fix: sanitize sub block field permissions correctly (#9296)
Fixes #9288

### What?
When a block had a subfield named `blocks`, sanitization would throw an
error.

### Why?
An incorrect check for the key `"fields"` would attempt to pass
`data.blocks[key].fields` (i.e. `data.blocks.fields.fields`) to the next
call of `areAllPermissionsTrue`, and that value would be undefined. Instead,
if the key is `fields`, it should pass `data.blocks[key]`.

### How?
Remove the second `.fields` property accessor.
JarrodMFlesch authored Nov 18, 2024
1 parent 30947d2 commit 5503afd
Showing 3 changed files with 104 additions and 1 deletion.
9 changes: 9 additions & 0 deletions packages/payload/src/auth/types.ts
Expand Up @@ -14,9 +14,18 @@ export type Permission = {
export type FieldPermissions = {
blocks?: {
[blockSlug: string]: {
create: {
permission: boolean
}
fields: {
[fieldName: string]: FieldPermissions
}
read: {
permission: boolean
}
update: {
permission: boolean
}
}
}
create: {
94 changes: 94 additions & 0 deletions packages/payload/src/utilities/sanitizePermissions.spec.ts
Expand Up @@ -157,6 +157,15 @@ describe('recursivelySanitizePermissions', () => {
},
},
},
create: {
permission: true,
},
read: {
permission: true,
},
update: {
permission: true,
},
},
},
read: {
Expand Down Expand Up @@ -236,6 +245,15 @@ describe('recursivelySanitizePermissions', () => {
},
},
},
create: {
permission: true,
},
read: {
permission: true,
},
update: {
permission: true,
},
},
},
read: {
Expand Down Expand Up @@ -267,6 +285,9 @@ describe('recursivelySanitizePermissions', () => {
read: true,
},
},
create: true,
update: true,
read: true,
},
},
read: true,
Expand Down Expand Up @@ -349,6 +370,79 @@ describe('recursivelySanitizePermissions', () => {
})
})

it('should sanitize blocks with subfield named blocks', () => {
const permissions: CollectionPermission = {
fields: {
content: {
create: { permission: true },
blocks: {
test: {
fields: {
blocks: {
create: { permission: true },
fields: {
arrayText: {
create: { permission: true },
read: { permission: true },
update: { permission: true },
},
id: {
create: { permission: true },
read: { permission: true },
update: { permission: true },
},
},
read: { permission: true },
update: { permission: true },
},
id: {
create: { permission: true },
read: { permission: true },
update: { permission: true },
},
blockName: {
create: { permission: true },
read: { permission: true },
update: { permission: true },
},
},
create: { permission: true },
read: { permission: true },
update: { permission: true },
},
},
read: { permission: true },
update: { permission: true },
},
},
create: {
permission: true,
},
read: {
permission: true,
},
update: {
permission: true,
},
delete: {
permission: false,
},
readVersions: {
permission: true,
},
}

recursivelySanitizePermissions(permissions)

expect(permissions).toStrictEqual({
fields: true,
create: true,
read: true,
update: true,
readVersions: true,
})
})

it('should sanitize a collection with nested fields in richText', () => {
const permissions: Partial<CollectionPermission> = {
fields: {
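Review bot: The new case `should sanitize blocks with subfield named blocks` only exercises a tree in which every nested permission is `true`, so it shows the crash is gone but not that the repaired branch still refuses to collapse when access is denied. A wrong collapse to `fields: true` would over-report what the user may do, so a companion case is worth adding: set one nested value under the `blocks` subfield, for example `arrayText.update`, to `{ permission: false }` and assert that `fields` is not reduced to `true`. The sanitized shape for a denied nested permission is not visible on this page, so the expected object should be taken from how the sanitizer treats other denied entries rather than guessed.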
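--- a/packages/payload/src/utilities/sanitizePermissions.ts
+++ b/packages/payload/src/utilities/sanitizePermissions.ts
@@ -12,7 +12,7 @@ function areAllPermissionsTrue(data: PermissionObject): boolean {
 for (const key in data.blocks) {
 if (typeof data.blocks[key] === 'object') {
 // If any recursive call returns false, the whole function returns false
-if (key === 'fields' && !areAllPermissionsTrue(data.blocks[key].fields)) {
+if (key === 'fields' && !areAllPermissionsTrue(data.blocks[key])) {
 return false
 }
 if (data.blocks[key].fields && !areAllPermissionsTrue(data.blocks[key].fields)) {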
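Review bot: The `key === 'fields'` branch decides by key name alone whether `data.blocks` is a block-slug map or the permissions of a field that happens to be called `blocks`, and nothing in the hunk says so; a block whose slug is literally `fields` would take the same branch. Because this function's result determines whether a permission subtree is collapsed to `true`, the intent deserves a comment above the check, e.g. `// data.blocks may be a field named "blocks"; its "fields" key is then the field map itself, not a block slug`. In that case the sibling keys `create`/`read`/`update` are objects without `.fields`, so neither visible condition inspects their `permission` value. The function starts and ends outside this hunk, so it should be confirmed that those values are checked elsewhere before the subtree is reported as fully permitted.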
