strapi/packages/strapi-admin/validation/permission.js

'use strict';

const _ = require('lodash');
const { yup, formatYupErrors } = require('strapi-utils');
const validators = require('./common-validators');
const { checkFieldsAreCorrectlyNested } = require('./common-functions');

const handleReject = error => Promise.reject(formatYupErrors(error));

// validatedUpdatePermissionsInput

const BOUND_ACTIONS = [
  'plugins::content-manager.explorer.read',
  'plugins::content-manager.explorer.create',
  'plugins::content-manager.explorer.update',
  'plugins::content-manager.explorer.delete',
];

const checkBoundActionsHaveFields = function(permissions) {
  const haveFields = permissions
    .filter(perm => BOUND_ACTIONS.includes(perm.action))
    .every(perm => typeof perm.subject === 'string' && Array.isArray(perm.fields));

  return haveFields
    ? true
    : this.createError({
        message: 'Your permissions are missing fields "subject" and/or "fields"',
      });
};

const checkPermissionsAreBound = function(permissions) {
  const subjectMap = {};
  let areBond = true;
  permissions
    .filter(perm => BOUND_ACTIONS.includes(perm.action))
    .forEach(perm => {
      subjectMap[perm.subject] = subjectMap[perm.subject] || {};
      perm.fields.forEach(field => {
        subjectMap[perm.subject][field] = subjectMap[perm.subject][field] || new Set();
        subjectMap[perm.subject][field].add(perm.action);
      });
    });

  _.forIn(subjectMap, subject => {
    _.forIn(subject, field => {
      if (field.size !== BOUND_ACTIONS.length) {
        areBond = false;
        return false;
      }
    });
    if (!areBond) return false;
  });

  return areBond;
};

const updatePermissionsSchemaArray = [
  yup
    .object()
    .shape({
      permissions: yup
        .array()
        .requiredAllowEmpty()
        .of(
          yup
            .object()
            .shape({
              action: yup.string().required(),
              subject: yup.string(),
              fields: yup
                .array()
                .of(yup.string())
                .test(
                  'field-nested',
                  'Fields format are incorrect (duplicates or bad nesting).',
                  checkFieldsAreCorrectlyNested
                ),
              conditions: validators.arrayOfConditionNames,
            })
            .noUnknown()
        ),
    })
    .required()
    .noUnknown(),
  yup.object().shape({
    permissions: yup
      .array()
      .test(
        'contentTypes-have-fields',
        'Your permissions are missing fields "subject" and/or "fields"',
        checkBoundActionsHaveFields
      ),
  }),
  yup.object().shape({
    permissions: yup
      .array()
      .test(
        'are-bond',
        'Read, Create, Update and Delete have to be defined all together for a subject field or not at all',
        checkPermissionsAreBound
      ),
  }),
];

const checkPermissionsSchema = yup.object().shape({
  permissions: yup.array().of(
    yup
      .object()
      .shape({
        action: yup.string().required(),
        subject: yup.string(),
        field: yup.string(),
      })
      .noUnknown()
  ),
});

const validateCheckPermissionsInput = data => {
  return checkPermissionsSchema
    .validate(data, { strict: true, abortEarly: false })
    .catch(handleReject);
};

const validatedUpdatePermissionsInput = async data => {
  try {
    for (const schema of updatePermissionsSchemaArray) {
      await schema.validate(data, { strict: true, abortEarly: false });
    }
  } catch (e) {
    await handleReject(e);
  }
};

// validatePermissionsExist

const checkPermissionsExist = function(permissions) {
  const existingActions = strapi.admin.services.permission.actionProvider.getAll();
  const failIndex = permissions.findIndex(
    permission =>
      !existingActions.some(
        ea =>
          ea.actionId === permission.action &&
          (ea.section !== 'contentTypes' ||
            (ea.subjects.includes(permission.subject) && Array.isArray(permission.fields)))
      )
  );

  return failIndex === -1
    ? true
    : this.createError({
        path: 'permissions',
        message: `[${failIndex}] is not an existing permission action`,
      });
};

const actionsExistSchema = yup
  .array()
  .of(
    yup.object().shape({
      conditions: validators.arrayOfConditionNames,
    })
  )
  .test('actions-exist', '', checkPermissionsExist);

const validatePermissionsExist = data => {
  return actionsExistSchema.validate(data, { strict: true, abortEarly: false }).catch(handleReject);
};

// exports

module.exports = {
  validatedUpdatePermissionsInput,
  validatePermissionsExist,
  validateCheckPermissionsInput,
};
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`'use strict';`

refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`const _ = require('lodash');`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`const { yup, formatYupErrors } = require('strapi-utils');`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`const validators = require('./common-validators');`
first refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-18 11:40:50 +02:00			`const { checkFieldsAreCorrectlyNested } = require('./common-functions');`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00
			`const handleReject = error => Promise.reject(formatYupErrors(error));`

refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-10 15:42:32 +02:00			`// validatedUpdatePermissionsInput`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`const BOUND_ACTIONS = [`
rename plugins::content-manager.create to plugins::content-manager.explorer.create and others Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-18 11:53:35 +02:00			`'plugins::content-manager.explorer.read',`
			`'plugins::content-manager.explorer.create',`
			`'plugins::content-manager.explorer.update',`
			`'plugins::content-manager.explorer.delete',`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`];`

add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`const checkBoundActionsHaveFields = function(permissions) {`
			`const haveFields = permissions`
			`.filter(perm => BOUND_ACTIONS.includes(perm.action))`
			`.every(perm => typeof perm.subject === 'string' && Array.isArray(perm.fields));`

			`return haveFields`
			`? true`
			`: this.createError({`
			`message: 'Your permissions are missing fields "subject" and/or "fields"',`
			`});`
			`};`

			`const checkPermissionsAreBound = function(permissions) {`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`const subjectMap = {};`
			`let areBond = true;`
			`permissions`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`.filter(perm => BOUND_ACTIONS.includes(perm.action))`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`.forEach(perm => {`
			`subjectMap[perm.subject] = subjectMap[perm.subject] \|\| {};`
			`perm.fields.forEach(field => {`
			`subjectMap[perm.subject][field] = subjectMap[perm.subject][field] \|\| new Set();`
			`subjectMap[perm.subject][field].add(perm.action);`
			`});`
			`});`

			`_.forIn(subjectMap, subject => {`
			`_.forIn(subject, field => {`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`if (field.size !== BOUND_ACTIONS.length) {`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`areBond = false;`
			`return false;`
			`}`
			`});`
			`if (!areBond) return false;`
			`});`

			`return areBond;`
			`};`

add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`const updatePermissionsSchemaArray = [`
			`yup`
			`.object()`
			`.shape({`
			`permissions: yup`
			`.array()`
			`.requiredAllowEmpty()`
			`.of(`
			`yup`
			`.object()`
			`.shape({`
			`action: yup.string().required(),`
			`subject: yup.string(),`
first refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-18 11:40:50 +02:00			`fields: yup`
			`.array()`
			`.of(yup.string())`
			`.test(`
			`'field-nested',`
			`'Fields format are incorrect (duplicates or bad nesting).',`
			`checkFieldsAreCorrectlyNested`
			`),`
			`conditions: validators.arrayOfConditionNames,`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`})`
			`.noUnknown()`
			`),`
			`})`
			`.required()`
			`.noUnknown(),`
fix tests Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-16 18:49:49 +02:00			`yup.object().shape({`
			`permissions: yup`
			`.array()`
			`.test(`
			`'contentTypes-have-fields',`
			`'Your permissions are missing fields "subject" and/or "fields"',`
			`checkBoundActionsHaveFields`
			`),`
			`}),`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`yup.object().shape({`
Add domain model for permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 13:02:06 +02:00			`permissions: yup`
			`.array()`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`.test(`
			`'are-bond',`
			`'Read, Create, Update and Delete have to be defined all together for a subject field or not at all',`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`checkPermissionsAreBound`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`),`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`}),`
			`];`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00
Add check many permissions route/controller / Add userAbility to the context's state / Add isAuthenticatedAdmin.js Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-10 18:04:47 +02:00			`const checkPermissionsSchema = yup.object().shape({`
			`permissions: yup.array().of(`
			`yup`
			`.object()`
			`.shape({`
			`action: yup.string().required(),`
			`subject: yup.string(),`
			`field: yup.string(),`
			`})`
			`.noUnknown()`
			`),`
			`});`

			`const validateCheckPermissionsInput = data => {`
			`return checkPermissionsSchema`
			`.validate(data, { strict: true, abortEarly: false })`
			`.catch(handleReject);`
			`};`

add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`const validatedUpdatePermissionsInput = async data => {`
			`try {`
			`for (const schema of updatePermissionsSchemaArray) {`
			`await schema.validate(data, { strict: true, abortEarly: false });`
			`}`
			`} catch (e) {`
			`await handleReject(e);`
			`}`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`};`

refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-10 15:42:32 +02:00			`// validatePermissionsExist`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00
			`const checkPermissionsExist = function(permissions) {`
Add Condition Provider & Permissions Engine 2020-06-09 19:00:57 +02:00			`const existingActions = strapi.admin.services.permission.actionProvider.getAll();`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`const failIndex = permissions.findIndex(`
			`permission =>`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`!existingActions.some(`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`ea =>`
			`ea.actionId === permission.action &&`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`(ea.section !== 'contentTypes' \|\|`
			`(ea.subjects.includes(permission.subject) && Array.isArray(permission.fields)))`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`)`
			`);`

			`return failIndex === -1`
			`? true`
			`: this.createError({`
			`path: 'permissions',`
			message: `[${failIndex}] is not an existing permission action`,
			`});`
			`};`

			`const actionsExistSchema = yup`
			`.array()`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`.of(`
			`yup.object().shape({`
first refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-18 11:40:50 +02:00			`conditions: validators.arrayOfConditionNames,`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`})`
			`)`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`.test('actions-exist', '', checkPermissionsExist);`

			`const validatePermissionsExist = data => {`
			`return actionsExistSchema.validate(data, { strict: true, abortEarly: false }).catch(handleReject);`
			`};`

			`// exports`

Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`module.exports = {`
			`validatedUpdatePermissionsInput,`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`validatePermissionsExist,`
Add check many permissions route/controller / Add userAbility to the context's state / Add isAuthenticatedAdmin.js Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-10 18:04:47 +02:00			`validateCheckPermissionsInput,`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`};`