strapi/packages/core/content-manager/server/controllers/relations.js

'use strict';

const { prop, isEmpty } = require('lodash/fp');
const { hasDraftAndPublish } = require('@strapi/utils').contentTypes;
const { PUBLISHED_AT_ATTRIBUTE } = require('@strapi/utils').contentTypes.constants;
const { MANY_RELATIONS } = require('@strapi/utils').relations.constants;

const { getService } = require('../utils');
const { validateFindAvailable, validateFindExisting } = require('./validation/relations');

const addFiltersClause = (params, filtersClause) => {
  params.filters = params.filters || {};
  if (params.filters.$and) {
    params.filters.$and.push(filtersClause);
  } else {
    params.filters.$and = [filtersClause];
  }
};

module.exports = {
  async findAvailable(ctx) {
    const { userAbility } = ctx.state;
    const { model, targetField } = ctx.params;

    await validateFindAvailable(ctx.request.query);

    // idsToOmit: used to exclude relations that the front already added but that were not saved yet
    // idsToInclude: used to include relations that the front removed but not saved yes
    const { component, entityId, idsToOmit, idsToInclude, _q, ...query } = ctx.request.query;

    const sourceModelUid = component || model;

    const sourceModel = strapi.getModel(sourceModelUid);
    if (!sourceModel) {
      return ctx.badRequest("The model doesn't exist");
    }

    const permissionChecker = getService('permission-checker').create({
      userAbility,
      model,
    });

    if (permissionChecker.cannot.read()) {
      return ctx.forbidden();
    }

    const attribute = sourceModel.attributes[targetField];
    if (!attribute || attribute.type !== 'relation') {
      return ctx.badRequest("This relational field doesn't exist");
    }

    // TODO: find a way to check field permission for component
    if (!component && permissionChecker.cannot.read(null, targetField)) {
      return ctx.forbidden();
    }

    if (entityId) {
      const entityManager = getService('entity-manager');

      const entity = await entityManager.findOneWithCreatorRoles(entityId, model);

      if (!entity) {
        return ctx.notFound();
      }

      if (!component && permissionChecker.cannot.read(entity, targetField)) {
        return ctx.forbidden();
      }
      // TODO: find a way to check field permission for component
      if (component && permissionChecker.cannot.read(entity)) {
        return ctx.forbidden();
      }
    }

    const targetedModel = strapi.getModel(attribute.target);

    const modelConfig = component
      ? await getService('components').findConfiguration(sourceModel)
      : await getService('content-types').findConfiguration(sourceModel);
    const mainField = prop(`metadatas.${targetField}.edit.mainField`, modelConfig) || 'id';

    const fieldsToSelect = ['id', mainField];
    if (hasDraftAndPublish(targetedModel)) {
      fieldsToSelect.push(PUBLISHED_AT_ATTRIBUTE);
    }

    const queryParams = {
      sort: mainField,
      ...query,
      fields: fieldsToSelect, // cannot select other fields as the user may not have the permissions
      filters: {}, // cannot filter for RBAC reasons
    };

    if (!isEmpty(idsToOmit)) {
      addFiltersClause(queryParams, { id: { $notIn: idsToOmit } });
    }

    // searching should be allowed only on mainField for permission reasons
    if (_q) {
      addFiltersClause(queryParams, { [mainField]: { $containsi: _q } });
    }

    if (entityId) {
      const subQuery = strapi.db.queryBuilder(sourceModel.uid);

      const alias = subQuery.getAlias();

      const where = {
        id: entityId,
        [`${alias}.id`]: { $notNull: true },
      };

      if (!isEmpty(idsToInclude)) {
        where[`${alias}.id`].$notIn = idsToInclude;
      }

      const knexSubQuery = subQuery
        .where(where)
        .join({ alias, targetField })
        .select(`${alias}.id`)
        .getKnexQuery();

      addFiltersClause(queryParams, { id: { $notIn: knexSubQuery } });
    }

    ctx.body = await strapi.entityService.findPage(targetedModel.uid, queryParams);
  },

  async findExisting(ctx) {
    const { userAbility } = ctx.state;
    const { model, id, targetField } = ctx.params;

    await validateFindExisting(ctx.request.query);

    const { component, ...query } = ctx.request.query;

    const sourceModelUid = component || model;

    const sourceModel = strapi.getModel(sourceModelUid);
    if (!sourceModel) {
      return ctx.badRequest("The model doesn't exist");
    }

    const entityManager = getService('entity-manager');
    const permissionChecker = getService('permission-checker').create({
      userAbility,
      model,
    });

    if (permissionChecker.cannot.read()) {
      return ctx.forbidden();
    }

    const attribute = sourceModel.attributes[targetField];
    if (!attribute || attribute.type !== 'relation') {
      return ctx.badRequest("This relational field doesn't exist");
    }

    // TODO: find a way to check field permission for component
    if (!component && permissionChecker.cannot.read(null, targetField)) {
      return ctx.forbidden();
    }

    const entity = await entityManager.findOneWithCreatorRoles(id, model);

    if (!entity) {
      return ctx.notFound();
    }

    if (!component && permissionChecker.cannot.read(entity, targetField)) {
      return ctx.forbidden();
    }
    // TODO: find a way to check field permission for component
    if (component && permissionChecker.cannot.read(entity)) {
      return ctx.forbidden();
    }

    const targetedModel = strapi.getModel(attribute.target);

    const modelConfig = component
      ? await getService('components').findConfiguration(sourceModel)
      : await getService('content-types').findConfiguration(sourceModel);
    const mainField = prop(`metadatas.${targetField}.edit.mainField`, modelConfig) || 'id';

    const fieldsToSelect = ['id', mainField];
    if (hasDraftAndPublish(targetedModel)) {
      fieldsToSelect.push(PUBLISHED_AT_ATTRIBUTE);
    }

    const queryParams = {
      fields: fieldsToSelect,
    };

    if (MANY_RELATIONS.includes(attribute.relation)) {
      const res = await strapi.entityService.loadPages(sourceModelUid, { id }, targetField, {
        ...queryParams,
        page: query.page,
        pageSize: query.pageSize,
        ordering: 'desc',
      });

      ctx.body = res;
    } else {
      const result = await strapi.entityService.load(
        sourceModelUid,
        { id },
        targetField,
        queryParams
      );
      // const result = await strapi.db.query(sourceModelUid).load({ id }, targetField, queryParams);
      // TODO: Temporary fix (use data instead)
      ctx.body = {
        results: result ? [result] : [],
        pagination: { page: 1, pageSize: 5, pageCount: 1, total: 1 },
      };
    }
  },
};
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00			`'use strict';`

apply feeback 2022-08-30 15:11:38 +02:00			`const { prop, isEmpty } = require('lodash/fp');`
add e2e tests 2022-08-09 19:35:48 +02:00			`const { hasDraftAndPublish } = require('@strapi/utils').contentTypes;`
Rename import & requires, fix tests 2021-04-29 13:51:12 +02:00			`const { PUBLISHED_AT_ATTRIBUTE } = require('@strapi/utils').contentTypes.constants;`
replace previewMany by getExistingRelations 2022-08-30 17:12:41 +02:00			`const { MANY_RELATIONS } = require('@strapi/utils').relations.constants;`
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00
			`const { getService } = require('../utils');`
replace previewMany by getExistingRelations 2022-08-30 17:12:41 +02:00			`const { validateFindAvailable, validateFindExisting } = require('./validation/relations');`
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00
use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`const addFiltersClause = (params, filtersClause) => {`
			`params.filters = params.filters \|\| {};`
			`if (params.filters.$and) {`
			`params.filters.$and.push(filtersClause);`
use transformParamsToQuery 2022-08-16 19:36:10 +02:00			`} else {`
use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`params.filters.$and = [filtersClause];`
use transformParamsToQuery 2022-08-16 19:36:10 +02:00			`}`
			`};`

Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00			`module.exports = {`
renaming + add permission check on entity 2022-08-11 15:52:58 +02:00			`async findAvailable(ctx) {`
			`const { userAbility } = ctx.state;`
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00			`const { model, targetField } = ctx.params;`

renaming + add permission check on entity 2022-08-11 15:52:58 +02:00			`await validateFindAvailable(ctx.request.query);`
refactor relation findNew route 2022-08-05 16:05:52 +02:00
Remove idsToOmit + comment 2022-10-03 18:11:33 +02:00			`// idsToOmit: used to exclude relations that the front already added but that were not saved yet`
			`// idsToInclude: used to include relations that the front removed but not saved yes`
add idsToInclude 2022-09-30 15:38:49 +02:00			`const { component, entityId, idsToOmit, idsToInclude, _q, ...query } = ctx.request.query;`
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00
add e2e tests 2022-08-09 19:35:48 +02:00			`const sourceModelUid = component \|\| model;`
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00
add e2e tests 2022-08-09 19:35:48 +02:00			`const sourceModel = strapi.getModel(sourceModelUid);`
			`if (!sourceModel) {`
refactor relation findNew route 2022-08-05 16:05:52 +02:00			`return ctx.badRequest("The model doesn't exist");`
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00			`}`

use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`const permissionChecker = getService('permission-checker').create({`
			`userAbility,`
			`model,`
			`});`

check field existance before permission 2022-09-06 15:10:08 +02:00			`if (permissionChecker.cannot.read()) {`
use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`return ctx.forbidden();`
			`}`
check field existance before permission 2022-09-06 15:10:08 +02:00
			`const attribute = sourceModel.attributes[targetField];`
			`if (!attribute \|\| attribute.type !== 'relation') {`
			`return ctx.badRequest("This relational field doesn't exist");`
			`}`

use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`// TODO: find a way to check field permission for component`
check field existance before permission 2022-09-06 15:10:08 +02:00			`if (!component && permissionChecker.cannot.read(null, targetField)) {`
use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`return ctx.forbidden();`
			`}`

renaming + add permission check on entity 2022-08-11 15:52:58 +02:00			`if (entityId) {`
			`const entityManager = getService('entity-manager');`

			`const entity = await entityManager.findOneWithCreatorRoles(entityId, model);`

			`if (!entity) {`
			`return ctx.notFound();`
			`}`

use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`if (!component && permissionChecker.cannot.read(entity, targetField)) {`
			`return ctx.forbidden();`
			`}`
			`// TODO: find a way to check field permission for component`
			`if (component && permissionChecker.cannot.read(entity)) {`
renaming + add permission check on entity 2022-08-11 15:52:58 +02:00			`return ctx.forbidden();`
			`}`
			`}`

refactor relation findNew route 2022-08-05 16:05:52 +02:00			`const targetedModel = strapi.getModel(attribute.target);`
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00
refactor relation findNew route 2022-08-05 16:05:52 +02:00			`const modelConfig = component`
add e2e tests 2022-08-09 19:35:48 +02:00			`? await getService('components').findConfiguration(sourceModel)`
			`: await getService('content-types').findConfiguration(sourceModel);`
refactor relation findNew route 2022-08-05 16:05:52 +02:00			const mainField = prop(`metadatas.${targetField}.edit.mainField`, modelConfig) \|\| 'id';
Fix relation search (#9156) * add params to relation route to omit existing relations * small refacto * use omit approach * Fix relation select (Front) Signed-off-by: HichamELBSI <elabbassih@gmail.com> * Fix relation select review Signed-off-by: HichamELBSI <elabbassih@gmail.com> * update doc aos + remove useless cast to string Co-authored-by: HichamELBSI <elabbassih@gmail.com> 2021-01-25 17:58:18 +01:00
use entity manager 2022-08-16 18:48:50 +02:00			`const fieldsToSelect = ['id', mainField];`
			`if (hasDraftAndPublish(targetedModel)) {`
			`fieldsToSelect.push(PUBLISHED_AT_ATTRIBUTE);`
			`}`

apply feeback 2022-08-30 15:11:38 +02:00			`const queryParams = {`
use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`sort: mainField,`
			`...query,`
			`fields: fieldsToSelect, // cannot select other fields as the user may not have the permissions`
			`filters: {}, // cannot filter for RBAC reasons`
apply feeback 2022-08-30 15:11:38 +02:00			`};`
handle i18n dimension 2022-08-10 19:14:04 +02:00
refactor relation findNew route 2022-08-05 16:05:52 +02:00			`if (!isEmpty(idsToOmit)) {`
use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`addFiltersClause(queryParams, { id: { $notIn: idsToOmit } });`
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00			`}`

use containsi for _q param 2022-08-17 11:58:18 +02:00			`// searching should be allowed only on mainField for permission reasons`
			`if (_q) {`
use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`addFiltersClause(queryParams, { [mainField]: { $containsi: _q } });`
use containsi for _q param 2022-08-17 11:58:18 +02:00			`}`

refactor relation findNew route 2022-08-05 16:05:52 +02:00			`if (entityId) {`
avoid using db metadata 2022-08-16 17:01:52 +02:00			`const subQuery = strapi.db.queryBuilder(sourceModel.uid);`

			`const alias = subQuery.getAlias();`

add idsToInclude 2022-09-30 15:38:49 +02:00			`const where = {`
			`id: entityId,`
			[`${alias}.id`]: { $notNull: true },
			`};`

			`if (!isEmpty(idsToInclude)) {`
			where[`${alias}.id`].$notIn = idsToInclude;
			`}`

avoid using db metadata 2022-08-16 17:01:52 +02:00			`const knexSubQuery = subQuery`
add idsToInclude 2022-09-30 15:38:49 +02:00			`.where(where)`
avoid using db metadata 2022-08-16 17:01:52 +02:00			`.join({ alias, targetField })`
			.select(`${alias}.id`)
refactor relation findNew route 2022-08-05 16:05:52 +02:00			`.getKnexQuery();`

use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`addFiltersClause(queryParams, { id: { $notIn: knexSubQuery } });`
refactor relation findNew route 2022-08-05 16:05:52 +02:00			`}`
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00
use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`ctx.body = await strapi.entityService.findPage(targetedModel.uid, queryParams);`
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00			`},`
replace previewMany by getExistingRelations 2022-08-30 17:12:41 +02:00
			`async findExisting(ctx) {`
			`const { userAbility } = ctx.state;`
			`const { model, id, targetField } = ctx.params;`

			`await validateFindExisting(ctx.request.query);`

Remove idsToOmit + comment 2022-10-03 18:11:33 +02:00			`const { component, ...query } = ctx.request.query;`
replace previewMany by getExistingRelations 2022-08-30 17:12:41 +02:00
			`const sourceModelUid = component \|\| model;`

			`const sourceModel = strapi.getModel(sourceModelUid);`
			`if (!sourceModel) {`
			`return ctx.badRequest("The model doesn't exist");`
			`}`

			`const entityManager = getService('entity-manager');`
			`const permissionChecker = getService('permission-checker').create({`
			`userAbility,`
			`model,`
			`});`

check field existance before permission 2022-09-06 15:10:08 +02:00			`if (permissionChecker.cannot.read()) {`
use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`return ctx.forbidden();`
			`}`
check field existance before permission 2022-09-06 15:10:08 +02:00
			`const attribute = sourceModel.attributes[targetField];`
			`if (!attribute \|\| attribute.type !== 'relation') {`
			`return ctx.badRequest("This relational field doesn't exist");`
			`}`

use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`// TODO: find a way to check field permission for component`
check field existance before permission 2022-09-06 15:10:08 +02:00			`if (!component && permissionChecker.cannot.read(null, targetField)) {`
replace previewMany by getExistingRelations 2022-08-30 17:12:41 +02:00			`return ctx.forbidden();`
			`}`

			`const entity = await entityManager.findOneWithCreatorRoles(id, model);`

			`if (!entity) {`
			`return ctx.notFound();`
			`}`

use entityService + redo permissions 2022-09-01 17:24:34 +02:00			`if (!component && permissionChecker.cannot.read(entity, targetField)) {`
			`return ctx.forbidden();`
			`}`
			`// TODO: find a way to check field permission for component`
			`if (component && permissionChecker.cannot.read(entity)) {`
replace previewMany by getExistingRelations 2022-08-30 17:12:41 +02:00			`return ctx.forbidden();`
			`}`

			`const targetedModel = strapi.getModel(attribute.target);`

			`const modelConfig = component`
			`? await getService('components').findConfiguration(sourceModel)`
			`: await getService('content-types').findConfiguration(sourceModel);`
			const mainField = prop(`metadatas.${targetField}.edit.mainField`, modelConfig) \|\| 'id';

			`const fieldsToSelect = ['id', mainField];`
			`if (hasDraftAndPublish(targetedModel)) {`
			`fieldsToSelect.push(PUBLISHED_AT_ATTRIBUTE);`
			`}`

			`const queryParams = {`
add and use loadPages 2022-10-03 17:52:12 +02:00			`fields: fieldsToSelect,`
replace previewMany by getExistingRelations 2022-08-30 17:12:41 +02:00			`};`

			`if (MANY_RELATIONS.includes(attribute.relation)) {`
add and use loadPages 2022-10-03 17:52:12 +02:00			`const res = await strapi.entityService.loadPages(sourceModelUid, { id }, targetField, {`
			`...queryParams,`
			`page: query.page,`
			`pageSize: query.pageSize,`
			`ordering: 'desc',`
			`});`

			`ctx.body = res;`
replace previewMany by getExistingRelations 2022-08-30 17:12:41 +02:00			`} else {`
add and use loadPages 2022-10-03 17:52:12 +02:00			`const result = await strapi.entityService.load(`
			`sourceModelUid,`
			`{ id },`
			`targetField,`
			`queryParams`
			`);`
			`// const result = await strapi.db.query(sourceModelUid).load({ id }, targetField, queryParams);`
fix xtoOne + conditions to enbale fetch + count label 2022-09-22 14:01:56 +02:00			`// TODO: Temporary fix (use data instead)`
use query().load() to get existing relations 2022-10-03 11:12:22 +02:00			`ctx.body = {`
			`results: result ? [result] : [],`
			`pagination: { page: 1, pageSize: 5, pageCount: 1, total: 1 },`
			`};`
replace previewMany by getExistingRelations 2022-08-30 17:12:41 +02:00			`}`
			`},`
Refactor relation-list route Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-27 16:01:46 +01:00			`};`