Update permissions from UI in database

packages/strapi-plugin-users-permissions/config/queries/mongoose.js

@@ -46,10 +46,20 @@ module.exports = {
     });
   },
 
-  update: async function (params) {
+  update: async function (search, params) {
-    return this.update({
+    if (!params) {
-      [this.primaryKey]: params[this.primaryKey] || params.id
+      search = params;
-    }, params, {
+    }
+
+    const primaryKey = params[this.primaryKey] || params.id;
+
+    if (primaryKey) {
+      search = {
+        [this.primaryKey]: params[this.primaryKey] || params.id
+      }
+    }
+
+    return this.update(search, params, {
       strict: false
     })
     .catch((error) => {

packages/strapi-plugin-users-permissions/controllers/UsersPermissions.js

@@ -128,10 +128,15 @@ module.exports = {
     return ctx.send(data);
   },
 
-  updateRole: async (ctx) => {
+  updateRole: async function (ctx) {
-    const roleId = ctx.params.role;
+    // Fetch root role.
-    // Prevent from updating the Administrator role
+    const root = await strapi.query('role', 'users-permissions').findOne({ type: 'root' });
-    if (roleId === '0') {
+
+    const roleID = ctx.params.role;
+    const rootID = root.id || root._id;
+
+    // Prevent from updating the root role.
+    if (roleID === rootID) {
       return ctx.badRequest(null, [{ messages: [{ id: 'Unauthorized' }] }]);
     }
 
@@ -140,7 +145,8 @@ module.exports = {
     }
 
     try {
-      await strapi.plugins['users-permissions'].services.userspermissions.updateRole(roleId, ctx.request.body);
+      await strapi.plugins['users-permissions'].services.userspermissions.updateRole(roleID, ctx.request.body);
+
       ctx.send({ ok: true });
     } catch(error) {
       ctx.badRequest(null, [{ messages: [{ id: 'An error occurred' }] }]);

packages/strapi-plugin-users-permissions/services/Jwt.js

@@ -51,10 +51,17 @@ module.exports = {
         token,
         process.env.JWT_SECRET || _.get(strapi.plugins['users-permissions'], 'config.jwtSecret') || 'oursecret',
         {},
-        function (err, user) {
+        function (err, user = {}) {
-          if (err || !user || !_.get(user, 'id', '').toString()) {
+          if (err) {
             return reject('Invalid token.');
           }
+
+          const { _id, id } = user;
+
+          if ((id || _id) === undefined) {
+            return reject('Invalid token #2.');
+          }
+
           resolve(user);
         }
       );

packages/strapi-plugin-users-permissions/services/UsersPermissions.js

@@ -107,13 +107,20 @@ module.exports = {
       throw new Error('Cannot found this role');
     }
 
-    // Add `information` key.
+    // Group by `type`.
-    role.permissions
+    role.permissions = role.permissions.reduce((acc, permission) => {
-      .filter(permission => permission.type !== 'application')
+      _.set(acc, `${permission.type}.controllers.${permission.controller}.${permission.action}`, {
-      .map((permission, index) => {
+        enabled: permission.enabled,
-        role.permissions[index].information = plugins.find(plugin => plugin.id === permission.type) || {};
+        policy: permission.policy
       });
 
+      if (permission.type !== 'application' && !acc[permission.type].information) {
+        acc[permission.type].information = plugins.find(plugin => plugin.id === permission.type) || {};
+      }
+
+      return acc;
+    }, {});
+
     return role;
   },
 
@@ -252,29 +259,43 @@ module.exports = {
     await this.updatePermissions(cb);
   },
 
-  updateRole: async (roleId, body) => {
+  updateRole: async function (roleID, body) {
-    const appRoles = strapi.plugins['users-permissions'].config.roles
+    const [role, guest] = await Promise.all([
-    const updatedRole = _.pick(body, ['name', 'description', 'permissions']);
+      this.getRole(roleID, []),
-    _.set(appRoles, [roleId], updatedRole);
+      strapi.query('role', 'users-permissions').findOne({ type: 'guest' }, [])
+    ]);
 
-    // TODO:
+    const arrayOfPromises = Object.keys(body.permissions).reduce((acc, type) => {
-    // - Call request.
+      Object.keys(body.permissions[type].controllers).forEach(controller => {
-    // Role.update()
+        Object.keys(body.permissions[type].controllers[controller]).forEach(action => {
+          const bodyAction = body.permissions[type].controllers[controller][action];
+          const currentAction = _.get(role.permissions, `${type}.controllers.${controller}.${action}`, {});
 
-    module.exports.writePermissions(appRoles);
+          if (_.differenceWith([bodyAction], [currentAction]).length > 0) {
+            acc.push(strapi.query('permission', 'users-permissions').update({
+              role: roleID,
+              type,
+              controller,
+              action
+            }, bodyAction));
+          }
+        });
+      });
 
-    const currentUsers = await strapi.query('user', 'users-permissions').find(strapi.utils.models.convertParams('user', {
+      return acc;
-      role: roleId
+    }, []);
-    }));
-    const userToAdd = _.differenceBy(body.users, currentUsers.toJSON ? currentUsers.toJSON() : currentUsers, 'id');
-    const userToRemove = _.differenceBy(currentUsers.toJSON ? currentUsers.toJSON() : currentUsers, body.users, 'id');
 
-    _.forEach(userToAdd, (user) => {
+    // Add user to this role.
-      module.exports.updateUserRole(user, roleId);
+    _.differenceBy(body.users, role.users, role._id ? '_id' : 'id').forEach(user => {
-    });
+      arrayOfPromises.push(this.updateUserRole(user, roleID));
-    _.forEach(userToRemove, (user) => {
+    })
-      module.exports.updateUserRole(user, '1');
+
+    // Remove user to this role and link him to guest.
+    _.differenceBy(role.users, body.users, role._id ? '_id' : 'id').forEach(user => {
+      arrayOfPromises.push(this.updateUserRole(user, guest._id || guest.id));
     });
+
+    return Promise.all(arrayOfPromises);
   },
 
   updateUserRole: async (user, role) => {