Keep original request and add properties to it, instead of copy

2022-08-20 01:33:29 +02:00
parent b21a56fdf7
commit bc97d3d6f2
11 changed files with 128 additions and 73 deletions
--- a/src/auth/operations/local/forgotPassword.ts
+++ b/src/auth/operations/local/forgotPassword.ts
@@ -19,15 +19,12 @@ async function localForgotPassword(payload: Payload, options: Options): Promise<
    data,
    expiration,
    disableEmail,
-    req: incomingReq = {},
+    req = {} as PayloadRequest,
  } = options;

  const collection = payload.collections[collectionSlug];

-  const req = {
-    ...incomingReq,
-    payloadAPI: 'local',
-  } as PayloadRequest;
+  req.payloadAPI = 'local';

  if (!req.payloadDataLoader) req.payloadDataLoader = getDataLoader(req);

--- a/src/auth/operations/local/login.ts
+++ b/src/auth/operations/local/login.ts
@@ -23,7 +23,7 @@ export type Options = {
 async function localLogin<T extends TypeWithID = any>(payload: Payload, options: Options): Promise<Result & { user: T}> {
  const {
    collection: collectionSlug,
-    req: incomingReq = {},
+    req = {} as PayloadRequest,
    res,
    depth,
    locale,
@@ -35,13 +35,10 @@ async function localLogin<T extends TypeWithID = any>(payload: Payload, options:

  const collection = payload.collections[collectionSlug];

-  const req = {
-    ...incomingReq,
-    payloadAPI: 'local',
-    payload,
-    locale: undefined,
-    fallbackLocale: undefined,
-  } as PayloadRequest;
+  req.payloadAPI = 'local';
+  req.payload = payload;
+  req.locale = undefined;
+  req.fallbackLocale = undefined;

  if (!req.payloadDataLoader) req.payloadDataLoader = getDataLoader(req);

--- a/src/auth/operations/local/resetPassword.ts
+++ b/src/auth/operations/local/resetPassword.ts
@@ -18,16 +18,13 @@ async function localResetPassword(payload: Payload, options: Options): Promise<R
    collection: collectionSlug,
    data,
    overrideAccess,
-    req: incomingReq = {},
+    req = {} as PayloadRequest,
  } = options;

  const collection = payload.collections[collectionSlug];

-  const req = {
-    ...incomingReq,
-    payload,
-    payloadAPI: 'local',
-  } as PayloadRequest;
+  req.payload = payload;
+  req.payloadAPI = 'local';

  if (!req.payloadDataLoader) req.payloadDataLoader = getDataLoader(req);

--- a/src/auth/operations/local/unlock.ts
+++ b/src/auth/operations/local/unlock.ts
@@ -17,16 +17,13 @@ async function localUnlock(payload: Payload, options: Options): Promise<boolean>
    collection: collectionSlug,
    data,
    overrideAccess = true,
-    req: incomingReq = {},
+    req = {} as PayloadRequest,
  } = options;

  const collection = payload.collections[collectionSlug];

-  const req = {
-    ...incomingReq,
-    payload,
-    payloadAPI: 'local',
-  } as PayloadRequest;
+  req.payload = payload;
+  req.payloadAPI = 'local';

  if (!req.payloadDataLoader) req.payloadDataLoader = getDataLoader(req);

--- a/src/collections/operations/local/create.ts
+++ b/src/collections/operations/local/create.ts
@@ -1,9 +1,9 @@
+import { UploadedFile } from 'express-fileupload';
 import { Payload } from '../../..';
 import { PayloadRequest } from '../../../express/types';
 import { Document } from '../../../types';
 import getFileByPath from '../../../uploads/getFileByPath';
 import create from '../create';
-import { File } from '../../../uploads/types';
 import { getDataLoader } from '../../dataloader';


@@ -18,7 +18,7 @@ export type Options<T> = {
  disableVerificationEmail?: boolean
  showHiddenFields?: boolean
  filePath?: string
-  file?: File
+  file?: UploadedFile
  overwriteExistingFiles?: boolean
  req?: PayloadRequest
  draft?: boolean
@@ -38,23 +38,21 @@ export default async function createLocal<T = any>(payload: Payload, options: Op
    filePath,
    file,
    overwriteExistingFiles = false,
-    req: incomingReq,
+    req = {} as PayloadRequest,
    draft,
  } = options;

  const collection = payload.collections[collectionSlug];

-  const req = {
-    ...incomingReq || {},
-    user,
-    payloadAPI: 'local',
-    locale: locale || incomingReq?.locale || (payload?.config?.localization ? payload?.config?.localization?.defaultLocale : null),
-    fallbackLocale: fallbackLocale || incomingReq?.fallbackLocale || null,
-    payload,
-    files: {
-      file: file ?? getFileByPath(filePath),
-    },
-  } as PayloadRequest;
+  req.payloadAPI = 'local';
+  req.locale = locale || req?.locale || (payload?.config?.localization ? payload?.config?.localization?.defaultLocale : null);
+  req.fallbackLocale = fallbackLocale || req?.fallbackLocale || null;
+  req.payload = payload;
+  req.files = {
+    file: (file as UploadedFile) ?? (getFileByPath(filePath) as UploadedFile),
+  };
+
+  if (typeof user !== 'undefined') req.user = user;

  if (!req.payloadDataLoader) req.payloadDataLoader = getDataLoader(req);

--- a/src/collections/operations/local/find.ts
+++ b/src/collections/operations/local/find.ts
@@ -43,19 +43,15 @@ export default async function findLocal<T extends TypeWithID = any>(payload: Pay
    sort,
    draft = false,
    pagination = true,
-    req: incomingReq,
+    req = {} as PayloadRequest,
  } = options;

  const collection = payload.collections[collectionSlug];

-  const req = {
-    user: undefined,
-    ...incomingReq || {},
-    payloadAPI: 'local',
-    locale: locale || incomingReq?.locale || (payload?.config?.localization ? payload?.config?.localization?.defaultLocale : null),
-    fallbackLocale: fallbackLocale || incomingReq?.fallbackLocale || null,
-    payload,
-  } as PayloadRequest;
+  req.payloadAPI = 'local';
+  req.locale = locale || req?.locale || (payload?.config?.localization ? payload?.config?.localization?.defaultLocale : null);
+  req.fallbackLocale = fallbackLocale || req?.fallbackLocale || null;
+  req.payload = payload;

  if (!req.payloadDataLoader) req.payloadDataLoader = getDataLoader(req);

--- a/src/collections/operations/local/findByID.ts
+++ b/src/collections/operations/local/findByID.ts
@@ -33,20 +33,16 @@ export default async function findByIDLocal<T extends TypeWithID = any>(payload:
    overrideAccess = true,
    disableErrors = false,
    showHiddenFields,
-    req: incomingReq,
+    req = {} as PayloadRequest,
    draft = false,
  } = options;

  const collection = payload.collections[collectionSlug];

-  const req = {
-    user: undefined,
-    ...incomingReq || {},
-    payloadAPI: 'local',
-    locale: locale || incomingReq?.locale || (payload?.config?.localization ? payload?.config?.localization?.defaultLocale : null),
-    fallbackLocale: fallbackLocale || incomingReq?.fallbackLocale || null,
-    payload,
-  } as PayloadRequest;
+  req.payloadAPI = 'local';
+  req.locale = locale || req?.locale || (payload?.config?.localization ? payload?.config?.localization?.defaultLocale : null);
+  req.fallbackLocale = fallbackLocale || req?.fallbackLocale || null;
+  req.payload = payload;

  if (typeof user !== 'undefined') req.user = user;

--- a/src/collections/operations/local/findVersionByID.ts
+++ b/src/collections/operations/local/findVersionByID.ts
@@ -28,18 +28,15 @@ export default async function findVersionByIDLocal<T extends TypeWithVersion<T>
    overrideAccess = true,
    disableErrors = false,
    showHiddenFields,
-    req: incomingReq,
+    req = {} as PayloadRequest,
  } = options;

  const collection = payload.collections[collectionSlug];

-  const req = {
-    ...incomingReq || {},
-    payloadAPI: 'local',
-    locale: locale || incomingReq?.locale || this?.config?.localization?.defaultLocale,
-    fallbackLocale: fallbackLocale || incomingReq?.fallbackLocale || null,
-    payload,
-  } as PayloadRequest;
+  req.payloadAPI = 'local';
+  req.locale = locale || req?.locale || this?.config?.localization?.defaultLocale;
+  req.fallbackLocale = fallbackLocale || req?.fallbackLocale || null;
+  req.payload = payload;

  if (!req.payloadDataLoader) req.payloadDataLoader = getDataLoader(req);

--- a/test/access-control/config.ts
+++ b/test/access-control/config.ts
@@ -9,6 +9,7 @@ export const readOnlySlug = 'read-only-collection';
 export const restrictedSlug = 'restricted';
 export const restrictedVersionsSlug = 'restricted-versions';
 export const siblingDataSlug = 'sibling-data';
+export const relyOnRequestHeadersSlug = 'rely-on-request-headers';

 const openAccess = {
  create: () => true,
@@ -24,6 +25,11 @@ const PublicReadabilityAccess: FieldAccess = ({ req: { user }, siblingData }) =>
  return false;
 };

+export const requestHeaders = {authorization: 'Bearer testBearerToken'};
+const UseRequestHeadersAccess: FieldAccess = ({ req: { headers } }) => {
+  return !!headers && headers.authorization === requestHeaders.authorization;
+};
+
 export default buildConfig({
  collections: [
    {
@@ -115,6 +121,21 @@ export default buildConfig({
        },
      ],
    },
+    {
+      slug: relyOnRequestHeadersSlug,
+      access: {
+        create: UseRequestHeadersAccess,
+        read: UseRequestHeadersAccess,
+        update: UseRequestHeadersAccess,
+        delete: UseRequestHeadersAccess,
+      },
+      fields: [
+        {
+          name: 'name',
+          type: 'text',
+        },
+      ],
+    },
  ],
  onInit: async (payload) => {
    await payload.create({
--- a/test/access-control/int.spec.ts
+++ b/test/access-control/int.spec.ts
@@ -1,9 +1,11 @@
 import mongoose from 'mongoose';
 import payload from '../../src';
+import type { Options as CreateOptions } from '../../src/collections/operations/local/create';
 import { Forbidden } from '../../src/errors';
+import type { PayloadRequest } from '../../src/types';
 import { initPayloadTest } from '../helpers/configHelpers';
-import { restrictedSlug, siblingDataSlug, slug } from './config';
-import type { Restricted, Post, SiblingDatum } from './payload-types';
+import { relyOnRequestHeadersSlug, requestHeaders, restrictedSlug, siblingDataSlug, slug } from './config';
+import type { Restricted, Post, SiblingDatum, RelyOnRequestHeader } from './payload-types';
 import { firstArrayText, secondArrayText } from './shared';

 describe('Access Control', () => {
@@ -74,7 +76,7 @@ describe('Access Control', () => {
  describe('Collections', () => {
    describe('restricted collection', () => {
      it('field without read access should not show', async () => {
-        const { id } = await createDoc({ restrictedField: 'restricted' });
+        const { id } = await createDoc<Post>({ restrictedField: 'restricted' });

        const retrievedDoc = await payload.findByID({ collection: slug, id, overrideAccess: false });

@@ -82,7 +84,7 @@ describe('Access Control', () => {
      });

      it('field without read access should not show when overrideAccess: true', async () => {
-        const { id, restrictedField } = await createDoc({ restrictedField: 'restricted' });
+        const { id, restrictedField } = await createDoc<Post>({ restrictedField: 'restricted' });

        const retrievedDoc = await payload.findByID({ collection: slug, id, overrideAccess: true });

@@ -90,13 +92,59 @@ describe('Access Control', () => {
      });

      it('field without read access should not show when overrideAccess default', async () => {
-        const { id, restrictedField } = await createDoc({ restrictedField: 'restricted' });
+        const { id, restrictedField } = await createDoc<Post>({ restrictedField: 'restricted' });

        const retrievedDoc = await payload.findByID({ collection: slug, id });

        expect(retrievedDoc.restrictedField).toEqual(restrictedField);
      });
    });
+    describe('non-enumerated request properties passed to access control', () => {
+      it('access control ok when passing request headers', async () => {
+        const req = Object.defineProperty({}, 'headers', {
+          value: requestHeaders,
+          enumerable: false,
+        }) as PayloadRequest;
+        const name = 'name';
+        const overrideAccess = false;
+
+        const { id } = await createDoc<RelyOnRequestHeader>({ name }, relyOnRequestHeadersSlug, { req, overrideAccess });
+        const docById = await payload.findByID({ collection: relyOnRequestHeadersSlug, id, req, overrideAccess });
+        const { docs: docsByName } = await payload.find({
+          collection: relyOnRequestHeadersSlug,
+          where: {
+            name: {
+              equals: name,
+            },
+          },
+          req,
+          overrideAccess,
+        });
+
+        expect(docById).not.toBeUndefined();
+        expect(docsByName.length).toBeGreaterThan(0);
+      });
+
+      it('access control fails when omitting request headers', async () => {
+        const name = 'name';
+        const overrideAccess = false;
+
+        await expect(() => createDoc<RelyOnRequestHeader>({ name }, relyOnRequestHeadersSlug, { overrideAccess })).rejects.toThrow(Forbidden);
+        const { id } = await createDoc<RelyOnRequestHeader>({ name }, relyOnRequestHeadersSlug);
+
+        await expect(() => payload.findByID({ collection: relyOnRequestHeadersSlug, id, overrideAccess })).rejects.toThrow(Forbidden);
+
+        await expect(() => payload.find({
+          collection: relyOnRequestHeadersSlug,
+          where: {
+            name: {
+              equals: name,
+            },
+          },
+          overrideAccess,
+        })).rejects.toThrow(Forbidden);
+      });
+    });
  });

  describe('Override Access', () => {
@@ -172,9 +220,10 @@ describe('Access Control', () => {
  });
 });

-async function createDoc(data: Partial<Post>): Promise<Post> {
-  return payload.create({
-    collection: slug,
+async function createDoc<Collection>(data: Partial<Collection>, overrideSlug = slug, options?: Partial<CreateOptions<Collection>>): Promise<Collection> {
+  return payload.create<Collection>({
+    ...options,
+    collection: overrideSlug,
    data: data ?? {},
  });
 }
--- a/test/access-control/payload-types.ts
+++ b/test/access-control/payload-types.ts
@@ -60,6 +60,16 @@ export interface SiblingDatum {
  createdAt: string;
  updatedAt: string;
 }
+/**
+ * This interface was referenced by `Config`'s JSON-Schema
+ * via the `definition` "rely-on-request-headers".
+ */
+export interface RelyOnRequestHeader {
+  id: string;
+  name?: string;
+  createdAt: string;
+  updatedAt: string;
+}
 /**
 * This interface was referenced by `Config`'s JSON-Schema
 * via the `definition` "users".