@strapi/utils 4.0.0-next.8 → 4.0.2

package/lib/policy.js

@@ -4,61 +4,28 @@
 'use strict';
 
 const _ = require('lodash');
+const { eq } = require('lodash/fp');
 
-const GLOBAL_PREFIX = 'global::';
 const PLUGIN_PREFIX = 'plugin::';
-const ADMIN_PREFIX = 'admin::';
-const APPLICATION_PREFIX = 'api::';
-
-const getPolicyIn = (container, policy) => {
-  return (
-    _.get(container, ['config', 'policies', policy]) ||
-    _.get(container, ['config', 'policies', _.toLower(policy)])
-  );
-};
-
-const policyExistsIn = (container, policy) => !_.isUndefined(getPolicyIn(container, policy));
-
-const createPolicy = (policyName, args) => ({ policyName, args });
-
-const resolveHandler = policy => (_.isFunction(policy) ? policy : policy.handler);
+const API_PREFIX = 'api::';
 
 const parsePolicy = policy => {
   if (typeof policy === 'string') {
-    return createPolicy(policy);
+    return { policyName: policy, config: {} };
   }
 
-  const { name, options = {} } = policy;
-  return createPolicy(name, options);
-};
-
-const resolvePolicy = policyName => {
-  const resolver = policyResolvers.find(resolver => resolver.exists(policyName));
-
-  return resolver ? resolveHandler(resolver.get)(policyName) : undefined;
+  const { name, config } = policy;
+  return { policyName: name, config };
 };
 
-const searchLocalPolicy = (policy, plugin, apiName) => {
-  let [absoluteApiName, policyName] = policy.split('.');
-  let absoluteApi = _.get(strapi.api, absoluteApiName);
-  const resolver = policyResolvers.find(({ name }) => name === 'plugin');
-
-  if (policyExistsIn(absoluteApi, policyName)) {
-    return resolveHandler(getPolicyIn(absoluteApi, policyName));
+const searchLocalPolicy = (policyName, { pluginName, apiName }) => {
+  if (pluginName) {
+    return strapi.policy(`${PLUGIN_PREFIX}${pluginName}.${policyName}`);
   }
 
-  const pluginPolicy = `${PLUGIN_PREFIX}${plugin}.${policy}`;
-
-  if (plugin && resolver.exists(pluginPolicy)) {
-    return resolveHandler(resolver.get(pluginPolicy));
+  if (apiName) {
+    return strapi.policy(`${API_PREFIX}${apiName}.${policyName}`);
   }
-
-  const api = _.get(strapi.api, apiName);
-  if (api && policyExistsIn(api, policy)) {
-    return resolveHandler(getPolicyIn(api, policy));
-  }
-
-  return undefined;
 };
 
 const globalPolicy = ({ method, endpoint, controller, action, plugin }) => {
@@ -75,113 +42,87 @@ const globalPolicy = ({ method, endpoint, controller, action, plugin }) => {
   };
 };
 
-const bodyPolicy = async (ctx, next) => {
-  const values = await next();
-
-  if (_.isNil(ctx.body) && !_.isNil(values)) {
-    ctx.body = values;
-  }
+const resolvePolicies = (config, { pluginName, apiName } = {}) => {
+  return config.map(policyConfig => {
+    return {
+      handler: getPolicy(policyConfig, { pluginName, apiName }),
+      config: policyConfig.config || {},
+    };
+  });
 };
 
-const policyResolvers = [
-  {
-    name: 'api',
-    is(policy) {
-      return _.startsWith(policy, APPLICATION_PREFIX);
-    },
-    exists(policy) {
-      return this.is(policy) && !_.isUndefined(this.get(policy));
-    },
-    get: policy => {
-      const [, policyWithoutPrefix] = policy.split('::');
-      const [api = '', policyName = ''] = policyWithoutPrefix.split('.');
-      // TODO: load policies into the registry & user strapi.policy(policy)
-      return getPolicyIn(_.get(strapi, ['api', api]), policyName);
-    },
-  },
-  {
-    name: 'admin',
-    is(policy) {
-      return _.startsWith(policy, ADMIN_PREFIX);
-    },
-    exists(policy) {
-      return this.is(policy) && !_.isUndefined(this.get(policy));
-    },
-    get(policy) {
-      return strapi.policy(policy);
-    },
-  },
-  {
-    name: 'plugin',
-    is(policy) {
-      return _.startsWith(policy, PLUGIN_PREFIX);
-    },
-    exists(policy) {
-      return this.is(policy) && !_.isUndefined(this.get(policy));
-    },
-    get(policy) {
-      return strapi.policy(policy);
-    },
-  },
-  {
-    name: 'global',
-    is(policy) {
-      return _.startsWith(policy, GLOBAL_PREFIX);
-    },
-    exists(policy) {
-      return this.is(policy) && !_.isUndefined(this.get(policy));
-    },
-    get(policy) {
-      return strapi.policy(policy);
-    },
-  },
-];
-
-const get = (policy, plugin, apiName) => {
-  if (typeof policy === 'function') {
-    return policy;
-  }
-
-  const { policyName, args } = parsePolicy(policy);
-
-  const resolvedPolicy = resolvePolicy(policyName);
+const findPolicy = (name, { pluginName, apiName } = {}) => {
+  const resolvedPolicy = strapi.policy(name);
 
   if (resolvedPolicy !== undefined) {
-    return _.isPlainObject(policy) ? resolvedPolicy(args) : resolvedPolicy;
+    return resolvedPolicy;
   }
 
-  const localPolicy = searchLocalPolicy(policy, plugin, apiName);
+  const localPolicy = searchLocalPolicy(name, { pluginName, apiName });
 
   if (localPolicy !== undefined) {
     return localPolicy;
   }
 
-  throw new Error(`Could not find policy "${policy}"`);
+  throw new Error(`Could not find policy "${name}"`);
 };
 
-const createPolicyFactory = (factoryCallback, options) => {
-  const { validator, name = 'unnamed' } = options;
+const getPolicy = (policyConfig, { pluginName, apiName } = {}) => {
+  if (typeof policyConfig === 'function') {
+    return policyConfig;
+  }
 
-  const validate = (...args) => {
-    try {
-      validator(...args);
-    } catch (e) {
-      throw new Error(`Invalid objects submitted to "${name}" policy.`);
-    }
-  };
+  const { policyName, config } = parsePolicy(policyConfig);
+
+  const policy = findPolicy(policyName, { pluginName, apiName });
+
+  if (typeof policy === 'function') {
+    return policy;
+  }
+
+  if (policy.validator) {
+    policy.validator(config);
+  }
+
+  return policy.handler;
+};
 
-  return options => {
+const createPolicy = options => {
+  const { name = 'unnamed', validator, handler } = options;
+
+  const wrappedValidator = config => {
     if (validator) {
-      validate(options);
+      try {
+        validator(config);
+      } catch (e) {
+        throw new Error(`Invalid config passed to "${name}" policy.`);
+      }
     }
+  };
 
-    return factoryCallback(options);
+  return {
+    name,
+    validator: wrappedValidator,
+    handler,
   };
 };
 
+const createPolicyContext = (type, ctx) => {
+  return Object.assign(
+    {
+      is: eq(type),
+      get type() {
+        return type;
+      },
+    },
+    ctx
+  );
+};
+
 module.exports = {
-  get,
+  get: getPolicy,
+  resolve: resolvePolicies,
   globalPolicy,
-  bodyPolicy,
-  createPolicyFactory,
+  createPolicy,
+  createPolicyContext,
 };

package/lib/print-value.js

@@ -0,0 +1,51 @@
+'use strict';
+
+// Code copied from the yup library (https://github.com/jquense/yup)
+// https://github.com/jquense/yup/blob/2778b88bdacd5260d593c6468793da2e77daf21f/src/util/printValue.ts
+
+const toString = Object.prototype.toString;
+const errorToString = Error.prototype.toString;
+const regExpToString = RegExp.prototype.toString;
+const symbolToString = typeof Symbol !== 'undefined' ? Symbol.prototype.toString : () => '';
+
+const SYMBOL_REGEXP = /^Symbol\((.*)\)(.*)$/;
+
+function printNumber(val) {
+  if (val != +val) return 'NaN';
+  const isNegativeZero = val === 0 && 1 / val < 0;
+  return isNegativeZero ? '-0' : '' + val;
+}
+
+function printSimpleValue(val, quoteStrings = false) {
+  if (val == null || val === true || val === false) return '' + val;
+
+  const typeOf = typeof val;
+  if (typeOf === 'number') return printNumber(val);
+  if (typeOf === 'string') return quoteStrings ? `"${val}"` : val;
+  if (typeOf === 'function') return '[Function ' + (val.name || 'anonymous') + ']';
+  if (typeOf === 'symbol') return symbolToString.call(val).replace(SYMBOL_REGEXP, 'Symbol($1)');
+
+  const tag = toString.call(val).slice(8, -1);
+  if (tag === 'Date') return isNaN(val.getTime()) ? '' + val : val.toISOString(val);
+  if (tag === 'Error' || val instanceof Error) return '[' + errorToString.call(val) + ']';
+  if (tag === 'RegExp') return regExpToString.call(val);
+
+  return null;
+}
+
+function printValue(value, quoteStrings) {
+  let result = printSimpleValue(value, quoteStrings);
+  if (result !== null) return result;
+
+  return JSON.stringify(
+    value,
+    function(key, value) {
+      let result = printSimpleValue(this[key], quoteStrings);
+      if (result !== null) return result;
+      return value;
+    },
+    2
+  );
+}
+
+module.exports = printValue;

package/lib/sanitize/index.js

@@ -0,0 +1,51 @@
+'use strict';
+
+const { isArray } = require('lodash/fp');
+
+const traverseEntity = require('../traverse-entity');
+const { getNonWritableAttributes } = require('../content-types');
+const pipeAsync = require('../pipe-async');
+
+const visitors = require('./visitors');
+const sanitizers = require('./sanitizers');
+
+module.exports = {
+  contentAPI: {
+    input(data, schema, { auth } = {}) {
+      if (isArray(data)) {
+        return Promise.all(data.map(entry => this.input(entry, schema, { auth })));
+      }
+
+      const nonWritableAttributes = getNonWritableAttributes(schema);
+
+      const transforms = [
+        // Remove non writable attributes
+        traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),
+      ];
+
+      if (auth) {
+        // Remove restricted relations
+        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
+      }
+
+      return pipeAsync(...transforms)(data);
+    },
+
+    output(data, schema, { auth } = {}) {
+      if (isArray(data)) {
+        return Promise.all(data.map(entry => this.output(entry, schema, { auth })));
+      }
+
+      const transforms = [sanitizers.defaultSanitizeOutput(schema)];
+
+      if (auth) {
+        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
+      }
+
+      return pipeAsync(...transforms)(data);
+    },
+  },
+
+  sanitizers,
+  visitors,
+};

package/lib/sanitize/sanitizers.js

@@ -0,0 +1,26 @@
+'use strict';
+
+const { curry } = require('lodash/fp');
+
+const pipeAsync = require('../pipe-async');
+const traverseEntity = require('../traverse-entity');
+
+const { removePassword, removePrivate } = require('./visitors');
+
+const sanitizePasswords = curry((schema, entity) => {
+  return traverseEntity(removePassword, { schema }, entity);
+});
+
+const sanitizePrivates = curry((schema, entity) => {
+  return traverseEntity(removePrivate, { schema }, entity);
+});
+
+const defaultSanitizeOutput = curry((schema, entity) => {
+  return pipeAsync(sanitizePrivates(schema), sanitizePasswords(schema))(entity);
+});
+
+module.exports = {
+  sanitizePasswords,
+  sanitizePrivates,
+  defaultSanitizeOutput,
+};

package/lib/sanitize/visitors/allowed-fields.js

@@ -0,0 +1,92 @@
+'use strict';
+
+const { isArray, toPath } = require('lodash/fp');
+
+module.exports = (allowedFields = null) => ({ key, path }, { remove }) => {
+  // All fields are allowed
+  if (allowedFields === null) {
+    return;
+  }
+
+  // Ignore invalid formats
+  if (!isArray(allowedFields)) {
+    return;
+  }
+
+  const containedPaths = getContainedPaths(path);
+
+  /**
+   * Tells if the current path should be kept or not based
+   * on the success of the check functions for any of the allowed paths.
+   *
+   * The check functions are defined as follow:
+   *
+   * `containedPaths.includes(p)`
+   * @example
+   * ```js
+   * const path = 'foo.bar.field';
+   * const p = 'foo.bar';
+   * // it should match
+   *
+   * const path = 'foo.bar.field';
+   * const p = 'bar.foo';
+   * // it shouldn't match
+   *
+   * const path = 'foo.bar';
+   * const p = 'foo.bar.field';
+   * // it should match but isn't handled by this check
+   * ```
+   *
+   * `p.startsWith(`${path}.`)`
+   * @example
+   * ```js
+   * const path = 'foo.bar';
+   * const p = 'foo.bar.field';
+   * // it should match
+   *
+   * const path = 'foo.bar.field';
+   * const p = 'bar.foo';
+   * // it shouldn't match
+   *
+   * const path = 'foo.bar.field';
+   * const p = 'foo.bar';
+   * // it should match but isn't handled by this check
+   * ```
+   */
+  const isPathAllowed = allowedFields.some(
+    p => containedPaths.includes(p) || p.startsWith(`${path}.`)
+  );
+
+  if (isPathAllowed) {
+    return;
+  }
+
+  // Remove otherwise
+  remove(key);
+};
+
+/**
+ * Retrieve the list of allowed paths based on the given path
+ *
+ * @param {string} path
+ * @return {string[]}
+ *
+ * @example
+ * ```js
+ * const containedPaths = getContainedPaths('foo');
+ * // ['foo']
+ *
+ *  * const containedPaths = getContainedPaths('foo.bar');
+ * // ['foo', 'foo.bar']
+ *
+ *  * const containedPaths = getContainedPaths('foo.bar.field');
+ * // ['foo', 'foo.bar', 'foo.bar.field']
+ * ```
+ */
+const getContainedPaths = path => {
+  const parts = toPath(path);
+
+  return parts.reduce((acc, value, index, list) => {
+    return [...acc, list.slice(0, index + 1).join('.')];
+  }, []);
+};

package/lib/sanitize/visitors/index.js

@@ -0,0 +1,9 @@
+'use strict';
+
+module.exports = {
+  removePassword: require('./remove-password'),
+  removePrivate: require('./remove-private'),
+  removeRestrictedRelations: require('./remove-restricted-relations'),
+  allowedFields: require('./allowed-fields'),
+  restrictedFields: require('./restricted-fields'),
+};

package/lib/sanitize/visitors/remove-password.js

@@ -0,0 +1,7 @@
+'use strict';
+
+module.exports = ({ key, attribute }, { remove }) => {
+  if (attribute.type === 'password') {
+    remove(key);
+  }
+};

package/lib/sanitize/visitors/remove-private.js

@@ -0,0 +1,11 @@
+'use strict';
+
+const { isPrivateAttribute } = require('../../content-types');
+
+module.exports = ({ schema, key }, { remove }) => {
+  const isPrivate = isPrivateAttribute(schema, key);
+
+  if (isPrivate) {
+    remove(key);
+  }
+};

package/lib/sanitize/visitors/remove-restricted-relations.js

@@ -0,0 +1,67 @@
+'use strict';
+
+const ACTIONS_TO_VERIFY = ['find'];
+
+module.exports = auth => async ({ data, key, attribute }, { remove, set }) => {
+  const isRelation = attribute.type === 'relation';
+
+  if (!isRelation) {
+    return;
+  }
+
+  const handleMorphRelation = async () => {
+    const newMorphValue = [];
+
+    for (const element of data[key]) {
+      const scopes = ACTIONS_TO_VERIFY.map(action => `${element.__type}.${action}`);
+      const isAllowed = await hasAccessToSomeScopes(scopes, auth);
+
+      if (isAllowed) {
+        newMorphValue.push(element);
+      }
+    }
+
+    // If the new value is empty, remove the relation completely
+    if (newMorphValue.length === 0) {
+      remove(key);
+    } else {
+      set(key, newMorphValue);
+    }
+  };
+
+  const handleRegularRelation = async () => {
+    const scopes = ACTIONS_TO_VERIFY.map(action => `${attribute.target}.${action}`);
+
+    const isAllowed = await hasAccessToSomeScopes(scopes, auth);
+
+    // If the authenticated user don't have access to any of the scopes, then remove the field
+    if (!isAllowed) {
+      remove(key);
+    }
+  };
+
+  const isMorphRelation = attribute.relation.toLowerCase().startsWith('morph');
+
+  // Polymorphic relations
+  if (isMorphRelation) {
+    await handleMorphRelation();
+  }
+
+  // Regular relations
+  else {
+    await handleRegularRelation();
+  }
+};
+
+const hasAccessToSomeScopes = async (scopes, auth) => {
+  for (const scope of scopes) {
+    try {
+      await strapi.auth.verify(auth, { scope });
+      return true;
+    } catch {
+      continue;
+    }
+  }
+
+  return false;
+};

package/lib/sanitize/visitors/restricted-fields.js

@@ -0,0 +1,31 @@
+'use strict';
+
+const { isArray } = require('lodash/fp');
+
+module.exports = (restrictedFields = null) => ({ key, path }, { remove }) => {
+  // Remove all fields
+  if (restrictedFields === null) {
+    remove(key);
+    return;
+  }
+
+  // Ignore invalid formats
+  if (!isArray(restrictedFields)) {
+    return;
+  }
+
+  // Remove if an exact match was found
+  if (restrictedFields.includes(path)) {
+    remove(key);
+    return;
+  }
+
+  // Remove nested matches
+  const isRestrictedNested = restrictedFields.some(allowedPath =>
+    path.startsWith(`${allowedPath}.`)
+  );
+  if (isRestrictedNested) {
+    remove(key);
+    return;
+  }
+};

package/lib/traverse-entity.js

@@ -0,0 +1,100 @@
+'use strict';
+
+const { cloneDeep, isObject, isArray, isNil, curry } = require('lodash/fp');
+
+const traverseEntity = async (visitor, options, entity) => {
+  const { path = null, schema } = options;
+
+  // End recursion
+  if (!isObject(entity) || isNil(schema)) {
+    return entity;
+  }
+
+  // Don't mutate the original entity object
+  const copy = cloneDeep(entity);
+
+  for (const key of Object.keys(copy)) {
+    // Retrieve the attribute definition associated to the key from the schema
+    const attribute = schema.attributes[key];
+
+    // If the attribute doesn't exist within the schema, ignore it
+    if (isNil(attribute)) {
+      continue;
+    }
+
+    const newPath = path ? `${path}.${key}` : key;
+
+    // Visit the current attribute
+    const visitorOptions = { data: copy, schema, key, value: copy[key], attribute, path: newPath };
+    const visitorUtils = createVisitorUtils({ data: copy });
+
+    await visitor(visitorOptions, visitorUtils);
+
+    // Extract the value for the current key (after calling the visitor)
+    const value = copy[key];
+
+    // Ignore Nil values
+    if (isNil(value)) {
+      continue;
+    }
+
+    const isRelation = attribute.type === 'relation';
+    const isComponent = attribute.type === 'component';
+    const isDynamicZone = attribute.type === 'dynamiczone';
+
+    if (isRelation) {
+      const isMorphRelation = attribute.relation.toLowerCase().startsWith('morph');
+
+      const traverseTarget = entry => {
+        // Handle polymorphic relationships
+        const targetSchemaUID = isMorphRelation ? entry.__type : attribute.target;
+        const targetSchema = strapi.getModel(targetSchemaUID);
+
+        const traverseOptions = { schema: targetSchema, path: newPath };
+
+        return traverseEntity(visitor, traverseOptions, entry);
+      };
+
+      // need to update copy
+      copy[key] = isArray(value)
+        ? await Promise.all(value.map(traverseTarget))
+        : await traverseTarget(value);
+    }
+
+    if (isComponent) {
+      const targetSchema = strapi.getModel(attribute.component);
+      const traverseOptions = { schema: targetSchema, path: newPath };
+
+      const traverseComponent = entry => traverseEntity(visitor, traverseOptions, entry);
+
+      copy[key] = isArray(value)
+        ? await Promise.all(value.map(traverseComponent))
+        : await traverseComponent(value);
+    }
+
+    if (isDynamicZone && isArray(value)) {
+      const visitDynamicZoneEntry = entry => {
+        const targetSchema = strapi.getModel(entry.__component);
+        const traverseOptions = { schema: targetSchema, path: newPath };
+
+        return traverseEntity(visitor, traverseOptions, entry);
+      };
+
+      copy[key] = await Promise.all(value.map(visitDynamicZoneEntry));
+    }
+  }
+
+  return copy;
+};
+
+const createVisitorUtils = ({ data }) => ({
+  remove(key) {
+    delete data[key];
+  },
+
+  set(key, value) {
+    data[key] = value;
+  },
+});
+
+module.exports = curry(traverseEntity);