fix(review-workflow): sanitize inputs

This commit is contained in:
nathan-pichon 2023-06-23 17:30:29 +02:00
parent d901925443
commit 7da2f1e897
No known key found for this signature in database
2 changed files with 24 additions and 10 deletions


@ -13,14 +13,18 @@ const { WORKFLOW_MODEL_UID } = require('../../constants/workflows');
*
* @param { Strapi } strapi - Strapi instance
* @param userAbility
* @param type - create a sanitizer for output or input
* @return { (Workflow) => SanitizedWorkflow }
*/
function sanitizeWorkflow({ strapi }, userAbility) {
function sanitizeWorkflow({ strapi }, userAbility, type = 'output') {
const permissionChecker = strapi
.plugin('content-manager')
.service('permission-checker')
.create({ userAbility, model: WORKFLOW_MODEL_UID });
if (type === 'input') {
return (entity) => permissionChecker.sanitizeInput(entity);
}
return (entity) => permissionChecker.sanitizeOutput(entity);
}
@ -32,15 +36,19 @@ module.exports = {
async create(ctx) {
const { body } = ctx.request;
const { populate } = ctx.query;
const sanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility);
const inputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'input');
const outputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'output');
const workflowBody = await validateWorkflowCreate(body.data);
const workflowService = getService('workflows');
const createdWorkflow = await workflowService.create({ data: workflowBody, populate });
const createdWorkflow = await workflowService.create({
data: await inputSanitizer(workflowBody),
populate,
});
ctx.body = {
data: await sanitizer(createdWorkflow),
data: await outputSanitizer(createdWorkflow),
};
},
@ -53,7 +61,8 @@ module.exports = {
const { body } = ctx.request;
const { populate } = ctx.query;
const workflowService = getService('workflows');
const sanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility);
const inputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'input');
const outputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'output');
const workflowBody = await validateWorkflowUpdate(body.data);
@ -63,12 +72,12 @@ module.exports = {
}
const updatedWorkflow = await workflowService.update(workflow, {
data: workflowBody,
data: await inputSanitizer(workflowBody),
populate,
});
ctx.body = {
data: await sanitizer(updatedWorkflow),
data: await outputSanitizer(updatedWorkflow),
};
},
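Review bot: In sanitizeWorkflow (first hunk) any `type` other than 'input' silently falls through to the output sanitizer, so a misspelled argument at a call site like the ones in create or update would run output sanitization on request data without any error. Consider rejecting unknown values before the branch: `if (type !== 'input' && type !== 'output') throw new Error(\`Unknown sanitizer type: ${type}\`);`. The JSDoc should also pin the contract, e.g. `@param {'input'|'output'} [type='output'] - create a sanitizer for output or input`. The same inputSanitizer/outputSanitizer pattern appears in the update hunk, so a wrong string would affect both endpoints.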


@ -76,10 +76,15 @@ module.exports = {
async updateEntity(ctx) {
const stagesService = getService('stages');
const workflowService = getService('workflows');
const sanitizer = sanitizeStage({ strapi }, ctx.state.userAbility);
const { model_uid: modelUID, id: entityIdString } = ctx.params;
const entityId = Number(entityIdString);
const { sanitizeOutput } = strapi
.plugin('content-manager')
.service('permission-checker')
.create({ userAbility: ctx.state.userAbility, model: modelUID });
const { id: stageId } = await validateUpdateStageOnEntity(
ctx.request?.body?.data,
'You should pass an id to the body of the put request.'
@ -88,8 +93,8 @@ module.exports = {
const workflow = await workflowService.assertContentTypeBelongsToWorkflow(modelUID);
workflowService.assertStageBelongsToWorkflow(stageId, workflow);
const stage = await stagesService.updateEntity({ id: entityId, modelUID }, stageId);
const entity = await stagesService.updateEntity({ id: entityId, modelUID }, stageId);
ctx.body = { data: await sanitizer(stage) };
ctx.body = { data: await sanitizeOutput(entity) };
},
};
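Review bot: Destructuring `sanitizeOutput` off the permission checker in updateEntity (first hunk) detaches the method from its object, so if the content-manager permission-checker implementation relies on `this` the call on the last line would break; the workflow controller in this same commit keeps the checker instance and calls `permissionChecker.sanitizeOutput(entity)`, which preserves the binding. For consistency and safety prefer `const permissionChecker = strapi.plugin('content-manager').service('permission-checker').create({ userAbility: ctx.state.userAbility, model: modelUID });` and `ctx.body = { data: await permissionChecker.sanitizeOutput(entity) };`. Note also that the checker is now created from `modelUID` taken straight from `ctx.params` before `assertContentTypeBelongsToWorkflow(modelUID)` runs; whether `create` tolerates an unknown model UID is not visible here, so moving the checker creation below that assertion would keep the validation order clear.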