diff --git a/api-tests/core/admin/ee/review-workflows.test.api.js b/api-tests/core/admin/ee/review-workflows.test.api.js
index 74e8722e54..17c84f13be 100644
--- a/api-tests/core/admin/ee/review-workflows.test.api.js
+++ b/api-tests/core/admin/ee/review-workflows.test.api.js
@@ -74,14 +74,21 @@ describeOnCondition(edition === 'EE')('Review workflows', () => {
 return body;
 };
- const updateContentType = async (uid, data) => {
- const result = await requests.admin({
- method: 'PUT',
- url: `/content-type-builder/content-types/${uid}`,
- body: data,
+ /**
+ * Create a full access token to authenticate the content API with
+ */
+ const getFullAccessToken = async () => {
+ const res = await requests.admin.post('/admin/api-tokens', {
+ body: {
+ lifespan: null,
+ description: '',
+ type: 'full-access',
+ name: 'Full Access',
+ permissions: null,
+ },
 });
- expect(result.statusCode).toBe(201);
+ return res.body.data.accessKey;
 };
 beforeAll(async () => {
@@ -89,9 +96,9 @@ describeOnCondition(edition === 'EE')('Review workflows', () => {
 // eslint-disable-next-line node/no-extraneous-require
 hasRW = require('@strapi/strapi/lib/utils/ee').features.isEnabled('review-workflows');
- strapi = await createStrapiInstance();
- requests.public = createRequest({ strapi });
+ strapi = await createStrapiInstance({ bypassAuth: false });
 requests.admin = await createAuthRequest({ strapi });
+ requests.public = createRequest({ strapi }).setToken(await getFullAccessToken());
 defaultStage = await strapi.query(STAGE_MODEL_UID).create({
 data: { name: 'Stage' },
@@ -509,6 +516,7 @@ describeOnCondition(edition === 'EE')('Review workflows', () => {
 test('Should update the assignee on an entity', async () => {
 const entry = await createEntry(productUID, { name: 'Product' });
 const user = requests.admin.getLoggedUser();
+
 const response = await requests.admin({
 method: 'PUT',
 url: `/admin/content-manager/collection-types/${productUID}/${entry.id}/assignee`,
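Review bot: `getFullAccessToken` reads `res.body.data.accessKey` without checking that the token creation succeeded, whereas the `updateContentType` helper it replaces asserted the status code. If `POST /admin/api-tokens` fails (missing permission, validation error), the problem surfaces later as `setToken(undefined)` and an opaque 401/403 on the content-API calls instead of at the setup step; add `expect(res.statusCode).toBe(201);` (or whichever success status that endpoint returns — verify) and `expect(res.body.data.accessKey).toBeDefined();` before the `return`. The token is created as full-access with `lifespan: null` and nothing in this hunk revokes it, so confirm the test database is discarded after the suite or add the cleanup in `afterAll`, which is outside the hunk.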
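Review bot: `requests.public` is now built with a full-access API token, so its name no longer describes what it is: every later `requests.public` call in this file (outside the hunk) runs with full-access permissions rather than as the public role, and the explicit `bypassAuth: false` suggests those calls previously had auth bypassed altogether. If any of those tests were meant to exercise public-role restrictions they would now pass for the wrong reason; if the intent is only an authenticated content-API client, a comment on the assignment such as `// content-API client authenticated with a full-access API token (not the public role)`, or renaming the property, would make that explicit. The `beforeAll` body continues outside the hunk.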
@@ -538,6 +546,34 @@ describeOnCondition(edition === 'EE')('Review workflows', () => {
 expect(response.body.error.name).toEqual('ApplicationError');
 expect(response.body.error.message).toEqual('Selected user does not exist');
 });
+
+ test('Correctly sanitize private fields of assignees in the content API', async () => {
+ const assigneeAttribute = 'strapi_assignee';
+
+ const { status, body } = await requests.public.get(`/api/${model.pluralName}`, {
+ qs: { populate: assigneeAttribute },
+ });
+
+ expect(status).toBe(200);
+
+ const privateUserFields = [
+ 'password',
+ 'email',
+ 'resetPasswordToken',
+ 'registrationToken',
+ 'isActive',
+ 'roles',
+ 'blocked',
+ ];
+
+ // Assert that every assignee returned is sanitized correctly
+ body.data.forEach((item) => {
+ expect(item.attributes).toHaveProperty(assigneeAttribute);
+ privateUserFields.forEach((field) => {
+ expect(item.attributes[assigneeAttribute]).not.toHaveProperty(field);
+ });
+ });
+ });
 });
 describe('Review Workflow is disabled', () => {
diff --git a/api-tests/core/strapi/api/populate/sanitize.test.api.js b/api-tests/core/strapi/api/populate/sanitize.test.api.js
index 94e04aba54..7d028d74c1 100644
--- a/api-tests/core/strapi/api/populate/sanitize.test.api.js
+++ b/api-tests/core/strapi/api/populate/sanitize.test.api.js
@@ -11,7 +11,7 @@ const builder = createTestBuilder();
 let strapi;
 let file;
-let rq;
+let contentAPIRequest;
 const schemas = {
 contentTypes: {
@@ -85,9 +85,9 @@ const fixtures = {
 const uploadFile = async () => {
 const strapi = await createStrapiInstance();
- const rq = await createAuthRequest({ strapi });
+ const request = await createAuthRequest({ strapi });
- const res = await rq({
+ const res = await request({
 method: 'POST',
 url: '/upload',
 formData: {
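Review bot: The new test passes vacuously when `body.data` is empty or when no entry carries an assignee, because every assertion sits inside `body.data.forEach` and `toHaveProperty(assigneeAttribute)` is satisfied by a null relation, so nothing proves a populated admin user was actually inspected. It is also unclear which object the `not.toHaveProperty(field)` checks run against: if the content API returns the relation in its `{ data: { id, attributes } }` envelope (the sibling sanitize tests read `body.data[0].attributes.cover`), the checks look at the wrapper and would pass even if `password` leaked under `data.attributes`. Collect the non-null assignees, require at least one, and point the assertions at the object that carries the user fields after confirming the envelope shape against a real response, for example as below. `model` and the enclosing `describe` are outside the hunk.
```javascript
    expect(status).toBe(200);

    // … unchanged: privateUserFields list …

    const assignees = body.data
      .map((item) => item.attributes[assigneeAttribute])
      .filter((assignee) => assignee != null);

    // Without this the loop below passes vacuously on an empty result set
    expect(assignees.length).toBeGreaterThan(0);

    assignees.forEach((assignee) => {
      // TODO(review): if the relation is wrapped as { data: { attributes } },
      // unwrap to `assignee.data.attributes` here before checking fields
      privateUserFields.forEach((field) => {
        expect(assignee).not.toHaveProperty(field);
      });
    });
```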
@@ -113,7 +113,7 @@ describe('Sanitize populated entries', () => {
 .build();
 strapi = await createStrapiInstance();
- rq = createContentAPIRequest({ strapi });
+ contentAPIRequest = createContentAPIRequest({ strapi });
 });
 afterAll(async () => {
@@ -123,15 +123,18 @@ describe('Sanitize populated entries', () => {
 describe('Populate simple media', () => {
 test('Media can be populated without restricted attributes', async () => {
- const { status, body } = await rq.get(`/${schemas.contentTypes.a.pluralName}`, {
- qs: {
- populate: {
- cover: {
- populate: '*',
+ const { status, body } = await contentAPIRequest.get(
+ `/${schemas.contentTypes.a.pluralName}`,
+ {
+ qs: {
+ populate: {
+ cover: {
+ populate: '*',
+ },
 },
 },
- },
- });
+ }
+ );
 expect(status).toBe(200);
 expect(body.data[0].attributes.cover).toBeDefined();
@@ -140,7 +143,7 @@ describe('Sanitize populated entries', () => {
 });
 test("Media's relations (from related) can be populated without restricted attributes", async () => {
- const { status, body } = await rq.get(`/upload/files/${file.id}`, {
+ const { status, body } = await contentAPIRequest.get(`/upload/files/${file.id}`, {
 qs: { populate: { related: { populate: '*' } } },
 });
@@ -163,7 +166,7 @@ describe('Sanitize populated entries', () => {
 test('Wildcard populate is transformed to an exhaustive list of populatable fields', async () => {
 const findManyMock = jest.spyOn(strapi.entityService, 'findMany');
- const { status } = await rq.get(`/${schemas.contentTypes.b.pluralName}`, {
+ const { status } = await contentAPIRequest.get(`/${schemas.contentTypes.b.pluralName}`, {
 qs: { fields: ['id'], populate: '*' },
 });