Send 401 if action is not enabled

packages/strapi-plugin-users-permissions/config/policies/isAuthenticated.js

@@ -1,5 +1,47 @@
+const pathToRegexp = require('path-to-regexp');
+const _ = require('lodash');
+
 module.exports = async (ctx, next) => {
   const config = strapi.plugins['users-permissions'].config;
+  let match = false;
 
-  await next();
+  const matchRoute = async (route, plugin) => {
+    if (match) {
+      return false;
+    }
+
+    let value = _.clone(route.path);
+
+    if (route.config.prefix !== undefined) {
+      value = route.config.prefix + value;
+    } else if (plugin) {
+      value = `${plugin}/${value}`;
+    }
+
+    const re = pathToRegexp(value);
+    match = re.test(ctx.url) && ctx.method === route.method;
+
+    if (match) {
+      const permissions = _.get(config, ['0', 'permissions', plugin || 'application']);
+      const action = _.get(permissions, `controllers.${route.handler.toLowerCase()}`);
+
+      if (action.enabled) {
+        await next();
+      } else {
+        ctx.unauthorized('Nop!');
+      }
+    }
+  };
+
+  _.forEach(strapi.config.routes, value => {
+    matchRoute(value);
+  });
+
+  if (strapi.plugins) {
+    _.forEach(strapi.plugins, (plugin, name) => {
+      _.forEach(plugin.config.routes, value => {
+        matchRoute(value, name);
+      });
+    });
+  }
 };

packages/strapi-plugin-users-permissions/middlewares/users-permissions/index.js

@@ -1,4 +1,3 @@
-const pathToRegexp = require('path-to-regexp');
 const _ = require('lodash');
 
 module.exports = strapi => {

packages/strapi-plugin-users-permissions/package.json

@@ -63,4 +63,4 @@
     "rimraf": "^2.6.2",
     "webpack": "^3.8.1"
   }
-}
+}