@strapi/plugin-users-permissions 4.6.0-beta.0 → 4.6.0-beta.2

package/admin/src/pages/Providers/index.js

@@ -14,7 +14,6 @@ import {
 } from '@strapi/helper-plugin';
 import has from 'lodash/has';
 import upperFirst from 'lodash/upperFirst';
-import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
 import { HeaderLayout, Layout, ContentLayout } from '@strapi/design-system/Layout';
 import { Main } from '@strapi/design-system/Main';
 import { useNotifyAT } from '@strapi/design-system/LiveRegions';
@@ -163,16 +162,9 @@ export const ProvidersPage = () => {
           <LoadingIndicatorPage />
         ) : (
           <ContentLayout>
-            <Table colCount={4} rowCount={rowCount + 1}>
+            <Table colCount={3} rowCount={rowCount + 1}>
               <Thead>
                 <Tr>
-                  <Th>
-                    <Typography variant="sigma" textColor="neutral600">
-                      <VisuallyHidden>
-                        {formatMessage({ id: getTrad('Providers.image'), defaultMessage: 'Image' })}
-                      </VisuallyHidden>
-                    </Typography>
-                  </Th>
                   <Th>
                     <Typography variant="sigma" textColor="neutral600">
                       {formatMessage({ id: 'global.name', defaultMessage: 'Name' })}
@@ -204,9 +196,6 @@ export const ProvidersPage = () => {
                       condition: canUpdate,
                     })}
                   >
-                    <Td width="">
-                      <FontAwesomeIcon icon={provider.icon} />
-                    </Td>
                     <Td width="45%">
                       <Typography fontWeight="semiBold" textColor="neutral800">
                         {provider.name}

package/admin/src/translations/dk.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "Redigér e-mail skabeloner",
   "PopUpForm.header.edit.providers": "Redigér udbydere",
   "Providers.data.loaded": "Providers hentet",
-  "Providers.image": "Billede",
   "Providers.status": "Status",
   "Roles.empty": "Du har endnu ingen roller.",
   "Roles.empty.search": "Ingen roller matcher søgningen.",

package/admin/src/translations/en.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "Edit email template",
   "PopUpForm.header.edit.providers": "Edit Provider",
   "Providers.data.loaded": "Providers have been loaded",
-  "Providers.image": "Image",
   "Providers.status": "Status",
   "Roles.empty": "You don't have any roles yet.",
   "Roles.empty.search": "No roles match the search.",

package/admin/src/translations/es.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "Editar Plantillas de Email",
   "PopUpForm.header.edit.providers": "Editar proveedor",
   "Providers.data.loaded": "Los proveedores se han cargado",
-  "Providers.image": "Imagen",
   "Providers.status": "Estado",
   "Roles.empty": "Aún no tienes ningún rol.",
   "Roles.empty.search": "Ningún rol coincide con la búsqueda.",

package/admin/src/translations/ko.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "이메일 템플릿 수정",
   "PopUpForm.header.edit.providers": "프로바이더 수정",
   "Providers.data.loaded": "프로바이더를 불러왔습니다.",
-  "Providers.image": "이미지",
   "Providers.status": "상태",
   "Roles.empty": "아직 역할이 없습니다.",
   "Roles.empty.search": "검색과 일치하는 역할이 없습니다.",

package/admin/src/translations/pl.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "Zmień szablony e-mail",
   "PopUpForm.header.edit.providers": "Edytuj dostawcę",
   "Providers.data.loaded": "Dostawcy zostali załadowani",
-  "Providers.image": "Obrazek",
   "Providers.status": "Status",
   "Roles.empty": "Nie masz jeszcze żadnych ról.",
   "Roles.empty.search": "Żadne role nie pasują do wyszukiwania.",

package/admin/src/translations/sv.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "Redigera e-postmallar",
   "PopUpForm.header.edit.providers": "Redigera tjänst",
   "Providers.data.loaded": "Tjänster har laddats in",
-  "Providers.image": "Bild",
   "Providers.status": "Status",
   "Roles.empty": "Du har inga roller än.",
   "Roles.empty.search": "Inga roller matchar sökningen.",

package/admin/src/translations/tr.json

@@ -10,6 +10,16 @@
   "EditForm.inputToggle.label.email-confirmation": "E-posta onayını etkinleştir",
   "EditForm.inputToggle.label.email-confirmation-redirection": "Yönlendirme URL'si",
   "EditForm.inputToggle.label.sign-up": "Kayıtları etkinleştir",
+  "EditForm.inputToggle.placeholder.email-confirmation-redirection": "ör: https://yourfrontend.com/email-confirmation-redirection",
+  "EditForm.inputToggle.placeholder.email-reset-password": "ör: https://yourfrontend.com/reset-password",
+  "EditPage.form.roles": "Rol detayları",
+  "Email.template.data.loaded": "E-posta şablonları yüklendi",
+  "Email.template.email_confirmation": "E-posta adresi doğrulaması",
+  "Email.template.form.edit.label": "Şablonu düzenle",
+  "Email.template.table.action.label": "eylem",
+  "Email.template.table.icon.label": "ikon",
+  "Email.template.table.name.label": "ad",
+  "Form.advancedSettings.data.loaded": "Gelişmiş ayarlar verisi yüklendi",
   "HeaderNav.link.advancedSettings": "Gelişmiş Ayarlar",
   "HeaderNav.link.emailTemplates": "E-posta Şablonları",
   "HeaderNav.link.providers": "Sağlayıcıları",
@@ -19,12 +29,14 @@
   "Policies.header.hint": "Uygulamanın eylemlerini veya eklentinin eylemlerini seçin ve bağlı rotayı görüntülemek için dişli çark simgesini tıklayın",
   "Policies.header.title": "Gelişmiş Ayarlar",
   "PopUpForm.Email.email_templates.inputDescription": "Değişkenleri nasıl kullanacağınızdan emin değilseniz, {link}",
+  "PopUpForm.Email.link.documentation": "dokümantasyonu kontrol et.",
   "PopUpForm.Email.options.from.email.label": "Gönderenin E-posta",
   "PopUpForm.Email.options.from.email.placeholder": "kai@doe.com",
   "PopUpForm.Email.options.from.name.label": "Gönderenin adı",
   "PopUpForm.Email.options.from.name.placeholder": "Kai Doe",
   "PopUpForm.Email.options.message.label": "Mesaj",
   "PopUpForm.Email.options.object.label": "Konu",
+  "PopUpForm.Email.options.object.placeholder": "%APP_NAME% için e-posta adresini doğrula",
   "PopUpForm.Email.options.response_email.label": "Yanıt e-postası",
   "PopUpForm.Email.options.response_email.placeholder": "kai@doe.com",
   "PopUpForm.Providers.enabled.description": "Devre dışı bırakıldıysa kullanıcılar bu sağlayıcıyı kullanamaz.",
@@ -32,13 +44,38 @@
   "PopUpForm.Providers.key.label": "Web istemcisi ID",
   "PopUpForm.Providers.key.placeholder": "METİN",
   "PopUpForm.Providers.redirectURL.front-end.label": "Arayüz uygulamanızın yönlendirme URL'si",
+  "PopUpForm.Providers.redirectURL.label": "{provider} uygulama ayarlarına ekleyeceğin yönlendirme URLi",
   "PopUpForm.Providers.secret.label": "Web istemcisi Secret",
   "PopUpForm.Providers.secret.placeholder": "METİN",
   "PopUpForm.Providers.subdomain.label": "Host URI (Subdomain)",
   "PopUpForm.Providers.subdomain.placeholder": "my.subdomain.com",
   "PopUpForm.header.edit.email-templates": "E-posta Şablonlarını Düzenle",
+  "PopUpForm.header.edit.providers": "Sağlayıcıyı Düzenle",
+  "Providers.data.loaded": "Sağlayıcılar yüklendi",
+  "Providers.image": "Görsel",
+  "Providers.status": "Durum",
+  "Roles.empty": "Henüz hiç rolün yok.",
+  "Roles.empty.search": "Aramaya uygun rol bulunmadı.",
+  "Settings.roles.deleted": "Rol silindi",
+  "Settings.roles.edited": "Rol düzenlendi",
+  "Settings.section-label": "Kullanıcılar ve İzinler eklentisi",
+  "components.Input.error.validation.email": "Bu geçersiz bir e-posta",
+  "components.Input.error.validation.json": "Bu JSON biçimine uymuyor",
+  "components.Input.error.validation.max": "Değer çok yüksek.",
+  "components.Input.error.validation.maxLength": "Değer çok uzun.",
+  "components.Input.error.validation.min": "Değer çok düşük.",
+  "components.Input.error.validation.minLength": "Değer çok kısa.",
+  "components.Input.error.validation.minSupMax": "Üst olamaz",
+  "components.Input.error.validation.regex": "Değer RegExp'e uymuyor.",
+  "components.Input.error.validation.required": "Değer gerekli.",
+  "components.Input.error.validation.unique": "Değer zaten kullanılıyor.",
   "notification.success.submit": "Ayarlar güncellendi",
+  "page.title": "Ayarlar - Roller",
   "plugin.description.long": "Servisinizi JWT'ye dayalı tam bir kimlik doğrulama işlemi ile koruyun. Bu eklenti, kullanıcı grupları arasındaki izinleri yönetmenize izin veren bir ACL stratejisiyle de gelir.",
   "plugin.description.short": "Servisinizi JWT'ye dayalı tam bir kimlik doğrulama işlemi ile koruyun",
-  "plugin.name": "Roller & İzinler"
+  "plugin.name": "Roller ve İzinler",
+  "popUpWarning.button.cancel": "İptal Et",
+  "popUpWarning.button.confirm": "Onayla",
+  "popUpWarning.title": "Lütfen onayla",
+  "popUpWarning.warning.cancel": "Değişiklikleri iptal etmek istediğinden emin misin?"
 }

package/admin/src/translations/zh.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "編輯郵件範本",
   "PopUpForm.header.edit.providers": "編輯供應者",
   "Providers.data.loaded": "已載入供應者",
-  "Providers.image": "圖片",
   "Providers.status": "狀態",
   "Roles.empty": "您目前沒有任何角色。",
   "Roles.empty.search": "沒有符合搜尋的角色。",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.6.0-beta.0",
+  "version": "4.6.0-beta.2",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -27,11 +27,11 @@
     "test:front:watch:ce": "cross-env IS_EE=false jest --config ./jest.config.front.js --watchAll"
   },
   "dependencies": {
-    "@strapi/helper-plugin": "4.6.0-beta.0",
-    "@strapi/utils": "4.6.0-beta.0",
+    "@strapi/helper-plugin": "4.6.0-beta.2",
+    "@strapi/utils": "4.6.0-beta.2",
     "bcryptjs": "2.4.3",
     "grant-koa": "5.4.8",
-    "jsonwebtoken": "^8.1.0",
+    "jsonwebtoken": "9.0.0",
     "koa": "^2.13.4",
     "koa2-ratelimit": "^1.1.2",
     "lodash": "4.17.21",
@@ -64,5 +64,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "c0c3365ad801d088a6ab6c4eb95a014078429747"
+  "gitHead": "b852090f931cd21868c4016f24db2f9fdfc7a7ab"
 }

package/server/controllers/validation/email-template.js

@@ -1,8 +1,17 @@
 'use strict';
 
-const _ = require('lodash');
+const { trim } = require('lodash/fp');
+const {
+  template: { createLooseInterpolationRegExp, createStrictInterpolationRegExp },
+} = require('@strapi/utils');
+
+const invalidPatternsRegexes = [
+  // Ignore "evaluation" patterns: <% ... %>
+  /<%[^=]([\s\S]*?)%>/m,
+  // Ignore basic string interpolations
+  /\${([^{}]*)}/m,
+];
 
-const invalidPatternsRegexes = [/<%[^=]([^<>%]*)%>/m, /\${([^{}]*)}/m];
 const authorizedKeys = [
   'URL',
   'ADMIN_URL',
@@ -19,27 +28,42 @@ const matchAll = (pattern, src) => {
   let match;
 
   const regexPatternWithGlobal = RegExp(pattern, 'g');
+
   // eslint-disable-next-line no-cond-assign
   while ((match = regexPatternWithGlobal.exec(src))) {
     const [, group] = match;
 
-    matches.push(_.trim(group));
+    matches.push(trim(group));
   }
+
   return matches;
 };
 
 const isValidEmailTemplate = (template) => {
+  // Check for known invalid patterns
   for (const reg of invalidPatternsRegexes) {
     if (reg.test(template)) {
       return false;
     }
   }
 
-  const matches = matchAll(/<%=([^<>%=]*)%>/, template);
-  for (const match of matches) {
-    if (!authorizedKeys.includes(match)) {
-      return false;
-    }
+  const interpolation = {
+    // Strict interpolation pattern to match only valid groups
+    strict: createStrictInterpolationRegExp(authorizedKeys),
+    // Weak interpolation pattern to match as many group as possible.
+    loose: createLooseInterpolationRegExp(),
+  };
+
+  // Compute both strict & loose matches
+  const strictMatches = matchAll(interpolation.strict, template);
+  const looseMatches = matchAll(interpolation.loose, template);
+
+  // If we have more matches with the loose RegExp than with the strict one,
+  // then it means that at least one of the interpolation group is invalid
+  // Note: In the future, if we wanted to give more details for error formatting
+  // purposes, we could return the difference between the two arrays
+  if (looseMatches.length > strictMatches.length) {
+    return false;
   }
 
   return true;

package/server/services/user.js

@@ -109,17 +109,25 @@ module.exports = ({ strapi }) => ({
     await this.edit(user.id, { confirmationToken });
 
     const apiPrefix = strapi.config.get('api.rest.prefix');
-    settings.message = await userPermissionService.template(settings.message, {
-      URL: urlJoin(getAbsoluteServerUrl(strapi.config), apiPrefix, '/auth/email-confirmation'),
-      SERVER_URL: getAbsoluteServerUrl(strapi.config),
-      ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
-      USER: sanitizedUserInfo,
-      CODE: confirmationToken,
-    });
 
-    settings.object = await userPermissionService.template(settings.object, {
-      USER: sanitizedUserInfo,
-    });
+    try {
+      settings.message = await userPermissionService.template(settings.message, {
+        URL: urlJoin(getAbsoluteServerUrl(strapi.config), apiPrefix, '/auth/email-confirmation'),
+        SERVER_URL: getAbsoluteServerUrl(strapi.config),
+        ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
+        USER: sanitizedUserInfo,
+        CODE: confirmationToken,
+      });
+
+      settings.object = await userPermissionService.template(settings.object, {
+        USER: sanitizedUserInfo,
+      });
+    } catch {
+      strapi.log.error(
+        '[plugin::users-permissions.sendConfirmationEmail]: Failed to generate a template for "user confirmation email". Please make sure your email template is valid and does not contain invalid characters or patterns'
+      );
+      return;
+    }
 
     // Send an email to the user.
     await strapi

package/server/services/users-permissions.js

@@ -3,6 +3,11 @@
 const _ = require('lodash');
 const { filter, map, pipe, prop } = require('lodash/fp');
 const urlJoin = require('url-join');
+const {
+  template: { createStrictInterpolationRegExp },
+  errors,
+  keysDeep,
+} = require('@strapi/utils');
 
 const { getService } = require('../utils');
 
@@ -230,7 +235,15 @@ module.exports = ({ strapi }) => ({
   },
 
   template(layout, data) {
-    const compiledObject = _.template(layout);
-    return compiledObject(data);
+    const allowedTemplateVariables = keysDeep(data);
+
+    // Create a strict interpolation RegExp based on possible variable names
+    const interpolate = createStrictInterpolationRegExp(allowedTemplateVariables, 'g');
+
+    try {
+      return _.template(layout, { interpolate, evaluate: false, escape: false })(data);
+    } catch (e) {
+      throw new errors.ApplicationError('Invalid email template');
+    }
   },
 });