Fix sanitize media

2025-12-28 15:44:59 +00:00 · 2022-03-08 17:15:43 +01:00 · 2022-03-08 17:15:43 +01:00 · 6a9db23311
commit 6a9db23311
parent af7c3d54cb
5 changed files with 114 additions and 3 deletions
--- a/packages/core/content-manager/server/tests/api/populate/filtering/index.test.e2e.js
+++ b/packages/core/content-manager/server/tests/api/populate/filtering/index.test.e2e.js
@ -2,9 +2,9 @@

 const { propEq, omit } = require('lodash/fp');

-const { createTestBuilder } = require('../../../../../../../../test/helpers/builder');
-const { createStrapiInstance } = require('../../../../../../../../test/helpers/strapi');
-const { createContentAPIRequest } = require('../../../../../../../../test/helpers/request');
+const { createTestBuilder } = require('../../../../../../../test/helpers/builder');
+const { createStrapiInstance } = require('../../../../../../../test/helpers/strapi');
+const { createContentAPIRequest } = require('../../../../../../../test/helpers/request');

 const builder = createTestBuilder();

--- a/packages/core/strapi/tests/api/populate/rec.jpg
+++ b/packages/core/strapi/tests/api/populate/rec.jpg
--- a/packages/core/strapi/tests/api/populate/sanitize.test.e2e.js
+++ b/packages/core/strapi/tests/api/populate/sanitize.test.e2e.js
@ -0,0 +1,93 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const { createTestBuilder } = require('../../../../../../test/helpers/builder');
+const { createStrapiInstance } = require('../../../../../../test/helpers/strapi');
+const {
+  createContentAPIRequest,
+  createAuthRequest,
+} = require('../../../../../../test/helpers/request');
+
+const builder = createTestBuilder();
+
+let strapi;
+let rq;
+
+const schemas = {
+  contentTypes: {
+    a: {
+      kind: 'collectionType',
+      displayName: 'a',
+      singularName: 'a',
+      pluralName: 'as',
+      attributes: {
+        cover: { type: 'media' },
+      },
+    },
+  },
+};
+
+const getFixtures = file => {
+  return [
+    {
+      cover: file.id,
+    },
+  ];
+};
+
+const uploadFile = async () => {
+  const strapi = await createStrapiInstance();
+  const rq = await createAuthRequest({ strapi });
+
+  const res = await rq({
+    method: 'POST',
+    url: '/upload',
+    formData: {
+      files: fs.createReadStream(path.join(__dirname, 'rec.jpg')),
+    },
+  });
+
+  await strapi.destroy();
+
+  return res.body[0];
+};
+
+describe('Sanitize populated entries', () => {
+  beforeAll(async () => {
+    const file = await uploadFile();
+
+    await builder
+      .addContentTypes(Object.values(schemas.contentTypes))
+      .addFixtures(schemas.contentTypes.a.singularName, getFixtures(file))
+      .build();
+
+    strapi = await createStrapiInstance();
+    rq = createContentAPIRequest({ strapi });
+  });
+
+  afterAll(async () => {
+    await strapi.destroy();
+    await builder.cleanup();
+  });
+
+  describe('Populate simple media', () => {
+    test('Media can be populated without restricted attributes', async () => {
+      const { status, body } = await rq.get(`/${schemas.contentTypes.a.pluralName}`, {
+        qs: {
+          populate: {
+            cover: {
+              populate: '*',
+            },
+          },
+        },
+      });
+
+      expect(status).toBe(200);
+      expect(body.data[0].attributes.cover).toBeDefined();
+      expect(body.data[0].attributes.cover.data.attributes.createdBy).toBeUndefined();
+      expect(body.data[0].attributes.cover.data.attributes.updatedBy).toBeUndefined();
+    });
+  });
+});
--- a/packages/core/utils/lib/sanitize/visitors/remove-restricted-relations.js
+++ b/packages/core/utils/lib/sanitize/visitors/remove-restricted-relations.js
@ -2,6 +2,7 @@

 const ACTIONS_TO_VERIFY = ['find'];

+// FIXME: Support populating creator fields
 module.exports = auth => async ({ data, key, attribute }, { remove, set }) => {
  const isRelation = attribute.type === 'relation';

--- a/packages/core/utils/lib/traverse-entity.js
+++ b/packages/core/utils/lib/traverse-entity.js
@ -41,6 +41,7 @@ const traverseEntity = async (visitor, options, entity) => {
    const isRelation = attribute.type === 'relation';
    const isComponent = attribute.type === 'component';
    const isDynamicZone = attribute.type === 'dynamiczone';
+    const isMedia = attribute.type === 'media';

    if (isRelation) {
      const isMorphRelation = attribute.relation.toLowerCase().startsWith('morph');
@ -61,6 +62,22 @@ const traverseEntity = async (visitor, options, entity) => {
        : await traverseTarget(value);
    }

+    if (isMedia) {
+      const traverseTarget = entry => {
+        const targetSchemaUID = 'plugin::upload.file';
+        const targetSchema = strapi.getModel(targetSchemaUID);
+
+        const traverseOptions = { schema: targetSchema, path: newPath };
+
+        return traverseEntity(visitor, traverseOptions, entry);
+      };
+
+      // need to update copy
+      copy[key] = isArray(value)
+        ? await Promise.all(value.map(traverseTarget))
+        : await traverseTarget(value);
+    }
+
    if (isComponent) {
      const targetSchema = strapi.getModel(attribute.component);
      const traverseOptions = { schema: targetSchema, path: newPath };