strapi/packages/strapi-plugin-users-permissions/config/policies/permissions.js

const _ = require('lodash');

module.exports = async (ctx, next) => {
  const route = ctx.request.route;
  let role = '1';

  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
    try {
      const tokenUser = await strapi.plugins['users-permissions'].services.jwt.getToken(ctx);

      ctx.state.user = await strapi.plugins['users-permissions'].services.user.fetch(_.pick(tokenUser, ['_id', 'id']));

    } catch (err) {
      return ctx.unauthorized(err);
    }

    if (!ctx.state.user) {
      return ctx.unauthorized('This user doesn\'t exit.');
    }

    role = ctx.state.user.role;

    if (role.toString() === '0') {
      return await next();
    }
  }

  const permission = _.get(strapi.plugins['users-permissions'].config, ['roles', role.toString(), 'permissions', route.plugin || 'application', 'controllers', route.controller, route.action]);

  if (!permission) {
    return await next();
  }

  if (permission.enabled && permission.policy) {
    try {
      await strapi.plugins['users-permissions'].config.policies[permission.policy](ctx, next);
    } catch (err) {
      ctx.unauthorized(err);
    }
  } else if (permission.enabled) {
    await next();
  } else {
    ctx.unauthorized('Access restricted for this action.');
  }
};
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`const _ = require('lodash');`

			`module.exports = async (ctx, next) => {`
			`const route = ctx.request.route;`
			`let role = '1';`

			`if (ctx.request && ctx.request.header && ctx.request.header.authorization) {`
			`try {`
Check if token user still exist 2017-12-14 16:12:39 +01:00			`const tokenUser = await strapi.plugins['users-permissions'].services.jwt.getToken(ctx);`

			`ctx.state.user = await strapi.plugins['users-permissions'].services.user.fetch(_.pick(tokenUser, ['_id', 'id']));`

Use request route to detect current action 2017-11-27 16:47:16 +01:00			`} catch (err) {`
By pass permissions for app owner 2017-11-27 16:59:53 +01:00			`return ctx.unauthorized(err);`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`}`
Execute controller action out of authorization try 2018-01-09 13:53:52 +01:00
			`if (!ctx.state.user) {`
Fix PR feedback 2018-01-10 13:39:42 +01:00			`return ctx.unauthorized('This user doesn\'t exit.');`
Execute controller action out of authorization try 2018-01-09 13:53:52 +01:00			`}`

			`role = ctx.state.user.role;`

			`if (role.toString() === '0') {`
			`return await next();`
			`}`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`}`

Add roles key to permissions 2017-12-08 12:03:37 +01:00			`const permission = _.get(strapi.plugins['users-permissions'].config, ['roles', role.toString(), 'permissions', route.plugin \|\| 'application', 'controllers', route.controller, route.action]);`
Use request route to detect current action 2017-11-27 16:47:16 +01:00
Handle delete plugin entry using Content Manager 2017-11-27 17:45:21 +01:00			`if (!permission) {`
			`return await next();`
			`}`

Use request route to detect current action 2017-11-27 16:47:16 +01:00			`if (permission.enabled && permission.policy) {`
			`try {`
Fix some PR feedback 2017-12-07 18:16:15 +01:00			`await strapi.plugins['users-permissions'].config.policies[permission.policy](ctx, next);`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`} catch (err) {`
			`ctx.unauthorized(err);`
			`}`
			`} else if (permission.enabled) {`
			`await next();`
			`} else {`
			`ctx.unauthorized('Access restricted for this action.');`
			`}`
			`};`