strapi/packages/strapi-admin/services/permission/permissions-manager.js

'use strict';

const _ = require('lodash');
const { subject: asSubject } = require('@casl/ability');
const { permittedFieldsOf, rulesToQuery } = require('@casl/ability/extra');
const { VALID_REST_OPERATORS, sanitizeEntity } = require('strapi-utils');

const ops = {
  common: VALID_REST_OPERATORS,
  boolean: ['$or'],
  cleanable: ['$elemMatch'],
};

module.exports = (ability, action, model) => ({
  ability,
  action,
  model,

  get query() {
    return buildStrapiQuery(buildCaslQuery(ability, action, model));
  },

  toSubject(target, subjectType = model) {
    return asSubject(subjectType, target);
  },

  pickPermittedFieldsOf(data, options = {}) {
    return this.sanitize(data, { ...options, isOutput: false });
  },

  sanitize(data, options = {}) {
    const {
      subject = this.toSubject(data),
      action: actionOverride = action,
      withPrivate = true,
      isOutput = true,
    } = options;

    if (_.isArray(data)) {
      return data.map(this.sanitize.bind(this));
    }

    const permittedFields = permittedFieldsOf(ability, actionOverride, subject);

    return sanitizeEntity(data, {
      model: strapi.getModel(model),
      includeFields: _.isEmpty(permittedFields) ? null : permittedFields,
      withPrivate,
      isOutput,
    });
  },
});

const buildCaslQuery = (ability, action, model) => {
  const query = rulesToQuery(ability, action, model, o => o.conditions);
  return query && _.has(query, '$or') ? _.pick(query, '$or') : {};
};

const buildStrapiQuery = caslQuery => {
  const transform = _.flow([flattenDeep, cleanupUnwantedProperties]);
  return transform(caslQuery);
};

const flattenDeep = condition => {
  if (_.isArray(condition)) {
    return _.map(condition, flattenDeep);
  }

  const shouldIgnore = e => !!ops.common.includes(e);
  const shouldPerformTransformation = (v, k) => _.isObject(v) && !_.isArray(v) && !shouldIgnore(k);

  const result = {};
  const set = (key, value) => (result[key] = value);

  const getTransformParams = (prevKey, v, k) =>
    shouldIgnore(k) ? [`${prevKey}_${k.replace('$', '')}`, v] : [`${prevKey}.${k}`, v];

  _.each(condition, (value, key) => {
    if (ops.boolean.includes(key)) {
      set(key.replace('$', '_'), _.map(value, flattenDeep));
    } else if (shouldPerformTransformation(value, key)) {
      _.each(flattenDeep(value), (v, k) => {
        set(...getTransformParams(key, v, k));
      });
    } else {
      set(key, value);
    }
  });

  return result;
};

const cleanupUnwantedProperties = condition => {
  const shouldClean = e => ops.cleanable.find(o => e.includes(`.${o}`));

  return _.reduce(
    condition,
    (acc, value, key) => ({
      ...acc,
      [shouldClean(key) ? key.split(`.${shouldClean(key)}`).join('') : key]: value,
    }),
    {}
  );
};
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`'use strict';`

			`const _ = require('lodash');`
			`const { subject: asSubject } = require('@casl/ability');`
			`const { permittedFieldsOf, rulesToQuery } = require('@casl/ability/extra');`
Add new sanitize-entity.js Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 18:08:21 +02:00			`const { VALID_REST_OPERATORS, sanitizeEntity } = require('strapi-utils');`
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00
Handle $or operation on pm query, better parsing for the query Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 15:44:28 +02:00			`const ops = {`
			`common: VALID_REST_OPERATORS,`
			`boolean: ['$or'],`
			`cleanable: ['$elemMatch'],`
			`};`

Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`module.exports = (ability, action, model) => ({`
			`ability,`
			`action,`
			`model,`

			`get query() {`
			`return buildStrapiQuery(buildCaslQuery(ability, action, model));`
			`},`

			`toSubject(target, subjectType = model) {`
			`return asSubject(subjectType, target);`
			`},`

Better permissions-manager.sanitize behavior Forbid empty arrays as fields for permissions (on ability creation) Differentiate input from output sanitizing Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 13:03:30 +02:00			`pickPermittedFieldsOf(data, options = {}) {`
Add new sanitize-entity.js Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 18:08:21 +02:00			`return this.sanitize(data, { ...options, isOutput: false });`
Better permissions-manager.sanitize behavior Forbid empty arrays as fields for permissions (on ability creation) Differentiate input from output sanitizing Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 13:03:30 +02:00			`},`

Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`sanitize(data, options = {}) {`
Better permissions-manager.sanitize behavior Forbid empty arrays as fields for permissions (on ability creation) Differentiate input from output sanitizing Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 13:03:30 +02:00			`const {`
			`subject = this.toSubject(data),`
			`action: actionOverride = action,`
			`withPrivate = true,`
Add new sanitize-entity.js Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 18:08:21 +02:00			`isOutput = true,`
Better permissions-manager.sanitize behavior Forbid empty arrays as fields for permissions (on ability creation) Differentiate input from output sanitizing Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 13:03:30 +02:00			`} = options;`

			`if (_.isArray(data)) {`
			`return data.map(this.sanitize.bind(this));`
			`}`
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00
			`const permittedFields = permittedFieldsOf(ability, actionOverride, subject);`

Add new sanitize-entity.js Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 18:08:21 +02:00			`return sanitizeEntity(data, {`
			`model: strapi.getModel(model),`
			`includeFields: _.isEmpty(permittedFields) ? null : permittedFields,`
Better permissions-manager.sanitize behavior Forbid empty arrays as fields for permissions (on ability creation) Differentiate input from output sanitizing Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 13:03:30 +02:00			`withPrivate,`
Add new sanitize-entity.js Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 18:08:21 +02:00			`isOutput,`
Better permissions-manager.sanitize behavior Forbid empty arrays as fields for permissions (on ability creation) Differentiate input from output sanitizing Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 13:03:30 +02:00			`});`
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`},`
			`});`

			`const buildCaslQuery = (ability, action, model) => {`
			`const query = rulesToQuery(ability, action, model, o => o.conditions);`
Handle $or operation on pm query, better parsing for the query Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 15:44:28 +02:00			`return query && _.has(query, '$or') ? _.pick(query, '$or') : {};`
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`};`

			`const buildStrapiQuery = caslQuery => {`
Handle $or operation on pm query, better parsing for the query Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 15:44:28 +02:00			`const transform = _.flow([flattenDeep, cleanupUnwantedProperties]);`
			`return transform(caslQuery);`
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`};`

Handle $or operation on pm query, better parsing for the query Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 15:44:28 +02:00			`const flattenDeep = condition => {`
			`if (_.isArray(condition)) {`
			`return _.map(condition, flattenDeep);`
			`}`

			`const shouldIgnore = e => !!ops.common.includes(e);`
			`const shouldPerformTransformation = (v, k) => _.isObject(v) && !_.isArray(v) && !shouldIgnore(k);`

Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`const result = {};`
Handle $or operation on pm query, better parsing for the query Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 15:44:28 +02:00			`const set = (key, value) => (result[key] = value);`

			`const getTransformParams = (prevKey, v, k) =>`
			shouldIgnore(k) ? [`${prevKey}_${k.replace('$', '')}`, v] : [`${prevKey}.${k}`, v];
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00
			`_.each(condition, (value, key) => {`
Handle $or operation on pm query, better parsing for the query Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 15:44:28 +02:00			`if (ops.boolean.includes(key)) {`
			`set(key.replace('$', '_'), _.map(value, flattenDeep));`
			`} else if (shouldPerformTransformation(value, key)) {`
			`_.each(flattenDeep(value), (v, k) => {`
			`set(...getTransformParams(key, v, k));`
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`});`
			`} else {`
Handle $or operation on pm query, better parsing for the query Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 15:44:28 +02:00			`set(key, value);`
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`}`
			`});`

			`return result;`
			`};`

Handle $or operation on pm query, better parsing for the query Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 15:44:28 +02:00			`const cleanupUnwantedProperties = condition => {`
			const shouldClean = e => ops.cleanable.find(o => e.includes(`.${o}`));

			`return _.reduce(`
			`condition,`
			`(acc, value, key) => ({`
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`...acc,`
Handle $or operation on pm query, better parsing for the query Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-01 15:44:28 +02:00			[shouldClean(key) ? key.split(`.${shouldClean(key)}`).join('') : key]: value,
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`}),`
			`{}`
			`);`
			`};`