fix(findSlug utility): respect foreign model permissions (#33)

* fix(slugController): respect foreign model access permissions (#32)

* feat(utils): add `sanitizeOutput`

* feat(utils): add `isValidFindSlugParams`

* feat(utils): add `hasRequiredModelsScope`

* refactor(slugController): utilise util functions

* fix(Query.findSlug): respect model access permissions

refactor(Query.findSlug): utilise utils functions

Co-authored-by: Jean-Sébastien Herbaux <[email protected]>

Author: ComfortablyCoding

server/controllers/slug-controller.js

@@ -1,56 +1,48 @@
 'use strict';
 
 const _ = require('lodash');
-const { sanitize } = require('@strapi/utils');
+const { NotFoundError } = require('@strapi/utils/lib/errors');
 const { getPluginService } = require('../utils/getPluginService');
 const { transformResponse } = require('@strapi/strapi/lib/core-api/controller/transform');
+const { isValidFindSlugParams } = require('../utils/isValidFindSlugParams');
+const { sanitizeOutput } = require('../utils/sanitizeOutput');
+const { hasRequiredModelScopes } = require('../utils/hasRequiredModelScopes');
 
 module.exports = ({ strapi }) => ({
 	async findSlug(ctx) {
 		const { models } = getPluginService(strapi, 'settingsService').get();
-		const { params } = ctx.request;
-		const { modelName, slug } = params;
-
-		try {
-			if (!modelName) {
-				throw Error('A model name path variable is required.');
-			}
-
-			if (!slug) {
-				throw Error('A slug path variable is required.');
-			}
-
-			const model = models[modelName];
-			if (!model) {
-				throw Error(
-					`${modelName} model name not found, all models must be defined in the settings and are case sensitive.`
-				);
-			}
-
-			const { uid, field, contentType } = model;
-
-			// add slug filter to any already existing query restrictions
-			let query = ctx.query || {};
-			if (!query.filters) {
-				query.filters = {};
-			}
-			query.filters[field] = slug;
-
-			// only return published entries by default if content type has draftAndPublish enabled
-			if (_.get(contentType, ['options', 'draftAndPublish'], false) && !query.publicationState) {
-				query.publicationState = 'live';
-			}
-
-			const data = await getPluginService(strapi, 'slugService').findOne(uid, query);
-
-			if (data) {
-				const sanitizedEntity = await sanitize.contentAPI.output(data, contentType);
-				ctx.body = transformResponse(sanitizedEntity);
-			} else {
-				ctx.notFound();
-			}
-		} catch (error) {
-			ctx.badRequest(error.message);
+		const { modelName, slug } = ctx.request.params;
+		const { auth } = ctx.state;
+
+		isValidFindSlugParams({
+			modelName,
+			slug,
+			models,
+		});
+
+		const { uid, field, contentType } = models[modelName];
+
+		await hasRequiredModelScopes(strapi, uid, auth);
+
+		// add slug filter to any already existing query restrictions
+		let query = ctx.query || {};
+		if (!query.filters) {
+			query.filters = {};
+		}
+		query.filters[field] = slug;
+
+		// only return published entries by default if content type has draftAndPublish enabled
+		if (_.get(contentType, ['options', 'draftAndPublish'], false) && !query.publicationState) {
+			query.publicationState = 'live';
+		}
+
+		const data = await getPluginService(strapi, 'slugService').findOne(uid, query);
+
+		if (data) {
+			const sanitizedEntity = await sanitizeOutput(data, contentType, auth);
+			ctx.body = transformResponse(sanitizedEntity);
+		} else {
+			throw new NotFoundError();
 		}
 	},
 });

server/graphql/types.js

@@ -1,6 +1,8 @@
 const _ = require('lodash');
 const { getPluginService } = require('../utils/getPluginService');
-const { ValidationError } = require('@strapi/utils').errors;
+const { isValidFindSlugParams } = require('../utils/isValidFindSlugParams');
+const { hasRequiredModelScopes } = require('../utils/hasRequiredModelScopes');
+const { sanitizeOutput } = require('../utils/sanitizeOutput');
 
 const getCustomTypes = (strapi, nexus) => {
 	const { naming } = getPluginService(strapi, 'utils', 'graphql');
@@ -46,20 +48,22 @@ const getCustomTypes = (strapi, nexus) => {
 						modelName: nexus.stringArg('The model name of the content type'),
 						slug: nexus.stringArg('The slug to query for'),
 					},
-					resolve: async (_parent, args) => {
+					resolve: async (_parent, args, ctx) => {
 						const { models } = getPluginService(strapi, 'settingsService').get();
 						const { modelName, slug } = args;
+						const { auth } = ctx.state;
 
-						const model = models[modelName];
+						isValidFindSlugParams({
+							modelName,
+							slug,
+							models,
+						});
 
-						// ensure valid model is passed
-						if (!model) {
-							throw new ValidationError(
-								`${modelName} model name not found, all models must be defined in the settings and are case sensitive.`
-							);
-						}
+						const { uid, field, contentType } = models[modelName];
+
+						await hasRequiredModelScopes(strapi, uid, auth);
 
-						const { uid, field, contentType } = model;
+						// build query
 						let query = {
 							filters: {
 								[field]: slug,
@@ -72,7 +76,8 @@ const getCustomTypes = (strapi, nexus) => {
 						}
 
 						const data = await getPluginService(strapi, 'slugService').findOne(uid, query);
-						return toEntityResponse(data, { resourceUID: uid });
+						const sanitizedEntity = await sanitizeOutput(data, contentType, auth);
+						return toEntityResponse(sanitizedEntity, { resourceUID: uid });
 					},
 				});
 			},

server/utils/hasRequiredModelScopes.js

@@ -0,0 +1,13 @@
+const { ForbiddenError } = require('@strapi/utils/lib/errors');
+
+const hasRequiredModelScopes = async (strapi, uid, auth) => {
+	try {
+		await strapi.auth.verify(auth, { scope: `${uid}.find` });
+	} catch (e) {
+		throw new ForbiddenError();
+	}
+};
+
+module.exports = {
+	hasRequiredModelScopes,
+};

server/utils/isValidFindSlugParams.js

@@ -0,0 +1,30 @@
+const { ValidationError } = require('@strapi/utils/lib/errors');
+
+const isValidFindSlugParams = (params) => {
+	if (!params) {
+		throw new ValidationError('A model and slug must be provided.');
+	}
+
+	const { modelName, slug, models } = params;
+
+	if (!modelName) {
+		throw new ValidationError('A model name path variable is required.');
+	}
+
+	if (!slug) {
+		throw new ValidationError('A slug path variable is required.');
+	}
+
+	const model = models[modelName];
+
+	// ensure valid model is passed
+	if (!model) {
+		throw new ValidationError(
+			`${modelName} model name not found, all models must be defined in the settings and are case sensitive.`
+		);
+	}
+};
+
+module.exports = {
+	isValidFindSlugParams,
+};

server/utils/sanitizeOutput.js

@@ -0,0 +1,7 @@
+const { contentAPI } = require('@strapi/utils/lib/sanitize');
+
+const sanitizeOutput = (data, contentType, auth) => contentAPI.output(data, contentType, { auth });
+
+module.exports = {
+	sanitizeOutput,
+};