sanitize.contentAPI not populating relations #14251

sjoukedv · 2022-08-30T06:27:17Z

Bug report

Required System information

Strapi version: 4.3.6
Database: Postgres

Describe the bug

I am trying to populate relations on the user object by calling api/users?populate=*. Using the custom extension below:

// path: src/extensions/users-permissions/strapi-server.js

const utils = require('@strapi/utils');
const { sanitize } = utils;

const getService = (name) => {
  return strapi.plugin('users-permissions').service(name);
};

export default (plugin) => {
    const sanitizeOutput = (user, ctx) => {
      // <-- here the user contains all the relations
      const schema = strapi.getModel('plugin::users-permissions.user');
      const { auth } = ctx.state;
    
      return sanitize.contentAPI.output(user, schema, { auth });
    };
  
    plugin.controllers.user.me = async (ctx) => {
      const authUser = ctx.state.user;
      const { query } = ctx;
  
      if (!authUser) {
        return ctx.unauthorized();
      }
  
      const user = await getService('user').fetch(authUser.id, query);
       
      ctx.body = await sanitizeOutput(user, ctx);
    };
  
    plugin.controllers.user.find = async (ctx) => {
      const users = await getService('user').fetchAll(ctx.query);
  
      ctx.body = await Promise.all(users.map((user) => sanitizeOutput(user, ctx)));
    };

    return plugin;
  };

schema

{
  collectionName: 'up_users',
  info: {
    name: 'user',
    description: '',
    singularName: 'user',
    pluralName: 'users',
    displayName: 'User'
  },
  options: { draftAndPublish: false, timestamps: true },
  attributes: {
    username: {
      type: 'string',
      minLength: 3,
      unique: true,
      configurable: false,
      required: false
    },
    email: {
      type: 'email',
      minLength: 6,
      unique: true,
      configurable: false,
      required: true
    },
    provider: { type: 'string', configurable: false },
    password: {
      type: 'password',
      minLength: 6,
      configurable: false,
      private: true
    },
    resetPasswordToken: { type: 'string', configurable: false, private: true },
    confirmationToken: { type: 'string', configurable: false, private: true },
    confirmed: { type: 'boolean', default: false, configurable: false },
    blocked: { type: 'boolean', default: false, configurable: false },
    role: {
      type: 'relation',
      relation: 'manyToOne',
      target: 'plugin::users-permissions.role',
      inversedBy: 'users',
      configurable: false
    },
    source: { type: 'enumeration', enum: [Array], required: true },
    subscriptions: {
      type: 'relation',
      relation: 'oneToMany',
      target: 'api::subscription.subscription',
      mappedBy: 'user'
    },
    favoriteSessions: {
      type: 'relation',
      relation: 'oneToMany',
      target: 'api::session.session'
    },
    uuid: { type: 'uid', required: false, minLength: 35 },
    newsletterOptIn: { type: 'boolean', default: false, required: false },
    firstName: { type: 'string' },
    lastName: { type: 'string' },
    createdAt: { type: 'datetime' },
    updatedAt: { type: 'datetime' },
    createdBy: {
      type: 'relation',
      relation: 'oneToOne',
      target: 'admin::user',
      configurable: false,
      writable: false,
      visible: false,
      useJoinTable: false,
      private: true
    },
    updatedBy: {
      type: 'relation',
      relation: 'oneToOne',
      target: 'admin::user',
      configurable: false,
      writable: false,
      visible: false,
      useJoinTable: false,
      private: true
    }
  },
  config: {
    attributes: {
      resetPasswordToken: [Object],
      confirmationToken: [Object],
      provider: [Object]
    }
  },
  kind: 'collectionType',
  __filename__: 'schema.json',
  __schema__: {
    collectionName: 'up_users',
    info: {
      name: 'user',
      description: '',
      singularName: 'user',
      pluralName: 'users',
      displayName: 'User'
    },
    options: { draftAndPublish: false, timestamps: true },
    attributes: {
      username: [Object],
      email: [Object],
      provider: [Object],
      password: [Object],
      resetPasswordToken: [Object],
      confirmationToken: [Object],
      confirmed: [Object],
      blocked: [Object],
      role: [Object],
      source: [Object],
      subscriptions: [Object],
      favoriteSessions: [Object],
      uuid: [Object],
      newsletterOptIn: [Object],
      firstName: [Object],
      lastName: [Object]
    },
    kind: 'collectionType'
  },
  modelType: 'contentType',
  modelName: 'user',
  connection: 'default',
  uid: 'plugin::users-permissions.user',
  plugin: 'users-permissions',
  globalId: 'UsersPermissionsUser',
  actions: undefined,
  lifecycles: undefined
}

Printing the user object before it is passed to sanitize.contentAPI.output(...) shows the object with the relations. After sanitizing the output only the favoriteSessions relation is populated and not the other relations like the default role.

Steps to reproduce the behavior

Add a relation to the user object
Add the extension in src/extensions/users-permissions/strapi-server.js (there is no overriding happening in the snippet above).
Call the api/users/me endpoint

Expected behavior

I am expecting the sanitize function to return the relations on the user object as defined in the schema.

Additional context

There has been issues in the past regarding population see #11957.

The text was updated successfully, but these errors were encountered:

sjoukedv · 2022-08-30T06:28:47Z

FYI: I am using an extension to override the controller so that I could enforce the population of fields for plugin.controllers.user.me with

const user = await strapi.entityService.findOne(
    'plugin::users-permissions.user', 
    authUser.id, 
    {
        populate: ['role', ...]
     }
);

derrickmehaffy · 2022-08-31T16:23:22Z

Please see this entry in the documentation: https://docs.strapi.io/developer-docs/latest/developer-resources/database-apis-reference/rest/populating-fields.html#relation-media-fields

Specifically:

Can you please confirm if you have enabled the find permission for the related content-types you are trying to populate?

sjoukedv · 2022-09-01T06:30:54Z

Please see this entry in the documentation: https://docs.strapi.io/developer-docs/latest/developer-resources/database-apis-reference/rest/populating-fields.html#relation-media-fields

Specifically:

Can you please confirm if you have enabled the find permission for the related content-types you are trying to populate?

@derrickmehaffy That is indeed the culprit. It might be a feature request to allow the population of relations as I might not want to 'open' all the items in a collection to a role, but just the ones that are linked (by means of a relation) to the up-user in this case. Right now, I will have to overwrite the find handler for this.

e.g. I have a user with collection item id 1 en 2 linked to it. Assigning the find permissions to the collection means it can also retrieve the item with id 3 by just sending a request to api/<collection>/3

derrickmehaffy · 2022-09-01T17:27:48Z

It's a use-case we are widely aware of but cannot fix with the current plugin and we are evaluating building a new one but no ETA on that. Basically it resolves around this feature: https://feedback.strapi.io/feature-requests/p/field-level-permissions-end-user-management

Since you confirmed it I'll mark this as closed but I'll mention this issue on that FR

sjoukedv · 2022-09-01T19:11:57Z

Thanks for the quick reply!

Indeed this relates to the up-plugin. In hindsight, this also explains why I cannot POST an entry to a collection with a relation to which the role does not have access to. For up-users I need the find or findOne permission to do this, but this means that e.g. every authenticated user is able to fetch other user's details. I am hoping this gets more priority soon because the find access rights should definitely not be needed when creating an entry where you pass the ID of whatever you find.

derrickmehaffy · 2022-09-02T17:42:04Z

Thanks for the quick reply!

Indeed this relates to the up-plugin. In hindsight, this also explains why I cannot POST an entry to a collection with a relation to which the role does not have access to. For up-users I need the find or findOne permission to do this, but this means that e.g. every authenticated user is able to fetch other user's details. I am hoping this gets more priority soon because the find access rights should definitely not be needed when creating an entry where you pass the ID of whatever you find.

You can create a route policy or middleware to restrict actual find access but indeed the permission isn't ideal

strapi-bot · 2022-11-27T15:48:16Z

This issue has been mentioned on Strapi Community Forum. There might be relevant details there:

https://forum.strapi.io/t/strapi-v4-search-by-slug-instead-id/13469/43

derrickmehaffy closed this as completed Sep 1, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

sanitize.contentAPI not populating relations #14251

sanitize.contentAPI not populating relations #14251

sjoukedv commented Aug 30, 2022

sjoukedv commented Aug 30, 2022

derrickmehaffy commented Aug 31, 2022

sjoukedv commented Sep 1, 2022

derrickmehaffy commented Sep 1, 2022

sjoukedv commented Sep 1, 2022

derrickmehaffy commented Sep 2, 2022

strapi-bot commented Nov 27, 2022

sanitize.contentAPI not populating relations #14251

sanitize.contentAPI not populating relations #14251

Comments

sjoukedv commented Aug 30, 2022

Bug report

Required System information

Describe the bug

Steps to reproduce the behavior

Expected behavior

Additional context

sjoukedv commented Aug 30, 2022

derrickmehaffy commented Aug 31, 2022

sjoukedv commented Sep 1, 2022

derrickmehaffy commented Sep 1, 2022

sjoukedv commented Sep 1, 2022

derrickmehaffy commented Sep 2, 2022

strapi-bot commented Nov 27, 2022