Add missing RBAC check in the FE & fix lodash fp/no fp errors

2025-12-28 15:44:59 +00:00 · 2023-02-26 19:12:28 +01:00 · 2023-02-26 19:12:28 +01:00 · 879398552f
commit 879398552f
parent 2d48bf2ba0
2 changed files with 20 additions and 7 deletions
--- a/packages/core/admin/ee/admin/hooks/useLicenseLimits/index.js
+++ b/packages/core/admin/ee/admin/hooks/useLicenseLimits/index.js
@ -1,7 +1,17 @@
-import { useFetchClient } from '@strapi/helper-plugin';
+import { useFetchClient, useRBAC } from '@strapi/helper-plugin';
 import { useQuery } from 'react-query';
+import adminPermissions from '../../../../admin/src/permissions';

 const useLicenseLimits = () => {
+  const rbac = useRBAC(adminPermissions.settings.users);
+
+  const {
+    isLoading: isRBACLoading,
+    allowedActions: { canRead, canCreate, canUpdate, canDelete },
+  } = rbac;
+
+  const isRBACAllowed = canRead && canCreate && canUpdate && canDelete;
+
  const { get } = useFetchClient();
  const fetchLicenseLimitInfo = async () => {
    const {
@ -11,7 +21,9 @@ const useLicenseLimits = () => {
    return data;
  };

-  const license = useQuery(['ee', 'license-limit-info'], fetchLicenseLimitInfo);
+  const license = useQuery(['ee', 'license-limit-info'], fetchLicenseLimitInfo, {
+    enabled: !isRBACLoading && isRBACAllowed,
+  });

  return { license };
 };
--- a/packages/core/admin/ee/server/services/user.js
+++ b/packages/core/admin/ee/server/services/user.js
@ -1,6 +1,7 @@
 'use strict';

-const { pipe, castArray, map, toNumber, omit, pick, has } = require('lodash/fp');
+const _ = require('lodash');
+const { pipe, map, castArray, toNumber } = require('lodash/fp');
 const { stringIncludes } = require('@strapi/utils');
 const { ValidationError } = require('@strapi/utils').errors;
 const { hasSuperAdminRole } = require('../../../server/domain/user');
@ -65,7 +66,7 @@ const removeFromEEDisabledUsersList = async (ids) => {
 */
 const updateById = async (id, attributes) => {
  // Check at least one super admin remains
-  if (has(attributes, 'roles')) {
+  if (_.has(attributes, 'roles')) {
    const lastAdminUser = await isLastSuperAdminUser(id);
    const superAdminRole = await getService('role').getSuperAdminWithUsersCount();
    const willRemoveSuperAdminRole = !stringIncludes(attributes.roles, superAdminRole.id);
@ -84,7 +85,7 @@ const updateById = async (id, attributes) => {
  }

  // hash password if a new one is sent
-  if (has(attributes, 'password')) {
+  if (_.has(attributes, 'password')) {
    const hashedPassword = await getService('auth').hashPassword(attributes.password);

    const updatedUser = await strapi.query('admin::user').update({
@ -188,7 +189,7 @@ const deleteByIds = async (ids) => {
  return deletedUsers;
 };

-const sanitizeUserRoles = (role) => pick(role, ['id', 'name', 'description', 'code']);
+const sanitizeUserRoles = (role) => _.pick(role, ['id', 'name', 'description', 'code']);

 /**
 * Check if a user is the last super admin
@ -207,7 +208,7 @@ const isLastSuperAdminUser = async (userId) => {
 */
 const sanitizeUser = (user) => {
  return {
-    ...omit(user, ['password', 'resetPasswordToken', 'registrationToken', 'roles']),
+    ..._.omit(user, ['password', 'resetPasswordToken', 'registrationToken', 'roles']),
    roles: user.roles && user.roles.map(sanitizeUserRoles),
  };
 };