strapi/packages/plugins/users-permissions/server/controllers/user.js

'use strict';

/**
 * User.js controller
 *
 * @description: A set of functions called "actions" for managing `User`.
 */

const _ = require('lodash');
const utils = require('@strapi/utils');
const { getService } = require('../utils');
const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');

const { sanitize } = utils;
const { ApplicationError, ValidationError } = utils.errors;

const sanitizeOutput = (user, ctx) => {
  const schema = strapi.getModel('plugin::users-permissions.user');
  const { auth } = ctx.state;

  return sanitize.contentAPI.output(user, schema, { auth });
};

module.exports = {
  /**
   * Create a/an user record.
   * @return {Object}
   */
  async create(ctx) {
    const advanced = await strapi
      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
      .get();

    await validateCreateUserBody(ctx.request.body);

    const { email, username, role } = ctx.request.body;

    const userWithSameUsername = await strapi
      .query('plugin::users-permissions.user')
      .findOne({ where: { username } });

    if (userWithSameUsername) {
      if (!email) throw new ApplicationError('Username already taken');
    }

    if (advanced.unique_email) {
      const userWithSameEmail = await strapi
        .query('plugin::users-permissions.user')
        .findOne({ where: { email: email.toLowerCase() } });

      if (userWithSameEmail) {
        throw new ApplicationError('Email already taken');
      }
    }

    const user = {
      ...ctx.request.body,
      provider: 'local',
    };

    user.email = _.toLower(user.email);

    if (!role) {
      const defaultRole = await strapi
        .query('plugin::users-permissions.role')
        .findOne({ where: { type: advanced.default_role } });

      user.role = defaultRole.id;
    }

    try {
      const data = await getService('user').add(user);
      const sanitizedData = await sanitizeOutput(data, ctx);

      ctx.created(sanitizedData);
    } catch (error) {
      throw new ApplicationError(error.message);
    }
  },

  /**
   * Update a/an user record.
   * @return {Object}
   */
  async update(ctx) {
    const advancedConfigs = await strapi
      .store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })
      .get();

    const { id } = ctx.params;
    const { email, username, password } = ctx.request.body;

    const user = await getService('user').fetch({ id });

    await validateUpdateUserBody(ctx.request.body);

    if (user.provider === 'local' && _.has(ctx.request.body, 'password') && !password) {
      throw new ValidationError('password.notNull');
    }

    if (_.has(ctx.request.body, 'username')) {
      const userWithSameUsername = await strapi
        .query('plugin::users-permissions.user')
        .findOne({ where: { username } });

      if (userWithSameUsername && userWithSameUsername.id != id) {
        throw new ApplicationError('Username already taken');
      }
    }

    if (_.has(ctx.request.body, 'email') && advancedConfigs.unique_email) {
      const userWithSameEmail = await strapi
        .query('plugin::users-permissions.user')
        .findOne({ where: { email: email.toLowerCase() } });

      if (userWithSameEmail && userWithSameEmail.id != id) {
        throw new ApplicationError('Email already taken');
      }
      ctx.request.body.email = ctx.request.body.email.toLowerCase();
    }

    let updateData = {
      ...ctx.request.body,
    };

    const data = await getService('user').edit({ id }, updateData);
    const sanitizedData = await sanitizeOutput(data, ctx);

    ctx.send(sanitizedData);
  },

  /**
   * Retrieve user records.
   * @return {Object|Array}
   */
  async find(ctx, next, { populate } = {}) {
    const users = await getService('user').fetchAll(ctx.query, populate);

    ctx.body = await Promise.all(users.map(user => sanitizeOutput(user, ctx)));
  },

  /**
   * Retrieve a user record.
   * @return {Object}
   */
  async findOne(ctx) {
    const { id } = ctx.params;
    let data = await getService('user').fetch({ id });

    if (data) {
      data = await sanitizeOutput(data, ctx);
    }

    ctx.body = data;
  },

  /**
   * Retrieve user count.
   * @return {Number}
   */
  async count(ctx) {
    ctx.body = await getService('user').count(ctx.query);
  },

  /**
   * Destroy a/an user record.
   * @return {Object}
   */
  async destroy(ctx) {
    const { id } = ctx.params;

    const data = await getService('user').remove({ id });
    const sanitizedUser = await sanitizeOutput(data, ctx);

    ctx.send(sanitizedUser);
  },

  /**
   * Retrieve authenticated user.
   * @return {Object|Array}
   */
  async me(ctx) {
    const user = ctx.state.user;

    if (!user) {
      return ctx.unauthorized();
    }

    ctx.body = await sanitizeOutput(user, ctx);
  },
};
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`'use strict';`

			`/**`
			`* User.js controller`
			`*`
			* @description: A set of functions called "actions" for managing `User`.
			`*/`

Fix user update encrypted password 2017-12-04 15:35:45 +01:00			`const _ = require('lodash');`
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`const utils = require('@strapi/utils');`
Refactor all query() calls 2021-07-08 18:15:32 +02:00			`const { getService } = require('../utils');`
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');`
sanitize user model data 2019-09-12 10:50:52 +02:00
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`const { sanitize } = utils;`
			`const { ApplicationError, ValidationError } = utils.errors;`
Fix user update encrypted password 2017-12-04 15:35:45 +01:00
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`const sanitizeOutput = (user, ctx) => {`
			`const schema = strapi.getModel('plugin::users-permissions.user');`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`const { auth } = ctx.state;`

Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`return sanitize.contentAPI.output(user, schema, { auth });`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`};`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00			`module.exports = {`
			`/**`
			`* Create a/an user record.`
			`* @return {Object}`
			`*/`
			`async create(ctx) {`
			`const advanced = await strapi`
			`.store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })`
			`.get();`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`await validateCreateUserBody(ctx.request.body);`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`const { email, username, role } = ctx.request.body;`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00			`const userWithSameUsername = await strapi`
			`.query('plugin::users-permissions.user')`
			`.findOne({ where: { username } });`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00			`if (userWithSameUsername) {`
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`if (!email) throw new ApplicationError('Username already taken');`
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00			`}`

			`if (advanced.unique_email) {`
			`const userWithSameEmail = await strapi`
			`.query('plugin::users-permissions.user')`
			`.findOne({ where: { email: email.toLowerCase() } });`

			`if (userWithSameEmail) {`
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`throw new ApplicationError('Email already taken');`
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00			`}`
			`}`

			`const user = {`
			`...ctx.request.body,`
			`provider: 'local',`
			`};`

			`user.email = _.toLower(user.email);`

			`if (!role) {`
			`const defaultRole = await strapi`
			`.query('plugin::users-permissions.role')`
			`.findOne({ where: { type: advanced.default_role } });`

			`user.role = defaultRole.id;`
			`}`

			`try {`
			`const data = await getService('user').add(user);`
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`const sanitizedData = await sanitizeOutput(data, ctx);`
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`ctx.created(sanitizedData);`
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00			`} catch (error) {`
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`throw new ApplicationError(error.message);`
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00			`}`
			`},`

			`/**`
			`* Update a/an user record.`
			`* @return {Object}`
			`*/`
			`async update(ctx) {`
			`const advancedConfigs = await strapi`
			`.store({ type: 'plugin', name: 'users-permissions', key: 'advanced' })`
			`.get();`

			`const { id } = ctx.params;`
			`const { email, username, password } = ctx.request.body;`

			`const user = await getService('user').fetch({ id });`

Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`await validateUpdateUserBody(ctx.request.body);`
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`if (user.provider === 'local' && _.has(ctx.request.body, 'password') && !password) {`
			`throw new ValidationError('password.notNull');`
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00			`}`

			`if (_.has(ctx.request.body, 'username')) {`
			`const userWithSameUsername = await strapi`
			`.query('plugin::users-permissions.user')`
			`.findOne({ where: { username } });`

			`if (userWithSameUsername && userWithSameUsername.id != id) {`
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`throw new ApplicationError('Username already taken');`
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00			`}`
			`}`

			`if (_.has(ctx.request.body, 'email') && advancedConfigs.unique_email) {`
			`const userWithSameEmail = await strapi`
			`.query('plugin::users-permissions.user')`
			`.findOne({ where: { email: email.toLowerCase() } });`

			`if (userWithSameEmail && userWithSameEmail.id != id) {`
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`throw new ApplicationError('Email already taken');`
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00			`}`
			`ctx.request.body.email = ctx.request.body.email.toLowerCase();`
			`}`

			`let updateData = {`
			`...ctx.request.body,`
			`};`

			`const data = await getService('user').edit({ id }, updateData);`
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`const sanitizedData = await sanitizeOutput(data, ctx);`
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`ctx.send(sanitizedData);`
Fix users-permissions user controllers permissions 2021-11-04 15:18:09 +01:00			`},`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`/**`
			`* Retrieve user records.`
			`* @return {Object\|Array}`
			`*/`
Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`async find(ctx, next, { populate } = {}) {`
Fix search 2021-07-28 21:03:32 +02:00			`const users = await getService('user').fetchAll(ctx.query, populate);`
Add _q param to GET /users 2019-05-21 16:18:18 +02:00
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`ctx.body = await Promise.all(users.map(user => sanitizeOutput(user, ctx)));`
added user count Signed-off-by: Walter Cossu <walter.cossu@realt.it> 2020-04-17 17:33:21 +02:00			`},`

Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`/**`
			`* Retrieve a user record.`
			`* @return {Object}`
			`*/`
Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`async findOne(ctx) {`
Fix user update and boolean values in DB 2019-07-16 16:26:53 +02:00			`const { id } = ctx.params;`
Use getService 2021-07-08 22:07:52 +02:00			`let data = await getService('user').fetch({ id });`
Remove password and token from fetchable data USER API / AUTH 2017-12-06 14:15:27 +01:00
			`if (data) {`
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`data = await sanitizeOutput(data, ctx);`
Remove password and token from fetchable data USER API / AUTH 2017-12-06 14:15:27 +01:00			`}`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`ctx.body = data;`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`},`

			`/**`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`* Retrieve user count.`
			`* @return {Number}`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`*/`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`async count(ctx) {`
Refactor all query() calls 2021-07-08 18:15:32 +02:00			`ctx.body = await getService('user').count(ctx.query);`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`},`

			`/**`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`* Destroy a/an user record.`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`* @return {Object}`
			`*/`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`async destroy(ctx) {`
Fix user update and boolean values in DB 2019-07-16 16:26:53 +02:00			`const { id } = ctx.params;`
Refactor all query() calls 2021-07-08 18:15:32 +02:00
			`const data = await getService('user').remove({ id });`
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`const sanitizedUser = await sanitizeOutput(data, ctx);`
Refactor all query() calls 2021-07-08 18:15:32 +02:00
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`ctx.send(sanitizedUser);`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`},`
Fix user update and boolean values in DB 2019-07-16 16:26:53 +02:00
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`/**`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`* Retrieve authenticated user.`
			`* @return {Object\|Array}`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`*/`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`async me(ctx) {`
			`const user = ctx.state.user;`
Handle delete many with models from users-permissions 2018-06-06 16:20:52 +02:00
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`if (!user) {`
refactor error handling 2021-10-20 17:30:05 +02:00			`return ctx.unauthorized();`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`}`
Handle delete many with models from users-permissions 2018-06-06 16:20:52 +02:00
Merge branch 'releases/v4' of github.com:strapi/strapi into v4/up-resolvers-picker-fix 2021-11-09 18:38:20 +01:00			`ctx.body = await sanitizeOutput(user, ctx);`
Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`},`
Init user models and fix api prefix 2017-11-14 11:11:22 +01:00			`};`