UNPKG

@strapi/utils

Version:

Shared utilities for the Strapi packages

strapi.io

strapi/strapi

126 lines (122 loc) 4.74 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
'use strict'; var fp = require('lodash/fp'); var contentTypes = require('../../content-types.js'); var utils = require('../utils.js'); var relations = require('../../relations.js'); const ACTIONS_TO_VERIFY = [ 'find' ]; const { CREATED_BY_ATTRIBUTE, UPDATED_BY_ATTRIBUTE } = contentTypes.constants; var throwRestrictedRelations = ((auth)=>async ({ data, key, attribute, schema, path })=>{ if (!attribute) { return; } const isRelation = attribute.type === 'relation'; if (!isRelation) { return; } const handleMorphRelation = async ()=>{ const elements = data[key]; if ('connect' in elements || 'set' in elements || 'disconnect' in elements || 'options' in elements) { await handleMorphElements(elements.connect || []); await handleMorphElements(elements.set || []); await handleMorphElements(elements.disconnect || []); // TODO: this should technically be in its own visitor to check morph options, but for now we'll handle it here if ('options' in elements) { if (elements.options === null || elements.options === undefined) { return; } if (typeof elements.options !== 'object') { utils.throwInvalidKey({ key, path: path.attribute }); } const optionKeys = Object.keys(elements.options); // Validate each key based on its validator function for (const key of optionKeys){ if (!(key in relations.VALID_RELATION_ORDERING_KEYS)) { utils.throwInvalidKey({ key, path: path.attribute }); } if (!relations.VALID_RELATION_ORDERING_KEYS[key](elements.options[key])) { utils.throwInvalidKey({ key, path: path.attribute }); } } } } else { await handleMorphElements(elements); } }; const handleMorphElements = async (elements)=>{ if (!fp.isArray(elements)) { utils.throwInvalidKey({ key, path: path.attribute }); } for (const element of elements){ if (!fp.isObject(element) || !('__type' in element)) { utils.throwInvalidKey({ key, path: path.attribute }); } const scopes = ACTIONS_TO_VERIFY.map((action)=>`${element.__type}.${action}`); const isAllowed = await hasAccessToSomeScopes(scopes, auth); if (!isAllowed) { utils.throwInvalidKey({ key, path: path.attribute }); } } }; const handleRegularRelation = async ()=>{ const scopes = ACTIONS_TO_VERIFY.map((action)=>`${attribute.target}.${action}`); const isAllowed = await hasAccessToSomeScopes(scopes, auth); // If the authenticated user don't have access to any of the scopes if (!isAllowed) { utils.throwInvalidKey({ key, path: path.attribute }); } }; const isCreatorRelation = [ CREATED_BY_ATTRIBUTE, UPDATED_BY_ATTRIBUTE ].includes(key); // Polymorphic relations if (contentTypes.isMorphToRelationalAttribute(attribute)) { await handleMorphRelation(); return; } // Creator relations if (isCreatorRelation && schema.options?.populateCreatorFields) { // do nothing return; } // Regular relations await handleRegularRelation(); }); const hasAccessToSomeScopes = async (scopes, auth)=>{ for (const scope of scopes){ try { await strapi.auth.verify(auth, { scope }); return true; } catch { continue; } } return false; }; module.exports = throwRestrictedRelations; //# sourceMappingURL=throw-restricted-relations.js.map