strapi/packages/strapi-admin/services/permission/permissions-manager/index.js

'use strict';

const _ = require('lodash');
const { subject: asSubject } = require('@casl/ability');
const { permittedFieldsOf } = require('@casl/ability/extra');
const {
  sanitizeEntity,
  contentTypes: { constants },
} = require('strapi-utils');
const { buildStrapiQuery, buildCaslQuery } = require('./query-builers');

module.exports = (ability, action, model) => ({
  ability,
  action,
  model,

  get query() {
    return buildStrapiQuery(buildCaslQuery(ability, action, model));
  },

  get isAllowed() {
    return this.ability.can(action, model);
  },

  toSubject(target, subjectType = model) {
    return asSubject(subjectType, target);
  },

  pickPermittedFieldsOf(data, options = {}) {
    return this.sanitize(data, { ...options, isOutput: false });
  },

  queryFrom(query) {
    return {
      ...query,
      _where: query._where ? _.concat(this.query, query._where) : [this.query],
    };
  },

  sanitize(data, options = {}) {
    const {
      subject = this.toSubject(data),
      action: actionOverride = action,
      withPrivate = true,
      isOutput = true,
    } = options;

    if (_.isArray(data)) {
      return data.map(entity => this.sanitize(entity, { action, withPrivate, isOutput }));
    }

    const permittedFields = permittedFieldsOf(ability, actionOverride, subject);
    const hasAtLeastOneRegisteredField = _.some(
      _.flatMap(ability.rulesFor(actionOverride, subject), 'fields')
    );
    const shouldIncludeAllFields = _.isEmpty(permittedFields) && !hasAtLeastOneRegisteredField;

    const sanitizedEntity = sanitizeEntity(data, {
      model: strapi.getModel(model),
      includeFields: shouldIncludeAllFields ? null : permittedFields,
      withPrivate,
      isOutput,
    });

    return _.omit(sanitizedEntity, [
      `${constants.CREATED_BY_ATTRIBUTE}.roles`,
      `${constants.UPDATED_BY_ATTRIBUTE}.roles`,
    ]);
  },
});
Add tests for strapi-admin/services (especially on /permissions/). Some bug fixes on the permissions-manager Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-16 11:39:35 +02:00			`'use strict';`

			`const _ = require('lodash');`
			`const { subject: asSubject } = require('@casl/ability');`
			`const { permittedFieldsOf } = require('@casl/ability/extra');`
Fix "has same role as author" condition not working properly (#8202) * Fix "has same role as author" condition not working properly Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Use creators constants Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Add e2e test for default conditions, fix conditions on mongoose Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Fix tests in CE Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-10-08 19:50:39 +02:00			`const {`
			`sanitizeEntity,`
			`contentTypes: { constants },`
			`} = require('strapi-utils');`
Add tests for strapi-admin/services (especially on /permissions/). Some bug fixes on the permissions-manager Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-16 11:39:35 +02:00			`const { buildStrapiQuery, buildCaslQuery } = require('./query-builers');`

			`module.exports = (ability, action, model) => ({`
			`ability,`
			`action,`
			`model,`

			`get query() {`
			`return buildStrapiQuery(buildCaslQuery(ability, action, model));`
			`},`

			`get isAllowed() {`
			`return this.ability.can(action, model);`
			`},`

			`toSubject(target, subjectType = model) {`
			`return asSubject(subjectType, target);`
			`},`

			`pickPermittedFieldsOf(data, options = {}) {`
			`return this.sanitize(data, { ...options, isOutput: false });`
			`},`

			`queryFrom(query) {`
			`return {`
			`...query,`
			`_where: query._where ? _.concat(this.query, query._where) : [this.query],`
			`};`
			`},`

			`sanitize(data, options = {}) {`
			`const {`
			`subject = this.toSubject(data),`
			`action: actionOverride = action,`
			`withPrivate = true,`
			`isOutput = true,`
			`} = options;`

			`if (_.isArray(data)) {`
Hide creator fields from public api by default (#8052) * Add model option to hide/show creators fields in public API response Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Add content-types util, rework sanitize-entity's private handling Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Update search e2e tests, fix an issue on empty search for the core-api controller (find) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Fix GraphQL plugin (handle privates attributes on typeDefs + resolver builds) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Fix sanitizeEntity import Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Move doc update from beta to stable Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Fix e2e test Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Fix pr comments Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Remove creator's field from upload controller routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Fix typedef build for graphql association Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Fix pr (comments + several issues) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Add tests for search behavior in content-manager Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Rename files variables to meaningful names (upload controllers) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Fix test with search id matching serialNumber Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> * Add toHasBeenCalledWith check for config.get (utils/content-types.test.js) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> Co-authored-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-01 17:47:08 +02:00			`return data.map(entity => this.sanitize(entity, { action, withPrivate, isOutput }));`
Add tests for strapi-admin/services (especially on /permissions/). Some bug fixes on the permissions-manager Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-16 11:39:35 +02:00			`}`

			`const permittedFields = permittedFieldsOf(ability, actionOverride, subject);`
			`const hasAtLeastOneRegisteredField = _.some(`
Make better use of flatMap for hasAtLeastOneRegisteredField condition Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-17 12:00:51 +02:00			`_.flatMap(ability.rulesFor(actionOverride, subject), 'fields')`
Add tests for strapi-admin/services (especially on /permissions/). Some bug fixes on the permissions-manager Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-16 11:39:35 +02:00			`);`
			`const shouldIncludeAllFields = _.isEmpty(permittedFields) && !hasAtLeastOneRegisteredField;`

Fix "has same role as author" condition not working properly (#8202) * Fix "has same role as author" condition not working properly Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Use creators constants Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Add e2e test for default conditions, fix conditions on mongoose Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Fix tests in CE Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-10-08 19:50:39 +02:00			`const sanitizedEntity = sanitizeEntity(data, {`
Add tests for strapi-admin/services (especially on /permissions/). Some bug fixes on the permissions-manager Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-16 11:39:35 +02:00			`model: strapi.getModel(model),`
			`includeFields: shouldIncludeAllFields ? null : permittedFields,`
			`withPrivate,`
			`isOutput,`
			`});`
Fix "has same role as author" condition not working properly (#8202) * Fix "has same role as author" condition not working properly Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Use creators constants Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Add e2e test for default conditions, fix conditions on mongoose Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Fix tests in CE Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-10-08 19:50:39 +02:00
			`return _.omit(sanitizedEntity, [`
			`${constants.CREATED_BY_ATTRIBUTE}.roles`,
			`${constants.UPDATED_BY_ATTRIBUTE}.roles`,
			`]);`
Add tests for strapi-admin/services (especially on /permissions/). Some bug fixes on the permissions-manager Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-16 11:39:35 +02:00			`},`
			`});`