strapi/packages/core/utils/lib/sanitize/index.js

'use strict';

const { isArray } = require('lodash/fp');

const traverseEntity = require('../traverse-entity');
const { getNonWritableAttributes } = require('../content-types');
const visitors = require('./visitors');
const utils = require('./utils');

module.exports = {
  contentAPI: {
    input(data, schema, { auth } = {}) {
      if (isArray(data)) {
        return Promise.all(data.map(entry => this.input(entry, schema, { auth })));
      }

      const nonWritableAttributes = getNonWritableAttributes(schema);

      const transforms = [
        // Remove non writable attributes
        traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),
      ];

      if (auth) {
        // Remove restricted relations
        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
      }

      return utils.pipeAsync(...transforms)(data);
    },

    output(data, schema, { auth } = {}) {
      if (isArray(data)) {
        return Promise.all(data.map(entry => this.output(entry, schema, { auth })));
      }

      const transforms = [
        traverseEntity(visitors.removePassword, { schema }),
        traverseEntity(visitors.removePrivate, { schema }),
      ];

      if (auth) {
        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
      }

      return utils.pipeAsync(...transforms)(data);
    },
  },

  eventHub(data, schema) {
    if (isArray(data)) {
      return Promise.all(data.map(entry => this.eventHub(entry, schema)));
    }

    return utils.pipeAsync(
      traverseEntity(visitors.removePassword, { schema }),
      traverseEntity(visitors.removePrivate, { schema })
    )(data);
  },

  utils,
  visitors,
};
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`'use strict';`

			`const { isArray } = require('lodash/fp');`

			`const traverseEntity = require('../traverse-entity');`
			`const { getNonWritableAttributes } = require('../content-types');`
			`const visitors = require('./visitors');`
			`const utils = require('./utils');`

			`module.exports = {`
			`contentAPI: {`
			`input(data, schema, { auth } = {}) {`
			`if (isArray(data)) {`
			`return Promise.all(data.map(entry => this.input(entry, schema, { auth })));`
			`}`

			`const nonWritableAttributes = getNonWritableAttributes(schema);`

			`const transforms = [`
			`// Remove non writable attributes`
			`traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),`
			`];`

			`if (auth) {`
			`// Remove restricted relations`
			`transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));`
			`}`

			`return utils.pipeAsync(...transforms)(data);`
			`},`

			`output(data, schema, { auth } = {}) {`
			`if (isArray(data)) {`
			`return Promise.all(data.map(entry => this.output(entry, schema, { auth })));`
			`}`

			`const transforms = [`
			`traverseEntity(visitors.removePassword, { schema }),`
			`traverseEntity(visitors.removePrivate, { schema }),`
			`];`

			`if (auth) {`
			`transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));`
			`}`

			`return utils.pipeAsync(...transforms)(data);`
			`},`
			`},`

			`eventHub(data, schema) {`
			`if (isArray(data)) {`
			`return Promise.all(data.map(entry => this.eventHub(entry, schema)));`
			`}`

			`return utils.pipeAsync(`
			`traverseEntity(visitors.removePassword, { schema }),`
			`traverseEntity(visitors.removePrivate, { schema })`
			`)(data);`
			`},`

			`utils,`
			`visitors,`
			`};`