strapi/packages/core/upload/server/controllers/admin-api.js

'use strict';

const _ = require('lodash');
const { contentTypes: contentTypesUtils } = require('@strapi/utils');
const { ApplicationError, NotFoundError, ForbiddenError } = require('@strapi/utils').errors;
const { getService } = require('../utils');
const validateSettings = require('./validation/settings');
const validateUploadBody = require('./validation/upload');

const { CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;

const ACTIONS = {
  read: 'plugin::upload.read',
  readSettings: 'plugin::upload.settings.read',
  create: 'plugin::upload.assets.create',
  update: 'plugin::upload.assets.update',
  download: 'plugin::upload.assets.download',
  copyLink: 'plugin::upload.assets.copy-link',
};

const fileModel = 'plugin::upload.file';

module.exports = {
  async find(ctx) {
    const {
      state: { userAbility },
    } = ctx;

    const pm = strapi.admin.services.permission.createPermissionsManager({
      ability: userAbility,
      action: ACTIONS.read,
      model: fileModel,
    });

    if (!pm.isAllowed) {
      return ctx.forbidden();
    }

    const query = pm.addPermissionsQueryTo(ctx.query);

    const { results, pagination } = await getService('upload').findPage(query);

    const sanitizedResults = await pm.sanitizeOutput(results);

    return { results: sanitizedResults, pagination };
  },

  async findOne(ctx) {
    const {
      state: { userAbility },
      params: { id },
    } = ctx;

    const { pm, file } = await findEntityAndCheckPermissions(
      userAbility,
      ACTIONS.read,
      fileModel,
      id
    );

    ctx.body = await pm.sanitizeOutput(file);
  },

  async destroy(ctx) {
    const { id } = ctx.params;
    const { userAbility } = ctx.state;

    const { pm, file } = await findEntityAndCheckPermissions(
      userAbility,
      ACTIONS.update,
      fileModel,
      id
    );

    await getService('upload').remove(file);

    ctx.body = await pm.sanitizeOutput(file, { action: ACTIONS.read });
  },

  async updateSettings(ctx) {
    const {
      request: { body },
      state: { userAbility },
    } = ctx;

    if (userAbility.cannot(ACTIONS.readSettings, fileModel)) {
      return ctx.forbidden();
    }

    const data = await validateSettings(body);

    await getService('upload').setSettings(data);

    ctx.body = { data };
  },

  async getSettings(ctx) {
    const {
      state: { userAbility },
    } = ctx;

    if (userAbility.cannot(ACTIONS.readSettings, fileModel)) {
      return ctx.forbidden();
    }

    const data = await getService('upload').getSettings();

    ctx.body = { data };
  },

  async updateFileInfo(ctx) {
    const {
      state: { userAbility, user },
      query: { id },
      request: { body },
    } = ctx;

    const uploadService = getService('upload');
    const { pm } = await findEntityAndCheckPermissions(userAbility, ACTIONS.update, fileModel, id);

    const data = await validateUploadBody(body);
    const file = await uploadService.updateFileInfo(id, data.fileInfo, { user });

    ctx.body = await pm.sanitizeOutput(file, { action: ACTIONS.read });
  },

  async replaceFile(ctx) {
    const {
      state: { userAbility, user },
      query: { id },
      request: { body, files: { files } = {} },
    } = ctx;

    const uploadService = getService('upload');
    const { pm } = await findEntityAndCheckPermissions(userAbility, ACTIONS.update, fileModel, id);

    if (Array.isArray(files)) {
      throw new ApplicationError('Cannot replace a file with multiple ones');
    }

    const data = await validateUploadBody(body);
    const replacedFiles = await uploadService.replace(id, { data, file: files }, { user });

    ctx.body = await pm.sanitizeOutput(replacedFiles, { action: ACTIONS.read });
  },

  async uploadFiles(ctx) {
    const {
      state: { userAbility, user },
      request: { body, files: { files } = {} },
    } = ctx;

    const uploadService = getService('upload');
    const pm = strapi.admin.services.permission.createPermissionsManager({
      ability: userAbility,
      action: ACTIONS.create,
      model: fileModel,
    });

    if (!pm.isAllowed) {
      return ctx.forbidden();
    }

    const data = await validateUploadBody(body);
    const uploadedFiles = await uploadService.upload({ data, files }, { user });

    ctx.body = await pm.sanitizeOutput(uploadedFiles, { action: ACTIONS.read });
  },

  async upload(ctx) {
    const {
      query: { id },
      request: { files: { files } = {} },
    } = ctx;

    if (id && (_.isEmpty(files) || files.size === 0)) {
      return this.updateFileInfo(ctx);
    }

    if (_.isEmpty(files) || files.size === 0) {
      throw new ApplicationError('Files are empty');
    }

    await (id ? this.replaceFile : this.uploadFiles)(ctx);
  },
};

const findEntityAndCheckPermissions = async (ability, action, model, id) => {
  const file = await getService('upload').findOne(id, [CREATED_BY_ATTRIBUTE]);

  if (_.isNil(file)) {
    throw new NotFoundError();
  }

  const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });

  const creatorId = _.get(file, [CREATED_BY_ATTRIBUTE, 'id']);
  const author = creatorId ? await strapi.admin.services.user.findOne(creatorId, ['roles']) : null;

  const fileWithRoles = _.set(_.cloneDeep(file), 'createdBy', author);

  if (pm.ability.cannot(pm.action, pm.toSubject(fileWithRoles))) {
    throw new ForbiddenError();
  }

  return { pm, file };
};
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`'use strict';`

			`const _ = require('lodash');`
remove search admin route for upload plugin 2021-09-24 15:59:51 +02:00			`const { contentTypes: contentTypesUtils } = require('@strapi/utils');`
refacto graphql errors 2021-10-27 18:54:58 +02:00			`const { ApplicationError, NotFoundError, ForbiddenError } = require('@strapi/utils').errors;`
Use new filters format in the upload plugin 2021-09-20 18:50:48 +02:00			`const { getService } = require('../utils');`
			`const validateSettings = require('./validation/settings');`
			`const validateUploadBody = require('./validation/upload');`
Make lint stricter and fix the errors Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 11:27:17 +01:00
Fix "has same role as author" condition not working properly (#8202) * Fix "has same role as author" condition not working properly Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Use creators constants Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Add e2e test for default conditions, fix conditions on mongoose Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> * Fix tests in CE Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-10-08 19:50:39 +02:00			`const { CREATED_BY_ATTRIBUTE } = contentTypesUtils.constants;`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
			`const ACTIONS = {`
refactor with module approach 2021-08-06 18:09:49 +02:00			`read: 'plugin::upload.read',`
			`readSettings: 'plugin::upload.settings.read',`
			`create: 'plugin::upload.assets.create',`
			`update: 'plugin::upload.assets.update',`
			`download: 'plugin::upload.assets.download',`
			`copyLink: 'plugin::upload.assets.copy-link',`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`};`

refactor with module approach 2021-08-06 18:09:49 +02:00			`const fileModel = 'plugin::upload.file';`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
			`module.exports = {`
			`async find(ctx) {`
			`const {`
			`state: { userAbility },`
			`} = ctx;`

Cleanup tests Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-11-02 17:19:42 +01:00			`const pm = strapi.admin.services.permission.createPermissionsManager({`
			`ability: userAbility,`
			`action: ACTIONS.read,`
			`model: fileModel,`
			`});`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
			`if (!pm.isAllowed) {`
			`return ctx.forbidden();`
			`}`

Use new filters format in the upload plugin 2021-09-20 18:50:48 +02:00			`const query = pm.addPermissionsQueryTo(ctx.query);`

Make sure the results are sanitized 2021-10-07 18:05:06 +02:00			`const { results, pagination } = await getService('upload').findPage(query);`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`const sanitizedResults = await pm.sanitizeOutput(results);`
Make sure the results are sanitized 2021-10-07 18:05:06 +02:00
			`return { results: sanitizedResults, pagination };`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`},`

			`async findOne(ctx) {`
			`const {`
			`state: { userAbility },`
			`params: { id },`
			`} = ctx;`

refacto graphql errors 2021-10-27 18:54:58 +02:00			`const { pm, file } = await findEntityAndCheckPermissions(`
			`userAbility,`
			`ACTIONS.read,`
			`fileModel,`
			`id`
			`);`

[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`ctx.body = await pm.sanitizeOutput(file);`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`},`

			`async destroy(ctx) {`
Add Delete an asset call to the ML (#11186) 2021-10-07 09:24:04 +02:00			`const { id } = ctx.params;`
			`const { userAbility } = ctx.state;`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
refacto graphql errors 2021-10-27 18:54:58 +02:00			`const { pm, file } = await findEntityAndCheckPermissions(`
			`userAbility,`
			`ACTIONS.update,`
			`fileModel,`
			`id`
			`);`

			`await getService('upload').remove(file);`

[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`ctx.body = await pm.sanitizeOutput(file, { action: ACTIONS.read });`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`},`

			`async updateSettings(ctx) {`
			`const {`
			`request: { body },`
			`state: { userAbility },`
			`} = ctx;`

Fix wrong permissions assigns (upload, users-permissions) (#8320) Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-10-13 18:51:09 +02:00			`if (userAbility.cannot(ACTIONS.readSettings, fileModel)) {`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`return ctx.forbidden();`
			`}`

			`const data = await validateSettings(body);`

Use getService 2021-07-08 22:07:52 +02:00			`await getService('upload').setSettings(data);`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
			`ctx.body = { data };`
			`},`

			`async getSettings(ctx) {`
			`const {`
			`state: { userAbility },`
			`} = ctx;`

Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`if (userAbility.cannot(ACTIONS.readSettings, fileModel)) {`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`return ctx.forbidden();`
			`}`

Use getService 2021-07-08 22:07:52 +02:00			`const data = await getService('upload').getSettings();`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
			`ctx.body = { data };`
			`},`

			`async updateFileInfo(ctx) {`
			`const {`
			`state: { userAbility, user },`
			`query: { id },`
			`request: { body },`
			`} = ctx;`

Use getService 2021-07-08 22:07:52 +02:00			`const uploadService = getService('upload');`
refacto graphql errors 2021-10-27 18:54:58 +02:00			`const { pm } = await findEntityAndCheckPermissions(userAbility, ACTIONS.update, fileModel, id);`

			`const data = await validateUploadBody(body);`
			`const file = await uploadService.updateFileInfo(id, data.fileInfo, { user });`

[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`ctx.body = await pm.sanitizeOutput(file, { action: ACTIONS.read });`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`},`

			`async replaceFile(ctx) {`
			`const {`
			`state: { userAbility, user },`
			`query: { id },`
			`request: { body, files: { files } = {} },`
			`} = ctx;`

Use getService 2021-07-08 22:07:52 +02:00			`const uploadService = getService('upload');`
refacto graphql errors 2021-10-27 18:54:58 +02:00			`const { pm } = await findEntityAndCheckPermissions(userAbility, ACTIONS.update, fileModel, id);`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
			`if (Array.isArray(files)) {`
refactor error handling 2021-10-20 17:30:05 +02:00			`throw new ApplicationError('Cannot replace a file with multiple ones');`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`}`

			`const data = await validateUploadBody(body);`
Merge branch 'master' into releases/3.2 Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-05 12:00:03 +02:00			`const replacedFiles = await uploadService.replace(id, { data, file: files }, { user });`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`ctx.body = await pm.sanitizeOutput(replacedFiles, { action: ACTIONS.read });`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`},`

			`async uploadFiles(ctx) {`
			`const {`
			`state: { userAbility, user },`
			`request: { body, files: { files } = {} },`
Fix upload w/ permissions bugs Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 19:18:33 +02:00			`} = ctx;`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
Use getService 2021-07-08 22:07:52 +02:00			`const uploadService = getService('upload');`
Cleanup tests Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-11-02 17:19:42 +01:00			`const pm = strapi.admin.services.permission.createPermissionsManager({`
			`ability: userAbility,`
			`action: ACTIONS.create,`
			`model: fileModel,`
			`});`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
			`if (!pm.isAllowed) {`
refactor error handling 2021-10-20 17:30:05 +02:00			`return ctx.forbidden();`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`}`

			`const data = await validateUploadBody(body);`
Merge branch 'master' into releases/3.2 Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-05 12:00:03 +02:00			`const uploadedFiles = await uploadService.upload({ data, files }, { user });`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`ctx.body = await pm.sanitizeOutput(uploadedFiles, { action: ACTIONS.read });`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`},`
Use new filters format in the upload plugin 2021-09-20 18:50:48 +02:00
			`async upload(ctx) {`
			`const {`
			`query: { id },`
			`request: { files: { files } = {} },`
			`} = ctx;`

			`if (id && (_.isEmpty(files) \|\| files.size === 0)) {`
			`return this.updateFileInfo(ctx);`
			`}`

			`if (_.isEmpty(files) \|\| files.size === 0) {`
refactor error handling 2021-10-20 17:30:05 +02:00			`throw new ApplicationError('Files are empty');`
Use new filters format in the upload plugin 2021-09-20 18:50:48 +02:00			`}`

			`await (id ? this.replaceFile : this.uploadFiles)(ctx);`
			`},`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`};`

			`const findEntityAndCheckPermissions = async (ability, action, model, id) => {`
fix RBAC 2021-09-24 15:40:02 +02:00			`const file = await getService('upload').findOne(id, [CREATED_BY_ATTRIBUTE]);`
Wip 2021-07-08 21:53:30 +02:00
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`if (_.isNil(file)) {`
refactor error handling 2021-10-20 17:30:05 +02:00			`throw new NotFoundError();`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`}`

Cleanup tests Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-11-02 17:19:42 +01:00			`const pm = strapi.admin.services.permission.createPermissionsManager({ ability, action, model });`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00
Refactor code to run the query only when necessary 2021-12-22 17:58:22 +09:00			`const creatorId = _.get(file, [CREATED_BY_ATTRIBUTE, 'id']);`
			`const author = creatorId ? await strapi.admin.services.user.findOne(creatorId, ['roles']) : null;`
Fix RBAC upload permissions (#10484) * Fix fetch of created_by.roles for the upload permissions' check * Remove console.log * Add default value for the set roles * Fetch the author (user) instead of their roles only * Only populate roles for the author 2021-06-17 12:00:02 +02:00
Rename creator fields 2021-09-22 17:04:57 +02:00			`const fileWithRoles = _.set(_.cloneDeep(file), 'createdBy', author);`
Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00
			`if (pm.ability.cannot(pm.action, pm.toSubject(fileWithRoles))) {`
refactor error handling 2021-10-20 17:30:05 +02:00			`throw new ForbiddenError();`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`}`

Rewrote users-permissions's controller to fit with rbac, fix various bugs in content-manager's controllers Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-06 16:25:25 +02:00			`return { pm, file };`
Add permissions on upload controller Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-07-02 18:49:20 +02:00			`};`