npm - @webiny/api-headless-cms - Versions diffs - 0.0.0-mt-1 - Mend

@webiny/api-headless-cms 0.0.0-mt-1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

package/types.js ADDED Viewed

@@ -0,0 +1,366 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.CONTENT_ENTRY_STATUS = void 0;
+/**
+ * @description This combines all contexts used in the CMS into a single one.
+ *
+ * @category Context
+ */
+/**
+ * Object containing content model field predefined options and values.
+ *
+ * @category CmsModelField
+ */
+/**
+ * Object containing content model field renderer options.
+ *
+ * @category CmsModelField
+ */
+/**
+ * A definition for content model field. This type exists on the app side as well.
+ *
+ * @category ModelField
+ * @category Database model
+ */
+/**
+ * A definition for dateTime field to show possible type of the field in settings.
+ */
+/**
+ * Arguments for the field validator validate method.
+ *
+ * @category ModelField
+ * @category FieldValidation
+ */
+/**
+ * Definition for the field validator.
+ *
+ * @category Plugin
+ * @category ModelField
+ * @category FieldValidation
+ */
+/**
+ * A pattern validator for the content entry field value.
+ *
+ * @category Plugin
+ * @category ModelField
+ * @category FieldValidation
+ */
+/**
+ * Locked field in the content model
+ *
+ * @see CmsModel.lockedFields
+ *
+ * @category ModelField
+ */
+/**
+ * Cms Model defining an entry.
+ *
+ * @category Database model
+ * @category CmsModel
+ */
+/**
+ * @category ModelField
+ */
+/**
+ * @category Plugin
+ * @category ModelField
+ * @category GraphQL
+ */
+/**
+ * Check for content model locked field.
+ * A custom plugin definable by the user.
+ *
+ * @category CmsModel
+ * @category Plugin
+ */
+/**
+ * @category ModelField
+ */
+/**
+ * A interface describing the reference to a user that created some data in the database.
+ *
+ * @category General
+ */
+/**
+ * Representation of settings database model.
+ *
+ * @category Database model
+ */
+/**
+ * Settings CRUD in context.
+ *
+ * @category Context
+ */
+/**
+ * A GraphQL params.data parameter received when creating content model group.
+ *
+ * @category CmsGroup
+ * @category GraphQL params
+ */
+/**
+ * A GraphQL params.data parameter received when updating content model group.
+ *
+ * @category CmsGroup
+ * @category GraphQL params
+ */
+/**
+ * A representation of content model group in the database.
+ *
+ * @category CmsGroup
+ * @category Database model
+ */
+/**
+ * A data.where parameter received when listing content model groups.
+ *
+ * @category CmsGroup
+ * @category GraphQL params
+ */
+/**
+ * @category CmsGroup
+ * @category Topic
+ */
+/**
+ * @category CmsGroup
+ * @category Topic
+ */
+/**
+ * @category CmsGroup
+ * @category Topic
+ */
+/**
+ * @category CmsGroup
+ * @category Topic
+ */
+/**
+ * @category CmsGroup
+ * @category Topic
+ */
+/**
+ * @category CmsGroup
+ * @category Topic
+ */
+/**
+ * Cms Group in context.
+ *
+ * @category Context
+ * @category CmsGroup
+ */
+/**
+ * Definition for content model field validator.
+ *
+ * @category ModelField
+ * @category FieldValidation
+ */
+/**
+ * A GraphQL params.data parameter received when creating content model.
+ *
+ * @category GraphQL params
+ * @category CmsModel
+ */
+/**
+ * A definition for content model field received from the user.
+ *
+ * Input type for `CmsModelField`.
+ * @see CmsModelField
+ *
+ * @category GraphQL params
+ * @category ModelField
+ */
+/**
+ * A GraphQL params.data parameter received when updating content model.
+ *
+ * @category GraphQL params
+ * @category CmsModel
+ */
+/**
+ * A plugin to load a CmsModelManager.
+ *
+ * @see CmsModelManager
+ *
+ * @category Plugin
+ * @category CmsModel
+ * @category CmsEntry
+ */
+/**
+ * A content entry definition for and from the database.
+ *
+ * @category Database model
+ * @category CmsEntry
+ */
+/**
+ * A definition for content model manager to be used in the code.
+ * The default one uses `CmsEntryContext` methods internally, but devs can change to what every they want.
+ *
+ * @see CmsEntryContext
+ *
+ * @category Context
+ * @category CmsEntry
+ * @category CmsModel
+ */
+/**
+ * Cms Model in the context.
+ *
+ * @category Context
+ * @category CmsModel
+ */
+/**
+ * Available statuses for content entry.
+ *
+ * @category CmsEntry
+ */
+/**
+ * Entry listing where params.
+ *
+ * @category CmsEntry
+ * @category GraphQL params
+ */
+/**
+ * Entry listing sort.
+ *
+ * @category CmsEntry
+ * @category GraphQL params
+ */
+/**
+ * Get entry GraphQL resolver params.
+ *
+ * @category CmsEntry
+ * @category GraphQL params
+ */
+/**
+ * List entries GraphQL resolver params.
+ *
+ * @category CmsEntry
+ * @category GraphQL params
+ */
+/**
+ * Meta information for GraphQL output.
+ *
+ * @category CmsEntry
+ * @category GraphQL output
+ */
+/**
+ * Cms Entry CRUD methods in the context.
+ *
+ * @category Context
+ * @category CmsEntry
+ */
+/**
+ * Parameters for CmsEntryResolverFactory.
+ *
+ * @category GraphQL resolver
+ * @category CmsEntry
+ */
+/**
+ * A type for EntryResolvers. Used when creating get, list, update, publish, ...etc.
+ *
+ * @category GraphQL resolver
+ * @category CmsEntry
+ */
+/**
+ * Settings security permission.
+ *
+ * @category SecurityPermission
+ */
+// eslint-disable-line
+/**
+ * A security permission for content model.
+ *
+ * @category SecurityPermission
+ * @category CmsModel
+ */
+/**
+ * The security permission for content model groups.
+ *
+ * @category SecurityPermission
+ * @category CmsGroup
+ */
+/**
+ * The security permission for content entry.
+ *
+ * @category SecurityPermission
+ * @category CmsEntry
+ */
+/**
+ * Description of the CmsGroup CRUD operations.
+ * If user wants to add another database to the application, this is how it is done.
+ * This is just plain read, update, write, delete and list - no authentication or permission checks.
+ */
+/**
+ * Description of the CmsModel storage operations.
+ * If user wants to add another database to the application, this is how it is done.
+ * This is just plain read, update, write, delete and list - no authentication or permission checks.
+ */
+/**
+ * Description of the CmsModel storage operations.
+ * If user wants to add another database to the application, this is how it is done.
+ * This is just plain read, update, write, delete and list - no authentication or permission checks.
+ *
+ *
+ * @category StorageOperations
+ * @category CmsEntry
+ */
+let CONTENT_ENTRY_STATUS;
+exports.CONTENT_ENTRY_STATUS = CONTENT_ENTRY_STATUS;
+(function (CONTENT_ENTRY_STATUS) {
+  CONTENT_ENTRY_STATUS["DRAFT"] = "draft";
+  CONTENT_ENTRY_STATUS["PUBLISHED"] = "published";
+  CONTENT_ENTRY_STATUS["UNPUBLISHED"] = "unpublished";
+  CONTENT_ENTRY_STATUS["CHANGES_REQUESTED"] = "changesRequested";
+  CONTENT_ENTRY_STATUS["REVIEW_REQUESTED"] = "reviewRequested";
+})(CONTENT_ENTRY_STATUS || (exports.CONTENT_ENTRY_STATUS = CONTENT_ENTRY_STATUS = {}));

package/utils.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import { SecurityPermission } from "@webiny/api-security/types";
+import { CmsModel, CmsContext, CreatedBy, CmsGroupPermission, CmsGroup } from "./types";
+export declare const hasRwd: (permission: any, rwd: any) => any;
+export declare const hasPw: (permission: any, pw: any) => any;
+export declare const checkPermissions: <TPermission extends SecurityPermission = SecurityPermission>(context: CmsContext, name: string, check?: {
+    rwd?: string;
+    pw?: string;
+}) => Promise<TPermission>;
+export declare const checkOwnership: (context: CmsContext, permission: SecurityPermission, record: {
+    createdBy?: CreatedBy;
+    ownedBy?: CreatedBy;
+}) => void;
+export declare const validateOwnership: (context: CmsContext, permission: SecurityPermission, record: {
+    createdBy?: CreatedBy;
+    ownedBy?: CreatedBy;
+}) => boolean;
+/**
+ * model access is checking for both specific model or group access
+ * if permission has specific models set as access pattern then groups will not matter (although both can be set)
+ */
+export declare const checkModelAccess: (context: CmsContext, model: CmsModel) => Promise<void>;
+export declare const validateModelAccess: (context: CmsContext, model: CmsModel) => Promise<boolean>;
+export declare const validateGroupAccess: (context: CmsContext, permission: CmsGroupPermission, group: CmsGroup) => boolean;
+export declare const toSlug: (text: any) => string;
+export declare const filterAsync: <T = Record<string, any>>(items: T[], predicate: (T: any) => Promise<boolean>) => Promise<T[]>;

package/utils.js ADDED Viewed

@@ -0,0 +1,251 @@
+"use strict";
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.validateOwnership = exports.validateModelAccess = exports.validateGroupAccess = exports.toSlug = exports.hasRwd = exports.hasPw = exports.filterAsync = exports.checkPermissions = exports.checkOwnership = exports.checkModelAccess = void 0;
+var _slugify = _interopRequireDefault(require("slugify"));
+var _apiSecurity = require("@webiny/api-security");
+const hasRwd = (permission, rwd) => {
+  if (typeof permission.rwd !== "string") {
+    return true;
+  }
+  return permission.rwd.includes(rwd);
+};
+exports.hasRwd = hasRwd;
+const hasPw = (permission, pw) => {
+  const isCustom = Object.keys(permission).length > 1; // "name" key is always present
+  if (!isCustom) {
+    // Means it's a "full-access" permission.
+    return true;
+  }
+  if (typeof permission.pw !== "string") {
+    return false;
+  }
+  return permission.pw.includes(pw);
+};
+exports.hasPw = hasPw;
+const PW = {
+  r: "request review",
+  c: "request change",
+  p: "publish",
+  u: "unpublish"
+};
+const RWD = {
+  r: "read",
+  w: "write",
+  d: "delete"
+};
+const checkPermissions = async (context, name, check) => {
+  // Check if user is allowed to edit content in current language
+  const contentPermission = await context.security.getPermission("content.i18n");
+  if (!contentPermission) {
+    throw new _apiSecurity.NotAuthorizedError({
+      data: {
+        reason: "Missing access to content in any locale."
+      }
+    });
+  } // We need to check this manually as CMS locale comes from the URL and not the default i18n app.
+  const code = context.cms.getLocale().code; // IMPORTANT: If we have a `contentPermission`, and `locales` key is NOT SET - it means the user has access to all locales.
+  // However, if the the `locales` IS SET - check that it contains the required locale.
+  if (Array.isArray(contentPermission.locales) && !contentPermission.locales.includes(code)) {
+    throw new _apiSecurity.NotAuthorizedError({
+      data: {
+        reason: `Not allowed to access content in "${code}."`
+      }
+    });
+  }
+  const permission = await context.security.getPermission(name);
+  if (!permission) {
+    throw new _apiSecurity.NotAuthorizedError({
+      data: {
+        reason: `Missing permission "${name}".`
+      }
+    });
+  }
+  if (!check) {
+    return permission;
+  }
+  if (check.rwd && !hasRwd(permission, check.rwd)) {
+    throw new _apiSecurity.NotAuthorizedError({
+      data: {
+        reason: `Not allowed to perform "${RWD[check.rwd]}" on "${name}".`
+      }
+    });
+  } // r = request review
+  // c = request change
+  // p = publish
+  // u = unpublish
+  if (check.pw && !hasPw(permission, check.pw)) {
+    throw new _apiSecurity.NotAuthorizedError({
+      data: {
+        reason: `Not allowed to perform "${PW[check.pw]}" on "${name}".`
+      }
+    });
+  }
+  return permission;
+};
+exports.checkPermissions = checkPermissions;
+const checkOwnership = (context, permission, record) => {
+  if (!permission.own) {
+    return;
+  }
+  const identity = context.security.getIdentity();
+  const owner = identity && record["ownedBy"] && record["ownedBy"].id === identity.id;
+  const creator = identity && record["createdBy"] && record["createdBy"].id === identity.id;
+  if (!owner && !creator) {
+    throw new _apiSecurity.NotAuthorizedError({
+      data: {
+        reason: `You are not the owner of the record.`
+      }
+    });
+  }
+};
+exports.checkOwnership = checkOwnership;
+const validateOwnership = (context, permission, record) => {
+  try {
+    checkOwnership(context, permission, record);
+    return true;
+  } catch {
+    return false;
+  }
+};
+/**
+ * model access is checking for both specific model or group access
+ * if permission has specific models set as access pattern then groups will not matter (although both can be set)
+ */
+exports.validateOwnership = validateOwnership;
+const checkModelAccess = async (context, model) => {
+  if (await validateModelAccess(context, model)) {
+    return;
+  }
+  throw new _apiSecurity.NotAuthorizedError({
+    data: {
+      reason: `Not allowed to access model "${model.modelId}".`
+    }
+  });
+};
+exports.checkModelAccess = checkModelAccess;
+const validateModelAccess = async (context, model) => {
+  const modelGroupPermission = await checkPermissions(context, "cms.contentModelGroup", {
+    rwd: "r"
+  });
+  const {
+    groups
+  } = modelGroupPermission;
+  const modelPermission = await checkPermissions(context, "cms.contentModel", {
+    rwd: "r"
+  });
+  const {
+    models
+  } = modelPermission; // when no models or groups defined on permission
+  // it means user has access to everything
+  if (!models && !groups) {
+    return true;
+  }
+  const locale = context.cms.getLocale().code; // Check whether the model is question belongs to "content model groups" for which user has permission.
+  if (groups) {
+    if (Array.isArray(groups[locale]) === false || groups[locale].includes(model.group.id) === false) {
+      return false;
+    }
+  } // Check whether the model is question belongs to "content models" for which user has permission.
+  if (models) {
+    if (Array.isArray(models[locale]) === false || models[locale].includes(model.modelId) === false) {
+      return false;
+    }
+  }
+  return true;
+};
+exports.validateModelAccess = validateModelAccess;
+const validateGroupAccess = (context, permission, group) => {
+  const {
+    groups
+  } = permission; // when no groups defined on permission
+  // it means user has access to everything
+  if (!groups) {
+    return true;
+  }
+  const locale = context.cms.getLocale().code; // when there is no locale in groups, it means that no access was given
+  // this happens when access control was set but no models or groups were added
+  if (Array.isArray(groups[locale]) === false || groups[locale].includes(group.id) === false) {
+    return false;
+  }
+  return true;
+};
+exports.validateGroupAccess = validateGroupAccess;
+const toSlug = text => {
+  return (0, _slugify.default)(text, {
+    replacement: "-",
+    lower: true,
+    remove: /[*#\?<>_\{\}\[\]+~.()'"!:;@]/g
+  });
+};
+exports.toSlug = toSlug;
+const filterAsync = async (items, predicate) => {
+  const filteredItems = [];
+  for (let i = 0; i < items.length; i++) {
+    const item = items[i];
+    const valid = await predicate(item);
+    if (valid) {
+      filteredItems.push(item);
+    }
+  }
+  return filteredItems;
+};
+exports.filterAsync = filterAsync;