@strapi/plugin-users-permissions 4.0.0-beta.11 → 4.0.0-beta.15

package/admin/src/components/BoundRoute/index.js

@@ -1,13 +1,19 @@
 import React from 'react';
+import styled from 'styled-components';
 import { Stack } from '@strapi/design-system/Stack';
 import { Box } from '@strapi/design-system/Box';
-import { H3, Text } from '@strapi/design-system/Text';
+import { Typography } from '@strapi/design-system/Typography';
 import map from 'lodash/map';
 import tail from 'lodash/tail';
 import { useIntl } from 'react-intl';
 import PropTypes from 'prop-types';
 import getMethodColor from './getMethodColor';
 
+const MethodBox = styled(Box)`
+  margin: -1px;
+  border-radius: ${({ theme }) => theme.spaces[1]} 0 0 ${({ theme }) => theme.spaces[1]};
+`;
+
 function BoundRoute({ route }) {
   const { formatMessage } = useIntl();
 
@@ -18,41 +24,31 @@ function BoundRoute({ route }) {
 
   return (
     <Stack size={2}>
-      <H3>
+      <Typography variant="delta" as="h3">
         {formatMessage({
           id: 'users-permissions.BoundRoute.title',
           defaultMessage: 'Bound route to',
         })}
         &nbsp;
         <span>{controller}</span>
-        <Text style={{ fontSize: 'inherit', fontWeight: 'inherit' }} textColor="primary600">
+        <Typography variant="delta" textColor="primary600">
           .{action}
-        </Text>
-      </H3>
-      <Box hasRadius background="neutral0" borderColor="neutral200">
-        <Box
-          color={colors.text}
-          background={colors.background}
-          borderColor={colors.border}
-          padding={2}
-          hasRadius
-          style={{
-            display: 'inline-block',
-            margin: '-1px',
-            borderTopRightRadius: 0,
-            borderBottomRightRadius: 0,
-          }}
-        >
-          <Text bold>{method}</Text>
-        </Box>
-        <Box style={{ display: 'inline-block' }} paddingLeft={2} paddingRight={2}>
+        </Typography>
+      </Typography>
+      <Stack horizontal hasRadius background="neutral0" borderColor="neutral200" size={0}>
+        <MethodBox background={colors.background} borderColor={colors.border} padding={2}>
+          <Typography fontWeight="bold" textColor={colors.text}>
+            {method}
+          </Typography>
+        </MethodBox>
+        <Box paddingLeft={2} paddingRight={2}>
           {map(formattedRoute, value => (
-            <Text key={value} textColor={value.includes(':') ? 'neutral600' : 'neutral900'}>
+            <Typography key={value} textColor={value.includes(':') ? 'neutral600' : 'neutral900'}>
               /{value}
-            </Text>
+            </Typography>
           ))}
         </Box>
-      </Box>
+      </Stack>
     </Stack>
   );
 }

package/admin/src/components/Permissions/PermissionRow/SubCategory.js

@@ -5,7 +5,7 @@ import PropTypes from 'prop-types';
 import { Box } from '@strapi/design-system/Box';
 import { Checkbox } from '@strapi/design-system/Checkbox';
 import { Flex } from '@strapi/design-system/Flex';
-import { TableLabel } from '@strapi/design-system/Text';
+import { Typography } from '@strapi/design-system/Typography';
 import { Grid, GridItem } from '@strapi/design-system/Grid';
 import CogIcon from '@strapi/icons/Cog';
 import { useIntl } from 'react-intl';
@@ -61,7 +61,9 @@ const SubCategory = ({ subCategory }) => {
     <Box>
       <Flex justifyContent="space-between" alignItems="center">
         <Box paddingRight={4}>
-          <TableLabel textColor="neutral600">{subCategory.label}</TableLabel>
+          <Typography variant="sigma" textColor="neutral600">
+            {subCategory.label}
+          </Typography>
         </Box>
         <Border />
         <Box paddingLeft={4}>

package/admin/src/components/Policies/index.js

@@ -1,6 +1,6 @@
 import React from 'react';
 import { useIntl } from 'react-intl';
-import { H3, Text } from '@strapi/design-system/Text';
+import { Typography } from '@strapi/design-system/Typography';
 import { Stack } from '@strapi/design-system/Stack';
 import { GridItem } from '@strapi/design-system/Grid';
 import { get, isEmpty, takeRight, toLower, without } from 'lodash';
@@ -35,19 +35,19 @@ const Policies = () => {
         </Stack>
       ) : (
         <Stack size={2}>
-          <H3>
+          <Typography variant="delta" as="h3">
             {formatMessage({
               id: 'users-permissions.Policies.header.title',
               defaultMessage: 'Advanced settings',
             })}
-          </H3>
-          <Text as="p" textColor="neutral600">
+          </Typography>
+          <Typography as="p" textColor="neutral600">
             {formatMessage({
               id: 'users-permissions.Policies.header.hint',
               defaultMessage:
                 "Select the application's actions or the plugin's actions and click on the cog icon to display the bound route",
             })}
-          </Text>
+          </Typography>
         </Stack>
       )}
     </GridItem>

package/admin/src/components/UsersPermissions/index.js

@@ -1,6 +1,6 @@
 import React, { memo, useReducer, useCallback, forwardRef, useImperativeHandle } from 'react';
 import PropTypes from 'prop-types';
-import { H3, Text } from '@strapi/design-system/Text';
+import { Typography } from '@strapi/design-system/Typography';
 import { Stack } from '@strapi/design-system/Stack';
 import { Grid, GridItem } from '@strapi/design-system/Grid';
 import { useIntl } from 'react-intl';
@@ -67,18 +67,18 @@ const UsersPermissions = forwardRef(({ permissions, routes }, ref) => {
         <GridItem col={7} paddingTop={6} paddingBottom={6} paddingLeft={7} paddingRight={7}>
           <Stack size={4}>
             <Stack size={2}>
-              <H3 as="h2">
+              <Typography variant="delta" as="h2">
                 {formatMessage({
                   id: getTrad('Plugins.header.title'),
                   defaultMessage: 'Permissions',
                 })}
-              </H3>
-              <Text as="p" textColor="neutral600">
+              </Typography>
+              <Typography as="p" textColor="neutral600">
                 {formatMessage({
                   id: getTrad('Plugins.header.description'),
                   defaultMessage: 'Only actions bound by a route are listed below.',
                 })}
-              </Text>
+              </Typography>
             </Stack>
             <Permissions />
           </Stack>

package/admin/src/pages/AdvancedSettings/index.js

@@ -20,7 +20,7 @@ import { Button } from '@strapi/design-system/Button';
 import { Box } from '@strapi/design-system/Box';
 import { Stack } from '@strapi/design-system/Stack';
 import { Select, Option } from '@strapi/design-system/Select';
-import { H3 } from '@strapi/design-system/Text';
+import { Typography } from '@strapi/design-system/Typography';
 import { Grid, GridItem } from '@strapi/design-system/Grid';
 import Check from '@strapi/icons/Check';
 import pluginPermissions from '../../permissions';
@@ -169,12 +169,12 @@ const AdvancedSettingsPage = () => {
                   paddingRight={7}
                 >
                   <Stack size={4}>
-                    <H3>
+                    <Typography variant="delta" as="h2">
                       {formatMessage({
                         id: getTrad('Form.title.advancedSettings'),
                         defaultMessage: 'Settings',
                       })}
-                    </H3>
+                    </Typography>
                     <Grid gap={6}>
                       <GridItem col={6} s={12}>
                         <Select

package/admin/src/pages/EmailTemplates/components/EmailTable.js

@@ -3,7 +3,7 @@ import PropTypes from 'prop-types';
 import { useIntl } from 'react-intl';
 import { Table, Thead, Tbody, Tr, Td, Th } from '@strapi/design-system/Table';
 import { VisuallyHidden } from '@strapi/design-system/VisuallyHidden';
-import { Text, TableLabel } from '@strapi/design-system/Text';
+import { Typography } from '@strapi/design-system/Typography';
 import { IconButton } from '@strapi/design-system/IconButton';
 import Pencil from '@strapi/icons/Pencil';
 import Reload from '@strapi/icons/Refresh';
@@ -27,12 +27,12 @@ const EmailTable = ({ canUpdate, onEditClick }) => {
             </VisuallyHidden>
           </Th>
           <Th>
-            <TableLabel textColor="neutral600">
+            <Typography variant="sigma" textColor="neutral600">
               {formatMessage({
                 id: getTrad('Email.template.table.name.label'),
                 defaultMessage: 'name',
               })}
-            </TableLabel>
+            </Typography>
           </Th>
           <Th width="1%">
             <VisuallyHidden>
@@ -55,12 +55,12 @@ const EmailTable = ({ canUpdate, onEditClick }) => {
             />
           </Td>
           <Td>
-            <Text>
+            <Typography>
               {formatMessage({
                 id: getTrad('Email.template.reset_password'),
                 defaultMessage: 'Reset password',
               })}
-            </Text>
+            </Typography>
           </Td>
           <Td {...stopPropagation}>
             <IconButton
@@ -84,12 +84,12 @@ const EmailTable = ({ canUpdate, onEditClick }) => {
             />
           </Td>
           <Td>
-            <Text>
+            <Typography>
               {formatMessage({
                 id: getTrad('Email.template.email_confirmation'),
                 defaultMessage: 'Email address confirmation',
               })}
-            </Text>
+            </Typography>
           </Td>
           <Td {...stopPropagation}>
             <IconButton

package/admin/src/pages/Providers/index.js

@@ -19,7 +19,7 @@ import { HeaderLayout, Layout, ContentLayout } from '@strapi/design-system/Layou
 import { Main } from '@strapi/design-system/Main';
 import { useNotifyAT } from '@strapi/design-system/LiveRegions';
 import { Table, Thead, Tr, Th, Tbody, Td } from '@strapi/design-system/Table';
-import { Text, TableLabel } from '@strapi/design-system/Text';
+import { Typography } from '@strapi/design-system/Typography';
 import { VisuallyHidden } from '@strapi/design-system/VisuallyHidden';
 import { IconButton } from '@strapi/design-system/IconButton';
 import Pencil from '@strapi/icons/Pencil';
@@ -167,31 +167,31 @@ export const ProvidersPage = () => {
               <Thead>
                 <Tr>
                   <Th>
-                    <TableLabel textColor="neutral600">
+                    <Typography variant="sigma" textColor="neutral600">
                       <VisuallyHidden>
                         {formatMessage({ id: getTrad('Providers.image'), defaultMessage: 'Image' })}
                       </VisuallyHidden>
-                    </TableLabel>
+                    </Typography>
                   </Th>
                   <Th>
-                    <TableLabel textColor="neutral600">
+                    <Typography variant="sigma" textColor="neutral600">
                       {formatMessage({ id: getTrad('Providers.name'), defaultMessage: 'Name' })}
-                    </TableLabel>
+                    </Typography>
                   </Th>
                   <Th>
-                    <TableLabel textColor="neutral600">
+                    <Typography variant="sigma" textColor="neutral600">
                       {formatMessage({ id: getTrad('Providers.status'), defaultMessage: 'Status' })}
-                    </TableLabel>
+                    </Typography>
                   </Th>
                   <Th>
-                    <TableLabel>
+                    <Typography variant="sigma">
                       <VisuallyHidden>
                         {formatMessage({
                           id: getTrad('Providers.settings'),
                           defaultMessage: 'Settings',
                         })}
                       </VisuallyHidden>
-                    </TableLabel>
+                    </Typography>
                   </Th>
                 </Tr>
               </Thead>
@@ -208,12 +208,12 @@ export const ProvidersPage = () => {
                       <FontAwesomeIcon icon={provider.icon} />
                     </Td>
                     <Td width="45%">
-                      <Text highlighted textColor="neutral800">
+                      <Typography fontWeight="semiBold" textColor="neutral800">
                         {provider.name}
-                      </Text>
+                      </Typography>
                     </Td>
                     <Td width="65%">
-                      <Text
+                      <Typography
                         textColor={provider.enabled ? 'success600' : 'danger600'}
                         data-testid={`enable-${provider.name}`}
                       >
@@ -226,7 +226,7 @@ export const ProvidersPage = () => {
                               id: getTrad('Providers.disabled'),
                               defaultMessage: 'Disabled',
                             })}
-                      </Text>
+                      </Typography>
                     </Td>
                     <Td {...stopPropagation}>
                       {canUpdate && (

package/admin/src/pages/Roles/CreatePage/index.js

@@ -7,7 +7,7 @@ import { Stack } from '@strapi/design-system/Stack';
 import { Box } from '@strapi/design-system/Box';
 import { TextInput } from '@strapi/design-system/TextInput';
 import { Textarea } from '@strapi/design-system/Textarea';
-import { H3 } from '@strapi/design-system/Text';
+import { Typography } from '@strapi/design-system/Typography';
 import Check from '@strapi/icons/Check';
 import { GridItem, Grid } from '@strapi/design-system/Grid';
 import { Formik } from 'formik';
@@ -113,12 +113,12 @@ const EditPage = () => {
                   paddingRight={7}
                 >
                   <Stack size={4}>
-                    <H3 as="h2">
+                    <Typography variant="delta" as="h2">
                       {formatMessage({
                         id: getTrad('EditPage.form.roles'),
                         defaultMessage: 'Role details',
                       })}
-                    </H3>
+                    </Typography>
                     <Grid gap={4}>
                       <GridItem col={6}>
                         <TextInput

package/admin/src/pages/Roles/EditPage/index.js

@@ -6,7 +6,7 @@ import { Stack } from '@strapi/design-system/Stack';
 import { Box } from '@strapi/design-system/Box';
 import { TextInput } from '@strapi/design-system/TextInput';
 import { Textarea } from '@strapi/design-system/Textarea';
-import { H3 } from '@strapi/design-system/Text';
+import { Typography } from '@strapi/design-system/Typography';
 import ArrowLeft from '@strapi/icons/ArrowLeft';
 import Check from '@strapi/icons/Check';
 import { Link } from '@strapi/design-system/Link';
@@ -126,12 +126,12 @@ const EditPage = () => {
                   paddingRight={7}
                 >
                   <Stack size={4}>
-                    <H3 as="h2">
+                    <Typography variant="delta" as="h2">
                       {formatMessage({
                         id: getTrad('EditPage.form.roles'),
                         defaultMessage: 'Role details',
                       })}
-                    </H3>
+                    </Typography>
                     <Grid gap={4}>
                       <GridItem col={6}>
                         <TextInput

package/admin/src/pages/Roles/ListPage/components/TableBody.js

@@ -1,7 +1,7 @@
 import React from 'react';
 import PropTypes from 'prop-types';
 import { IconButton } from '@strapi/design-system/IconButton';
-import { Text } from '@strapi/design-system/Text';
+import { Typography } from '@strapi/design-system/Typography';
 import { Flex } from '@strapi/design-system/Flex';
 import { Tbody, Tr, Td } from '@strapi/design-system/Table';
 import Pencil from '@strapi/icons/Pencil';
@@ -34,18 +34,18 @@ const TableBody = ({ sortedRoles, canDelete, permissions, setRoleToDelete, onDel
       {sortedRoles?.map(role => (
         <Tr key={role.name} {...onRowClick({ fn: () => handleClickEdit(role.id) })}>
           <Td width="20%">
-            <Text>{role.name}</Text>
+            <Typography>{role.name}</Typography>
           </Td>
           <Td width="50%">
-            <Text>{role.description}</Text>
+            <Typography>{role.description}</Typography>
           </Td>
           <Td width="30%">
-            <Text>
+            <Typography>
               {`${role.nb_users} ${formatMessage({
                 id: getTrad('Roles.users'),
                 defaultMessage: 'users',
               }).toLowerCase()}`}
-            </Text>
+            </Typography>
           </Td>
           <Td>
             <Flex justifyContent="end" {...stopPropagation}>

package/admin/src/pages/Roles/ListPage/index.js

@@ -1,19 +1,11 @@
 import React, { useMemo, useState } from 'react';
-import {
-  Button,
-  HeaderLayout,
-  Layout,
-  Main,
-  Table,
-  Tr,
-  Thead,
-  Th,
-  TableLabel,
-  useNotifyAT,
-  ContentLayout,
-  ActionLayout,
-  VisuallyHidden,
-} from '@strapi/design-system';
+import { Button } from '@strapi/design-system/Button';
+import { HeaderLayout, Layout, ContentLayout, ActionLayout } from '@strapi/design-system/Layout';
+import { Main } from '@strapi/design-system/Main';
+import { Table, Tr, Thead, Th } from '@strapi/design-system/Table';
+import { VisuallyHidden } from '@strapi/design-system/VisuallyHidden';
+import { Typography } from '@strapi/design-system/Typography';
+import { useNotifyAT } from '@strapi/design-system/LiveRegions';
 import Plus from '@strapi/icons/Plus';
 import {
   useTracking,
@@ -166,25 +158,25 @@ const RoleListPage = () => {
               <Thead>
                 <Tr>
                   <Th>
-                    <TableLabel textColor="neutral600">
+                    <Typography variant="sigma" textColor="neutral600">
                       {formatMessage({ id: getTrad('Roles.name'), defaultMessage: 'Name' })}
-                    </TableLabel>
+                    </Typography>
                   </Th>
                   <Th>
-                    <TableLabel textColor="neutral600">
+                    <Typography variant="sigma" textColor="neutral600">
                       {formatMessage({
                         id: getTrad('Roles.description'),
                         defaultMessage: 'Description',
                       })}
-                    </TableLabel>
+                    </Typography>
                   </Th>
                   <Th>
-                    <TableLabel textColor="neutral600">
+                    <Typography variant="sigma" textColor="neutral600">
                       {formatMessage({
                         id: getTrad('Roles.users'),
                         defaultMessage: 'Users',
                       })}
-                    </TableLabel>
+                    </Typography>
                   </Th>
                   <Th>
                     <VisuallyHidden>

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.0.0-beta.11",
+  "version": "4.0.0-beta.15",
   "description": "Protect your API with a full-authentication process based on JWT",
   "strapi": {
     "displayName": "Roles & Permissions",
     "name": "users-permissions",
-    "description": "users-permissions.plugin.description",
+    "description": "Protect your API with a full authentication process based on JWT. This plugin comes also with an ACL strategy that allows you to manage the permissions between the groups of users.",
     "required": true,
     "kind": "plugin"
   },
@@ -14,8 +14,8 @@
   },
   "dependencies": {
     "@purest/providers": "^1.0.2",
-    "@strapi/helper-plugin": "4.0.0-beta.11",
-    "@strapi/utils": "4.0.0-beta.11",
+    "@strapi/helper-plugin": "4.0.0-beta.15",
+    "@strapi/utils": "4.0.0-beta.15",
     "bcryptjs": "2.4.3",
     "grant-koa": "5.4.8",
     "jsonwebtoken": "^8.1.0",
@@ -28,7 +28,6 @@
     "react-redux": "7.2.3",
     "react-router": "^5.2.0",
     "react-router-dom": "5.2.0",
-    "reactstrap": "8.4.1",
     "redux-saga": "^0.16.0",
     "request": "^2.83.0",
     "uuid": "^3.1.0"
@@ -57,5 +56,5 @@
     "npm": ">=6.0.0"
   },
   "license": "SEE LICENSE IN LICENSE",
-  "gitHead": "5b04fa152dc597fc3aa80afb25796217b60403f3"
+  "gitHead": "c69713bf7f437a7cee66ffdeed95227d6246a872"
 }

package/server/config.js

@@ -13,8 +13,8 @@ module.exports = {
     layout: {
       user: {
         actions: {
-          create: 'User.create', // Use the User plugin's controller.
-          update: 'User.update',
+          create: 'contentManagerUser.create', // Use the User plugin's controller.
+          update: 'contentManagerUser.update',
         },
       },
     },

package/server/content-types/permission/index.js

@@ -13,6 +13,9 @@ module.exports = {
     'content-manager': {
       visible: false,
     },
+    'content-type-builder': {
+      visible: false,
+    },
   },
   attributes: {
     action: {

package/server/content-types/role/index.js

@@ -13,6 +13,9 @@ module.exports = {
     'content-manager': {
       visible: false,
     },
+    'content-type-builder': {
+      visible: false,
+    },
   },
   attributes: {
     name: {

package/server/controllers/{user/admin.js → content-manager-user.js}

@@ -8,8 +8,7 @@ const {
   NotFoundError,
   ForbiddenError,
 } = require('@strapi/utils').errors;
-const { getService } = require('../../utils');
-const { validateCreateUserBody, validateUpdateUserBody } = require('../validation/user');
+const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
 const { UPDATED_BY_ATTRIBUTE, CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;
 
@@ -22,7 +21,10 @@ const ACTIONS = {
 };
 
 const findEntityAndCheckPermissions = async (ability, action, model, id) => {
-  const entity = await strapi.query('plugin::users-permissions.user').findOne({ where: { id } });
+  const entity = await strapi.query(userModel).findOne({
+    where: { id },
+    populate: [`${CREATED_BY_ATTRIBUTE}.roles`],
+  });
 
   if (_.isNil(entity)) {
     throw new NotFoundError();
@@ -30,21 +32,13 @@ const findEntityAndCheckPermissions = async (ability, action, model, id) => {
 
   const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });
 
-  const roles = _.has(entity, `${CREATED_BY_ATTRIBUTE}.id`)
-    ? await strapi.query('admin::role').findMany({
-        where: {
-          users: { id: entity[CREATED_BY_ATTRIBUTE].id },
-        },
-      })
-    : [];
-
-  const entityWithRoles = _.set(_.cloneDeep(entity), `${CREATED_BY_ATTRIBUTE}.roles`, roles);
-
-  if (pm.ability.cannot(pm.action, pm.toSubject(entityWithRoles))) {
+  if (pm.ability.cannot(pm.action, pm.toSubject(entity))) {
     throw new ForbiddenError();
   }
 
-  return { pm, entity };
+  const entityWithoutCreatorRoles = _.omit(entity, `${CREATED_BY_ATTRIBUTE}.roles`);
+
+  return { pm, entity: entityWithoutCreatorRoles };
 };
 
 module.exports = {
@@ -112,7 +106,9 @@ module.exports = {
     }
 
     try {
-      const data = await getService('user').add(user);
+      const data = await strapi
+        .service('plugin::content-manager.entity-manager')
+        .create(user, userModel);
       const sanitizedData = await pm.sanitizeOutput(data, { action: ACTIONS.read });
 
       ctx.created(sanitizedData);
@@ -178,7 +174,9 @@ module.exports = {
     const sanitizedData = await pm.pickPermittedFieldsOf(body, { subject: pm.toSubject(user) });
     const updateData = _.omit({ ...sanitizedData, updatedBy: admin.id }, 'createdBy');
 
-    const data = await getService('user').edit({ id }, updateData);
+    const data = await strapi
+      .service('plugin::content-manager.entity-manager')
+      .update({ id }, updateData, userModel);
 
     ctx.body = await pm.sanitizeOutput(data, { action: ACTIONS.read });
   },

package/server/controllers/index.js

@@ -5,6 +5,7 @@ const user = require('./user');
 const role = require('./role');
 const permissions = require('./permissions');
 const settings = require('./settings');
+const contentmanageruser = require('./content-manager-user');
 
 module.exports = {
   auth,
@@ -12,4 +13,5 @@ module.exports = {
   role,
   permissions,
   settings,
+  contentmanageruser,
 };

package/server/controllers/user.js

@@ -7,40 +7,127 @@
  */
 
 const _ = require('lodash');
-const { sanitize } = require('@strapi/utils');
+const utils = require('@strapi/utils');
 const { getService } = require('../utils');
-const adminUserController = require('./user/admin');
-const apiUserController = require('./user/api');
+const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
-const sanitizeUser = (user, ctx) => {
+const { sanitize } = utils;
+const { ApplicationError, ValidationError } = utils.errors;
+
+const sanitizeOutput = (user, ctx) => {
+  const schema = strapi.getModel('plugin::users-permissions.user');
   const { auth } = ctx.state;
-  const userSchema = strapi.getModel('plugin::users-permissions.user');
 
-  return sanitize.contentAPI.output(user, userSchema, { auth });
+  return sanitize.contentAPI.output(user, schema, { auth });
 };
 
-const resolveController = ctx => {
-  const {
-    state: { isAuthenticatedAdmin },
-  } = ctx;
+module.exports = {
+  /**
+   * Create a/an user record.
+   * @return {Object}
+   */
+  async create(ctx) {
+    const advanced = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+
+    await validateCreateUserBody(ctx.request.body);
 
-  return isAuthenticatedAdmin ? adminUserController : apiUserController;
-};
+    const { email, username, role } = ctx.request.body;
 
-const resolveControllerMethod = method => ctx => {
-  const controller = resolveController(ctx);
-  const callbackFn = controller[method];
+    const userWithSameUsername = await strapi
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { username } });
 
-  if (!_.isFunction(callbackFn)) {
-    return ctx.notFound();
-  }
+    if (userWithSameUsername) {
+      if (!email) throw new ApplicationError('Username already taken');
+    }
 
-  return callbackFn(ctx);
-};
+    if (advanced.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: email.toLowerCase() } });
 
-module.exports = {
-  create: resolveControllerMethod('create'),
-  update: resolveControllerMethod('update'),
+      if (userWithSameEmail) {
+        throw new ApplicationError('Email already taken');
+      }
+    }
+
+    const user = {
+      ...ctx.request.body,
+      provider: 'local',
+    };
+
+    user.email = _.toLower(user.email);
+
+    if (!role) {
+      const defaultRole = await strapi
+        .query('plugin::users-permissions.role')
+        .findOne({ where: { type: advanced.default_role } });
+
+      user.role = defaultRole.id;
+    }
+
+    try {
+      const data = await getService('user').add(user);
+      const sanitizedData = await sanitizeOutput(data, ctx);
+
+      ctx.created(sanitizedData);
+    } catch (error) {
+      throw new ApplicationError(error.message);
+    }
+  },
+
+  /**
+   * Update a/an user record.
+   * @return {Object}
+   */
+  async update(ctx) {
+    const advancedConfigs = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+
+    const { id } = ctx.params;
+    const { email, username, password } = ctx.request.body;
+
+    const user = await getService('user').fetch({ id });
+
+    await validateUpdateUserBody(ctx.request.body);
+
+    if (user.provider === 'local' && _.has(ctx.request.body, 'password') && !password) {
+      throw new ValidationError('password.notNull');
+    }
+
+    if (_.has(ctx.request.body, 'username')) {
+      const userWithSameUsername = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { username } });
+
+      if (userWithSameUsername && userWithSameUsername.id != id) {
+        throw new ApplicationError('Username already taken');
+      }
+    }
+
+    if (_.has(ctx.request.body, 'email') && advancedConfigs.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: email.toLowerCase() } });
+
+      if (userWithSameEmail && userWithSameEmail.id != id) {
+        throw new ApplicationError('Email already taken');
+      }
+      ctx.request.body.email = ctx.request.body.email.toLowerCase();
+    }
+
+    let updateData = {
+      ...ctx.request.body,
+    };
+
+    const data = await getService('user').edit({ id }, updateData);
+    const sanitizedData = await sanitizeOutput(data, ctx);
+
+    ctx.send(sanitizedData);
+  },
 
   /**
    * Retrieve user records.
@@ -49,7 +136,7 @@ module.exports = {
   async find(ctx, next, { populate } = {}) {
     const users = await getService('user').fetchAll(ctx.query, populate);
 
-    ctx.body = await Promise.all(users.map(user => sanitizeUser(user, ctx)));
+    ctx.body = await Promise.all(users.map(user => sanitizeOutput(user, ctx)));
   },
 
   /**
@@ -61,7 +148,7 @@ module.exports = {
     let data = await getService('user').fetch({ id });
 
     if (data) {
-      data = await sanitizeUser(data, ctx);
+      data = await sanitizeOutput(data, ctx);
     }
 
     ctx.body = data;
@@ -83,7 +170,7 @@ module.exports = {
     const { id } = ctx.params;
 
     const data = await getService('user').remove({ id });
-    const sanitizedUser = await sanitizeUser(data, ctx);
+    const sanitizedUser = await sanitizeOutput(data, ctx);
 
     ctx.send(sanitizedUser);
   },
@@ -99,6 +186,6 @@ module.exports = {
       return ctx.unauthorized();
     }
 
-    ctx.body = await sanitizeUser(user, ctx);
+    ctx.body = await sanitizeOutput(user, ctx);
   },
 };

package/server/controllers/validation/user.js

@@ -6,24 +6,21 @@ const deleteRoleSchema = yup.object().shape({
   role: yup.strapiID().required(),
 });
 
-const createUserBodySchema = yup
-  .object()
-  .shape({
-    email: yup
-      .string()
-      .email()
-      .required(),
-    username: yup
-      .string()
-      .min(1)
-      .required(),
-    password: yup
-      .string()
-      .min(1)
-      .required(),
-    role: yup.strapiID(),
-  })
-  .noUnknown();
+const createUserBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .required(),
+  username: yup
+    .string()
+    .min(1)
+    .required(),
+  password: yup
+    .string()
+    .min(1)
+    .required(),
+  role: yup.strapiID(),
+});
 
 const updateUserBodySchema = yup.object().shape({
   email: yup

package/server/services/jwt.js

@@ -8,32 +8,23 @@
 
 const _ = require('lodash');
 const jwt = require('jsonwebtoken');
-const { ValidationError } = require('@strapi/utils').errors;
 
 module.exports = ({ strapi }) => ({
   getToken(ctx) {
-    const params = _.assign({}, ctx.request.body, ctx.request.query);
-
-    let token = '';
+    let token;
 
     if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
-      const parts = ctx.request.header.authorization.split(' ');
+      const parts = ctx.request.header.authorization.split(/\s+/);
 
-      if (parts.length === 2) {
-        const scheme = parts[0];
-        const credentials = parts[1];
-        if (/^Bearer$/i.test(scheme)) {
-          token = credentials;
-        }
-      } else {
-        throw new ValidationError(
-          'Invalid authorization header format. Format is Authorization: Bearer [token]'
-        );
+      if (parts[0].toLowerCase() !== 'bearer' || parts.length !== 2) {
+        return null;
       }
-    } else if (params.token) {
-      token = params.token;
+
+      token = parts[1];
+    } else if (ctx.query.access_token) {
+      token = ctx.query.access_token;
     } else {
-      throw new ValidationError('No authorization header was found');
+      return null;
     }
 
     return this.verify(token);

package/server/services/user.js

@@ -9,7 +9,7 @@
 const crypto = require('crypto');
 const bcrypt = require('bcryptjs');
 
-const { getAbsoluteServerUrl } = require('@strapi/utils');
+const { getAbsoluteServerUrl, sanitize } = require('@strapi/utils');
 const { getService } = require('../utils');
 
 module.exports = ({ strapi }) => ({
@@ -121,22 +121,28 @@ module.exports = ({ strapi }) => ({
   async sendConfirmationEmail(user) {
     const userPermissionService = getService('users-permissions');
     const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });
+    const userSchema = strapi.getModel('plugin::users-permissions.user');
 
     const settings = await pluginStore
       .get({ key: 'email' })
       .then(storeEmail => storeEmail['email_confirmation'].options);
 
+    // Sanitize the template's user information
+    const sanitizedUserInfo = await sanitize.sanitizers.defaultSanitizeOutput(userSchema, user);
+
     const confirmationToken = crypto.randomBytes(20).toString('hex');
 
     await this.edit({ id: user.id }, { confirmationToken });
 
     settings.message = await userPermissionService.template(settings.message, {
       URL: `${getAbsoluteServerUrl(strapi.config)}/auth/email-confirmation`,
-      USER: user,
+      USER: sanitizedUserInfo,
       CODE: confirmationToken,
     });
 
-    settings.object = await userPermissionService.template(settings.object, { USER: user });
+    settings.object = await userPermissionService.template(settings.object, {
+      USER: sanitizedUserInfo,
+    });
 
     // Send an email to the user.
     await strapi

package/server/strategies/users-permissions.js

@@ -10,9 +10,11 @@ const getAdvancedSettings = () => {
 };
 
 const authenticate = async ctx => {
-  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
-    try {
-      const { id } = await getService('jwt').getToken(ctx);
+  try {
+    const token = await getService('jwt').getToken(ctx);
+
+    if (token) {
+      const { id } = token;
 
       if (id === undefined) {
         return { authenticated: false };
@@ -41,25 +43,25 @@ const authenticate = async ctx => {
         authenticated: true,
         credentials: user,
       };
-    } catch (err) {
-      return { authenticated: false };
     }
-  }
 
-  const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
-    where: {
-      role: { type: 'public' },
-    },
-  });
+    const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
+      where: {
+        role: { type: 'public' },
+      },
+    });
+
+    if (publicPermissions.length === 0) {
+      return { authenticated: false };
+    }
 
-  if (publicPermissions.length === 0) {
+    return {
+      authenticated: true,
+      credentials: null,
+    };
+  } catch (err) {
     return { authenticated: false };
   }
-
-  return {
-    authenticated: true,
-    credentials: null,
-  };
 };
 
 const verify = async (auth, config) => {

package/server/controllers/user/api.js

@@ -1,125 +0,0 @@
-'use strict';
-
-const _ = require('lodash');
-const utils = require('@strapi/utils');
-const { getService } = require('../../utils');
-const { validateCreateUserBody, validateUpdateUserBody } = require('../validation/user');
-
-const { sanitize } = utils;
-const { ApplicationError, ValidationError } = utils.errors;
-
-const sanitizeOutput = (user, ctx) => {
-  const schema = strapi.getModel('plugin::users-permissions.user');
-  const { auth } = ctx.state;
-
-  return sanitize.contentAPI.output(user, schema, { auth });
-};
-
-module.exports = {
-  /**
-   * Create a/an user record.
-   * @return {Object}
-   */
-  async create(ctx) {
-    const advanced = await strapi
-      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
-      .get();
-
-    await validateCreateUserBody(ctx.request.body);
-
-    const { email, username, role } = ctx.request.body;
-
-    const userWithSameUsername = await strapi
-      .query('plugin::users-permissions.user')
-      .findOne({ where: { username } });
-
-    if (userWithSameUsername) {
-      if (!email) throw new ApplicationError('Username already taken');
-    }
-
-    if (advanced.unique_email) {
-      const userWithSameEmail = await strapi
-        .query('plugin::users-permissions.user')
-        .findOne({ where: { email: email.toLowerCase() } });
-
-      if (userWithSameEmail) {
-        throw new ApplicationError('Email already taken');
-      }
-    }
-
-    const user = {
-      ...ctx.request.body,
-      provider: 'local',
-    };
-
-    user.email = _.toLower(user.email);
-
-    if (!role) {
-      const defaultRole = await strapi
-        .query('plugin::users-permissions.role')
-        .findOne({ where: { type: advanced.default_role } });
-
-      user.role = defaultRole.id;
-    }
-
-    try {
-      const data = await getService('user').add(user);
-      const sanitizedData = await sanitizeOutput(data, ctx);
-
-      ctx.created(sanitizedData);
-    } catch (error) {
-      throw new ApplicationError(error.message);
-    }
-  },
-
-  /**
-   * Update a/an user record.
-   * @return {Object}
-   */
-  async update(ctx) {
-    const advancedConfigs = await strapi
-      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
-      .get();
-
-    const { id } = ctx.params;
-    const { email, username, password } = ctx.request.body;
-
-    const user = await getService('user').fetch({ id });
-
-    await validateUpdateUserBody(ctx.request.body);
-
-    if (user.provider === 'local' && _.has(ctx.request.body, 'password') && !password) {
-      throw new ValidationError('password.notNull');
-    }
-
-    if (_.has(ctx.request.body, 'username')) {
-      const userWithSameUsername = await strapi
-        .query('plugin::users-permissions.user')
-        .findOne({ where: { username } });
-
-      if (userWithSameUsername && userWithSameUsername.id != id) {
-        throw new ApplicationError('Username already taken');
-      }
-    }
-
-    if (_.has(ctx.request.body, 'email') && advancedConfigs.unique_email) {
-      const userWithSameEmail = await strapi
-        .query('plugin::users-permissions.user')
-        .findOne({ where: { email: email.toLowerCase() } });
-
-      if (userWithSameEmail && userWithSameEmail.id != id) {
-        throw new ApplicationError('Email already taken');
-      }
-      ctx.request.body.email = ctx.request.body.email.toLowerCase();
-    }
-
-    let updateData = {
-      ...ctx.request.body,
-    };
-
-    const data = await getService('user').edit({ id }, updateData);
-    const sanitizedData = await sanitizeOutput(data, ctx);
-
-    ctx.send(sanitizedData);
-  },
-};

package/server/controllers/validation/role.js

@@ -1,36 +0,0 @@
-'use strict';
-
-const { yup, validateYupSchema } = require('@strapi/utils');
-
-const createUserBodySchema = yup
-  .object()
-  .shape({
-    email: yup
-      .string()
-      .email()
-      .required(),
-    username: yup
-      .string()
-      .min(1)
-      .required(),
-    password: yup
-      .string()
-      .min(1)
-      .required(),
-    role: yup.strapiID(),
-  })
-  .noUnknown();
-
-const updateUserBodySchema = yup.object().shape({
-  email: yup
-    .string()
-    .email()
-    .min(1),
-  username: yup.string().min(1),
-  password: yup.string().min(1),
-});
-
-module.exports = {
-  validateCreateUserBody: validateYupSchema(createUserBodySchema),
-  validateUpdateUserBody: validateYupSchema(updateUserBodySchema),
-};