@strapi/utils 4.0.0-beta.2 → 4.0.0-beta.20

package/lib/config.js

@@ -3,7 +3,10 @@
 const _ = require('lodash');
 const { getCommonPath } = require('./string-formatting');
 
-const getConfigUrls = (serverConfig, forAdminBuild = false) => {
+const getConfigUrls = (config, forAdminBuild = false) => {
+  const serverConfig = config.get('server');
+  const adminConfig = config.get('admin');
+
   // Defines serverUrl value
   let serverUrl = _.get(serverConfig, 'url', '');
   serverUrl = _.trim(serverUrl, '/ ');
@@ -23,7 +26,7 @@ const getConfigUrls = (serverConfig, forAdminBuild = false) => {
   }
 
   // Defines adminUrl value
-  let adminUrl = _.get(serverConfig, 'admin.url', '/admin');
+  let adminUrl = _.get(adminConfig, 'url', '/admin');
   adminUrl = _.trim(adminUrl, '/ ');
   if (typeof adminUrl !== 'string') {
     throw new Error('Invalid admin url config. Make sure the url is a non-empty string.');
@@ -60,7 +63,7 @@ const getConfigUrls = (serverConfig, forAdminBuild = false) => {
 };
 
 const getAbsoluteUrl = adminOrServer => (config, forAdminBuild = false) => {
-  const { serverUrl, adminUrl } = getConfigUrls(config.get('server'), forAdminBuild);
+  const { serverUrl, adminUrl } = getConfigUrls(config, forAdminBuild);
   let url = adminOrServer === 'server' ? serverUrl : adminUrl;
 
   if (url.startsWith('http')) {

package/lib/content-types.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const _ = require('lodash');
+const { has } = require('lodash/fp');
 
 const SINGLE_TYPE = 'singleType';
 const COLLECTION_TYPE = 'collectionType';
@@ -31,8 +32,18 @@ const constants = {
   COLLECTION_TYPE,
 };
 
-const getTimestamps = () => {
-  return [CREATED_AT_ATTRIBUTE, UPDATED_AT_ATTRIBUTE];
+const getTimestamps = model => {
+  const attributes = [];
+
+  if (has(CREATED_AT_ATTRIBUTE, model.attributes)) {
+    attributes.push(CREATED_AT_ATTRIBUTE);
+  }
+
+  if (has(UPDATED_AT_ATTRIBUTE, model.attributes)) {
+    attributes.push(UPDATED_AT_ATTRIBUTE);
+  }
+
+  return attributes;
 };
 
 const getNonWritableAttributes = (model = {}) => {
@@ -42,7 +53,7 @@ const getNonWritableAttributes = (model = {}) => {
     []
   );
 
-  return _.uniq([ID_ATTRIBUTE, ...getTimestamps(), ...nonWritableAttributes]);
+  return _.uniq([ID_ATTRIBUTE, ...getTimestamps(model), ...nonWritableAttributes]);
 };
 
 const getWritableAttributes = (model = {}) => {
@@ -60,7 +71,7 @@ const getNonVisibleAttributes = model => {
     []
   );
 
-  return _.uniq([ID_ATTRIBUTE, ...getTimestamps(), ...nonVisibleAttributes]);
+  return _.uniq([ID_ATTRIBUTE, ...getTimestamps(model), ...nonVisibleAttributes]);
 };
 
 const getVisibleAttributes = model => {
@@ -137,6 +148,7 @@ module.exports = {
   isWritableAttribute,
   getNonVisibleAttributes,
   getVisibleAttributes,
+  getTimestamps,
   isVisibleAttribute,
   hasDraftAndPublish,
   isDraft,

package/lib/convert-query-params.js

@@ -2,13 +2,14 @@
 
 /**
  * Converts the standard Strapi REST query params to a more usable format for querying
- * You can read more here: https://strapi.io/documentation/developer-docs/latest/developer-resources/content-api/content-api.html#filters
+ * You can read more here: https://docs.strapi.io/developer-docs/latest/developer-resources/database-apis-reference/rest-api.html#filters
  */
-
+const { has } = require('lodash/fp');
 const _ = require('lodash');
 const parseType = require('./parse-type');
+const contentTypesUtils = require('./content-types');
 
-const QUERY_OPERATORS = ['_where', '_or', '_and'];
+const { PUBLISHED_AT_ATTRIBUTE } = contentTypesUtils.constants;
 
 class InvalidOrderError extends Error {
   constructor() {
@@ -132,13 +133,15 @@ const convertPopulateQueryParams = (populate, depth = 0) => {
 
   if (Array.isArray(populate)) {
     // map convert
-    return populate.flatMap(value => {
-      if (typeof value !== 'string') {
-        throw new InvalidPopulateError();
-      }
+    return _.uniq(
+      populate.flatMap(value => {
+        if (typeof value !== 'string') {
+          throw new InvalidPopulateError();
+        }
 
-      return value.split(',').map(value => _.trim(value));
-    });
+        return value.split(',').map(value => _.trim(value));
+      })
+    );
   }
 
   if (_.isPlainObject(populate)) {
@@ -146,6 +149,7 @@ const convertPopulateQueryParams = (populate, depth = 0) => {
     for (const key in populate) {
       transformedPopulate[key] = convertNestedPopulate(populate[key]);
     }
+
     return transformedPopulate;
   }
 
@@ -212,9 +216,31 @@ const convertFieldsQueryParams = (fields, depth = 0) => {
   throw new Error('Invalid fields parameter. Expected a string or an array of strings');
 };
 
-// NOTE: We could validate the parameters are on existing / non private attributes
 const convertFiltersQueryParams = filters => filters;
 
+const convertPublicationStateParams = (type, params = {}, query = {}) => {
+  if (!type) {
+    return;
+  }
+
+  const { publicationState } = params;
+
+  if (!_.isNil(publicationState)) {
+    if (!contentTypesUtils.constants.DP_PUB_STATES.includes(publicationState)) {
+      throw new Error(
+        `Invalid publicationState. Expected one of 'preview','live' received: ${publicationState}.`
+      );
+    }
+
+    // NOTE: this is the query layer filters not the entity service filters
+    query.filters = ({ meta }) => {
+      if (publicationState === 'live' && has(PUBLISHED_AT_ATTRIBUTE, meta.attributes)) {
+        return { [PUBLISHED_AT_ATTRIBUTE]: { $notNull: true } };
+      }
+    };
+  }
+};
+
 module.exports = {
   convertSortQueryParams,
   convertStartQueryParams,
@@ -222,5 +248,5 @@ module.exports = {
   convertPopulateQueryParams,
   convertFiltersQueryParams,
   convertFieldsQueryParams,
-  QUERY_OPERATORS,
+  convertPublicationStateParams,
 };

package/lib/errors.js

@@ -0,0 +1,82 @@
+'use strict';
+
+const { HttpError } = require('http-errors');
+const { formatYupErrors } = require('./format-yup-error');
+
+/* ApplicationError */
+class ApplicationError extends Error {
+  constructor(message, details = {}) {
+    super();
+    this.name = 'ApplicationError';
+    this.message = message || 'An application error occured';
+    this.details = details;
+  }
+}
+
+class ValidationError extends ApplicationError {
+  constructor(message, details) {
+    super(message, details);
+    this.name = 'ValidationError';
+  }
+}
+
+class YupValidationError extends ValidationError {
+  constructor(yupError, message) {
+    super();
+    const { errors, message: yupMessage } = formatYupErrors(yupError);
+    this.message = message || yupMessage;
+    this.details = { errors };
+  }
+}
+
+class PaginationError extends ApplicationError {
+  constructor(message, details) {
+    super(message, details);
+    this.name = 'PaginationError';
+    this.message = message || 'Invalid pagination';
+  }
+}
+
+class NotFoundError extends ApplicationError {
+  constructor(message, details) {
+    super(message, details);
+    this.name = 'NotFoundError';
+    this.message = message || 'Entity not found';
+  }
+}
+
+class ForbiddenError extends ApplicationError {
+  constructor(message, details) {
+    super(message, details);
+    this.name = 'ForbiddenError';
+    this.message = message || 'Forbidden access';
+  }
+}
+
+class PayloadTooLargeError extends ApplicationError {
+  constructor(message, details) {
+    super(message, details);
+    this.name = 'PayloadTooLargeError';
+    this.message = message || 'Entity too large';
+  }
+}
+
+class UnauthorizedError extends ApplicationError {
+  constructor(message, details) {
+    super(message, details);
+    this.name = 'UnauthorizedError';
+    this.message = message || 'Unauthorized';
+  }
+}
+
+module.exports = {
+  HttpError,
+  ApplicationError,
+  ValidationError,
+  YupValidationError,
+  PaginationError,
+  NotFoundError,
+  ForbiddenError,
+  PayloadTooLargeError,
+  UnauthorizedError,
+};

package/lib/format-yup-error.js

@@ -0,0 +1,20 @@
+'use strict';
+
+const { isEmpty, toPath } = require('lodash/fp');
+
+const formatYupInnerError = yupError => ({
+  path: toPath(yupError.path),
+  message: yupError.message,
+  name: yupError.name,
+});
+
+const formatYupErrors = yupError => ({
+  errors: isEmpty(yupError.inner)
+    ? [formatYupInnerError(yupError)]
+    : yupError.inner.map(formatYupInnerError),
+  message: yupError.message,
+});
+
+module.exports = {
+  formatYupErrors,
+};

package/lib/hooks.js

@@ -82,7 +82,7 @@ const createAsyncSeriesWaterfallHook = () => ({
 const createAsyncParallelHook = () => ({
   ...createHook(),
 
-  call(context) {
+  async call(context) {
     const promises = this.handlers.map(handler => handler(cloneDeep(context)));
 
     return Promise.all(promises);

package/lib/index.js

@@ -4,13 +4,12 @@
  * Export shared utilities
  */
 const { buildQuery, hasDeepFilters } = require('./build-query');
-const { QUERY_OPERATORS } = require('./convert-query-params');
 const parseMultipartData = require('./parse-multipart');
-const sanitizeEntity = require('./sanitize-entity');
 const parseType = require('./parse-type');
 const policy = require('./policy');
 const templateConfiguration = require('./template-configuration');
-const { yup, formatYupErrors } = require('./validators');
+const { yup, handleYupError, validateYupSchema, validateYupSchemaSync } = require('./validators');
+const errors = require('./errors');
 const {
   nameToSlug,
   nameToCollectionName,
@@ -32,17 +31,20 @@ const setCreatorFields = require('./set-creator-fields');
 const hooks = require('./hooks');
 const providerFactory = require('./provider-factory');
 const pagination = require('./pagination');
+const sanitize = require('./sanitize');
+const traverseEntity = require('./traverse-entity');
+const pipeAsync = require('./pipe-async');
 
 module.exports = {
   yup,
-  formatYupErrors,
+  handleYupError,
   policy,
   templateConfiguration,
-  QUERY_OPERATORS,
   buildQuery,
   hasDeepFilters,
   parseMultipartData,
-  sanitizeEntity,
+  sanitize,
+  traverseEntity,
   parseType,
   nameToSlug,
   nameToCollectionName,
@@ -65,4 +67,8 @@ module.exports = {
   hooks,
   providerFactory,
   pagination,
+  pipeAsync,
+  errors,
+  validateYupSchema,
+  validateYupSchemaSync,
 };

package/lib/pagination.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const { merge, pipe, omit, isNil } = require('lodash/fp');
+const { PaginationError } = require('./errors');
 
 const STRAPI_DEFAULTS = {
   offset: {
@@ -52,7 +53,7 @@ const withDefaultPagination = (args, { defaults = {}, maxLimit = -1 } = {}) => {
 
   // If there is page & offset pagination attributes, throw an error
   if (usePagePagination && useOffsetPagination) {
-    throw new Error('Cannot use both page & offset pagination in the same query');
+    throw new PaginationError('Cannot use both page & offset pagination in the same query');
   }
 
   const pagination = {};

package/lib/parse-multipart.js

@@ -10,7 +10,7 @@ module.exports = ctx => {
   const { body = {}, files = {} } = ctx.request;
 
   if (!body.data) {
-    throw strapi.errors.badRequest(
+    return ctx.badRequest(
       `When using multipart/form-data you need to provide your data in a JSON 'data' field.`
     );
   }
@@ -19,14 +19,14 @@ module.exports = ctx => {
   try {
     data = JSON.parse(body.data);
   } catch (error) {
-    throw strapi.errors.badRequest(`Invalid 'data' field. 'data' should be a valid JSON.`);
+    return ctx.badRequest(`Invalid 'data' field. 'data' should be a valid JSON.`);
   }
 
   const filesToUpload = Object.keys(files).reduce((acc, key) => {
     const fullPath = _.toPath(key);
 
     if (fullPath.length <= 1 || fullPath[0] !== 'files') {
-      throw strapi.errors.badRequest(
+      return ctx.badRequest(
         `When using multipart/form-data you need to provide your files by prefixing them with the 'files'.
 For example, when a media file is named "avatar", make sure the form key name is "files.avatar"`
       );

package/lib/pipe-async.js

@@ -0,0 +1,11 @@
+'use strict';
+
+module.exports = (...methods) => async data => {
+  let res = data;
+
+  for (const method of methods) {
+    res = await method(res);
+  }
+
+  return res;
+};

package/lib/policy.js

@@ -9,36 +9,22 @@ const { eq } = require('lodash/fp');
 const PLUGIN_PREFIX = 'plugin::';
 const API_PREFIX = 'api::';
 
-const createPolicy = (policyName, args) => ({ policyName, args });
-
-const resolveHandler = policy => {
-  return _.has('handler', policy) ? policy.handler : policy;
-};
-
 const parsePolicy = policy => {
   if (typeof policy === 'string') {
-    return createPolicy(policy);
+    return { policyName: policy, config: {} };
   }
 
-  const { name, options = {} } = policy;
-  return createPolicy(name, options);
-};
-
-const resolvePolicy = policyName => {
-  const policy = strapi.policy(policyName);
-
-  return resolveHandler(policy);
+  const { name, config } = policy;
+  return { policyName: name, config };
 };
 
 const searchLocalPolicy = (policyName, { pluginName, apiName }) => {
   if (pluginName) {
-    const policy = strapi.policy(`${PLUGIN_PREFIX}${pluginName}.${policyName}`);
-    return resolveHandler(policy);
+    return strapi.policy(`${PLUGIN_PREFIX}${pluginName}.${policyName}`);
   }
 
   if (apiName) {
-    const policy = strapi.policy(`${API_PREFIX}${apiName}.${policyName}`);
-    return resolveHandler(policy);
+    return strapi.policy(`${API_PREFIX}${apiName}.${policyName}`);
   }
 };
 
@@ -56,53 +42,68 @@ const globalPolicy = ({ method, endpoint, controller, action, plugin }) => {
   };
 };
 
-const bodyPolicy = async (ctx, next) => {
-  const values = await next();
-
-  if (_.isNil(ctx.body) && !_.isNil(values)) {
-    ctx.body = values;
-  }
+const resolvePolicies = (config, { pluginName, apiName } = {}) => {
+  return config.map(policyConfig => {
+    return {
+      handler: getPolicy(policyConfig, { pluginName, apiName }),
+      config: policyConfig.config || {},
+    };
+  });
 };
 
-const get = (policy, { pluginName, apiName } = {}) => {
-  if (typeof policy === 'function') {
-    return policy;
-  }
-
-  const { policyName, args } = parsePolicy(policy);
-
-  const resolvedPolicy = resolvePolicy(policyName);
+const findPolicy = (name, { pluginName, apiName } = {}) => {
+  const resolvedPolicy = strapi.policy(name);
 
   if (resolvedPolicy !== undefined) {
-    return _.isPlainObject(policy) ? resolvedPolicy(args) : resolvedPolicy;
+    return resolvedPolicy;
   }
 
-  const localPolicy = searchLocalPolicy(policy, { pluginName, apiName });
+  const localPolicy = searchLocalPolicy(name, { pluginName, apiName });
 
   if (localPolicy !== undefined) {
     return localPolicy;
   }
 
-  throw new Error(`Could not find policy "${policy}"`);
+  throw new Error(`Could not find policy "${name}"`);
 };
 
-const createPolicyFactory = (factoryCallback, options) => {
-  const { validator, name = 'unnamed' } = options;
+const getPolicy = (policyConfig, { pluginName, apiName } = {}) => {
+  if (typeof policyConfig === 'function') {
+    return policyConfig;
+  }
 
-  const validate = (...args) => {
-    try {
-      validator(...args);
-    } catch (e) {
-      throw new Error(`Invalid objects submitted to "${name}" policy.`);
-    }
-  };
+  const { policyName, config } = parsePolicy(policyConfig);
+
+  const policy = findPolicy(policyName, { pluginName, apiName });
+
+  if (typeof policy === 'function') {
+    return policy;
+  }
 
-  return options => {
+  if (policy.validator) {
+    policy.validator(config);
+  }
+
+  return policy.handler;
+};
+
+const createPolicy = options => {
+  const { name = 'unnamed', validator, handler } = options;
+
+  const wrappedValidator = config => {
     if (validator) {
-      validate(options);
+      try {
+        validator(config);
+      } catch (e) {
+        throw new Error(`Invalid config passed to "${name}" policy.`);
+      }
     }
+  };
 
-    return factoryCallback(options);
+  return {
+    name,
+    validator: wrappedValidator,
+    handler,
   };
 };
 
@@ -110,7 +111,6 @@ const createPolicyContext = (type, ctx) => {
   return Object.assign(
     {
       is: eq(type),
-
       get type() {
         return type;
       },
@@ -120,9 +120,9 @@ const createPolicyContext = (type, ctx) => {
 };
 
 module.exports = {
-  get,
+  get: getPolicy,
+  resolve: resolvePolicies,
   globalPolicy,
-  bodyPolicy,
-  createPolicyFactory,
+  createPolicy,
   createPolicyContext,
 };

package/lib/print-value.js

@@ -0,0 +1,51 @@
+'use strict';
+
+// Code copied from the yup library (https://github.com/jquense/yup)
+// https://github.com/jquense/yup/blob/2778b88bdacd5260d593c6468793da2e77daf21f/src/util/printValue.ts
+
+const toString = Object.prototype.toString;
+const errorToString = Error.prototype.toString;
+const regExpToString = RegExp.prototype.toString;
+const symbolToString = typeof Symbol !== 'undefined' ? Symbol.prototype.toString : () => '';
+
+const SYMBOL_REGEXP = /^Symbol\((.*)\)(.*)$/;
+
+function printNumber(val) {
+  if (val != +val) return 'NaN';
+  const isNegativeZero = val === 0 && 1 / val < 0;
+  return isNegativeZero ? '-0' : '' + val;
+}
+
+function printSimpleValue(val, quoteStrings = false) {
+  if (val == null || val === true || val === false) return '' + val;
+
+  const typeOf = typeof val;
+  if (typeOf === 'number') return printNumber(val);
+  if (typeOf === 'string') return quoteStrings ? `"${val}"` : val;
+  if (typeOf === 'function') return '[Function ' + (val.name || 'anonymous') + ']';
+  if (typeOf === 'symbol') return symbolToString.call(val).replace(SYMBOL_REGEXP, 'Symbol($1)');
+
+  const tag = toString.call(val).slice(8, -1);
+  if (tag === 'Date') return isNaN(val.getTime()) ? '' + val : val.toISOString(val);
+  if (tag === 'Error' || val instanceof Error) return '[' + errorToString.call(val) + ']';
+  if (tag === 'RegExp') return regExpToString.call(val);
+
+  return null;
+}
+
+function printValue(value, quoteStrings) {
+  let result = printSimpleValue(value, quoteStrings);
+  if (result !== null) return result;
+
+  return JSON.stringify(
+    value,
+    function(key, value) {
+      let result = printSimpleValue(this[key], quoteStrings);
+      if (result !== null) return result;
+      return value;
+    },
+    2
+  );
+}
+
+module.exports = printValue;

package/lib/sanitize/index.js

@@ -0,0 +1,51 @@
+'use strict';
+
+const { isArray } = require('lodash/fp');
+
+const traverseEntity = require('../traverse-entity');
+const { getNonWritableAttributes } = require('../content-types');
+const pipeAsync = require('../pipe-async');
+
+const visitors = require('./visitors');
+const sanitizers = require('./sanitizers');
+
+module.exports = {
+  contentAPI: {
+    input(data, schema, { auth } = {}) {
+      if (isArray(data)) {
+        return Promise.all(data.map(entry => this.input(entry, schema, { auth })));
+      }
+
+      const nonWritableAttributes = getNonWritableAttributes(schema);
+
+      const transforms = [
+        // Remove non writable attributes
+        traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),
+      ];
+
+      if (auth) {
+        // Remove restricted relations
+        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
+      }
+
+      return pipeAsync(...transforms)(data);
+    },
+
+    output(data, schema, { auth } = {}) {
+      if (isArray(data)) {
+        return Promise.all(data.map(entry => this.output(entry, schema, { auth })));
+      }
+
+      const transforms = [sanitizers.defaultSanitizeOutput(schema)];
+
+      if (auth) {
+        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
+      }
+
+      return pipeAsync(...transforms)(data);
+    },
+  },
+
+  sanitizers,
+  visitors,
+};

package/lib/sanitize/sanitizers.js

@@ -0,0 +1,26 @@
+'use strict';
+
+const { curry } = require('lodash/fp');
+
+const pipeAsync = require('../pipe-async');
+const traverseEntity = require('../traverse-entity');
+
+const { removePassword, removePrivate } = require('./visitors');
+
+const sanitizePasswords = curry((schema, entity) => {
+  return traverseEntity(removePassword, { schema }, entity);
+});
+
+const sanitizePrivates = curry((schema, entity) => {
+  return traverseEntity(removePrivate, { schema }, entity);
+});
+
+const defaultSanitizeOutput = curry((schema, entity) => {
+  return pipeAsync(sanitizePrivates(schema), sanitizePasswords(schema))(entity);
+});
+
+module.exports = {
+  sanitizePasswords,
+  sanitizePrivates,
+  defaultSanitizeOutput,
+};

package/lib/sanitize/visitors/allowed-fields.js

@@ -0,0 +1,92 @@
+'use strict';
+
+const { isArray, toPath } = require('lodash/fp');
+
+module.exports = (allowedFields = null) => ({ key, path }, { remove }) => {
+  // All fields are allowed
+  if (allowedFields === null) {
+    return;
+  }
+
+  // Ignore invalid formats
+  if (!isArray(allowedFields)) {
+    return;
+  }
+
+  const containedPaths = getContainedPaths(path);
+
+  /**
+   * Tells if the current path should be kept or not based
+   * on the success of the check functions for any of the allowed paths.
+   *
+   * The check functions are defined as follow:
+   *
+   * `containedPaths.includes(p)`
+   * @example
+   * ```js
+   * const path = 'foo.bar.field';
+   * const p = 'foo.bar';
+   * // it should match
+   *
+   * const path = 'foo.bar.field';
+   * const p = 'bar.foo';
+   * // it shouldn't match
+   *
+   * const path = 'foo.bar';
+   * const p = 'foo.bar.field';
+   * // it should match but isn't handled by this check
+   * ```
+   *
+   * `p.startsWith(`${path}.`)`
+   * @example
+   * ```js
+   * const path = 'foo.bar';
+   * const p = 'foo.bar.field';
+   * // it should match
+   *
+   * const path = 'foo.bar.field';
+   * const p = 'bar.foo';
+   * // it shouldn't match
+   *
+   * const path = 'foo.bar.field';
+   * const p = 'foo.bar';
+   * // it should match but isn't handled by this check
+   * ```
+   */
+  const isPathAllowed = allowedFields.some(
+    p => containedPaths.includes(p) || p.startsWith(`${path}.`)
+  );
+
+  if (isPathAllowed) {
+    return;
+  }
+
+  // Remove otherwise
+  remove(key);
+};
+
+/**
+ * Retrieve the list of allowed paths based on the given path
+ *
+ * @param {string} path
+ * @return {string[]}
+ *
+ * @example
+ * ```js
+ * const containedPaths = getContainedPaths('foo');
+ * // ['foo']
+ *
+ *  * const containedPaths = getContainedPaths('foo.bar');
+ * // ['foo', 'foo.bar']
+ *
+ *  * const containedPaths = getContainedPaths('foo.bar.field');
+ * // ['foo', 'foo.bar', 'foo.bar.field']
+ * ```
+ */
+const getContainedPaths = path => {
+  const parts = toPath(path);
+
+  return parts.reduce((acc, value, index, list) => {
+    return [...acc, list.slice(0, index + 1).join('.')];
+  }, []);
+};

package/lib/sanitize/visitors/index.js

@@ -0,0 +1,9 @@
+'use strict';
+
+module.exports = {
+  removePassword: require('./remove-password'),
+  removePrivate: require('./remove-private'),
+  removeRestrictedRelations: require('./remove-restricted-relations'),
+  allowedFields: require('./allowed-fields'),
+  restrictedFields: require('./restricted-fields'),
+};

package/lib/sanitize/visitors/remove-password.js

@@ -0,0 +1,7 @@
+'use strict';
+
+module.exports = ({ key, attribute }, { remove }) => {
+  if (attribute.type === 'password') {
+    remove(key);
+  }
+};

package/lib/sanitize/visitors/remove-private.js

@@ -0,0 +1,11 @@
+'use strict';
+
+const { isPrivateAttribute } = require('../../content-types');
+
+module.exports = ({ schema, key }, { remove }) => {
+  const isPrivate = isPrivateAttribute(schema, key);
+
+  if (isPrivate) {
+    remove(key);
+  }
+};

package/lib/sanitize/visitors/remove-restricted-relations.js

@@ -0,0 +1,67 @@
+'use strict';
+
+const ACTIONS_TO_VERIFY = ['find'];
+
+module.exports = auth => async ({ data, key, attribute }, { remove, set }) => {
+  const isRelation = attribute.type === 'relation';
+
+  if (!isRelation) {
+    return;
+  }
+
+  const handleMorphRelation = async () => {
+    const newMorphValue = [];
+
+    for (const element of data[key]) {
+      const scopes = ACTIONS_TO_VERIFY.map(action => `${element.__type}.${action}`);
+      const isAllowed = await hasAccessToSomeScopes(scopes, auth);
+
+      if (isAllowed) {
+        newMorphValue.push(element);
+      }
+    }
+
+    // If the new value is empty, remove the relation completely
+    if (newMorphValue.length === 0) {
+      remove(key);
+    } else {
+      set(key, newMorphValue);
+    }
+  };
+
+  const handleRegularRelation = async () => {
+    const scopes = ACTIONS_TO_VERIFY.map(action => `${attribute.target}.${action}`);
+
+    const isAllowed = await hasAccessToSomeScopes(scopes, auth);
+
+    // If the authenticated user don't have access to any of the scopes, then remove the field
+    if (!isAllowed) {
+      remove(key);
+    }
+  };
+
+  const isMorphRelation = attribute.relation.toLowerCase().startsWith('morph');
+
+  // Polymorphic relations
+  if (isMorphRelation) {
+    await handleMorphRelation();
+  }
+
+  // Regular relations
+  else {
+    await handleRegularRelation();
+  }
+};
+
+const hasAccessToSomeScopes = async (scopes, auth) => {
+  for (const scope of scopes) {
+    try {
+      await strapi.auth.verify(auth, { scope });
+      return true;
+    } catch {
+      continue;
+    }
+  }
+
+  return false;
+};

package/lib/sanitize/visitors/restricted-fields.js

@@ -0,0 +1,31 @@
+'use strict';
+
+const { isArray } = require('lodash/fp');
+
+module.exports = (restrictedFields = null) => ({ key, path }, { remove }) => {
+  // Remove all fields
+  if (restrictedFields === null) {
+    remove(key);
+    return;
+  }
+
+  // Ignore invalid formats
+  if (!isArray(restrictedFields)) {
+    return;
+  }
+
+  // Remove if an exact match was found
+  if (restrictedFields.includes(path)) {
+    remove(key);
+    return;
+  }
+
+  // Remove nested matches
+  const isRestrictedNested = restrictedFields.some(allowedPath =>
+    path.startsWith(`${allowedPath}.`)
+  );
+  if (isRestrictedNested) {
+    remove(key);
+    return;
+  }
+};

package/lib/traverse-entity.js

@@ -0,0 +1,100 @@
+'use strict';
+
+const { cloneDeep, isObject, isArray, isNil, curry } = require('lodash/fp');
+
+const traverseEntity = async (visitor, options, entity) => {
+  const { path = null, schema } = options;
+
+  // End recursion
+  if (!isObject(entity) || isNil(schema)) {
+    return entity;
+  }
+
+  // Don't mutate the original entity object
+  const copy = cloneDeep(entity);
+
+  for (const key of Object.keys(copy)) {
+    // Retrieve the attribute definition associated to the key from the schema
+    const attribute = schema.attributes[key];
+
+    // If the attribute doesn't exist within the schema, ignore it
+    if (isNil(attribute)) {
+      continue;
+    }
+
+    const newPath = path ? `${path}.${key}` : key;
+
+    // Visit the current attribute
+    const visitorOptions = { data: copy, schema, key, value: copy[key], attribute, path: newPath };
+    const visitorUtils = createVisitorUtils({ data: copy });
+
+    await visitor(visitorOptions, visitorUtils);
+
+    // Extract the value for the current key (after calling the visitor)
+    const value = copy[key];
+
+    // Ignore Nil values
+    if (isNil(value)) {
+      continue;
+    }
+
+    const isRelation = attribute.type === 'relation';
+    const isComponent = attribute.type === 'component';
+    const isDynamicZone = attribute.type === 'dynamiczone';
+
+    if (isRelation) {
+      const isMorphRelation = attribute.relation.toLowerCase().startsWith('morph');
+
+      const traverseTarget = entry => {
+        // Handle polymorphic relationships
+        const targetSchemaUID = isMorphRelation ? entry.__type : attribute.target;
+        const targetSchema = strapi.getModel(targetSchemaUID);
+
+        const traverseOptions = { schema: targetSchema, path: newPath };
+
+        return traverseEntity(visitor, traverseOptions, entry);
+      };
+
+      // need to update copy
+      copy[key] = isArray(value)
+        ? await Promise.all(value.map(traverseTarget))
+        : await traverseTarget(value);
+    }
+
+    if (isComponent) {
+      const targetSchema = strapi.getModel(attribute.component);
+      const traverseOptions = { schema: targetSchema, path: newPath };
+
+      const traverseComponent = entry => traverseEntity(visitor, traverseOptions, entry);
+
+      copy[key] = isArray(value)
+        ? await Promise.all(value.map(traverseComponent))
+        : await traverseComponent(value);
+    }
+
+    if (isDynamicZone && isArray(value)) {
+      const visitDynamicZoneEntry = entry => {
+        const targetSchema = strapi.getModel(entry.__component);
+        const traverseOptions = { schema: targetSchema, path: newPath };
+
+        return traverseEntity(visitor, traverseOptions, entry);
+      };
+
+      copy[key] = await Promise.all(value.map(visitDynamicZoneEntry));
+    }
+  }
+
+  return copy;
+};
+
+const createVisitorUtils = ({ data }) => ({
+  remove(key) {
+    delete data[key];
+  },
+
+  set(key, value) {
+    data[key] = value;
+  },
+});
+
+module.exports = curry(traverseEntity);

package/lib/validators.js

@@ -2,7 +2,10 @@
 
 const yup = require('yup');
 const _ = require('lodash');
+const { defaults } = require('lodash/fp');
 const utils = require('./string-formatting');
+const { YupValidationError } = require('./errors');
+const printValue = require('./print-value');
 
 const MixedSchemaType = yup.mixed;
 
@@ -56,27 +59,53 @@ class StrapiIDSchema extends MixedSchemaType {
 
 yup.strapiID = () => new StrapiIDSchema();
 
-/**
- * Returns a formatted error for http responses
- * @param {Object} validationError - a Yup ValidationError
- */
-const formatYupErrors = validationError => {
-  if (!validationError.inner) {
-    throw new Error('invalid.input');
-  }
+const handleYupError = (error, errorMessage) => {
+  throw new YupValidationError(error, errorMessage);
+};
+
+const defaultValidationParam = { strict: true, abortEarly: false };
 
-  if (validationError.inner.length === 0) {
-    if (validationError.path === undefined) return validationError.errors;
-    return { [validationError.path]: validationError.errors };
+const validateYupSchema = (schema, options = {}) => async (body, errorMessage) => {
+  try {
+    const optionsWithDefaults = defaults(defaultValidationParam, options);
+    return await schema.validate(body, optionsWithDefaults);
+  } catch (e) {
+    handleYupError(e, errorMessage);
   }
+};
 
-  return validationError.inner.reduce((acc, err) => {
-    acc[err.path] = err.errors;
-    return acc;
-  }, {});
+const validateYupSchemaSync = (schema, options = {}) => (body, errorMessage) => {
+  try {
+    const optionsWithDefaults = defaults(defaultValidationParam, options);
+    return schema.validateSync(body, optionsWithDefaults);
+  } catch (e) {
+    handleYupError(e, errorMessage);
+  }
 };
 
+// Temporary fix of this issue : https://github.com/jquense/yup/issues/616
+yup.setLocale({
+  mixed: {
+    notType({ path, type, value, originalValue }) {
+      let isCast = originalValue != null && originalValue !== value;
+      let msg =
+        `${path} must be a \`${type}\` type, ` +
+        `but the final value was: \`${printValue(value, true)}\`` +
+        (isCast ? ` (cast from the value \`${printValue(originalValue, true)}\`).` : '.');
+
+      /* Remove comment that is not supposed to be seen by the enduser
+      if (value === null) {
+        msg += `\n If "null" is intended as an empty value be sure to mark the schema as \`.nullable()\``;
+      }
+      */
+      return msg;
+    },
+  },
+});
+
 module.exports = {
   yup,
-  formatYupErrors,
+  handleYupError,
+  validateYupSchema,
+  validateYupSchemaSync,
 };

package/package.json

@@ -1,45 +1,46 @@
 {
   "name": "@strapi/utils",
-  "version": "4.0.0-beta.2",
+  "version": "4.0.0-beta.20",
   "description": "Shared utilities for the Strapi packages",
-  "homepage": "https://strapi.io",
   "keywords": [
     "strapi",
     "utils"
   ],
-  "directories": {
-    "lib": "./lib"
+  "homepage": "https://strapi.io",
+  "bugs": {
+    "url": "https://github.com/strapi/strapi/issues"
   },
-  "main": "./lib",
-  "dependencies": {
-    "@sindresorhus/slugify": "1.1.0",
-    "date-fns": "2.24.0",
-    "lodash": "4.17.21",
-    "yup": "0.32.9"
+  "repository": {
+    "type": "git",
+    "url": "git://github.com/strapi/strapi.git"
   },
+  "license": "SEE LICENSE IN LICENSE",
   "author": {
+    "name": "Strapi Solutions SAS",
     "email": "hi@strapi.io",
-    "name": "Strapi team",
     "url": "https://strapi.io"
   },
   "maintainers": [
     {
-      "name": "Strapi team",
+      "name": "Strapi Solutions SAS",
       "email": "hi@strapi.io",
       "url": "https://strapi.io"
     }
   ],
-  "repository": {
-    "type": "git",
-    "url": "git://github.com/strapi/strapi.git"
+  "main": "./lib",
+  "directories": {
+    "lib": "./lib"
   },
-  "bugs": {
-    "url": "https://github.com/strapi/strapi/issues"
+  "dependencies": {
+    "@sindresorhus/slugify": "1.1.0",
+    "date-fns": "2.24.0",
+    "http-errors": "1.8.0",
+    "lodash": "4.17.21",
+    "yup": "0.32.9"
   },
   "engines": {
     "node": ">=12.x.x <=16.x.x",
     "npm": ">=6.0.0"
   },
-  "license": "SEE LICENSE IN LICENSE",
-  "gitHead": "020680cbb38b6281b3e16df264b9388a087b2b49"
+  "gitHead": "b4993dab9f6dbc583709167f459b6f00e0b4baa6"
 }

package/lib/sanitize-entity.js

@@ -1,171 +0,0 @@
-'use strict';
-
-const _ = require('lodash');
-const {
-  constants,
-  isPrivateAttribute,
-  getNonWritableAttributes,
-  getNonVisibleAttributes,
-  getWritableAttributes,
-} = require('./content-types');
-
-const { ID_ATTRIBUTE, CREATED_AT_ATTRIBUTE, UPDATED_AT_ATTRIBUTE } = constants;
-
-const sanitizeEntity = (dataSource, options) => {
-  const { model, withPrivate = false, isOutput = true, includeFields = null } = options;
-
-  if (typeof dataSource !== 'object' || _.isNil(dataSource)) {
-    return dataSource;
-  }
-
-  const data = parseOriginalData(dataSource);
-
-  if (typeof data !== 'object' || _.isNil(data)) {
-    return data;
-  }
-
-  if (_.isArray(data)) {
-    return data.map(entity => sanitizeEntity(entity, options));
-  }
-
-  if (_.isNil(model)) {
-    if (isOutput) {
-      return null;
-    } else {
-      return data;
-    }
-  }
-
-  const { attributes } = model;
-  const allowedFields = getAllowedFields({ includeFields, model, isOutput });
-
-  const reducerFn = (acc, value, key) => {
-    const attribute = attributes[key];
-    const allowedFieldsHasKey = allowedFields.includes(key);
-
-    if (shouldRemoveAttribute(model, key, attribute, { withPrivate, isOutput })) {
-      return acc;
-    }
-
-    // Relations
-    const isRelation = attribute && ['relation', 'component'].includes(attribute.type);
-    if (isRelation) {
-      const relation = attribute && (attribute.target || attribute.component);
-
-      if (_.isNil(value)) {
-        return { ...acc, [key]: value };
-      }
-
-      const [nextFields, isAllowed] = includeFields
-        ? getNextFields(allowedFields, key, { allowedFieldsHasKey })
-        : [null, true];
-
-      if (!isAllowed) {
-        return acc;
-      }
-
-      const baseOptions = {
-        withPrivate,
-        isOutput,
-        includeFields: nextFields,
-      };
-
-      let sanitizeFn;
-      if (attribute.relation && attribute.relation.toLowerCase().includes('morph')) {
-        sanitizeFn = entity => {
-          if (_.isNil(entity) || !_.has(entity, '__type')) {
-            return entity;
-          }
-
-          return sanitizeEntity(entity, { model: strapi.getModel(entity.__type), ...baseOptions });
-        };
-      } else {
-        sanitizeFn = entity => {
-          return sanitizeEntity(entity, { model: strapi.getModel(relation), ...baseOptions });
-        };
-      }
-
-      const nextVal = Array.isArray(value) ? value.map(sanitizeFn) : sanitizeFn(value);
-
-      return { ...acc, [key]: nextVal };
-    }
-
-    const isAllowedField = !includeFields || allowedFieldsHasKey;
-
-    // Dynamic zones
-    if (attribute && attribute.type === 'dynamiczone' && value !== null && isAllowedField) {
-      const nextVal = value.map(elem =>
-        sanitizeEntity(elem, {
-          model: strapi.getModel(elem.__component),
-          withPrivate,
-          isOutput,
-        })
-      );
-      return { ...acc, [key]: nextVal };
-    }
-
-    // Other fields
-    if (isAllowedField) {
-      return { ...acc, [key]: value };
-    }
-
-    return acc;
-  };
-
-  return _.reduce(data, reducerFn, {});
-};
-
-const parseOriginalData = data => (_.isFunction(data.toJSON) ? data.toJSON() : data);
-
-const COMPONENT_FIELDS = ['__component'];
-const STATIC_FIELDS = [ID_ATTRIBUTE];
-
-const getAllowedFields = ({ includeFields, model, isOutput }) => {
-  const nonWritableAttributes = getNonWritableAttributes(model);
-  const nonVisibleAttributes = getNonVisibleAttributes(model);
-
-  const writableAttributes = getWritableAttributes(model);
-
-  const nonVisibleWritableAttributes = _.intersection(writableAttributes, nonVisibleAttributes);
-
-  return _.uniq(
-    _.concat(
-      includeFields || [],
-      ...(isOutput
-        ? [
-            STATIC_FIELDS,
-            CREATED_AT_ATTRIBUTE,
-            UPDATED_AT_ATTRIBUTE,
-            COMPONENT_FIELDS,
-            ...nonWritableAttributes,
-            ...nonVisibleAttributes,
-          ]
-        : [STATIC_FIELDS, COMPONENT_FIELDS, ...nonVisibleWritableAttributes])
-    )
-  );
-};
-
-const getNextFields = (fields, key, { allowedFieldsHasKey }) => {
-  const searchStr = `${key}.`;
-
-  const transformedFields = (fields || [])
-    .filter(field => field.startsWith(searchStr))
-    .map(field => field.replace(searchStr, ''));
-
-  const isAllowed = allowedFieldsHasKey || transformedFields.length > 0;
-  const nextFields = allowedFieldsHasKey ? null : transformedFields;
-
-  return [nextFields, isAllowed];
-};
-
-const shouldRemoveAttribute = (model, key, attribute = {}, { withPrivate, isOutput }) => {
-  const isPassword = attribute.type === 'password';
-  const isPrivate = isPrivateAttribute(model, key);
-
-  const shouldRemovePassword = isOutput;
-  const shouldRemovePrivate = !withPrivate && isOutput;
-
-  return !!((isPassword && shouldRemovePassword) || (isPrivate && shouldRemovePrivate));
-};
-
-module.exports = sanitizeEntity;