@strapi/plugin-users-permissions 4.0.0-beta.2 → 4.0.0-beta.20

package/server/controllers/{user/admin.js → content-manager-user.js}

@@ -2,15 +2,16 @@
 
 const _ = require('lodash');
 const { contentTypes: contentTypesUtils } = require('@strapi/utils');
-
-const { getService } = require('../../utils');
+const {
+  ApplicationError,
+  ValidationError,
+  NotFoundError,
+  ForbiddenError,
+} = require('@strapi/utils').errors;
+const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
 const { UPDATED_BY_ATTRIBUTE, CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;
 
-const formatError = error => [
-  { messages: [{ id: error.id, message: error.message, field: error.field }] },
-];
-
 const userModel = 'plugin::users-permissions.user';
 const ACTIONS = {
   read: 'plugin::content-manager.explorer.read',
@@ -20,29 +21,24 @@ const ACTIONS = {
 };
 
 const findEntityAndCheckPermissions = async (ability, action, model, id) => {
-  const entity = await strapi.query('plugin::users-permissions.user').findOne({ where: { id } });
+  const entity = await strapi.query(userModel).findOne({
+    where: { id },
+    populate: [`${CREATED_BY_ATTRIBUTE}.roles`],
+  });
 
   if (_.isNil(entity)) {
-    throw strapi.errors.notFound();
+    throw new NotFoundError();
   }
 
   const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });
 
-  const roles = _.has(entity, `${CREATED_BY_ATTRIBUTE}.id`)
-    ? await strapi.query('admin::role').findMany({
-        where: {
-          users: { id: entity[CREATED_BY_ATTRIBUTE].id },
-        },
-      })
-    : [];
-
-  const entityWithRoles = _.set(_.cloneDeep(entity), `${CREATED_BY_ATTRIBUTE}.roles`, roles);
-
-  if (pm.ability.cannot(pm.action, pm.toSubject(entityWithRoles))) {
-    throw strapi.errors.forbidden();
+  if (pm.ability.cannot(pm.action, pm.toSubject(entity))) {
+    throw new ForbiddenError();
   }
 
-  return { pm, entity };
+  const entityWithoutCreatorRoles = _.omit(entity, `${CREATED_BY_ATTRIBUTE}.roles`);
+
+  return { pm, entity: entityWithoutCreatorRoles };
 };
 
 module.exports = {
@@ -54,7 +50,7 @@ module.exports = {
     const { body } = ctx.request;
     const { user: admin, userAbility } = ctx.state;
 
-    const { email, username, password } = body;
+    const { email, username } = body;
 
     const pm = strapi.admin.services.permission.createPermissionsManager({
       ability: userAbility,
@@ -63,32 +59,23 @@ module.exports = {
     });
 
     if (!pm.isAllowed) {
-      throw strapi.errors.forbidden();
+      return ctx.forbidden();
     }
 
-    const sanitizedBody = pm.pickPermittedFieldsOf(body, { subject: userModel });
+    const sanitizedBody = await pm.pickPermittedFieldsOf(body, { subject: userModel });
 
     const advanced = await strapi
       .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
       .get();
 
-    if (!email) return ctx.badRequest('missing.email');
-    if (!username) return ctx.badRequest('missing.username');
-    if (!password) return ctx.badRequest('missing.password');
+    await validateCreateUserBody(ctx.request.body);
 
     const userWithSameUsername = await strapi
       .query('plugin::users-permissions.user')
       .findOne({ where: { username } });
 
     if (userWithSameUsername) {
-      return ctx.badRequest(
-        null,
-        formatError({
-          id: 'Auth.form.error.username.taken',
-          message: 'Username already taken.',
-          field: ['username'],
-        })
-      );
+      throw new ApplicationError('Username already taken');
     }
 
     if (advanced.unique_email) {
@@ -97,15 +84,7 @@ module.exports = {
         .findOne({ where: { email: email.toLowerCase() } });
 
       if (userWithSameEmail) {
-        return ctx.badRequest(
-          null,
-
-          formatError({
-            id: 'Auth.form.error.email.taken',
-            message: 'Email already taken.',
-            field: ['email'],
-          })
-        );
+        throw new ApplicationError('Email already taken');
       }
     }
 
@@ -127,11 +106,14 @@ module.exports = {
     }
 
     try {
-      const data = await getService('user').add(user);
+      const data = await strapi
+        .service('plugin::content-manager.entity-manager')
+        .create(user, userModel);
+      const sanitizedData = await pm.sanitizeOutput(data, { action: ACTIONS.read });
 
-      ctx.created(pm.sanitize(data, { action: ACTIONS.read }));
+      ctx.created(sanitizedData);
     } catch (error) {
-      ctx.badRequest(null, formatError(error));
+      throw new ApplicationError(error.message);
     }
   },
   /**
@@ -150,23 +132,22 @@ module.exports = {
 
     const { email, username, password } = body;
 
-    const { pm, entity: user } = await findEntityAndCheckPermissions(
+    let pm;
+    let user;
+
+    const { pm: permissionManager, entity } = await findEntityAndCheckPermissions(
       userAbility,
       ACTIONS.edit,
       userModel,
       id
     );
+    pm = permissionManager;
+    user = entity;
 
-    if (_.has(body, 'email') && !email) {
-      return ctx.badRequest('email.notNull');
-    }
-
-    if (_.has(body, 'username') && !username) {
-      return ctx.badRequest('username.notNull');
-    }
+    await validateUpdateUserBody(ctx.request.body);
 
     if (_.has(body, 'password') && !password && user.provider === 'local') {
-      return ctx.badRequest('password.notNull');
+      throw new ValidationError('password.notNull');
     }
 
     if (_.has(body, 'username')) {
@@ -175,14 +156,7 @@ module.exports = {
         .findOne({ where: { username } });
 
       if (userWithSameUsername && userWithSameUsername.id != id) {
-        return ctx.badRequest(
-          null,
-          formatError({
-            id: 'Auth.form.error.username.taken',
-            message: 'username.alreadyTaken.',
-            field: ['username'],
-          })
-        );
+        throw new ApplicationError('Username already taken');
       }
     }
 
@@ -192,23 +166,18 @@ module.exports = {
         .findOne({ where: { email: _.toLower(email) } });
 
       if (userWithSameEmail && userWithSameEmail.id != id) {
-        return ctx.badRequest(
-          null,
-          formatError({
-            id: 'Auth.form.error.email.taken',
-            message: 'Email already taken',
-            field: ['email'],
-          })
-        );
+        throw new ApplicationError('Email already taken');
       }
       body.email = _.toLower(body.email);
     }
 
-    const sanitizedData = pm.pickPermittedFieldsOf(body, { subject: pm.toSubject(user) });
+    const sanitizedData = await pm.pickPermittedFieldsOf(body, { subject: pm.toSubject(user) });
     const updateData = _.omit({ ...sanitizedData, updatedBy: admin.id }, 'createdBy');
 
-    const data = await getService('user').edit({ id }, updateData);
+    const data = await strapi
+      .service('plugin::content-manager.entity-manager')
+      .update({ id }, updateData, userModel);
 
-    ctx.body = pm.sanitize(data, { action: ACTIONS.read });
+    ctx.body = await pm.sanitizeOutput(data, { action: ACTIONS.read });
   },
 };

package/server/controllers/index.js

@@ -5,6 +5,7 @@ const user = require('./user');
 const role = require('./role');
 const permissions = require('./permissions');
 const settings = require('./settings');
+const contentmanageruser = require('./content-manager-user');
 
 module.exports = {
   auth,
@@ -12,4 +13,5 @@ module.exports = {
   role,
   permissions,
   settings,
+  contentmanageruser,
 };

package/server/controllers/role.js

@@ -1,7 +1,9 @@
 'use strict';
 
 const _ = require('lodash');
+const { ApplicationError, ValidationError } = require('@strapi/utils').errors;
 const { getService } = require('../utils');
+const { validateDeleteRoleBody } = require('./validation/user');
 
 module.exports = {
   /**
@@ -11,7 +13,7 @@ module.exports = {
    */
   async createRole(ctx) {
     if (_.isEmpty(ctx.request.body)) {
-      return ctx.badRequest('Request body cannot be empty');
+      throw new ValidationError('Request body cannot be empty');
     }
 
     await getService('role').createRole(ctx.request.body);
@@ -21,10 +23,8 @@ module.exports = {
 
   async getRole(ctx) {
     const { id } = ctx.params;
-    const { lang } = ctx.query;
 
-    const plugins = await getService('users-permissions').getPlugins(lang);
-    const role = await getService('role').getRole(id, plugins);
+    const role = await getService('role').getRole(id);
 
     if (!role) {
       return ctx.notFound();
@@ -43,7 +43,7 @@ module.exports = {
     const roleID = ctx.params.role;
 
     if (_.isEmpty(ctx.request.body)) {
-      return ctx.badRequest('Request body cannot be empty');
+      throw new ValidationError('Request body cannot be empty');
     }
 
     await getService('role').updateRole(roleID, ctx.request.body);
@@ -55,7 +55,7 @@ module.exports = {
     const roleID = ctx.params.role;
 
     if (!roleID) {
-      return ctx.badRequest();
+      await validateDeleteRoleBody(ctx.params);
     }
 
     // Fetch public role.
@@ -67,7 +67,7 @@ module.exports = {
 
     // Prevent from removing the public role.
     if (roleID.toString() === publicRoleID.toString()) {
-      return ctx.badRequest('Cannot delete public role');
+      throw new ApplicationError('Cannot delete public role');
     }
 
     await getService('role').deleteRole(roleID, publicRoleID);

package/server/controllers/settings.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const _ = require('lodash');
+const { ValidationError } = require('@strapi/utils').errors;
 const { getService } = require('../utils');
 const { isValidEmailTemplate } = require('./validation/email-template');
 
@@ -11,7 +12,7 @@ module.exports = {
 
   async updateEmailTemplate(ctx) {
     if (_.isEmpty(ctx.request.body)) {
-      return ctx.badRequest('Request body cannot be empty');
+      throw new ValidationError('Request body cannot be empty');
     }
 
     const emailTemplates = ctx.request.body['email-templates'];
@@ -20,7 +21,7 @@ module.exports = {
       const template = emailTemplates[key].options.message;
 
       if (!isValidEmailTemplate(template)) {
-        return ctx.badRequest('Invalid template');
+        throw new ValidationError('Invalid template');
       }
     }
 
@@ -43,7 +44,7 @@ module.exports = {
 
   async updateAdvancedSettings(ctx) {
     if (_.isEmpty(ctx.request.body)) {
-      return ctx.badRequest('Request body cannot be empty');
+      throw new ValidationError('Request body cannot be empty');
     }
 
     await strapi
@@ -72,7 +73,7 @@ module.exports = {
 
   async updateProviders(ctx) {
     if (_.isEmpty(ctx.request.body)) {
-      return ctx.badRequest('Request body cannot be empty');
+      throw new ValidationError('Request body cannot be empty');
     }
 
     await strapi

package/server/controllers/user.js

@@ -7,38 +7,127 @@
  */
 
 const _ = require('lodash');
-const { sanitizeEntity } = require('@strapi/utils');
+const utils = require('@strapi/utils');
 const { getService } = require('../utils');
-const adminUserController = require('./user/admin');
-const apiUserController = require('./user/api');
+const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
-const sanitizeUser = user =>
-  sanitizeEntity(user, {
-    model: strapi.getModel('plugin::users-permissions.user'),
-  });
+const { sanitize } = utils;
+const { ApplicationError, ValidationError } = utils.errors;
 
-const resolveController = ctx => {
-  const {
-    state: { isAuthenticatedAdmin },
-  } = ctx;
+const sanitizeOutput = (user, ctx) => {
+  const schema = strapi.getModel('plugin::users-permissions.user');
+  const { auth } = ctx.state;
 
-  return isAuthenticatedAdmin ? adminUserController : apiUserController;
+  return sanitize.contentAPI.output(user, schema, { auth });
 };
 
-const resolveControllerMethod = method => ctx => {
-  const controller = resolveController(ctx);
-  const callbackFn = controller[method];
+module.exports = {
+  /**
+   * Create a/an user record.
+   * @return {Object}
+   */
+  async create(ctx) {
+    const advanced = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
 
-  if (!_.isFunction(callbackFn)) {
-    return ctx.notFound();
-  }
+    await validateCreateUserBody(ctx.request.body);
 
-  return callbackFn(ctx);
-};
+    const { email, username, role } = ctx.request.body;
 
-module.exports = {
-  create: resolveControllerMethod('create'),
-  update: resolveControllerMethod('update'),
+    const userWithSameUsername = await strapi
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { username } });
+
+    if (userWithSameUsername) {
+      if (!email) throw new ApplicationError('Username already taken');
+    }
+
+    if (advanced.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: email.toLowerCase() } });
+
+      if (userWithSameEmail) {
+        throw new ApplicationError('Email already taken');
+      }
+    }
+
+    const user = {
+      ...ctx.request.body,
+      provider: 'local',
+    };
+
+    user.email = _.toLower(user.email);
+
+    if (!role) {
+      const defaultRole = await strapi
+        .query('plugin::users-permissions.role')
+        .findOne({ where: { type: advanced.default_role } });
+
+      user.role = defaultRole.id;
+    }
+
+    try {
+      const data = await getService('user').add(user);
+      const sanitizedData = await sanitizeOutput(data, ctx);
+
+      ctx.created(sanitizedData);
+    } catch (error) {
+      throw new ApplicationError(error.message);
+    }
+  },
+
+  /**
+   * Update a/an user record.
+   * @return {Object}
+   */
+  async update(ctx) {
+    const advancedConfigs = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+
+    const { id } = ctx.params;
+    const { email, username, password } = ctx.request.body;
+
+    const user = await getService('user').fetch({ id });
+
+    await validateUpdateUserBody(ctx.request.body);
+
+    if (user.provider === 'local' && _.has(ctx.request.body, 'password') && !password) {
+      throw new ValidationError('password.notNull');
+    }
+
+    if (_.has(ctx.request.body, 'username')) {
+      const userWithSameUsername = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { username } });
+
+      if (userWithSameUsername && userWithSameUsername.id != id) {
+        throw new ApplicationError('Username already taken');
+      }
+    }
+
+    if (_.has(ctx.request.body, 'email') && advancedConfigs.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: email.toLowerCase() } });
+
+      if (userWithSameEmail && userWithSameEmail.id != id) {
+        throw new ApplicationError('Email already taken');
+      }
+      ctx.request.body.email = ctx.request.body.email.toLowerCase();
+    }
+
+    let updateData = {
+      ...ctx.request.body,
+    };
+
+    const data = await getService('user').edit({ id }, updateData);
+    const sanitizedData = await sanitizeOutput(data, ctx);
+
+    ctx.send(sanitizedData);
+  },
 
   /**
    * Retrieve user records.
@@ -47,7 +136,7 @@ module.exports = {
   async find(ctx, next, { populate } = {}) {
     const users = await getService('user').fetchAll(ctx.query, populate);
 
-    ctx.body = users.map(sanitizeUser);
+    ctx.body = await Promise.all(users.map(user => sanitizeOutput(user, ctx)));
   },
 
   /**
@@ -59,7 +148,7 @@ module.exports = {
     let data = await getService('user').fetch({ id });
 
     if (data) {
-      data = sanitizeUser(data);
+      data = await sanitizeOutput(data, ctx);
     }
 
     ctx.body = data;
@@ -81,8 +170,9 @@ module.exports = {
     const { id } = ctx.params;
 
     const data = await getService('user').remove({ id });
+    const sanitizedUser = await sanitizeOutput(data, ctx);
 
-    ctx.send(sanitizeUser(data));
+    ctx.send(sanitizedUser);
   },
 
   /**
@@ -93,9 +183,9 @@ module.exports = {
     const user = ctx.state.user;
 
     if (!user) {
-      return ctx.badRequest('Unauthenticated request');
+      return ctx.unauthorized();
     }
 
-    ctx.body = sanitizeUser(user);
+    ctx.body = await sanitizeOutput(user, ctx);
   },
 };

package/server/controllers/validation/auth.js

@@ -0,0 +1,29 @@
+'use strict';
+
+const { yup, validateYupSchema } = require('@strapi/utils');
+
+const callbackBodySchema = yup.object().shape({
+  identifier: yup.string().required(),
+  password: yup.string().required(),
+});
+
+const registerBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .required(),
+  password: yup.string().required(),
+});
+
+const sendEmailConfirmationBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .required(),
+});
+
+module.exports = {
+  validateCallbackBody: validateYupSchema(callbackBodySchema),
+  validateRegisterBody: validateYupSchema(registerBodySchema),
+  validateSendEmailConfirmationBody: validateYupSchema(sendEmailConfirmationBodySchema),
+};

package/server/controllers/validation/user.js

@@ -0,0 +1,38 @@
+'use strict';
+
+const { yup, validateYupSchema } = require('@strapi/utils');
+
+const deleteRoleSchema = yup.object().shape({
+  role: yup.strapiID().required(),
+});
+
+const createUserBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .required(),
+  username: yup
+    .string()
+    .min(1)
+    .required(),
+  password: yup
+    .string()
+    .min(1)
+    .required(),
+  role: yup.strapiID(),
+});
+
+const updateUserBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .min(1),
+  username: yup.string().min(1),
+  password: yup.string().min(1),
+});
+
+module.exports = {
+  validateCreateUserBody: validateYupSchema(createUserBodySchema),
+  validateUpdateUserBody: validateYupSchema(updateUserBodySchema),
+  validateDeleteRoleBody: validateYupSchema(deleteRoleSchema),
+};

package/server/middlewares/rateLimit.js

@@ -1,6 +1,6 @@
 'use strict';
 
-module.exports = async (ctx, next) => {
+module.exports = (config, { strapi }) => async (ctx, next) => {
   const ratelimit = require('koa2-ratelimit').RateLimit;
 
   const message = [

package/server/routes/admin/role.js

@@ -9,7 +9,7 @@ module.exports = [
       policies: [
         {
           name: 'admin::hasPermissions',
-          options: {
+          config: {
             actions: ['plugin::users-permissions.roles.read'],
           },
         },
@@ -24,7 +24,7 @@ module.exports = [
       policies: [
         {
           name: 'admin::hasPermissions',
-          options: {
+          config: {
             actions: ['plugin::users-permissions.roles.read'],
           },
         },
@@ -39,7 +39,7 @@ module.exports = [
       policies: [
         {
           name: 'admin::hasPermissions',
-          options: {
+          config: {
             actions: ['plugin::users-permissions.roles.create'],
           },
         },
@@ -54,7 +54,7 @@ module.exports = [
       policies: [
         {
           name: 'admin::hasPermissions',
-          options: {
+          config: {
             actions: ['plugin::users-permissions.roles.update'],
           },
         },
@@ -69,7 +69,7 @@ module.exports = [
       policies: [
         {
           name: 'admin::hasPermissions',
-          options: {
+          config: {
             actions: ['plugin::users-permissions.roles.delete'],
           },
         },