npm - @strapi/plugin-users-permissions - Versions diffs - 4.0.0-beta.2 → 4.0.0-beta.20 - Mend

@strapi/plugin-users-permissions 4.0.0-beta.2 → 4.0.0-beta.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

package/admin/src/components/BoundRoute/index.js +23 -27
package/admin/src/components/FormModal/Input/index.js +2 -2
package/admin/src/components/FormModal/index.js +10 -5
package/admin/src/components/Permissions/PermissionRow/CheckboxWrapper.js +1 -1
package/admin/src/components/Permissions/PermissionRow/SubCategory.js +12 -10
package/admin/src/components/Permissions/PermissionRow/index.js +1 -1
package/admin/src/components/Permissions/index.js +12 -8
package/admin/src/components/Policies/index.js +12 -9
package/admin/src/components/UsersPermissions/index.js +12 -15
package/admin/src/index.js +0 -8
package/admin/src/pages/AdvancedSettings/index.js +13 -13
package/admin/src/pages/EmailTemplates/components/EmailForm.js +10 -5
package/admin/src/pages/EmailTemplates/components/EmailTable.js +16 -16
package/admin/src/pages/EmailTemplates/index.js +3 -3
package/admin/src/pages/Providers/index.js +21 -21
package/admin/src/pages/Providers/utils/api.js +1 -1
package/admin/src/pages/Roles/CreatePage/index.js +13 -13
package/admin/src/pages/Roles/EditPage/index.js +23 -13
package/admin/src/pages/Roles/ListPage/components/TableBody.js +14 -10
package/admin/src/pages/Roles/ListPage/index.js +19 -25
package/documentation/1.0.0/overrides/users-permissions-User.json +7 -7
package/package.json +29 -30
package/server/bootstrap/index.js +17 -17
package/server/config.js +2 -2
package/server/content-types/permission/index.js +3 -0
package/server/content-types/role/index.js +3 -0
package/server/controllers/auth.js +73 -215
package/server/controllers/{user/admin.js → content-manager-user.js} +44 -75
package/server/controllers/index.js +2 -0
package/server/controllers/role.js +7 -7
package/server/controllers/settings.js +5 -4
package/server/controllers/user.js +118 -28
package/server/controllers/validation/auth.js +29 -0
package/server/controllers/validation/user.js +38 -0
package/server/middlewares/rateLimit.js +1 -1
package/server/routes/admin/role.js +5 -5
package/server/routes/admin/settings.js +6 -6
package/server/routes/content-api/auth.js +5 -7
package/server/services/jwt.js +9 -17
package/server/services/providers.js +13 -10
package/server/services/role.js +5 -10
package/server/services/user.js +8 -6
package/server/services/users-permissions.js +56 -45
package/server/strategies/users-permissions.js +23 -22
package/admin/src/assets/images/logo.svg +0 -1
package/server/controllers/user/api.js +0 -158

package/server/routes/admin/settings.js CHANGED Viewed

@@ -9,7 +9,7 @@ module.exports = [
       policies: [
         {
           name: 'admin::hasPermissions',
-          options: {
+          config: {
             actions: ['plugin::users-permissions.email-templates.read'],
           },
         },
@@ -24,7 +24,7 @@ module.exports = [
       policies: [
         {
           name: 'admin::hasPermissions',
-          options: {
+          config: {
             actions: ['plugin::users-permissions.email-templates.update'],
           },
         },
@@ -39,7 +39,7 @@ module.exports = [
       policies: [
         {
           name: 'admin::hasPermissions',
-          options: {
+          config: {
             actions: ['plugin::users-permissions.advanced-settings.read'],
           },
         },
@@ -54,7 +54,7 @@ module.exports = [
       policies: [
         {
           name: 'admin::hasPermissions',
-          options: {
+          config: {
             actions: ['plugin::users-permissions.advanced-settings.update'],
           },
         },
@@ -69,7 +69,7 @@ module.exports = [
       policies: [
         {
           name: 'admin::hasPermissions',
-          options: {
+          config: {
             actions: ['plugin::users-permissions.providers.read'],
           },
         },
@@ -85,7 +85,7 @@ module.exports = [
       policies: [
         {
           name: 'admin::hasPermissions',
-          options: {
+          config: {
             actions: ['plugin::users-permissions.providers.update'],
           },
         },

package/server/routes/content-api/auth.js CHANGED Viewed

@@ -1,14 +1,12 @@
 'use strict';
-const { rateLimit } = require('../../middlewares');
 module.exports = [
   {
     method: 'GET',
     path: '/connect/(.*)',
     handler: 'auth.connect',
     config: {
-      middlewares: [rateLimit],
+      middlewares: ['plugin::users-permissions.rateLimit'],
       prefix: '',
     },
   },
@@ -17,7 +15,7 @@ module.exports = [
     path: '/auth/local',
     handler: 'auth.callback',
     config: {
-      middlewares: [rateLimit],
+      middlewares: ['plugin::users-permissions.rateLimit'],
       prefix: '',
     },
   },
@@ -26,7 +24,7 @@ module.exports = [
     path: '/auth/local/register',
     handler: 'auth.register',
     config: {
-      middlewares: [rateLimit],
+      middlewares: ['plugin::users-permissions.rateLimit'],
       prefix: '',
     },
   },
@@ -43,7 +41,7 @@ module.exports = [
     path: '/auth/forgot-password',
     handler: 'auth.forgotPassword',
     config: {
-      middlewares: [rateLimit],
+      middlewares: ['plugin::users-permissions.rateLimit'],
       prefix: '',
     },
   },
@@ -52,7 +50,7 @@ module.exports = [
     path: '/auth/reset-password',
     handler: 'auth.resetPassword',
     config: {
-      middlewares: [rateLimit],
+      middlewares: ['plugin::users-permissions.rateLimit'],
       prefix: '',
     },
   },

package/server/services/jwt.js CHANGED Viewed

@@ -11,28 +11,20 @@ const jwt = require('jsonwebtoken');
 module.exports = ({ strapi }) => ({
   getToken(ctx) {
-    const params = _.assign({}, ctx.request.body, ctx.request.query);
-    let token = '';
+    let token;
     if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
-      const parts = ctx.request.header.authorization.split(' ');
+      const parts = ctx.request.header.authorization.split(/\s+/);
-      if (parts.length === 2) {
-        const scheme = parts[0];
-        const credentials = parts[1];
-        if (/^Bearer$/i.test(scheme)) {
-          token = credentials;
-        }
-      } else {
-        throw new Error(
-          'Invalid authorization header format. Format is Authorization: Bearer [token]'
-        );
+      if (parts[0].toLowerCase() !== 'bearer' || parts.length !== 2) {
+        return null;
       }
-    } else if (params.token) {
-      token = params.token;
+      token = parts[1];
+    } else if (ctx.query.access_token) {
+      token = ctx.query.access_token;
     } else {
-      throw new Error('No authorization header was found');
+      return null;
     }
     return this.verify(token);

package/server/services/providers.js CHANGED Viewed

@@ -7,6 +7,7 @@
 // Public node modules.
 const _ = require('lodash');
 const jwt = require('jsonwebtoken');
+const urlJoin = require('url-join');
 const { getAbsoluteServerUrl } = require('@strapi/utils');
@@ -27,7 +28,7 @@ module.exports = ({ strapi }) => {
   const getProfile = async (provider, query, callback) => {
     const access_token = query.access_token || query.code || query.oauth_token;
-    const grant = await strapi
+    const providers = await strapi
       .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
       .get();
@@ -200,8 +201,8 @@ module.exports = ({ strapi }) => {
         const twitter = purest({
           provider: 'twitter',
           config: purestConfig,
-          key: grant.twitter.key,
-          secret: grant.twitter.secret,
+          key: providers.twitter.key,
+          secret: providers.twitter.secret,
         });
         twitter
@@ -224,8 +225,8 @@ module.exports = ({ strapi }) => {
       case 'instagram': {
         const instagram = purest({
           provider: 'instagram',
-          key: grant.instagram.key,
-          secret: grant.instagram.secret,
+          key: providers.instagram.key,
+          secret: providers.instagram.secret,
           config: purestConfig,
         });
@@ -297,7 +298,7 @@ module.exports = ({ strapi }) => {
         twitch
           .get('users')
-          .auth(access_token, grant.twitch.key)
+          .auth(access_token, providers.twitch.key)
           .request((err, res, body) => {
             if (err) {
               callback(err);
@@ -402,7 +403,7 @@ module.exports = ({ strapi }) => {
       }
       case 'auth0': {
         const purestAuth0Conf = {};
-        purestAuth0Conf[`https://${grant.auth0.subdomain}.auth0.com`] = {
+        purestAuth0Conf[`https://${providers.auth0.subdomain}.auth0.com`] = {
           __domain: {
             auth: {
               auth: { bearer: '[0]' },
@@ -441,7 +442,7 @@ module.exports = ({ strapi }) => {
         break;
       }
       case 'cas': {
-        const provider_url = 'https://' + _.get(grant['cas'], 'subdomain');
+        const provider_url = 'https://' + _.get(providers.cas, 'subdomain');
         const cas = purest({
           provider: 'cas',
           config: {
@@ -586,8 +587,10 @@ module.exports = ({ strapi }) => {
     });
   };
-  const buildRedirectUri = (provider = '') =>
-    `${getAbsoluteServerUrl(strapi.config)}/api/connect/${provider}/callback`;
+  const buildRedirectUri = (provider = '') => {
+    const apiPrefix = strapi.config.get('api.rest.prefix');
+    return urlJoin(getAbsoluteServerUrl(strapi.config), apiPrefix, 'connect', provider, 'callback');
+  };
   return {
     connect,

package/server/services/role.js CHANGED Viewed

@@ -1,6 +1,7 @@
 'use strict';
 const _ = require('lodash');
+const { NotFoundError } = require('@strapi/utils').errors;
 const { getService } = require('../utils');
 module.exports = ({ strapi }) => ({
@@ -40,13 +41,13 @@ module.exports = ({ strapi }) => ({
     await Promise.all(createPromises);
   },
-  async getRole(roleID, plugins) {
+  async getRole(roleID) {
     const role = await strapi
       .query('plugin::users-permissions.role')
       .findOne({ where: { id: roleID }, populate: ['permissions'] });
     if (!role) {
-      throw new Error('Role not found');
+      throw new NotFoundError('Role not found');
     }
     const allActions = getService('users-permissions').getActions();
@@ -59,12 +60,6 @@ module.exports = ({ strapi }) => ({
         enabled: true,
         policy: '',
       });
-      if (permission.action.startsWith('plugin')) {
-        const [, pluginName] = type.split('::');
-        allActions[type].information = plugins.find(plugin => plugin.id === pluginName) || {};
-      }
     });
     return {
@@ -91,7 +86,7 @@ module.exports = ({ strapi }) => ({
       .findOne({ where: { id: roleID }, populate: ['permissions'] });
     if (!role) {
-      throw new Error('Role not found');
+      throw new NotFoundError('Role not found');
     }
     await strapi.query('plugin::users-permissions.role').update({
@@ -153,7 +148,7 @@ module.exports = ({ strapi }) => ({
       .findOne({ where: { id: roleID }, populate: ['users', 'permissions'] });
     if (!role) {
-      throw new Error('Role not found');
+      throw new NotFoundError('Role not found');
     }
     // Move users to guest role.

package/server/services/user.js CHANGED Viewed

@@ -9,7 +9,7 @@
 const crypto = require('crypto');
 const bcrypt = require('bcryptjs');
-const { sanitizeEntity, getAbsoluteServerUrl } = require('@strapi/utils');
+const { getAbsoluteServerUrl, sanitize } = require('@strapi/utils');
 const { getService } = require('../utils');
 module.exports = ({ strapi }) => ({
@@ -121,14 +121,14 @@ module.exports = ({ strapi }) => ({
   async sendConfirmationEmail(user) {
     const userPermissionService = getService('users-permissions');
     const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });
+    const userSchema = strapi.getModel('plugin::users-permissions.user');
     const settings = await pluginStore
       .get({ key: 'email' })
       .then(storeEmail => storeEmail['email_confirmation'].options);
-    const userInfo = sanitizeEntity(user, {
-      model: strapi.getModel('plugin::users-permissions.user'),
-    });
+    // Sanitize the template's user information
+    const sanitizedUserInfo = await sanitize.sanitizers.defaultSanitizeOutput(userSchema, user);
     const confirmationToken = crypto.randomBytes(20).toString('hex');
@@ -136,11 +136,13 @@ module.exports = ({ strapi }) => ({
     settings.message = await userPermissionService.template(settings.message, {
       URL: `${getAbsoluteServerUrl(strapi.config)}/auth/email-confirmation`,
-      USER: userInfo,
+      USER: sanitizedUserInfo,
       CODE: confirmationToken,
     });
-    settings.object = await userPermissionService.template(settings.object, { USER: userInfo });
+    settings.object = await userPermissionService.template(settings.object, {
+      USER: sanitizedUserInfo,
+    });
     // Send an email to the user.
     await strapi

package/server/services/users-permissions.js CHANGED Viewed

@@ -28,63 +28,74 @@ const transformRoutePrefixFor = pluginName => route => {
 };
 module.exports = ({ strapi }) => ({
-  getPlugins(lang = 'en') {
-    const request = require('request');
-    return new Promise(resolve => {
-      request(
-        {
-          uri: `https://marketplace.strapi.io/plugins?lang=${lang}`,
-          json: true,
-          timeout: 3000,
-          headers: {
-            'cache-control': 'max-age=3600',
-          },
-        },
-        (err, response, body) => {
-          if (err || response.statusCode !== 200) {
-            return resolve([]);
-          }
-          resolve(body);
-        }
-      );
-    });
-  },
-  // TODO: Filter on content-api only
   getActions({ defaultEnable = false } = {}) {
     const actionMap = {};
+    const isContentApi = action => {
+      if (!_.has(action, Symbol.for('__type__'))) {
+        return false;
+      }
+      return action[Symbol.for('__type__')].includes('content-api');
+    };
     _.forEach(strapi.api, (api, apiName) => {
-      const controllers = _.mapValues(api.controllers, controller => {
-        return _.mapValues(controller, () => {
-          return {
-            enabled: defaultEnable,
-            policy: '',
-          };
-        });
-      });
+      const controllers = _.reduce(
+        api.controllers,
+        (acc, controller, controllerName) => {
+          const contentApiActions = _.pickBy(controller, isContentApi);
+          if (_.isEmpty(contentApiActions)) {
+            return acc;
+          }
+          acc[controllerName] = _.mapValues(contentApiActions, () => {
+            return {
+              enabled: defaultEnable,
+              policy: '',
+            };
+          });
-      actionMap[`api::${apiName}`] = { controllers };
+          return acc;
+        },
+        {}
+      );
+      if (!_.isEmpty(controllers)) {
+        actionMap[`api::${apiName}`] = { controllers };
+      }
     });
     _.forEach(strapi.plugins, (plugin, pluginName) => {
-      const controllers = _.mapValues(plugin.controllers, controller => {
-        return _.mapValues(controller, () => {
-          return {
-            enabled: defaultEnable,
-            policy: '',
-          };
-        });
-      });
+      const controllers = _.reduce(
+        plugin.controllers,
+        (acc, controller, controllerName) => {
+          const contentApiActions = _.pickBy(controller, isContentApi);
+          if (_.isEmpty(contentApiActions)) {
+            return acc;
+          }
-      actionMap[`plugin::${pluginName}`] = { controllers };
+          acc[controllerName] = _.mapValues(contentApiActions, () => {
+            return {
+              enabled: defaultEnable,
+              policy: '',
+            };
+          });
+          return acc;
+        },
+        {}
+      );
+      if (!_.isEmpty(controllers)) {
+        actionMap[`plugin::${pluginName}`] = { controllers };
+      }
     });
     return actionMap;
   },
-  // TODO: Filter on content-api only
   async getRoutes() {
     const routesMap = {};
@@ -95,7 +106,7 @@ module.exports = ({ strapi }) => ({
         }
         return route;
-      });
+      }).filter(route => route.info.type === 'content-api');
       if (routes.length === 0) {
         return;
@@ -116,7 +127,7 @@ module.exports = ({ strapi }) => ({
         }
         return transformPrefix(route);
-      });
+      }).filter(route => route.info.type === 'content-api');
       if (routes.length === 0) {
         return;

package/server/strategies/users-permissions.js CHANGED Viewed

@@ -1,6 +1,7 @@
 'use strict';
 const { castArray, map } = require('lodash/fp');
+const { ForbiddenError, UnauthorizedError } = require('@strapi/utils').errors;
 const { getService } = require('../utils');
@@ -9,9 +10,11 @@ const getAdvancedSettings = () => {
 };
 const authenticate = async ctx => {
-  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
-    try {
-      const { id } = await getService('jwt').getToken(ctx);
+  try {
+    const token = await getService('jwt').getToken(ctx);
+    if (token) {
+      const { id } = token;
       if (id === undefined) {
         return { authenticated: false };
@@ -40,30 +43,28 @@ const authenticate = async ctx => {
         authenticated: true,
         credentials: user,
       };
-    } catch (err) {
-      return { authenticated: false };
     }
-  }
-  const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
-    where: {
-      role: { type: 'public' },
-    },
-  });
+    const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
+      where: {
+        role: { type: 'public' },
+      },
+    });
-  if (publicPermissions.length === 0) {
+    if (publicPermissions.length === 0) {
+      return { authenticated: false };
+    }
+    return {
+      authenticated: true,
+      credentials: null,
+    };
+  } catch (err) {
     return { authenticated: false };
   }
-  return {
-    authenticated: true,
-    credentials: null,
-  };
 };
 const verify = async (auth, config) => {
-  const { errors } = strapi.container.get('auth');
   const { credentials: user } = auth;
   // public accesss
@@ -79,13 +80,13 @@ const verify = async (auth, config) => {
     // A non authenticated user cannot access routes that do not have a scope
     if (!config.scope) {
-      throw new errors.UnauthorizedError();
+      throw new UnauthorizedError();
     }
     const isAllowed = castArray(config.scope).every(scope => allowedActions.includes(scope));
     if (!isAllowed) {
-      throw new errors.ForbiddenError();
+      throw new ForbiddenError();
     }
     return;
@@ -105,7 +106,7 @@ const verify = async (auth, config) => {
   const isAllowed = castArray(config.scope).every(scope => allowedActions.includes(scope));
   if (!isAllowed) {
-    throw new errors.ForbiddenError();
+    throw new ForbiddenError();
   }
   // TODO: if we need to keep policies for u&p execution

package/admin/src/assets/images/logo.svg DELETED Viewed

	@@ -1 +0,0 @@
1	- <svg width="24" height="24" xmlns="http://www.w3.org/2000/svg"><text transform="translate(-24 -6)" fill="#4B515A" fill-rule="evenodd" font-size="24" font-family="AppleColorEmoji, Apple Color Emoji"><tspan x="24" y="28">🔐</tspan></text></svg>