mirror of
https://github.com/strapi/strapi.git
synced 2025-10-04 04:42:47 +00:00

Strapi Permissions
Highly customizable permission engine made for Strapi
Get Started
```sh
yarn add @strapi/permissions
```

```javascript
const permissions = require('@strapi/permissions');

// `providers` holds the action and condition providers (defined elsewhere)
const engine = permissions.engine.new({ providers });

const ability = await engine.generateAbility([
  { action: 'read' },
  { action: 'delete', subject: 'foo' },
  { action: 'update', subject: 'bar', properties: { fields: ['foobar'] } },
  {
    action: 'create',
    subject: 'foo',
    properties: { fields: ['foobar'] },
    conditions: ['isAuthor'],
  },
]);

ability.can('read'); // true
ability.can('publish'); // false
ability.can('update', 'foo'); // false
ability.can('update', 'bar'); // true
```

- You need to give both an action and a condition provider as parameters when instantiating a new permission engine instance. They must be contained in a `providers` object property.
- You can also pass an `abilityBuilderFactory` to customize what kind of ability the `generateAbility` method will return. By default it'll use a `@casl/ability` builder.

You can also register to some hooks for each engine instance.
See `lib/engine/hooks.js` -> `createEngineHooks` for available hooks.

```javascript
const permissions = require('@strapi/permissions');

const engine = permissions.engine
  .new({ providers })
  .on('before-format::validate.permission', ({ permission }) => {
    if (permission.action === 'read') {
      return false;
    }
  });

const ability = await engine.generateAbility([
  { action: 'read' },
  { action: 'delete', subject: 'foo' },
  { action: 'update', subject: 'bar', properties: { fields: ['foobar'] } },
  {
    action: 'create',
    subject: 'foo',
    properties: { fields: ['foobar'] },
    conditions: ['isAuthor'],
  },
]);

ability.can('read'); // false since the validation hook prevents the engine from registering the permission
ability.can('publish'); // false
ability.can('update', 'foo'); // false
ability.can('update', 'bar'); // true
```

The `format.permission` hook can be used to modify the permission.

```javascript
const permissions = require('@strapi/permissions');

const engine = permissions.engine
  .new({ providers })
  // Runs first, on the permission as it was passed in
  .on('before-format::validate.permission', ({ permission }) => {
    if (permission.action === 'modify') {
      return false;
    }
  })
  // Runs last, on the permission returned by format.permission
  .on('after-format::validate.permission', ({ permission }) => {
    if (permission.action === 'update') {
      return false;
    }
  })
  // Runs between the two validation hooks and may return a modified permission
  .on('format.permission', ({ permission }) => {
    if (permission.action === 'update') {
      return {
        ...permission,
        action: 'modify',
      };
    }
    if (permission.action === 'delete') {
      return {
        ...permission,
        action: 'remove',
      };
    }
    return permission;
  });

const ability = await engine.generateAbility([{ action: 'update' }, { action: 'delete' }]);

ability.can('update'); // false, it was changed to 'modify' by format.permission
ability.can('modify'); // true, because 'update' was changed to 'modify' after before-format::validate.permission had already run
ability.can('delete'); // false, doesn't exist because it was changed by format.permission
ability.can('remove'); // true, because 'delete' was changed to 'remove' by format.permission
```
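
A validation hook only sees the action name as it exists at its own stage, so a deny rule has to be registered on the stage that matches the name it checks. The following added example is a simplified, synchronous model of the hook order shown above, not Strapi's engine code and not part of the original README; `createModelEngine`, `renameAlias`, `denyDelete` and `abilityWithDenyAt` are hypothetical names, and the permissions are constructed sample input.

```javascript
// Simplified model of the hook order: before-format validate -> format -> after-format validate.
// Hypothetical code for illustration; it does not use @strapi/permissions.
function createModelEngine() {
  const hooks = {
    'before-format::validate.permission': [],
    'format.permission': [],
    'after-format::validate.permission': [],
  };
  // A validation stage drops the permission when any handler returns false.
  const rejected = (name, permission) =>
    hooks[name].some((handler) => handler({ permission }) === false);
  return {
    on(name, handler) {
      if (!hooks[name]) throw new Error(`unknown hook: ${name}`);
      hooks[name].push(handler);
      return this;
    },
    generateAbility(permissions) {
      const granted = new Set();
      for (const original of permissions) {
        if (rejected('before-format::validate.permission', original)) continue;
        // Each format handler receives the previous handler's result.
        const formatted = hooks['format.permission'].reduce(
          (permission, handler) => handler({ permission }),
          original
        );
        if (rejected('after-format::validate.permission', formatted)) continue;
        granted.add(formatted.action);
      }
      return { can: (action) => granted.has(action) };
    },
  };
}
// Constructed policy: 'remove' is an alias that formatting rewrites to 'delete'.
const renameAlias = ({ permission }) =>
  permission.action === 'remove' ? { ...permission, action: 'delete' } : permission;
// Deny rule: 'delete' must never be granted.
const denyDelete = ({ permission }) => (permission.action === 'delete' ? false : undefined);

function abilityWithDenyAt(stage) {
  return createModelEngine()
    .on('format.permission', renameAlias)
    .on(stage, denyDelete)
    .generateAbility([{ action: 'read' }, { action: 'remove' }]);
}
const early = abilityWithDenyAt('before-format::validate.permission');
const late = abilityWithDenyAt('after-format::validate.permission');
console.log(early.can('delete'), late.can('delete')); // true false
```

With the deny rule on the before-format stage the aliased permission is still named 'remove' when it is checked, so 'delete' ends up granted; on the after-format stage the rule sees the final name and drops it.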