strapi/packages/strapi-admin/services/permission.js

'use strict';

const _ = require('lodash');
const pmap = require('p-map');
const { createPermission } = require('../domain/permission');
const { validatePermissionsExist } = require('../validation/permission');
const createPermissionsManager = require('./permission/permissions-manager');
const createConditionProvider = require('./permission/condition-provider');
const createPermissionEngine = require('./permission/engine');
const actionProvider = require('./permission/action-provider');

const conditionProvider = createConditionProvider();
const engine = createPermissionEngine(conditionProvider);

const fieldsToCompare = ['action', 'subject', 'fields', 'conditions'];
const getPermissionWithSortedFields = perm => {
  const sortedPerm = _.cloneDeep(perm);
  if (Array.isArray(sortedPerm.fields)) {
    sortedPerm.fields.sort();
  }
  return sortedPerm;
};
const arePermissionsEqual = (perm1, perm2) =>
  _.isEqual(
    _.pick(getPermissionWithSortedFields(perm1), fieldsToCompare),
    _.pick(getPermissionWithSortedFields(perm2), fieldsToCompare)
  );

/**
 * Removes unwanted fields from a permission
 * @param permission
 * @returns {*}
 */
const sanitizePermission = perm => ({
  ..._.pick(perm, ['id', 'action', 'subject', 'fields']),
  conditions: strapi.admin.services.condition.removeUnkownConditionIds(perm.conditions),
});

/**
 * Delete permissions of roles in database
 * @param rolesIds ids of roles
 * @returns {Promise<array>}
 */
const deleteByRolesIds = rolesIds => {
  return strapi.query('permission', 'admin').delete({ role_in: rolesIds });
};

/**
 * Delete permissions
 * @param ids ids of permissions
 * @returns {Promise<array>}
 */
const deleteByIds = ids => {
  return strapi.query('permission', 'admin').delete({ id_in: ids });
};

/**
 * Find assigned permissions in the database
 * @param params query params to find the permissions
 * @returns {Promise<array<Object>>}
 */
const find = (params = {}) => {
  return strapi.query('permission', 'admin').find(params, []);
};

/**
 * Assign permissions to a role
 * @param {string|int} roleId - role ID
 * @param {Array<Permission{action,subject,fields,conditions}>} permissions - permissions to assign to the role
 */
const assign = async (roleId, permissions = []) => {
  try {
    await validatePermissionsExist(permissions);
  } catch (err) {
    throw strapi.errors.badRequest('ValidationError', err);
  }

  const permissionsWithRole = permissions.map(permission =>
    createPermission({
      ...permission,
      conditions: strapi.admin.services.condition.removeUnkownConditionIds(permission.conditions),
      role: roleId,
    })
  );

  const existingPermissions = await find({ role: roleId, _limit: -1 });
  const permissionsToAdd = _.differenceWith(
    permissionsWithRole,
    existingPermissions,
    arePermissionsEqual
  );
  const permissionsToDelete = _.differenceWith(
    existingPermissions,
    permissionsWithRole,
    arePermissionsEqual
  );
  const permissionsToReturn = _.differenceBy(existingPermissions, permissionsToDelete, 'id');

  if (permissionsToDelete.length > 0) {
    await deleteByIds(permissionsToDelete.map(p => p.id));
  }
  if (permissionsToAdd.length > 0) {
    const createdPermissions = await strapi
      .query('permission', 'admin')
      .createMany(permissionsToAdd);
    permissionsToReturn.push(...createdPermissions.map(p => ({ ...p, role: p.role.id })));
  }

  return permissionsToReturn;
};

/**
 * Find all permissions for a user
 * @param roles
 * @returns {Promise<*[]|*>}
 */
const findUserPermissions = async ({ roles }) => {
  if (!_.isArray(roles)) {
    return [];
  }

  return strapi
    .query('permission', 'admin')
    .find({ role_in: roles.map(_.property('id')), _limit: -1 });
};

/**
 * Removes permissions in database that don't exist anymore
 * @returns {Promise<>}
 */
const cleanPermissionInDatabase = async () => {
  const pageSize = 200;
  let page = 0;
  let total = 1;

  while (page * pageSize < total) {
    // First, delete permission that don't exist anymore
    page += 1;
    const res = await strapi.query('permission', 'admin').findPage({ page, pageSize }, []);
    total = res.pagination.total;

    const dbPermissions = res.results;
    const allActionsMap = actionProvider.getAllByMap();
    const permissionsToRemoveIds = dbPermissions.reduce((idsToDelete, perm) => {
      if (
        !allActionsMap.has(perm.action) ||
        (Array.isArray(allActionsMap.get(perm.action).subjects) &&
          !allActionsMap.get(perm.action).subjects.includes(perm.subject))
      ) {
        idsToDelete.push(perm.id);
      }
      return idsToDelete;
    }, []);

    const deletePromise = deleteByIds(permissionsToRemoveIds);

    // Second, clean fields of permissions (add required ones, remove the non-existing anymore ones)
    const permissionsInDb = dbPermissions.filter(perm => !permissionsToRemoveIds.includes(perm.id));
    const permissionsWithCleanFields = strapi.admin.services['content-type'].cleanPermissionFields(
      permissionsInDb,
      {
        fieldsNullFor: ['plugins::content-manager.explorer.delete'],
      }
    );

    // Update only the ones that need to be updated
    const permissionsNeedingToBeUpdated = _.differenceWith(
      permissionsWithCleanFields,
      permissionsInDb,
      (a, b) => a.id === b.id && _.xor(a.fields, b.fields).length === 0
    );
    const promiseProvider = perm =>
      strapi.query('permission', 'admin').update({ id: perm.id }, perm);

    //Update the database
    await Promise.all([
      deletePromise,
      pmap(permissionsNeedingToBeUpdated, promiseProvider, {
        concurrency: 100,
        stopOnError: true,
      }),
    ]);
  }
};

/**
 * Reset super admin permissions (giving it all permissions)
 * @returns {Promise<>}
 */
const resetSuperAdminPermissions = async () => {
  const superAdminRole = await strapi.admin.services.role.getSuperAdmin();
  if (!superAdminRole) {
    return;
  }

  const allActions = strapi.admin.services.permission.actionProvider.getAll();
  const contentTypesActions = allActions.filter(a => a.section === 'contentTypes');

  const permissions = strapi.admin.services['content-type'].getPermissionsWithNestedFields(
    contentTypesActions,
    {
      fieldsNullFor: ['plugins::content-manager.explorer.delete'],
    }
  );

  const otherActions = allActions.filter(a => a.section !== 'contentTypes');
  otherActions.forEach(action => {
    if (action.subjects) {
      const newPerms = action.subjects.map(subject =>
        createPermission({ action: action.actionId, subject })
      );
      permissions.push(...newPerms);
    } else {
      permissions.push(createPermission({ action: action.actionId }));
    }
  });

  await assign(superAdminRole.id, permissions);
};

module.exports = {
  find,
  deleteByRolesIds,
  deleteByIds,
  assign,
  sanitizePermission,
  findUserPermissions,
  actionProvider,
  createPermissionsManager,
  engine,
  conditionProvider,
  cleanPermissionInDatabase,
  resetSuperAdminPermissions,
};
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-05-29 17:23:42 +02:00			`'use strict';`

Add /admin/users/me/permissions route (+ findUserPermissions & sanitizePermission) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-11 10:54:26 +02:00			`const _ = require('lodash');`
clean permissions fields in DB at startup Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-07-01 19:11:04 +02:00			`const pmap = require('p-map');`
Add domain model for permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 13:02:06 +02:00			`const { createPermission } = require('../domain/permission');`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`const { validatePermissionsExist } = require('../validation/permission');`
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`const createPermissionsManager = require('./permission/permissions-manager');`
Add Condition Provider & Permissions Engine 2020-06-09 19:00:57 +02:00			`const createConditionProvider = require('./permission/condition-provider');`
			`const createPermissionEngine = require('./permission/engine');`
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`const actionProvider = require('./permission/action-provider');`
Add Condition Provider & Permissions Engine 2020-06-09 19:00:57 +02:00
Fix pr comments Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-16 11:13:01 +02:00			`const conditionProvider = createConditionProvider();`
Add Condition Provider & Permissions Engine 2020-06-09 19:00:57 +02:00			`const engine = createPermissionEngine(conditionProvider);`
Add domain model for permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 13:02:06 +02:00
fourth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-22 13:00:21 +02:00			`const fieldsToCompare = ['action', 'subject', 'fields', 'conditions'];`
fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`const getPermissionWithSortedFields = perm => {`
			`const sortedPerm = _.cloneDeep(perm);`
			`if (Array.isArray(sortedPerm.fields)) {`
			`sortedPerm.fields.sort();`
			`}`
			`return sortedPerm;`
			`};`
fourth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-22 13:00:21 +02:00			`const arePermissionsEqual = (perm1, perm2) =>`
fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`_.isEqual(`
			`_.pick(getPermissionWithSortedFields(perm1), fieldsToCompare),`
			`_.pick(getPermissionWithSortedFields(perm2), fieldsToCompare)`
			`);`
fourth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-22 13:00:21 +02:00
clean conditions at get and update Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-07-20 17:40:01 +02:00			`/**`
			`* Removes unwanted fields from a permission`
			`* @param permission`
			`* @returns {*}`
			`*/`
			`const sanitizePermission = perm => ({`
			`..._.pick(perm, ['id', 'action', 'subject', 'fields']),`
			`conditions: strapi.admin.services.condition.removeUnkownConditionIds(perm.conditions),`
			`});`

refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-05-29 17:23:42 +02:00			`/**`
			`* Delete permissions of roles in database`
clean permissions in db at startup Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-08 15:13:26 +02:00			`* @param rolesIds ids of roles`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-05-29 17:23:42 +02:00			`* @returns {Promise<array>}`
			`*/`
add tests + make role decription optional + refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-05-29 11:09:17 +02:00			`const deleteByRolesIds = rolesIds => {`
			`return strapi.query('permission', 'admin').delete({ role_in: rolesIds });`
			`};`

clean permissions in db at startup Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-08 15:13:26 +02:00			`/**`
			`* Delete permissions`
			`* @param ids ids of permissions`
			`* @returns {Promise<array>}`
			`*/`
			`const deleteByIds = ids => {`
			`return strapi.query('permission', 'admin').delete({ id_in: ids });`
			`};`

Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`/**`
			`* Find assigned permissions in the database`
			`* @param params query params to find the permissions`
			`* @returns {Promise<array<Object>>}`
			`*/`
			`const find = (params = {}) => {`
			`return strapi.query('permission', 'admin').find(params, []);`
			`};`

			`/**`
Apply PR feedbacks Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-06-01 11:00:00 +02:00			`* Assign permissions to a role`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`* @param {string\|int} roleId - role ID`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`* @param {Array<Permission{action,subject,fields,conditions}>} permissions - permissions to assign to the role`
			`*/`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`const assign = async (roleId, permissions = []) => {`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`try {`
			`await validatePermissionsExist(permissions);`
			`} catch (err) {`
			`throw strapi.errors.badRequest('ValidationError', err);`
add route GET /admin/permissions Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-04 18:30:26 +02:00			`}`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00
fourth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-22 13:00:21 +02:00			`const permissionsWithRole = permissions.map(permission =>`
clean conditions at get and update Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-07-20 17:40:01 +02:00			`createPermission({`
			`...permission,`
			`conditions: strapi.admin.services.condition.removeUnkownConditionIds(permission.conditions),`
			`role: roleId,`
			`})`
fourth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-22 13:00:21 +02:00			`);`

			`const existingPermissions = await find({ role: roleId, _limit: -1 });`
			`const permissionsToAdd = _.differenceWith(`
			`permissionsWithRole,`
			`existingPermissions,`
			`arePermissionsEqual`
			`);`
			`const permissionsToDelete = _.differenceWith(`
			`existingPermissions,`
			`permissionsWithRole,`
			`arePermissionsEqual`
			`);`
fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`const permissionsToReturn = _.differenceBy(existingPermissions, permissionsToDelete, 'id');`
fourth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-22 13:00:21 +02:00
			`if (permissionsToDelete.length > 0) {`
			`await deleteByIds(permissionsToDelete.map(p => p.id));`
			`}`
			`if (permissionsToAdd.length > 0) {`
fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`const createdPermissions = await strapi`
			`.query('permission', 'admin')`
			`.createMany(permissionsToAdd);`
			`permissionsToReturn.push(...createdPermissions.map(p => ({ ...p, role: p.role.id })));`
fourth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-22 13:00:21 +02:00			`}`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00
fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`return permissionsToReturn;`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`};`

Fix pr comments (add doc, simplify engine code, add async test condition) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-12 10:28:14 +02:00			`/**`
			`* Find all permissions for a user`
			`* @param roles`
			`* @returns {Promise<[]\|>}`
			`*/`
Add /admin/users/me/permissions route (+ findUserPermissions & sanitizePermission) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-11 10:54:26 +02:00			`const findUserPermissions = async ({ roles }) => {`
			`if (!_.isArray(roles)) {`
			`return [];`
			`}`

fourth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-22 13:00:21 +02:00			`return strapi`
			`.query('permission', 'admin')`
			`.find({ role_in: roles.map(_.property('id')), _limit: -1 });`
Add /admin/users/me/permissions route (+ findUserPermissions & sanitizePermission) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-11 10:54:26 +02:00			`};`

fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`/**`
			`* Removes permissions in database that don't exist anymore`
move function from bootstrap to service Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-24 14:09:43 +02:00			`* @returns {Promise<>}`
fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`*/`
			`const cleanPermissionInDatabase = async () => {`
clean permissions fields in DB at startup Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-07-01 19:11:04 +02:00			`const pageSize = 200;`
			`let page = 0;`
			`let total = 1;`

			`while (page * pageSize < total) {`
			`// First, delete permission that don't exist anymore`
			`page += 1;`
			`const res = await strapi.query('permission', 'admin').findPage({ page, pageSize }, []);`
			`total = res.pagination.total;`

			`const dbPermissions = res.results;`
			`const allActionsMap = actionProvider.getAllByMap();`
			`const permissionsToRemoveIds = dbPermissions.reduce((idsToDelete, perm) => {`
			`if (`
			`!allActionsMap.has(perm.action) \|\|`
			`(Array.isArray(allActionsMap.get(perm.action).subjects) &&`
			`!allActionsMap.get(perm.action).subjects.includes(perm.subject))`
			`) {`
			`idsToDelete.push(perm.id);`
			`}`
			`return idsToDelete;`
			`}, []);`

			`const deletePromise = deleteByIds(permissionsToRemoveIds);`

			`// Second, clean fields of permissions (add required ones, remove the non-existing anymore ones)`
			`const permissionsInDb = dbPermissions.filter(perm => !permissionsToRemoveIds.includes(perm.id));`
			`const permissionsWithCleanFields = strapi.admin.services['content-type'].cleanPermissionFields(`
			`permissionsInDb,`
			`{`
			`fieldsNullFor: ['plugins::content-manager.explorer.delete'],`
			`}`
			`);`

			`// Update only the ones that need to be updated`
			`const permissionsNeedingToBeUpdated = _.differenceWith(`
			`permissionsWithCleanFields,`
			`permissionsInDb,`
			`(a, b) => a.id === b.id && _.xor(a.fields, b.fields).length === 0`
			`);`
			`const promiseProvider = perm =>`
			`strapi.query('permission', 'admin').update({ id: perm.id }, perm);`

			`//Update the database`
			`await Promise.all([`
			`deletePromise,`
			`pmap(permissionsNeedingToBeUpdated, promiseProvider, {`
			`concurrency: 100,`
			`stopOnError: true,`
			`}),`
			`]);`
			`}`
fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`};`

move function from bootstrap to service Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-24 14:09:43 +02:00			`/**`
			`* Reset super admin permissions (giving it all permissions)`
			`* @returns {Promise<>}`
			`*/`
			`const resetSuperAdminPermissions = async () => {`
			`const superAdminRole = await strapi.admin.services.role.getSuperAdmin();`
			`if (!superAdminRole) {`
			`return;`
			`}`

			`const allActions = strapi.admin.services.permission.actionProvider.getAll();`
			`const contentTypesActions = allActions.filter(a => a.section === 'contentTypes');`

Make default permission use up to 15 level of nesting Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-06-29 16:33:44 +02:00			`const permissions = strapi.admin.services['content-type'].getPermissionsWithNestedFields(`
			`contentTypesActions,`
			`{`
			`fieldsNullFor: ['plugins::content-manager.explorer.delete'],`
			`}`
			`);`
move function from bootstrap to service Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-24 14:09:43 +02:00
			`const otherActions = allActions.filter(a => a.section !== 'contentTypes');`
			`otherActions.forEach(action => {`
			`if (action.subjects) {`
			`const newPerms = action.subjects.map(subject =>`
			`createPermission({ action: action.actionId, subject })`
			`);`
			`permissions.push(...newPerms);`
			`} else {`
			`permissions.push(createPermission({ action: action.actionId }));`
			`}`
			`});`

			`await assign(superAdminRole.id, permissions);`
			`};`

add tests + make role decription optional + refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-05-29 11:09:17 +02:00			`module.exports = {`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`find,`
add tests + make role decription optional + refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-05-29 11:09:17 +02:00			`deleteByRolesIds,`
clean permissions in db at startup Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-08 15:13:26 +02:00			`deleteByIds,`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`assign,`
Add /admin/users/me/permissions route (+ findUserPermissions & sanitizePermission) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-11 10:54:26 +02:00			`sanitizePermission,`
			`findUserPermissions,`
Add Condition Provider & Permissions Engine 2020-06-09 19:00:57 +02:00			`actionProvider,`
Add permissions to the content-manager routes Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-29 16:32:14 +02:00			`createPermissionsManager,`
Add Condition Provider & Permissions Engine 2020-06-09 19:00:57 +02:00			`engine,`
			`conditionProvider,`
fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`cleanPermissionInDatabase,`
move function from bootstrap to service Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-24 14:09:43 +02:00			`resetSuperAdminPermissions,`
add tests + make role decription optional + refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-05-29 11:09:17 +02:00			`};`