@strapi/plugin-users-permissions 4.0.4 → 4.0.8

package/admin/src/components/FormModal/Input/index.js

@@ -28,12 +28,12 @@ const Input = ({
 
   const label = formatMessage(
     { id: intlLabel.id, defaultMessage: intlLabel.defaultMessage },
-    { ...intlLabel.values }
+    { provider: providerToEditName, ...intlLabel.values }
   );
   const hint = description
     ? formatMessage(
         { id: description.id, defaultMessage: description.defaultMessage },
-        { ...description.values }
+        { provider: providerToEditName, ...description.values }
       )
     : '';
 

package/admin/src/pages/Providers/utils/forms.js

@@ -23,9 +23,6 @@ const keyLabel = { id: getTrad('PopUpForm.Providers.key.label'), defaultMessage:
 const hintLabel = {
   id: getTrad('PopUpForm.Providers.redirectURL.label'),
   defaultMessage: 'The redirect URL to add in your {provider} application configurations',
-  values: {
-    provider: 'VK',
-  },
 };
 const textPlaceholder = {
   id: getTrad('PopUpForm.Providers.key.placeholder'),

package/admin/src/translations/dk.json

@@ -44,5 +44,51 @@
   "notification.success.submit": "Indstillingerne er blevet opdateret",
   "plugin.description.long": "Beskyt din API med fuld godkendelse med JWT. Dette plugin kommer også med en ACL strategi som tillader dig at håndtere rettigeheder mellem grupper af brugere.",
   "plugin.description.short": "Beskyt din API med fuld godkendelse med JWT",
-  "plugin.name": "Roller & rettigheder"
+  "plugin.name": "Roller & rettigheder",
+  "EditForm.inputToggle.placeholder.email-confirmation-redirection": "f.eks. https://hjemmeside.dk/nulstil-kodeord",
+  "EditForm.inputToggle.placeholder.email-reset-password": "f.eks. https://hjemmeside.dk/nulstil-kodeord",
+  "EditPage.form.roles": "Rolle detaljer",
+  "Email.template.data.loaded": "E-mail skabeloner er hentet",
+  "Email.template.form.edit.label": "Redigér en skabelon",
+  "Email.template.table.action.label": "handling",
+  "Email.template.table.icon.label": "ikon",
+  "Email.template.table.name.label": "navn",
+  "Form.advancedSettings.data.loaded": "Avancerede indstillinger hentet",
+  "Form.save": "Gem",
+  "Form.title.advancedSettings": "Indstillinger",
+  "PopUpForm.Email.options.object.placeholder": "Bekræft venligst din e-mail adresse for %APP_NAME%",
+  "PopUpForm.Providers.redirectURL.front-end.label": "Omstillings URL til din font-end app",
+  "PopUpForm.Providers.redirectURL.label": "Omstillings URL som tilføjes til din {provider} applikation konfigurationer",
+  "PopUpForm.Providers.subdomain.label": "Host URI (Subdomain)",
+  "PopUpForm.Providers.subdomain.placeholder": "mit.subdomain.dk",
+  "Providers.data.loaded": "Providers hentet",
+  "Providers.disabled": "Deaktiveret",
+  "Providers.enabled": "Aktiveret",
+  "Providers.image": "Billede",
+  "Providers.name": "Navn",
+  "Providers.settings": "Indstillinger",
+  "Providers.status": "Status",
+  "Roles.description": "Beskrivelse",
+  "Roles.empty": "Du har endnu ingen roller.",
+  "Roles.empty.search": "Ingen roller matcher søgningen.",
+  "Roles.name": "Navn",
+  "Roles.users": "Brugere",
+  "Settings.roles.deleted": "Rolle slettet",
+  "Settings.roles.edited": "Rolle redigeret",
+  "Settings.section-label": "Brugere & Tilladelser plugin",
+  "components.Input.error.validation.email": "Dette er en ugyldig e.mail",
+  "components.Input.error.validation.json": "Dette stemmer ikke med JSON formatet",
+  "components.Input.error.validation.max": "Værdien er for høj.",
+  "components.Input.error.validation.maxLength": "Værdien er for lang.",
+  "components.Input.error.validation.min": "Værdien er for lav.",
+  "components.Input.error.validation.minLength": "Værdien er for kort.",
+  "components.Input.error.validation.minSupMax": "Kan ikke være overlegen",
+  "components.Input.error.validation.regex": "Værdien stemmer ikke overens med regex.",
+  "components.Input.error.validation.required": "Værdien er påkrævet.",
+  "components.Input.error.validation.unique": "Værdien er allerede brugt.",
+  "page.title": "Indstillinger - Roller",
+  "popUpWarning.button.cancel": "Annuller",
+  "popUpWarning.button.confirm": "Bekræft",
+  "popUpWarning.title": "Bekræft venligst",
+  "popUpWarning.warning.cancel": "Er du sikker på at du vil annullere dine ændringer?"
 }

package/admin/src/translations/es.json

@@ -12,8 +12,19 @@
   "EditForm.inputToggle.label.email-confirmation-redirection": "URL de redirección",
   "EditForm.inputToggle.label.email-reset-password": "Página de reestablecer la contraseña",
   "EditForm.inputToggle.label.sign-up": "Habilitar inscripciones",
+  "EditForm.inputToggle.placeholder.email-confirmation-redirection": "ej: https://tufrontend.com/restablecer-contrasena",
+  "EditForm.inputToggle.placeholder.email-reset-password": "ej: https://tufrontend.com/restablecer-contrasena",
+  "EditPage.form.roles": "Detalles del rol",
+  "Email.template.data.loaded": "Se han cargado las plantillas de correo electrónico",
   "Email.template.email_confirmation": "Confirmación de dirección de correo electrónico",
+  "Email.template.form.edit.label": "Editar una plantilla",
   "Email.template.reset_password": "Restablecer la contraseña",
+  "Email.template.table.action.label": "acción",
+  "Email.template.table.icon.label": "icono",
+  "Email.template.table.name.label": "nombre",
+  "Form.advancedSettings.data.loaded": "Se han cargado los datos de configuración avanzada",
+  "Form.save": "Guardar",
+  "Form.title.advancedSettings": "Ajustes",
   "HeaderNav.link.advancedSettings": "Ajustes avanzados",
   "HeaderNav.link.emailTemplates": "Plantillas de email",
   "HeaderNav.link.providers": "Proveedores",
@@ -42,14 +53,37 @@
   "PopUpForm.Providers.redirectURL.label": "La URL de redireccionamiento para agregar en las configuraciones de su aplicación de {proveedor}",
   "PopUpForm.Providers.secret.label": "Secreto Cliente",
   "PopUpForm.Providers.secret.placeholder": "TEXTO",
-  "PopUpForm.Providers.subdomain.label": "Host URI (Subdomain)",
-  "PopUpForm.Providers.subdomain.placeholder": "my.subdomain.com",
+  "PopUpForm.Providers.subdomain.label": "URI de host (subdominio)",
+  "PopUpForm.Providers.subdomain.placeholder": "mi.subdominio.com",
   "PopUpForm.header.edit.email-templates": "Editar Plantillas de Email",
   "PopUpForm.header.edit.providers": "Editar proveedor",
+  "Providers.data.loaded": "Los proveedores se han cargado",
+  "Providers.disabled": "Deshabilitado",
+  "Providers.enabled": "Habilitado",
+  "Providers.image": "Imagen",
+  "Providers.name": "Nombre",
+  "Providers.settings": "Ajustes",
+  "Providers.status": "Estado",
+  "Roles.description": "Descripción",
+  "Roles.empty": "Aún no tienes ningún rol.",
+  "Roles.empty.search": "Ningún rol coincide con la búsqueda.",
+  "Roles.name": "Nombre",
+  "Roles.users": "Usuarios",
   "Settings.roles.deleted": "Rol eliminado",
   "Settings.roles.edited": "Rol editado",
   "Settings.section-label": "Plugin de Usuarios y Permisos",
+  "components.Input.error.validation.email": "El correo electrónico inválido",
+  "components.Input.error.validation.json": "No coincide con el formato JSON",
+  "components.Input.error.validation.max": "El valor es demasiado alto.",
+  "components.Input.error.validation.maxLength": "El valor es demasiado largo.",
+  "components.Input.error.validation.min": "El valor es demasiado bajo.",
+  "components.Input.error.validation.minLength": "El valor es demasiado corto.",
+  "components.Input.error.validation.minSupMax": "No puede ser superior",
+  "components.Input.error.validation.regex": "El valor no coincide con la expresión regular.",
+  "components.Input.error.validation.required": "Este valor es obligatorio.",
+  "components.Input.error.validation.unique": "Este valor ya se utiliza.",
   "notification.success.submit": "Los ajustes se han actualizado",
+  "page.title": "Configuración - Roles",
   "plugin.description.long": "Proteja su API con un proceso de autenticación completo basado en JWT. Este plugin viene también con una estrategia ACL que le permite administrar los permisos entre los grupos de usuarios.",
   "plugin.description.short": "Proteja su API con un proceso de autenticación completo basado en JWT",
   "plugin.name": "Roles y Permisos",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.0.4",
+  "version": "4.0.8",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -28,8 +28,8 @@
   },
   "dependencies": {
     "@purest/providers": "^1.0.2",
-    "@strapi/helper-plugin": "4.0.4",
-    "@strapi/utils": "4.0.4",
+    "@strapi/helper-plugin": "4.0.8",
+    "@strapi/utils": "4.0.8",
     "bcryptjs": "2.4.3",
     "grant-koa": "5.4.8",
     "jsonwebtoken": "^8.1.0",
@@ -61,5 +61,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "d81919ac2272948b3f5d3b25a4cf8cc7b6994460"
+  "gitHead": "669bb2f0440d3b21a23c8d665fdba98bd3d8cc71"
 }

package/server/bootstrap/index.js

@@ -8,6 +8,7 @@
  * run jobs, or perform some special logic.
  */
 const _ = require('lodash');
+const urljoin = require('url-join');
 const uuid = require('uuid/v4');
 const { getService } = require('../utils');
 
@@ -31,14 +32,17 @@ module.exports = async ({ strapi }) => {
     strapi.config.set('plugin.users-permissions.jwtSecret', jwtSecret);
 
     if (!process.env.JWT_SECRET) {
-      strapi.fs.appendFile('.env', `JWT_SECRET=${jwtSecret}\n`);
+      strapi.fs.appendFile(process.env.ENV_PATH || '.env', `JWT_SECRET=${jwtSecret}\n`);
+      strapi.log.info(
+        'The Users & Permissions plugin automatically generated a jwt secret and stored it in your .env file under the name JWT_SECRET.'
+      );
     }
   }
 };
 
 const initGrant = async pluginStore => {
   const apiPrefix = strapi.config.get('api.rest.prefix');
-  const baseURL = `${strapi.config.server.url}/${apiPrefix}/auth`;
+  const baseURL = urljoin(strapi.config.server.url, apiPrefix, 'auth');
 
   const grantConfig = {
     email: {

package/server/controllers/auth.js

@@ -137,13 +137,8 @@ module.exports = {
         throw new ValidationError('Incorrect code provided');
       }
 
-      const password = await getService('user').hashPassword({ password: params.password });
-
+      await getService('user').edit(user.id, { resetPasswordToken: null, password: params.password });
       // Update the user.
-      await strapi
-        .query('plugin::users-permissions.user')
-        .update({ where: { id: user.id }, data: { resetPasswordToken: null, password } });
-
       ctx.send({
         jwt: getService('jwt').issue({ id: user.id }),
         user: await sanitizeUser(user, ctx),
@@ -188,7 +183,10 @@ module.exports = {
     }
 
     // Ability to pass OAuth callback dynamically
-    grantConfig[provider].callback = _.get(ctx, 'query.callback') || grantConfig[provider].callback;
+    grantConfig[provider].callback =
+      _.get(ctx, 'query.callback') ||
+      _.get(ctx, 'session.grant.dynamic.callback') ||
+      grantConfig[provider].callback;
     grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);
 
     return grant(grantConfig)(ctx, next);
@@ -322,7 +320,6 @@ module.exports = {
     }
 
     params.role = role.id;
-    params.password = await getService('user').hashPassword(params);
 
     const user = await strapi.query('plugin::users-permissions.user').findOne({
       where: { email: params.email },
@@ -341,7 +338,7 @@ module.exports = {
         params.confirmed = true;
       }
 
-      const user = await strapi.query('plugin::users-permissions.user').create({ data: params });
+    const user = await getService('user').add(params);
 
       const sanitizedUser = await sanitizeUser(user, ctx);
 
@@ -364,8 +361,11 @@ module.exports = {
     } catch (err) {
       if (_.includes(err.message, 'username')) {
         throw new ApplicationError('Username already taken');
-      } else {
+      } else if (_.includes(err.message, 'email')) {
         throw new ApplicationError('Email already taken');
+      } else {
+        strapi.log.error(err);
+        throw new ApplicationError('An error occurred during account creation');
       }
     }
   },

package/server/services/jwt.js

@@ -21,8 +21,6 @@ module.exports = ({ strapi }) => ({
       }
 
       token = parts[1];
-    } else if (ctx.query.access_token) {
-      token = ctx.query.access_token;
     } else {
       return null;
     }

package/server/services/user.js

@@ -8,6 +8,7 @@
 
 const crypto = require('crypto');
 const bcrypt = require('bcryptjs');
+const urlJoin = require('url-join');
 
 const { getAbsoluteServerUrl, sanitize } = require('@strapi/utils');
 const { getService } = require('../utils');
@@ -34,13 +35,10 @@ module.exports = ({ strapi }) => ({
    * @return {Promise}
    */
   async add(values) {
-    if (values.password) {
-      values.password = await getService('user').hashPassword(values);
-    }
-
-    return strapi
-      .query('plugin::users-permissions.user')
-      .create({ data: values, populate: ['role'] });
+    return strapi.entityService.create('plugin::users-permissions.user', {
+      data: values,
+      populate: ['role'],
+    });
   },
 
   /**
@@ -50,18 +48,10 @@ module.exports = ({ strapi }) => ({
    * @return {Promise}
    */
   async edit(userId, params = {}) {
-    if (params.password) {
-      params.password = await getService('user').hashPassword(params);
-    }
-
-    return strapi.entityService.update(
-      'plugin::users-permissions.user',
-      userId,
-      {
-        data: params,
-        populate: ['role']
-      }
-    );
+    return strapi.entityService.update('plugin::users-permissions.user', userId, {
+      data: params,
+      populate: ['role'],
+    });
   },
 
   /**
@@ -90,21 +80,13 @@ module.exports = ({ strapi }) => ({
     return strapi.query('plugin::users-permissions.user').findMany({ where: params, populate });
   },
 
-  hashPassword(user = {}) {
-    return new Promise((resolve, reject) => {
-      if (!user.password || this.isHashed(user.password)) {
-        resolve(null);
-      } else {
-        bcrypt.hash(`${user.password}`, 10, (err, hash) => {
-          if (err) {
-            return reject(err);
-          }
-          resolve(hash);
-        });
-      }
-    });
+  /**
+   * Promise to remove a/an user.
+   * @return {Promise}
+   */
+  async remove(params) {
+    return strapi.query('plugin::users-permissions.user').delete({ where: params });
   },
-
   isHashed(password) {
     if (typeof password !== 'string' || !password) {
       return false;
@@ -113,14 +95,6 @@ module.exports = ({ strapi }) => ({
     return password.split('$').length === 4;
   },
 
-  /**
-   * Promise to remove a/an user.
-   * @return {Promise}
-   */
-  async remove(params) {
-    return strapi.query('plugin::users-permissions.user').delete({ where: params });
-  },
-
   validatePassword(password, hash) {
     return bcrypt.compare(password, hash);
   },
@@ -141,8 +115,9 @@ module.exports = ({ strapi }) => ({
 
     await this.edit(user.id, { confirmationToken });
 
+    const apiPrefix = strapi.config.get('api.rest.prefix');
     settings.message = await userPermissionService.template(settings.message, {
-      URL: `${getAbsoluteServerUrl(strapi.config)}/auth/email-confirmation`,
+      URL: urlJoin(getAbsoluteServerUrl(strapi.config), apiPrefix, '/auth/email-confirmation'),
       USER: sanitizedUserInfo,
       CODE: confirmationToken,
     });

package/server/services/users-permissions.js

@@ -2,6 +2,7 @@
 
 const _ = require('lodash');
 const { filter, map, pipe, prop } = require('lodash/fp');
+const urlJoin = require('url-join');
 
 const { getService } = require('../utils');
 
@@ -112,9 +113,10 @@ module.exports = ({ strapi }) => ({
         return;
       }
 
+      const apiPrefix = strapi.config.get('api.rest.prefix');
       routesMap[`api::${apiName}`] = routes.map(route => ({
         ...route,
-        path: `/api${route.path}`,
+        path: urlJoin(apiPrefix, route.path),
       }));
     });
 
@@ -133,9 +135,10 @@ module.exports = ({ strapi }) => ({
         return;
       }
 
+      const apiPrefix = strapi.config.get('api.rest.prefix');
       routesMap[`plugin::${pluginName}`] = routes.map(route => ({
         ...route,
-        path: `/api${route.path}`,
+        path: urlJoin(apiPrefix, route.path),
       }));
     });
 

package/server/strategies/users-permissions.js

@@ -67,40 +67,25 @@ const authenticate = async ctx => {
 const verify = async (auth, config) => {
   const { credentials: user } = auth;
 
-  // public accesss
-  if (!user) {
-    // test against public role
-    const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
-      where: {
-        role: { type: 'public' },
-      },
-    });
-
-    const allowedActions = map('action', publicPermissions);
-
-    // A non authenticated user cannot access routes that do not have a scope
-    if (!config.scope) {
+  if (!config.scope) {
+    if (!user) {
+      // A non authenticated user cannot access routes that do not have a scope
       throw new UnauthorizedError();
+    } else {
+      // An authenticated user can access non scoped routes
+      return;
     }
-
-    const isAllowed = castArray(config.scope).every(scope => allowedActions.includes(scope));
-
-    if (!isAllowed) {
-      throw new ForbiddenError();
-    }
-
-    return;
   }
 
-  const permissions = await strapi.query('plugin::users-permissions.permission').findMany({
-    where: { role: user.role.id },
-  });
+  let allowedActions = auth.allowedActions;
 
-  const allowedActions = map('action', permissions);
+  if (!allowedActions) {
+    const permissions = await strapi.query('plugin::users-permissions.permission').findMany({
+      where: { role: user ? user.role.id : { type: 'public' } },
+    });
 
-  // An authenticated user can access non scoped routes
-  if (!config.scope) {
-    return;
+    allowedActions = map('action', permissions);
+    auth.allowedActions = allowedActions;
   }
 
   const isAllowed = castArray(config.scope).every(scope => allowedActions.includes(scope));
@@ -108,12 +93,6 @@ const verify = async (auth, config) => {
   if (!isAllowed) {
     throw new ForbiddenError();
   }
-
-  // TODO: if we need to keep policies for u&p execution
-  // Execute the policies.
-  // if (permission.policy) {
-  //   return await strapi.plugin('users-permissions').policy(permission.policy)(ctx, next);
-  // }
 };
 
 module.exports = {