@strapi/plugin-users-permissions 4.0.0-next.1 → 4.0.0-next.13

package/server/content-types/role/index.js

@@ -0,0 +1,48 @@
+'use strict';
+
+module.exports = {
+  collectionName: 'up_roles',
+  info: {
+    name: 'role',
+    description: '',
+    singularName: 'role',
+    pluralName: 'roles',
+    displayName: 'Role',
+  },
+  pluginOptions: {
+    'content-manager': {
+      visible: false,
+    },
+  },
+  attributes: {
+    name: {
+      type: 'string',
+      minLength: 3,
+      required: true,
+      configurable: false,
+    },
+    description: {
+      type: 'string',
+      configurable: false,
+    },
+    type: {
+      type: 'string',
+      unique: true,
+      configurable: false,
+    },
+    permissions: {
+      type: 'relation',
+      relation: 'oneToMany',
+      target: 'plugin::users-permissions.permission',
+      mappedBy: 'role',
+      configurable: false,
+    },
+    users: {
+      type: 'relation',
+      relation: 'oneToMany',
+      target: 'plugin::users-permissions.user',
+      mappedBy: 'role',
+      configurable: false,
+    },
+  },
+};

package/server/content-types/user/index.js

@@ -0,0 +1,72 @@
+'use strict';
+
+const schemaConfig = require('./schema-config');
+
+module.exports = {
+  collectionName: 'up_users',
+  info: {
+    name: 'user',
+    description: '',
+    singularName: 'user',
+    pluralName: 'users',
+    displayName: 'User',
+  },
+  options: {
+    draftAndPublish: false,
+    timestamps: true,
+  },
+  attributes: {
+    username: {
+      type: 'string',
+      minLength: 3,
+      unique: true,
+      configurable: false,
+      required: true,
+    },
+    email: {
+      type: 'email',
+      minLength: 6,
+      configurable: false,
+      required: true,
+    },
+    provider: {
+      type: 'string',
+      configurable: false,
+    },
+    password: {
+      type: 'password',
+      minLength: 6,
+      configurable: false,
+      private: true,
+    },
+    resetPasswordToken: {
+      type: 'string',
+      configurable: false,
+      private: true,
+    },
+    confirmationToken: {
+      type: 'string',
+      configurable: false,
+      private: true,
+    },
+    confirmed: {
+      type: 'boolean',
+      default: false,
+      configurable: false,
+    },
+    blocked: {
+      type: 'boolean',
+      default: false,
+      configurable: false,
+    },
+    role: {
+      type: 'relation',
+      relation: 'manyToOne',
+      target: 'plugin::users-permissions.role',
+      inversedBy: 'users',
+      configurable: false,
+    },
+  },
+
+  config: schemaConfig, // TODO: to move to content-manager options
+};

package/{controllers → server/controllers}/auth.js

@@ -9,7 +9,6 @@
 /* eslint-disable no-useless-escape */
 const crypto = require('crypto');
 const _ = require('lodash');
-const grant = require('grant-koa');
 const { sanitizeEntity } = require('@strapi/utils');
 const { getService } = require('../utils');
 
@@ -23,11 +22,7 @@ module.exports = {
     const provider = ctx.params.provider || 'local';
     const params = ctx.request.body;
 
-    const store = await strapi.store({
-      environment: '',
-      type: 'plugin',
-      name: 'users-permissions',
-    });
+    const store = await strapi.store({ type: 'plugin', name: 'users-permissions' });
 
     if (provider === 'local') {
       if (!_.get(await store.get({ key: 'grant' }), 'email.enabled')) {
@@ -69,7 +64,7 @@ module.exports = {
       }
 
       // Check if the user exists.
-      const user = await strapi.query('plugins::users-permissions.user').findOne({ where: query });
+      const user = await strapi.query('plugin::users-permissions.user').findOne({ where: query });
 
       if (!user) {
         return ctx.badRequest(
@@ -116,9 +111,10 @@ module.exports = {
         );
       }
 
-      const validPassword = await strapi.plugins[
-        'users-permissions'
-      ].services.user.validatePassword(params.password, user.password);
+      const validPassword = await getService('user').validatePassword(
+        params.password,
+        user.password
+      );
 
       if (!validPassword) {
         return ctx.badRequest(
@@ -130,11 +126,11 @@ module.exports = {
         );
       } else {
         ctx.send({
-          jwt: strapi.plugins['users-permissions'].services.jwt.issue({
+          jwt: getService('jwt').issue({
             id: user.id,
           }),
-          user: sanitizeEntity(user.toJSON ? user.toJSON() : user, {
-            model: strapi.getModel('plugins::users-permissions.user'),
+          user: sanitizeEntity(user, {
+            model: strapi.getModel('plugin::users-permissions.user'),
           }),
         });
       }
@@ -153,10 +149,7 @@ module.exports = {
       let user;
       let error;
       try {
-        [user, error] = await strapi.plugins['users-permissions'].services.providers.connect(
-          provider,
-          ctx.query
-        );
+        [user, error] = await getService('providers').connect(provider, ctx.query);
       } catch ([user, error]) {
         return ctx.badRequest(null, error === 'array' ? error[0] : error);
       }
@@ -166,11 +159,9 @@ module.exports = {
       }
 
       ctx.send({
-        jwt: strapi.plugins['users-permissions'].services.jwt.issue({
-          id: user.id,
-        }),
-        user: sanitizeEntity(user.toJSON ? user.toJSON() : user, {
-          model: strapi.getModel('plugins::users-permissions.user'),
+        jwt: getService('jwt').issue({ id: user.id }),
+        user: sanitizeEntity(user, {
+          model: strapi.getModel('plugin::users-permissions.user'),
         }),
       });
     }
@@ -186,7 +177,7 @@ module.exports = {
       params.code
     ) {
       const user = await strapi
-        .query('plugins::users-permissions.user')
+        .query('plugin::users-permissions.user')
         .findOne({ where: { resetPasswordToken: `${params.code}` } });
 
       if (!user) {
@@ -203,15 +194,13 @@ module.exports = {
 
       // Update the user.
       await strapi
-        .query('plugins::users-permissions.user')
+        .query('plugin::users-permissions.user')
         .update({ where: { id: user.id }, data: { resetPasswordToken: null, password } });
 
       ctx.send({
-        jwt: strapi.plugins['users-permissions'].services.jwt.issue({
-          id: user.id,
-        }),
-        user: sanitizeEntity(user.toJSON ? user.toJSON() : user, {
-          model: strapi.getModel('plugins::users-permissions.user'),
+        jwt: getService('jwt').issue({ id: user.id }),
+        user: sanitizeEntity(user, {
+          model: strapi.getModel('plugin::users-permissions.user'),
         }),
       });
     } else if (
@@ -238,13 +227,10 @@ module.exports = {
   },
 
   async connect(ctx, next) {
+    const grant = require('grant-koa');
+
     const grantConfig = await strapi
-      .store({
-        environment: '',
-        type: 'plugin',
-        name: 'users-permissions',
-        key: 'grant',
-      })
+      .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
       .get();
 
     const [requestPath] = ctx.request.url.split('?');
@@ -262,9 +248,7 @@ module.exports = {
 
     // Ability to pass OAuth callback dynamically
     grantConfig[provider].callback = _.get(ctx, 'query.callback') || grantConfig[provider].callback;
-    grantConfig[provider].redirect_uri = strapi.plugins[
-      'users-permissions'
-    ].services.providers.buildRedirectUri(provider);
+    grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);
 
     return grant(grantConfig)(ctx, next);
   },
@@ -282,20 +266,16 @@ module.exports = {
         null,
         formatError({
           id: 'Auth.form.error.email.format',
-          message: 'Please provide valid email address.',
+          message: 'Please provide a valid email address.',
         })
       );
     }
 
-    const pluginStore = await strapi.store({
-      environment: '',
-      type: 'plugin',
-      name: 'users-permissions',
-    });
+    const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });
 
     // Find the user by email.
     const user = await strapi
-      .query('plugins::users-permissions.user')
+      .query('plugin::users-permissions.user')
       .findOne({ where: { email: email.toLowerCase() } });
 
     // User not found.
@@ -309,6 +289,17 @@ module.exports = {
       );
     }
 
+    // User blocked
+    if (user.blocked) {
+      return ctx.badRequest(
+        null,
+        formatError({
+          id: 'Auth.form.error.user.blocked',
+          message: 'This user is disabled.',
+        })
+      );
+    }
+
     // Generate random token.
     const resetPasswordToken = crypto.randomBytes(64).toString('hex');
 
@@ -325,7 +316,7 @@ module.exports = {
     });
 
     const userInfo = sanitizeEntity(user, {
-      model: strapi.getModel('plugins::users-permissions.user'),
+      model: strapi.getModel('plugin::users-permissions.user'),
     });
 
     settings.message = await getService('users-permissions').template(settings.message, {
@@ -340,35 +331,34 @@ module.exports = {
 
     try {
       // Send an email to the user.
-      await strapi.plugins['email'].services.email.send({
-        to: user.email,
-        from:
-          settings.from.email || settings.from.name
-            ? `${settings.from.name} <${settings.from.email}>`
-            : undefined,
-        replyTo: settings.response_email,
-        subject: settings.object,
-        text: settings.message,
-        html: settings.message,
-      });
+      await strapi
+        .plugin('email')
+        .service('email')
+        .send({
+          to: user.email,
+          from:
+            settings.from.email || settings.from.name
+              ? `${settings.from.name} <${settings.from.email}>`
+              : undefined,
+          replyTo: settings.response_email,
+          subject: settings.object,
+          text: settings.message,
+          html: settings.message,
+        });
     } catch (err) {
       return ctx.badRequest(null, err);
     }
 
     // Update the user.
     await strapi
-      .query('plugins::users-permissions.user')
+      .query('plugin::users-permissions.user')
       .update({ where: { id: user.id }, data: { resetPasswordToken } });
 
     ctx.send({ ok: true });
   },
 
   async register(ctx) {
-    const pluginStore = await strapi.store({
-      environment: '',
-      type: 'plugin',
-      name: 'users-permissions',
-    });
+    const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });
 
     const settings = await pluginStore.get({
       key: 'advanced',
@@ -424,7 +414,7 @@ module.exports = {
     }
 
     const role = await strapi
-      .query('plugins::users-permissions.role')
+      .query('plugin::users-permissions.role')
       .findOne({ where: { type: settings.default_role } });
 
     if (!role) {
@@ -455,7 +445,7 @@ module.exports = {
     params.role = role.id;
     params.password = await getService('user').hashPassword(params);
 
-    const user = await strapi.query('plugins::users-permissions.user').findOne({
+    const user = await strapi.query('plugin::users-permissions.user').findOne({
       where: { email: params.email },
     });
 
@@ -484,10 +474,10 @@ module.exports = {
         params.confirmed = true;
       }
 
-      const user = await strapi.query('plugins::users-permissions.user').create({ data: params });
+      const user = await strapi.query('plugin::users-permissions.user').create({ data: params });
 
       const sanitizedUser = sanitizeEntity(user, {
-        model: strapi.getModel('plugins::users-permissions.user'),
+        model: strapi.getModel('plugin::users-permissions.user'),
       });
 
       if (settings.email_confirmation) {
@@ -500,7 +490,7 @@ module.exports = {
         return ctx.send({ user: sanitizedUser });
       }
 
-      const jwt = strapi.plugins['users-permissions'].services.jwt.issue(_.pick(user, ['id']));
+      const jwt = getService('jwt').issue(_.pick(user, ['id']));
 
       return ctx.send({
         jwt,
@@ -521,7 +511,8 @@ module.exports = {
   async emailConfirmation(ctx, next, returnUser) {
     const { confirmation: confirmationToken } = ctx.query;
 
-    const { user: userService, jwt: jwtService } = strapi.plugins['users-permissions'].services;
+    const userService = getService('user');
+    const jwtService = getService('jwt');
 
     if (_.isEmpty(confirmationToken)) {
       return ctx.badRequest('token.invalid');
@@ -539,17 +530,12 @@ module.exports = {
       ctx.send({
         jwt: jwtService.issue({ id: user.id }),
         user: sanitizeEntity(user, {
-          model: strapi.getModel('plugins::users-permissions.user'),
+          model: strapi.getModel('plugin::users-permissions.user'),
         }),
       });
     } else {
       const settings = await strapi
-        .store({
-          environment: '',
-          type: 'plugin',
-          name: 'users-permissions',
-          key: 'advanced',
-        })
+        .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
         .get();
 
       ctx.redirect(settings.email_confirmation_redirection || '/');
@@ -571,7 +557,7 @@ module.exports = {
       return ctx.badRequest('wrong.email');
     }
 
-    const user = await strapi.query('plugins::users-permissions.user').findOne({
+    const user = await strapi.query('plugin::users-permissions.user').findOne({
       where: { email: params.email },
     });
 

package/server/controllers/index.js

@@ -0,0 +1,15 @@
+'use strict';
+
+const auth = require('./auth');
+const user = require('./user');
+const role = require('./role');
+const permissions = require('./permissions');
+const settings = require('./settings');
+
+module.exports = {
+  auth,
+  user,
+  role,
+  permissions,
+  settings,
+};

package/server/controllers/permissions.js

@@ -0,0 +1,26 @@
+'use strict';
+
+const _ = require('lodash');
+const { getService } = require('../utils');
+
+module.exports = {
+  async getPermissions(ctx) {
+    const permissions = await getService('users-permissions').getActions();
+
+    ctx.send({ permissions });
+  },
+
+  async getPolicies(ctx) {
+    const policies = _.keys(strapi.plugin('users-permissions').policies);
+
+    ctx.send({
+      policies: _.without(policies, 'permissions'),
+    });
+  },
+
+  async getRoutes(ctx) {
+    const routes = await getService('users-permissions').getRoutes();
+
+    ctx.send({ routes });
+  },
+};

package/server/controllers/role.js

@@ -0,0 +1,77 @@
+'use strict';
+
+const _ = require('lodash');
+const { getService } = require('../utils');
+
+module.exports = {
+  /**
+   * Default action.
+   *
+   * @return {Object}
+   */
+  async createRole(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      return ctx.badRequest('Request body cannot be empty');
+    }
+
+    await getService('role').createRole(ctx.request.body);
+
+    ctx.send({ ok: true });
+  },
+
+  async getRole(ctx) {
+    const { id } = ctx.params;
+    const { lang } = ctx.query;
+
+    const plugins = await getService('users-permissions').getPlugins(lang);
+    const role = await getService('role').getRole(id, plugins);
+
+    if (!role) {
+      return ctx.notFound();
+    }
+
+    ctx.send({ role });
+  },
+
+  async getRoles(ctx) {
+    const roles = await getService('role').getRoles();
+
+    ctx.send({ roles });
+  },
+
+  async updateRole(ctx) {
+    const roleID = ctx.params.role;
+
+    if (_.isEmpty(ctx.request.body)) {
+      return ctx.badRequest('Request body cannot be empty');
+    }
+
+    await getService('role').updateRole(roleID, ctx.request.body);
+
+    ctx.send({ ok: true });
+  },
+
+  async deleteRole(ctx) {
+    const roleID = ctx.params.role;
+
+    if (!roleID) {
+      return ctx.badRequest();
+    }
+
+    // Fetch public role.
+    const publicRole = await strapi
+      .query('plugin::users-permissions.role')
+      .findOne({ where: { type: 'public' } });
+
+    const publicRoleID = publicRole.id;
+
+    // Prevent from removing the public role.
+    if (roleID.toString() === publicRoleID.toString()) {
+      return ctx.badRequest('Cannot delete public role');
+    }
+
+    await getService('role').deleteRole(roleID, publicRoleID);
+
+    ctx.send({ ok: true });
+  },
+};

package/server/controllers/settings.js

@@ -0,0 +1,84 @@
+'use strict';
+
+const _ = require('lodash');
+const { getService } = require('../utils');
+const { isValidEmailTemplate } = require('./validation/email-template');
+
+module.exports = {
+  async getEmailTemplate(ctx) {
+    ctx.send(await strapi.store({ type: 'plugin', name: 'users-permissions', key: 'email' }).get());
+  },
+
+  async updateEmailTemplate(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      return ctx.badRequest('Request body cannot be empty');
+    }
+
+    const emailTemplates = ctx.request.body['email-templates'];
+
+    for (let key in emailTemplates) {
+      const template = emailTemplates[key].options.message;
+
+      if (!isValidEmailTemplate(template)) {
+        return ctx.badRequest('Invalid template');
+      }
+    }
+
+    await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'email' })
+      .set({ value: emailTemplates });
+
+    ctx.send({ ok: true });
+  },
+
+  async getAdvancedSettings(ctx) {
+    const settings = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+
+    const roles = await getService('role').getRoles();
+
+    ctx.send({ settings, roles });
+  },
+
+  async updateAdvancedSettings(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      return ctx.badRequest('Request body cannot be empty');
+    }
+
+    await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .set({ value: ctx.request.body });
+
+    ctx.send({ ok: true });
+  },
+
+  async getProviders(ctx) {
+    const providers = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
+      .get();
+
+    for (const provider in providers) {
+      if (provider !== 'email') {
+        providers[provider].redirectUri = strapi
+          .plugin('users-permissions')
+          .service('providers')
+          .buildRedirectUri(provider);
+      }
+    }
+
+    ctx.send(providers);
+  },
+
+  async updateProviders(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      return ctx.badRequest('Request body cannot be empty');
+    }
+
+    await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
+      .set({ value: ctx.request.body.providers });
+
+    ctx.send({ ok: true });
+  },
+};