Apply RBAC permissions to read filed

2025-12-29 16:16:20 +00:00 · 2023-07-25 18:33:55 +02:00 · 2023-07-25 18:33:55 +02:00 · 195dcb483a
commit 195dcb483a
parent 5b675ccfa6
2 changed files with 59 additions and 3 deletions
--- a/packages/core/content-manager/server/controllers/tests/relations.test.js
+++ b/packages/core/content-manager/server/controllers/tests/relations.test.js
@ -42,7 +42,7 @@ describe('Relations', () => {
        'content-manager': {
          services: {
            'permission-checker': {
-              create: () => ({
+              create: jest.fn().mockReturnValue({
                cannot: {
                  read: jest.fn().mockReturnValue(false),
                },
@ -225,4 +225,49 @@ describe('Relations', () => {
      );
    });
  });
+
+  test('Replace mainField by id when mainField is not accessible with RBAC', async () => {
+    global.strapi.plugins['content-manager'].services['permission-checker'].create
+      .mockReturnValueOnce({
+        cannot: {
+          read: jest.fn().mockReturnValue(false),
+        },
+        sanitizedQuery: {
+          read: jest.fn().mockReturnValue({}),
+        },
+      })
+      .mockReturnValueOnce({
+        cannot: {
+          read: jest.fn().mockReturnValue(true),
+        },
+      });
+
+    const ctx = createContext(
+      {
+        params: {
+          model: 'main',
+          targetField: 'relationWithHidden',
+          id: 1,
+        },
+      },
+      {
+        state: {
+          userAbility: {
+            can: jest.fn().mockReturnValue(true),
+          },
+        },
+      }
+    );
+
+    await relations.findExisting(ctx);
+
+    expect(strapi.entityService.load).toHaveBeenCalledWith(
+      'main',
+      { id: 1 },
+      'relationWithHidden',
+      expect.objectContaining({
+        fields: ['id'],
+      })
+    );
+  });
 });
--- a/packages/core/content-manager/server/controllers/relations.js
+++ b/packages/core/content-manager/server/controllers/relations.js
@ -82,12 +82,18 @@ module.exports = {

    const targetedModel = strapi.getModel(attribute.target);

+    const permissionChecker = getService('permission-checker').create({
+      userAbility,
+      model: attribute.target,
+    });
+
    const modelConfig = isComponent
      ? await getService('components').findConfiguration(modelSchema)
      : await getService('content-types').findConfiguration(modelSchema);

    let mainField = prop(`metadatas.${targetField}.edit.mainField`, modelConfig) || 'id';
-    if (!isListable(targetedModel, mainField)) {
+
+    if (!isListable(targetedModel, mainField) || permissionChecker.cannot.read(null, mainField)) {
      mainField = 'id';
    }

@ -195,8 +201,13 @@ module.exports = {
      ? await getService('components').findConfiguration(modelSchema)
      : await getService('content-types').findConfiguration(modelSchema);

+    const permissionChecker = getService('permission-checker').create({
+      userAbility,
+      model: attribute.target,
+    });
+
    let mainField = prop(`metadatas.${targetField}.edit.mainField`, modelConfig) || 'id';
-    if (!isListable(targetedModel, mainField)) {
+    if (!isListable(targetedModel, mainField) || permissionChecker.cannot.read(null, mainField)) {
      mainField = 'id';
    }