feat: filter by non visible and writtable fields

Marc-Roig 2023-07-12 17:32:51 +02:00 committed by Gustav Hansen
parent 123f4d0a47
commit 723ae05bd3


@ -56,6 +56,7 @@ module.exports = ({ action, ability, model }) => {
const sanitizeFilters = pipeAsync(
traverse.traverseQueryFilters(allowedFields(permittedFields), { schema }),
traverse.traverseQueryFilters(omitDisallowedAdminUserFields, { schema }),
traverse.traverseQueryFilters(omitHiddenFields, { schema }),
traverse.traverseQueryFilters(removePassword, { schema }),
traverse.traverseQueryFilters(
({ key, value }, { remove }) => {
@ -71,6 +72,7 @@ module.exports = ({ action, ability, model }) => {
traverse.traverseQuerySort(allowedFields(permittedFields), { schema }),
traverse.traverseQuerySort(omitDisallowedAdminUserFields, { schema }),
traverse.traverseQuerySort(removePassword, { schema }),
traverse.traverseQueryFilters(omitHiddenFields, { schema }),
traverse.traverseQuerySort(
({ key, attribute, value }, { remove }) => {
if (!isScalarAttribute(attribute) && isEmpty(value)) {
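Review bot: In the sort pipeline, the `omitHiddenFields` step is wrapped in `traverse.traverseQueryFilters` while every sibling step uses `traverse.traverseQuerySort`; the same mismatch appears in the next hunk inside `sanitizePopulate` and `sanitizeFields`. A filters traversal applied to a sort, populate or fields parameter may not visit the keys in that shape, so hidden attributes could pass through these sanitizers unstripped and stay usable for ordering or selection, which would undercut the purpose of the change. Unless the mix is deliberate, use the matching traverser in each pipeline: `traverse.traverseQuerySort(omitHiddenFields, { schema }),`, `traverse.traverseQueryPopulate(omitHiddenFields, { schema }),` and `traverse.traverseQueryFields(omitHiddenFields, { schema }),`. The sort pipeline's opening line and the rest of its trailing callback are outside this hunk.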
@ -84,11 +86,13 @@ module.exports = ({ action, ability, model }) => {
const sanitizePopulate = pipeAsync(
traverse.traverseQueryPopulate(allowedFields(permittedFields), { schema }),
traverse.traverseQueryPopulate(omitDisallowedAdminUserFields, { schema }),
traverse.traverseQueryFilters(omitHiddenFields, { schema }),
traverse.traverseQueryPopulate(removePassword, { schema })
);
const sanitizeFields = pipeAsync(
traverse.traverseQueryFields(allowedFields(permittedFields), { schema }),
traverse.traverseQueryFilters(omitHiddenFields, { schema }),
traverse.traverseQueryFields(removePassword, { schema })
);
@ -256,10 +260,16 @@ module.exports = ({ action, ability, model }) => {
};
const getQueryFields = (fields = []) => {
const nonVisibleAttributes = getNonVisibleAttributes(schema);
const writableAttributes = getWritableAttributes(schema);
const nonVisibleWritableAttributes = intersection(nonVisibleAttributes, writableAttributes);
return uniq([
...fields,
...STATIC_FIELDS,
...COMPONENT_FIELDS,
...nonVisibleWritableAttributes,
CREATED_AT_ATTRIBUTE,
UPDATED_AT_ATTRIBUTE,
PUBLISHED_AT_ATTRIBUTE,