diff --git a/packages/core/admin/ee/server/controllers/workflows/index.js b/packages/core/admin/ee/server/controllers/workflows/index.js
index fe7df35839..e0354f31ae 100644
--- a/packages/core/admin/ee/server/controllers/workflows/index.js
+++ b/packages/core/admin/ee/server/controllers/workflows/index.js
@@ -13,14 +13,18 @@ const { WORKFLOW_MODEL_UID } = require('../../constants/workflows');
 *
 * @param { Strapi } strapi - Strapi instance
 * @param userAbility
+ * @param type - create a sanitizer for output or input
 * @return { (Workflow) => SanitizedWorkflow }
 */
-function sanitizeWorkflow({ strapi }, userAbility) {
+function sanitizeWorkflow({ strapi }, userAbility, type = 'output') {
 const permissionChecker = strapi
 .plugin('content-manager')
 .service('permission-checker')
 .create({ userAbility, model: WORKFLOW_MODEL_UID });
+ if (type === 'input') {
+ return (entity) => permissionChecker.sanitizeInput(entity);
+ }
 return (entity) => permissionChecker.sanitizeOutput(entity);
 }
@@ -32,15 +36,19 @@ module.exports = {
 async create(ctx) {
 const { body } = ctx.request;
 const { populate } = ctx.query;
- const sanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility);
+ const inputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'input');
+ const outputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'output');
 const workflowBody = await validateWorkflowCreate(body.data);
 const workflowService = getService('workflows');
- const createdWorkflow = await workflowService.create({ data: workflowBody, populate });
+ const createdWorkflow = await workflowService.create({
+ data: await inputSanitizer(workflowBody),
+ populate,
+ });
 ctx.body = {
- data: await sanitizer(createdWorkflow),
+ data: await outputSanitizer(createdWorkflow),
 };
 },
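Review bot: The new `type` parameter of sanitizeWorkflow silently falls back to the output sanitizer for any value other than 'input', so a misspelled argument at a call site would skip input sanitization without any error. Rejecting unknown values makes that failure loud: `if (!['input', 'output'].includes(type)) throw new Error('sanitizeWorkflow: unknown sanitizer type');` placed before the permission checker is built. The JSDoc line could also carry the type and the allowed values, e.g. `@param {'input' | 'output'} [type='output'] - which sanitizer to build`.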
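Review bot: In create() the body is validated by validateWorkflowCreate before the new inputSanitizer runs, so the object actually handed to workflowService.create is not the one that was validated; if sanitizeInput strips an attribute the schema requires, the request passes validation and fails later inside the service instead of returning a clean 400. Sanitizing first keeps validation authoritative over the persisted data: `const workflowBody = await validateWorkflowCreate(await inputSanitizer(body.data));` and then plain `data: workflowBody,` in the create call. Whether sanitizeInput can drop required attributes is inferred from its role rather than visible in this hunk, so the permission-checker implementation should be checked before reordering. update() in the following hunks builds the same sanitizer pair and has the same validate-then-sanitize order.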
@@ -53,7 +61,8 @@ module.exports = {
 const { body } = ctx.request;
 const { populate } = ctx.query;
 const workflowService = getService('workflows');
- const sanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility);
+ const inputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'input');
+ const outputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'output');
 const workflowBody = await validateWorkflowUpdate(body.data);
@@ -63,12 +72,12 @@ module.exports = {
 }
 const updatedWorkflow = await workflowService.update(workflow, {
- data: workflowBody,
+ data: await inputSanitizer(workflowBody),
 populate,
 });
 ctx.body = {
- data: await sanitizer(updatedWorkflow),
+ data: await outputSanitizer(updatedWorkflow),
 };
 },
diff --git a/packages/core/admin/ee/server/controllers/workflows/stages/index.js b/packages/core/admin/ee/server/controllers/workflows/stages/index.js
index 6752da0468..f8d2e8a375 100644
--- a/packages/core/admin/ee/server/controllers/workflows/stages/index.js
+++ b/packages/core/admin/ee/server/controllers/workflows/stages/index.js
@@ -76,10 +76,15 @@ module.exports = {
 async updateEntity(ctx) {
 const stagesService = getService('stages');
 const workflowService = getService('workflows');
- const sanitizer = sanitizeStage({ strapi }, ctx.state.userAbility);
+ const { model_uid: modelUID, id: entityIdString } = ctx.params;
 const entityId = Number(entityIdString);
+ const { sanitizeOutput } = strapi .plugin('content-manager') .service('permission-checker') .create({ userAbility: ctx.state.userAbility, model: modelUID });
+ const { id: stageId } = await validateUpdateStageOnEntity(
 ctx.request?.body?.data,
 'You should pass an id to the body of the put request.'
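Review bot: In updateEntity the permission checker is now created for `modelUID` taken straight from ctx.params, before workflowService.assertContentTypeBelongsToWorkflow(modelUID) has confirmed that the uid names a real content type attached to a workflow (that assertion runs in the next hunk). Building the checker after that assertion, or at least after validateUpdateStageOnEntity, keeps unvalidated route parameters out of permission-checker.create, whose behaviour for an unknown model uid is not visible here. The checker is used only for sanitizeOutput; unless the route's policy already enforces it, nothing in this function checks the user's ability to update entries of modelUID before stagesService.updateEntity runs, which is worth confirming. With the `sanitizer` line removed, `sanitizeStage` has no remaining use in the visible hunks, so if this was its only call site its import at the top of the file should be dropped too. The enclosing function continues past the end of this hunk.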
@@ -88,8 +93,8 @@ module.exports = {
 const workflow = await workflowService.assertContentTypeBelongsToWorkflow(modelUID);
 workflowService.assertStageBelongsToWorkflow(stageId, workflow);
- const stage = await stagesService.updateEntity({ id: entityId, modelUID }, stageId);
+ const entity = await stagesService.updateEntity({ id: entityId, modelUID }, stageId);
- ctx.body = { data: await sanitizer(stage) };
+ ctx.body = { data: await sanitizeOutput(entity) };
 },
 };