2018-08-08 17:57:02 +02:00
|
|
|
const _ = require('lodash');
|
|
|
|
|
2017-11-27 16:47:16 +01:00
|
|
|
module.exports = async (ctx, next) => {
|
2018-01-17 18:50:12 +01:00
|
|
|
let role;
|
2017-11-27 16:47:16 +01:00
|
|
|
|
|
|
|
if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
|
|
|
|
try {
|
2018-01-18 11:13:44 +01:00
|
|
|
const { _id, id } = await strapi.plugins['users-permissions'].services.jwt.getToken(ctx);
|
2018-02-28 18:10:30 +01:00
|
|
|
|
|
|
|
if ((id || _id) === undefined) {
|
|
|
|
throw new Error('Invalid token: Token did not contain required fields');
|
|
|
|
}
|
2017-12-14 16:12:39 +01:00
|
|
|
|
2018-02-28 10:35:28 -05:00
|
|
|
ctx.state.user = await strapi.query('user', 'users-permissions').findOne({ _id, id });
|
2017-11-27 16:47:16 +01:00
|
|
|
} catch (err) {
|
2018-11-06 18:58:40 +01:00
|
|
|
return handleErrors(ctx, err, 'unauthorized');
|
2017-11-27 16:47:16 +01:00
|
|
|
}
|
2018-01-09 13:53:52 +01:00
|
|
|
|
|
|
|
if (!ctx.state.user) {
|
2018-11-06 18:58:40 +01:00
|
|
|
return handleErrors(ctx, 'User Not Found', 'unauthorized');
|
2018-01-09 13:53:52 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
role = ctx.state.user.role;
|
|
|
|
|
2018-01-17 18:50:12 +01:00
|
|
|
if (role.type === 'root') {
|
2018-01-09 13:53:52 +01:00
|
|
|
return await next();
|
|
|
|
}
|
2018-08-08 17:57:02 +02:00
|
|
|
|
|
|
|
const store = await strapi.store({
|
|
|
|
environment: '',
|
|
|
|
type: 'plugin',
|
|
|
|
name: 'users-permissions'
|
|
|
|
});
|
|
|
|
|
2019-02-28 19:22:01 +02:00
|
|
|
if (_.get(await store.get({key: 'advanced'}), 'email_confirmation') && !ctx.state.user.confirmed) {
|
2018-11-06 18:58:40 +01:00
|
|
|
return handleErrors(ctx, 'Your account email is not confirmed.', 'unauthorized');
|
2018-08-08 17:57:02 +02:00
|
|
|
}
|
2018-10-31 17:20:09 +01:00
|
|
|
|
2019-02-28 19:22:01 +02:00
|
|
|
if (ctx.state.user.blocked) {
|
2018-11-06 18:58:40 +01:00
|
|
|
return handleErrors(ctx, 'Your account has been blocked by the administrator.', 'unauthorized');
|
2018-08-06 17:46:58 +02:00
|
|
|
}
|
2017-11-27 16:47:16 +01:00
|
|
|
}
|
2018-11-06 18:58:40 +01:00
|
|
|
|
2018-03-12 16:37:20 +01:00
|
|
|
// Retrieve `public` role.
|
2018-01-17 18:50:12 +01:00
|
|
|
if (!role) {
|
2018-03-12 16:37:20 +01:00
|
|
|
role = await strapi.query('role', 'users-permissions').findOne({ type: 'public' }, []);
|
2018-01-17 18:50:12 +01:00
|
|
|
}
|
2018-01-24 11:52:09 +01:00
|
|
|
|
2018-01-17 18:50:12 +01:00
|
|
|
const route = ctx.request.route;
|
|
|
|
const permission = await strapi.query('permission', 'users-permissions').findOne({
|
|
|
|
role: role._id || role.id,
|
|
|
|
type: route.plugin || 'application',
|
|
|
|
controller: route.controller,
|
|
|
|
action: route.action,
|
|
|
|
enabled: true
|
|
|
|
}, []);
|
2017-11-27 16:47:16 +01:00
|
|
|
|
2017-11-27 17:45:21 +01:00
|
|
|
if (!permission) {
|
2018-11-06 18:58:40 +01:00
|
|
|
return handleErrors(ctx, undefined, 'forbidden');
|
2017-11-27 17:45:21 +01:00
|
|
|
}
|
|
|
|
|
2018-01-17 18:50:12 +01:00
|
|
|
// Execute the policies.
|
|
|
|
if (permission.policy) {
|
2018-01-24 19:00:12 +01:00
|
|
|
return await strapi.plugins['users-permissions'].config.policies[permission.policy](ctx, next);
|
2017-11-27 16:47:16 +01:00
|
|
|
}
|
2018-01-17 18:50:12 +01:00
|
|
|
|
|
|
|
// Execute the action.
|
|
|
|
await next();
|
2017-11-27 16:47:16 +01:00
|
|
|
};
|
2018-11-06 18:58:40 +01:00
|
|
|
|
|
|
|
const handleErrors = (ctx, err = undefined, type) => {
|
|
|
|
if (ctx.request.graphql === null) {
|
|
|
|
return ctx.request.graphql = strapi.errors[type](err);
|
|
|
|
}
|
|
|
|
|
|
|
|
return ctx[type](err);
|
2019-02-28 19:22:01 +02:00
|
|
|
};
|