@strapi/plugin-users-permissions 4.0.7 → 4.0.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.0.7",
+  "version": "4.0.8",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -28,8 +28,8 @@
   },
   "dependencies": {
     "@purest/providers": "^1.0.2",
-    "@strapi/helper-plugin": "4.0.7",
-    "@strapi/utils": "4.0.7",
+    "@strapi/helper-plugin": "4.0.8",
+    "@strapi/utils": "4.0.8",
     "bcryptjs": "2.4.3",
     "grant-koa": "5.4.8",
     "jsonwebtoken": "^8.1.0",
@@ -61,5 +61,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "af0cba8c5b2ba7b371523e8f55413ef0fce98e1e"
+  "gitHead": "669bb2f0440d3b21a23c8d665fdba98bd3d8cc71"
 }

package/server/bootstrap/index.js

@@ -8,6 +8,7 @@
  * run jobs, or perform some special logic.
  */
 const _ = require('lodash');
+const urljoin = require('url-join');
 const uuid = require('uuid/v4');
 const { getService } = require('../utils');
 
@@ -41,7 +42,7 @@ module.exports = async ({ strapi }) => {
 
 const initGrant = async pluginStore => {
   const apiPrefix = strapi.config.get('api.rest.prefix');
-  const baseURL = `${strapi.config.server.url}/${apiPrefix}/auth`;
+  const baseURL = urljoin(strapi.config.server.url, apiPrefix, 'auth');
 
   const grantConfig = {
     email: {

package/server/strategies/users-permissions.js

@@ -67,40 +67,25 @@ const authenticate = async ctx => {
 const verify = async (auth, config) => {
   const { credentials: user } = auth;
 
-  // public accesss
-  if (!user) {
-    // test against public role
-    const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
-      where: {
-        role: { type: 'public' },
-      },
-    });
-
-    const allowedActions = map('action', publicPermissions);
-
-    // A non authenticated user cannot access routes that do not have a scope
-    if (!config.scope) {
+  if (!config.scope) {
+    if (!user) {
+      // A non authenticated user cannot access routes that do not have a scope
       throw new UnauthorizedError();
+    } else {
+      // An authenticated user can access non scoped routes
+      return;
     }
-
-    const isAllowed = castArray(config.scope).every(scope => allowedActions.includes(scope));
-
-    if (!isAllowed) {
-      throw new ForbiddenError();
-    }
-
-    return;
   }
 
-  const permissions = await strapi.query('plugin::users-permissions.permission').findMany({
-    where: { role: user.role.id },
-  });
+  let allowedActions = auth.allowedActions;
 
-  const allowedActions = map('action', permissions);
+  if (!allowedActions) {
+    const permissions = await strapi.query('plugin::users-permissions.permission').findMany({
+      where: { role: user ? user.role.id : { type: 'public' } },
+    });
 
-  // An authenticated user can access non scoped routes
-  if (!config.scope) {
-    return;
+    allowedActions = map('action', permissions);
+    auth.allowedActions = allowedActions;
   }
 
   const isAllowed = castArray(config.scope).every(scope => allowedActions.includes(scope));
@@ -108,12 +93,6 @@ const verify = async (auth, config) => {
   if (!isAllowed) {
     throw new ForbiddenError();
   }
-
-  // TODO: if we need to keep policies for u&p execution
-  // Execute the policies.
-  // if (permission.policy) {
-  //   return await strapi.plugin('users-permissions').policy(permission.policy)(ctx, next);
-  // }
 };
 
 module.exports = {