yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-09-27 09:25:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: sanitize update assignee entity

Browse Source
This commit is contained in:
Marc-Roig 2023-06-07 10:47:17 +02:00
parent 82668517b2
commit b64acedc45
No known key found for this signature in database
GPG Key ID: FB4E2C43A0BEE249
1 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
packages/core/admin/ee/server/controllers/workflows/assignees/index.js
View File

@ -21,20 +21,27 @@ module.exports = {
*/ */
async updateEntity(ctx) { async updateEntity(ctx) {
const assigneeService = getService('assignees'); const assigneeService = getService('assignees');
const { model_uid: modelUID, id: entityIdString } = ctx.params; const { model_uid: model, id } = ctx.params;
const entityId = Number(entityIdString);
const permissionChecker = strapi
.plugin('content-manager')
.service('permission-checker')
.create({ userAbility: ctx.state.userAbility, model });
// TODO: check if user has update permission on the entity
const { id: assigneeId } = await validateUpdateAssigneeOnEntity( const { id: assigneeId } = await validateUpdateAssigneeOnEntity(
ctx.request?.body?.data, ctx.request?.body?.data,
'You should pass an id to the body of the put request.' 'You should pass a valid id to the body of the put request.'
); );
if (!hasReviewWorkflow({ strapi }, modelUID)) { if (!hasReviewWorkflow({ strapi }, model)) {
throw new ApplicationError(`Review workflows is not activated on ${modelUID}.`); throw new ApplicationError(`Review workflows is not activated on ${model}.`);
} }
const data = await assigneeService.updateEntity({ id: entityId, modelUID }, assigneeId); const entity = await assigneeService.updateEntityAssignee(id, model, assigneeId);
const sanitizedEntity = await permissionChecker.sanitizeOutput(entity);
ctx.body = { data }; ctx.body = { data: sanitizedEntity };
}, },
}; };