fix(review-workflow): sanitize inputs
This commit is contained in:
parent
d901925443
commit
7da2f1e897
@ -13,14 +13,18 @@ const { WORKFLOW_MODEL_UID } = require('../../constants/workflows');
|
|||||||
*
|
*
|
||||||
* @param { Strapi } strapi - Strapi instance
|
* @param { Strapi } strapi - Strapi instance
|
||||||
* @param userAbility
|
* @param userAbility
|
||||||
|
* @param type - create a sanitizer for output or input
|
||||||
* @return { (Workflow) => SanitizedWorkflow }
|
* @return { (Workflow) => SanitizedWorkflow }
|
||||||
*/
|
*/
|
||||||
function sanitizeWorkflow({ strapi }, userAbility) {
|
function sanitizeWorkflow({ strapi }, userAbility, type = 'output') {
|
||||||
const permissionChecker = strapi
|
const permissionChecker = strapi
|
||||||
.plugin('content-manager')
|
.plugin('content-manager')
|
||||||
.service('permission-checker')
|
.service('permission-checker')
|
||||||
.create({ userAbility, model: WORKFLOW_MODEL_UID });
|
.create({ userAbility, model: WORKFLOW_MODEL_UID });
|
||||||
|
|
||||||
|
if (type === 'input') {
|
||||||
|
return (entity) => permissionChecker.sanitizeInput(entity);
|
||||||
|
}
|
||||||
return (entity) => permissionChecker.sanitizeOutput(entity);
|
return (entity) => permissionChecker.sanitizeOutput(entity);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -32,15 +36,19 @@ module.exports = {
|
|||||||
async create(ctx) {
|
async create(ctx) {
|
||||||
const { body } = ctx.request;
|
const { body } = ctx.request;
|
||||||
const { populate } = ctx.query;
|
const { populate } = ctx.query;
|
||||||
const sanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility);
|
const inputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'input');
|
||||||
|
const outputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'output');
|
||||||
|
|
||||||
const workflowBody = await validateWorkflowCreate(body.data);
|
const workflowBody = await validateWorkflowCreate(body.data);
|
||||||
|
|
||||||
const workflowService = getService('workflows');
|
const workflowService = getService('workflows');
|
||||||
const createdWorkflow = await workflowService.create({ data: workflowBody, populate });
|
const createdWorkflow = await workflowService.create({
|
||||||
|
data: await inputSanitizer(workflowBody),
|
||||||
|
populate,
|
||||||
|
});
|
||||||
|
|
||||||
ctx.body = {
|
ctx.body = {
|
||||||
data: await sanitizer(createdWorkflow),
|
data: await outputSanitizer(createdWorkflow),
|
||||||
};
|
};
|
||||||
},
|
},
|
||||||
|
|
||||||
@ -53,7 +61,8 @@ module.exports = {
|
|||||||
const { body } = ctx.request;
|
const { body } = ctx.request;
|
||||||
const { populate } = ctx.query;
|
const { populate } = ctx.query;
|
||||||
const workflowService = getService('workflows');
|
const workflowService = getService('workflows');
|
||||||
const sanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility);
|
const inputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'input');
|
||||||
|
const outputSanitizer = sanitizeWorkflow({ strapi }, ctx.state.userAbility, 'output');
|
||||||
|
|
||||||
const workflowBody = await validateWorkflowUpdate(body.data);
|
const workflowBody = await validateWorkflowUpdate(body.data);
|
||||||
|
|
||||||
@ -63,12 +72,12 @@ module.exports = {
|
|||||||
}
|
}
|
||||||
|
|
||||||
const updatedWorkflow = await workflowService.update(workflow, {
|
const updatedWorkflow = await workflowService.update(workflow, {
|
||||||
data: workflowBody,
|
data: await inputSanitizer(workflowBody),
|
||||||
populate,
|
populate,
|
||||||
});
|
});
|
||||||
|
|
||||||
ctx.body = {
|
ctx.body = {
|
||||||
data: await sanitizer(updatedWorkflow),
|
data: await outputSanitizer(updatedWorkflow),
|
||||||
};
|
};
|
||||||
},
|
},
|
||||||
|
|
||||||
|
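Review bot: In the first hunk, `sanitizeWorkflow` treats every `type` other than `'input'` as `'output'`, so a misspelled argument at a call site (say `'inputs'`) silently returns the output sanitizer and the request body would reach `workflowService.create`/`update` unsanitized, which is exactly the path this commit sets out to close. A guard after the `permissionChecker` is built would make that a loud failure: `if (type !== 'input' && type !== 'output') throw new Error(\`Unknown sanitizer type: ${type}\`);`. The new JSDoc line would also be clearer with a type and the default spelled out, `@param {'input' | 'output'} [type='output'] - create a sanitizer for output or input`. In the `create` and `update` hunks the same permission checker is built twice per request (once per sanitizer); that is only a cost, not a defect, but a single `create()` call returning both functions would avoid it.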
@ -76,10 +76,15 @@ module.exports = {
|
|||||||
async updateEntity(ctx) {
|
async updateEntity(ctx) {
|
||||||
const stagesService = getService('stages');
|
const stagesService = getService('stages');
|
||||||
const workflowService = getService('workflows');
|
const workflowService = getService('workflows');
|
||||||
const sanitizer = sanitizeStage({ strapi }, ctx.state.userAbility);
|
|
||||||
const { model_uid: modelUID, id: entityIdString } = ctx.params;
|
const { model_uid: modelUID, id: entityIdString } = ctx.params;
|
||||||
const entityId = Number(entityIdString);
|
const entityId = Number(entityIdString);
|
||||||
|
|
||||||
|
const { sanitizeOutput } = strapi
|
||||||
|
.plugin('content-manager')
|
||||||
|
.service('permission-checker')
|
||||||
|
.create({ userAbility: ctx.state.userAbility, model: modelUID });
|
||||||
|
|
||||||
const { id: stageId } = await validateUpdateStageOnEntity(
|
const { id: stageId } = await validateUpdateStageOnEntity(
|
||||||
ctx.request?.body?.data,
|
ctx.request?.body?.data,
|
||||||
'You should pass an id to the body of the put request.'
|
'You should pass an id to the body of the put request.'
|
||||||
@ -88,8 +93,8 @@ module.exports = {
|
|||||||
const workflow = await workflowService.assertContentTypeBelongsToWorkflow(modelUID);
|
const workflow = await workflowService.assertContentTypeBelongsToWorkflow(modelUID);
|
||||||
workflowService.assertStageBelongsToWorkflow(stageId, workflow);
|
workflowService.assertStageBelongsToWorkflow(stageId, workflow);
|
||||||
|
|
||||||
const stage = await stagesService.updateEntity({ id: entityId, modelUID }, stageId);
|
const entity = await stagesService.updateEntity({ id: entityId, modelUID }, stageId);
|
||||||
|
|
||||||
ctx.body = { data: await sanitizer(stage) };
|
ctx.body = { data: await sanitizeOutput(entity) };
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
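Review bot: In `updateEntity`, the permission checker is now created with `model: modelUID` taken straight from `ctx.params` before `assertContentTypeBelongsToWorkflow(modelUID)` in the next hunk has validated that uid, so an unknown content type now hits `permission-checker.create()` first; I can't tell from here whether `create()` tolerates an unknown model or throws, so if it throws the client gets an internal error instead of the assertion's response. Moving the `const { sanitizeOutput } = strapi…create({ userAbility: ctx.state.userAbility, model: modelUID });` statement to just after the `assertStageBelongsToWorkflow` call keeps validation ahead of any model lookup. With the `sanitizeStage` call removed, its import at the top of the file (outside this section) may now be unused.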