Merge pull request #17793 from strapi/rw-stage-rbac/support-partial-updates

Support partial updates of review workflow stage permissions

api-tests/core/admin/ee/review-workflows.test.api.js

@@ -648,8 +648,14 @@ describeOnCondition(edition === 'EE')('Review workflows', () => {
     let utils;
     let entry;
     let restrictedRequest;
+    let restrictedUser;
     let restrictedRole;
 
+    const deleteFixtures = async () => {
+      await utils.deleteUserById(restrictedUser.id);
+      await utils.deleteRolesById([restrictedRole.id]);
+    };
+
     beforeAll(async () => {
       // Update workflow to assign content type
       await requests.admin.put(`/admin/review-workflows/workflows/${testWorkflow.id}?populate=*`, {
@@ -658,24 +664,28 @@ describeOnCondition(edition === 'EE')('Review workflows', () => {
 
       entry = await createEntry(productUID, { name: 'Product' });
 
-      const restrictedUser = {
-        email: 'restricted@user.io',
-        password: 'Restricted123',
-      };
-
       utils = createUtils(strapi);
       const role = await utils.createRole({
         name: 'restricted-role',
         description: '',
       });
+      restrictedRole = role;
 
-      await utils.createUserIfNotExists({
-        ...restrictedUser,
+      const restrictedUserInfo = {
+        email: 'restricted@user.io',
+        password: 'Restricted123',
+      };
+
+      restrictedUser = await utils.createUserIfNotExists({
+        ...restrictedUserInfo,
         roles: [role.id],
       });
 
-      restrictedRole = role;
-      restrictedRequest = await createAuthRequest({ strapi, userInfo: restrictedUser });
+      restrictedRequest = await createAuthRequest({ strapi, userInfo: restrictedUserInfo });
+    });
+
+    afterAll(async () => {
+      await deleteFixtures();
     });
 
     test("It shouldn't be available for public", async () => {

packages/core/admin/ee/server/services/__tests__/stages.test.js

@@ -247,5 +247,29 @@ describe('Review workflows - Stages service', () => {
       expect(entityServiceMock.update).toBeCalled();
       expect(entityServiceMock.delete).toBeCalled();
     });
+
+    test('Undefined destination stage permissions should apply a partial permission update', async () => {
+      const srcStages = workflowMock.stages.map((stage) => ({
+        ...stage,
+        permissions: [{ id: 1, role: 'role', action: 'action' }],
+      }));
+
+      const destStages = workflowMock.stages.map((stage, index) => ({
+        ...stage,
+        name: `Updated Name ${index}`,
+      }));
+
+      await stagesService.replaceStages(srcStages, destStages);
+
+      expect(entityServiceMock.create).not.toBeCalled();
+      expect(entityServiceMock.delete).not.toBeCalled();
+      expect(entityServiceMock.update).toBeCalledTimes(4);
+
+      destStages.forEach((stage, index) => {
+        expect(entityServiceMock.update).toBeCalledWith('admin::workflow-stage', stage.id, {
+          data: { ...stage, permissions: srcStages[index].permissions },
+        });
+      });
+    });
   });
 });

packages/core/admin/ee/server/services/review-workflows/stages.js

@@ -78,12 +78,12 @@ module.exports = ({ strapi }) => {
     },
 
     async update(srcStage, destStage) {
-      let stagePermissions = [];
+      let stagePermissions = srcStage?.permissions ?? [];
       const stageId = destStage.id;
 
+      if (destStage.permissions) {
         await this.deleteStagePermissions([srcStage]);
 
-      if (destStage.permissions) {
         const permissions = await mapAsync(destStage.permissions, (permission) =>
           stagePermissionsService.register(permission.role, permission.action, stageId)
         );
@@ -153,6 +153,7 @@ module.exports = ({ strapi }) => {
         // Update the workflow stages
         await mapAsync(updated, (destStage) => {
           const srcStage = srcStages.find((s) => s.id === destStage.id);
+
           return this.update(srcStage, destStage);
         });