Merge pull request #14234 from strapi/api-token-v2/allow-empty-permissions-array

allow empty array of permissions
2025-12-26 06:35:47 +00:00 · 2022-08-29 12:34:57 +02:00 · 2022-08-29 12:34:57 +02:00 · b4c8cae41d
commit b4c8cae41d
parent 4f7db2ef72 2dea049a8c
3 changed files with 73 additions and 7 deletions
--- a/packages/core/admin/server/services/tests/api-token.test.js
+++ b/packages/core/admin/server/services/tests/api-token.test.js
@ -188,6 +188,78 @@ describe('API Token', () => {
      });
    });

+    test('Creates a custom token with no permissions', async () => {
+      const attributes = {
+        name: 'api-token_tests-name',
+        description: 'api-token_tests-description',
+        type: 'custom',
+        permissions: [],
+      };
+      const createTokenResult = {
+        ...attributes,
+        lifespan: null,
+        expiresAt: null,
+        id: 1,
+      };
+
+      const findOne = jest.fn().mockResolvedValue(omit('permissions', createTokenResult));
+      const create = jest.fn().mockResolvedValue(createTokenResult);
+      const load = jest.fn().mockResolvedValueOnce(
+        Promise.resolve(
+          attributes.permissions.map((p) => {
+            return {
+              action: p,
+            };
+          })
+        )
+      );
+
+      global.strapi = {
+        query() {
+          return {
+            findOne,
+            create,
+          };
+        },
+        config: {
+          get: jest.fn(() => ''),
+        },
+        entityService: {
+          load,
+        },
+      };
+
+      const res = await apiTokenService.create(attributes);
+
+      expect(load).toHaveBeenCalledWith(
+        'admin::api-token',
+        {
+          ...createTokenResult,
+        },
+        'permissions'
+      );
+
+      // call to create token
+      expect(create).toHaveBeenCalledTimes(1);
+      expect(create).toHaveBeenNthCalledWith(1, {
+        select: expect.arrayContaining([expect.any(String)]),
+        data: {
+          ...omit('permissions', attributes),
+          accessKey: apiTokenService.hash(mockedApiToken.hexedString),
+          expiresAt: null,
+          lifespan: null,
+        },
+        populate: ['permissions'],
+      });
+
+      expect(res).toEqual({
+        ...createTokenResult,
+        accessKey: mockedApiToken.hexedString,
+        expiresAt: null,
+        lifespan: null,
+      });
+    });
+
    test('Creates a custom token with duplicate permissions should ignore duplicates', async () => {
      const attributes = {
        name: 'api-token_tests-name',
--- a/packages/core/admin/server/services/api-token.js
+++ b/packages/core/admin/server/services/api-token.js
@ -62,7 +62,7 @@ const assertCustomTokenPermissionsValidity = (attributes) => {
  }

  // Custom type tokens should always have permissions attached to them
-  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM && isEmpty(attributes.permissions)) {
+  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM && !isArray(attributes.permissions)) {
    throw new ValidationError('Missing permissions attribute for custom token');
  }
 };
--- a/packages/core/admin/server/tests/admin-api-token-crud.test.e2e.js
+++ b/packages/core/admin/server/tests/admin-api-token-crud.test.e2e.js
@ -304,11 +304,6 @@ describe('Admin API Token v2 CRUD (e2e)', () => {
    });
  });

-  /**
-   * TODO: Discuss: Which behaviour do we want? Should an empty array be treated the same as omitted/undefined?
-   * Easy to change in assertCustomTokenPermissionsValidity by checking isEmpty (to allow empty) vs !attributes.permissions
-   */
-
  test('Creates a non-custom api token with empty permissions attribute', async () => {
    const body = {
      name: 'api-token_tests-fullAccessFailWithEmptyPermissions',
@ -374,7 +369,6 @@ describe('Admin API Token v2 CRUD (e2e)', () => {
      name: 'api-token_tests-customFail',
      description: 'api-token_tests-description',
      type: 'custom',
-      permissions: [],
    };

    const res = await rq({