@strapi/utils 4.0.0-next.6 → 4.0.0

package/lib/pagination.js

@@ -0,0 +1,88 @@
+'use strict';
+
+const { merge, pipe, omit, isNil } = require('lodash/fp');
+const { PaginationError } = require('./errors');
+
+const STRAPI_DEFAULTS = {
+  offset: {
+    start: 0,
+    limit: 10,
+  },
+  page: {
+    page: 1,
+    pageSize: 10,
+  },
+};
+
+const paginationAttributes = ['start', 'limit', 'page', 'pageSize'];
+
+const withMaxLimit = (limit, maxLimit = -1) => {
+  if (maxLimit === -1 || limit < maxLimit) {
+    return limit;
+  }
+
+  return maxLimit;
+};
+
+// Ensure minimum page & pageSize values (page >= 1, pageSize >= 0, start >= 0, limit >= 0)
+const ensureMinValues = ({ start, limit }) => ({
+  start: Math.max(start, 0),
+  limit: Math.max(limit, 1),
+});
+
+const ensureMaxValues = (maxLimit = -1) => ({ start, limit }) => ({
+  start,
+  limit: withMaxLimit(limit, maxLimit),
+});
+
+const withDefaultPagination = (args, { defaults = {}, maxLimit = -1 } = {}) => {
+  const defaultValues = merge(STRAPI_DEFAULTS, defaults);
+
+  const usePagePagination = !isNil(args.page) || !isNil(args.pageSize);
+  const useOffsetPagination = !isNil(args.start) || !isNil(args.limit);
+
+  const ensureValidValues = pipe(
+    ensureMinValues,
+    ensureMaxValues(maxLimit)
+  );
+
+  // If there is no pagination attribute, don't modify the payload
+  if (!usePagePagination && !useOffsetPagination) {
+    return merge(args, ensureValidValues(defaultValues.offset));
+  }
+
+  // If there is page & offset pagination attributes, throw an error
+  if (usePagePagination && useOffsetPagination) {
+    throw new PaginationError('Cannot use both page & offset pagination in the same query');
+  }
+
+  const pagination = {};
+
+  // Start / Limit
+  if (useOffsetPagination) {
+    const { start, limit } = merge(defaultValues.offset, args);
+
+    Object.assign(pagination, { start, limit });
+  }
+
+  // Page / PageSize
+  if (usePagePagination) {
+    const { page, pageSize } = merge(defaultValues.page, args);
+
+    Object.assign(pagination, {
+      start: (page - 1) * pageSize,
+      limit: pageSize,
+    });
+  }
+
+  const replacePaginationAttributes = pipe(
+    // Remove pagination attributes
+    omit(paginationAttributes),
+    // Merge the object with the new pagination + ensure minimum & maximum values
+    merge(ensureValidValues(pagination))
+  );
+
+  return replacePaginationAttributes(args);
+};
+
+module.exports = { withDefaultPagination };

package/lib/parse-multipart.js

@@ -3,10 +3,14 @@
 const _ = require('lodash');
 
 module.exports = ctx => {
+  if (!ctx.is('multipart')) {
+    return { data: ctx.request.body, files: {} };
+  }
+
   const { body = {}, files = {} } = ctx.request;
 
   if (!body.data) {
-    throw strapi.errors.badRequest(
+    return ctx.badRequest(
       `When using multipart/form-data you need to provide your data in a JSON 'data' field.`
     );
   }
@@ -15,14 +19,14 @@ module.exports = ctx => {
   try {
     data = JSON.parse(body.data);
   } catch (error) {
-    throw strapi.errors.badRequest(`Invalid 'data' field. 'data' should be a valid JSON.`);
+    return ctx.badRequest(`Invalid 'data' field. 'data' should be a valid JSON.`);
   }
 
   const filesToUpload = Object.keys(files).reduce((acc, key) => {
     const fullPath = _.toPath(key);
 
     if (fullPath.length <= 1 || fullPath[0] !== 'files') {
-      throw strapi.errors.badRequest(
+      return ctx.badRequest(
         `When using multipart/form-data you need to provide your files by prefixing them with the 'files'.
 For example, when a media file is named "avatar", make sure the form key name is "files.avatar"`
       );

package/lib/pipe-async.js

@@ -0,0 +1,11 @@
+'use strict';
+
+module.exports = (...methods) => async data => {
+  let res = data;
+
+  for (const method of methods) {
+    res = await method(res);
+  }
+
+  return res;
+};

package/lib/policy.js

@@ -4,59 +4,28 @@
 'use strict';
 
 const _ = require('lodash');
+const { eq } = require('lodash/fp');
 
-const GLOBAL_PREFIX = 'global::';
-const PLUGIN_PREFIX = 'plugins::';
-const ADMIN_PREFIX = 'admin::';
-const APPLICATION_PREFIX = 'application::';
+const PLUGIN_PREFIX = 'plugin::';
+const API_PREFIX = 'api::';
 
-const isPolicyFactory = _.isArray;
-
-const getPolicyIn = (container, policy) => {
-  return (
-    _.get(container, ['config', 'policies', policy]) ||
-    _.get(container, ['config', 'policies', _.toLower(policy)])
-  );
-};
-
-const policyExistsIn = (container, policy) => !_.isUndefined(getPolicyIn(container, policy));
-
-const stripPolicy = (policy, prefix) => policy.replace(prefix, '');
-
-const createPolicy = (policyName, ...args) => ({ policyName, args });
-
-const resolveHandler = policy => (_.isFunction(policy) ? policy : policy.handler);
-
-const parsePolicy = policy =>
-  isPolicyFactory(policy) ? createPolicy(...policy) : createPolicy(policy);
-
-const resolvePolicy = policyName => {
-  const resolver = policyResolvers.find(resolver => resolver.exists(policyName));
-
-  return resolver ? resolveHandler(resolver.get)(policyName) : undefined;
-};
-
-const searchLocalPolicy = (policy, plugin, apiName) => {
-  let [absoluteApiName, policyName] = policy.split('.');
-  let absoluteApi = _.get(strapi.api, absoluteApiName);
-  const resolver = policyResolvers.find(({ name }) => name === 'plugin');
-
-  if (policyExistsIn(absoluteApi, policyName)) {
-    return resolveHandler(getPolicyIn(absoluteApi, policyName));
+const parsePolicy = policy => {
+  if (typeof policy === 'string') {
+    return { policyName: policy, config: {} };
   }
 
-  const pluginPolicy = `${PLUGIN_PREFIX}${plugin}.${policy}`;
+  const { name, config } = policy;
+  return { policyName: name, config };
+};
 
-  if (plugin && resolver.exists(pluginPolicy)) {
-    return resolveHandler(resolver.get(pluginPolicy));
+const searchLocalPolicy = (policyName, { pluginName, apiName }) => {
+  if (pluginName) {
+    return strapi.policy(`${PLUGIN_PREFIX}${pluginName}.${policyName}`);
   }
 
-  const api = _.get(strapi.api, apiName);
-  if (api && policyExistsIn(api, policy)) {
-    return resolveHandler(getPolicyIn(api, policy));
+  if (apiName) {
+    return strapi.policy(`${API_PREFIX}${apiName}.${policyName}`);
   }
-
-  return undefined;
 };
 
 const globalPolicy = ({ method, endpoint, controller, action, plugin }) => {
@@ -73,100 +42,87 @@ const globalPolicy = ({ method, endpoint, controller, action, plugin }) => {
   };
 };
 
-const policyResolvers = [
-  {
-    name: 'api',
-    is(policy) {
-      return _.startsWith(policy, APPLICATION_PREFIX);
-    },
-    exists(policy) {
-      return this.is(policy) && !_.isUndefined(this.get(policy));
-    },
-    get: policy => {
-      const [, policyWithoutPrefix] = policy.split('::');
-      const [api = '', policyName = ''] = policyWithoutPrefix.split('.');
-      return getPolicyIn(_.get(strapi, ['api', api]), policyName);
-    },
-  },
-  {
-    name: 'admin',
-    is(policy) {
-      return _.startsWith(policy, ADMIN_PREFIX);
-    },
-    exists(policy) {
-      return this.is(policy) && !_.isUndefined(this.get(policy));
-    },
-    get: policy => {
-      return getPolicyIn(_.get(strapi, 'admin'), stripPolicy(policy, ADMIN_PREFIX));
-    },
-  },
-  {
-    name: 'plugin',
-    is(policy) {
-      return _.startsWith(policy, PLUGIN_PREFIX);
-    },
-    exists(policy) {
-      return this.is(policy) && !_.isUndefined(this.get(policy));
-    },
-    get(policy) {
-      const [plugin = '', policyName = ''] = stripPolicy(policy, PLUGIN_PREFIX).split('.');
-      return getPolicyIn(_.get(strapi, ['plugins', plugin]), policyName);
-    },
-  },
-  {
-    name: 'global',
-    is(policy) {
-      return _.startsWith(policy, GLOBAL_PREFIX);
-    },
-    exists(policy) {
-      return this.is(policy) && !_.isUndefined(this.get(policy));
-    },
-    get(policy) {
-      return getPolicyIn(strapi, stripPolicy(policy, GLOBAL_PREFIX));
-    },
-  },
-];
-
-const get = (policy, plugin, apiName) => {
-  const { policyName, args } = parsePolicy(policy);
+const resolvePolicies = (config, { pluginName, apiName } = {}) => {
+  return config.map(policyConfig => {
+    return {
+      handler: getPolicy(policyConfig, { pluginName, apiName }),
+      config: policyConfig.config || {},
+    };
+  });
+};
 
-  const resolvedPolicy = resolvePolicy(policyName);
+const findPolicy = (name, { pluginName, apiName } = {}) => {
+  const resolvedPolicy = strapi.policy(name);
 
   if (resolvedPolicy !== undefined) {
-    return isPolicyFactory(policy) ? resolvedPolicy(...args) : resolvedPolicy;
+    return resolvedPolicy;
   }
 
-  const localPolicy = searchLocalPolicy(policy, plugin, apiName);
+  const localPolicy = searchLocalPolicy(name, { pluginName, apiName });
 
   if (localPolicy !== undefined) {
     return localPolicy;
   }
 
-  throw new Error(`Could not find policy "${policy}"`);
+  throw new Error(`Could not find policy "${name}"`);
 };
 
-const createPolicyFactory = (factoryCallback, options) => {
-  const { validator, name = 'unnamed' } = options;
+const getPolicy = (policyConfig, { pluginName, apiName } = {}) => {
+  if (typeof policyConfig === 'function') {
+    return policyConfig;
+  }
 
-  const validate = (...args) => {
-    try {
-      validator(...args);
-    } catch (e) {
-      throw new Error(`Invalid objects submitted to "${name}" policy.`);
-    }
-  };
+  const { policyName, config } = parsePolicy(policyConfig);
+
+  const policy = findPolicy(policyName, { pluginName, apiName });
 
-  return (...args) => {
+  if (typeof policy === 'function') {
+    return policy;
+  }
+
+  if (policy.validator) {
+    policy.validator(config);
+  }
+
+  return policy.handler;
+};
+
+const createPolicy = options => {
+  const { name = 'unnamed', validator, handler } = options;
+
+  const wrappedValidator = config => {
     if (validator) {
-      validate(...args);
+      try {
+        validator(config);
+      } catch (e) {
+        throw new Error(`Invalid config passed to "${name}" policy.`);
+      }
     }
+  };
 
-    return factoryCallback(...args);
+  return {
+    name,
+    validator: wrappedValidator,
+    handler,
   };
 };
 
+const createPolicyContext = (type, ctx) => {
+  return Object.assign(
+    {
+      is: eq(type),
+      get type() {
+        return type;
+      },
+    },
+    ctx
+  );
+};
+
 module.exports = {
-  get,
+  get: getPolicy,
+  resolve: resolvePolicies,
   globalPolicy,
-  createPolicyFactory,
+  createPolicy,
+  createPolicyContext,
 };

package/lib/print-value.js

@@ -0,0 +1,51 @@
+'use strict';
+
+// Code copied from the yup library (https://github.com/jquense/yup)
+// https://github.com/jquense/yup/blob/2778b88bdacd5260d593c6468793da2e77daf21f/src/util/printValue.ts
+
+const toString = Object.prototype.toString;
+const errorToString = Error.prototype.toString;
+const regExpToString = RegExp.prototype.toString;
+const symbolToString = typeof Symbol !== 'undefined' ? Symbol.prototype.toString : () => '';
+
+const SYMBOL_REGEXP = /^Symbol\((.*)\)(.*)$/;
+
+function printNumber(val) {
+  if (val != +val) return 'NaN';
+  const isNegativeZero = val === 0 && 1 / val < 0;
+  return isNegativeZero ? '-0' : '' + val;
+}
+
+function printSimpleValue(val, quoteStrings = false) {
+  if (val == null || val === true || val === false) return '' + val;
+
+  const typeOf = typeof val;
+  if (typeOf === 'number') return printNumber(val);
+  if (typeOf === 'string') return quoteStrings ? `"${val}"` : val;
+  if (typeOf === 'function') return '[Function ' + (val.name || 'anonymous') + ']';
+  if (typeOf === 'symbol') return symbolToString.call(val).replace(SYMBOL_REGEXP, 'Symbol($1)');
+
+  const tag = toString.call(val).slice(8, -1);
+  if (tag === 'Date') return isNaN(val.getTime()) ? '' + val : val.toISOString(val);
+  if (tag === 'Error' || val instanceof Error) return '[' + errorToString.call(val) + ']';
+  if (tag === 'RegExp') return regExpToString.call(val);
+
+  return null;
+}
+
+function printValue(value, quoteStrings) {
+  let result = printSimpleValue(value, quoteStrings);
+  if (result !== null) return result;
+
+  return JSON.stringify(
+    value,
+    function(key, value) {
+      let result = printSimpleValue(this[key], quoteStrings);
+      if (result !== null) return result;
+      return value;
+    },
+    2
+  );
+}
+
+module.exports = printValue;

package/lib/sanitize/index.js

@@ -0,0 +1,51 @@
+'use strict';
+
+const { isArray } = require('lodash/fp');
+
+const traverseEntity = require('../traverse-entity');
+const { getNonWritableAttributes } = require('../content-types');
+const pipeAsync = require('../pipe-async');
+
+const visitors = require('./visitors');
+const sanitizers = require('./sanitizers');
+
+module.exports = {
+  contentAPI: {
+    input(data, schema, { auth } = {}) {
+      if (isArray(data)) {
+        return Promise.all(data.map(entry => this.input(entry, schema, { auth })));
+      }
+
+      const nonWritableAttributes = getNonWritableAttributes(schema);
+
+      const transforms = [
+        // Remove non writable attributes
+        traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),
+      ];
+
+      if (auth) {
+        // Remove restricted relations
+        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
+      }
+
+      return pipeAsync(...transforms)(data);
+    },
+
+    output(data, schema, { auth } = {}) {
+      if (isArray(data)) {
+        return Promise.all(data.map(entry => this.output(entry, schema, { auth })));
+      }
+
+      const transforms = [sanitizers.defaultSanitizeOutput(schema)];
+
+      if (auth) {
+        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
+      }
+
+      return pipeAsync(...transforms)(data);
+    },
+  },
+
+  sanitizers,
+  visitors,
+};

package/lib/sanitize/sanitizers.js

@@ -0,0 +1,26 @@
+'use strict';
+
+const { curry } = require('lodash/fp');
+
+const pipeAsync = require('../pipe-async');
+const traverseEntity = require('../traverse-entity');
+
+const { removePassword, removePrivate } = require('./visitors');
+
+const sanitizePasswords = curry((schema, entity) => {
+  return traverseEntity(removePassword, { schema }, entity);
+});
+
+const sanitizePrivates = curry((schema, entity) => {
+  return traverseEntity(removePrivate, { schema }, entity);
+});
+
+const defaultSanitizeOutput = curry((schema, entity) => {
+  return pipeAsync(sanitizePrivates(schema), sanitizePasswords(schema))(entity);
+});
+
+module.exports = {
+  sanitizePasswords,
+  sanitizePrivates,
+  defaultSanitizeOutput,
+};

package/lib/sanitize/visitors/allowed-fields.js

@@ -0,0 +1,92 @@
+'use strict';
+
+const { isArray, toPath } = require('lodash/fp');
+
+module.exports = (allowedFields = null) => ({ key, path }, { remove }) => {
+  // All fields are allowed
+  if (allowedFields === null) {
+    return;
+  }
+
+  // Ignore invalid formats
+  if (!isArray(allowedFields)) {
+    return;
+  }
+
+  const containedPaths = getContainedPaths(path);
+
+  /**
+   * Tells if the current path should be kept or not based
+   * on the success of the check functions for any of the allowed paths.
+   *
+   * The check functions are defined as follow:
+   *
+   * `containedPaths.includes(p)`
+   * @example
+   * ```js
+   * const path = 'foo.bar.field';
+   * const p = 'foo.bar';
+   * // it should match
+   *
+   * const path = 'foo.bar.field';
+   * const p = 'bar.foo';
+   * // it shouldn't match
+   *
+   * const path = 'foo.bar';
+   * const p = 'foo.bar.field';
+   * // it should match but isn't handled by this check
+   * ```
+   *
+   * `p.startsWith(`${path}.`)`
+   * @example
+   * ```js
+   * const path = 'foo.bar';
+   * const p = 'foo.bar.field';
+   * // it should match
+   *
+   * const path = 'foo.bar.field';
+   * const p = 'bar.foo';
+   * // it shouldn't match
+   *
+   * const path = 'foo.bar.field';
+   * const p = 'foo.bar';
+   * // it should match but isn't handled by this check
+   * ```
+   */
+  const isPathAllowed = allowedFields.some(
+    p => containedPaths.includes(p) || p.startsWith(`${path}.`)
+  );
+
+  if (isPathAllowed) {
+    return;
+  }
+
+  // Remove otherwise
+  remove(key);
+};
+
+/**
+ * Retrieve the list of allowed paths based on the given path
+ *
+ * @param {string} path
+ * @return {string[]}
+ *
+ * @example
+ * ```js
+ * const containedPaths = getContainedPaths('foo');
+ * // ['foo']
+ *
+ *  * const containedPaths = getContainedPaths('foo.bar');
+ * // ['foo', 'foo.bar']
+ *
+ *  * const containedPaths = getContainedPaths('foo.bar.field');
+ * // ['foo', 'foo.bar', 'foo.bar.field']
+ * ```
+ */
+const getContainedPaths = path => {
+  const parts = toPath(path);
+
+  return parts.reduce((acc, value, index, list) => {
+    return [...acc, list.slice(0, index + 1).join('.')];
+  }, []);
+};

package/lib/sanitize/visitors/index.js

@@ -0,0 +1,9 @@
+'use strict';
+
+module.exports = {
+  removePassword: require('./remove-password'),
+  removePrivate: require('./remove-private'),
+  removeRestrictedRelations: require('./remove-restricted-relations'),
+  allowedFields: require('./allowed-fields'),
+  restrictedFields: require('./restricted-fields'),
+};

package/lib/sanitize/visitors/remove-password.js

@@ -0,0 +1,7 @@
+'use strict';
+
+module.exports = ({ key, attribute }, { remove }) => {
+  if (attribute.type === 'password') {
+    remove(key);
+  }
+};

package/lib/sanitize/visitors/remove-private.js

@@ -0,0 +1,11 @@
+'use strict';
+
+const { isPrivateAttribute } = require('../../content-types');
+
+module.exports = ({ schema, key }, { remove }) => {
+  const isPrivate = isPrivateAttribute(schema, key);
+
+  if (isPrivate) {
+    remove(key);
+  }
+};

package/lib/sanitize/visitors/remove-restricted-relations.js

@@ -0,0 +1,67 @@
+'use strict';
+
+const ACTIONS_TO_VERIFY = ['find'];
+
+module.exports = auth => async ({ data, key, attribute }, { remove, set }) => {
+  const isRelation = attribute.type === 'relation';
+
+  if (!isRelation) {
+    return;
+  }
+
+  const handleMorphRelation = async () => {
+    const newMorphValue = [];
+
+    for (const element of data[key]) {
+      const scopes = ACTIONS_TO_VERIFY.map(action => `${element.__type}.${action}`);
+      const isAllowed = await hasAccessToSomeScopes(scopes, auth);
+
+      if (isAllowed) {
+        newMorphValue.push(element);
+      }
+    }
+
+    // If the new value is empty, remove the relation completely
+    if (newMorphValue.length === 0) {
+      remove(key);
+    } else {
+      set(key, newMorphValue);
+    }
+  };
+
+  const handleRegularRelation = async () => {
+    const scopes = ACTIONS_TO_VERIFY.map(action => `${attribute.target}.${action}`);
+
+    const isAllowed = await hasAccessToSomeScopes(scopes, auth);
+
+    // If the authenticated user don't have access to any of the scopes, then remove the field
+    if (!isAllowed) {
+      remove(key);
+    }
+  };
+
+  const isMorphRelation = attribute.relation.toLowerCase().startsWith('morph');
+
+  // Polymorphic relations
+  if (isMorphRelation) {
+    await handleMorphRelation();
+  }
+
+  // Regular relations
+  else {
+    await handleRegularRelation();
+  }
+};
+
+const hasAccessToSomeScopes = async (scopes, auth) => {
+  for (const scope of scopes) {
+    try {
+      await strapi.auth.verify(auth, { scope });
+      return true;
+    } catch {
+      continue;
+    }
+  }
+
+  return false;
+};