From cc1371d18e2eb7916ba72213af6f9e8fe0fe9b1c Mon Sep 17 00:00:00 2001
From: Jamie Howard
Date: Thu, 31 Aug 2023 16:33:24 +0100
Subject: [PATCH] test(content-api): sanitization of strapi_assignee on review workflow content types
---
 .../strapi/api/populate/sanitize.test.api.js | 56 ++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)
diff --git a/api-tests/core/strapi/api/populate/sanitize.test.api.js b/api-tests/core/strapi/api/populate/sanitize.test.api.js
index 94e04aba54..b9b51c91e6 100644
--- a/api-tests/core/strapi/api/populate/sanitize.test.api.js
+++ b/api-tests/core/strapi/api/populate/sanitize.test.api.js
@@ -6,12 +6,15 @@ const path = require('path');
 const { createTestBuilder } = require('api-tests/builder');
 const { createStrapiInstance } = require('api-tests/strapi');
 const { createContentAPIRequest, createAuthRequest } = require('api-tests/request');
+const { createUtils } = require('api-tests/utils');
 const builder = createTestBuilder();
 let strapi;
 let file;
 let rq;
+let adminUser;
+let utils;
 const schemas = {
 contentTypes: {
@@ -114,9 +117,23 @@ describe('Sanitize populated entries', () => {
 strapi = await createStrapiInstance();
 rq = createContentAPIRequest({ strapi });
+
+ utils = createUtils(strapi);
+
+ const userInfo = {
+ email: 'test@strapi.io',
+ firstname: 'test',
+ lastname: 'strapi',
+ registrationToken: 'foobar',
+ password: 'test1234',
+ roles: [await utils.getSuperAdminRole()],
+ };
+
+ adminUser = await utils.createUser(userInfo);
 });
 afterAll(async () => {
+ await utils.deleteUserById(adminUser.id);
 await strapi.destroy();
 await builder.cleanup();
 });
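Review bot: The new `afterAll` line dereferences `adminUser.id` unconditionally, so if `utils.createUser` (or anything earlier in `beforeAll`) throws, `adminUser` is still undefined, `afterAll` fails with a TypeError, and `strapi.destroy()` / `builder.cleanup()` never run — the instance and test database are left behind and the original setup error is buried under the cleanup error. Guard the cleanup so the existing teardown always executes: `if (adminUser) await utils.deleteUserById(adminUser.id);`, or wrap the delete in a try/finally ahead of `strapi.destroy()`. The `beforeAll` callback this hunk edits begins above the hunk.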
@@ -160,10 +177,29 @@ describe('Sanitize populated entries', () => {
 });
 describe('Wildcard Populate', () => {
+ beforeAll(async () => {
+ const adminRq = await createAuthRequest({ strapi });
+
+ await adminRq.put('/admin/review-workflows/workflows/1', {
+ body: {
+ data: {
+ id: 1,
+ name: 'Default',
+ contentTypes: ['api::b.b'],
+ },
+ },
+ });
+
+ const contentId = 1;
+ await adminRq.put(`/admin/content-manager/collection-types/api::b.b/${contentId}/assignee`, {
+ body: { data: { id: adminUser.id } },
+ });
+ });
+
 test('Wildcard populate is transformed to an exhaustive list of populatable fields', async () => {
 const findManyMock = jest.spyOn(strapi.entityService, 'findMany');
- const { status } = await rq.get(`/${schemas.contentTypes.b.pluralName}`, {
+ const { status, body } = await rq.get(`/${schemas.contentTypes.b.pluralName}`, {
 qs: { fields: ['id'], populate: '*' },
 });
@@ -175,6 +211,24 @@ describe('Sanitize populated entries', () => {
 populate: expect.objectContaining({ relA: true, cp: true, dz: true, img: true }),
 })
 );
+
+ const privateUserFields = [
+ 'password',
+ 'email',
+ 'resetPasswordToken',
+ 'registrationToken',
+ 'isActive',
+ 'roles',
+ 'blocked',
+ ];
+
+ // Assert that every assignee returned is sanitized correctly
+ body.data.forEach((item) => {
+ expect(item.attributes).toHaveProperty('strapi_assignee');
+ privateUserFields.forEach((field) => {
+ expect(item.attributes['strapi_assignee']).not.toHaveProperty(field);
+ });
+ });
 });
 });
 });
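Review bot: Neither setup PUT in the new `beforeAll` of `Wildcard Populate` checks its response, so a failed workflow update or assignee assignment (a 4xx because workflow id 1 or entry id 1 does not exist, or because the admin request lacks the permission) is silently ignored and only surfaces later as a confusing `strapi_assignee` assertion failure in the test below. Capture each response and pin it: `const workflowRes = await adminRq.put('/admin/review-workflows/workflows/1', { ... }); expect(workflowRes.status).toBe(200);`, and likewise for the assignee call. The hard-coded `contentId = 1` also assumes the `api::b.b` entry created elsewhere in the file has id 1; deriving it from the created entry would make the fixture independent of insertion order.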
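Review bot: The sanitization assertion in the second hunk is vacuous in two ways: it asserts nothing when `body.data` is empty, and `not.toHaveProperty(field)` passes on any object that simply does not carry those keys — if the content API wraps `strapi_assignee` like other relations, as `{ data: { id, attributes } }`, the user fields live under `strapi_assignee.data.attributes` and the check never inspects them (this shape is inferred, not visible in the hunk). Pin the level being inspected by first asserting a known public field of the user created in the file-level `beforeAll`, e.g. `expect(body.data.length).toBeGreaterThan(0);` and, on the same object the negative checks use, `expect(assignee).toHaveProperty('firstname', 'test');`. The hand-maintained `privateUserFields` list will also drift if a private attribute is added to the admin user model; a comment such as `// keep in sync with the private attributes of admin::user` would at least flag that coupling.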