Fix RBAC permissions without subject ignoring conditions (#10291)

* Fix RBAC permissions without subject ignoring conditions * Add unit test for nil subject in the permission engine
2025-11-01 02:16:03 +00:00 · 2021-05-17 08:14:58 +02:00 · 2021-05-17 08:14:58 +02:00 · 15c04d0612
commit 15c04d0612
parent 43b947b2ba
2 changed files with 39 additions and 2 deletions
--- a/packages/strapi-admin/services/tests/permissions.engine.test.js
+++ b/packages/strapi-admin/services/tests/permissions.engine.test.js
@ -349,6 +349,25 @@ describe('Permissions Engine', () => {
    });
  });

+  test('It should register the condition even if the subject is Nil', async () => {
+    const permission = {
+      action: 'read',
+      subject: null,
+      properties: {},
+      conditions: ['plugins::test.isCreatedBy'],
+    };
+
+    const user = getUser('alice');
+    const can = jest.fn();
+    const registerFn = engine.createRegisterFunction(can, {}, user);
+
+    await engine.evaluate({ permission, user, registerFn });
+
+    expect(can).toHaveBeenCalledWith('read', 'all', undefined, {
+      $and: [{ $or: [{ created_by: user.firstname }] }],
+    });
+  });
+
  describe('Create Register Function', () => {
    let can;
    let registerFn;
@ -376,6 +395,18 @@ describe('Permissions Engine', () => {
      expect(can).toHaveBeenCalledTimes(1);
      expect(can).toHaveBeenCalledWith('read', 'article', '*', { created_by: 1 });
    });
+
+    test(`It should use 'all' as a subject if it's Nil`, async () => {
+      await registerFn({
+        action: 'read',
+        subject: null,
+        fields: null,
+        condition: { created_by: 1 },
+      });
+
+      expect(can).toHaveBeenCalledTimes(1);
+      expect(can).toHaveBeenCalledWith('read', 'all', null, { created_by: 1 });
+    });
  });

  describe('Check Many', () => {
--- a/packages/strapi-admin/services/permission/engine.js
+++ b/packages/strapi-admin/services/permission/engine.js
@ -8,6 +8,7 @@ const {
  isFunction,
  isBoolean,
  isArray,
+  isNil,
  isEmpty,
  isObject,
  prop,
@ -160,7 +161,7 @@ module.exports = conditionProvider => {
      await this.applyPermissionProcessors(permission);

      // Extract the up-to-date components from the permission
-      const { action, subject = 'all', properties = {}, conditions } = permission;
+      const { action, subject, properties = {}, conditions } = permission;

      // Register the permission if there is no condition
      if (isEmpty(conditions)) {
@ -239,7 +240,12 @@ module.exports = conditionProvider => {
      const registerToCasl = caslPermission => {
        const { action, subject, fields, condition } = caslPermission;

-        can(action, subject, fields, isObject(condition) ? condition : undefined);
+        can(
+          action,
+          isNil(subject) ? 'all' : subject,
+          fields,
+          isObject(condition) ? condition : undefined
+        );
      };

      const runWillRegisterHook = async caslPermission => {