From 1625aa419c8e4b02f330a15c94d2cef805134e33 Mon Sep 17 00:00:00 2001
From: Fernando Chavez
Date: Wed, 26 Jul 2023 11:55:38 +0200
Subject: [PATCH] fix error on traverse functions and add tests

---
 .../permissions-manager-sanitize.test.js | 17 +++++++++++++++++
 .../permission/permissions-manager/sanitize.js | 6 +++---
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/packages/core/admin/server/services/__tests__/permissions-manager-sanitize.test.js b/packages/core/admin/server/services/__tests__/permissions-manager-sanitize.test.js
index 9c6c70822d..a4aec860af 100644
--- a/packages/core/admin/server/services/__tests__/permissions-manager-sanitize.test.js
+++ b/packages/core/admin/server/services/__tests__/permissions-manager-sanitize.test.js
@@ -97,4 +97,21 @@ describe('Permissions Manager - Sanitize', () => {
 expect(result).toEqual({ c: 'Bar' });
 });
 });
+
+ describe('Sanitize Query', () => {
+ it('Removes hidden fields on filters, sort, populate and fields', async () => {
+ const data = {
+ filters: { a: 'Foo', c: 'Bar' },
+ sort: { a: 'asc', c: 'desc' },
+ populate: { a: 'Foo', c: 'Bar' },
+ fields: ['a', 'c'],
+ };
+ const result = await sanitizeHelpers.sanitizeQuery(data, { subject: fooModel.uid });
+
+ expect(result.filters).toEqual({ c: 'Bar' });
+ expect(result.sort).toEqual({ c: 'desc' });
+ expect(result.populate).toEqual({ c: 'Bar' });
+ expect(result.fields).toEqual([undefined, 'c']);
+ });
+ });
 });
diff --git a/packages/core/admin/server/services/permission/permissions-manager/sanitize.js b/packages/core/admin/server/services/permission/permissions-manager/sanitize.js
index 675d63b635..60017b518c 100644
--- a/packages/core/admin/server/services/permission/permissions-manager/sanitize.js
+++ b/packages/core/admin/server/services/permission/permissions-manager/sanitize.js
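Review bot: The expectation `expect(result.fields).toEqual([undefined, 'c'])` pins a hole in the sanitized `fields` array rather than the removal of the hidden field, so whatever consumes `fields` downstream (a select list or query builder) would receive `undefined` as a field name. If the traverser genuinely cannot compact the array, the test should say so next to that assertion, e.g. `// traverseQueryFields leaves a hole where a field was removed; callers must drop undefined entries`; otherwise the assertion should be `expect(result.fields).toEqual(['c']);` and sanitizeFields should compact its result. sanitizeQuery and traverseQueryFields are outside this hunk, so I cannot tell which of the two is the intended contract.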
@@ -71,7 +71,7 @@ module.exports = ({ action, ability, model }) => {
 const sanitizeSort = pipeAsync(
 traverse.traverseQuerySort(allowedFields(permittedFields), { schema }),
 traverse.traverseQuerySort(omitDisallowedAdminUserFields, { schema }),
- traverse.traverseQueryFilters(omitHiddenFields, { schema }),
+ traverse.traverseQuerySort(omitHiddenFields, { schema }),
 traverse.traverseQuerySort(removePassword, { schema }),
 traverse.traverseQuerySort(
 ({ key, attribute, value }, { remove }) => {
@@ -86,13 +86,13 @@ module.exports = ({ action, ability, model }) => {
 const sanitizePopulate = pipeAsync(
 traverse.traverseQueryPopulate(allowedFields(permittedFields), { schema }),
 traverse.traverseQueryPopulate(omitDisallowedAdminUserFields, { schema }),
- traverse.traverseQueryFilters(omitHiddenFields, { schema }),
+ traverse.traverseQueryPopulate(omitHiddenFields, { schema }),
 traverse.traverseQueryPopulate(removePassword, { schema })
 );
 
 const sanitizeFields = pipeAsync(
 traverse.traverseQueryFields(allowedFields(permittedFields), { schema }),
- traverse.traverseQueryFilters(omitHiddenFields, { schema }),
+ traverse.traverseQueryFields(omitHiddenFields, { schema }),
 traverse.traverseQueryFields(removePassword, { schema })
 );
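Review bot: The corrected line `traverse.traverseQuerySort(omitHiddenFields, { schema })` still sits in a pipeline where every step spells out the traverser by name, which is exactly how the three wrong `traverseQueryFilters` calls in the sort, populate and fields pipelines slipped through, and since all four traversers accept the same `(visitor, { schema })` arguments nothing fails at call time when the wrong one is used. Binding the traverser once per pipeline, e.g. `const traverseSort = traverse.traverseQuerySort;` above `sanitizeSort` and then `traverseSort(omitHiddenFields, { schema })` for each step, makes a mismatched traverser visible in review and limits the mistake to one line. The same applies to the sanitizePopulate and sanitizeFields pipelines in the second hunk. The enclosing `module.exports` arrow function begins before the first hunk and continues after the last one.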