archive/BookStackApp_BookStack
0
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-05-05 16:50:12 +00:00
Code Issues Projects Releases Wiki Activity

Made delete permissions a requirement for move operations

Browse source 
Closes
This commit is contained in:
Dan Brown 2019-01-05 14:39:40 +00:00
parent 2317bf2350
commit a2087fe3ff
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
5 changed files with 65 additions and 6 deletions
app/Http/Controllers
ChapterController.phpPageController.php
resources/views
chapters
show.blade.php
pages
show.blade.php
tests/Entity
SortTest.php

2
app/Http/Controllers/ChapterController.php
View file

@ -161,6 +161,7 @@ class ChapterController extends Controller
$chapter = $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug); $chapter = $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug);
$this->setPageTitle(trans('entities.chapters_move_named', ['chapterName' => $chapter->getShortName()])); $this->setPageTitle(trans('entities.chapters_move_named', ['chapterName' => $chapter->getShortName()]));
$this->checkOwnablePermission('chapter-update', $chapter); $this->checkOwnablePermission('chapter-update', $chapter);
$this->checkOwnablePermission('chapter-delete', $chapter);
return view('chapters/move', [ return view('chapters/move', [
'chapter' => $chapter, 'chapter' => $chapter,
'book' => $chapter->book 'book' => $chapter->book
@ -179,6 +180,7 @@ class ChapterController extends Controller
{ {
$chapter = $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug); $chapter = $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug);
$this->checkOwnablePermission('chapter-update', $chapter); $this->checkOwnablePermission('chapter-update', $chapter);
$this->checkOwnablePermission('chapter-delete', $chapter);
$entitySelection = $request->get('entity_selection', null); $entitySelection = $request->get('entity_selection', null);
if ($entitySelection === null || $entitySelection === '') { if ($entitySelection === null || $entitySelection === '') {

2
app/Http/Controllers/PageController.php
View file

@ -586,6 +586,7 @@ class PageController extends Controller
{ {
$page = $this->pageRepo->getPageBySlug($pageSlug, $bookSlug); $page = $this->pageRepo->getPageBySlug($pageSlug, $bookSlug);
$this->checkOwnablePermission('page-update', $page); $this->checkOwnablePermission('page-update', $page);
$this->checkOwnablePermission('page-delete', $page);
return view('pages/move', [ return view('pages/move', [
'book' => $page->book, 'book' => $page->book,
'page' => $page 'page' => $page
@ -604,6 +605,7 @@ class PageController extends Controller
{ {
$page = $this->pageRepo->getPageBySlug($pageSlug, $bookSlug); $page = $this->pageRepo->getPageBySlug($pageSlug, $bookSlug);
$this->checkOwnablePermission('page-update', $page); $this->checkOwnablePermission('page-update', $page);
$this->checkOwnablePermission('page-delete', $page);
$entitySelection = $request->get('entity_selection', null); $entitySelection = $request->get('entity_selection', null);
if ($entitySelection === null || $entitySelection === '') { if ($entitySelection === null || $entitySelection === '') {

4
resources/views/chapters/show.blade.php
View file

@ -20,11 +20,11 @@
@if(userCan('chapter-update', $chapter)) @if(userCan('chapter-update', $chapter))
<a href="{{ $chapter->getUrl('/edit') }}" class="text-primary text-button">@icon('edit'){{ trans('common.edit') }}</a> <a href="{{ $chapter->getUrl('/edit') }}" class="text-primary text-button">@icon('edit'){{ trans('common.edit') }}</a>
@endif @endif
@if(userCan('chapter-update', $chapter) || userCan('restrictions-manage', $chapter) || userCan('chapter-delete', $chapter)) @if((userCan('chapter-update', $chapter) && userCan('chapter-delete', $chapter) )|| userCan('restrictions-manage', $chapter) || userCan('chapter-delete', $chapter))
<div dropdown class="dropdown-container"> <div dropdown class="dropdown-container">
<a dropdown-toggle class="text-primary text-button">@icon('more') {{ trans('common.more') }}</a> <a dropdown-toggle class="text-primary text-button">@icon('more') {{ trans('common.more') }}</a>
<ul> <ul>
@if(userCan('chapter-update', $chapter)) @if(userCan('chapter-update', $chapter) && userCan('chapter-delete', $chapter))
<li><a href="{{ $chapter->getUrl('/move') }}" class="text-primary">@icon('folder'){{ trans('common.move') }}</a></li> <li><a href="{{ $chapter->getUrl('/move') }}" class="text-primary">@icon('folder'){{ trans('common.move') }}</a></li>
@endif @endif
@if(userCan('restrictions-manage', $chapter)) @if(userCan('restrictions-manage', $chapter))

4
resources/views/pages/show.blade.php
View file

@ -23,7 +23,9 @@
<ul> <ul>
@if(userCan('page-update', $page)) @if(userCan('page-update', $page))
<li><a href="{{ $page->getUrl('/copy') }}" class="text-primary" >@icon('copy'){{ trans('common.copy') }}</a></li> <li><a href="{{ $page->getUrl('/copy') }}" class="text-primary" >@icon('copy'){{ trans('common.copy') }}</a></li>
<li><a href="{{ $page->getUrl('/move') }}" class="text-primary" >@icon('folder'){{ trans('common.move') }}</a></li> @if(userCan('page-delete', $page))
<li><a href="{{ $page->getUrl('/move') }}" class="text-primary" >@icon('folder'){{ trans('common.move') }}</a></li>
@endif
<li><a href="{{ $page->getUrl('/revisions') }}" class="text-primary">@icon('history'){{ trans('entities.revisions') }}</a></li> <li><a href="{{ $page->getUrl('/revisions') }}" class="text-primary">@icon('history'){{ trans('entities.revisions') }}</a></li>
@endif @endif
@if(userCan('restrictions-manage', $page)) @if(userCan('restrictions-manage', $page))

59
tests/Entity/SortTest.php
View file

@ -3,7 +3,6 @@
use BookStack\Entities\Book; use BookStack\Entities\Book;
use BookStack\Entities\Chapter; use BookStack\Entities\Chapter;
use BookStack\Entities\Page; use BookStack\Entities\Page;
use BookStack\Entities\Repos\EntityRepo;
use BookStack\Entities\Repos\PageRepo; use BookStack\Entities\Repos\PageRepo;
class SortTest extends TestCase class SortTest extends TestCase
@ -58,14 +57,14 @@ class SortTest extends TestCase
$newBook = Book::where('id', '!=', $currentBook->id)->first(); $newBook = Book::where('id', '!=', $currentBook->id)->first();
$editor = $this->getEditor(); $editor = $this->getEditor();
$this->setEntityRestrictions($newBook, ['view', 'edit', 'delete'], $editor->roles); $this->setEntityRestrictions($newBook, ['view', 'update', 'delete'], $editor->roles);
$movePageResp = $this->actingAs($editor)->put($page->getUrl('/move'), [ $movePageResp = $this->actingAs($editor)->put($page->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id 'entity_selection' => 'book:' . $newBook->id
]); ]);
$this->assertPermissionError($movePageResp); $this->assertPermissionError($movePageResp);
$this->setEntityRestrictions($newBook, ['view', 'edit', 'delete', 'create'], $editor->roles); $this->setEntityRestrictions($newBook, ['view', 'update', 'delete', 'create'], $editor->roles);
$movePageResp = $this->put($page->getUrl('/move'), [ $movePageResp = $this->put($page->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id 'entity_selection' => 'book:' . $newBook->id
]); ]);
@ -76,6 +75,33 @@ class SortTest extends TestCase
$this->assertTrue($page->book->id == $newBook->id, 'Page book is now the new book'); $this->assertTrue($page->book->id == $newBook->id, 'Page book is now the new book');
} }
public function test_page_move_requires_delete_permissions()
{
$page = Page::first();
$currentBook = $page->book;
$newBook = Book::where('id', '!=', $currentBook->id)->first();
$editor = $this->getEditor();
$this->setEntityRestrictions($newBook, ['view', 'update', 'create', 'delete'], $editor->roles);
$this->setEntityRestrictions($page, ['view', 'update', 'create'], $editor->roles);
$movePageResp = $this->actingAs($editor)->put($page->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id
]);
$this->assertPermissionError($movePageResp);
$pageView = $this->get($page->getUrl());
$pageView->assertDontSee($page->getUrl('/move'));
$this->setEntityRestrictions($page, ['view', 'update', 'create', 'delete'], $editor->roles);
$movePageResp = $this->put($page->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id
]);
$page = Page::find($page->id);
$movePageResp->assertRedirect($page->getUrl());
$this->assertTrue($page->book->id == $newBook->id, 'Page book is now the new book');
}
public function test_chapter_move() public function test_chapter_move()
{ {
$chapter = Chapter::first(); $chapter = Chapter::first();
@ -104,6 +130,33 @@ class SortTest extends TestCase
$pageCheckResp->assertSee($newBook->name); $pageCheckResp->assertSee($newBook->name);
} }
public function test_chapter_move_requires_delete_permissions()
{
$chapter = Chapter::first();
$currentBook = $chapter->book;
$newBook = Book::where('id', '!=', $currentBook->id)->first();
$editor = $this->getEditor();
$this->setEntityRestrictions($newBook, ['view', 'update', 'create', 'delete'], $editor->roles);
$this->setEntityRestrictions($chapter, ['view', 'update', 'create'], $editor->roles);
$moveChapterResp = $this->actingAs($editor)->put($chapter->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id
]);
$this->assertPermissionError($moveChapterResp);
$pageView = $this->get($chapter->getUrl());
$pageView->assertDontSee($chapter->getUrl('/move'));
$this->setEntityRestrictions($chapter, ['view', 'update', 'create', 'delete'], $editor->roles);
$moveChapterResp = $this->put($chapter->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id
]);
$chapter = Chapter::find($chapter->id);
$moveChapterResp->assertRedirect($chapter->getUrl());
$this->assertTrue($chapter->book->id == $newBook->id, 'Page book is now the new book');
}
public function test_book_sort() public function test_book_sort()
{ {
$oldBook = Book::query()->first(); $oldBook = Book::query()->first();