yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-11-04 03:43:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: sanitize relation read query

Browse Source
This commit is contained in:
Bassel Kanso 2024-01-16 09:51:34 +02:00
parent 37dd1e3ff2
commit e686e96112
1 changed files with 32 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
packages/core/content-manager/server/src/controllers/relations.ts
View File

@ -1,4 +1,4 @@
import { prop, isEmpty, uniq, flow } from 'lodash/fp'; import { prop, isEmpty, uniq, flow, concat, uniqBy } from 'lodash/fp';
import { isOperatorOfType, contentTypes, relations } from '@strapi/utils'; import { isOperatorOfType, contentTypes, relations } from '@strapi/utils';
import { getService } from '../utils'; import { getService } from '../utils';
import { validateFindAvailable, validateFindExisting } from './validation/relations'; import { validateFindAvailable, validateFindExisting } from './validation/relations';
@ -133,14 +133,20 @@ export default {
filters: {}, // cannot filter for RBAC reasons filters: {}, // cannot filter for RBAC reasons
}; };
const permissionChecker = getService('permission-checker').create({
userAbility,
model: targetedModel.uid,
});
const permissionQuery = await permissionChecker.sanitizedQuery.read(queryParams);
if (!isEmpty(idsToOmit)) { if (!isEmpty(idsToOmit)) {
addFiltersClause(queryParams, { id: { $notIn: idsToOmit } }); addFiltersClause(permissionQuery, { id: { $notIn: idsToOmit } });
} }
// searching should be allowed only on mainField for permission reasons // searching should be allowed only on mainField for permission reasons
if (_q) { if (_q) {
const _filter = isOperatorOfType('where', query._filter) ? query._filter : '$containsi'; const _filter = isOperatorOfType('where', query._filter) ? query._filter : '$containsi';
addFiltersClause(queryParams, { [mainField]: { [_filter]: _q } }); addFiltersClause(permissionQuery, { [mainField]: { [_filter]: _q } });
} }
if (entityId) { if (entityId) {
@ -163,10 +169,10 @@ export default {
.select(`${alias}.id`) .select(`${alias}.id`)
.getKnexQuery(); .getKnexQuery();
addFiltersClause(queryParams, { id: { $notIn: knexSubQuery } }); addFiltersClause(permissionQuery, { id: { $notIn: knexSubQuery } });
} }
ctx.body = await strapi.entityService.findPage(targetedModel.uid, queryParams); ctx.body = await strapi.entityService.findPage(targetedModel.uid, permissionQuery);
}, },
async findExisting(ctx: any) { async findExisting(ctx: any) {
@ -242,13 +248,32 @@ export default {
fields: fieldsToSelect, fields: fieldsToSelect,
}; };
const permissionChecker = getService('permission-checker').create({
userAbility,
model: targetedModel.uid,
});
const permissionQuery = await permissionChecker.sanitizedQuery.read(queryParams);
if (isAnyToMany(attribute)) { if (isAnyToMany(attribute)) {
const resWithIds = await strapi.entityService.loadPages(
model,
{ id },
targetField,
{
fields: ['id'],
} as any,
{
page: ctx.request.query.page,
pageSize: ctx.request.query.pageSize,
}
);
const res = await strapi.entityService.loadPages( const res = await strapi.entityService.loadPages(
model, model,
{ id }, { id },
targetField, targetField,
{ {
...queryParams, ...permissionQuery,
ordering: 'desc', ordering: 'desc',
} as any, } as any,
{ {
@ -257,6 +282,7 @@ export default {
} }
); );
res.results = uniqBy('id', concat(res.results, resWithIds.results));
ctx.body = res; ctx.body = res;
} else { } else {
const result = await strapi.entityService.load(model, { id }, targetField, queryParams); const result = await strapi.entityService.load(model, { id }, targetField, queryParams);