mirror of
				https://github.com/strapi/strapi.git
				synced 2025-10-26 07:30:17 +00:00 
			
		
		
		
	renaming + add permission check on entity
This commit is contained in:
		
							parent
							
								
									aa496ff4a7
								
							
						
					
					
						commit
						73f85a7c08
					
				| @ -6,15 +6,16 @@ const { hasDraftAndPublish } = require('@strapi/utils').contentTypes; | ||||
| const { PUBLISHED_AT_ATTRIBUTE } = require('@strapi/utils').contentTypes.constants; | ||||
| 
 | ||||
| const { getService } = require('../utils'); | ||||
| const { validateFindNew } = require('./validation/relations'); | ||||
| const { validateFindAvailable } = require('./validation/relations'); | ||||
| 
 | ||||
| module.exports = { | ||||
|   async findNew(ctx) { | ||||
|   async findAvailable(ctx) { | ||||
|     const { userAbility } = ctx.state; | ||||
|     const { model, targetField } = ctx.params; | ||||
| 
 | ||||
|     await validateFindNew(ctx.request.query); | ||||
|     await validateFindAvailable(ctx.request.query); | ||||
| 
 | ||||
|     const { component, entityId, idsToOmit, page = 1, pageSize = 10, q } = ctx.request.query; | ||||
|     const { component, entityId, idsToOmit, page = 1, pageSize = 10, _q } = ctx.request.query; | ||||
| 
 | ||||
|     const sourceModelUid = component || model; | ||||
| 
 | ||||
| @ -23,6 +24,29 @@ module.exports = { | ||||
|       return ctx.badRequest("The model doesn't exist"); | ||||
|     } | ||||
| 
 | ||||
|     // permission check
 | ||||
|     if (entityId) { | ||||
|       const entityManager = getService('entity-manager'); | ||||
|       const permissionChecker = getService('permission-checker').create({ | ||||
|         userAbility, | ||||
|         model: sourceModel, | ||||
|       }); | ||||
| 
 | ||||
|       if (permissionChecker.cannot.read()) { | ||||
|         return ctx.forbidden(); | ||||
|       } | ||||
| 
 | ||||
|       const entity = await entityManager.findOneWithCreatorRoles(entityId, model); | ||||
| 
 | ||||
|       if (!entity) { | ||||
|         return ctx.notFound(); | ||||
|       } | ||||
| 
 | ||||
|       if (permissionChecker.cannot.read(entity)) { | ||||
|         return ctx.forbidden(); | ||||
|       } | ||||
|     } | ||||
| 
 | ||||
|     const attribute = sourceModel.attributes[targetField]; | ||||
|     if (!attribute || attribute.type !== 'relation') { | ||||
|       return ctx.badRequest("This relational field doesn't exist"); | ||||
| @ -40,8 +64,8 @@ module.exports = { | ||||
| 
 | ||||
|     const query = strapi.db.queryBuilder(targetedModel.uid); | ||||
| 
 | ||||
|     if (!isNil(q)) { | ||||
|       query.search(q); | ||||
|     if (!isNil(_q)) { | ||||
|       query.search(_q); | ||||
|     } | ||||
| 
 | ||||
|     if (!isNil(ctx.request.query.filters)) { | ||||
|  | ||||
| @ -2,12 +2,12 @@ | ||||
| 
 | ||||
| const { yup, validateYupSchema } = require('@strapi/utils'); | ||||
| 
 | ||||
| const validateFindNewSchema = yup | ||||
| const validateFindAvailableSchema = yup | ||||
|   .object() | ||||
|   .shape({ | ||||
|     component: yup.string(), | ||||
|     entityId: yup.strapiID(), | ||||
|     q: yup.string(), | ||||
|     _q: yup.string(), | ||||
|     idsToOmit: yup.array().of(yup.strapiID()), | ||||
|     page: yup | ||||
|       .number() | ||||
| @ -23,5 +23,5 @@ const validateFindNewSchema = yup | ||||
|   .required(); | ||||
| 
 | ||||
| module.exports = { | ||||
|   validateFindNew: validateYupSchema(validateFindNewSchema, { strict: false }), | ||||
|   validateFindAvailable: validateYupSchema(validateFindAvailableSchema, { strict: false }), | ||||
| }; | ||||
|  | ||||
| @ -82,7 +82,7 @@ module.exports = { | ||||
|     { | ||||
|       method: 'GET', | ||||
|       path: '/relations/:model/:targetField', | ||||
|       handler: 'relations.findNew', | ||||
|       handler: 'relations.findAvailable', | ||||
|       config: { | ||||
|         policies: [ | ||||
|           'admin::isAuthenticatedAdmin', | ||||
|  | ||||
| @ -112,7 +112,7 @@ describe('Relations with Draft & Publish', () => { | ||||
|     await builder.cleanup(); | ||||
|   }); | ||||
| 
 | ||||
|   describe('findNew', () => { | ||||
|   describe('findAvailable', () => { | ||||
|     test('relation not in a component && no entity', async () => { | ||||
|       let res = await rq({ | ||||
|         method: 'GET', | ||||
|  | ||||
| @ -106,7 +106,7 @@ describe('Relations', () => { | ||||
|     await builder.cleanup(); | ||||
|   }); | ||||
| 
 | ||||
|   describe('findNew', () => { | ||||
|   describe('findAvailable', () => { | ||||
|     test('relation not in a component && no entity', async () => { | ||||
|       let res = await rq({ | ||||
|         method: 'GET', | ||||
|  | ||||
| @ -22,9 +22,9 @@ const decorateRelations = () => { | ||||
|   const { wrapParams } = getService('entity-service-decorator'); | ||||
| 
 | ||||
|   strapi.container.get('controllers').extend('plugin::content-manager.relations', controller => { | ||||
|     const oldFindNew = controller.findNew; | ||||
|     const oldFindAvailable = controller.findAvailable; | ||||
|     return Object.assign(controller, { | ||||
|       async findNew(ctx, next) { | ||||
|       async findAvailable(ctx, next) { | ||||
|         const { model, targetField } = ctx.params; | ||||
|         const { component } = ctx.request.query; | ||||
| 
 | ||||
| @ -48,7 +48,7 @@ const decorateRelations = () => { | ||||
|           ctx.request.query = await wrapParams(ctx.request.query); | ||||
|         } | ||||
| 
 | ||||
|         return oldFindNew(ctx, next); | ||||
|         return oldFindAvailable(ctx, next); | ||||
|       }, | ||||
|     }); | ||||
|   }); | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user
	 Pierre Noël
						Pierre Noël