npm - @strapi/plugin-users-permissions - Versions diffs - 4.0.0-next.6 → 4.0.0 - Mend

@strapi/plugin-users-permissions 4.0.0-next.6 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (196) hide show

package/admin/src/components/BoundRoute/getMethodColor.js +41 -0
package/admin/src/components/BoundRoute/index.js +40 -24
package/admin/src/components/FormModal/Input/index.js +121 -0
package/admin/src/components/FormModal/index.js +123 -0
package/admin/src/components/Permissions/PermissionRow/CheckboxWrapper.js +19 -26
package/admin/src/components/Permissions/PermissionRow/SubCategory.js +118 -0
package/admin/src/components/Permissions/PermissionRow/index.js +9 -48
package/admin/src/components/Permissions/index.js +36 -24
package/admin/src/components/Permissions/init.js +1 -6
package/admin/src/components/Policies/index.js +46 -47
package/admin/src/components/UsersPermissions/index.js +29 -26
package/admin/src/components/UsersPermissions/init.js +1 -2
package/admin/src/hooks/useFetchRole/index.js +17 -7
package/admin/src/hooks/useForm/index.js +3 -29
package/admin/src/hooks/useForm/reducer.js +2 -21
package/admin/src/hooks/usePlugins/index.js +12 -21
package/admin/src/hooks/usePlugins/reducer.js +0 -3
package/admin/src/index.js +29 -34
package/admin/src/pages/AdvancedSettings/index.js +210 -193
package/admin/src/pages/AdvancedSettings/utils/api.js +13 -0
package/admin/src/pages/AdvancedSettings/utils/layout.js +96 -0
package/admin/src/pages/AdvancedSettings/utils/schema.js +22 -0
package/admin/src/pages/EmailTemplates/components/EmailForm.js +173 -0
package/admin/src/pages/EmailTemplates/components/EmailTable.js +116 -0
package/admin/src/pages/EmailTemplates/index.js +125 -198
package/admin/src/pages/EmailTemplates/utils/api.js +13 -0
package/admin/src/pages/Providers/index.js +208 -216
package/admin/src/pages/Providers/utils/api.js +21 -0
package/admin/src/pages/Providers/utils/forms.js +168 -126
package/admin/src/pages/Roles/CreatePage/index.js +155 -147
package/admin/src/pages/Roles/EditPage/index.js +162 -134
package/admin/src/pages/Roles/ListPage/components/TableBody.js +96 -0
package/admin/src/pages/Roles/ListPage/index.js +176 -156
package/admin/src/pages/Roles/ListPage/utils/api.js +28 -0
package/admin/src/pages/Roles/index.js +14 -8
package/admin/src/permissions.js +12 -14
package/admin/src/translations/ar.json +0 -8
package/admin/src/translations/cs.json +0 -8
package/admin/src/translations/de.json +0 -8
package/admin/src/translations/dk.json +0 -8
package/admin/src/translations/en.json +33 -12
package/admin/src/translations/es.json +0 -8
package/admin/src/translations/fr.json +0 -8
package/admin/src/translations/id.json +0 -8
package/admin/src/translations/it.json +0 -8
package/admin/src/translations/ja.json +0 -8
package/admin/src/translations/ko.json +0 -8
package/admin/src/translations/ms.json +0 -8
package/admin/src/translations/nl.json +0 -8
package/admin/src/translations/pl.json +0 -8
package/admin/src/translations/pt-BR.json +0 -8
package/admin/src/translations/pt.json +0 -8
package/admin/src/translations/ru.json +0 -8
package/admin/src/translations/sk.json +0 -8
package/admin/src/translations/sv.json +0 -8
package/admin/src/translations/th.json +0 -8
package/admin/src/translations/tr.json +0 -8
package/admin/src/translations/uk.json +0 -8
package/admin/src/translations/vi.json +0 -8
package/admin/src/translations/zh-Hans.json +5 -14
package/admin/src/translations/zh.json +0 -8
package/admin/src/utils/axiosInstance.js +36 -0
package/admin/src/utils/formatPluginName.js +26 -0
package/admin/src/utils/index.js +1 -0
package/documentation/1.0.0/overrides/users-permissions-Role.json +6 -6
package/documentation/1.0.0/overrides/users-permissions-User.json +7 -7
package/package.json +30 -29
package/{config/functions/bootstrap.js → server/bootstrap/index.js} +26 -33
package/{config → server/bootstrap}/users-permissions-actions.js +0 -0
package/server/config.js +23 -0
package/server/content-types/index.js +11 -0
package/server/content-types/permission/index.js +34 -0
package/server/content-types/role/index.js +51 -0
package/server/content-types/user/index.js +72 -0
package/{models/User.config.js → server/content-types/user/schema-config.js} +0 -0
package/server/controllers/auth.js +440 -0
package/server/controllers/content-manager-user.js +183 -0
package/server/controllers/index.js +17 -0
package/server/controllers/permissions.js +26 -0
package/server/controllers/role.js +77 -0
package/server/controllers/settings.js +85 -0
package/server/controllers/user.js +191 -0
package/server/controllers/validation/auth.js +29 -0
package/{controllers → server/controllers}/validation/email-template.js +0 -0
package/server/controllers/validation/user.js +38 -0
package/server/graphql/index.js +44 -0
package/server/graphql/mutations/auth/email-confirmation.js +39 -0
package/server/graphql/mutations/auth/forgot-password.js +38 -0
package/server/graphql/mutations/auth/login.js +38 -0
package/server/graphql/mutations/auth/register.js +39 -0
package/server/graphql/mutations/auth/reset-password.js +41 -0
package/server/graphql/mutations/crud/role/create-role.js +37 -0
package/server/graphql/mutations/crud/role/delete-role.js +28 -0
package/server/graphql/mutations/crud/role/update-role.js +38 -0
package/server/graphql/mutations/crud/user/create-user.js +48 -0
package/server/graphql/mutations/crud/user/delete-user.js +42 -0
package/server/graphql/mutations/crud/user/update-user.js +49 -0
package/server/graphql/mutations/index.js +42 -0
package/server/graphql/queries/index.js +13 -0
package/server/graphql/queries/me.js +17 -0
package/server/graphql/resolvers-configs.js +37 -0
package/server/graphql/types/create-role-payload.js +11 -0
package/server/graphql/types/delete-role-payload.js +11 -0
package/server/graphql/types/index.js +21 -0
package/server/graphql/types/login-input.js +13 -0
package/server/graphql/types/login-payload.js +12 -0
package/server/graphql/types/me-role.js +14 -0
package/server/graphql/types/me.js +16 -0
package/server/graphql/types/password-payload.js +11 -0
package/server/graphql/types/register-input.js +13 -0
package/server/graphql/types/update-role-payload.js +11 -0
package/server/graphql/utils.js +27 -0
package/server/index.js +21 -0
package/server/middlewares/index.js +7 -0
package/{config/policies → server/middlewares}/rateLimit.js +4 -8
package/server/register.js +11 -0
package/server/routes/admin/index.js +10 -0
package/server/routes/admin/permissions.js +20 -0
package/server/routes/admin/role.js +79 -0
package/server/routes/admin/settings.js +95 -0
package/server/routes/content-api/auth.js +73 -0
package/server/routes/content-api/index.js +11 -0
package/server/routes/content-api/permissions.js +9 -0
package/server/routes/content-api/role.js +29 -0
package/server/routes/content-api/user.js +61 -0
package/server/routes/index.js +6 -0
package/server/services/index.js +15 -0
package/server/services/jwt.js +55 -0
package/server/services/providers.js +599 -0
package/server/services/role.js +177 -0
package/{services → server/services}/user.js +32 -35
package/server/services/users-permissions.js +233 -0
package/server/strategies/users-permissions.js +123 -0
package/{utils → server/utils}/index.d.ts +6 -1
package/server/utils/index.js +9 -0
package/strapi-admin.js +3 -0
package/strapi-server.js +3 -0
package/admin/src/assets/images/logo.svg +0 -1
package/admin/src/components/BaselineAlignement/index.js +0 -33
package/admin/src/components/Bloc/index.js +0 -10
package/admin/src/components/BoundRoute/Components.js +0 -78
package/admin/src/components/ContainerFluid/index.js +0 -13
package/admin/src/components/FormBloc/index.js +0 -61
package/admin/src/components/IntlInput/index.js +0 -38
package/admin/src/components/ListBaselineAlignment/index.js +0 -8
package/admin/src/components/ListRow/Components.js +0 -74
package/admin/src/components/ListRow/index.js +0 -35
package/admin/src/components/ModalForm/Wrapper.js +0 -12
package/admin/src/components/ModalForm/index.js +0 -59
package/admin/src/components/Permissions/ListWrapper.js +0 -9
package/admin/src/components/Permissions/PermissionRow/BaselineAlignment.js +0 -7
package/admin/src/components/Permissions/PermissionRow/RowStyle.js +0 -28
package/admin/src/components/Permissions/PermissionRow/SubCategory/ConditionsButtonWrapper.js +0 -13
package/admin/src/components/Permissions/PermissionRow/SubCategory/PolicyWrapper.js +0 -8
package/admin/src/components/Permissions/PermissionRow/SubCategory/SubCategoryWrapper.js +0 -26
package/admin/src/components/Permissions/PermissionRow/SubCategory/index.js +0 -116
package/admin/src/components/Policies/Components.js +0 -26
package/admin/src/components/PrefixedIcon/index.js +0 -27
package/admin/src/components/Roles/EmptyRole/BaselineAlignment.js +0 -7
package/admin/src/components/Roles/EmptyRole/index.js +0 -27
package/admin/src/components/Roles/RoleListWrapper/index.js +0 -17
package/admin/src/components/Roles/RoleRow/RoleDescription.js +0 -9
package/admin/src/components/Roles/RoleRow/index.js +0 -45
package/admin/src/components/Roles/index.js +0 -3
package/admin/src/components/SizedInput/index.js +0 -24
package/admin/src/pages/AdvancedSettings/reducer.js +0 -65
package/admin/src/pages/AdvancedSettings/utils/form.js +0 -52
package/admin/src/pages/EmailTemplates/CustomTextInput.js +0 -105
package/admin/src/pages/EmailTemplates/Wrapper.js +0 -36
package/admin/src/pages/EmailTemplates/reducer.js +0 -58
package/admin/src/pages/EmailTemplates/utils/forms.js +0 -81
package/admin/src/pages/Roles/ListPage/BaselineAlignment.js +0 -8
package/config/layout.js +0 -10
package/config/policies/isAuthenticated.js +0 -9
package/config/policies/permissions.js +0 -94
package/config/request.json +0 -6
package/config/routes.json +0 -381
package/config/schema.graphql.js +0 -284
package/config/security.json +0 -5
package/controllers/auth.js +0 -596
package/controllers/user/admin.js +0 -230
package/controllers/user/api.js +0 -174
package/controllers/user.js +0 -117
package/controllers/users-permissions.js +0 -271
package/middlewares/users-permissions/defaults.json +0 -5
package/middlewares/users-permissions/index.js +0 -40
package/models/Permission.js +0 -7
package/models/Permission.settings.json +0 -45
package/models/Role.js +0 -7
package/models/Role.settings.json +0 -43
package/models/User.js +0 -7
package/models/User.settings.json +0 -63
package/services/jwt.js +0 -65
package/services/providers.js +0 -598
package/services/users-permissions.js +0 -429
package/utils/index.js +0 -11

package/server/controllers/auth.js ADDED Viewed

@@ -0,0 +1,440 @@
+'use strict';
+/**
+ * Auth.js controller
+ *
+ * @description: A set of functions called "actions" for managing `Auth`.
+ */
+/* eslint-disable no-useless-escape */
+const crypto = require('crypto');
+const _ = require('lodash');
+const utils = require('@strapi/utils');
+const { getService } = require('../utils');
+const {
+  validateCallbackBody,
+  validateRegisterBody,
+  validateSendEmailConfirmationBody,
+} = require('./validation/auth');
+const { sanitize } = utils;
+const { ApplicationError, ValidationError } = utils.errors;
+const emailRegExp = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
+const sanitizeUser = (user, ctx) => {
+  const { auth } = ctx.state;
+  const userSchema = strapi.getModel('plugin::users-permissions.user');
+  return sanitize.contentAPI.output(user, userSchema, { auth });
+};
+module.exports = {
+  async callback(ctx) {
+    const provider = ctx.params.provider || 'local';
+    const params = ctx.request.body;
+    const store = await strapi.store({ type: 'plugin', name: 'users-permissions' });
+    if (provider === 'local') {
+      if (!_.get(await store.get({ key: 'grant' }), 'email.enabled')) {
+        throw new ApplicationError('This provider is disabled');
+      }
+      await validateCallbackBody(params);
+      const query = { provider };
+      // Check if the provided identifier is an email or not.
+      const isEmail = emailRegExp.test(params.identifier);
+      // Set the identifier to the appropriate query field.
+      if (isEmail) {
+        query.email = params.identifier.toLowerCase();
+      } else {
+        query.username = params.identifier;
+      }
+      // Check if the user exists.
+      const user = await strapi.query('plugin::users-permissions.user').findOne({ where: query });
+      if (!user) {
+        throw new ValidationError('Invalid identifier or password');
+      }
+      if (
+        _.get(await store.get({ key: 'advanced' }), 'email_confirmation') &&
+        user.confirmed !== true
+      ) {
+        throw new ApplicationError('Your account email is not confirmed');
+      }
+      if (user.blocked === true) {
+        throw new ApplicationError('Your account has been blocked by an administrator');
+      }
+      // The user never authenticated with the `local` provider.
+      if (!user.password) {
+        throw new ApplicationError(
+          'This user never set a local password, please login with the provider used during account creation'
+        );
+      }
+      const validPassword = await getService('user').validatePassword(
+        params.password,
+        user.password
+      );
+      if (!validPassword) {
+        throw new ValidationError('Invalid identifier or password');
+      } else {
+        ctx.send({
+          jwt: getService('jwt').issue({
+            id: user.id,
+          }),
+          user: await sanitizeUser(user, ctx),
+        });
+      }
+    } else {
+      if (!_.get(await store.get({ key: 'grant' }), [provider, 'enabled'])) {
+        throw new ApplicationError('This provider is disabled');
+      }
+      // Connect the user with the third-party provider.
+      let user;
+      let error;
+      try {
+        [user, error] = await getService('providers').connect(provider, ctx.query);
+      } catch ([user, error]) {
+        throw new ApplicationError(error.message);
+      }
+      if (!user) {
+        throw new ApplicationError(error.message);
+      }
+      ctx.send({
+        jwt: getService('jwt').issue({ id: user.id }),
+        user: await sanitizeUser(user, ctx),
+      });
+    }
+  },
+  async resetPassword(ctx) {
+    const params = _.assign({}, ctx.request.body, ctx.params);
+    if (
+      params.password &&
+      params.passwordConfirmation &&
+      params.password === params.passwordConfirmation &&
+      params.code
+    ) {
+      const user = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { resetPasswordToken: `${params.code}` } });
+      if (!user) {
+        throw new ValidationError('Incorrect code provided');
+      }
+      const password = await getService('user').hashPassword({ password: params.password });
+      // Update the user.
+      await strapi
+        .query('plugin::users-permissions.user')
+        .update({ where: { id: user.id }, data: { resetPasswordToken: null, password } });
+      ctx.send({
+        jwt: getService('jwt').issue({ id: user.id }),
+        user: await sanitizeUser(user, ctx),
+      });
+    } else if (
+      params.password &&
+      params.passwordConfirmation &&
+      params.password !== params.passwordConfirmation
+    ) {
+      throw new ValidationError('Passwords do not match');
+    } else {
+      throw new ValidationError('Incorrect params provided');
+    }
+  },
+  async connect(ctx, next) {
+    const grant = require('grant-koa');
+    const providers = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
+      .get();
+    const apiPrefix = strapi.config.get('api.rest.prefix');
+    const grantConfig = {
+      defaults: {
+        prefix: `${apiPrefix}/connect`,
+      },
+      ...providers,
+    };
+    const [requestPath] = ctx.request.url.split('?');
+    const provider = requestPath.split('/connect/')[1].split('/')[0];
+    if (!_.get(grantConfig[provider], 'enabled')) {
+      throw new ApplicationError('This provider is disabled');
+    }
+    if (!strapi.config.server.url.startsWith('http')) {
+      strapi.log.warn(
+        'You are using a third party provider for login. Make sure to set an absolute url in config/server.js. More info here: https://docs.strapi.io/developer-docs/latest/plugins/users-permissions.html#setting-up-the-server-url'
+      );
+    }
+    // Ability to pass OAuth callback dynamically
+    grantConfig[provider].callback = _.get(ctx, 'query.callback') || grantConfig[provider].callback;
+    grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);
+    return grant(grantConfig)(ctx, next);
+  },
+  async forgotPassword(ctx) {
+    let { email } = ctx.request.body;
+    // Check if the provided email is valid or not.
+    const isEmail = emailRegExp.test(email);
+    if (isEmail) {
+      email = email.toLowerCase();
+    } else {
+      throw new ValidationError('Please provide a valid email address');
+    }
+    const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });
+    // Find the user by email.
+    const user = await strapi
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { email: email.toLowerCase() } });
+    // User not found.
+    if (!user) {
+      throw new ApplicationError('This email does not exist');
+    }
+    // User blocked
+    if (user.blocked) {
+      throw new ApplicationError('This user is disabled');
+    }
+    // Generate random token.
+    const resetPasswordToken = crypto.randomBytes(64).toString('hex');
+    const settings = await pluginStore.get({ key: 'email' }).then(storeEmail => {
+      try {
+        return storeEmail['reset_password'].options;
+      } catch (error) {
+        return {};
+      }
+    });
+    const advanced = await pluginStore.get({
+      key: 'advanced',
+    });
+    const userInfo = await sanitizeUser(user, ctx);
+    settings.message = await getService('users-permissions').template(settings.message, {
+      URL: advanced.email_reset_password,
+      USER: userInfo,
+      TOKEN: resetPasswordToken,
+    });
+    settings.object = await getService('users-permissions').template(settings.object, {
+      USER: userInfo,
+    });
+    try {
+      // Send an email to the user.
+      await strapi
+        .plugin('email')
+        .service('email')
+        .send({
+          to: user.email,
+          from:
+            settings.from.email || settings.from.name
+              ? `${settings.from.name} <${settings.from.email}>`
+              : undefined,
+          replyTo: settings.response_email,
+          subject: settings.object,
+          text: settings.message,
+          html: settings.message,
+        });
+    } catch (err) {
+      throw new ApplicationError(err.message);
+    }
+    // Update the user.
+    await strapi
+      .query('plugin::users-permissions.user')
+      .update({ where: { id: user.id }, data: { resetPasswordToken } });
+    ctx.send({ ok: true });
+  },
+  async register(ctx) {
+    const pluginStore = await strapi.store({ type: 'plugin', name: 'users-permissions' });
+    const settings = await pluginStore.get({
+      key: 'advanced',
+    });
+    if (!settings.allow_register) {
+      throw new ApplicationError('Register action is currently disabled');
+    }
+    const params = {
+      ..._.omit(ctx.request.body, ['confirmed', 'confirmationToken', 'resetPasswordToken']),
+      provider: 'local',
+    };
+    await validateRegisterBody(params);
+    // Throw an error if the password selected by the user
+    // contains more than three times the symbol '$'.
+    if (getService('user').isHashed(params.password)) {
+      throw new ValidationError(
+        'Your password cannot contain more than three times the symbol `$`'
+      );
+    }
+    const role = await strapi
+      .query('plugin::users-permissions.role')
+      .findOne({ where: { type: settings.default_role } });
+    if (!role) {
+      throw new ApplicationError('Impossible to find the default role');
+    }
+    // Check if the provided email is valid or not.
+    const isEmail = emailRegExp.test(params.email);
+    if (isEmail) {
+      params.email = params.email.toLowerCase();
+    } else {
+      throw new ValidationError('Please provide a valid email address');
+    }
+    params.role = role.id;
+    params.password = await getService('user').hashPassword(params);
+    const user = await strapi.query('plugin::users-permissions.user').findOne({
+      where: { email: params.email },
+    });
+    if (user && user.provider === params.provider) {
+      throw new ApplicationError('Email is already taken');
+    }
+    if (user && user.provider !== params.provider && settings.unique_email) {
+      throw new ApplicationError('Email is already taken');
+    }
+    try {
+      if (!settings.email_confirmation) {
+        params.confirmed = true;
+      }
+      const user = await strapi.query('plugin::users-permissions.user').create({ data: params });
+      const sanitizedUser = await sanitizeUser(user, ctx);
+      if (settings.email_confirmation) {
+        try {
+          await getService('user').sendConfirmationEmail(sanitizedUser);
+        } catch (err) {
+          throw new ApplicationError(err.message);
+        }
+        return ctx.send({ user: sanitizedUser });
+      }
+      const jwt = getService('jwt').issue(_.pick(user, ['id']));
+      return ctx.send({
+        jwt,
+        user: sanitizedUser,
+      });
+    } catch (err) {
+      if (_.includes(err.message, 'username')) {
+        throw new ApplicationError('Username already taken');
+      } else {
+        throw new ApplicationError('Email already taken');
+      }
+    }
+  },
+  async emailConfirmation(ctx, next, returnUser) {
+    const { confirmation: confirmationToken } = ctx.query;
+    const userService = getService('user');
+    const jwtService = getService('jwt');
+    if (_.isEmpty(confirmationToken)) {
+      throw new ValidationError('token.invalid');
+    }
+    const user = await userService.fetch({ confirmationToken }, []);
+    if (!user) {
+      throw new ValidationError('token.invalid');
+    }
+    await userService.edit({ id: user.id }, { confirmed: true, confirmationToken: null });
+    if (returnUser) {
+      ctx.send({
+        jwt: jwtService.issue({ id: user.id }),
+        user: await sanitizeUser(user, ctx),
+      });
+    } else {
+      const settings = await strapi
+        .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+        .get();
+      ctx.redirect(settings.email_confirmation_redirection || '/');
+    }
+  },
+  async sendEmailConfirmation(ctx) {
+    const params = _.assign(ctx.request.body);
+    await validateSendEmailConfirmationBody(params);
+    const isEmail = emailRegExp.test(params.email);
+    if (isEmail) {
+      params.email = params.email.toLowerCase();
+    } else {
+      throw new ValidationError('wrong.email');
+    }
+    const user = await strapi.query('plugin::users-permissions.user').findOne({
+      where: { email: params.email },
+    });
+    if (user.confirmed) {
+      throw new ApplicationError('already.confirmed');
+    }
+    if (user.blocked) {
+      throw new ApplicationError('blocked.user');
+    }
+    try {
+      await getService('user').sendConfirmationEmail(user);
+      ctx.send({
+        email: user.email,
+        sent: true,
+      });
+    } catch (err) {
+      throw new ApplicationError(err.message);
+    }
+  },
+};

package/server/controllers/content-manager-user.js ADDED Viewed

@@ -0,0 +1,183 @@
+'use strict';
+const _ = require('lodash');
+const { contentTypes: contentTypesUtils } = require('@strapi/utils');
+const {
+  ApplicationError,
+  ValidationError,
+  NotFoundError,
+  ForbiddenError,
+} = require('@strapi/utils').errors;
+const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
+const { UPDATED_BY_ATTRIBUTE, CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;
+const userModel = 'plugin::users-permissions.user';
+const ACTIONS = {
+  read: 'plugin::content-manager.explorer.read',
+  create: 'plugin::content-manager.explorer.create',
+  edit: 'plugin::content-manager.explorer.update',
+  delete: 'plugin::content-manager.explorer.delete',
+};
+const findEntityAndCheckPermissions = async (ability, action, model, id) => {
+  const entity = await strapi.query(userModel).findOne({
+    where: { id },
+    populate: [`${CREATED_BY_ATTRIBUTE}.roles`],
+  });
+  if (_.isNil(entity)) {
+    throw new NotFoundError();
+  }
+  const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });
+  if (pm.ability.cannot(pm.action, pm.toSubject(entity))) {
+    throw new ForbiddenError();
+  }
+  const entityWithoutCreatorRoles = _.omit(entity, `${CREATED_BY_ATTRIBUTE}.roles`);
+  return { pm, entity: entityWithoutCreatorRoles };
+};
+module.exports = {
+  /**
+   * Create a/an user record.
+   * @return {Object}
+   */
+  async create(ctx) {
+    const { body } = ctx.request;
+    const { user: admin, userAbility } = ctx.state;
+    const { email, username } = body;
+    const pm = strapi.admin.services.permission.createPermissionsManager({
+      ability: userAbility,
+      action: ACTIONS.create,
+      model: userModel,
+    });
+    if (!pm.isAllowed) {
+      return ctx.forbidden();
+    }
+    const sanitizedBody = await pm.pickPermittedFieldsOf(body, { subject: userModel });
+    const advanced = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+    await validateCreateUserBody(ctx.request.body);
+    const userWithSameUsername = await strapi
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { username } });
+    if (userWithSameUsername) {
+      throw new ApplicationError('Username already taken');
+    }
+    if (advanced.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: email.toLowerCase() } });
+      if (userWithSameEmail) {
+        throw new ApplicationError('Email already taken');
+      }
+    }
+    const user = {
+      ...sanitizedBody,
+      provider: 'local',
+      [CREATED_BY_ATTRIBUTE]: admin.id,
+      [UPDATED_BY_ATTRIBUTE]: admin.id,
+    };
+    user.email = _.toLower(user.email);
+    if (!user.role) {
+      const defaultRole = await strapi
+        .query('plugin::users-permissions.role')
+        .findOne({ where: { type: advanced.default_role } });
+      user.role = defaultRole.id;
+    }
+    try {
+      const data = await strapi
+        .service('plugin::content-manager.entity-manager')
+        .create(user, userModel);
+      const sanitizedData = await pm.sanitizeOutput(data, { action: ACTIONS.read });
+      ctx.created(sanitizedData);
+    } catch (error) {
+      throw new ApplicationError(error.message);
+    }
+  },
+  /**
+   * Update a/an user record.
+   * @return {Object}
+   */
+  async update(ctx) {
+    const { id } = ctx.params;
+    const { body } = ctx.request;
+    const { user: admin, userAbility } = ctx.state;
+    const advancedConfigs = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+    const { email, username, password } = body;
+    let pm;
+    let user;
+    const { pm: permissionManager, entity } = await findEntityAndCheckPermissions(
+      userAbility,
+      ACTIONS.edit,
+      userModel,
+      id
+    );
+    pm = permissionManager;
+    user = entity;
+    await validateUpdateUserBody(ctx.request.body);
+    if (_.has(body, 'password') && !password && user.provider === 'local') {
+      throw new ValidationError('password.notNull');
+    }
+    if (_.has(body, 'username')) {
+      const userWithSameUsername = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { username } });
+      if (userWithSameUsername && userWithSameUsername.id != id) {
+        throw new ApplicationError('Username already taken');
+      }
+    }
+    if (_.has(body, 'email') && advancedConfigs.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: _.toLower(email) } });
+      if (userWithSameEmail && userWithSameEmail.id != id) {
+        throw new ApplicationError('Email already taken');
+      }
+      body.email = _.toLower(body.email);
+    }
+    const sanitizedData = await pm.pickPermittedFieldsOf(body, { subject: pm.toSubject(user) });
+    const updateData = _.omit({ ...sanitizedData, updatedBy: admin.id }, 'createdBy');
+    const data = await strapi
+      .service('plugin::content-manager.entity-manager')
+      .update({ id }, updateData, userModel);
+    ctx.body = await pm.sanitizeOutput(data, { action: ACTIONS.read });
+  },
+};

package/server/controllers/index.js ADDED Viewed

@@ -0,0 +1,17 @@
+'use strict';
+const auth = require('./auth');
+const user = require('./user');
+const role = require('./role');
+const permissions = require('./permissions');
+const settings = require('./settings');
+const contentmanageruser = require('./content-manager-user');
+module.exports = {
+  auth,
+  user,
+  role,
+  permissions,
+  settings,
+  contentmanageruser,
+};

package/server/controllers/permissions.js ADDED Viewed

@@ -0,0 +1,26 @@
+'use strict';
+const _ = require('lodash');
+const { getService } = require('../utils');
+module.exports = {
+  async getPermissions(ctx) {
+    const permissions = await getService('users-permissions').getActions();
+    ctx.send({ permissions });
+  },
+  async getPolicies(ctx) {
+    const policies = _.keys(strapi.plugin('users-permissions').policies);
+    ctx.send({
+      policies: _.without(policies, 'permissions'),
+    });
+  },
+  async getRoutes(ctx) {
+    const routes = await getService('users-permissions').getRoutes();
+    ctx.send({ routes });
+  },
+};