.id
+    const { currentPassword, password } = await validateChangePasswordBody(
+      ctx.request.body,
+      validations
     );
+    const user = await strapi.db
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { id: ctx.state.user.id } });
     const validPassword = await getService('user').validatePassword(currentPassword, user.password);
     if (!validPassword) {
@@ -129,22 +231,51 @@ module.exports = {
     await getService('user').edit(user.id, { password });
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+      // Invalidate all sessions when password changes for security
+      await strapi.sessionManager('users-permissions').invalidateRefreshToken(String(user.id));
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
   },
   async resetPassword(ctx) {
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
     const { password, passwordConfirmation, code } = await validateResetPasswordBody(
-      ctx.request.body
+      ctx.request.body,
+      validations
     );
     if (password !== passwordConfirmation) {
       throw new ValidationError('Passwords do not match');
     }
-    const user = await strapi
+    const user = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { resetPasswordToken: code } });
@@ -157,15 +288,119 @@ module.exports = {
       password,
     });
-    // Update the user.
-    ctx.send({
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body);
+      // Invalidate all sessions when password is reset for security
+      await strapi.sessionManager('users-permissions').invalidateRefreshToken(String(user.id));
+      const newDeviceId = deviceId || crypto.randomUUID();
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), newDeviceId, { type: 'refresh' });
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+      return ctx.send({
+        jwt: access.token,
+        refreshToken: refresh.token,
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+    return ctx.send({
       jwt: getService('jwt').issue({ id: user.id }),
       user: await sanitizeUser(user, ctx),
     });
   },
+  async refresh(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const cookieName = upSessions?.cookie?.name || 'strapi_up_refresh';
+    // Check for refresh token in cookie first (if httpOnly is configured), then in body
+    let refreshToken = ctx.cookies.get(cookieName);
+    if (!refreshToken) {
+      refreshToken = ctx.request.body?.refreshToken;
+    }
+    if (!refreshToken || typeof refreshToken !== 'string') {
+      return ctx.badRequest('Missing refresh token');
+    }
+    const rotation = await strapi
+      .sessionManager('users-permissions')
+      .rotateRefreshToken(refreshToken);
+    if ('error' in rotation) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+    const result = await strapi
+      .sessionManager('users-permissions')
+      .generateAccessToken(rotation.token);
+    if ('error' in result) {
+      return ctx.unauthorized('Invalid refresh token');
+    }
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const isProduction = process.env.NODE_ENV === 'production';
+      const isSecure =
+        typeof upSessions.cookie?.secure === 'boolean' ? upSessions.cookie?.secure : isProduction;
+      const cookieOptions = {
+        httpOnly: true,
+        secure: isSecure,
+        sameSite: upSessions.cookie?.sameSite ?? 'lax',
+        path: upSessions.cookie?.path ?? '/',
+        domain: upSessions.cookie?.domain,
+        overwrite: true,
+      };
+      ctx.cookies.set(cookieName, rotation.token, cookieOptions);
+      return ctx.send({ jwt: result.token });
+    }
+    return ctx.send({ jwt: result.token, refreshToken: rotation.token });
+  },
+  async logout(ctx) {
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode !== 'refresh') {
+      return ctx.notFound();
+    }
+    // Invalidate all sessions for the authenticated user, or by deviceId if provided
+    if (!ctx.state.user) {
+      return ctx.unauthorized('Missing authentication');
+    }
+    const deviceId = extractDeviceId(ctx.request.body);
+    try {
+      await strapi
+        .sessionManager('users-permissions')
+        .invalidateRefreshToken(String(ctx.state.user.id), deviceId);
+    } catch (err) {
+      strapi.log.error('UP logout failed', err);
+    }
+    const upSessions = strapi.config.get('plugin::users-permissions.sessions');
+    const requestHttpOnly = ctx.request.header['x-strapi-refresh-cookie'] === 'httpOnly';
+    if (upSessions?.httpOnly || requestHttpOnly) {
+      const cookieName = upSessions.cookie?.name || 'strapi_up_refresh';
+      ctx.cookies.set(cookieName, '', { expires: new Date(0) });
+    }
+    return ctx.send({ ok: true });
+  },
   async connect(ctx, next) {
-    const grant = require('grant-koa');
+    const grant = require('grant').koa();
     const providers = await strapi
       .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
@@ -193,10 +428,28 @@ module.exports = {
     }
     // Ability to pass OAuth callback dynamically
-    grantConfig[provider].callback =
-      _.get(ctx, 'query.callback') ||
-      _.get(ctx, 'session.grant.dynamic.callback') ||
-      grantConfig[provider].callback;
+    const queryCustomCallback = _.get(ctx, 'query.callback');
+    const dynamicSessionCallback = _.get(ctx, 'session.grant.dynamic.callback');
+    const customCallback = queryCustomCallback ?? dynamicSessionCallback;
+    // The custom callback is validated to make sure it's not redirecting to an unwanted actor.
+    if (customCallback !== undefined) {
+      try {
+        // We're extracting the callback validator from the plugin config since it can be user-customized
+        const { validate: validateCallback } = strapi
+          .plugin('users-permissions')
+          .config('callback');
+        await validateCallback(customCallback, grantConfig[provider]);
+        grantConfig[provider].callback = customCallback;
+      } catch (e) {
+        throw new ValidationError('Invalid callback URL provided', { callback: customCallback });
+      }
+    }
+    // Build a valid redirect URI for the current provider
     grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);
     return grant(grantConfig)(ctx, next);
@@ -211,7 +464,7 @@ module.exports = {
     const advancedSettings = await pluginStore.get({ key: 'advanced' });
     // Find the user by email.
-    const user = await strapi
+    const user = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { email: email.toLowerCase() } });
@@ -229,8 +482,8 @@ module.exports = {
       resetPasswordSettings.message,
       {
         URL: advancedSettings.email_reset_password,
-        SERVER_URL: getAbsoluteServerUrl(strapi.config),
-        ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
+        SERVER_URL: strapi.config.get('server.absoluteUrl'),
+        ADMIN_URL: strapi.config.get('admin.absoluteUrl'),
         USER: userInfo,
         TOKEN: resetPasswordToken,
       }
@@ -273,26 +526,32 @@ module.exports = {
       throw new ApplicationError('Register action is currently disabled');
     }
+    const { register } = strapi.config.get('plugin::users-permissions');
+    const alwaysAllowedKeys = ['username', 'password', 'email'];
+    // Note that we intentionally do not filter allowedFields to allow a project to explicitly accept private or other Strapi field on registration
+    const allowedKeys = compact(
+      concat(alwaysAllowedKeys, isArray(register?.allowedFields) ? register.allowedFields : [])
+    );
+    // Check if there are any keys in requestBody that are not in allowedKeys
+    const invalidKeys = Object.keys(ctx.request.body).filter((key) => !allowedKeys.includes(key));
+    if (invalidKeys.length > 0) {
+      // If there are invalid keys, throw an error
+      throw new ValidationError(`Invalid parameters: ${invalidKeys.join(', ')}`);
+    }
     const params = {
-      ..._.omit(ctx.request.body, [
-        'confirmed',
-        'blocked',
-        'confirmationToken',
-        'resetPasswordToken',
-        'provider',
-        'id',
-        'createdAt',
-        'updatedAt',
-        'createdBy',
-        'updatedBy',
-        'role',
-      ]),
+      ..._.pick(ctx.request.body, allowedKeys),
       provider: 'local',
     };
-    await validateRegisterBody(params);
+    const validations = strapi.config.get('plugin::users-permissions.validationRules');
+    await validateRegisterBody(params, validations);
-    const role = await strapi
+    const role = await strapi.db
       .query('plugin::users-permissions.role')
       .findOne({ where: { type: settings.default_role } });
@@ -311,7 +570,7 @@ module.exports = {
       ],
     };
-    const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+    const conflictingUserCount = await strapi.db.query('plugin::users-permissions.user').count({
       where: { ...identifierFilter, provider },
     });
@@ -320,7 +579,7 @@ module.exports = {
     }
     if (settings.unique_email) {
-      const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+      const conflictingUserCount = await strapi.db.query('plugin::users-permissions.user').count({
         where: { ...identifierFilter },
       });
@@ -345,18 +604,33 @@ module.exports = {
       try {
         await getService('user').sendConfirmationEmail(sanitizedUser);
       } catch (err) {
-        throw new ApplicationError(err.message);
+        strapi.log.error(err);
+        throw new ApplicationError('Error sending confirmation email');
       }
       return ctx.send({ user: sanitizedUser });
     }
-    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    const mode = strapi.config.get('plugin::users-permissions.jwtManagement', 'legacy-support');
+    if (mode === 'refresh') {
+      const deviceId = extractDeviceId(ctx.request.body) || crypto.randomUUID();
-    return ctx.send({
-      jwt,
-      user: sanitizedUser,
-    });
+      const refresh = await strapi
+        .sessionManager('users-permissions')
+        .generateRefreshToken(String(user.id), deviceId, { type: 'refresh' });
+      const access = await strapi
+        .sessionManager('users-permissions')
+        .generateAccessToken(refresh.token);
+      if ('error' in access) {
+        throw new ApplicationError('Invalid credentials');
+      }
+      return ctx.send({ jwt: access.token, refreshToken: refresh.token, user: sanitizedUser });
+    }
+    const jwt = getService('jwt').issue(_.pick(user, ['id']));
+    return ctx.send({ jwt, user: sanitizedUser });
   },
   async emailConfirmation(ctx, next, returnUser) {
@@ -390,7 +664,7 @@ module.exports = {
   async sendEmailConfirmation(ctx) {
     const { email } = await validateSendEmailConfirmationBody(ctx.request.body);
-    const user = await strapi.query('plugin::users-permissions.user').findOne({
+    const user = await strapi.db.query('plugin::users-permissions.user').findOne({
       where: { email: email.toLowerCase() },
     });
@@ -413,4 +687,4 @@ module.exports = {
       sent: true,
     });
   },
-};
+});

package/server/controllers/content-manager-user.js CHANGED Viewed

@@ -2,8 +2,7 @@
 const _ = require('lodash');
 const { contentTypes: contentTypesUtils } = require('@strapi/utils');
-const { ApplicationError, ValidationError, NotFoundError, ForbiddenError } =
-  require('@strapi/utils').errors;
+const { ApplicationError, NotFoundError, ForbiddenError } = require('@strapi/utils').errors;
 const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 const { UPDATED_BY_ATTRIBUTE, CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;
@@ -17,24 +16,25 @@ const ACTIONS = {
 };
 const findEntityAndCheckPermissions = async (ability, action, model, id) => {
-  const entity = await strapi.query(userModel).findOne({
-    where: { id },
+  const doc = await strapi.service('plugin::content-manager.document-manager').findOne(id, model, {
     populate: [`${CREATED_BY_ATTRIBUTE}.roles`],
   });
-  if (_.isNil(entity)) {
+  if (_.isNil(doc)) {
     throw new NotFoundError();
   }
-  const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });
+  const pm = strapi
+    .service('admin::permission')
+    .createPermissionsManager({ ability, action, model });
-  if (pm.ability.cannot(pm.action, pm.toSubject(entity))) {
+  if (pm.ability.cannot(pm.action, pm.toSubject(doc))) {
     throw new ForbiddenError();
   }
-  const entityWithoutCreatorRoles = _.omit(entity, `${CREATED_BY_ATTRIBUTE}.roles`);
+  const docWithoutCreatorRoles = _.omit(doc, `${CREATED_BY_ATTRIBUTE}.roles`);
-  return { pm, entity: entityWithoutCreatorRoles };
+  return { pm, doc: docWithoutCreatorRoles };
 };
 module.exports = {
@@ -48,7 +48,7 @@ module.exports = {
     const { email, username } = body;
-    const pm = strapi.admin.services.permission.createPermissionsManager({
+    const pm = strapi.service('admin::permission').createPermissionsManager({
       ability: userAbility,
       action: ACTIONS.create,
       model: userModel,
@@ -66,7 +66,7 @@ module.exports = {
     await validateCreateUserBody(ctx.request.body);
-    const userWithSameUsername = await strapi
+    const userWithSameUsername = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { username } });
@@ -75,7 +75,7 @@ module.exports = {
     }
     if (advanced.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: email.toLowerCase() } });
@@ -93,18 +93,11 @@ module.exports = {
     user.email = _.toLower(user.email);
-    if (!user.role) {
-      const defaultRole = await strapi
-        .query('plugin::users-permissions.role')
-        .findOne({ where: { type: advanced.default_role } });
-      user.role = defaultRole.id;
-    }
     try {
       const data = await strapi
-        .service('plugin::content-manager.entity-manager')
-        .create(user, userModel);
+        .service('plugin::content-manager.document-manager')
+        .create(userModel, { data: user });
       const sanitizedData = await pm.sanitizeOutput(data, { action: ACTIONS.read });
       ctx.created(sanitizedData);
@@ -118,7 +111,7 @@ module.exports = {
    */
   async update(ctx) {
-    const { id } = ctx.params;
+    const { id: documentId } = ctx.params;
     const { body } = ctx.request;
     const { user: admin, userAbility } = ctx.state;
@@ -128,38 +121,40 @@ module.exports = {
     const { email, username, password } = body;
-    const { pm, entity } = await findEntityAndCheckPermissions(
+    const { pm, doc } = await findEntityAndCheckPermissions(
       userAbility,
       ACTIONS.edit,
       userModel,
-      id
+      documentId
     );
-    const user = entity;
+    const user = doc;
     await validateUpdateUserBody(ctx.request.body);
-    if (_.has(body, 'password') && !password && user.provider === 'local') {
-      throw new ValidationError('password.notNull');
+    if (_.has(body, 'password') && (password == null || password === '')) {
+      delete body.password;
     }
     if (_.has(body, 'username')) {
-      const userWithSameUsername = await strapi
+      const userWithSameUsername = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { username } });
-      if (userWithSameUsername && _.toString(userWithSameUsername.id) !== _.toString(id)) {
+      if (userWithSameUsername && _.toString(userWithSameUsername.id) !== _.toString(user.id)) {
         throw new ApplicationError('Username already taken');
       }
     }
     if (_.has(body, 'email') && advancedConfigs.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: _.toLower(email) } });
-      if (userWithSameEmail && _.toString(userWithSameEmail.id) !== _.toString(id)) {
+      if (userWithSameEmail && _.toString(userWithSameEmail.id) !== _.toString(user.id)) {
         throw new ApplicationError('Email already taken');
       }
       body.email = _.toLower(body.email);
     }
@@ -167,8 +162,10 @@ module.exports = {
     const updateData = _.omit({ ...sanitizedData, updatedBy: admin.id }, 'createdBy');
     const data = await strapi
-      .service('plugin::content-manager.entity-manager')
-      .update({ id }, updateData, userModel);
+      .service('plugin::content-manager.document-manager')
+      .update(documentId, userModel, {
+        data: updateData,
+      });
     ctx.body = await pm.sanitizeOutput(data, { action: ACTIONS.read });
   },