feat: Add validation for array index in ToMany relations within URL patterns.

candidosales · candidosales · commit 888d218dc070 · 2025-11-23T12:11:24.000-05:00
diff --git a/packages/core/server/controllers/url-pattern.ts b/packages/core/server/controllers/url-pattern.ts
@@ -48,7 +48,7 @@ export default factories.createCoreController(contentTypeSlug, ({ strapi }) => (
       'uid',
       'documentId',
     ]);
-    const validated = urlPatternService.validatePattern(pattern, fields);
+    const validated = urlPatternService.validatePattern(pattern, fields, contentType);
 
     ctx.body = validated;
   },
diff --git a/packages/core/server/services/__tests__/url-pattern.test.ts b/packages/core/server/services/__tests__/url-pattern.test.ts
@@ -146,6 +146,25 @@ describe('URL Pattern Service', () => {
   });
 
   describe('validatePattern', () => {
+    it('should invalidate pattern with ToMany relation missing array index', () => {
+      const pattern = '/test/[private_categories.slug]/1';
+      const allowedFields = ['private_categories.slug'];
+      const contentType = {
+        attributes: {
+          private_categories: {
+            type: 'relation',
+            relation: 'manyToMany',
+            target: 'api::category.category',
+          },
+        },
+      } as any;
+
+      const result = service.validatePattern(pattern, allowedFields, contentType);
+
+      expect(result.valid).toBe(false);
+      expect(result.message).toContain('must include an array index');
+    });
+
     it('should validate pattern with underscored relation name', () => {
       const pattern = '/test/[private_categories[0].slug]/1';
       const allowedFields = ['private_categories.slug'];
diff --git a/packages/core/server/services/url-pattern.ts b/packages/core/server/services/url-pattern.ts
@@ -214,55 +214,55 @@ const customServices = () => ({
   /**
    * Validate if a pattern is correctly structured.
    *
-   * @param {string[]} pattern - The pattern to validate.
-   * @param {string[]} allowedFieldNames - The allowed field names in the pattern.
+   * @param {string} pattern - The pattern to validate.
+   * @param {string[]} allowedFieldNames - The allowed fields.
+   * @param {Schema.ContentType} contentType - The content type.
    * @returns {object} The validation result.
-   * @returns {boolean} object.valid - Validation boolean.
-   * @returns {string} object.message - Validation message.
    */
-  validatePattern: (pattern: string, allowedFieldNames: string[]) => {
-    if (!pattern.length) {
+  validatePattern: (pattern: string, allowedFieldNames: string[], contentType?: Schema.ContentType): { valid: boolean, message: string } => {
+    if (!pattern) {
       return {
         valid: false,
         message: 'Pattern cannot be empty',
       };
     }
 
-    const preCharCount = pattern.split('[').length - 1;
-    const postCharCount = pattern.split(']').length - 1;
+    const fields = getPluginService('url-pattern').getFieldsFromPattern(pattern);
+    let valid = true;
+    let message = '';
 
-    if (preCharCount < 1 || postCharCount < 1) {
-      return {
-        valid: false,
-        message: 'Pattern should contain at least one field',
-      };
-    }
-
-    if (preCharCount !== postCharCount) {
-      return {
-        valid: false,
-        message: 'Fields in the pattern are not escaped correctly',
-      };
-    }
-
-    let fieldsAreAllowed = true;
-
-    // Pass the original `pattern` array to getFieldsFromPattern
-    getPluginService('url-pattern').getFieldsFromPattern(pattern).forEach((field) => {
+    fields.forEach((field) => {
+      // Check if the field is allowed.
+      // We strip the array index from the field name to check if it is allowed.
+      // e.g. private_categories[0].slug -> private_categories.slug
       const fieldName = field.replace(/\[\d+\]/g, '');
-      if (!allowedFieldNames.includes(fieldName)) fieldsAreAllowed = false;
+      if (!allowedFieldNames.includes(fieldName)) {
+        valid = false;
+        message = `Pattern contains forbidden fields: ${field}`;
+      }
+
+      // Check if the field is a ToMany relation and has an array index.
+      if (contentType && field.includes('.')) {
+        const [relationName] = field.split('.');
+        // Strip array index to get the attribute name
+        const attributeName = relationName.replace(/\[\d+\]/g, '');
+        const attribute = contentType.attributes[attributeName];
+
+        if (
+          attribute
+          && attribute.type === 'relation'
+          && !attribute.relation.endsWith('ToOne')
+          && !relationName.includes('[')
+        ) {
+          valid = false;
+          message = `The relation ${attributeName} is a ToMany relation and must include an array index (e.g. ${attributeName}[0]).`;
+        }
+      }
     });
 
-    if (!fieldsAreAllowed) {
-      return {
-        valid: false,
-        message: 'Pattern contains forbidden fields',
-      };
-    }
-
     return {
-      valid: true,
-      message: 'Valid pattern',
+      valid,
+      message,
     };
   },
 });
