@strapi/plugin-users-permissions 4.5.0-alpha.0 → 4.5.0

package/documentation/content-api.yaml

@@ -695,7 +695,7 @@ paths:
             type: string
           description: user Id
       responses:
-        "200":
+        '200':
           description: Returns deleted user info
           content:
             application/json:
@@ -868,4 +868,3 @@ components:
                   controllerA:
                     find:
                       enabled: true
-

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.5.0-alpha.0",
+  "version": "4.5.0",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -27,13 +27,13 @@
     "test:front:watch:ce": "cross-env IS_EE=false jest --config ./jest.config.front.js --watchAll"
   },
   "dependencies": {
-    "@strapi/helper-plugin": "4.5.0-alpha.0",
-    "@strapi/utils": "4.5.0-alpha.0",
+    "@strapi/helper-plugin": "4.5.0",
+    "@strapi/utils": "4.5.0",
     "bcryptjs": "2.4.3",
     "grant-koa": "5.4.8",
     "jsonwebtoken": "^8.1.0",
     "koa": "^2.13.4",
-    "koa2-ratelimit": "^1.1.1",
+    "koa2-ratelimit": "^1.1.2",
     "lodash": "4.17.21",
     "purest": "4.0.2",
     "react": "^17.0.2",
@@ -64,5 +64,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "c9a98c4dbcf3c4f2a449f8d96e7cbe4cd9b1e0f5"
+  "gitHead": "33debd57010667a3fc5dfa343a673206cfb956e1"
 }

package/server/controllers/validation/user.js

@@ -10,13 +10,37 @@ const createUserBodySchema = yup.object().shape({
   email: yup.string().email().required(),
   username: yup.string().min(1).required(),
   password: yup.string().min(1).required(),
-  role: yup.strapiID(),
+  role: yup.lazy((value) =>
+    typeof value === 'object'
+      ? yup
+          .object()
+          .shape({
+            connect: yup
+              .array()
+              .of(yup.object().shape({ id: yup.strapiID().required() }))
+              .min(1)
+              .required(),
+          })
+          .required()
+      : yup.strapiID().required()
+  ),
 });
 
 const updateUserBodySchema = yup.object().shape({
   email: yup.string().email().min(1),
   username: yup.string().min(1),
   password: yup.string().min(1),
+  role: yup.lazy((value) =>
+    typeof value === 'object'
+      ? yup.object().shape({
+          connect: yup
+            .array()
+            .of(yup.object().shape({ id: yup.strapiID().required() }))
+            .min(1)
+            .required(),
+        })
+      : yup.strapiID()
+  ),
 });
 
 module.exports = {

package/server/services/index.js

@@ -6,6 +6,7 @@ const user = require('./user');
 const role = require('./role');
 const usersPermissions = require('./users-permissions');
 const providersRegistry = require('./providers-registry');
+const permission = require('./permission');
 
 module.exports = {
   jwt,
@@ -14,4 +15,5 @@ module.exports = {
   role,
   user,
   'users-permissions': usersPermissions,
+  permission,
 };

package/server/services/permission.js

@@ -0,0 +1,45 @@
+'use strict';
+
+const PUBLIC_ROLE_FILTER = { role: { type: 'public' } };
+
+module.exports = ({ strapi }) => ({
+  /**
+   * Find permissions associated to a specific role ID
+   *
+   * @param {number} roleID
+   *
+   * @return {object[]}
+   */
+  async findRolePermissions(roleID) {
+    return strapi.entityService.load(
+      'plugin::users-permissions.role',
+      { id: roleID },
+      'permissions'
+    );
+  },
+
+  /**
+   * Find permissions for the public role
+   *
+   * @return {object[]}
+   */
+  async findPublicPermissions() {
+    return strapi.entityService.findMany('plugin::users-permissions.permission', {
+      filters: PUBLIC_ROLE_FILTER,
+    });
+  },
+
+  /**
+   * Transform a Users-Permissions' action into a content API one
+   *
+   * @param {object} permission
+   * @param {string} permission.action
+   *
+   * @return {{ action: string }}
+   */
+  toContentAPIPermission(permission) {
+    const { action } = permission;
+
+    return { action };
+  },
+});

package/server/strategies/users-permissions.js

@@ -1,6 +1,6 @@
 'use strict';
 
-const { castArray, map } = require('lodash/fp');
+const { castArray, map, every, pipe } = require('lodash/fp');
 const { ForbiddenError, UnauthorizedError } = require('@strapi/utils').errors;
 
 const { getService } = require('../utils');
@@ -16,48 +16,61 @@ const authenticate = async (ctx) => {
     if (token) {
       const { id } = token;
 
+      // Invalid token
       if (id === undefined) {
         return { authenticated: false };
       }
 
-      // fetch authenticated user
       const user = await getService('user').fetchAuthenticatedUser(id);
 
+      // No user associated to the token
       if (!user) {
         return { error: 'Invalid credentials' };
       }
 
       const advancedSettings = await getAdvancedSettings();
 
+      // User not confirmed
       if (advancedSettings.email_confirmation && !user.confirmed) {
         return { error: 'Invalid credentials' };
       }
 
+      // User blocked
       if (user.blocked) {
         return { error: 'Invalid credentials' };
       }
 
+      // Fetch user's permissions
+      const permissions = await Promise.resolve(user.role.id)
+        .then(getService('permission').findRolePermissions)
+        .then(map(getService('permission').toContentAPIPermission));
+
+      // Generate an ability (content API engine) based on the given permissions
+      const ability = await strapi.contentAPI.permissions.engine.generateAbility(permissions);
+
       ctx.state.user = user;
 
       return {
         authenticated: true,
         credentials: user,
+        ability,
       };
     }
 
-    const publicPermissions = await strapi.query('plugin::users-permissions.permission').findMany({
-      where: {
-        role: { type: 'public' },
-      },
-    });
+    const publicPermissions = await getService('permission')
+      .findPublicPermissions()
+      .then(map(getService('permission').toContentAPIPermission));
 
     if (publicPermissions.length === 0) {
       return { authenticated: false };
     }
 
+    const ability = await strapi.contentAPI.permissions.engine.generateAbility(publicPermissions);
+
     return {
       authenticated: true,
       credentials: null,
+      ability,
     };
   } catch (err) {
     return { authenticated: false };
@@ -65,7 +78,7 @@ const authenticate = async (ctx) => {
 };
 
 const verify = async (auth, config) => {
-  const { credentials: user } = auth;
+  const { credentials: user, ability } = auth;
 
   if (!config.scope) {
     if (!user) {
@@ -77,18 +90,17 @@ const verify = async (auth, config) => {
     }
   }
 
-  let { allowedActions } = auth;
-
-  if (!allowedActions) {
-    const permissions = await strapi.query('plugin::users-permissions.permission').findMany({
-      where: { role: user ? user.role.id : { type: 'public' } },
-    });
-
-    allowedActions = map('action', permissions);
-    auth.allowedActions = allowedActions;
+  // If no ability have been generated, then consider auth is missing
+  if (!ability) {
+    throw new UnauthorizedError();
   }
 
-  const isAllowed = castArray(config.scope).every((scope) => allowedActions.includes(scope));
+  const isAllowed = pipe(
+    // Make sure we're dealing with an array
+    castArray,
+    // Transform the scope array into an action array
+    every((scope) => ability.can(scope))
+  )(config.scope);
 
   if (!isAllowed) {
     throw new ForbiddenError();

package/server/utils/index.d.ts

@@ -3,6 +3,7 @@ import * as user from '../services/user';
 import * as role from '../services/role';
 import * as jwt from '../services/jwt';
 import * as providers from '../services/providers';
+import * as permission from '../services/permission';
 
 type S = {
   ['users-permissions']: typeof usersPermissions;
@@ -11,6 +12,7 @@ type S = {
   jwt: typeof jwt;
   providers: typeof providers;
   ['providers-registry']: typeof providers;
+  permission: typeof permission;
 };
 
 export function getService<T extends keyof S>(name: T): ReturnType<S[T]>;