strapi/packages/strapi-plugin-users-permissions/config/policies/permissions.js

module.exports = async (ctx, next) => {
  let role;

  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
    try {
      const { _id, id } = await strapi.plugins['users-permissions'].services.jwt.getToken(ctx);

      if ((id || _id) === undefined) {
        throw new Error('Invalid token: Token did not contain required fields');
      }

      ctx.state.user = await strapi.query('user', 'users-permissions').findOne({ _id, id });
    } catch (err) {
      return ctx.unauthorized(err);
    }

    if (!ctx.state.user) {
      return ctx.unauthorized(`User Not Found.`);
    }

    role = ctx.state.user.role;

    if (role.type === 'root') {
      return await next();
    }
  }
  // Retrieve `public` role.
  if (!role) {
    role = await strapi.query('role', 'users-permissions').findOne({ type: 'public' }, []);
  }

  const route = ctx.request.route;
  const permission = await strapi.query('permission', 'users-permissions').findOne({
    role: role._id || role.id,
    type: route.plugin || 'application',
    controller: route.controller,
    action: route.action,
    enabled: true
  }, []);

  if (!permission) {
    if (ctx.request.graphql === null) {
      return ctx.request.graphql = strapi.errors.forbidden();
    }

    ctx.forbidden();
  }

  // Execute the policies.
  if (permission.policy) {
    return await strapi.plugins['users-permissions'].config.policies[permission.policy](ctx, next);
  }

  // Execute the action.
  await next();
};
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`module.exports = async (ctx, next) => {`
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`let role;`
Use request route to detect current action 2017-11-27 16:47:16 +01:00
			`if (ctx.request && ctx.request.header && ctx.request.header.authorization) {`
			`try {`
Fix infinite login 2018-01-18 11:13:44 +01:00			`const { _id, id } = await strapi.plugins['users-permissions'].services.jwt.getToken(ctx);`
Fix non-polymorphic relations in strapi-bookshelf 2018-02-28 18:10:30 +01:00
			`if ((id \|\| _id) === undefined) {`
			`throw new Error('Invalid token: Token did not contain required fields');`
			`}`
Check if token user still exist 2017-12-14 16:12:39 +01:00
ISSUE 689 - Fix /user/me and ctx.state.user doesn't return OneToMany relations properly 2018-02-28 10:35:28 -05:00			`ctx.state.user = await strapi.query('user', 'users-permissions').findOne({ _id, id });`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`} catch (err) {`
By pass permissions for app owner 2017-11-27 16:59:53 +01:00			`return ctx.unauthorized(err);`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`}`
Execute controller action out of authorization try 2018-01-09 13:53:52 +01:00
			`if (!ctx.state.user) {`
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			return ctx.unauthorized(`User Not Found.`);
Execute controller action out of authorization try 2018-01-09 13:53:52 +01:00			`}`

			`role = ctx.state.user.role;`

[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`if (role.type === 'root') {`
Execute controller action out of authorization try 2018-01-09 13:53:52 +01:00			`return await next();`
			`}`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`}`
Rename Guest to Public role 2018-03-12 16:37:20 +01:00			// Retrieve `public` role.
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`if (!role) {`
Rename Guest to Public role 2018-03-12 16:37:20 +01:00			`role = await strapi.query('role', 'users-permissions').findOne({ type: 'public' }, []);`
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`}`
Resolve conflicts and disallow to edit and remove default roles 2018-01-24 11:52:09 +01:00
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`const route = ctx.request.route;`
			`const permission = await strapi.query('permission', 'users-permissions').findOne({`
			`role: role._id \|\| role.id,`
			`type: route.plugin \|\| 'application',`
			`controller: route.controller,`
			`action: route.action,`
			`enabled: true`
			`}, []);`
Use request route to detect current action 2017-11-27 16:47:16 +01:00
Handle delete plugin entry using Content Manager 2017-11-27 17:45:21 +01:00			`if (!permission) {`
Fixes #1247 2018-05-24 17:20:32 +02:00			`if (ctx.request.graphql === null) {`
			`return ctx.request.graphql = strapi.errors.forbidden();`
			`}`
Apply policy for each query and use generated API business logic 2018-04-10 11:47:01 +02:00
Fixes #1247 2018-05-24 17:20:32 +02:00			`ctx.forbidden();`
Handle delete plugin entry using Content Manager 2017-11-27 17:45:21 +01:00			`}`

[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`// Execute the policies.`
			`if (permission.policy) {`
Don't execute the action again if there is a policy 2018-01-24 19:00:12 +01:00			`return await strapi.plugins['users-permissions'].config.policies[permission.policy](ctx, next);`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`}`
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00
			`// Execute the action.`
			`await next();`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`};`