{"version":3,"file":"throw-restricted-relations.mjs","sources":["../../../src/validate/visitors/throw-restricted-relations.ts"],"sourcesContent":["import { isArray, isObject } from 'lodash/fp';\nimport * as contentTypeUtils from '../../content-types';\nimport { throwInvalidKey } from '../utils';\nimport type { Visitor } from '../../traverse/factory';\nimport { VALID_RELATION_ORDERING_KEYS } from '../../relations';\n\nconst ACTIONS_TO_VERIFY = ['find'];\nconst { CREATED_BY_ATTRIBUTE, UPDATED_BY_ATTRIBUTE } = contentTypeUtils.constants;\n\ntype MorphArray = Array<{ __type: string }>;\n\nexport default (auth: unknown): Visitor =>\n  async ({ data, key, attribute, schema, path }) => {\n    if (!attribute) {\n      return;\n    }\n\n    const isRelation = attribute.type === 'relation';\n\n    if (!isRelation) {\n      return;\n    }\n\n    const handleMorphRelation = async () => {\n      const elements: any = (data as Record<string, MorphArray>)[key];\n\n      if (\n        'connect' in elements ||\n        'set' in elements ||\n        'disconnect' in elements ||\n        'options' in elements\n      ) {\n        await handleMorphElements(elements.connect || []);\n        await handleMorphElements(elements.set || []);\n        await handleMorphElements(elements.disconnect || []);\n\n        // TODO: this should technically be in its own visitor to check morph options, but for now we'll handle it here\n        if ('options' in elements) {\n          if (elements.options === null || elements.options === undefined) {\n            return;\n          }\n\n          if (typeof elements.options !== 'object') {\n            throwInvalidKey({ key, path: path.attribute });\n          }\n\n          const optionKeys = Object.keys(elements.options);\n\n          // Validate each key based on its validator function\n          for (const key of optionKeys) {\n            if (!(key in VALID_RELATION_ORDERING_KEYS)) {\n              throwInvalidKey({ key, path: path.attribute });\n            }\n            if (!VALID_RELATION_ORDERING_KEYS[key](elements.options[key])) {\n              throwInvalidKey({ key, path: path.attribute });\n            }\n          }\n        }\n      } else {\n        await handleMorphElements(elements);\n      }\n    };\n\n    const handleMorphElements = async (elements: any[]) => {\n      if (!isArray(elements)) {\n        throwInvalidKey({ key, path: path.attribute });\n      }\n\n      for (const element of elements) {\n        if (!isObject(element) || !('__type' in element)) {\n          throwInvalidKey({ key, path: path.attribute });\n        }\n\n        const scopes = ACTIONS_TO_VERIFY.map((action) => `${element.__type}.${action}`);\n        const isAllowed = await hasAccessToSomeScopes(scopes, auth);\n\n        if (!isAllowed) {\n          throwInvalidKey({ key, path: path.attribute });\n        }\n      }\n    };\n\n    const handleRegularRelation = async () => {\n      const scopes = ACTIONS_TO_VERIFY.map((action) => `${attribute.target}.${action}`);\n\n      const isAllowed = await hasAccessToSomeScopes(scopes, auth);\n\n      // If the authenticated user don't have access to any of the scopes\n      if (!isAllowed) {\n        throwInvalidKey({ key, path: path.attribute });\n      }\n    };\n\n    const isCreatorRelation = [CREATED_BY_ATTRIBUTE, UPDATED_BY_ATTRIBUTE].includes(key);\n\n    // Polymorphic relations\n    if (contentTypeUtils.isMorphToRelationalAttribute(attribute)) {\n      await handleMorphRelation();\n      return;\n    }\n\n    // Creator relations\n    if (isCreatorRelation && schema.options?.populateCreatorFields) {\n      // do nothing\n      return;\n    }\n\n    // Regular relations\n    await handleRegularRelation();\n  };\n\nconst hasAccessToSomeScopes = async (scopes: string[], auth: unknown) => {\n  for (const scope of scopes) {\n    try {\n      await strapi.auth.verify(auth, { scope });\n      return true;\n    } catch {\n      continue;\n    }\n  }\n\n  return false;\n};\n"],"names":["ACTIONS_TO_VERIFY","CREATED_BY_ATTRIBUTE","UPDATED_BY_ATTRIBUTE","contentTypeUtils","auth","data","key","attribute","schema","path","isRelation","type","handleMorphRelation","elements","handleMorphElements","connect","set","disconnect","options","undefined","throwInvalidKey","optionKeys","Object","keys","VALID_RELATION_ORDERING_KEYS","isArray","element","isObject","scopes","map","action","__type","isAllowed","hasAccessToSomeScopes","handleRegularRelation","target","isCreatorRelation","includes","populateCreatorFields","scope","strapi","verify"],"mappings":";;;;;AAMA,MAAMA,iBAAoB,GAAA;AAAC,IAAA;AAAO,CAAA;AAClC,MAAM,EAAEC,oBAAoB,EAAEC,oBAAoB,EAAE,GAAGC,SAA0B;AAIjF,+BAAe,CAAA,CAACC,IACd,GAAA,OAAO,EAAEC,IAAI,EAAEC,GAAG,EAAEC,SAAS,EAAEC,MAAM,EAAEC,IAAI,EAAE,GAAA;AAC3C,QAAA,IAAI,CAACF,SAAW,EAAA;AACd,YAAA;AACF;QAEA,MAAMG,UAAAA,GAAaH,SAAUI,CAAAA,IAAI,KAAK,UAAA;AAEtC,QAAA,IAAI,CAACD,UAAY,EAAA;AACf,YAAA;AACF;AAEA,QAAA,MAAME,mBAAsB,GAAA,UAAA;AAC1B,YAAA,MAAMC,QAAgB,GAACR,IAAmC,CAACC,GAAI,CAAA;AAE/D,YAAA,IACE,aAAaO,QACb,IAAA,KAAA,IAASA,YACT,YAAgBA,IAAAA,QAAAA,IAChB,aAAaA,QACb,EAAA;AACA,gBAAA,MAAMC,mBAAoBD,CAAAA,QAAAA,CAASE,OAAO,IAAI,EAAE,CAAA;AAChD,gBAAA,MAAMD,mBAAoBD,CAAAA,QAAAA,CAASG,GAAG,IAAI,EAAE,CAAA;AAC5C,gBAAA,MAAMF,mBAAoBD,CAAAA,QAAAA,CAASI,UAAU,IAAI,EAAE,CAAA;;AAGnD,gBAAA,IAAI,aAAaJ,QAAU,EAAA;AACzB,oBAAA,IAAIA,SAASK,OAAO,KAAK,QAAQL,QAASK,CAAAA,OAAO,KAAKC,SAAW,EAAA;AAC/D,wBAAA;AACF;AAEA,oBAAA,IAAI,OAAON,QAAAA,CAASK,OAAO,KAAK,QAAU,EAAA;wBACxCE,eAAgB,CAAA;AAAEd,4BAAAA,GAAAA;AAAKG,4BAAAA,IAAAA,EAAMA,KAAKF;AAAU,yBAAA,CAAA;AAC9C;AAEA,oBAAA,MAAMc,UAAaC,GAAAA,MAAAA,CAAOC,IAAI,CAACV,SAASK,OAAO,CAAA;;oBAG/C,KAAK,MAAMZ,OAAOe,UAAY,CAAA;AAC5B,wBAAA,IAAI,EAAEf,GAAOkB,IAAAA,4BAA2B,CAAI,EAAA;4BAC1CJ,eAAgB,CAAA;AAAEd,gCAAAA,GAAAA;AAAKG,gCAAAA,IAAAA,EAAMA,KAAKF;AAAU,6BAAA,CAAA;AAC9C;wBACA,IAAI,CAACiB,4BAA4B,CAAClB,GAAAA,CAAI,CAACO,QAASK,CAAAA,OAAO,CAACZ,GAAAA,CAAI,CAAG,EAAA;4BAC7Dc,eAAgB,CAAA;AAAEd,gCAAAA,GAAAA;AAAKG,gCAAAA,IAAAA,EAAMA,KAAKF;AAAU,6BAAA,CAAA;AAC9C;AACF;AACF;aACK,MAAA;AACL,gBAAA,MAAMO,mBAAoBD,CAAAA,QAAAA,CAAAA;AAC5B;AACF,SAAA;AAEA,QAAA,MAAMC,sBAAsB,OAAOD,QAAAA,GAAAA;YACjC,IAAI,CAACY,QAAQZ,QAAW,CAAA,EAAA;gBACtBO,eAAgB,CAAA;AAAEd,oBAAAA,GAAAA;AAAKG,oBAAAA,IAAAA,EAAMA,KAAKF;AAAU,iBAAA,CAAA;AAC9C;YAEA,KAAK,MAAMmB,WAAWb,QAAU,CAAA;AAC9B,gBAAA,IAAI,CAACc,QAASD,CAAAA,OAAAA,CAAAA,IAAY,EAAE,QAAA,IAAYA,OAAM,CAAI,EAAA;oBAChDN,eAAgB,CAAA;AAAEd,wBAAAA,GAAAA;AAAKG,wBAAAA,IAAAA,EAAMA,KAAKF;AAAU,qBAAA,CAAA;AAC9C;AAEA,gBAAA,MAAMqB,MAAS5B,GAAAA,iBAAAA,CAAkB6B,GAAG,CAAC,CAACC,MAAW,GAAA,CAAC,EAAEJ,OAAAA,CAAQK,MAAM,CAAC,CAAC,EAAED,OAAO,CAAC,CAAA;gBAC9E,MAAME,SAAAA,GAAY,MAAMC,qBAAAA,CAAsBL,MAAQxB,EAAAA,IAAAA,CAAAA;AAEtD,gBAAA,IAAI,CAAC4B,SAAW,EAAA;oBACdZ,eAAgB,CAAA;AAAEd,wBAAAA,GAAAA;AAAKG,wBAAAA,IAAAA,EAAMA,KAAKF;AAAU,qBAAA,CAAA;AAC9C;AACF;AACF,SAAA;AAEA,QAAA,MAAM2B,qBAAwB,GAAA,UAAA;AAC5B,YAAA,MAAMN,MAAS5B,GAAAA,iBAAAA,CAAkB6B,GAAG,CAAC,CAACC,MAAW,GAAA,CAAC,EAAEvB,SAAAA,CAAU4B,MAAM,CAAC,CAAC,EAAEL,OAAO,CAAC,CAAA;YAEhF,MAAME,SAAAA,GAAY,MAAMC,qBAAAA,CAAsBL,MAAQxB,EAAAA,IAAAA,CAAAA;;AAGtD,YAAA,IAAI,CAAC4B,SAAW,EAAA;gBACdZ,eAAgB,CAAA;AAAEd,oBAAAA,GAAAA;AAAKG,oBAAAA,IAAAA,EAAMA,KAAKF;AAAU,iBAAA,CAAA;AAC9C;AACF,SAAA;AAEA,QAAA,MAAM6B,iBAAoB,GAAA;AAACnC,YAAAA,oBAAAA;AAAsBC,YAAAA;AAAqB,SAAA,CAACmC,QAAQ,CAAC/B,GAAAA,CAAAA;;QAGhF,IAAIH,4BAA6C,CAACI,SAAY,CAAA,EAAA;YAC5D,MAAMK,mBAAAA,EAAAA;AACN,YAAA;AACF;;AAGA,QAAA,IAAIwB,iBAAqB5B,IAAAA,MAAAA,CAAOU,OAAO,EAAEoB,qBAAuB,EAAA;;AAE9D,YAAA;AACF;;QAGA,MAAMJ,qBAAAA,EAAAA;AACR,KAAA;AAEF,MAAMD,qBAAAA,GAAwB,OAAOL,MAAkBxB,EAAAA,IAAAA,GAAAA;IACrD,KAAK,MAAMmC,SAASX,MAAQ,CAAA;QAC1B,IAAI;AACF,YAAA,MAAMY,MAAOpC,CAAAA,IAAI,CAACqC,MAAM,CAACrC,IAAM,EAAA;AAAEmC,gBAAAA;AAAM,aAAA,CAAA;YACvC,OAAO,IAAA;AACT,SAAA,CAAE,OAAM;AACN,YAAA;AACF;AACF;IAEA,OAAO,KAAA;AACT,CAAA;;;;"}