yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-09-09 16:47:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

renaming + add permission check on entity

Browse Source
This commit is contained in:
Pierre Noël 2022-08-11 15:52:58 +02:00
parent aa496ff4a7
commit 73f85a7c08
6 changed files with 39 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
packages/core/content-manager/server/controllers/relations.js
View File

@ -6,15 +6,16 @@ const { hasDraftAndPublish } = require('@strapi/utils').contentTypes;
const { PUBLISHED_AT_ATTRIBUTE } = require('@strapi/utils').contentTypes.constants; const { PUBLISHED_AT_ATTRIBUTE } = require('@strapi/utils').contentTypes.constants;
const { getService } = require('../utils'); const { getService } = require('../utils');
const { validateFindNew } = require('./validation/relations'); const { validateFindAvailable } = require('./validation/relations');
module.exports = { module.exports = {
async findNew(ctx) { async findAvailable(ctx) {
const { userAbility } = ctx.state;
const { model, targetField } = ctx.params; const { model, targetField } = ctx.params;
await validateFindNew(ctx.request.query); await validateFindAvailable(ctx.request.query);
const { component, entityId, idsToOmit, page = 1, pageSize = 10, q } = ctx.request.query; const { component, entityId, idsToOmit, page = 1, pageSize = 10, _q } = ctx.request.query;
const sourceModelUid = component || model; const sourceModelUid = component || model;
@ -23,6 +24,29 @@ module.exports = {
return ctx.badRequest("The model doesn't exist"); return ctx.badRequest("The model doesn't exist");
} }
// permission check
if (entityId) {
const entityManager = getService('entity-manager');
const permissionChecker = getService('permission-checker').create({
userAbility,
model: sourceModel,
});
if (permissionChecker.cannot.read()) {
return ctx.forbidden();
}
const entity = await entityManager.findOneWithCreatorRoles(entityId, model);
if (!entity) {
return ctx.notFound();
}
if (permissionChecker.cannot.read(entity)) {
return ctx.forbidden();
}
}
const attribute = sourceModel.attributes[targetField]; const attribute = sourceModel.attributes[targetField];
if (!attribute || attribute.type !== 'relation') { if (!attribute || attribute.type !== 'relation') {
return ctx.badRequest("This relational field doesn't exist"); return ctx.badRequest("This relational field doesn't exist");
@ -40,8 +64,8 @@ module.exports = {
const query = strapi.db.queryBuilder(targetedModel.uid); const query = strapi.db.queryBuilder(targetedModel.uid);
if (!isNil(q)) { if (!isNil(_q)) {
query.search(q); query.search(_q);
} }
if (!isNil(ctx.request.query.filters)) { if (!isNil(ctx.request.query.filters)) {

6
packages/core/content-manager/server/controllers/validation/relations.js
View File

@ -2,12 +2,12 @@
const { yup, validateYupSchema } = require('@strapi/utils'); const { yup, validateYupSchema } = require('@strapi/utils');
const validateFindNewSchema = yup const validateFindAvailableSchema = yup
.object() .object()
.shape({ .shape({
component: yup.string(), component: yup.string(),
entityId: yup.strapiID(), entityId: yup.strapiID(),
q: yup.string(), _q: yup.string(),
idsToOmit: yup.array().of(yup.strapiID()), idsToOmit: yup.array().of(yup.strapiID()),
page: yup page: yup
.number() .number()
@ -23,5 +23,5 @@ const validateFindNewSchema = yup
.required(); .required();
module.exports = { module.exports = {
validateFindNew: validateYupSchema(validateFindNewSchema, { strict: false }), validateFindAvailable: validateYupSchema(validateFindAvailableSchema, { strict: false }),
}; };

2
packages/core/content-manager/server/routes/admin.js
View File

@ -82,7 +82,7 @@ module.exports = {
{ {
method: 'GET', method: 'GET',
path: '/relations/:model/:targetField', path: '/relations/:model/:targetField',
handler: 'relations.findNew', handler: 'relations.findAvailable',
config: { config: {
policies: [ policies: [
'admin::isAuthenticatedAdmin', 'admin::isAuthenticatedAdmin',

2
packages/core/content-manager/server/tests/relations-dp.test.e2e.js
View File

@ -112,7 +112,7 @@ describe('Relations with Draft & Publish', () => {
await builder.cleanup(); await builder.cleanup();
}); });
describe('findNew', () => { describe('findAvailable', () => {
test('relation not in a component && no entity', async () => { test('relation not in a component && no entity', async () => {
let res = await rq({ let res = await rq({
method: 'GET', method: 'GET',

2
packages/core/content-manager/server/tests/relations.test.e2e.js
View File

@ -106,7 +106,7 @@ describe('Relations', () => {
await builder.cleanup(); await builder.cleanup();
}); });
describe('findNew', () => { describe('findAvailable', () => {
test('relation not in a component && no entity', async () => { test('relation not in a component && no entity', async () => {
let res = await rq({ let res = await rq({
method: 'GET', method: 'GET',

6
packages/plugins/i18n/server/register.js
View File

@ -22,9 +22,9 @@ const decorateRelations = () => {
const { wrapParams } = getService('entity-service-decorator'); const { wrapParams } = getService('entity-service-decorator');
strapi.container.get('controllers').extend('plugin::content-manager.relations', controller => { strapi.container.get('controllers').extend('plugin::content-manager.relations', controller => {
const oldFindNew = controller.findNew; const oldFindAvailable = controller.findAvailable;
return Object.assign(controller, { return Object.assign(controller, {
async findNew(ctx, next) { async findAvailable(ctx, next) {
const { model, targetField } = ctx.params; const { model, targetField } = ctx.params;
const { component } = ctx.request.query; const { component } = ctx.request.query;
@ -48,7 +48,7 @@ const decorateRelations = () => {
ctx.request.query = await wrapParams(ctx.request.query); ctx.request.query = await wrapParams(ctx.request.query);
} }
return oldFindNew(ctx, next); return oldFindAvailable(ctx, next);
}, },
}); });
}); });