fix: sanitize sub block field permissions correctly (#9296)

Fixes https://github.com/payloadcms/payload/issues/9288

### What?
When a block had a subfield named `blocks`, sanitization would throw an
error.

### Why?
An incorrect check for the `"fields"` key would attempt to pass
`data.blocks[key].fields` (i.e. `data.blocks.fields.fields`), which is
undefined, to the next call of `areAllPermissionsTrue`. Instead, if the
key is `fields`, it should pass `data.blocks[key]`.

### How?
Remove the second `.fields` property accessor.
Jarrod Flesch
2024-11-18 10:47:57 -05:00
committed by GitHub
parent 30947d2173
commit 5503afdf29
3 changed files with 104 additions and 1 deletions


@@ -14,9 +14,18 @@ export type Permission = {
export type FieldPermissions = {
blocks?: {
[blockSlug: string]: {
create: {
permission: boolean
}
fields: {
[fieldName: string]: FieldPermissions
}
read: {
permission: boolean
}
update: {
permission: boolean
}
}
}
create: {


@@ -157,6 +157,15 @@ describe('recursivelySanitizePermissions', () => {
},
},
},
create: {
permission: true,
},
read: {
permission: true,
},
update: {
permission: true,
},
},
},
read: {
@@ -236,6 +245,15 @@ describe('recursivelySanitizePermissions', () => {
},
},
},
create: {
permission: true,
},
read: {
permission: true,
},
update: {
permission: true,
},
},
},
read: {
@@ -267,6 +285,9 @@ describe('recursivelySanitizePermissions', () => {
read: true,
},
},
create: true,
update: true,
read: true,
},
},
read: true,
@@ -349,6 +370,79 @@ describe('recursivelySanitizePermissions', () => {
})
})
it('should sanitize blocks with subfield named blocks', () => {
const permissions: CollectionPermission = {
fields: {
content: {
create: { permission: true },
blocks: {
test: {
fields: {
blocks: {
create: { permission: true },
fields: {
arrayText: {
create: { permission: true },
read: { permission: true },
update: { permission: true },
},
id: {
create: { permission: true },
read: { permission: true },
update: { permission: true },
},
},
read: { permission: true },
update: { permission: true },
},
id: {
create: { permission: true },
read: { permission: true },
update: { permission: true },
},
blockName: {
create: { permission: true },
read: { permission: true },
update: { permission: true },
},
},
create: { permission: true },
read: { permission: true },
update: { permission: true },
},
},
read: { permission: true },
update: { permission: true },
},
},
create: {
permission: true,
},
read: {
permission: true,
},
update: {
permission: true,
},
delete: {
permission: false,
},
readVersions: {
permission: true,
},
}
recursivelySanitizePermissions(permissions)
expect(permissions).toStrictEqual({
fields: true,
create: true,
read: true,
update: true,
readVersions: true,
})
})
it('should sanitize a collection with nested fields in richText', () => {
const permissions: Partial<CollectionPermission> = {
fields: {
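Review bot: The new case `should sanitize blocks with subfield named blocks` only exercises the all-true path, so it shows the crash is gone but not that a denied permission under a field named `blocks` still blocks the collapse to `fields: true`. Since sanitization replaces a whole subtree with `true`, the fail-closed direction is the one worth pinning. I would add a sibling case that flips one nested entry, for example `update: { permission: false }` on `arrayText`, and asserts `expect(permissions.fields).not.toBe(true)`. The block-level `create`/`read`/`update` entries added in the earlier hunks of this file have the same gap, as they are only ever set to `true` in the visible lines.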


@@ -12,7 +12,7 @@ function areAllPermissionsTrue(data: PermissionObject): boolean {
for (const key in data.blocks) {
if (typeof data.blocks[key] === 'object') {
// If any recursive call returns false, the whole function returns false
if (key === 'fields' && !areAllPermissionsTrue(data.blocks[key].fields)) {
if (key === 'fields' && !areAllPermissionsTrue(data.blocks[key])) {
return false
}
if (data.blocks[key].fields && !areAllPermissionsTrue(data.blocks[key].fields)) {
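Review bot: The `key === 'fields'` branch is the only thing that tells a field literally named `blocks` (keys `create`/`fields`/`read`/`update`) apart from a map of block slugs, and nothing in the code says so. A comment above the branch would make that explicit, e.g. `// data.blocks may be a field named "blocks" rather than a slug map; its "fields" entry is then the sub-field permission map itself`. In that shape the sibling `create`/`read`/`update` objects pass the `typeof data.blocks[key] === 'object'` test but have no `.fields`, so within this hunk their `permission` value is never inspected. The loop body continues outside the hunk, so it is worth confirming that those values are checked there before the subtree is reported as all-true.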