fix error on traverse functions and add tests

2025-12-27 15:13:21 +00:00 · 2023-07-26 11:55:38 +02:00 · 2023-07-26 11:55:38 +02:00 · 1625aa419c
commit 1625aa419c
parent 7b67b767dd
2 changed files with 20 additions and 3 deletions
--- a/packages/core/admin/server/services/tests/permissions-manager-sanitize.test.js
+++ b/packages/core/admin/server/services/tests/permissions-manager-sanitize.test.js
@ -97,4 +97,21 @@ describe('Permissions Manager - Sanitize', () => {
      expect(result).toEqual({ c: 'Bar' });
    });
  });
+
+  describe('Sanitize Query', () => {
+    it('Removes hidden fields on filters, sort, populate and fields', async () => {
+      const data = {
+        filters: { a: 'Foo', c: 'Bar' },
+        sort: { a: 'asc', c: 'desc' },
+        populate: { a: 'Foo', c: 'Bar' },
+        fields: ['a', 'c'],
+      };
+      const result = await sanitizeHelpers.sanitizeQuery(data, { subject: fooModel.uid });
+
+      expect(result.filters).toEqual({ c: 'Bar' });
+      expect(result.sort).toEqual({ c: 'desc' });
+      expect(result.populate).toEqual({ c: 'Bar' });
+      expect(result.fields).toEqual([undefined, 'c']);
+    });
+  });
 });
--- a/packages/core/admin/server/services/permission/permissions-manager/sanitize.js
+++ b/packages/core/admin/server/services/permission/permissions-manager/sanitize.js
@ -71,7 +71,7 @@ module.exports = ({ action, ability, model }) => {
    const sanitizeSort = pipeAsync(
      traverse.traverseQuerySort(allowedFields(permittedFields), { schema }),
      traverse.traverseQuerySort(omitDisallowedAdminUserFields, { schema }),
-      traverse.traverseQueryFilters(omitHiddenFields, { schema }),
+      traverse.traverseQuerySort(omitHiddenFields, { schema }),
      traverse.traverseQuerySort(removePassword, { schema }),
      traverse.traverseQuerySort(
        ({ key, attribute, value }, { remove }) => {
@ -86,13 +86,13 @@ module.exports = ({ action, ability, model }) => {
    const sanitizePopulate = pipeAsync(
      traverse.traverseQueryPopulate(allowedFields(permittedFields), { schema }),
      traverse.traverseQueryPopulate(omitDisallowedAdminUserFields, { schema }),
-      traverse.traverseQueryFilters(omitHiddenFields, { schema }),
+      traverse.traverseQueryPopulate(omitHiddenFields, { schema }),
      traverse.traverseQueryPopulate(removePassword, { schema })
    );

    const sanitizeFields = pipeAsync(
      traverse.traverseQueryFields(allowedFields(permittedFields), { schema }),
-      traverse.traverseQueryFilters(omitHiddenFields, { schema }),
+      traverse.traverseQueryFields(omitHiddenFields, { schema }),
      traverse.traverseQueryFields(removePassword, { schema })
    );