2020-07-06 16:25:25 +02:00
|
|
|
'use strict';
|
|
|
|
|
|
|
|
const _ = require('lodash');
|
2021-04-29 13:51:12 +02:00
|
|
|
const { contentTypes: contentTypesUtils } = require('@strapi/utils');
|
2020-08-18 17:09:21 +02:00
|
|
|
|
2021-07-08 18:15:32 +02:00
|
|
|
const { getService } = require('../../utils');
|
|
|
|
|
2020-08-18 17:09:21 +02:00
|
|
|
const { UPDATED_BY_ATTRIBUTE, CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;
|
|
|
|
|
2020-07-06 16:25:25 +02:00
|
|
|
const formatError = error => [
|
|
|
|
{ messages: [{ id: error.id, message: error.message, field: error.field }] },
|
|
|
|
];
|
|
|
|
|
2021-08-06 18:09:49 +02:00
|
|
|
const userModel = 'plugin::users-permissions.user';
|
2020-07-06 16:25:25 +02:00
|
|
|
const ACTIONS = {
|
2021-08-06 18:09:49 +02:00
|
|
|
read: 'plugin::content-manager.explorer.read',
|
|
|
|
create: 'plugin::content-manager.explorer.create',
|
|
|
|
edit: 'plugin::content-manager.explorer.update',
|
|
|
|
delete: 'plugin::content-manager.explorer.delete',
|
2020-07-06 16:25:25 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
const findEntityAndCheckPermissions = async (ability, action, model, id) => {
|
2021-08-06 18:09:49 +02:00
|
|
|
const entity = await strapi.query('plugin::users-permissions.user').findOne({ where: { id } });
|
2020-07-06 16:25:25 +02:00
|
|
|
|
|
|
|
if (_.isNil(entity)) {
|
|
|
|
throw strapi.errors.notFound();
|
|
|
|
}
|
|
|
|
|
2020-11-02 17:19:42 +01:00
|
|
|
const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });
|
2020-07-06 16:25:25 +02:00
|
|
|
|
2020-08-18 17:09:21 +02:00
|
|
|
const roles = _.has(entity, `${CREATED_BY_ATTRIBUTE}.id`)
|
2021-06-22 17:13:11 +02:00
|
|
|
? await strapi.query('strapi::role').findMany({
|
|
|
|
where: {
|
|
|
|
users: { id: entity[CREATED_BY_ATTRIBUTE].id },
|
|
|
|
},
|
|
|
|
})
|
2020-07-06 16:25:25 +02:00
|
|
|
: [];
|
2021-06-22 17:13:11 +02:00
|
|
|
|
2020-08-18 17:09:21 +02:00
|
|
|
const entityWithRoles = _.set(_.cloneDeep(entity), `${CREATED_BY_ATTRIBUTE}.roles`, roles);
|
2020-07-06 16:25:25 +02:00
|
|
|
|
|
|
|
if (pm.ability.cannot(pm.action, pm.toSubject(entityWithRoles))) {
|
|
|
|
throw strapi.errors.forbidden();
|
|
|
|
}
|
|
|
|
|
|
|
|
return { pm, entity };
|
|
|
|
};
|
|
|
|
|
|
|
|
module.exports = {
|
|
|
|
/**
|
|
|
|
* Create a/an user record.
|
|
|
|
* @return {Object}
|
|
|
|
*/
|
|
|
|
async create(ctx) {
|
|
|
|
const {
|
|
|
|
request: { body },
|
|
|
|
state: { userAbility, admin },
|
|
|
|
} = ctx;
|
|
|
|
const { email, username, password } = body;
|
|
|
|
|
2020-11-02 17:19:42 +01:00
|
|
|
const pm = strapi.admin.services.permission.createPermissionsManager({
|
|
|
|
ability: userAbility,
|
|
|
|
action: ACTIONS.create,
|
|
|
|
model: userModel,
|
|
|
|
});
|
2020-07-06 16:25:25 +02:00
|
|
|
|
|
|
|
if (!pm.isAllowed) {
|
|
|
|
throw strapi.errors.forbidden();
|
|
|
|
}
|
|
|
|
|
|
|
|
const sanitizedBody = pm.pickPermittedFieldsOf(body, { subject: userModel });
|
|
|
|
|
|
|
|
const advanced = await strapi
|
|
|
|
.store({
|
|
|
|
environment: '',
|
|
|
|
type: 'plugin',
|
|
|
|
name: 'users-permissions',
|
|
|
|
key: 'advanced',
|
|
|
|
})
|
|
|
|
.get();
|
|
|
|
|
|
|
|
if (!email) return ctx.badRequest('missing.email');
|
|
|
|
if (!username) return ctx.badRequest('missing.username');
|
|
|
|
if (!password) return ctx.badRequest('missing.password');
|
|
|
|
|
|
|
|
const userWithSameUsername = await strapi
|
2021-08-06 18:09:49 +02:00
|
|
|
.query('plugin::users-permissions.user')
|
2021-07-08 18:15:32 +02:00
|
|
|
.findOne({ where: { username } });
|
2020-07-06 16:25:25 +02:00
|
|
|
|
|
|
|
if (userWithSameUsername) {
|
|
|
|
return ctx.badRequest(
|
|
|
|
null,
|
|
|
|
formatError({
|
|
|
|
id: 'Auth.form.error.username.taken',
|
|
|
|
message: 'Username already taken.',
|
|
|
|
field: ['username'],
|
|
|
|
})
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (advanced.unique_email) {
|
2020-10-01 16:23:32 +02:00
|
|
|
const userWithSameEmail = await strapi
|
2021-08-06 18:09:49 +02:00
|
|
|
.query('plugin::users-permissions.user')
|
2021-07-08 18:15:32 +02:00
|
|
|
.findOne({ where: { email: email.toLowerCase() } });
|
2020-07-06 16:25:25 +02:00
|
|
|
|
|
|
|
if (userWithSameEmail) {
|
|
|
|
return ctx.badRequest(
|
|
|
|
null,
|
|
|
|
|
|
|
|
formatError({
|
|
|
|
id: 'Auth.form.error.email.taken',
|
|
|
|
message: 'Email already taken.',
|
|
|
|
field: ['email'],
|
|
|
|
})
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
const user = {
|
|
|
|
...sanitizedBody,
|
|
|
|
provider: 'local',
|
2020-08-18 17:09:21 +02:00
|
|
|
[CREATED_BY_ATTRIBUTE]: admin.id,
|
|
|
|
[UPDATED_BY_ATTRIBUTE]: admin.id,
|
2020-07-06 16:25:25 +02:00
|
|
|
};
|
|
|
|
|
2020-09-14 02:30:12 -05:00
|
|
|
user.email = user.email.toLowerCase();
|
|
|
|
|
2020-07-06 16:25:25 +02:00
|
|
|
if (!user.role) {
|
|
|
|
const defaultRole = await strapi
|
2021-08-06 18:09:49 +02:00
|
|
|
.query('plugin::users-permissions.role')
|
2021-07-08 18:15:32 +02:00
|
|
|
.findOne({ where: { type: advanced.default_role } });
|
2020-07-06 16:25:25 +02:00
|
|
|
|
|
|
|
user.role = defaultRole.id;
|
|
|
|
}
|
|
|
|
|
|
|
|
try {
|
2021-08-19 22:27:00 +02:00
|
|
|
const data = await getService('user').add(user);
|
2020-07-06 16:25:25 +02:00
|
|
|
|
|
|
|
ctx.created(pm.sanitize(data, { action: ACTIONS.read }));
|
|
|
|
} catch (error) {
|
|
|
|
ctx.badRequest(null, formatError(error));
|
|
|
|
}
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Update a/an user record.
|
|
|
|
* @return {Object}
|
|
|
|
*/
|
|
|
|
|
|
|
|
async update(ctx) {
|
|
|
|
const advancedConfigs = await strapi
|
|
|
|
.store({
|
|
|
|
environment: '',
|
|
|
|
type: 'plugin',
|
|
|
|
name: 'users-permissions',
|
|
|
|
key: 'advanced',
|
|
|
|
})
|
|
|
|
.get();
|
|
|
|
|
|
|
|
const {
|
|
|
|
params: { id },
|
|
|
|
request: { body },
|
|
|
|
state: { userAbility, admin },
|
|
|
|
} = ctx;
|
|
|
|
const { email, username, password } = body;
|
|
|
|
|
|
|
|
const { pm, entity: user } = await findEntityAndCheckPermissions(
|
|
|
|
userAbility,
|
|
|
|
ACTIONS.edit,
|
|
|
|
userModel,
|
|
|
|
id
|
|
|
|
);
|
|
|
|
|
|
|
|
if (_.has(body, 'email') && !email) {
|
|
|
|
return ctx.badRequest('email.notNull');
|
|
|
|
}
|
|
|
|
|
|
|
|
if (_.has(body, 'username') && !username) {
|
|
|
|
return ctx.badRequest('username.notNull');
|
|
|
|
}
|
|
|
|
|
|
|
|
if (_.has(body, 'password') && !password && user.provider === 'local') {
|
|
|
|
return ctx.badRequest('password.notNull');
|
|
|
|
}
|
|
|
|
|
|
|
|
if (_.has(body, 'username')) {
|
|
|
|
const userWithSameUsername = await strapi
|
2021-08-06 18:09:49 +02:00
|
|
|
.query('plugin::users-permissions.user')
|
2021-07-08 18:15:32 +02:00
|
|
|
.findOne({ where: { username } });
|
2020-07-06 16:25:25 +02:00
|
|
|
|
|
|
|
if (userWithSameUsername && userWithSameUsername.id != id) {
|
|
|
|
return ctx.badRequest(
|
|
|
|
null,
|
|
|
|
formatError({
|
|
|
|
id: 'Auth.form.error.username.taken',
|
|
|
|
message: 'username.alreadyTaken.',
|
|
|
|
field: ['username'],
|
|
|
|
})
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (_.has(body, 'email') && advancedConfigs.unique_email) {
|
2020-10-01 16:23:32 +02:00
|
|
|
const userWithSameEmail = await strapi
|
2021-08-06 18:09:49 +02:00
|
|
|
.query('plugin::users-permissions.user')
|
2021-07-08 18:15:32 +02:00
|
|
|
.findOne({ where: { email: email.toLowerCase() } });
|
2020-07-06 16:25:25 +02:00
|
|
|
|
|
|
|
if (userWithSameEmail && userWithSameEmail.id != id) {
|
|
|
|
return ctx.badRequest(
|
|
|
|
null,
|
|
|
|
formatError({
|
|
|
|
id: 'Auth.form.error.email.taken',
|
|
|
|
message: 'Email already taken',
|
|
|
|
field: ['email'],
|
|
|
|
})
|
|
|
|
);
|
|
|
|
}
|
2020-09-14 02:30:12 -05:00
|
|
|
body.email = body.email.toLowerCase();
|
2020-07-06 16:25:25 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
const sanitizedData = pm.pickPermittedFieldsOf(body, { subject: pm.toSubject(user) });
|
|
|
|
const updateData = _.omit({ ...sanitizedData, updated_by: admin.id }, 'created_by');
|
|
|
|
|
|
|
|
if (_.has(body, 'password') && password === user.password) {
|
|
|
|
delete updateData.password;
|
|
|
|
}
|
|
|
|
|
2021-07-08 18:15:32 +02:00
|
|
|
const data = await getService('user').edit({ id }, updateData);
|
2020-07-06 16:25:25 +02:00
|
|
|
|
|
|
|
ctx.body = pm.sanitize(data, { action: ACTIONS.read });
|
|
|
|
},
|
|
|
|
};
|