Merge pull request #6967 from strapi/rbac/fix-permissions-issues

Fix some light issues in permissions-manager & engine

packages/strapi-admin/services/permission/engine.js

@@ -65,7 +65,8 @@ module.exports = conditionProvider => ({
    * @returns {Promise<void>}
    */
   async evaluatePermission({ permission, user, options, registerFn }) {
-    const { action, subject, fields, conditions } = permission;
+    const { action, fields, conditions } = permission;
+    const subject = permission.subject || 'all';
 
     // Permissions with empty fields array should be removed
     if (Array.isArray(fields) && fields.length === 0) {
@@ -96,7 +97,7 @@ module.exports = conditionProvider => ({
     // Transform each result into registerFn options
     const transformToRegisterOptions = map(result => ({
       action,
-      subject: subject || 'all',
+      subject,
       fields,
       condition: result,
     }));

packages/strapi-admin/services/permission/permissions-manager.js

@@ -35,7 +35,7 @@ module.exports = (ability, action, model) => ({
   queryFrom(query) {
     return {
       ...query,
-      _where: _.concat(this.query, query._where || {}),
+      _where: query._where ? _.concat(this.query, query._where) : [this.query],
     };
   },
 
@@ -52,10 +52,14 @@ module.exports = (ability, action, model) => ({
     }
 
     const permittedFields = permittedFieldsOf(ability, actionOverride, subject);
+    const hasAtLeastOneRegisteredField = _.some(
+      _.flatMap(ability.rulesFor(actionOverride, subject).map(_.property('fields')))
+    );
+    const shouldIncludeAllFields = _.isEmpty(permittedFields) && !hasAtLeastOneRegisteredField;
 
     return sanitizeEntity(data, {
       model: strapi.getModel(model),
-      includeFields: _.isEmpty(permittedFields) ? null : permittedFields,
+      includeFields: shouldIncludeAllFields ? null : permittedFields,
       withPrivate,
       isOutput,
     });