@strapi/plugin-users-permissions 4.0.0-next.7 → 4.0.1

package/server/controllers/content-manager-user.js

@@ -0,0 +1,183 @@
+'use strict';
+
+const _ = require('lodash');
+const { contentTypes: contentTypesUtils } = require('@strapi/utils');
+const {
+  ApplicationError,
+  ValidationError,
+  NotFoundError,
+  ForbiddenError,
+} = require('@strapi/utils').errors;
+const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
+
+const { UPDATED_BY_ATTRIBUTE, CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;
+
+const userModel = 'plugin::users-permissions.user';
+const ACTIONS = {
+  read: 'plugin::content-manager.explorer.read',
+  create: 'plugin::content-manager.explorer.create',
+  edit: 'plugin::content-manager.explorer.update',
+  delete: 'plugin::content-manager.explorer.delete',
+};
+
+const findEntityAndCheckPermissions = async (ability, action, model, id) => {
+  const entity = await strapi.query(userModel).findOne({
+    where: { id },
+    populate: [`${CREATED_BY_ATTRIBUTE}.roles`],
+  });
+
+  if (_.isNil(entity)) {
+    throw new NotFoundError();
+  }
+
+  const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });
+
+  if (pm.ability.cannot(pm.action, pm.toSubject(entity))) {
+    throw new ForbiddenError();
+  }
+
+  const entityWithoutCreatorRoles = _.omit(entity, `${CREATED_BY_ATTRIBUTE}.roles`);
+
+  return { pm, entity: entityWithoutCreatorRoles };
+};
+
+module.exports = {
+  /**
+   * Create a/an user record.
+   * @return {Object}
+   */
+  async create(ctx) {
+    const { body } = ctx.request;
+    const { user: admin, userAbility } = ctx.state;
+
+    const { email, username } = body;
+
+    const pm = strapi.admin.services.permission.createPermissionsManager({
+      ability: userAbility,
+      action: ACTIONS.create,
+      model: userModel,
+    });
+
+    if (!pm.isAllowed) {
+      return ctx.forbidden();
+    }
+
+    const sanitizedBody = await pm.pickPermittedFieldsOf(body, { subject: userModel });
+
+    const advanced = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+
+    await validateCreateUserBody(ctx.request.body);
+
+    const userWithSameUsername = await strapi
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { username } });
+
+    if (userWithSameUsername) {
+      throw new ApplicationError('Username already taken');
+    }
+
+    if (advanced.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: email.toLowerCase() } });
+
+      if (userWithSameEmail) {
+        throw new ApplicationError('Email already taken');
+      }
+    }
+
+    const user = {
+      ...sanitizedBody,
+      provider: 'local',
+      [CREATED_BY_ATTRIBUTE]: admin.id,
+      [UPDATED_BY_ATTRIBUTE]: admin.id,
+    };
+
+    user.email = _.toLower(user.email);
+
+    if (!user.role) {
+      const defaultRole = await strapi
+        .query('plugin::users-permissions.role')
+        .findOne({ where: { type: advanced.default_role } });
+
+      user.role = defaultRole.id;
+    }
+
+    try {
+      const data = await strapi
+        .service('plugin::content-manager.entity-manager')
+        .create(user, userModel);
+      const sanitizedData = await pm.sanitizeOutput(data, { action: ACTIONS.read });
+
+      ctx.created(sanitizedData);
+    } catch (error) {
+      throw new ApplicationError(error.message);
+    }
+  },
+  /**
+   * Update a/an user record.
+   * @return {Object}
+   */
+
+  async update(ctx) {
+    const { id } = ctx.params;
+    const { body } = ctx.request;
+    const { user: admin, userAbility } = ctx.state;
+
+    const advancedConfigs = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+
+    const { email, username, password } = body;
+
+    let pm;
+    let user;
+
+    const { pm: permissionManager, entity } = await findEntityAndCheckPermissions(
+      userAbility,
+      ACTIONS.edit,
+      userModel,
+      id
+    );
+    pm = permissionManager;
+    user = entity;
+
+    await validateUpdateUserBody(ctx.request.body);
+
+    if (_.has(body, 'password') && !password && user.provider === 'local') {
+      throw new ValidationError('password.notNull');
+    }
+
+    if (_.has(body, 'username')) {
+      const userWithSameUsername = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { username } });
+
+      if (userWithSameUsername && userWithSameUsername.id != id) {
+        throw new ApplicationError('Username already taken');
+      }
+    }
+
+    if (_.has(body, 'email') && advancedConfigs.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: _.toLower(email) } });
+
+      if (userWithSameEmail && userWithSameEmail.id != id) {
+        throw new ApplicationError('Email already taken');
+      }
+      body.email = _.toLower(body.email);
+    }
+
+    const sanitizedData = await pm.pickPermittedFieldsOf(body, { subject: pm.toSubject(user) });
+    const updateData = _.omit({ ...sanitizedData, updatedBy: admin.id }, 'createdBy');
+
+    const data = await strapi
+      .service('plugin::content-manager.entity-manager')
+      .update({ id }, updateData, userModel);
+
+    ctx.body = await pm.sanitizeOutput(data, { action: ACTIONS.read });
+  },
+};

package/server/controllers/index.js

@@ -1,11 +1,17 @@
 'use strict';
 
-const authController = require('./auth');
-const userController = require('./user');
-const usersPermissionsController = require('./users-permissions');
+const auth = require('./auth');
+const user = require('./user');
+const role = require('./role');
+const permissions = require('./permissions');
+const settings = require('./settings');
+const contentmanageruser = require('./content-manager-user');
 
 module.exports = {
-  auth: authController,
-  user: userController,
-  'users-permissions': usersPermissionsController,
+  auth,
+  user,
+  role,
+  permissions,
+  settings,
+  contentmanageruser,
 };

package/server/controllers/permissions.js

@@ -0,0 +1,26 @@
+'use strict';
+
+const _ = require('lodash');
+const { getService } = require('../utils');
+
+module.exports = {
+  async getPermissions(ctx) {
+    const permissions = await getService('users-permissions').getActions();
+
+    ctx.send({ permissions });
+  },
+
+  async getPolicies(ctx) {
+    const policies = _.keys(strapi.plugin('users-permissions').policies);
+
+    ctx.send({
+      policies: _.without(policies, 'permissions'),
+    });
+  },
+
+  async getRoutes(ctx) {
+    const routes = await getService('users-permissions').getRoutes();
+
+    ctx.send({ routes });
+  },
+};

package/server/controllers/role.js

@@ -0,0 +1,77 @@
+'use strict';
+
+const _ = require('lodash');
+const { ApplicationError, ValidationError } = require('@strapi/utils').errors;
+const { getService } = require('../utils');
+const { validateDeleteRoleBody } = require('./validation/user');
+
+module.exports = {
+  /**
+   * Default action.
+   *
+   * @return {Object}
+   */
+  async createRole(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+
+    await getService('role').createRole(ctx.request.body);
+
+    ctx.send({ ok: true });
+  },
+
+  async getRole(ctx) {
+    const { id } = ctx.params;
+
+    const role = await getService('role').getRole(id);
+
+    if (!role) {
+      return ctx.notFound();
+    }
+
+    ctx.send({ role });
+  },
+
+  async getRoles(ctx) {
+    const roles = await getService('role').getRoles();
+
+    ctx.send({ roles });
+  },
+
+  async updateRole(ctx) {
+    const roleID = ctx.params.role;
+
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+
+    await getService('role').updateRole(roleID, ctx.request.body);
+
+    ctx.send({ ok: true });
+  },
+
+  async deleteRole(ctx) {
+    const roleID = ctx.params.role;
+
+    if (!roleID) {
+      await validateDeleteRoleBody(ctx.params);
+    }
+
+    // Fetch public role.
+    const publicRole = await strapi
+      .query('plugin::users-permissions.role')
+      .findOne({ where: { type: 'public' } });
+
+    const publicRoleID = publicRole.id;
+
+    // Prevent from removing the public role.
+    if (roleID.toString() === publicRoleID.toString()) {
+      throw new ApplicationError('Cannot delete public role');
+    }
+
+    await getService('role').deleteRole(roleID, publicRoleID);
+
+    ctx.send({ ok: true });
+  },
+};

package/server/controllers/settings.js

@@ -0,0 +1,85 @@
+'use strict';
+
+const _ = require('lodash');
+const { ValidationError } = require('@strapi/utils').errors;
+const { getService } = require('../utils');
+const { isValidEmailTemplate } = require('./validation/email-template');
+
+module.exports = {
+  async getEmailTemplate(ctx) {
+    ctx.send(await strapi.store({ type: 'plugin', name: 'users-permissions', key: 'email' }).get());
+  },
+
+  async updateEmailTemplate(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+
+    const emailTemplates = ctx.request.body['email-templates'];
+
+    for (let key in emailTemplates) {
+      const template = emailTemplates[key].options.message;
+
+      if (!isValidEmailTemplate(template)) {
+        throw new ValidationError('Invalid template');
+      }
+    }
+
+    await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'email' })
+      .set({ value: emailTemplates });
+
+    ctx.send({ ok: true });
+  },
+
+  async getAdvancedSettings(ctx) {
+    const settings = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+
+    const roles = await getService('role').getRoles();
+
+    ctx.send({ settings, roles });
+  },
+
+  async updateAdvancedSettings(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+
+    await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .set({ value: ctx.request.body });
+
+    ctx.send({ ok: true });
+  },
+
+  async getProviders(ctx) {
+    const providers = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
+      .get();
+
+    for (const provider in providers) {
+      if (provider !== 'email') {
+        providers[provider].redirectUri = strapi
+          .plugin('users-permissions')
+          .service('providers')
+          .buildRedirectUri(provider);
+      }
+    }
+
+    ctx.send(providers);
+  },
+
+  async updateProviders(ctx) {
+    if (_.isEmpty(ctx.request.body)) {
+      throw new ValidationError('Request body cannot be empty');
+    }
+
+    await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
+      .set({ value: ctx.request.body.providers });
+
+    ctx.send({ ok: true });
+  },
+};

package/server/controllers/user.js

@@ -7,47 +7,136 @@
  */
 
 const _ = require('lodash');
-const { sanitizeEntity } = require('@strapi/utils');
+const utils = require('@strapi/utils');
 const { getService } = require('../utils');
-const adminUserController = require('./user/admin');
-const apiUserController = require('./user/api');
+const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
-const sanitizeUser = user =>
-  sanitizeEntity(user, {
-    model: strapi.getModel('plugin::users-permissions.user'),
-  });
+const { sanitize } = utils;
+const { ApplicationError, ValidationError } = utils.errors;
 
-const resolveController = ctx => {
-  const {
-    state: { isAuthenticatedAdmin },
-  } = ctx;
+const sanitizeOutput = (user, ctx) => {
+  const schema = strapi.getModel('plugin::users-permissions.user');
+  const { auth } = ctx.state;
 
-  return isAuthenticatedAdmin ? adminUserController : apiUserController;
+  return sanitize.contentAPI.output(user, schema, { auth });
 };
 
-const resolveControllerMethod = method => ctx => {
-  const controller = resolveController(ctx);
-  const callbackFn = controller[method];
+module.exports = {
+  /**
+   * Create a/an user record.
+   * @return {Object}
+   */
+  async create(ctx) {
+    const advanced = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
 
-  if (!_.isFunction(callbackFn)) {
-    return ctx.notFound();
-  }
+    await validateCreateUserBody(ctx.request.body);
 
-  return callbackFn(ctx);
-};
+    const { email, username, role } = ctx.request.body;
 
-module.exports = {
-  create: resolveControllerMethod('create'),
-  update: resolveControllerMethod('update'),
+    const userWithSameUsername = await strapi
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { username } });
+
+    if (userWithSameUsername) {
+      if (!email) throw new ApplicationError('Username already taken');
+    }
+
+    if (advanced.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: email.toLowerCase() } });
+
+      if (userWithSameEmail) {
+        throw new ApplicationError('Email already taken');
+      }
+    }
+
+    const user = {
+      ...ctx.request.body,
+      provider: 'local',
+    };
+
+    user.email = _.toLower(user.email);
+
+    if (!role) {
+      const defaultRole = await strapi
+        .query('plugin::users-permissions.role')
+        .findOne({ where: { type: advanced.default_role } });
+
+      user.role = defaultRole.id;
+    }
+
+    try {
+      const data = await getService('user').add(user);
+      const sanitizedData = await sanitizeOutput(data, ctx);
+
+      ctx.created(sanitizedData);
+    } catch (error) {
+      throw new ApplicationError(error.message);
+    }
+  },
+
+  /**
+   * Update a/an user record.
+   * @return {Object}
+   */
+  async update(ctx) {
+    const advancedConfigs = await strapi
+      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
+      .get();
+
+    const { id } = ctx.params;
+    const { email, username, password } = ctx.request.body;
+
+    const user = await getService('user').fetch({ id });
+
+    await validateUpdateUserBody(ctx.request.body);
+
+    if (user.provider === 'local' && _.has(ctx.request.body, 'password') && !password) {
+      throw new ValidationError('password.notNull');
+    }
+
+    if (_.has(ctx.request.body, 'username')) {
+      const userWithSameUsername = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { username } });
+
+      if (userWithSameUsername && userWithSameUsername.id != id) {
+        throw new ApplicationError('Username already taken');
+      }
+    }
+
+    if (_.has(ctx.request.body, 'email') && advancedConfigs.unique_email) {
+      const userWithSameEmail = await strapi
+        .query('plugin::users-permissions.user')
+        .findOne({ where: { email: email.toLowerCase() } });
+
+      if (userWithSameEmail && userWithSameEmail.id != id) {
+        throw new ApplicationError('Email already taken');
+      }
+      ctx.request.body.email = ctx.request.body.email.toLowerCase();
+    }
+
+    let updateData = {
+      ...ctx.request.body,
+    };
+
+    const data = await getService('user').edit({ id }, updateData);
+    const sanitizedData = await sanitizeOutput(data, ctx);
+
+    ctx.send(sanitizedData);
+  },
 
   /**
    * Retrieve user records.
    * @return {Object|Array}
    */
   async find(ctx, next, { populate } = {}) {
-    const users = await getService('user').fetchAll(ctx.query, populate);
+    const users = await getService('user').fetchAll(ctx.query.filters, populate);
 
-    ctx.body = users.map(sanitizeUser);
+    ctx.body = await Promise.all(users.map(user => sanitizeOutput(user, ctx)));
   },
 
   /**
@@ -59,10 +148,9 @@ module.exports = {
     let data = await getService('user').fetch({ id });
 
     if (data) {
-      data = sanitizeUser(data);
+      data = await sanitizeOutput(data, ctx);
     }
 
-    // Send 200 `ok`
     ctx.body = data;
   },
 
@@ -82,23 +170,9 @@ module.exports = {
     const { id } = ctx.params;
 
     const data = await getService('user').remove({ id });
+    const sanitizedUser = await sanitizeOutput(data, ctx);
 
-    ctx.send(sanitizeUser(data));
-  },
-
-  async destroyAll(ctx) {
-    const {
-      request: { query },
-    } = ctx;
-
-    const toRemove = Object.values(_.omit(query, 'source'));
-
-    // FIXME: delete many
-    const finalQuery = { id: toRemove };
-
-    const data = await getService('user').removeAll(finalQuery);
-
-    ctx.send(data);
+    ctx.send(sanitizedUser);
   },
 
   /**
@@ -109,9 +183,9 @@ module.exports = {
     const user = ctx.state.user;
 
     if (!user) {
-      return ctx.badRequest(null, [{ messages: [{ id: 'No authorization header was found' }] }]);
+      return ctx.unauthorized();
     }
 
-    ctx.body = sanitizeUser(user);
+    ctx.body = await sanitizeOutput(user, ctx);
   },
 };

package/server/controllers/validation/auth.js

@@ -0,0 +1,29 @@
+'use strict';
+
+const { yup, validateYupSchema } = require('@strapi/utils');
+
+const callbackBodySchema = yup.object().shape({
+  identifier: yup.string().required(),
+  password: yup.string().required(),
+});
+
+const registerBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .required(),
+  password: yup.string().required(),
+});
+
+const sendEmailConfirmationBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .required(),
+});
+
+module.exports = {
+  validateCallbackBody: validateYupSchema(callbackBodySchema),
+  validateRegisterBody: validateYupSchema(registerBodySchema),
+  validateSendEmailConfirmationBody: validateYupSchema(sendEmailConfirmationBodySchema),
+};

package/server/controllers/validation/user.js

@@ -0,0 +1,38 @@
+'use strict';
+
+const { yup, validateYupSchema } = require('@strapi/utils');
+
+const deleteRoleSchema = yup.object().shape({
+  role: yup.strapiID().required(),
+});
+
+const createUserBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .required(),
+  username: yup
+    .string()
+    .min(1)
+    .required(),
+  password: yup
+    .string()
+    .min(1)
+    .required(),
+  role: yup.strapiID(),
+});
+
+const updateUserBodySchema = yup.object().shape({
+  email: yup
+    .string()
+    .email()
+    .min(1),
+  username: yup.string().min(1),
+  password: yup.string().min(1),
+});
+
+module.exports = {
+  validateCreateUserBody: validateYupSchema(createUserBodySchema),
+  validateUpdateUserBody: validateYupSchema(updateUserBodySchema),
+  validateDeleteRoleBody: validateYupSchema(deleteRoleSchema),
+};