strapi/packages/plugins/users-permissions/server/services/users-permissions.js

'use strict';

const _ = require('lodash');
const { filter, map, pipe, prop } = require('lodash/fp');
const urlJoin = require('url-join');

const { getService } = require('../utils');

const DEFAULT_PERMISSIONS = [
  { action: 'plugin::users-permissions.auth.callback', roleType: 'public' },
  { action: 'plugin::users-permissions.auth.connect', roleType: 'public' },
  { action: 'plugin::users-permissions.auth.forgotPassword', roleType: 'public' },
  { action: 'plugin::users-permissions.auth.resetPassword', roleType: 'public' },
  { action: 'plugin::users-permissions.auth.register', roleType: 'public' },
  { action: 'plugin::users-permissions.auth.emailConfirmation', roleType: 'public' },
  { action: 'plugin::users-permissions.auth.sendEmailConfirmation', roleType: 'public' },
  { action: 'plugin::users-permissions.user.me', roleType: 'authenticated' },
  { action: 'plugin::users-permissions.auth.changePassword', roleType: 'authenticated' },
];

const transformRoutePrefixFor = (pluginName) => (route) => {
  const prefix = route.config && route.config.prefix;
  const path = prefix !== undefined ? `${prefix}${route.path}` : `/${pluginName}${route.path}`;

  return {
    ...route,
    path,
  };
};

module.exports = ({ strapi }) => ({
  getActions({ defaultEnable = false } = {}) {
    const actionMap = {};

    const isContentApi = (action) => {
      if (!_.has(action, Symbol.for('__type__'))) {
        return false;
      }

      return action[Symbol.for('__type__')].includes('content-api');
    };

    _.forEach(strapi.api, (api, apiName) => {
      const controllers = _.reduce(
        api.controllers,
        (acc, controller, controllerName) => {
          const contentApiActions = _.pickBy(controller, isContentApi);

          if (_.isEmpty(contentApiActions)) {
            return acc;
          }

          acc[controllerName] = _.mapValues(contentApiActions, () => {
            return {
              enabled: defaultEnable,
              policy: '',
            };
          });

          return acc;
        },
        {}
      );

      if (!_.isEmpty(controllers)) {
        actionMap[`api::${apiName}`] = { controllers };
      }
    });

    _.forEach(strapi.plugins, (plugin, pluginName) => {
      const controllers = _.reduce(
        plugin.controllers,
        (acc, controller, controllerName) => {
          const contentApiActions = _.pickBy(controller, isContentApi);

          if (_.isEmpty(contentApiActions)) {
            return acc;
          }

          acc[controllerName] = _.mapValues(contentApiActions, () => {
            return {
              enabled: defaultEnable,
              policy: '',
            };
          });

          return acc;
        },
        {}
      );

      if (!_.isEmpty(controllers)) {
        actionMap[`plugin::${pluginName}`] = { controllers };
      }
    });

    return actionMap;
  },

  async getRoutes() {
    const routesMap = {};

    _.forEach(strapi.api, (api, apiName) => {
      const routes = _.flatMap(api.routes, (route) => {
        if (_.has(route, 'routes')) {
          return route.routes;
        }

        return route;
      }).filter((route) => route.info.type === 'content-api');

      if (routes.length === 0) {
        return;
      }

      const apiPrefix = strapi.config.get('api.rest.prefix');
      routesMap[`api::${apiName}`] = routes.map((route) => ({
        ...route,
        path: urlJoin(apiPrefix, route.path),
      }));
    });

    _.forEach(strapi.plugins, (plugin, pluginName) => {
      const transformPrefix = transformRoutePrefixFor(pluginName);

      const routes = _.flatMap(plugin.routes, (route) => {
        if (_.has(route, 'routes')) {
          return route.routes.map(transformPrefix);
        }

        return transformPrefix(route);
      }).filter((route) => route.info.type === 'content-api');

      if (routes.length === 0) {
        return;
      }

      const apiPrefix = strapi.config.get('api.rest.prefix');
      routesMap[`plugin::${pluginName}`] = routes.map((route) => ({
        ...route,
        path: urlJoin(apiPrefix, route.path),
      }));
    });

    return routesMap;
  },

  async syncPermissions() {
    const roles = await strapi.query('plugin::users-permissions.role').findMany();
    const dbPermissions = await strapi.query('plugin::users-permissions.permission').findMany();

    const permissionsFoundInDB = _.uniq(_.map(dbPermissions, 'action'));

    const appActions = _.flatMap(strapi.api, (api, apiName) => {
      return _.flatMap(api.controllers, (controller, controllerName) => {
        return _.keys(controller).map((actionName) => {
          return `api::${apiName}.${controllerName}.${actionName}`;
        });
      });
    });

    const pluginsActions = _.flatMap(strapi.plugins, (plugin, pluginName) => {
      return _.flatMap(plugin.controllers, (controller, controllerName) => {
        return _.keys(controller).map((actionName) => {
          return `plugin::${pluginName}.${controllerName}.${actionName}`;
        });
      });
    });

    const allActions = [...appActions, ...pluginsActions];

    const toDelete = _.difference(permissionsFoundInDB, allActions);

    await Promise.all(
      toDelete.map((action) => {
        return strapi.query('plugin::users-permissions.permission').delete({ where: { action } });
      })
    );

    if (permissionsFoundInDB.length === 0) {
      // create default permissions
      for (const role of roles) {
        const toCreate = pipe(
          filter(({ roleType }) => roleType === role.type || roleType === null),
          map(prop('action'))
        )(DEFAULT_PERMISSIONS);

        await Promise.all(
          toCreate.map((action) => {
            return strapi.query('plugin::users-permissions.permission').create({
              data: {
                action,
                role: role.id,
              },
            });
          })
        );
      }
    }
  },

  async initialize() {
    const roleCount = await strapi.query('plugin::users-permissions.role').count();

    if (roleCount === 0) {
      await strapi.query('plugin::users-permissions.role').create({
        data: {
          name: 'Authenticated',
          description: 'Default role given to authenticated user.',
          type: 'authenticated',
        },
      });

      await strapi.query('plugin::users-permissions.role').create({
        data: {
          name: 'Public',
          description: 'Default role given to unauthenticated user.',
          type: 'public',
        },
      });
    }

    return getService('users-permissions').syncPermissions();
  },

  async updateUserRole(user, role) {
    return strapi
      .query('plugin::users-permissions.user')
      .update({ where: { id: user.id }, data: { role } });
  },

  template(layout, data) {
    const compiledObject = _.template(layout);
    return compiledObject(data);
  },
});
Generate plugin users-permissions and add it to strapi-packages 2017-11-06 11:14:43 +01:00			`'use strict';`

Change permissions data format 2017-11-16 17:59:41 +01:00			`const _ = require('lodash');`
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`const { filter, map, pipe, prop } = require('lodash/fp');`
fix confirmation url missing the api prefix 2022-01-10 18:11:32 +01:00			`const urlJoin = require('url-join');`
Add some lazy loading 2021-09-03 11:11:37 +02:00
Refactor all query() calls 2021-07-08 18:15:32 +02:00			`const { getService } = require('../utils');`
Generate plugin users-permissions and add it to strapi-packages 2017-11-06 11:14:43 +01:00
rename DEFAULT_PERMISSIONS Signed-off-by: Pierre Noël <pierre.noel@strapi.io> 2020-04-20 12:19:44 +02:00			`const DEFAULT_PERMISSIONS = [`
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`{ action: 'plugin::users-permissions.auth.callback', roleType: 'public' },`
Fix default permissions 2022-07-01 19:58:51 +02:00			`{ action: 'plugin::users-permissions.auth.connect', roleType: 'public' },`
			`{ action: 'plugin::users-permissions.auth.forgotPassword', roleType: 'public' },`
			`{ action: 'plugin::users-permissions.auth.resetPassword', roleType: 'public' },`
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`{ action: 'plugin::users-permissions.auth.register', roleType: 'public' },`
Fix default permissions 2022-07-01 19:58:51 +02:00			`{ action: 'plugin::users-permissions.auth.emailConfirmation', roleType: 'public' },`
			`{ action: 'plugin::users-permissions.auth.sendEmailConfirmation', roleType: 'public' },`
			`{ action: 'plugin::users-permissions.user.me', roleType: 'authenticated' },`
Add tests 2022-08-03 22:43:03 +02:00			`{ action: 'plugin::users-permissions.auth.changePassword', roleType: 'authenticated' },`
fix missing permissions at startup Signed-off-by: Pierre Noël <pierre.noel@strapi.io> 2020-04-15 19:47:55 +02:00			`];`

Prettier and backend fix 2022-08-08 23:33:39 +02:00			`const transformRoutePrefixFor = (pluginName) => (route) => {`
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`const prefix = route.config && route.config.prefix;`
			const path = prefix !== undefined ? `${prefix}${route.path}` : `/${pluginName}${route.path}`;

			`return {`
			`...route,`
			`path,`
			`};`
			`};`

WIP 2021-07-08 11:20:13 +02:00			`module.exports = ({ strapi }) => ({`
Start fixing tests 2021-09-07 21:03:30 +02:00			`getActions({ defaultEnable = false } = {}) {`
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`const actionMap = {};`
Change permissions data format 2017-11-16 17:59:41 +01:00
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`const isContentApi = (action) => {`
Filter action and routes displayed in users-permissions to be in the content-api - Remove legacy getPlugins code 2021-10-08 09:00:33 +02:00			`if (!_.has(action, Symbol.for('__type__'))) {`
			`return false;`
			`}`

			`return action[Symbol.for('__type__')].includes('content-api');`
			`};`

Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`_.forEach(strapi.api, (api, apiName) => {`
Filter action and routes displayed in users-permissions to be in the content-api - Remove legacy getPlugins code 2021-10-08 09:00:33 +02:00			`const controllers = _.reduce(`
			`api.controllers,`
			`(acc, controller, controllerName) => {`
			`const contentApiActions = _.pickBy(controller, isContentApi);`

			`if (_.isEmpty(contentApiActions)) {`
			`return acc;`
			`}`

			`acc[controllerName] = _.mapValues(contentApiActions, () => {`
			`return {`
			`enabled: defaultEnable,`
			`policy: '',`
			`};`
			`});`
Fix design and generatePermissions service 2017-11-17 12:14:12 +01:00
Filter action and routes displayed in users-permissions to be in the content-api - Remove legacy getPlugins code 2021-10-08 09:00:33 +02:00			`return acc;`
			`},`
			`{}`
			`);`

			`if (!_.isEmpty(controllers)) {`
			actionMap[`api::${apiName}`] = { controllers };
			`}`
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`});`
Fix design and generatePermissions service 2017-11-17 12:14:12 +01:00
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`_.forEach(strapi.plugins, (plugin, pluginName) => {`
Filter action and routes displayed in users-permissions to be in the content-api - Remove legacy getPlugins code 2021-10-08 09:00:33 +02:00			`const controllers = _.reduce(`
			`plugin.controllers,`
			`(acc, controller, controllerName) => {`
			`const contentApiActions = _.pickBy(controller, isContentApi);`

			`if (_.isEmpty(contentApiActions)) {`
			`return acc;`
			`}`
Change permissions data format 2017-11-16 17:59:41 +01:00
Filter action and routes displayed in users-permissions to be in the content-api - Remove legacy getPlugins code 2021-10-08 09:00:33 +02:00			`acc[controllerName] = _.mapValues(contentApiActions, () => {`
			`return {`
			`enabled: defaultEnable,`
			`policy: '',`
			`};`
			`});`

			`return acc;`
			`},`
			`{}`
			`);`

			`if (!_.isEmpty(controllers)) {`
			actionMap[`plugin::${pluginName}`] = { controllers };
			`}`
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`});`
Change permissions data format 2017-11-16 17:59:41 +01:00
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`return actionMap;`
Algo diff between objects 2017-11-17 16:36:57 +01:00			`},`
Write roles.sjon file 2017-11-17 14:22:59 +01:00
Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`async getRoutes() {`
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`const routesMap = {};`
Fix get routes u&p 2021-09-03 23:45:53 +02:00
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`_.forEach(strapi.api, (api, apiName) => {`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`const routes = _.flatMap(api.routes, (route) => {`
Fix get routes u&p 2021-09-03 23:45:53 +02:00			`if (_.has(route, 'routes')) {`
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`return route.routes;`
Fix get routes u&p 2021-09-03 23:45:53 +02:00			`}`
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00
			`return route;`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`}).filter((route) => route.info.type === 'content-api');`
Add handler to get the plugins routes 2017-11-30 16:34:43 +01:00
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`if (routes.length === 0) {`
			`return;`
			`}`

fix confirmation url missing the api prefix 2022-01-10 18:11:32 +01:00			`const apiPrefix = strapi.config.get('api.rest.prefix');`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			routesMap[`api::${apiName}`] = routes.map((route) => ({
Prefix route in U&P with /api 2021-09-24 09:55:01 +02:00			`...route,`
fix confirmation url missing the api prefix 2022-01-10 18:11:32 +01:00			`path: urlJoin(apiPrefix, route.path),`
Prefix route in U&P with /api 2021-09-24 09:55:01 +02:00			`}));`
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`});`
Merge branch 'develop' into features/media-lib Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-03-02 15:18:08 +01:00
Fix get routes u&p 2021-09-03 23:45:53 +02:00			`_.forEach(strapi.plugins, (plugin, pluginName) => {`
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`const transformPrefix = transformRoutePrefixFor(pluginName);`
Merge branch 'develop' into features/media-lib Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-03-02 15:18:08 +01:00
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`const routes = _.flatMap(plugin.routes, (route) => {`
Fix get routes u&p 2021-09-03 23:45:53 +02:00			`if (_.has(route, 'routes')) {`
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`return route.routes.map(transformPrefix);`
Fix get routes u&p 2021-09-03 23:45:53 +02:00			`}`
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00
			`return transformPrefix(route);`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`}).filter((route) => route.info.type === 'content-api');`
Fix get routes u&p 2021-09-03 23:45:53 +02:00
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`if (routes.length === 0) {`
			`return;`
			`}`

fix confirmation url missing the api prefix 2022-01-10 18:11:32 +01:00			`const apiPrefix = strapi.config.get('api.rest.prefix');`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			routesMap[`plugin::${pluginName}`] = routes.map((route) => ({
Prefix route in U&P with /api 2021-09-24 09:55:01 +02:00			`...route,`
fix confirmation url missing the api prefix 2022-01-10 18:11:32 +01:00			`path: urlJoin(apiPrefix, route.path),`
Prefix route in U&P with /api 2021-09-24 09:55:01 +02:00			`}));`
Fix get routes u&p 2021-09-03 23:45:53 +02:00			`});`
Add apiRoutes and fix feedback PR 2017-12-07 18:16:18 +01:00
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`return routesMap;`
Add handler to get the plugins routes 2017-11-30 16:34:43 +01:00			`},`

Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`async syncPermissions() {`
refactor with module approach 2021-08-06 18:09:49 +02:00			`const roles = await strapi.query('plugin::users-permissions.role').findMany();`
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`const dbPermissions = await strapi.query('plugin::users-permissions.permission').findMany();`
Refactor all query() calls 2021-07-08 18:15:32 +02:00
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`const permissionsFoundInDB = _.uniq(_.map(dbPermissions, 'action'));`
Merge branch 'develop' into features/media-lib Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-03-02 15:18:08 +01:00
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`const appActions = _.flatMap(strapi.api, (api, apiName) => {`
			`return _.flatMap(api.controllers, (controller, controllerName) => {`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`return _.keys(controller).map((actionName) => {`
Fixing invalid action name on restart because of lowercasing 2021-09-24 12:23:02 +02:00			return `api::${apiName}.${controllerName}.${actionName}`;
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`});`
Merge branch 'develop' into features/media-lib Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-03-02 15:18:08 +01:00			`});`
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`});`
Algo diff between objects 2017-11-17 16:36:57 +01:00
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`const pluginsActions = _.flatMap(strapi.plugins, (plugin, pluginName) => {`
			`return _.flatMap(plugin.controllers, (controller, controllerName) => {`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`return _.keys(controller).map((actionName) => {`
Fixing invalid action name on restart because of lowercasing 2021-09-24 12:23:02 +02:00			return `plugin::${pluginName}.${controllerName}.${actionName}`;
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`});`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`});`
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`});`
Fix roles.json bug 2017-12-07 10:16:36 +01:00
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`const allActions = [...appActions, ...pluginsActions];`
Refactor all query() calls 2021-07-08 18:15:32 +02:00
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`const toDelete = _.difference(permissionsFoundInDB, allActions);`
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`await Promise.all(`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`toDelete.map((action) => {`
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`return strapi.query('plugin::users-permissions.permission').delete({ where: { action } });`
			`})`
			`);`
Remove email update of admin during test that break next tests Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-18 20:39:39 +02:00
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`if (permissionsFoundInDB.length === 0) {`
			`// create default permissions`
			`for (const role of roles) {`
			`const toCreate = pipe(`
			`filter(({ roleType }) => roleType === role.type \|\| roleType === null),`
			`map(prop('action'))`
			`)(DEFAULT_PERMISSIONS);`

			`await Promise.all(`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`toCreate.map((action) => {`
Refactor u-p permission syntax 2021-09-06 22:33:55 +02:00			`return strapi.query('plugin::users-permissions.permission').create({`
			`data: {`
			`action,`
			`role: role.id,`
			`},`
			`});`
			`})`
			`);`
			`}`
Write roles.sjon file 2017-11-17 14:22:59 +01:00			`}`
Algo diff between objects 2017-11-17 16:36:57 +01:00			`},`
Write roles.sjon file 2017-11-17 14:22:59 +01:00
make boostrap functions async only 2019-08-12 15:35:40 +02:00			`async initialize() {`
refactor with module approach 2021-08-06 18:09:49 +02:00			`const roleCount = await strapi.query('plugin::users-permissions.role').count();`
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00
fix missing permissions at startup Signed-off-by: Pierre Noël <pierre.noel@strapi.io> 2020-04-15 19:47:55 +02:00			`if (roleCount === 0) {`
refactor with module approach 2021-08-06 18:09:49 +02:00			`await strapi.query('plugin::users-permissions.role').create({`
Refactor all query() calls 2021-07-08 18:15:32 +02:00			`data: {`
			`name: 'Authenticated',`
			`description: 'Default role given to authenticated user.',`
			`type: 'authenticated',`
			`},`
fix missing permissions at startup Signed-off-by: Pierre Noël <pierre.noel@strapi.io> 2020-04-15 19:47:55 +02:00			`});`
Fix user-permissions bootstrap issue Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-01-16 11:41:07 +01:00
refactor with module approach 2021-08-06 18:09:49 +02:00			`await strapi.query('plugin::users-permissions.role').create({`
Refactor all query() calls 2021-07-08 18:15:32 +02:00			`data: {`
			`name: 'Public',`
			`description: 'Default role given to unauthenticated user.',`
			`type: 'public',`
			`},`
fix missing permissions at startup Signed-off-by: Pierre Noël <pierre.noel@strapi.io> 2020-04-15 19:47:55 +02:00			`});`
			`}`
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00
Make new format compatible with old permissions format in u&p 2021-09-07 12:26:01 +02:00			`return getService('users-permissions').syncPermissions();`
Handle update role 2017-11-27 17:50:51 +01:00			`},`

Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`async updateUserRole(user, role) {`
Refactor all query() calls 2021-07-08 18:15:32 +02:00			`return strapi`
refactor with module approach 2021-08-06 18:09:49 +02:00			`.query('plugin::users-permissions.user')`
Refactor all query() calls 2021-07-08 18:15:32 +02:00			`.update({ where: { id: user.id }, data: { role } });`
Fix roles.json bug 2017-12-07 10:16:36 +01:00			`},`

Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`template(layout, data) {`
User service to template email 2018-01-25 08:38:46 +01:00			`const compiledObject = _.template(layout);`
			`return compiledObject(data);`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`},`
WIP 2021-07-08 11:20:13 +02:00			`});`