fix(medusa): Allowed properties expand (#4600)

What: The expand allowed properties should allow all the segments whereas the allowed fields should be specific
2023-07-25 16:37:44 +02:00
parent f12299deb1
commit 9129ca08a7
7 changed files with 86 additions and 71 deletions
--- a/.changeset/early-windows-drum.md
+++ b/.changeset/early-windows-drum.md
@@ -0,0 +1,5 @@
+---
+"@medusajs/medusa": patch
+---
+
+fix(medusa): Clean response data should takes the full path of sub relations
--- a/integration-tests/api/tests/store/orders.js
+++ b/integration-tests/api/tests/store/orders.js
@@ -215,33 +215,36 @@ describe("/store/carts", () => {
        "/store/orders?display_id=111&email=test@email.com&fields=status,email"
      )

-      expect(Object.keys(response.data.order)).toEqual([
-        // fields
-        "status",
-        "email",
+      expect(Object.keys(response.data.order)).toHaveLength(20)
+      expect(Object.keys(response.data.order)).toEqual(
+        expect.arrayContaining([
+          // fields
+          "status",
+          "email",

-        // relations
-        "shipping_address",
-        "fulfillments",
-        "items",
-        "shipping_methods",
-        "discounts",
-        "customer",
-        "payments",
-        "region",
+          // relations
+          "shipping_address",
+          "fulfillments",
+          "items",
+          "shipping_methods",
+          "discounts",
+          "customer",
+          "payments",
+          "region",

-        // totals
-        "shipping_total",
-        "discount_total",
-        "tax_total",
-        "refunded_total",
-        "total",
-        "subtotal",
-        "paid_total",
-        "refundable_amount",
-        "gift_card_total",
-        "gift_card_tax_total",
-      ])
+          // totals
+          "shipping_total",
+          "discount_total",
+          "tax_total",
+          "refunded_total",
+          "total",
+          "subtotal",
+          "paid_total",
+          "refundable_amount",
+          "gift_card_total",
+          "gift_card_tax_total",
+        ])
+      )
    })

    it("get order response contains only fields defined with `fields` param", async () => {
@@ -249,32 +252,35 @@ describe("/store/carts", () => {

      const response = await api.get("/store/orders/order_test?fields=status")

-      expect(Object.keys(response.data.order)).toEqual([
-        // fields
-        "status",
+      expect(Object.keys(response.data.order)).toHaveLength(19)
+      expect(Object.keys(response.data.order)).toEqual(
+        expect.arrayContaining([
+          // fields
+          "status",

-        // default relations
-        "shipping_address",
-        "fulfillments",
-        "items",
-        "shipping_methods",
-        "discounts",
-        "customer",
-        "payments",
-        "region",
+          // default relations
+          "shipping_address",
+          "fulfillments",
+          "items",
+          "shipping_methods",
+          "discounts",
+          "customer",
+          "payments",
+          "region",

-        // totals
-        "shipping_total",
-        "discount_total",
-        "tax_total",
-        "refunded_total",
-        "total",
-        "subtotal",
-        "paid_total",
-        "refundable_amount",
-        "gift_card_total",
-        "gift_card_tax_total",
-      ])
+          // totals
+          "shipping_total",
+          "discount_total",
+          "tax_total",
+          "refunded_total",
+          "total",
+          "subtotal",
+          "paid_total",
+          "refundable_amount",
+          "gift_card_total",
+          "gift_card_tax_total",
+        ])
+      )
    })

    it("get order response contains only fields defined with `fields` and `expand` param", async () => {
--- a/integration-tests/api/tests/store/products.js
+++ b/integration-tests/api/tests/store/products.js
@@ -212,18 +212,21 @@ describe("/store/products", () => {

      expect(response.status).toEqual(200)

-      expect(Object.keys(response.data.products[0])).toEqual([
-        // fields
-        "handle",
-        // relations
-        "variants",
-        "options",
-        "images",
-        "tags",
-        "collection",
-        "type",
-        "profiles",
-      ])
+      expect(Object.keys(response.data.products[0])).toHaveLength(8)
+      expect(Object.keys(response.data.products[0])).toEqual(
+        expect.arrayContaining([
+          // fields
+          "handle",
+          // relations
+          "variants",
+          "options",
+          "images",
+          "tags",
+          "collection",
+          "type",
+          "profiles",
+        ])
+      )
    })

    it("returns a list of ordered products by id ASC and filtered with free text search", async () => {
--- a/packages/medusa/src/api/middlewares/transform-query.ts
+++ b/packages/medusa/src/api/middlewares/transform-query.ts
@@ -11,6 +11,7 @@ import { BaseEntity } from "../../interfaces"
 import { FindConfig, QueryConfig, RequestQueryFields } from "../../types/common"
 import { omit } from "lodash"
 import { removeUndefinedProperties } from "../../utils"
+import { buildSelects, objectToStringPath } from "@medusajs/utils"

 /**
 * Middleware that transform the query input for the admin end points
@@ -151,7 +152,7 @@ function getStoreAllowedProperties<TEntity extends BaseEntity>(
      ? [...(validated.expand?.split(",") || []), ...includeKeys]
      : queryConfig?.allowedRelations || []

-  allowed.push(...fields, ...expand)
+  allowed.push(...fields, ...objectToStringPath(buildSelects(expand)))

  return allowed
 }
@@ -180,7 +181,7 @@ function getAllowedProperties<TEntity extends BaseEntity>(
      ? [...(validated.expand?.split(",") || []), ...includeKeys]
      : queryConfig?.defaultRelations || []

-  allowed.push(...fields, ...expand)
+  allowed.push(...fields, ...objectToStringPath(buildSelects(expand)))

  return allowed as string[]
 }
--- a/packages/medusa/src/api/routes/admin/orders/tests/get-order.js
+++ b/packages/medusa/src/api/routes/admin/orders/tests/get-order.js
@@ -50,7 +50,7 @@ describe("GET /admin/orders", () => {
            }
          ),
          // TODO [MEDUSA_FF_SALES_CHANNELS]: Remove when sales channel flag is removed entirely
-          relations: [...defaultAdminOrdersRelations, "sales_channel"],
+          relations: [...defaultAdminOrdersRelations, "sales_channel"].sort(),
        },
        {
          includes: undefined,
--- a/packages/medusa/src/api/routes/admin/orders/get-order.ts
+++ b/packages/medusa/src/api/routes/admin/orders/get-order.ts
@@ -72,7 +72,7 @@ export default async (req, res) => {

  order = cleanResponseData(order, req.allowedProperties)

-  res.json({ order: cleanResponseData(order, []) })
+  res.json({ order: order })
 }

 export class AdminGetOrdersOrderParams extends FindParams {}
--- a/packages/medusa/src/api/routes/admin/products/tests/get-product.js
+++ b/packages/medusa/src/api/routes/admin/products/tests/get-product.js
@@ -56,16 +56,16 @@ describe("GET /admin/products/:id", () => {
            "metadata",
          ],
          relations: [
-            "variants",
-            "variants.prices",
-            "variants.options",
-            "profiles",
+            "collection",
            "images",
            "options",
+            "profiles",
+            "sales_channels",
            "tags",
            "type",
-            "collection",
-            "sales_channels",
+            "variants",
+            "variants.options",
+            "variants.prices",
          ],
        }
      )