yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-08-26 17:53:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: inconsistent publish permissions (#20668)

Browse Source 
* fix: inconsistent publish permissions

* fix: tests

* fix: api tests

* fix: is create should be is nil

* fix: publish and update by using locale

* fix: remove some conditions to the Document actions

---------

Co-authored-by: Simone Taeggi <startae14@gmail.com>
This commit is contained in:
Marc Roig 2024-07-22 10:03:14 +02:00 committed by GitHub
parent 5a07acc502
commit 8ddb1ecebc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 43 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
packages/core/content-manager/admin/src/pages/EditView/components/DocumentActions.tsx
View File

@ -666,8 +666,6 @@ const PublishAction: DocumentActionComponent = ({
* - the document is already published & not modified * - the document is already published & not modified
* - the document is being created & not modified * - the document is being created & not modified
* - the user doesn't have the permission to publish * - the user doesn't have the permission to publish
* - the user doesn't have the permission to create a new document
* - the user doesn't have the permission to update the document
*/ */
disabled: disabled:
isCloning || isCloning ||
@ -676,8 +674,7 @@ const PublishAction: DocumentActionComponent = ({
activeTab === 'published' || activeTab === 'published' ||
(!modified && isDocumentPublished) || (!modified && isDocumentPublished) ||
(!modified && !document?.documentId) || (!modified && !document?.documentId) ||
!canPublish || !canPublish,
Boolean((!document?.documentId && !canCreate) || (document?.documentId && !canUpdate)),
label: formatMessage({ label: formatMessage({
id: 'app.utils.publish', id: 'app.utils.publish',
defaultMessage: 'Publish', defaultMessage: 'Publish',
@ -754,14 +751,8 @@ const UpdateAction: DocumentActionComponent = ({
* - the form is submitting * - the form is submitting
* - the document is not modified & we're not cloning (you can save a clone entity straight away) * - the document is not modified & we're not cloning (you can save a clone entity straight away)
* - the active tab is the published tab * - the active tab is the published tab
* - the user doesn't have the permission to create a new document
* - the user doesn't have the permission to update the document
*/ */
disabled: disabled: isSubmitting || (!modified && !isCloning) || activeTab === 'published',
isSubmitting ||
(!modified && !isCloning) ||
activeTab === 'published' ||
Boolean((!documentId && !canCreate) || (documentId && !canUpdate)),
label: formatMessage({ label: formatMessage({
id: 'content-manager.containers.Edit.save', id: 'content-manager.containers.Edit.save',
defaultMessage: 'Save', defaultMessage: 'Save',

47
packages/core/content-manager/server/src/controllers/collection-types.ts
View File

@ -1,5 +1,6 @@
import { setCreatorFields, async, errors } from '@strapi/utils'; import { isNil } from 'lodash/fp';
import { setCreatorFields, async, errors } from '@strapi/utils';
import type { Modules, UID } from '@strapi/types'; import type { Modules, UID } from '@strapi/types';
import { getService } from '../utils'; import { getService } from '../utils';
@ -390,17 +391,49 @@ export default {
.countRelations() .countRelations()
.build(); .build();
const document = id let document: any;
? await updateDocument(ctx, { populate })
: await createDocument(ctx, { populate }); const { locale } = await getDocumentLocaleAndStatus(body, model);
/**
* Publish can be called on two scenarios:
* 1. Create a new document and publish it in one request
* 2. Update an existing document and publish it in one request
*
* Based on user permissions:
* 1. User cannot create a document, but can publish
* Action will be forbidden as user cannot create a document
* 2. User can update and publish a document
* Action will be allowed, but document will not be updated, only published with the latest draft
*/
const isCreate = isNil(id);
if (isCreate) {
if (permissionChecker.cannot.create()) {
throw new errors.ForbiddenError();
}
document = await createDocument(ctx, { populate });
}
const isUpdate = !isCreate;
if (isUpdate) {
document = await documentManager.findOne(id!, model, { populate, locale });
if (!document) {
throw new errors.NotFoundError('Document not found');
}
// Only Update if user has update permissions
if (permissionChecker.can.update(document)) {
await updateDocument(ctx);
}
}
if (permissionChecker.cannot.publish(document)) { if (permissionChecker.cannot.publish(document)) {
throw new errors.ForbiddenError(); throw new errors.ForbiddenError();
} }
const { locale } = await getDocumentLocaleAndStatus(body, model); const publishResult = await documentManager.publish(document.documentId, model, {
const publishResult = await documentManager.publish(document!.documentId, model, {
locale, locale,
// TODO: Allow setting creator fields on publish // TODO: Allow setting creator fields on publish
// data: setCreatorFields({ user, isEdition: true })({}), // data: setCreatorFields({ user, isEdition: true })({}),

1
tests/api/core/admin/admin-permissions-custom-conditions.test.api.js
View File

@ -267,6 +267,7 @@ describe('Admin Permissions - Conditions', () => {
const res = await rq({ const res = await rq({
method: 'POST', method: 'POST',
url: `/content-manager/collection-types/api::article.article/${documentId}/actions/publish`, url: `/content-manager/collection-types/api::article.article/${documentId}/actions/publish`,
body: { ...localTestData.cheapArticle, category: localTestData.categories[0].documentId },
}); });
expect(res.statusCode).toBe(200); expect(res.statusCode).toBe(200);