strapi/packages/strapi-admin/validation/permission.js

'use strict';

const _ = require('lodash');
const { yup, formatYupErrors } = require('strapi-utils');
const validators = require('./common-validators');

const handleReject = error => Promise.reject(formatYupErrors(error));

// validatedUpdatePermissionsInput

const BOUND_ACTIONS = [
  'plugins::content-manager.explorer.read',
  'plugins::content-manager.explorer.create',
  'plugins::content-manager.explorer.update',
  'plugins::content-manager.explorer.delete',
];

const checkPermissionsAreBound = function(permissions) {
  let areBond = true;
  const permsBySubject = _.groupBy(
    permissions.filter(perm => BOUND_ACTIONS.includes(perm.action)),
    'subject'
  );
  _.forIn(permsBySubject, perms => {
    const uniqPerms = _.uniqBy(perms, 'action');
    areBond = uniqPerms.length === BOUND_ACTIONS.length;
    if (!areBond) return false;
    const permsByAction = _.groupBy(uniqPerms, 'action');
    areBond =
      BOUND_ACTIONS.filter(action => action !== 'plugins::content-manager.explorer.delete')
        .map(action => permsByAction[action][0].fields || [])
        .map(f => f.sort())
        .filter((fields, i, arr) => _.isEqual(arr[0], fields)).length ===
      BOUND_ACTIONS.length - 1;
    if (!areBond) return false;
  });

  return areBond;
};

const updatePermissionsSchemaWithBoundConstraint = [
  validators.updatePermissions,
  yup.object().shape({
    permissions: yup
      .array()
      .test(
        'are-bond',
        'Read, Create, Update and Delete have to be defined all together for a subject field or not at all',
        checkPermissionsAreBound
      ),
  }),
];

const checkPermissionsSchema = yup.object().shape({
  permissions: yup.array().of(
    yup
      .object()
      .shape({
        action: yup.string().required(),
        subject: yup.string(),
        field: yup.string(),
      })
      .noUnknown()
  ),
});

const validateCheckPermissionsInput = data => {
  return checkPermissionsSchema
    .validate(data, { strict: true, abortEarly: false })
    .catch(handleReject);
};

const validatedUpdatePermissionsInput = async data => {
  try {
    for (const schema of updatePermissionsSchemaWithBoundConstraint) {
      await schema.validate(data, { strict: true, abortEarly: false });
    }
  } catch (e) {
    return handleReject(e);
  }
};

// validatePermissionsExist

const checkPermissionsExist = function(permissions) {
  const existingActions = strapi.admin.services.permission.actionProvider.getAll();
  const failIndex = permissions.findIndex(
    permission =>
      !existingActions.some(
        ea =>
          ea.actionId === permission.action &&
          (ea.section !== 'contentTypes' || ea.subjects.includes(permission.subject))
      )
  );

  return failIndex === -1
    ? true
    : this.createError({
        path: 'permissions',
        message: `[${failIndex}] is not an existing permission action`,
      });
};

const actionsExistSchema = yup
  .array()
  .of(
    yup.object().shape({
      conditions: validators.arrayOfConditionNames,
    })
  )
  .test('actions-exist', '', checkPermissionsExist);

const validatePermissionsExist = data => {
  return actionsExistSchema.validate(data, { strict: true, abortEarly: false }).catch(handleReject);
};

// exports

module.exports = {
  validatedUpdatePermissionsInput,
  validatePermissionsExist,
  validateCheckPermissionsInput,
};
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`'use strict';`

refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`const _ = require('lodash');`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`const { yup, formatYupErrors } = require('strapi-utils');`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`const validators = require('./common-validators');`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00
			`const handleReject = error => Promise.reject(formatYupErrors(error));`

refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-10 15:42:32 +02:00			`// validatedUpdatePermissionsInput`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`const BOUND_ACTIONS = [`
rename plugins::content-manager.create to plugins::content-manager.explorer.create and others Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-18 11:53:35 +02:00			`'plugins::content-manager.explorer.read',`
			`'plugins::content-manager.explorer.create',`
			`'plugins::content-manager.explorer.update',`
			`'plugins::content-manager.explorer.delete',`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`];`

add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`const checkPermissionsAreBound = function(permissions) {`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`let areBond = true;`
handle fields null for delete perm Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-07-03 12:28:57 +02:00			`const permsBySubject = _.groupBy(`
			`permissions.filter(perm => BOUND_ACTIONS.includes(perm.action)),`
			`'subject'`
			`);`
			`_.forIn(permsBySubject, perms => {`
			`const uniqPerms = _.uniqBy(perms, 'action');`
			`areBond = uniqPerms.length === BOUND_ACTIONS.length;`
			`if (!areBond) return false;`
			`const permsByAction = _.groupBy(uniqPerms, 'action');`
			`areBond =`
filter instead of slice Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-07-03 13:17:54 +02:00			`BOUND_ACTIONS.filter(action => action !== 'plugins::content-manager.explorer.delete')`
handle fields null for delete perm Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-07-03 12:28:57 +02:00			`.map(action => permsByAction[action][0].fields \|\| [])`
			`.map(f => f.sort())`
filter instead of slice Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-07-03 13:17:54 +02:00			`.filter((fields, i, arr) => _.isEqual(arr[0], fields)).length ===`
			`BOUND_ACTIONS.length - 1;`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`if (!areBond) return false;`
			`});`

			`return areBond;`
			`};`

fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`const updatePermissionsSchemaWithBoundConstraint = [`
			`validators.updatePermissions,`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`yup.object().shape({`
Add domain model for permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 13:02:06 +02:00			`permissions: yup`
			`.array()`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`.test(`
			`'are-bond',`
			`'Read, Create, Update and Delete have to be defined all together for a subject field or not at all',`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`checkPermissionsAreBound`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`),`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`}),`
			`];`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00
Add check many permissions route/controller / Add userAbility to the context's state / Add isAuthenticatedAdmin.js Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-10 18:04:47 +02:00			`const checkPermissionsSchema = yup.object().shape({`
			`permissions: yup.array().of(`
			`yup`
			`.object()`
			`.shape({`
			`action: yup.string().required(),`
			`subject: yup.string(),`
			`field: yup.string(),`
			`})`
			`.noUnknown()`
			`),`
			`});`

			`const validateCheckPermissionsInput = data => {`
			`return checkPermissionsSchema`
			`.validate(data, { strict: true, abortEarly: false })`
			`.catch(handleReject);`
			`};`

add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`const validatedUpdatePermissionsInput = async data => {`
			`try {`
fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`for (const schema of updatePermissionsSchemaWithBoundConstraint) {`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`await schema.validate(data, { strict: true, abortEarly: false });`
			`}`
			`} catch (e) {`
add upload permissions to default roles + second refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-18 18:10:12 +02:00			`return handleReject(e);`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`}`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`};`

refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-10 15:42:32 +02:00			`// validatePermissionsExist`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00
			`const checkPermissionsExist = function(permissions) {`
Add Condition Provider & Permissions Engine 2020-06-09 19:00:57 +02:00			`const existingActions = strapi.admin.services.permission.actionProvider.getAll();`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`const failIndex = permissions.findIndex(`
			`permission =>`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`!existingActions.some(`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`ea =>`
			`ea.actionId === permission.action &&`
fifth refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-23 16:31:16 +02:00			`(ea.section !== 'contentTypes' \|\| ea.subjects.includes(permission.subject))`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`)`
			`);`

			`return failIndex === -1`
			`? true`
			`: this.createError({`
			`path: 'permissions',`
			message: `[${failIndex}] is not an existing permission action`,
			`});`
			`};`

			`const actionsExistSchema = yup`
			`.array()`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`.of(`
			`yup.object().shape({`
first refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-18 11:40:50 +02:00			`conditions: validators.arrayOfConditionNames,`
add conditions logic for author/editor Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-15 19:11:36 +02:00			`})`
			`)`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`.test('actions-exist', '', checkPermissionsExist);`

			`const validatePermissionsExist = data => {`
			`return actionsExistSchema.validate(data, { strict: true, abortEarly: false }).catch(handleReject);`
			`};`

			`// exports`

Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`module.exports = {`
			`validatedUpdatePermissionsInput,`
refacto Signed-off-by: Pierre Noël <petersg83@gmail.com> 2020-06-09 17:45:53 +02:00			`validatePermissionsExist,`
Add check many permissions route/controller / Add userAbility to the context's state / Add isAuthenticatedAdmin.js Signed-off-by: Convly <jean-sebastien.herbaux@epitech.eu> 2020-06-10 18:04:47 +02:00			`validateCheckPermissionsInput,`
Add assign permission Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> 2020-05-28 11:29:59 +02:00			`};`