@strapi/plugin-users-permissions 4.0.0-next.6 → 4.0.0

package/server/controllers/role.js

@@ -0,0 +1,77 @@
+'use strict';
+
+const _ = require('lodash');
+const { ApplicationError, ValidationError } = require('@strapi/utils').errors;
+const { getService } = require('../utils');
+const { validateDeleteRoleBody } = require('./validation/user');
+
+module.exports = {
+  /**
+   * Default action.
+   *
+   * @return {Object}
+   */
+  async createRole(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+
+    await getService('role').createRole(ctx.request.body);
+
+    ctx.send({ ok: true });
+  },
+
+  async getRole(ctx) {
+    const { id } = ctx.params;
+
+    const role = await getService('role').getRole(id);
+
+    if (!role) {
+      return ctx.notFound();
+    }
+
+    ctx.send({ role });
+  },
+
+  async getRoles(ctx) {
+    const roles = await getService('role').getRoles();
+
+    ctx.send({ roles });
+  },
+
+  async updateRole(ctx) {
+    const roleID = ctx.params.role;
+
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+
+    await getService('role').updateRole(roleID, ctx.request.body);
+
+    ctx.send({ ok: true });
+  },
+
+  async deleteRole(ctx) {
+    const roleID = ctx.params.role;
+
+    if (!roleID) {
+      await validateDeleteRoleBody(ctx.params);
+    }
+
+    // Fetch public role.
+    const publicRole = await strapi
+      .query('plugin::users-permissions.role')
+      .findOne({ where: { type: 'public' } });
+
+    const publicRoleID = publicRole.id;
+
+    // Prevent from removing the public role.
+    if (roleID.toString() === publicRoleID.toString()) {
+      throw new ApplicationError('Cannot delete public role');
+    }
+
+    await getService('role').deleteRole(roleID, publicRoleID);
+
+    ctx.send({ ok: true });
+  },
+};

package/server/controllers/settings.js

@@ -0,0 +1,85 @@
+'use strict';
+
+const _ = require('lodash');
+const { ValidationError } = require('@strapi/utils').errors;
+const { getService } = require('../utils');
+const { isValidEmailTemplate } = require('./validation/email-template');
+
+module.exports = {
+  async getEmailTemplate(ctx) {
+    ctx.send(await strapi.store({ type: 'plugin', name: 'users-permissions', key: 'email' }).get());
+  },
+
+  async updateEmailTemplate(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+
+    const emailTemplates = ctx.request.body['email-templates'];
+
+    for (let key in emailTemplates) {
+      const template = emailTemplates[key].options.message;
+
+      if (!isValidEmailTemplate(template)) {
+        throw new ValidationError('Invalid template');
+      }
+    }
+
+    await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'email' })
+      .set({ value: emailTemplates });
+
+    ctx.send({ ok: true });
+  },
+
+  async getAdvancedSettings(ctx) {
+    const settings = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+
+    const roles = await getService('role').getRoles();
+
+    ctx.send({ settings, roles });
+  },
+
+  async updateAdvancedSettings(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+
+    await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .set({ value: ctx.request.body });
+
+    ctx.send({ ok: true });
+  },
+
+  async getProviders(ctx) {
+    const providers = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
+      .get();
+
+    for (const provider in providers) {
+      if (provider !== 'email') {
+        providers[provider].redirectUri = strapi
+          .plugin('users-permissions')
+          .service('providers')
+          .buildRedirectUri(provider);
+      }
+    }
+
+    ctx.send(providers);
+  },
+
+  async updateProviders(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+
+    await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
+      .set({ value: ctx.request.body.providers });
+
+    ctx.send({ ok: true });
+  },
+};

package/server/controllers/user.js

@@ -0,0 +1,191 @@
+'use strict';
+
+/**
+ * User.js controller
+ *
+ * @description: A set of functions called "actions" for managing `User`.
+ */
+
+const _ = require('lodash');
+const utils = require('@strapi/utils');
+const { getService } = require('../utils');
+const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
+
+const { sanitize } = utils;
+const { ApplicationError, ValidationError } = utils.errors;
+
+const sanitizeOutput = (user, ctx) => {
+  const schema = strapi.getModel('plugin::users-permissions.user');
+  const { auth } = ctx.state;
+
+  return sanitize.contentAPI.output(user, schema, { auth });
+};
+
+module.exports = {
+  /**
+   * Create a/an user record.
+   * @return {Object}
+   */
+  async create(ctx) {
+    const advanced = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+
+    await validateCreateUserBody(ctx.request.body);
+
+    const { email, username, role } = ctx.request.body;
+
+    const userWithSameUsername = await strapi
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { username } });
+
+    if (userWithSameUsername) {
+      if (!email) throw new ApplicationError('Username already taken');
+    }
+
+    if (advanced.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: email.toLowerCase() } });
+
+      if (userWithSameEmail) {
+        throw new ApplicationError('Email already taken');
+      }
+    }
+
+    const user = {
+      ...ctx.request.body,
+      provider: 'local',
+    };
+
+    user.email = _.toLower(user.email);
+
+    if (!role) {
+      const defaultRole = await strapi
+        .query('plugin::users-permissions.role')
+        .findOne({ where: { type: advanced.default_role } });
+
+      user.role = defaultRole.id;
+    }
+
+    try {
+      const data = await getService('user').add(user);
+      const sanitizedData = await sanitizeOutput(data, ctx);
+
+      ctx.created(sanitizedData);
+    } catch (error) {
+      throw new ApplicationError(error.message);
+    }
+  },
+
+  /**
+   * Update a/an user record.
+   * @return {Object}
+   */
+  async update(ctx) {
+    const advancedConfigs = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+
+    const { id } = ctx.params;
+    const { email, username, password } = ctx.request.body;
+
+    const user = await getService('user').fetch({ id });
+
+    await validateUpdateUserBody(ctx.request.body);
+
+    if (user.provider === 'local' && _.has(ctx.request.body, 'password') && !password) {
+      throw new ValidationError('password.notNull');
+    }
+
+    if (_.has(ctx.request.body, 'username')) {
+      const userWithSameUsername = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { username } });
+
+      if (userWithSameUsername && userWithSameUsername.id != id) {
+        throw new ApplicationError('Username already taken');
+      }
+    }
+
+    if (_.has(ctx.request.body, 'email') && advancedConfigs.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: email.toLowerCase() } });
+
+      if (userWithSameEmail && userWithSameEmail.id != id) {
+        throw new ApplicationError('Email already taken');
+      }
+      ctx.request.body.email = ctx.request.body.email.toLowerCase();
+    }
+
+    let updateData = {
+      ...ctx.request.body,
+    };
+
+    const data = await getService('user').edit({ id }, updateData);
+    const sanitizedData = await sanitizeOutput(data, ctx);
+
+    ctx.send(sanitizedData);
+  },
+
+  /**
+   * Retrieve user records.
+   * @return {Object|Array}
+   */
+  async find(ctx, next, { populate } = {}) {
+    const users = await getService('user').fetchAll(ctx.query, populate);
+
+    ctx.body = await Promise.all(users.map(user => sanitizeOutput(user, ctx)));
+  },
+
+  /**
+   * Retrieve a user record.
+   * @return {Object}
+   */
+  async findOne(ctx) {
+    const { id } = ctx.params;
+    let data = await getService('user').fetch({ id });
+
+    if (data) {
+      data = await sanitizeOutput(data, ctx);
+    }
+
+    ctx.body = data;
+  },
+
+  /**
+   * Retrieve user count.
+   * @return {Number}
+   */
+  async count(ctx) {
+    ctx.body = await getService('user').count(ctx.query);
+  },
+
+  /**
+   * Destroy a/an user record.
+   * @return {Object}
+   */
+  async destroy(ctx) {
+    const { id } = ctx.params;
+
+    const data = await getService('user').remove({ id });
+    const sanitizedUser = await sanitizeOutput(data, ctx);
+
+    ctx.send(sanitizedUser);
+  },
+
+  /**
+   * Retrieve authenticated user.
+   * @return {Object|Array}
+   */
+  async me(ctx) {
+    const user = ctx.state.user;
+
+    if (!user) {
+      return ctx.unauthorized();
+    }
+
+    ctx.body = await sanitizeOutput(user, ctx);
+  },
+};

package/server/controllers/validation/auth.js

@@ -0,0 +1,29 @@
+'use strict';
+
+const { yup, validateYupSchema } = require('@strapi/utils');
+
+const callbackBodySchema = yup.object().shape({
+  identifier: yup.string().required(),
+  password: yup.string().required(),
+});
+
+const registerBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .required(),
+  password: yup.string().required(),
+});
+
+const sendEmailConfirmationBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .required(),
+});
+
+module.exports = {
+  validateCallbackBody: validateYupSchema(callbackBodySchema),
+  validateRegisterBody: validateYupSchema(registerBodySchema),
+  validateSendEmailConfirmationBody: validateYupSchema(sendEmailConfirmationBodySchema),
+};

package/server/controllers/validation/user.js

@@ -0,0 +1,38 @@
+'use strict';
+
+const { yup, validateYupSchema } = require('@strapi/utils');
+
+const deleteRoleSchema = yup.object().shape({
+  role: yup.strapiID().required(),
+});
+
+const createUserBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .required(),
+  username: yup
+    .string()
+    .min(1)
+    .required(),
+  password: yup
+    .string()
+    .min(1)
+    .required(),
+  role: yup.strapiID(),
+});
+
+const updateUserBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .min(1),
+  username: yup.string().min(1),
+  password: yup.string().min(1),
+});
+
+module.exports = {
+  validateCreateUserBody: validateYupSchema(createUserBodySchema),
+  validateUpdateUserBody: validateYupSchema(updateUserBodySchema),
+  validateDeleteRoleBody: validateYupSchema(deleteRoleSchema),
+};

package/server/graphql/index.js

@@ -0,0 +1,44 @@
+'use strict';
+
+const getTypes = require('./types');
+const getQueries = require('./queries');
+const getMutations = require('./mutations');
+const getResolversConfig = require('./resolvers-configs');
+
+module.exports = ({ strapi }) => {
+  const { config: graphQLConfig } = strapi.plugin('graphql');
+  const extensionService = strapi.plugin('graphql').service('extension');
+
+  const isShadowCRUDEnabled = graphQLConfig('shadowCRUD', true);
+
+  if (!isShadowCRUDEnabled) {
+    return;
+  }
+
+  // Disable Permissions queries & mutations but allow the
+  // type to be used/selected in filters or nested resolvers
+  extensionService
+    .shadowCRUD('plugin::users-permissions.permission')
+    .disableQueries()
+    .disableMutations();
+
+  // Disable User & Role's Create/Update/Delete actions so they can be replaced
+  const actionsToDisable = ['create', 'update', 'delete'];
+
+  extensionService.shadowCRUD('plugin::users-permissions.user').disableActions(actionsToDisable);
+  extensionService.shadowCRUD('plugin::users-permissions.role').disableActions(actionsToDisable);
+
+  // Register new types & resolvers config
+  extensionService.use(({ nexus }) => {
+    const types = getTypes({ strapi, nexus });
+    const queries = getQueries({ strapi, nexus });
+    const mutations = getMutations({ strapi, nexus });
+    const resolversConfig = getResolversConfig({ strapi });
+
+    return {
+      types: [types, queries, mutations],
+
+      resolversConfig,
+    };
+  });
+};

package/server/graphql/mutations/auth/email-confirmation.js

@@ -0,0 +1,39 @@
+'use strict';
+
+const { toPlainObject } = require('lodash/fp');
+
+const { checkBadRequest } = require('../../utils');
+
+module.exports = ({ nexus, strapi }) => {
+  const { nonNull } = nexus;
+
+  return {
+    type: 'UsersPermissionsLoginPayload',
+
+    args: {
+      confirmation: nonNull('String'),
+    },
+
+    description: 'Confirm an email users email address',
+
+    async resolve(parent, args, context) {
+      const { koaContext } = context;
+
+      koaContext.request.body = toPlainObject(args);
+
+      await strapi
+        .plugin('users-permissions')
+        .controller('auth')
+        .emailConfirmation(koaContext, null, true);
+
+      const output = koaContext.body;
+
+      checkBadRequest(output);
+
+      return {
+        user: output.user || output,
+        jwt: output.jwt,
+      };
+    },
+  };
+};

package/server/graphql/mutations/auth/forgot-password.js

@@ -0,0 +1,38 @@
+'use strict';
+
+const { toPlainObject } = require('lodash/fp');
+
+const { checkBadRequest } = require('../../utils');
+
+module.exports = ({ nexus, strapi }) => {
+  const { nonNull } = nexus;
+
+  return {
+    type: 'UsersPermissionsPasswordPayload',
+
+    args: {
+      email: nonNull('String'),
+    },
+
+    description: 'Request a reset password token',
+
+    async resolve(parent, args, context) {
+      const { koaContext } = context;
+
+      koaContext.request.body = toPlainObject(args);
+
+      await strapi
+        .plugin('users-permissions')
+        .controller('auth')
+        .forgotPassword(koaContext);
+
+      const output = koaContext.body;
+
+      checkBadRequest(output);
+
+      return {
+        ok: output.ok || output,
+      };
+    },
+  };
+};

package/server/graphql/mutations/auth/login.js

@@ -0,0 +1,38 @@
+'use strict';
+
+const { toPlainObject } = require('lodash/fp');
+
+const { checkBadRequest } = require('../../utils');
+
+module.exports = ({ nexus, strapi }) => {
+  const { nonNull } = nexus;
+
+  return {
+    type: nonNull('UsersPermissionsLoginPayload'),
+
+    args: {
+      input: nonNull('UsersPermissionsLoginInput'),
+    },
+
+    async resolve(parent, args, context) {
+      const { koaContext } = context;
+
+      koaContext.params = { provider: args.input.provider };
+      koaContext.request.body = toPlainObject(args.input);
+
+      await strapi
+        .plugin('users-permissions')
+        .controller('auth')
+        .callback(koaContext);
+
+      const output = koaContext.body;
+
+      checkBadRequest(output);
+
+      return {
+        user: output.user || output,
+        jwt: output.jwt,
+      };
+    },
+  };
+};

package/server/graphql/mutations/auth/register.js

@@ -0,0 +1,39 @@
+'use strict';
+
+const { toPlainObject } = require('lodash/fp');
+
+const { checkBadRequest } = require('../../utils');
+
+module.exports = ({ nexus, strapi }) => {
+  const { nonNull } = nexus;
+
+  return {
+    type: nonNull('UsersPermissionsLoginPayload'),
+
+    args: {
+      input: nonNull('UsersPermissionsRegisterInput'),
+    },
+
+    description: 'Register a user',
+
+    async resolve(parent, args, context) {
+      const { koaContext } = context;
+
+      koaContext.request.body = toPlainObject(args.input);
+
+      await strapi
+        .plugin('users-permissions')
+        .controller('auth')
+        .register(koaContext);
+
+      const output = koaContext.body;
+
+      checkBadRequest(output);
+
+      return {
+        user: output.user || output,
+        jwt: output.jwt,
+      };
+    },
+  };
+};

package/server/graphql/mutations/auth/reset-password.js

@@ -0,0 +1,41 @@
+'use strict';
+
+const { toPlainObject } = require('lodash/fp');
+
+const { checkBadRequest } = require('../../utils');
+
+module.exports = ({ nexus, strapi }) => {
+  const { nonNull } = nexus;
+
+  return {
+    type: 'UsersPermissionsLoginPayload',
+
+    args: {
+      password: nonNull('String'),
+      passwordConfirmation: nonNull('String'),
+      code: nonNull('String'),
+    },
+
+    description: 'Reset user password. Confirm with a code (resetToken from forgotPassword)',
+
+    async resolve(parent, args, context) {
+      const { koaContext } = context;
+
+      koaContext.request.body = toPlainObject(args);
+
+      await strapi
+        .plugin('users-permissions')
+        .controller('auth')
+        .forgotPassword(koaContext);
+
+      const output = koaContext.body;
+
+      checkBadRequest(output);
+
+      return {
+        user: output.user || output,
+        jwt: output.jwt,
+      };
+    },
+  };
+};

package/server/graphql/mutations/crud/role/create-role.js

@@ -0,0 +1,37 @@
+'use strict';
+
+const { toPlainObject } = require('lodash/fp');
+
+const usersPermissionsRoleUID = 'plugin::users-permissions.role';
+
+module.exports = ({ nexus, strapi }) => {
+  const { getContentTypeInputName } = strapi.plugin('graphql').service('utils').naming;
+  const { nonNull } = nexus;
+
+  const roleContentType = strapi.getModel(usersPermissionsRoleUID);
+
+  const roleInputName = getContentTypeInputName(roleContentType);
+
+  return {
+    type: 'UsersPermissionsCreateRolePayload',
+
+    args: {
+      data: nonNull(roleInputName),
+    },
+
+    description: 'Create a new role',
+
+    async resolve(parent, args, context) {
+      const { koaContext } = context;
+
+      koaContext.request.body = toPlainObject(args.data);
+
+      await strapi
+        .plugin('users-permissions')
+        .controller('role')
+        .createRole(koaContext);
+
+      return { ok: true };
+    },
+  };
+};