@strapi/plugin-users-permissions 4.4.0-rc.1 → 4.5.0-alpha.0

@@ -695,7 +695,7 @@ paths:
695
695
  type: string
696
696
  description: user Id
697
697
  responses:
698
- '200':
698
+ "200":
699
699
  description: Returns deleted user info
700
700
  content:
701
701
  application/json:
@@ -868,3 +868,4 @@ components:
868
868
  controllerA:
869
869
  find:
870
870
  enabled: true
871
+
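--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@strapi/plugin-users-permissions",
-"version": "4.4.0-rc.1",
+"version": "4.5.0-alpha.0",
 "description": "Protect your API with a full-authentication process based on JWT",
 "repository": {
 "type": "git",
@@ -27,8 +27,8 @@
 "test:front:watch:ce": "cross-env IS_EE=false jest --config ./jest.config.front.js --watchAll"
 },
 "dependencies": {
-"@strapi/helper-plugin": "4.4.0-rc.1",
-"@strapi/utils": "4.4.0-rc.1",
+"@strapi/helper-plugin": "4.5.0-alpha.0",
+"@strapi/utils": "4.5.0-alpha.0",
 "bcryptjs": "2.4.3",
 "grant-koa": "5.4.8",
 "jsonwebtoken": "^8.1.0",
@@ -64,5 +64,5 @@
 "required": true,
 "kind": "plugin"
 },
-"gitHead": "00c788873a5b25b63ccdeaad6b0781d26c26d90d"
+"gitHead": "c9a98c4dbcf3c4f2a449f8d96e7cbe4cd9b1e0f5"
 }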
@@ -6,7 +6,6 @@ const user = require('./user');
6
6
  const role = require('./role');
7
7
  const usersPermissions = require('./users-permissions');
8
8
  const providersRegistry = require('./providers-registry');
9
- const permission = require('./permission');
10
9
 
11
10
  module.exports = {
12
11
  jwt,
@@ -15,5 +14,4 @@ module.exports = {
15
14
  role,
16
15
  user,
17
16
  'users-permissions': usersPermissions,
18
- permission,
19
17
  };
@@ -1,6 +1,6 @@
1
1
  'use strict';
2
2
 
3
- const { castArray, map, every, pipe } = require('lodash/fp');
3
+ const { castArray, map } = require('lodash/fp');
4
4
  const { ForbiddenError, UnauthorizedError } = require('@strapi/utils').errors;
5
5
 
6
6
  const { getService } = require('../utils');
@@ -16,61 +16,48 @@ const authenticate = async (ctx) => {
16
16
  if (token) {
17
17
  const { id } = token;
18
18
 
19
- // Invalid token
20
19
  if (id === undefined) {
21
20
  return { authenticated: false };
22
21
  }
23
22
 
23
+ // fetch authenticated user
24
24
  const user = await getService('user').fetchAuthenticatedUser(id);
25
25
 
26
- // No user associated to the token
27
26
  if (!user) {
28
27
  return { error: 'Invalid credentials' };
29
28
  }
30
29
 
31
30
  const advancedSettings = await getAdvancedSettings();
32
31
 
33
- // User not confirmed
34
32
  if (advancedSettings.email_confirmation && !user.confirmed) {
35
33
  return { error: 'Invalid credentials' };
36
34
  }
37
35
 
38
- // User blocked
39
36
  if (user.blocked) {
40
37
  return { error: 'Invalid credentials' };
41
38
  }
42
39
 
43
- // Fetch user's permissions
44
- const permissions = await Promise.resolve(user.role.id)
45
- .then(getService('permission').findRolePermissions)
46
- .then(map(getService('permission').toContentAPIPermission));
47
-
48
- // Generate an ability (content API engine) based on the given permissions
49
- const ability = await strapi.contentAPI.permissions.engine.generateAbility(permissions);
50
-
51
40
  ctx.state.user = user;
52
41
 
53
42
  return {
54
43
  authenticated: true,
55
44
  credentials: user,
56
- ability,
57
45
  };
58
46
  }
59
47
 
60
- const publicPermissions = await getService('permission')
61
- .findPublicPermissions()
62
- .then(map(getService('permission').toContentAPIPermission));
48
+ const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
49
+ where: {
50
+ role: { type: 'public' },
51
+ },
52
+ });
63
53
 
64
54
  if (publicPermissions.length === 0) {
65
55
  return { authenticated: false };
66
56
  }
67
57
 
68
- const ability = await strapi.contentAPI.permissions.engine.generateAbility(publicPermissions);
69
-
70
58
  return {
71
59
  authenticated: true,
72
60
  credentials: null,
73
- ability,
74
61
  };
75
62
  } catch (err) {
76
63
  return { authenticated: false };
@@ -78,7 +65,7 @@ const authenticate = async (ctx) => {
78
65
  };
79
66
 
80
67
  const verify = async (auth, config) => {
81
- const { credentials: user, ability } = auth;
68
+ const { credentials: user } = auth;
82
69
 
83
70
  if (!config.scope) {
84
71
  if (!user) {
@@ -90,17 +77,18 @@ const verify = async (auth, config) => {
90
77
  }
91
78
  }
92
79
 
93
- // If no ability have been generated, then consider auth is missing
94
- if (!ability) {
95
- throw new UnauthorizedError();
80
+ let { allowedActions } = auth;
81
+
82
+ if (!allowedActions) {
83
+ const permissions = await strapi.query('plugin::users-permissions.permission').findMany({
84
+ where: { role: user ? user.role.id : { type: 'public' } },
85
+ });
86
+
87
+ allowedActions = map('action', permissions);
88
+ auth.allowedActions = allowedActions;
96
89
  }
97
90
 
98
- const isAllowed = pipe(
99
- // Make sure we're dealing with an array
100
- castArray,
101
- // Transform the scope array into an action array
102
- every((scope) => ability.can(scope))
103
- )(config.scope);
91
+ const isAllowed = castArray(config.scope).every((scope) => allowedActions.includes(scope));
104
92
 
105
93
  if (!isAllowed) {
106
94
  throw new ForbiddenError();
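Review bot: `user.role.id` in the new `where` clause of verify throws a TypeError when the authenticated user has no role relation, and unlike the removed lookup in authenticate (which sat inside that function's try/catch) nothing visible in verify catches it, so such a request would surface as an unhandled error instead of an explicit authorization failure; verify begins in the previous hunk and continues past this one. A fail-closed guard just before the query keeps the outcome deliberate: `if (user && !user.role) { throw new ForbiddenError(); }`. Whether fetchAuthenticatedUser can return a user without a populated role is not visible here and worth confirming before relying on the deref. Separately, the public branch of authenticate (second hunk of this file) already loads the public permissions only to test `length`; returning `allowedActions: map('action', publicPermissions)` alongside `credentials: null` there would let this lazy cache skip an identical second query on every anonymous request.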
@@ -3,7 +3,6 @@ import * as user from '../services/user';
3
3
  import * as role from '../services/role';
4
4
  import * as jwt from '../services/jwt';
5
5
  import * as providers from '../services/providers';
6
- import * as permission from '../services/permission';
7
6
 
8
7
  type S = {
9
8
  ['users-permissions']: typeof usersPermissions;
@@ -12,7 +11,6 @@ type S = {
12
11
  jwt: typeof jwt;
13
12
  providers: typeof providers;
14
13
  ['providers-registry']: typeof providers;
15
- permission: typeof permission;
16
14
  };
17
15
 
18
16
  export function getService<T extends keyof S>(name: T): ReturnType<S[T]>;
@@ -1,45 +0,0 @@
1
- 'use strict';
2
-
3
- const PUBLIC_ROLE_FILTER = { role: { type: 'public' } };
4
-
5
- module.exports = ({ strapi }) => ({
6
- /**
7
- * Find permissions associated to a specific role ID
8
- *
9
- * @param {number} roleID
10
- *
11
- * @return {object[]}
12
- */
13
- async findRolePermissions(roleID) {
14
- return strapi.entityService.load(
15
- 'plugin::users-permissions.role',
16
- { id: roleID },
17
- 'permissions'
18
- );
19
- },
20
-
21
- /**
22
- * Find permissions for the public role
23
- *
24
- * @return {object[]}
25
- */
26
- async findPublicPermissions() {
27
- return strapi.entityService.findMany('plugin::users-permissions.permission', {
28
- where: PUBLIC_ROLE_FILTER,
29
- });
30
- },
31
-
32
- /**
33
- * Transform a Users-Permissions' action into a content API one
34
- *
35
- * @param {object} permission
36
- * @param {string} permission.action
37
- *
38
- * @return {{ action: string }}
39
- */
40
- toContentAPIPermission(permission) {
41
- const { action } = permission;
42
-
43
- return { action };
44
- },
45
- });