Fix sanitize media

strapi · Mar 8, 2022 · 072db8e · 072db8e
1 parent af7c3d5
commit 072db8e
Show file tree

Hide file tree

Showing 5 changed files with 114 additions and 3 deletions.
diff --git a/.../api/populate/filtering/index.test.e2e.js → .../api/populate/filtering/index.test.e2e.js b/.../api/populate/filtering/index.test.e2e.js → .../api/populate/filtering/index.test.e2e.js
@@ -2,9 +2,9 @@
 
 const { propEq, omit } = require('lodash/fp');
 
-const { createTestBuilder } = require('../../../../../../../../test/helpers/builder');
-const { createStrapiInstance } = require('../../../../../../../../test/helpers/strapi');
-const { createContentAPIRequest } = require('../../../../../../../../test/helpers/request');
+const { createTestBuilder } = require('../../../../../../../test/helpers/builder');
+const { createStrapiInstance } = require('../../../../../../../test/helpers/strapi');
+const { createContentAPIRequest } = require('../../../../../../../test/helpers/request');
 
 const builder = createTestBuilder();
 

diff --git a/packages/core/strapi/tests/api/populate/rec.jpg b/packages/core/strapi/tests/api/populate/rec.jpg
diff --git a/packages/core/strapi/tests/api/populate/sanitize.test.e2e.js b/packages/core/strapi/tests/api/populate/sanitize.test.e2e.js
@@ -0,0 +1,93 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const { createTestBuilder } = require('../../../../../../test/helpers/builder');
+const { createStrapiInstance } = require('../../../../../../test/helpers/strapi');
+const {
+  createContentAPIRequest,
+  createAuthRequest,
+} = require('../../../../../../test/helpers/request');
+
+const builder = createTestBuilder();
+
+let strapi;
+let rq;
+
+const schemas = {
+  contentTypes: {
+    a: {
+      kind: 'collectionType',
+      displayName: 'a',
+      singularName: 'a',
+      pluralName: 'as',
+      attributes: {
+        cover: { type: 'media', single: true },
+      },
+    },
+  },
+};
+
+const getFixtures = file => {
+  return [
+    {
+      cover: file.id,
+    },
+  ];
+};
+
+const uploadFile = async () => {
+  const strapi = await createStrapiInstance();
+  const rq = await createAuthRequest({ strapi });
+
+  const res = await rq({
+    method: 'POST',
+    url: '/upload',
+    formData: {
+      files: fs.createReadStream(path.join(__dirname, 'rec.jpg')),
+    },
+  });
+
+  await strapi.destroy();
+
+  return res.body[0];
+};
+
+describe('Sanitize populated entries', () => {
+  beforeAll(async () => {
+    const file = await uploadFile();
+
+    await builder
+      .addContentTypes(Object.values(schemas.contentTypes))
+      .addFixtures(schemas.contentTypes.a.singularName, getFixtures(file))
+      .build();
+
+    strapi = await createStrapiInstance();
+    rq = createContentAPIRequest({ strapi });
+  });
+
+  afterAll(async () => {
+    await strapi.destroy();
+    await builder.cleanup();
+  });
+
+  describe('Populate simple media', () => {
+    test('Media can be populated without restricted attributes', async () => {
+      const { status, body } = await rq.get(`/${schemas.contentTypes.a.pluralName}`, {
+        qs: {
+          populate: {
+            cover: {
+              populate: '*',
+            },
+          },
+        },
+      });
+
+      expect(status).toBe(200);
+      expect(body.data[0].attributes.cover).toBeDefined();
+      expect(body.data[0].attributes.cover.data.attributes.createdBy).toBeUndefined();
+      expect(body.data[0].attributes.cover.data.attributes.updatedBy).toBeUndefined();
+    });
+  });
+});
diff --git a/packages/core/utils/lib/sanitize/visitors/remove-restricted-relations.js b/packages/core/utils/lib/sanitize/visitors/remove-restricted-relations.js
@@ -2,6 +2,7 @@
 
 const ACTIONS_TO_VERIFY = ['find'];
 
+// FIXME: Support populating creator fields
 module.exports = auth => async ({ data, key, attribute }, { remove, set }) => {
   const isRelation = attribute.type === 'relation';
 

diff --git a/packages/core/utils/lib/traverse-entity.js b/packages/core/utils/lib/traverse-entity.js
@@ -41,6 +41,7 @@ const traverseEntity = async (visitor, options, entity) => {
     const isRelation = attribute.type === 'relation';
     const isComponent = attribute.type === 'component';
     const isDynamicZone = attribute.type === 'dynamiczone';
+    const isMedia = attribute.type === 'media';
 
     if (isRelation) {
       const isMorphRelation = attribute.relation.toLowerCase().startsWith('morph');
@@ -61,6 +62,22 @@ const traverseEntity = async (visitor, options, entity) => {
         : await traverseTarget(value);
     }
 
+    if (isMedia) {
+      const traverseTarget = entry => {
+        const targetSchemaUID = 'plugin::upload.file';
+        const targetSchema = strapi.getModel(targetSchemaUID);
+
+        const traverseOptions = { schema: targetSchema, path: newPath };
+
+        return traverseEntity(visitor, traverseOptions, entry);
+      };
+
+      // need to update copy
+      copy[key] = isArray(value)
+        ? await Promise.all(value.map(traverseTarget))
+        : await traverseTarget(value);
+    }
+
     if (isComponent) {
       const targetSchema = strapi.getModel(attribute.component);
       const traverseOptions = { schema: targetSchema, path: newPath };