strapi/packages/core/content-manager/server/services/permission-checker.js

'use strict';

const ACTIONS = {
  read: 'plugin::content-manager.explorer.read',
  create: 'plugin::content-manager.explorer.create',
  update: 'plugin::content-manager.explorer.update',
  delete: 'plugin::content-manager.explorer.delete',
  publish: 'plugin::content-manager.explorer.publish',
  unpublish: 'plugin::content-manager.explorer.publish',
};

const createPermissionChecker = strapi => ({ userAbility, model }) => {
  const permissionsManager = strapi.admin.services.permission.createPermissionsManager({
    ability: userAbility,
    model,
  });

  const toSubject = entity => (entity ? permissionsManager.toSubject(entity, model) : model);

  const can = (action, entity, field) => {
    return userAbility.can(action, toSubject(entity), field);
  };

  const cannot = (action, entity, field) => {
    return userAbility.cannot(action, toSubject(entity), field);
  };

  const sanitizeOutput = (data, { action = ACTIONS.read } = {}) => {
    return permissionsManager.sanitizeOutput(data, { subject: toSubject(data), action });
  };

  const sanitizeInput = (action, data, entity) => {
    return permissionsManager.sanitizeInput(data, {
      subject: entity ? toSubject(entity) : model,
      action,
    });
  };

  const sanitizeCreateInput = data => sanitizeInput(ACTIONS.create, data);
  const sanitizeUpdateInput = entity => data => sanitizeInput(ACTIONS.update, data, entity);

  const buildPermissionQuery = (query, action) =>
    permissionsManager.addPermissionsQueryTo(query, action);

  const buildReadQuery = query => buildPermissionQuery(query, ACTIONS.read);
  const buildDeleteQuery = query => buildPermissionQuery(query, ACTIONS.delete);

  Object.keys(ACTIONS).forEach(action => {
    can[action] = (...args) => can(ACTIONS[action], ...args);
    cannot[action] = (...args) => cannot(ACTIONS[action], ...args);
  });

  return {
    can,
    cannot,
    sanitizeOutput,
    sanitizeCreateInput,
    sanitizeUpdateInput,
    buildReadQuery,
    buildDeleteQuery,
  };
};

module.exports = ({ strapi }) => ({
  create: createPermissionChecker(strapi),
});
init coll-type Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-28 18:47:14 +01:00			`'use strict';`

			`const ACTIONS = {`
refactor with module approach 2021-08-06 18:09:49 +02:00			`read: 'plugin::content-manager.explorer.read',`
			`create: 'plugin::content-manager.explorer.create',`
			`update: 'plugin::content-manager.explorer.update',`
			`delete: 'plugin::content-manager.explorer.delete',`
			`publish: 'plugin::content-manager.explorer.publish',`
			`unpublish: 'plugin::content-manager.explorer.publish',`
init coll-type Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-28 18:47:14 +01:00			`};`

wIP 2021-07-13 18:46:36 +02:00			`const createPermissionChecker = strapi => ({ userAbility, model }) => {`
init coll-type Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-28 18:47:14 +01:00			`const permissionsManager = strapi.admin.services.permission.createPermissionsManager({`
			`ability: userAbility,`
			`model,`
			`});`

			`const toSubject = entity => (entity ? permissionsManager.toSubject(entity, model) : model);`

add many relations preview route 2020-12-01 16:38:47 +01:00			`const can = (action, entity, field) => {`
			`return userAbility.can(action, toSubject(entity), field);`
init coll-type Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-28 18:47:14 +01:00			`};`

add many relations preview route 2020-12-01 16:38:47 +01:00			`const cannot = (action, entity, field) => {`
			`return userAbility.cannot(action, toSubject(entity), field);`
init coll-type Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-28 18:47:14 +01:00			`};`

			`const sanitizeOutput = (data, { action = ACTIONS.read } = {}) => {`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`return permissionsManager.sanitizeOutput(data, { subject: toSubject(data), action });`
init coll-type Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-28 18:47:14 +01:00			`};`

			`const sanitizeInput = (action, data, entity) => {`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`return permissionsManager.sanitizeInput(data, {`
Fix sanitize input not using the right subject Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-11-27 11:52:00 +01:00			`subject: entity ? toSubject(entity) : model,`
init coll-type Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-28 18:47:14 +01:00			`action,`
			`});`
			`};`

Cleanup sanitize function in permission-checker Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-11-03 16:48:14 +01:00			`const sanitizeCreateInput = data => sanitizeInput(ACTIONS.create, data);`
			`const sanitizeUpdateInput = entity => data => sanitizeInput(ACTIONS.update, data, entity);`

Use new filters format in the upload plugin 2021-09-20 18:50:48 +02:00			`const buildPermissionQuery = (query, action) =>`
			`permissionsManager.addPermissionsQueryTo(query, action);`
Fix is-creator condition not applied on find (#9213) * Fix is-creator condition not applied on find * Add test 2021-01-26 10:18:43 +01:00
			`const buildReadQuery = query => buildPermissionQuery(query, ACTIONS.read);`
			`const buildDeleteQuery = query => buildPermissionQuery(query, ACTIONS.delete);`
Cleanup sanitize function in permission-checker Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-11-03 16:48:14 +01:00
init coll-type Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-28 18:47:14 +01:00			`Object.keys(ACTIONS).forEach(action => {`
			`can[action] = (...args) => can(ACTIONS[action], ...args);`
			`cannot[action] = (...args) => cannot(ACTIONS[action], ...args);`
			`});`

Cleanup sanitize function in permission-checker Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-11-03 16:48:14 +01:00			`return {`
init coll-type Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-28 18:47:14 +01:00			`can,`
			`cannot,`
			`sanitizeOutput,`
Cleanup sanitize function in permission-checker Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-11-03 16:48:14 +01:00			`sanitizeCreateInput,`
			`sanitizeUpdateInput,`
Fix is-creator condition not applied on find (#9213) * Fix is-creator condition not applied on find * Add test 2021-01-26 10:18:43 +01:00			`buildReadQuery,`
			`buildDeleteQuery,`
init coll-type Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-10-28 18:47:14 +01:00			`};`
			`};`

wIP 2021-07-13 18:46:36 +02:00			`module.exports = ({ strapi }) => ({`
			`create: createPermissionChecker(strapi),`
			`});`