strapi/packages/strapi-plugin-users-permissions/config/policies/permissions.js

const _ = require('lodash');

module.exports = async (ctx, next) => {
  let role;

  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
    try {
      const { id, isAdmin = false } = await strapi.plugins[
        'users-permissions'
      ].services.jwt.getToken(ctx);

      if (id === undefined) {
        throw new Error('Invalid token: Token did not contain required fields');
      }

      if (isAdmin) {
        ctx.state.admin = await strapi
          .query('administrator', 'admin')
          .findOne({ id });
      } else {
        ctx.state.user = await strapi
          .query('user', 'users-permissions')
          .findOne({ id });
      }
    } catch (err) {
      return handleErrors(ctx, err, 'unauthorized');
    }

    if (ctx.state.admin) {
      if (ctx.state.admin.blocked === true) {
        return handleErrors(
          ctx,
          'Your account has been blocked by the administrator.',
          'unauthorized'
        );
      }

      ctx.state.user = ctx.state.admin;
      return await next();
    }

    if (!ctx.state.user) {
      return handleErrors(ctx, 'User Not Found', 'unauthorized');
    }

    role = ctx.state.user.role;

    if (role.type === 'root') {
      return await next();
    }

    const store = await strapi.store({
      environment: '',
      type: 'plugin',
      name: 'users-permissions',
    });

    if (
      _.get(await store.get({ key: 'advanced' }), 'email_confirmation') &&
      !ctx.state.user.confirmed
    ) {
      return handleErrors(
        ctx,
        'Your account email is not confirmed.',
        'unauthorized'
      );
    }

    if (ctx.state.user.blocked) {
      return handleErrors(
        ctx,
        'Your account has been blocked by the administrator.',
        'unauthorized'
      );
    }
  }

  // Retrieve `public` role.
  if (!role) {
    role = await strapi
      .query('role', 'users-permissions')
      .findOne({ type: 'public' }, []);
  }

  const route = ctx.request.route;
  const permission = await strapi
    .query('permission', 'users-permissions')
    .findOne(
      {
        role: role.id,
        type: route.plugin || 'application',
        controller: route.controller,
        action: route.action,
        enabled: true,
      },
      []
    );

  if (!permission) {
    return handleErrors(ctx, undefined, 'forbidden');
  }

  // Execute the policies.
  if (permission.policy) {
    return await strapi.plugins['users-permissions'].config.policies[
      permission.policy
    ](ctx, next);
  }

  // Execute the action.
  await next();
};

const handleErrors = (ctx, err = undefined, type) => {
  if (ctx.request.graphql === null) {
    return (ctx.request.graphql = strapi.errors[type](err));
  }

  return ctx[type](err);
};
Add confirmation email 2018-08-08 17:57:02 +02:00			`const _ = require('lodash');`

Use request route to detect current action 2017-11-27 16:47:16 +01:00			`module.exports = async (ctx, next) => {`
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`let role;`
Use request route to detect current action 2017-11-27 16:47:16 +01:00
			`if (ctx.request && ctx.request.header && ctx.request.header.authorization) {`
			`try {`
Clear _id now that queries return an id everytime 2019-08-13 16:31:29 +02:00			`const { id, isAdmin = false } = await strapi.plugins[`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`'users-permissions'`
			`].services.jwt.getToken(ctx);`
Fix non-polymorphic relations in strapi-bookshelf 2018-02-28 18:10:30 +01:00
Clear _id now that queries return an id everytime 2019-08-13 16:31:29 +02:00			`if (id === undefined) {`
Fix non-polymorphic relations in strapi-bookshelf 2018-02-28 18:10:30 +01:00			`throw new Error('Invalid token: Token did not contain required fields');`
			`}`
Check if token user still exist 2017-12-14 16:12:39 +01:00
Fix permission policy mixing users jwt and admin jwt 2019-06-07 15:16:52 +02:00			`if (isAdmin) {`
Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`ctx.state.admin = await strapi`
			`.query('administrator', 'admin')`
Clear _id now that queries return an id everytime 2019-08-13 16:31:29 +02:00			`.findOne({ id });`
Fix permission policy mixing users jwt and admin jwt 2019-06-07 15:16:52 +02:00			`} else {`
Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`ctx.state.user = await strapi`
			`.query('user', 'users-permissions')`
Clear _id now that queries return an id everytime 2019-08-13 16:31:29 +02:00			`.findOne({ id });`
Fix permission policy mixing users jwt and admin jwt 2019-06-07 15:16:52 +02:00			`}`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`} catch (err) {`
Improve permissions policy to avoid security breach with GraphQL 2018-11-06 18:58:40 +01:00			`return handleErrors(ctx, err, 'unauthorized');`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`}`
Execute controller action out of authorization try 2018-01-09 13:53:52 +01:00
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`if (ctx.state.admin) {`
			`if (ctx.state.admin.blocked === true) {`
			`return handleErrors(`
			`ctx,`
			`'Your account has been blocked by the administrator.',`
Init build bin 2019-04-25 12:34:55 +02:00			`'unauthorized'`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`);`
			`}`

			`ctx.state.user = ctx.state.admin;`
			`return await next();`
			`}`

Execute controller action out of authorization try 2018-01-09 13:53:52 +01:00			`if (!ctx.state.user) {`
Improve permissions policy to avoid security breach with GraphQL 2018-11-06 18:58:40 +01:00			`return handleErrors(ctx, 'User Not Found', 'unauthorized');`
Execute controller action out of authorization try 2018-01-09 13:53:52 +01:00			`}`

			`role = ctx.state.user.role;`

[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`if (role.type === 'root') {`
Execute controller action out of authorization try 2018-01-09 13:53:52 +01:00			`return await next();`
			`}`
Add confirmation email 2018-08-08 17:57:02 +02:00
			`const store = await strapi.store({`
			`environment: '',`
			`type: 'plugin',`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`name: 'users-permissions',`
Add confirmation email 2018-08-08 17:57:02 +02:00			`});`

Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`if (`
			`_.get(await store.get({ key: 'advanced' }), 'email_confirmation') &&`
			`!ctx.state.user.confirmed`
			`) {`
			`return handleErrors(`
			`ctx,`
			`'Your account email is not confirmed.',`
Init build bin 2019-04-25 12:34:55 +02:00			`'unauthorized'`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`);`
Add confirmation email 2018-08-08 17:57:02 +02:00			`}`
Fix test launch 2018-10-31 17:20:09 +01:00
Fix for SQLite 2019-02-28 19:22:01 +02:00			`if (ctx.state.user.blocked) {`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`return handleErrors(`
			`ctx,`
			`'Your account has been blocked by the administrator.',`
Init build bin 2019-04-25 12:34:55 +02:00			`'unauthorized'`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`);`
Can block a user 2018-08-06 17:46:58 +02:00			`}`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`}`
Improve permissions policy to avoid security breach with GraphQL 2018-11-06 18:58:40 +01:00
Rename Guest to Public role 2018-03-12 16:37:20 +01:00			// Retrieve `public` role.
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`if (!role) {`
Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`role = await strapi`
			`.query('role', 'users-permissions')`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`.findOne({ type: 'public' }, []);`
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`}`
Resolve conflicts and disallow to edit and remove default roles 2018-01-24 11:52:09 +01:00
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`const route = ctx.request.route;`
Refactor users-permissions to use the new strapi.query 2019-07-15 23:16:50 +02:00			`const permission = await strapi`
			`.query('permission', 'users-permissions')`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`.findOne(`
			`{`
Clear _id now that queries return an id everytime 2019-08-13 16:31:29 +02:00			`role: role.id,`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`type: route.plugin \|\| 'application',`
			`controller: route.controller,`
			`action: route.action,`
			`enabled: true,`
			`},`
Init build bin 2019-04-25 12:34:55 +02:00			`[]`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`);`
Use request route to detect current action 2017-11-27 16:47:16 +01:00
Handle delete plugin entry using Content Manager 2017-11-27 17:45:21 +01:00			`if (!permission) {`
Improve permissions policy to avoid security breach with GraphQL 2018-11-06 18:58:40 +01:00			`return handleErrors(ctx, undefined, 'forbidden');`
Handle delete plugin entry using Content Manager 2017-11-27 17:45:21 +01:00			`}`

[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00			`// Execute the policies.`
			`if (permission.policy) {`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`return await strapi.plugins['users-permissions'].config.policies[`
			`permission.policy`
			`](ctx, next);`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`}`
[WIP] Read and update roles & permissions using database 2018-01-17 18:50:12 +01:00
			`// Execute the action.`
			`await next();`
Use request route to detect current action 2017-11-27 16:47:16 +01:00			`};`
Improve permissions policy to avoid security breach with GraphQL 2018-11-06 18:58:40 +01:00
			`const handleErrors = (ctx, err = undefined, type) => {`
			`if (ctx.request.graphql === null) {`
Split admin and users. Co-authored-by: lauriejim 2019-04-09 12:09:03 +02:00			`return (ctx.request.graphql = strapi.errors[type](err));`
Improve permissions policy to avoid security breach with GraphQL 2018-11-06 18:58:40 +01:00			`}`

			`return ctx[type](err);`
Fix for SQLite 2019-02-28 19:22:01 +02:00			`};`