feat: sanitize update assignee entity

Marc-Roig 2023-06-07 10:47:17 +02:00
parent 82668517b2
commit b64acedc45
No known key found for this signature in database
GPG Key ID: FB4E2C43A0BEE249


@ -21,20 +21,27 @@ module.exports = {
*/
async updateEntity(ctx) {
const assigneeService = getService('assignees');
const { model_uid: modelUID, id: entityIdString } = ctx.params;
const entityId = Number(entityIdString);
const { model_uid: model, id } = ctx.params;
const permissionChecker = strapi
.plugin('content-manager')
.service('permission-checker')
.create({ userAbility: ctx.state.userAbility, model });
// TODO: check if user has update permission on the entity
const { id: assigneeId } = await validateUpdateAssigneeOnEntity(
ctx.request?.body?.data,
'You should pass an id to the body of the put request.'
'You should pass a valid id to the body of the put request.'
);
if (!hasReviewWorkflow({ strapi }, modelUID)) {
throw new ApplicationError(`Review workflows is not activated on ${modelUID}.`);
if (!hasReviewWorkflow({ strapi }, model)) {
throw new ApplicationError(`Review workflows is not activated on ${model}.`);
}
const data = await assigneeService.updateEntity({ id: entityId, modelUID }, assigneeId);
const entity = await assigneeService.updateEntityAssignee(id, model, assigneeId);
const sanitizedEntity = await permissionChecker.sanitizeOutput(entity);
ctx.body = { data };
ctx.body = { data: sanitizedEntity };
},
};
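Review bot: The update-permission check in `updateEntity` is still only a TODO: `permissionChecker` is created but used solely for `sanitizeOutput`, so the write through `assigneeService.updateEntityAssignee(id, model, assigneeId)` runs with no per-entity authorization visible in this hunk. Unless a route policy outside the hunk already enforces it, a caller who can reach this route may be able to change the assignee on entities they are not allowed to update. Load the entity before the write, handle the not-found case, and reject early with something like `if (permissionChecker.cannot.update(entity)) return ctx.forbidden();`. Separately, `id` is now passed as the raw string from `ctx.params` where the old code converted it with `Number(...)`, so it is worth confirming that the service validates or accepts that form.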