@strapi/plugin-users-permissions 4.20.5 → 5.0.0-alpha.1

package/server/bootstrap/index.js

@@ -10,12 +10,9 @@
 const crypto = require('crypto');
 const _ = require('lodash');
 const urljoin = require('url-join');
-const { isArray } = require('lodash/fp');
 const { getService } = require('../utils');
 const getGrantConfig = require('./grant-config');
-
 const usersPermissionsActions = require('./users-permissions-actions');
-const userSchema = require('../content-types/user');
 
 const initGrant = async (pluginStore) => {
   const apiPrefix = strapi.config.get('api.rest.prefix');
@@ -99,27 +96,6 @@ const initAdvancedOptions = async (pluginStore) => {
   }
 };
 
-const userSchemaAdditions = () => {
-  const defaultSchema = Object.keys(userSchema.attributes);
-  const currentSchema = Object.keys(
-    strapi.contentTypes['plugin::users-permissions.user'].attributes
-  );
-
-  // Some dynamic fields may not have been initialized yet, so we need to ignore them
-  // TODO: we should have a global method for finding these
-  const ignoreDiffs = [
-    'createdBy',
-    'createdAt',
-    'updatedBy',
-    'updatedAt',
-    'publishedAt',
-    'strapi_stage',
-    'strapi_assignee',
-  ];
-
-  return currentSchema.filter((key) => !(ignoreDiffs.includes(key) || defaultSchema.includes(key)));
-};
-
 module.exports = async ({ strapi }) => {
   const pluginStore = strapi.store({ type: 'plugin', name: 'users-permissions' });
 
@@ -133,7 +109,7 @@ module.exports = async ({ strapi }) => {
 
   await getService('users-permissions').initialize();
 
-  if (!strapi.config.get('plugin.users-permissions.jwtSecret')) {
+  if (!strapi.config.get('plugin::users-permissions.jwtSecret')) {
     if (process.env.NODE_ENV !== 'development') {
       throw new Error(
         `Missing jwtSecret. Please, set configuration variable "jwtSecret" for the users-permissions plugin in config/plugins.js (ex: you can generate one using Node with \`crypto.randomBytes(16).toString('base64')\`).
@@ -143,7 +119,7 @@ For security reasons, prefer storing the secret in an environment variable and r
 
     const jwtSecret = crypto.randomBytes(16).toString('base64');
 
-    strapi.config.set('plugin.users-permissions.jwtSecret', jwtSecret);
+    strapi.config.set('plugin::users-permissions.jwtSecret', jwtSecret);
 
     if (!process.env.JWT_SECRET) {
       const envPath = process.env.ENV_PATH || '.env';
@@ -153,17 +129,4 @@ For security reasons, prefer storing the secret in an environment variable and r
       );
     }
   }
-
-  // TODO v5: Remove this block of code and default allowedFields to empty array
-  if (!isArray(strapi.config.get('plugin.users-permissions.register.allowedFields'))) {
-    const modifications = userSchemaAdditions();
-    if (modifications.length > 0) {
-      // if there is a potential vulnerability, show a warning
-      strapi.log.warn(
-        `Users-permissions registration has defaulted to accepting the following additional user fields during registration: ${modifications.join(
-          ','
-        )}`
-      );
-    }
-  }
 };

package/server/content-types/user/index.js

@@ -12,7 +12,6 @@ module.exports = {
     displayName: 'User',
   },
   options: {
-    draftAndPublish: false,
     timestamps: true,
   },
   attributes: {

package/server/controllers/auth.js

@@ -11,9 +11,6 @@ const crypto = require('crypto');
 const _ = require('lodash');
 const { concat, compact, isArray } = require('lodash/fp');
 const utils = require('@strapi/utils');
-const {
-  contentTypes: { getNonWritableAttributes },
-} = require('@strapi/utils');
 const { getService } = require('../utils');
 const {
   validateCallbackBody,
@@ -25,7 +22,7 @@ const {
   validateChangePasswordBody,
 } = require('./validation/auth');
 
-const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
+const { sanitize } = utils;
 const { ApplicationError, ValidationError, ForbiddenError } = utils.errors;
 
 const sanitizeUser = (user, ctx) => {
@@ -55,7 +52,7 @@ module.exports = {
       const { identifier } = params;
 
       // Check if the user exists.
-      const user = await strapi.query('plugin::users-permissions.user').findOne({
+      const user = await strapi.db.query('plugin::users-permissions.user').findOne({
         where: {
           provider,
           $or: [{ email: identifier.toLowerCase() }, { username: identifier }],
@@ -120,10 +117,9 @@ module.exports = {
 
     const { currentPassword, password } = await validateChangePasswordBody(ctx.request.body);
 
-    const user = await strapi.entityService.findOne(
-      'plugin::users-permissions.user',
-      ctx.state.user.id
-    );
+    const user = await strapi.db
+      .query('plugin::users-permissions.user')
+      .findOne({ where: { id: ctx.state.user.id } });
 
     const validPassword = await getService('user').validatePassword(currentPassword, user.password);
 
@@ -152,7 +148,7 @@ module.exports = {
       throw new ValidationError('Passwords do not match');
     }
 
-    const user = await strapi
+    const user = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { resetPasswordToken: code } });
 
@@ -219,7 +215,7 @@ module.exports = {
     const advancedSettings = await pluginStore.get({ key: 'advanced' });
 
     // Find the user by email.
-    const user = await strapi
+    const user = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { email: email.toLowerCase() } });
 
@@ -237,8 +233,8 @@ module.exports = {
       resetPasswordSettings.message,
       {
         URL: advancedSettings.email_reset_password,
-        SERVER_URL: getAbsoluteServerUrl(strapi.config),
-        ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
+        SERVER_URL: strapi.config.get('server.absoluteUrl'),
+        ADMIN_URL: strapi.config.get('admin.absoluteUrl'),
         USER: userInfo,
         TOKEN: resetPasswordToken,
       }
@@ -281,47 +277,22 @@ module.exports = {
       throw new ApplicationError('Register action is currently disabled');
     }
 
-    const { register } = strapi.config.get('plugin.users-permissions');
+    const { register } = strapi.config.get('plugin::users-permissions');
     const alwaysAllowedKeys = ['username', 'password', 'email'];
-    const userModel = strapi.contentTypes['plugin::users-permissions.user'];
-    const { attributes } = userModel;
-
-    const nonWritable = getNonWritableAttributes(userModel);
 
+    // Note that we intentionally do not filter allowedFields to allow a project to explicitly accept private or other Strapi field on registration
     const allowedKeys = compact(
-      concat(
-        alwaysAllowedKeys,
-        isArray(register?.allowedFields)
-          ? // Note that we do not filter allowedFields in case a user explicitly chooses to allow a private or otherwise omitted field on registration
-            register.allowedFields // if null or undefined, compact will remove it
-          : // to prevent breaking changes, if allowedFields is not set in config, we only remove private and known dangerous user schema fields
-            // TODO V5: allowedFields defaults to [] when undefined and remove this case
-            Object.keys(attributes).filter(
-              (key) =>
-                !nonWritable.includes(key) &&
-                !attributes[key].private &&
-                ![
-                  // many of these are included in nonWritable, but we'll list them again to be safe and since we're removing this code in v5 anyway
-                  // Strapi user schema fields
-                  'confirmed',
-                  'blocked',
-                  'confirmationToken',
-                  'resetPasswordToken',
-                  'provider',
-                  'id',
-                  'role',
-                  // other Strapi fields that might be added
-                  'createdAt',
-                  'updatedAt',
-                  'createdBy',
-                  'updatedBy',
-                  'publishedAt', // d&p
-                  'strapi_reviewWorkflows_stage', // review workflows
-                ].includes(key)
-            )
-      )
+      concat(alwaysAllowedKeys, isArray(register?.allowedFields) ? register.allowedFields : [])
     );
 
+    // Check if there are any keys in requestBody that are not in allowedKeys
+    const invalidKeys = Object.keys(ctx.request.body).filter((key) => !allowedKeys.includes(key));
+
+    if (invalidKeys.length > 0) {
+      // If there are invalid keys, throw an error
+      throw new ValidationError(`Invalid parameters: ${invalidKeys.join(', ')}`);
+    }
+
     const params = {
       ..._.pick(ctx.request.body, allowedKeys),
       provider: 'local',
@@ -329,7 +300,7 @@ module.exports = {
 
     await validateRegisterBody(params);
 
-    const role = await strapi
+    const role = await strapi.db
       .query('plugin::users-permissions.role')
       .findOne({ where: { type: settings.default_role } });
 
@@ -348,7 +319,7 @@ module.exports = {
       ],
     };
 
-    const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+    const conflictingUserCount = await strapi.db.query('plugin::users-permissions.user').count({
       where: { ...identifierFilter, provider },
     });
 
@@ -357,7 +328,7 @@ module.exports = {
     }
 
     if (settings.unique_email) {
-      const conflictingUserCount = await strapi.query('plugin::users-permissions.user').count({
+      const conflictingUserCount = await strapi.db.query('plugin::users-permissions.user').count({
         where: { ...identifierFilter },
       });
 
@@ -427,7 +398,7 @@ module.exports = {
   async sendEmailConfirmation(ctx) {
     const { email } = await validateSendEmailConfirmationBody(ctx.request.body);
 
-    const user = await strapi.query('plugin::users-permissions.user').findOne({
+    const user = await strapi.db.query('plugin::users-permissions.user').findOne({
       where: { email: email.toLowerCase() },
     });
 

package/server/controllers/content-manager-user.js

@@ -17,24 +17,23 @@ const ACTIONS = {
 };
 
 const findEntityAndCheckPermissions = async (ability, action, model, id) => {
-  const entity = await strapi.query(userModel).findOne({
-    where: { id },
+  const doc = await strapi.service('plugin::content-manager.document-manager').findOne(id, model, {
     populate: [`${CREATED_BY_ATTRIBUTE}.roles`],
   });
 
-  if (_.isNil(entity)) {
+  if (_.isNil(doc)) {
     throw new NotFoundError();
   }
 
   const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });
 
-  if (pm.ability.cannot(pm.action, pm.toSubject(entity))) {
+  if (pm.ability.cannot(pm.action, pm.toSubject(doc))) {
     throw new ForbiddenError();
   }
 
-  const entityWithoutCreatorRoles = _.omit(entity, `${CREATED_BY_ATTRIBUTE}.roles`);
+  const docWithoutCreatorRoles = _.omit(doc, `${CREATED_BY_ATTRIBUTE}.roles`);
 
-  return { pm, entity: entityWithoutCreatorRoles };
+  return { pm, doc: docWithoutCreatorRoles };
 };
 
 module.exports = {
@@ -66,7 +65,7 @@ module.exports = {
 
     await validateCreateUserBody(ctx.request.body);
 
-    const userWithSameUsername = await strapi
+    const userWithSameUsername = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { username } });
 
@@ -75,7 +74,7 @@ module.exports = {
     }
 
     if (advanced.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: email.toLowerCase() } });
 
@@ -93,18 +92,11 @@ module.exports = {
 
     user.email = _.toLower(user.email);
 
-    if (!user.role) {
-      const defaultRole = await strapi
-        .query('plugin::users-permissions.role')
-        .findOne({ where: { type: advanced.default_role } });
-
-      user.role = defaultRole.id;
-    }
-
     try {
       const data = await strapi
-        .service('plugin::content-manager.entity-manager')
-        .create(user, userModel);
+        .service('plugin::content-manager.document-manager')
+        .create(userModel, { data: user });
+
       const sanitizedData = await pm.sanitizeOutput(data, { action: ACTIONS.read });
 
       ctx.created(sanitizedData);
@@ -118,7 +110,7 @@ module.exports = {
    */
 
   async update(ctx) {
-    const { id } = ctx.params;
+    const { id: documentId } = ctx.params;
     const { body } = ctx.request;
     const { user: admin, userAbility } = ctx.state;
 
@@ -128,13 +120,14 @@ module.exports = {
 
     const { email, username, password } = body;
 
-    const { pm, entity } = await findEntityAndCheckPermissions(
+    const { pm, doc } = await findEntityAndCheckPermissions(
       userAbility,
       ACTIONS.edit,
       userModel,
-      id
+      documentId
     );
-    const user = entity;
+
+    const user = doc;
 
     await validateUpdateUserBody(ctx.request.body);
 
@@ -143,23 +136,24 @@ module.exports = {
     }
 
     if (_.has(body, 'username')) {
-      const userWithSameUsername = await strapi
+      const userWithSameUsername = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { username } });
 
-      if (userWithSameUsername && _.toString(userWithSameUsername.id) !== _.toString(id)) {
+      if (userWithSameUsername && _.toString(userWithSameUsername.id) !== _.toString(user.id)) {
         throw new ApplicationError('Username already taken');
       }
     }
 
     if (_.has(body, 'email') && advancedConfigs.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: _.toLower(email) } });
 
-      if (userWithSameEmail && _.toString(userWithSameEmail.id) !== _.toString(id)) {
+      if (userWithSameEmail && _.toString(userWithSameEmail.id) !== _.toString(user.id)) {
         throw new ApplicationError('Email already taken');
       }
+
       body.email = _.toLower(body.email);
     }
 
@@ -167,8 +161,10 @@ module.exports = {
     const updateData = _.omit({ ...sanitizedData, updatedBy: admin.id }, 'createdBy');
 
     const data = await strapi
-      .service('plugin::content-manager.entity-manager')
-      .update({ id }, updateData, userModel);
+      .service('plugin::content-manager.document-manager')
+      .update(documentId, userModel, {
+        data: updateData,
+      });
 
     ctx.body = await pm.sanitizeOutput(data, { action: ACTIONS.read });
   },

package/server/controllers/role.js

@@ -59,7 +59,7 @@ module.exports = {
     }
 
     // Fetch public role.
-    const publicRole = await strapi
+    const publicRole = await strapi.db
       .query('plugin::users-permissions.role')
       .findOne({ where: { type: 'public' } });
 

package/server/controllers/user.js

@@ -49,7 +49,7 @@ module.exports = {
 
     const { email, username, role } = ctx.request.body;
 
-    const userWithSameUsername = await strapi
+    const userWithSameUsername = await strapi.db
       .query('plugin::users-permissions.user')
       .findOne({ where: { username } });
 
@@ -58,7 +58,7 @@ module.exports = {
     }
 
     if (advanced.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: email.toLowerCase() } });
 
@@ -74,7 +74,7 @@ module.exports = {
     };
 
     if (!role) {
-      const defaultRole = await strapi
+      const defaultRole = await strapi.db
         .query('plugin::users-permissions.role')
         .findOne({ where: { type: advanced.default_role } });
 
@@ -115,7 +115,7 @@ module.exports = {
     }
 
     if (_.has(ctx.request.body, 'username')) {
-      const userWithSameUsername = await strapi
+      const userWithSameUsername = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { username } });
 
@@ -125,7 +125,7 @@ module.exports = {
     }
 
     if (_.has(ctx.request.body, 'email') && advancedConfigs.unique_email) {
-      const userWithSameEmail = await strapi
+      const userWithSameEmail = await strapi.db
         .query('plugin::users-permissions.user')
         .findOne({ where: { email: email.toLowerCase() } });
 

package/server/middlewares/rateLimit.js

@@ -9,7 +9,7 @@ const { RateLimitError } = utils.errors;
 module.exports =
   (config, { strapi }) =>
   async (ctx, next) => {
-    let rateLimitConfig = strapi.config.get('plugin.users-permissions.ratelimit');
+    let rateLimitConfig = strapi.config.get('plugin::users-permissions.ratelimit');
 
     if (!rateLimitConfig) {
       rateLimitConfig = {

package/server/register.js

@@ -7,7 +7,7 @@ const authStrategy = require('./strategies/users-permissions');
 const sanitizers = require('./utils/sanitize/sanitizers');
 
 module.exports = ({ strapi }) => {
-  strapi.container.get('auth').register('content-api', authStrategy);
+  strapi.get('auth').register('content-api', authStrategy);
   strapi.sanitizers.add('content-api.output', sanitizers.defaultSanitizeOutput);
 
   if (strapi.plugin('graphql')) {

package/server/services/jwt.js

@@ -29,10 +29,10 @@ module.exports = ({ strapi }) => ({
   },
 
   issue(payload, jwtOptions = {}) {
-    _.defaults(jwtOptions, strapi.config.get('plugin.users-permissions.jwt'));
+    _.defaults(jwtOptions, strapi.config.get('plugin::users-permissions.jwt'));
     return jwt.sign(
       _.clone(payload.toJSON ? payload.toJSON() : payload),
-      strapi.config.get('plugin.users-permissions.jwtSecret'),
+      strapi.config.get('plugin::users-permissions.jwtSecret'),
       jwtOptions
     );
   },
@@ -41,7 +41,7 @@ module.exports = ({ strapi }) => ({
     return new Promise((resolve, reject) => {
       jwt.verify(
         token,
-        strapi.config.get('plugin.users-permissions.jwtSecret'),
+        strapi.config.get('plugin::users-permissions.jwtSecret'),
         {},
         (err, tokenPayload = {}) => {
           if (err) {

package/server/services/permission.js

@@ -11,11 +11,7 @@ module.exports = ({ strapi }) => ({
    * @return {object[]}
    */
   async findRolePermissions(roleID) {
-    return strapi.entityService.load(
-      'plugin::users-permissions.role',
-      { id: roleID },
-      'permissions'
-    );
+    return strapi.db.query('plugin::users-permissions.role').load({ id: roleID }, 'permissions');
   },
 
   /**
@@ -24,8 +20,8 @@ module.exports = ({ strapi }) => ({
    * @return {object[]}
    */
   async findPublicPermissions() {
-    return strapi.entityService.findMany('plugin::users-permissions.permission', {
-      filters: PUBLIC_ROLE_FILTER,
+    return strapi.db.query('plugin::users-permissions.permission').findMany({
+      where: PUBLIC_ROLE_FILTER,
     });
   },
 

package/server/services/providers-registry.js

@@ -331,6 +331,21 @@ const getInitialProviders = ({ purest }) => ({
         };
       });
   },
+  async keycloak({ accessToken, providers }) {
+    const keycloak = purest({ provider: 'keycloak' });
+
+    return keycloak
+      .subdomain(providers.keycloak.subdomain)
+      .get('protocol/openid-connect/userinfo')
+      .auth(accessToken)
+      .request()
+      .then(({ body }) => {
+        return {
+          username: body.preferred_username,
+          email: body.email,
+        };
+      });
+  },
 });
 
 module.exports = () => {

package/server/services/providers.js

@@ -8,7 +8,6 @@
 const _ = require('lodash');
 const urlJoin = require('url-join');
 
-const { getAbsoluteServerUrl } = require('@strapi/utils');
 const { getService } = require('../utils');
 
 module.exports = ({ strapi }) => {
@@ -60,7 +59,7 @@ module.exports = ({ strapi }) => {
       throw new Error('Email was not available.');
     }
 
-    const users = await strapi.query('plugin::users-permissions.user').findMany({
+    const users = await strapi.db.query('plugin::users-permissions.user').findMany({
       where: { email },
     });
 
@@ -83,7 +82,7 @@ module.exports = ({ strapi }) => {
     }
 
     // Retrieve default role.
-    const defaultRole = await strapi
+    const defaultRole = await strapi.db
       .query('plugin::users-permissions.role')
       .findOne({ where: { type: advancedSettings.default_role } });
 
@@ -96,7 +95,7 @@ module.exports = ({ strapi }) => {
       confirmed: true,
     };
 
-    const createdUser = await strapi
+    const createdUser = await strapi.db
       .query('plugin::users-permissions.user')
       .create({ data: newUser });
 
@@ -105,7 +104,13 @@ module.exports = ({ strapi }) => {
 
   const buildRedirectUri = (provider = '') => {
     const apiPrefix = strapi.config.get('api.rest.prefix');
-    return urlJoin(getAbsoluteServerUrl(strapi.config), apiPrefix, 'connect', provider, 'callback');
+    return urlJoin(
+      strapi.config.get('server.absoluteUrl'),
+      apiPrefix,
+      'connect',
+      provider,
+      'callback'
+    );
   };
 
   return {