UNPKG

@strapi/utils

Version:

Shared utilities for the Strapi packages

strapi.io

strapi/strapi

118 lines (115 loc) 4.75 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
import { isArray, isObject } from 'lodash/fp'; import { isMorphToRelationalAttribute, constants } from '../../content-types.mjs'; import { VALID_RELATION_ORDERING_KEYS } from '../../relations.mjs'; const ACTIONS_TO_VERIFY = [ 'find' ]; const { CREATED_BY_ATTRIBUTE, UPDATED_BY_ATTRIBUTE } = constants; var removeRestrictedRelations = ((auth)=>async ({ data, key, attribute, schema }, { remove, set })=>{ if (!attribute) { return; } const isRelation = attribute.type === 'relation'; if (!isRelation) { return; } const handleMorphRelation = async ()=>{ const elements = data[key]; if (!elements) { return; } if ('connect' in elements || 'set' in elements || 'disconnect' in elements) { const newValue = {}; const connect = await handleMorphElements(elements.connect || []); const relSet = await handleMorphElements(elements.set || []); const disconnect = await handleMorphElements(elements.disconnect || []); if (connect.length > 0) { newValue.connect = connect; } if (relSet.length > 0) { newValue.set = relSet; } if (disconnect.length > 0) { newValue.disconnect = disconnect; } // TODO: this should technically be in its own visitor to check morph options, but for now we'll handle it here if ('options' in elements && typeof elements.options === 'object' && elements.options !== null) { const filteredOptions = {}; // Iterate through the keys of elements.options Object.keys(elements.options).forEach((key)=>{ const validator = VALID_RELATION_ORDERING_KEYS[key]; // Ensure the key exists in VALID_RELATION_ORDERING_KEYS and the validator is defined before calling it if (validator && validator(elements.options[key])) { filteredOptions[key] = elements.options[key]; } }); // Assign the filtered options back to newValue newValue.options = filteredOptions; } else { newValue.options = {}; } set(key, newValue); } else { const newMorphValue = await handleMorphElements(elements); if (newMorphValue.length) { set(key, newMorphValue); } } }; const handleMorphElements = async (elements)=>{ const allowedElements = []; if (!isArray(elements)) { return allowedElements; } for (const element of elements){ if (!isObject(element) || !('__type' in element)) { continue; } const scopes = ACTIONS_TO_VERIFY.map((action)=>`${element.__type}.${action}`); const isAllowed = await hasAccessToSomeScopes(scopes, auth); if (isAllowed) { allowedElements.push(element); } } return allowedElements; }; const handleRegularRelation = async ()=>{ const scopes = ACTIONS_TO_VERIFY.map((action)=>`${attribute.target}.${action}`); const isAllowed = await hasAccessToSomeScopes(scopes, auth); // If the authenticated user don't have access to any of the scopes, then remove the field if (!isAllowed) { remove(key); } }; const isCreatorRelation = [ CREATED_BY_ATTRIBUTE, UPDATED_BY_ATTRIBUTE ].includes(key); // Polymorphic relations if (isMorphToRelationalAttribute(attribute)) { await handleMorphRelation(); return; } // Creator relations if (isCreatorRelation && schema.options?.populateCreatorFields) { // do nothing return; } // Regular relations await handleRegularRelation(); }); const hasAccessToSomeScopes = async (scopes, auth)=>{ for (const scope of scopes){ try { await strapi.auth.verify(auth, { scope }); return true; } catch { continue; } } return false; }; export { removeRestrictedRelations as default }; //# sourceMappingURL=remove-restricted-relations.mjs.map