strapi/packages/core/utils/lib/sanitize/index.js

'use strict';

const { isArray } = require('lodash/fp');

const traverseEntity = require('../traverse-entity');
const { getNonWritableAttributes } = require('../content-types');
const pipeAsync = require('../pipe-async');

const visitors = require('./visitors');
const sanitizers = require('./sanitizers');

module.exports = {
  contentAPI: {
    input(data, schema, { auth } = {}) {
      if (isArray(data)) {
        return Promise.all(data.map(entry => this.input(entry, schema, { auth })));
      }

      const nonWritableAttributes = getNonWritableAttributes(schema);

      const transforms = [
        // Remove non writable attributes
        traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),
      ];

      if (auth) {
        // Remove restricted relations
        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
      }

      return pipeAsync(...transforms)(data);
    },

    output(data, schema, { auth } = {}) {
      if (isArray(data)) {
        return Promise.all(data.map(entry => this.output(entry, schema, { auth })));
      }

      const transforms = [
        sanitizers.defaultSanitizeOutput(schema),
        sanitizers.sanitizeUserRelationFromRoleEntities(schema),
      ];

      if (auth) {
        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
      }

      return pipeAsync(...transforms)(data);
    },
  },

  sanitizers,
  visitors,
};
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`'use strict';`

			`const { isArray } = require('lodash/fp');`

			`const traverseEntity = require('../traverse-entity');`
			`const { getNonWritableAttributes } = require('../content-types');`
Move pipeAsync to @strapi/utils 2021-11-04 16:43:27 +01:00			`const pipeAsync = require('../pipe-async');`

[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`const visitors = require('./visitors');`
use 'sanitizers' instead of 'utils' 2021-11-10 17:08:54 +01:00			`const sanitizers = require('./sanitizers');`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00
			`module.exports = {`
			`contentAPI: {`
			`input(data, schema, { auth } = {}) {`
			`if (isArray(data)) {`
			`return Promise.all(data.map(entry => this.input(entry, schema, { auth })));`
			`}`

			`const nonWritableAttributes = getNonWritableAttributes(schema);`

			`const transforms = [`
			`// Remove non writable attributes`
			`traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),`
			`];`

			`if (auth) {`
			`// Remove restricted relations`
			`transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));`
			`}`

Move pipeAsync to @strapi/utils 2021-11-04 16:43:27 +01:00			`return pipeAsync(...transforms)(data);`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`},`

			`output(data, schema, { auth } = {}) {`
			`if (isArray(data)) {`
			`return Promise.all(data.map(entry => this.output(entry, schema, { auth })));`
			`}`

Add new sanitizer to remove user relation from role entities 2022-03-03 22:45:55 +09:00			`const transforms = [`
			`sanitizers.defaultSanitizeOutput(schema),`
			`sanitizers.sanitizeUserRelationFromRoleEntities(schema),`
			`];`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00
			`if (auth) {`
			`transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));`
			`}`

Move pipeAsync to @strapi/utils 2021-11-04 16:43:27 +01:00			`return pipeAsync(...transforms)(data);`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`},`
			`},`

use 'sanitizers' instead of 'utils' 2021-11-10 17:08:54 +01:00			`sanitizers,`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`visitors,`
			`};`