@webiny/api-headless-cms 0.0.0-unstable.c2780f51fe → 0.0.0-unstable.c7dec08bb0

package/crud/contentEntry.crud.js

@@ -7,31 +7,26 @@ Object.defineProperty(exports, "__esModule", {
 exports.createContentEntryCrud = exports.STATUS_UNPUBLISHED = exports.STATUS_PUBLISHED = exports.STATUS_DRAFT = void 0;
 var _objectSpread2 = _interopRequireDefault(require("@babel/runtime/helpers/objectSpread2"));
 var _merge = _interopRequireDefault(require("lodash/merge"));
-var _mdbid = _interopRequireDefault(require("mdbid"));
+var _utils = require("@webiny/utils");
 var _error = _interopRequireDefault(require("@webiny/error"));
 var _handlerGraphql = require("@webiny/handler-graphql");
+var _types = require("../types");
 var _entryDataValidation = require("./contentEntry/entryDataValidation");
 var _pubsub = require("@webiny/pubsub");
 var _beforeCreate = require("./contentEntry/beforeCreate");
 var _beforeUpdate = require("./contentEntry/beforeUpdate");
-var _utils = require("@webiny/utils");
 var _afterDelete = require("./contentEntry/afterDelete");
 var _referenceFieldsMapping = require("./contentEntry/referenceFieldsMapping");
-var _permissions = require("../utils/permissions");
-var _access = require("../utils/access");
-var _ownership = require("../utils/ownership");
 var _entryStorage = require("../utils/entryStorage");
 var _searchableFields = require("./contentEntry/searchableFields");
-/**
- * Package mdbid does not have types.
- */
-// @ts-ignore
-
-const STATUS_DRAFT = "draft";
+var _filterAsync = require("../utils/filterAsync");
+var _apiSecurity = require("@webiny/api-security/");
+var _constants = require("../constants");
+const STATUS_DRAFT = _types.CONTENT_ENTRY_STATUS.DRAFT;
 exports.STATUS_DRAFT = STATUS_DRAFT;
-const STATUS_PUBLISHED = "published";
+const STATUS_PUBLISHED = _types.CONTENT_ENTRY_STATUS.PUBLISHED;
 exports.STATUS_PUBLISHED = STATUS_PUBLISHED;
-const STATUS_UNPUBLISHED = "unpublished";
+const STATUS_UNPUBLISHED = _types.CONTENT_ENTRY_STATUS.UNPUBLISHED;
 exports.STATUS_UNPUBLISHED = STATUS_UNPUBLISHED;
 /**
  * Used for some fields to convert their values.
@@ -133,7 +128,7 @@ const createEntryMeta = (input, original) => {
   return (0, _utils.removeUndefinedValues)((0, _utils.removeNullValues)(meta));
 };
 const createEntryId = input => {
-  let entryId = (0, _mdbid.default)();
+  let entryId = (0, _utils.mdbid)();
   if (input.id) {
     if (input.id.match(/^([a-zA-Z0-9])([a-zA-Z0-9\-]+)([a-zA-Z0-9])$/) === null) {
       throw new _error.default("The provided ID is not valid. It must be a string which can be A-Z, a-z, 0-9, - and it cannot start or end with a -.", "INVALID_ID", {
@@ -175,9 +170,19 @@ const allowedEntryStatus = ["draft", "published", "unpublished"];
 const transformEntryStatus = status => {
   return allowedEntryStatus.includes(status) ? status : "draft";
 };
+const createSort = sort => {
+  if (!Array.isArray(sort)) {
+    return ["createdOn_DESC"];
+  } else if (sort.filter(s => !!s).length === 0) {
+    return ["createdOn_DESC"];
+  }
+  return sort;
+};
 const createContentEntryCrud = params => {
   const {
     storageOperations,
+    entriesPermissions,
+    modelsPermissions,
     context,
     getIdentity,
     getTenant,
@@ -247,6 +252,12 @@ const createContentEntryCrud = params => {
   const onEntryRevisionBeforeDelete = (0, _pubsub.createTopic)("cms.onEntryRevisionBeforeDelete");
   const onEntryRevisionAfterDelete = (0, _pubsub.createTopic)("cms.onEntryRevisionAfterDelete");
   const onEntryRevisionDeleteError = (0, _pubsub.createTopic)("cms.onEntryRevisionDeleteError");
+  /**
+   * Delete multiple entries
+   */
+  const onEntryBeforeDeleteMultiple = (0, _pubsub.createTopic)("cms.onEntryBeforeDeleteMultiple");
+  const onEntryAfterDeleteMultiple = (0, _pubsub.createTopic)("cms.onEntryAfterDeleteMultiple");
+  const onEntryDeleteMultipleError = (0, _pubsub.createTopic)("cms.onEntryDeleteMultipleError");
 
   /**
    * Get entry
@@ -273,9 +284,6 @@ const createContentEntryCrud = params => {
     context,
     onEntryAfterDelete
   });
-  const checkEntryPermissions = check => {
-    return (0, _permissions.checkPermissions)(context, "cms.contentEntry", check);
-  };
 
   /**
    * A helper to delete the entire entry.
@@ -315,14 +323,23 @@ const createContentEntryCrud = params => {
    */
   const getEntriesByIds = async (model, ids) => {
     return context.benchmark.measure("headlessCms.crud.entries.getEntriesByIds", async () => {
-      const permission = await checkEntryPermissions({
+      await entriesPermissions.ensure({
         rwd: "r"
       });
-      await (0, _access.checkModelAccess)(context, model);
+      await modelsPermissions.ensureCanAccessModel({
+        model,
+        locale: getLocale().code
+      });
       const entries = await storageOperations.entries.getByIds(model, {
         ids
       });
-      return entries.filter(entry => (0, _ownership.validateOwnership)(context, permission, entry));
+      return (0, _filterAsync.filterAsync)(entries, async entry => {
+        return entriesPermissions.ensure({
+          owns: entry.createdBy
+        }, {
+          throw: false
+        });
+      });
     });
   };
   const getEntryById = async (model, id) => {
@@ -340,27 +357,45 @@ const createContentEntryCrud = params => {
     return entry;
   };
   const getPublishedEntriesByIds = async (model, ids) => {
-    const permission = await checkEntryPermissions({
+    await entriesPermissions.ensure({
       rwd: "r"
     });
-    await (0, _access.checkModelAccess)(context, model);
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
+    });
     const entries = await storageOperations.entries.getPublishedByIds(model, {
       ids
     });
-    return entries.filter(entry => (0, _ownership.validateOwnership)(context, permission, entry));
+    return (0, _filterAsync.filterAsync)(entries, async entry => {
+      return entriesPermissions.ensure({
+        owns: entry.createdBy
+      }, {
+        throw: false
+      });
+    });
   };
   const getLatestEntriesByIds = async (model, ids) => {
-    const permission = await checkEntryPermissions({
+    await entriesPermissions.ensure({
       rwd: "r"
     });
-    await (0, _access.checkModelAccess)(context, model);
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
+    });
     const entries = await storageOperations.entries.getLatestByIds(model, {
       ids
     });
-    return entries.filter(entry => (0, _ownership.validateOwnership)(context, permission, entry));
+    return (0, _filterAsync.filterAsync)(entries, async entry => {
+      return entriesPermissions.ensure({
+        owns: entry.createdBy
+      }, {
+        throw: false
+      });
+    });
   };
   const getEntry = async (model, params) => {
-    await checkEntryPermissions({
+    await entriesPermissions.ensure({
       rwd: "r"
     });
     const {
@@ -388,27 +423,35 @@ const createContentEntryCrud = params => {
     });
   };
   const listEntries = async (model, params) => {
-    const permission = await checkEntryPermissions({
-      rwd: "r"
+    try {
+      await entriesPermissions.ensure({
+        rwd: "r"
+      });
+    } catch {
+      throw new _apiSecurity.NotAuthorizedError({
+        data: {
+          reason: 'Not allowed to perform "read" on "cms.contentEntry".'
+        }
+      });
+    }
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
     });
-    await (0, _access.checkModelAccess)(context, model);
     const {
       where: initialWhere,
       limit: initialLimit
     } = params;
     const limit = initialLimit && initialLimit > 0 ? initialLimit : 50;
-    /**
-     * We always assign tenant and locale because we do not allow one model to have content through multiple tenants.
-     */
     const where = (0, _objectSpread2.default)({}, initialWhere);
     /**
      * Possibly only get records which are owned by current user.
      * Or if searching for the owner set that value - in the case that user can see other entries than their own.
      */
-    const ownedBy = permission.own ? getIdentity().id : where.ownedBy;
-    if (ownedBy !== undefined) {
-      where.ownedBy = ownedBy;
+    if (await entriesPermissions.canAccessOnlyOwnRecords()) {
+      where.ownedBy = getIdentity().id;
     }
+
     /**
      * Where must contain either latest or published keys.
      * We cannot list entries without one of those
@@ -438,6 +481,7 @@ const createContentEntryCrud = params => {
         cursor,
         items
       } = await storageOperations.entries.list(model, (0, _objectSpread2.default)((0, _objectSpread2.default)({}, params), {}, {
+        sort: createSort(params.sort),
         limit,
         where,
         fields
@@ -466,10 +510,14 @@ const createContentEntryCrud = params => {
     }
   };
   const createEntry = async (model, inputData) => {
-    await checkEntryPermissions({
+    var _inputData$wbyAco_loc;
+    await entriesPermissions.ensure({
       rwd: "w"
     });
-    await (0, _access.checkModelAccess)(context, model);
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
+    });
 
     /**
      * Make sure we only work with fields that are defined in the model.
@@ -512,7 +560,10 @@ const createContentEntryCrud = params => {
       version,
       locked: false,
       status: STATUS_DRAFT,
-      values: input
+      values: input,
+      location: {
+        folderId: ((_inputData$wbyAco_loc = inputData.wbyAco_location) === null || _inputData$wbyAco_loc === void 0 ? void 0 : _inputData$wbyAco_loc.folderId) || _constants.ROOT_FOLDER
+      }
     };
     let storageEntry = null;
     try {
@@ -549,10 +600,13 @@ const createContentEntryCrud = params => {
     }
   };
   const createEntryRevisionFrom = async (model, sourceId, inputData) => {
-    const permission = await checkEntryPermissions({
+    await entriesPermissions.ensure({
       rwd: "w"
     });
-    await (0, _access.checkModelAccess)(context, model);
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
+    });
 
     /**
      * Make sure we only work with fields that are defined in the model.
@@ -592,7 +646,9 @@ const createContentEntryCrud = params => {
       input: initialValues,
       validateEntries: false
     });
-    (0, _ownership.checkOwnership)(context, permission, originalEntry);
+    await entriesPermissions.ensure({
+      owns: originalEntry.createdBy
+    });
     const identity = getIdentity();
     const latestId = latestStorageEntry ? latestStorageEntry.id : sourceId;
     const {
@@ -654,10 +710,14 @@ const createContentEntryCrud = params => {
     }
   };
   const updateEntry = async (model, id, inputData, metaInput) => {
-    const permission = await checkEntryPermissions({
+    var _inputData$wbyAco_loc2;
+    await entriesPermissions.ensure({
       rwd: "w"
     });
-    await (0, _access.checkModelAccess)(context, model);
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
+    });
 
     /**
      * Make sure we only work with fields that are defined in the model.
@@ -683,7 +743,9 @@ const createContentEntryCrud = params => {
       data: input,
       entry: originalEntry
     });
-    (0, _ownership.checkOwnership)(context, permission, originalEntry);
+    await entriesPermissions.ensure({
+      owns: originalEntry.createdBy
+    });
     const initialValues = (0, _objectSpread2.default)((0, _objectSpread2.default)({}, originalEntry.values), input);
     const values = await (0, _referenceFieldsMapping.referenceFieldsMapping)({
       context,
@@ -705,6 +767,12 @@ const createContentEntryCrud = params => {
       meta,
       status: transformEntryStatus(originalEntry.status)
     });
+    const folderId = (_inputData$wbyAco_loc2 = inputData.wbyAco_location) === null || _inputData$wbyAco_loc2 === void 0 ? void 0 : _inputData$wbyAco_loc2.folderId;
+    if (folderId) {
+      entry.location = {
+        folderId
+      };
+    }
     let storageEntry = null;
     try {
       await onEntryBeforeUpdate.publish({
@@ -743,10 +811,14 @@ const createContentEntryCrud = params => {
     }
   };
   const republishEntry = async (model, id) => {
-    await checkEntryPermissions({
+    await entriesPermissions.ensure({
       rwd: "w"
     });
-    await (0, _access.checkModelAccess)(context, model);
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
+    });
+
     /**
      * Fetch the entry from the storage.
      */
@@ -821,10 +893,13 @@ const createContentEntryCrud = params => {
     }
   };
   const deleteEntryRevision = async (model, revisionId) => {
-    const permission = await checkEntryPermissions({
+    await entriesPermissions.ensure({
       rwd: "d"
     });
-    await (0, _access.checkModelAccess)(context, model);
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
+    });
     const {
       id: entryId,
       version
@@ -842,7 +917,9 @@ const createContentEntryCrud = params => {
     if (!storageEntryToDelete) {
       throw new _handlerGraphql.NotFoundError(`Entry "${revisionId}" was not found!`);
     }
-    (0, _ownership.checkOwnership)(context, permission, storageEntryToDelete);
+    await entriesPermissions.ensure({
+      owns: storageEntryToDelete.createdBy
+    });
     const latestEntryRevisionId = latestStorageEntry ? latestStorageEntry.id : null;
     const entryToDelete = await (0, _entryStorage.entryFromStorageTransform)(context, model, storageEntryToDelete);
     /**
@@ -894,18 +971,124 @@ const createContentEntryCrud = params => {
       });
     }
   };
-  const deleteEntry = async (model, entryId) => {
-    const permission = await checkEntryPermissions({
+  const deleteMultipleEntries = async (model, params) => {
+    const {
+      entries: input
+    } = params;
+    const maxDeletableEntries = 50;
+    const entryIdList = new Set();
+    for (const id of input) {
+      const {
+        id: entryId
+      } = (0, _utils.parseIdentifier)(id);
+      entryIdList.add(entryId);
+    }
+    const ids = Array.from(entryIdList);
+    if (ids.length > maxDeletableEntries) {
+      throw new _error.default("Cannot delete more than 50 entries at once.", "DELETE_ENTRIES_MAX", {
+        entries: ids
+      });
+    }
+    await entriesPermissions.ensure({
+      rwd: "d"
+    });
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
+    });
+    const {
+      items: entries
+    } = await storageOperations.entries.list(model, {
+      where: {
+        latest: true,
+        entryId_in: ids
+      },
+      limit: maxDeletableEntries + 1
+    });
+    /**
+     * We do not want to allow deleting entries that user does not own or cannot access.
+     */
+    const items = (await (0, _filterAsync.filterAsync)(entries, async entry => {
+      return entriesPermissions.ensure({
+        owns: entry.createdBy
+      }, {
+        throw: false
+      });
+    })).map(entry => entry.id);
+    try {
+      await onEntryBeforeDeleteMultiple.publish({
+        entries,
+        ids,
+        model
+      });
+      await storageOperations.entries.deleteMultipleEntries(model, {
+        entries: items
+      });
+      await onEntryAfterDeleteMultiple.publish({
+        entries,
+        ids,
+        model
+      });
+      return items.map(id => {
+        return {
+          id
+        };
+      });
+    } catch (ex) {
+      await onEntryDeleteMultipleError.publish({
+        entries,
+        ids,
+        model,
+        error: ex
+      });
+      throw new _error.default(ex.message, ex.code || "DELETE_ENTRIES_MULTIPLE_ERROR", {
+        error: ex,
+        entries
+      });
+    }
+  };
+  const deleteEntry = async (model, id, options) => {
+    await entriesPermissions.ensure({
       rwd: "d"
     });
-    await (0, _access.checkModelAccess)(context, model);
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
+    });
+    const {
+      force
+    } = options || {};
     const storageEntry = await storageOperations.entries.getLatestRevisionByEntryId(model, {
-      id: entryId
+      id
     });
-    if (!storageEntry) {
-      throw new _handlerGraphql.NotFoundError(`Entry "${entryId}" was not found!`);
+    /**
+     * If there is no entry, and we do not force the deletion, just throw an error.
+     */
+    if (!storageEntry && !force) {
+      throw new _handlerGraphql.NotFoundError(`Entry "${id}" was not found!`);
+    }
+    /**
+     * In the case we are forcing the deletion, we do not need the storageEntry to exist as it might be an error when loading single database record.
+     *
+     * This happens, sometimes, in the Elasticsearch system as the entry might get deleted from the DynamoDB but not from the Elasticsearch.
+     * This is due to high load on the Elasticsearch at the time of the deletion.
+     */
+    //
+    else if (!storageEntry && force) {
+      const {
+        id: entryId
+      } = (0, _utils.parseIdentifier)(id);
+      return await deleteEntryHelper({
+        model,
+        entry: {
+          id,
+          entryId
+        }
+      });
     }
-    (0, _ownership.checkOwnership)(context, permission, storageEntry);
+    await entriesPermissions.ensure({
+      owns: storageEntry.createdBy
+    });
     const entry = await (0, _entryStorage.entryFromStorageTransform)(context, model, storageEntry);
     return await deleteEntryHelper({
       model,
@@ -913,17 +1096,22 @@ const createContentEntryCrud = params => {
     });
   };
   const publishEntry = async (model, id) => {
-    const permission = await checkEntryPermissions({
+    await entriesPermissions.ensure({
       pw: "p"
     });
-    await (0, _access.checkModelAccess)(context, model);
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
+    });
     const originalStorageEntry = await storageOperations.entries.getRevisionById(model, {
       id
     });
     if (!originalStorageEntry) {
       throw new _handlerGraphql.NotFoundError(`Entry "${id}" in the model "${model.modelId}" was not found.`);
     }
-    (0, _ownership.checkOwnership)(context, permission, originalStorageEntry);
+    await entriesPermissions.ensure({
+      owns: originalStorageEntry.createdBy
+    });
     const originalEntry = await (0, _entryStorage.entryFromStorageTransform)(context, model, originalStorageEntry);
     const currentDate = new Date().toISOString();
     const entry = (0, _objectSpread2.default)((0, _objectSpread2.default)({}, originalEntry), {}, {
@@ -965,7 +1153,7 @@ const createContentEntryCrud = params => {
     }
   };
   const unpublishEntry = async (model, id) => {
-    const permission = await checkEntryPermissions({
+    await entriesPermissions.ensure({
       pw: "u"
     });
     const {
@@ -982,7 +1170,9 @@ const createContentEntryCrud = params => {
         entry: originalStorageEntry
       });
     }
-    (0, _ownership.checkOwnership)(context, permission, originalStorageEntry);
+    await entriesPermissions.ensure({
+      owns: originalStorageEntry.createdBy
+    });
     const originalEntry = await (0, _entryStorage.entryFromStorageTransform)(context, model, originalStorageEntry);
     const entry = (0, _objectSpread2.default)((0, _objectSpread2.default)({}, originalEntry), {}, {
       status: STATUS_UNPUBLISHED
@@ -1018,6 +1208,71 @@ const createContentEntryCrud = params => {
       });
     }
   };
+  const getUniqueFieldValues = async (model, params) => {
+    await entriesPermissions.ensure({
+      rwd: "r"
+    });
+    await modelsPermissions.ensureCanAccessModel({
+      model,
+      locale: getLocale().code
+    });
+    const {
+      where: initialWhere,
+      fieldId
+    } = params;
+    const where = (0, _objectSpread2.default)({}, initialWhere);
+    /**
+     * Possibly only get records which are owned by current user.
+     * Or if searching for the owner set that value - in the case that user can see other entries than their own.
+     */
+    if (await entriesPermissions.canAccessOnlyOwnRecords()) {
+      where.ownedBy = getIdentity().id;
+    }
+
+    /**
+     * Where must contain either latest or published keys.
+     * We cannot list entries without one of those
+     */
+    if (where.latest && where.published) {
+      throw new _error.default("Cannot list entries that are both published and latest.", "LIST_ENTRIES_ERROR", {
+        where
+      });
+    } else if (!where.latest && !where.published) {
+      throw new _error.default("Cannot list entries if we do not have latest or published defined.", "LIST_ENTRIES_ERROR", {
+        where
+      });
+    }
+    /**
+     * We need to verify that the field in question is searchable.
+     */
+    const fields = (0, _searchableFields.getSearchableFields)({
+      fields: model.fields,
+      plugins: context.plugins,
+      input: []
+    });
+    if (!fields.includes(fieldId)) {
+      throw new _error.default("Cannot list unique entry field values if the field is not searchable.", "LIST_UNIQUE_ENTRY_VALUES_ERROR", {
+        fieldId
+      });
+    }
+    try {
+      return await storageOperations.entries.getUniqueFieldValues(model, {
+        where,
+        fieldId
+      });
+    } catch (ex) {
+      throw new _error.default("Error while fetching unique entry values from storage.", "LIST_UNIQUE_ENTRY_VALUES_ERROR", {
+        error: {
+          message: ex.message,
+          code: ex.code,
+          data: ex.data
+        },
+        model,
+        where,
+        fieldId
+      });
+    }
+  };
   return {
     /**
      * Deprecated - will be removed in 5.35.0
@@ -1192,9 +1447,14 @@ const createContentEntryCrud = params => {
         return deleteEntryRevision(model, id);
       });
     },
-    async deleteEntry(model, entryId) {
+    async deleteEntry(model, entryId, options) {
       return context.benchmark.measure("headlessCms.crud.entries.deleteEntry", async () => {
-        return deleteEntry(model, entryId);
+        return deleteEntry(model, entryId, options);
+      });
+    },
+    async deleteMultipleEntries(model, ids) {
+      return context.benchmark.measure("headlessCms.crud.entries.deleteMultipleEntries", async () => {
+        return deleteMultipleEntries(model, ids);
       });
     },
     async publishEntry(model, id) {
@@ -1206,6 +1466,11 @@ const createContentEntryCrud = params => {
       return context.benchmark.measure("headlessCms.crud.entries.unpublishEntry", async () => {
         return unpublishEntry(model, id);
       });
+    },
+    async getUniqueFieldValues(model, params) {
+      return context.benchmark.measure("headlessCms.crud.entries.getUniqueFieldValues", async () => {
+        return getUniqueFieldValues(model, params);
+      });
     }
   };
 };