'use strict';
const _ = require('lodash');
const {
policy: { createPolicyFactory },
} = require('@strapi/utils');
const { validateHasPermissionsInput } = require('../validation/policies/hasPermissions');
/**
 * Normalizers that turn one entry of the policy's `actions` option into a
 * `{ action, subject }` permission descriptor.
 *
 * Accepted shapes:
 *   - string            -> { action }
 *   - [action, subject] -> { action, subject } (elements past index 1 are ignored)
 *   - object            -> returned unchanged
 *
 * Order is significant: the policy factory picks the FIRST entry whose
 * `check` passes.
 */
const inputModifiers = [
  {
    check: _.isString,
    transform: actionName => {
      return { action: actionName };
    },
  },
  {
    check: _.isArray,
    transform: pair => {
      const action = pair[0];
      const subject = pair[1];
      return { action, subject };
    },
  },
  {
    // Must stay last: _.isObject is also true for arrays, so placing it
    // before the _.isArray entry would shadow the array form.
    check: _.isObject,
    transform: _.identity,
  },
];
/**
 * `admin::hasPermissions` policy factory.
 *
 * The `actions` option is normalized once, when the policy is configured, into
 * a list of `{ action, subject }` descriptors. On each request the resulting
 * policy requires `ctx.state.userAbility.can(action, subject)` to hold for
 * EVERY descriptor; otherwise it throws `strapi.errors.forbidden()`.
 *
 * Only `action` and `subject` are read from each descriptor here; any other
 * keys on an object-form entry are not evaluated by this policy.
 *
 * The options are checked by `validateHasPermissionsInput` (passed as the
 * factory's `validator`).
 */
module.exports = createPolicyFactory(
  options => {
    // Normalize every configured entry with the first matching modifier.
    // An entry that matches no modifier makes `find` return undefined and the
    // `.transform` access throw a TypeError.
    // NOTE(review): presumably the validator rejects such input first - confirm.
    const permissions = options.actions.map(entry => {
      const modifier = inputModifiers.find(candidate => candidate.check(entry));
      return modifier.transform(entry);
    });

    return ({ ctx, strapi }) => {
      const { state } = ctx;
      const isAuthenticated = state.isAuthenticated;
      const ability = state.userAbility;

      // SECURITY: this branch lets the request through WITHOUT any permission
      // check when the request is not authenticated or carries no ability.
      // The policy is therefore fail-open for anonymous requests and does not
      // enforce authentication by itself.
      // NOTE(review): presumably authentication is enforced earlier in the
      // request pipeline for routes that use this policy - verify that no route
      // relies on this policy alone to keep unauthenticated callers out.
      if (!(isAuthenticated && ability)) {
        return true;
      }

      // Deny as soon as one required permission is not granted.
      const hasMissingPermission = permissions.some(
        permission => !ability.can(permission.action, permission.subject)
      );

      if (hasMissingPermission) {
        throw strapi.errors.forbidden();
      }

      return true;
    };
  },
  {
    validator: validateHasPermissionsInput,
    name: 'admin::hasPermissions',
  }
);