mirror of
https://github.com/strapi/strapi.git
synced 2025-08-08 08:46:42 +00:00

Strapi Permissions
Highly customizable permission engine made for Strapi
Get Started
```sh
yarn add @strapi/permissions
```

```javascript
const permissions = require('@strapi/permissions');

// `providers` is an object holding the action and condition providers.
// `await` requires this snippet to run inside an async function.
const engine = permissions.engine.new({ providers });

const ability = await engine.generateAbility([
  { action: 'read' },
  { action: 'delete', subject: 'foo' },
  { action: 'update', subject: 'bar', properties: { fields: ['foobar'] } },
  {
    action: 'create',
    subject: 'foo',
    properties: { fields: ['foobar'] },
    conditions: ['isAuthor'],
  },
]);

ability.can('read'); // true
ability.can('publish'); // false
ability.can('update', 'foo'); // false
ability.can('update', 'bar'); // true
```
- You need to give both an action and a condition provider as parameters when instantiating a new permission engine instance. They must be contained in a `providers` object property.
- You can also pass an `abilityBuilderFactory` to customize what kind of ability the `generateAbility` method will return. By default it'll use a `@casl/ability` builder.

You can also register to some hooks for each engine instance.
See `lib/engine/hooks.js` -> `createEngineHooks` for available hooks.
```javascript
const permissions = require('@strapi/permissions');

const engine = permissions.engine
  .new({ providers })
  .on('before-format::validate.permission', ({ permission }) => {
    if (permission.action === 'read') {
      return false;
    }
  });

const ability = await engine.generateAbility([
  { action: 'read' },
  { action: 'delete', subject: 'foo' },
  { action: 'update', subject: 'bar', properties: { fields: ['foobar'] } },
  {
    action: 'create',
    subject: 'foo',
    properties: { fields: ['foobar'] },
    conditions: ['isAuthor'],
  },
]);

ability.can('read'); // false since the validation hook prevents the engine from registering the permission
ability.can('publish'); // false
ability.can('update', 'foo'); // false
ability.can('update', 'bar'); // true
```
The `format.permission` hook can be used to modify the permission.
```javascript
const permissions = require('@strapi/permissions');

const engine = permissions.engine
  .new({ providers })
  .on('before-format::validate.permission', ({ permission }) => {
    if (permission.action === 'modify') {
      return false;
    }
  })
  .on('after-format::validate.permission', ({ permission }) => {
    if (permission.action === 'update') {
      return false;
    }
  })
  .on('format.permission', ({ permission }) => {
    if (permission.action === 'update') {
      return {
        ...permission,
        action: 'modify',
      };
    }
    if (permission.action === 'delete') {
      return {
        ...permission,
        action: 'remove',
      };
    }
    return permission;
  });

const ability = await engine.generateAbility([{ action: 'update' }, { action: 'delete' }]);

ability.can('update'); // false
ability.can('modify'); // true, because 'update' was changed to 'modify'
ability.can('delete'); // false, doesn't exist because it was changed by format.permission
ability.can('remove'); // true, before-format::validate.permission validates before format.permission changed it
```
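The last example depends on hook order: a validation hook only sees the action name that exists on its side of `format.permission`, so a deny rule written against the final name must sit in the after-format hook. The sketch below is an added illustration, not Strapi's engine code; `registerPermissions` and the hook container keys are hypothetical and model only the order the comments above describe.

```javascript
// Simplified model (assumption): before-format validate -> format -> after-format validate.
// A validation hook returning `false` drops the permission, as in the README examples.
function registerPermissions(permissions, hooks) {
  const registered = [];
  for (const original of permissions) {
    // 1. before-format validation sees the permission exactly as submitted
    if (hooks.beforeFormatValidate.some((fn) => fn({ permission: original }) === false)) continue;
    // 2. format hooks may rewrite the permission, e.g. rename its action
    const formatted = hooks.format.reduce((p, fn) => fn({ permission: p }), original);
    // 3. after-format validation sees the rewritten permission
    if (hooks.afterFormatValidate.some((fn) => fn({ permission: formatted }) === false)) continue;
    registered.push(formatted.action);
  }
  return registered;
}

// Same rename as the README's format.permission hook: 'update' becomes 'modify'.
const renameUpdate = ({ permission }) =>
  permission.action === 'update' ? { ...permission, action: 'modify' } : permission;

// Deny rule written against the final action name.
const denyModify = ({ permission }) => (permission.action === 'modify' ? false : undefined);

// Constructed sample input.
const requested = [{ action: 'update' }, { action: 'read' }];

// Deny rule on the pre-format side never sees 'modify', so the renamed permission is granted.
function denyBeforeFormat() {
  return registerPermissions(requested, {
    beforeFormatValidate: [denyModify],
    format: [renameUpdate],
    afterFormatValidate: [],
  });
}

// Deny rule on the post-format side matches the final name and drops the permission.
function denyAfterFormat() {
  return registerPermissions(requested, {
    beforeFormatValidate: [],
    format: [renameUpdate],
    afterFormatValidate: [denyModify],
  });
}

console.log(denyBeforeFormat(), denyAfterFormat());
```

When a `format.permission` hook renames actions, check every validation hook against the name it will actually receive at that stage.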