archive/BookStackApp_BookStack
0
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-04-18 02:22:39 +00:00
Code Issues Projects Releases Wiki Activity

Added destination permission checking to entity move

Browse source
This commit is contained in:
Dan Brown 2018-04-14 18:47:13 +01:00
parent 0f7b0ad45a
commit cdb1c7ef88
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
9 changed files with 193 additions and 211 deletions

2
app/Http/Controllers/PageController.php
View file

@ -585,6 +585,8 @@ class PageController extends Controller
return redirect()->back(); return redirect()->back();
} }
$this->checkOwnablePermission('page-create', $parent);
$this->entityRepo->changePageParent($page, $parent); $this->entityRepo->changePageParent($page, $parent);
Activity::add($page, 'page_move', $page->book->id); Activity::add($page, 'page_move', $page->book->id);
session()->flash('success', trans('entities.pages_move_success', ['parentName' => $parent->name])); session()->flash('success', trans('entities.pages_move_success', ['parentName' => $parent->name]));

2
resources/views/chapters/move.blade.php
View file

@ -17,7 +17,7 @@
{!! csrf_field() !!} {!! csrf_field() !!}
<input type="hidden" name="_method" value="PUT"> <input type="hidden" name="_method" value="PUT">
@include('components.entity-selector', ['name' => 'entity_selection', 'selectorSize' => 'large', 'entityTypes' => 'book']) @include('components.entity-selector', ['name' => 'entity_selection', 'selectorSize' => 'large', 'entityTypes' => 'book', 'entityPermission' => 'chapter-create'])
<div class="form-group text-right"> <div class="form-group text-right">
<a href="{{ $chapter->getUrl() }}" class="button outline">{{ trans('common.cancel') }}</a> <a href="{{ $chapter->getUrl() }}" class="button outline">{{ trans('common.cancel') }}</a>

2
resources/views/pages/move.blade.php
View file

@ -17,7 +17,7 @@
{!! csrf_field() !!} {!! csrf_field() !!}
<input type="hidden" name="_method" value="PUT"> <input type="hidden" name="_method" value="PUT">
@include('components.entity-selector', ['name' => 'entity_selection', 'selectorSize' => 'large', 'entityTypes' => 'book,chapter']) @include('components.entity-selector', ['name' => 'entity_selection', 'selectorSize' => 'large', 'entityTypes' => 'book,chapter', 'entityPermission' => 'page-create'])
<div class="form-group text-right"> <div class="form-group text-right">
<a href="{{ $page->getUrl() }}" class="button outline">{{ trans('common.cancel') }}</a> <a href="{{ $page->getUrl() }}" class="button outline">{{ trans('common.cancel') }}</a>

59
tests/BrowserKitTest.php
View file

@ -12,10 +12,7 @@ abstract class BrowserKitTest extends TestCase
{ {
use DatabaseTransactions; use DatabaseTransactions;
use SharedTestHelpers;
// Local user instances
private $admin;
private $editor;
/** /**
* The base URL to use while testing the application. * The base URL to use while testing the application.
@ -43,38 +40,6 @@ abstract class BrowserKitTest extends TestCase
return $app; return $app;
} }
/**
* Set the current user context to be an admin.
* @return $this
*/
public function asAdmin()
{
return $this->actingAs($this->getAdmin());
}
/**
* Get the current admin user.
* @return mixed
*/
public function getAdmin() {
if($this->admin === null) {
$adminRole = Role::getSystemRole('admin');
$this->admin = $adminRole->users->first();
}
return $this->admin;
}
/**
* Set the current editor context to be an editor.
* @return $this
*/
public function asEditor()
{
if ($this->editor === null) {
$this->editor = $this->getEditor();
}
return $this->actingAs($this->editor);
}
/** /**
* Get a user that's not a system user such as the guest user. * Get a user that's not a system user such as the guest user.
@ -127,28 +92,6 @@ abstract class BrowserKitTest extends TestCase
$restrictionService->buildJointPermissionsForEntity($entity); $restrictionService->buildJointPermissionsForEntity($entity);
} }
/**
* Get an instance of a user with 'editor' permissions
* @param array $attributes
* @return mixed
*/
protected function getEditor($attributes = [])
{
$user = \BookStack\Role::getRole('editor')->users()->first();
if (!empty($attributes)) $user->forceFill($attributes)->save();
return $user;
}
/**
* Get an instance of a user with 'viewer' permissions
* @return mixed
*/
protected function getViewer()
{
$user = \BookStack\Role::getRole('viewer')->users()->first();
if (!empty($attributes)) $user->forceFill($attributes)->save();
return $user;
}
/** /**
* Quick way to create a new user without any permissions * Quick way to create a new user without any permissions

35
tests/Entity/SortTest.php
View file

@ -34,10 +34,10 @@ class SortTest extends TestCase
$currentBook = $page->book; $currentBook = $page->book;
$newBook = Book::where('id', '!=', $currentBook->id)->first(); $newBook = Book::where('id', '!=', $currentBook->id)->first();
$resp = $this->asAdmin()->get($page->getUrl() . '/move'); $resp = $this->asEditor()->get($page->getUrl('/move'));
$resp->assertSee('Move Page'); $resp->assertSee('Move Page');
$movePageResp = $this->put($page->getUrl() . '/move', [ $movePageResp = $this->put($page->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id 'entity_selection' => 'book:' . $newBook->id
]); ]);
$page = Page::find($page->id); $page = Page::find($page->id);
@ -50,6 +50,31 @@ class SortTest extends TestCase
$newBookResp->assertSee($page->name); $newBookResp->assertSee($page->name);
} }
public function test_page_move_requires_create_permissions_on_parent()
{
$page = Page::first();
$currentBook = $page->book;
$newBook = Book::where('id', '!=', $currentBook->id)->first();
$editor = $this->getEditor();
$this->setEntityRestrictions($newBook, ['view', 'edit', 'delete'], $editor->roles);
$movePageResp = $this->actingAs($editor)->put($page->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id
]);
$this->assertPermissionError($movePageResp);
$this->setEntityRestrictions($newBook, ['view', 'edit', 'delete', 'create'], $editor->roles);
$movePageResp = $this->put($page->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id
]);
$page = Page::find($page->id);
$movePageResp->assertRedirect($page->getUrl());
$this->assertTrue($page->book->id == $newBook->id, 'Page book is now the new book');
}
public function test_chapter_move() public function test_chapter_move()
{ {
$chapter = Chapter::first(); $chapter = Chapter::first();
@ -57,10 +82,10 @@ class SortTest extends TestCase
$pageToCheck = $chapter->pages->first(); $pageToCheck = $chapter->pages->first();
$newBook = Book::where('id', '!=', $currentBook->id)->first(); $newBook = Book::where('id', '!=', $currentBook->id)->first();
$chapterMoveResp = $this->asAdmin()->get($chapter->getUrl() . '/move'); $chapterMoveResp = $this->asEditor()->get($chapter->getUrl('/move'));
$chapterMoveResp->assertSee('Move Chapter'); $chapterMoveResp->assertSee('Move Chapter');
$moveChapterResp = $this->put($chapter->getUrl() . '/move', [ $moveChapterResp = $this->put($chapter->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id 'entity_selection' => 'book:' . $newBook->id
]); ]);
@ -105,7 +130,7 @@ class SortTest extends TestCase
]; ];
} }
$sortResp = $this->asAdmin()->put($newBook->getUrl() . '/sort', ['sort-tree' => json_encode($reqData)]); $sortResp = $this->asEditor()->put($newBook->getUrl() . '/sort', ['sort-tree' => json_encode($reqData)]);
$sortResp->assertRedirect($newBook->getUrl()); $sortResp->assertRedirect($newBook->getUrl());
$sortResp->assertStatus(302); $sortResp->assertStatus(302);
$this->assertDatabaseHas('chapters', [ $this->assertDatabaseHas('chapters', [

43
tests/Permissions/RestrictionsTest.php
View file

@ -1,7 +1,7 @@
<?php namespace Tests; <?php namespace Tests;
use BookStack\Book; use BookStack\Book;
use BookStack\Services\PermissionService; use BookStack\Entity;
use BookStack\User; use BookStack\User;
use BookStack\Repos\EntityRepo; use BookStack\Repos\EntityRepo;
@ -18,49 +18,20 @@ class RestrictionsTest extends BrowserKitTest
*/ */
protected $viewer; protected $viewer;
/**
* @var PermissionService
*/
protected $permissionService;
public function setUp() public function setUp()
{ {
parent::setUp(); parent::setUp();
$this->user = $this->getEditor(); $this->user = $this->getEditor();
$this->viewer = $this->getViewer(); $this->viewer = $this->getViewer();
$this->permissionService = $this->app[PermissionService::class];
} }
/** protected function setEntityRestrictions(Entity $entity, $actions = [], $roles = [])
* Manually set some permissions on an entity.
* @param \BookStack\Entity $entity
* @param $actions
*/
protected function setEntityRestrictions(\BookStack\Entity $entity, $actions)
{ {
$entity->restricted = true; $roles = [
$entity->permissions()->delete(); $this->user->roles->first(),
$this->viewer->roles->first(),
$role = $this->user->roles->first(); ];
$viewerRole = $this->viewer->roles->first(); parent::setEntityRestrictions($entity, $actions, $roles);
$permissions = [];
foreach ($actions as $action) {
$permissions[] = [
'role_id' => $role->id,
'action' => strtolower($action)
];
$permissions[] = [
'role_id' => $viewerRole->id,
'action' => strtolower($action)
];
}
$entity->permissions()->createMany($permissions);
$entity->save();
$entity->load('permissions');
$this->permissionService->buildJointPermissionsForEntity($entity);
$entity->load('jointPermissions');
} }
public function test_book_view_restriction() public function test_book_view_restriction()

8
tests/Permissions/RolesTest.php
View file

@ -16,14 +16,6 @@ class RolesTest extends BrowserKitTest
$this->user = $this->getViewer(); $this->user = $this->getViewer();
} }
protected function getViewer()
{
$role = \BookStack\Role::getRole('viewer');
$viewer = $this->getNewBlankUser();
$viewer->attachRole($role);;
return $viewer;
}
/** /**
* Give the given user some permissions. * Give the given user some permissions.
* @param \BookStack\User $user * @param \BookStack\User $user

143
tests/SharedTestHelpers.php Normal file
View file

@ -0,0 +1,143 @@
<?php namespace Tests;
use BookStack\Book;
use BookStack\Chapter;
use BookStack\Entity;
use BookStack\Repos\EntityRepo;
use BookStack\Role;
use BookStack\Services\PermissionService;
use BookStack\Services\SettingService;
trait SharedTestHelpers
{
protected $admin;
protected $editor;
/**
* Set the current user context to be an admin.
* @return $this
*/
public function asAdmin()
{
return $this->actingAs($this->getAdmin());
}
/**
* Get the current admin user.
* @return mixed
*/
public function getAdmin() {
if($this->admin === null) {
$adminRole = Role::getSystemRole('admin');
$this->admin = $adminRole->users->first();
}
return $this->admin;
}
/**
* Set the current user context to be an editor.
* @return $this
*/
public function asEditor()
{
return $this->actingAs($this->getEditor());
}
/**
* Get a editor user.
* @return mixed
*/
protected function getEditor() {
if($this->editor === null) {
$editorRole = Role::getRole('editor');
$this->editor = $editorRole->users->first();
}
return $this->editor;
}
/**
* Get an instance of a user with 'viewer' permissions
* @param $attributes
* @return mixed
*/
protected function getViewer($attributes = [])
{
$user = \BookStack\Role::getRole('viewer')->users()->first();
if (!empty($attributes)) $user->forceFill($attributes)->save();
return $user;
}
/**
* Create and return a new book.
* @param array $input
* @return Book
*/
public function newBook($input = ['name' => 'test book', 'description' => 'My new test book']) {
return $this->app[EntityRepo::class]->createFromInput('book', $input, false);
}
/**
* Create and return a new test chapter
* @param array $input
* @param Book $book
* @return Chapter
*/
public function newChapter($input = ['name' => 'test chapter', 'description' => 'My new test chapter'], Book $book) {
return $this->app[EntityRepo::class]->createFromInput('chapter', $input, $book);
}
/**
* Create and return a new test page
* @param array $input
* @return Chapter
*/
public function newPage($input = ['name' => 'test page', 'html' => 'My new test page']) {
$book = Book::first();
$entityRepo = $this->app[EntityRepo::class];
$draftPage = $entityRepo->getDraftPage($book);
return $entityRepo->publishPageDraft($draftPage, $input);
}
/**
* Quickly sets an array of settings.
* @param $settingsArray
*/
protected function setSettings($settingsArray)
{
$settings = app(SettingService::class);
foreach ($settingsArray as $key => $value) {
$settings->put($key, $value);
}
}
/**
* Manually set some permissions on an entity.
* @param Entity $entity
* @param array $actions
* @param array $roles
*/
protected function setEntityRestrictions(Entity $entity, $actions = [], $roles = [])
{
$entity->restricted = true;
$entity->permissions()->delete();
$permissions = [];
foreach ($actions as $action) {
foreach ($roles as $role) {
$permissions[] = [
'role_id' => $role->id,
'action' => strtolower($action)
];
}
}
$entity->permissions()->createMany($permissions);
$entity->save();
$entity->load('permissions');
$this->app[PermissionService::class]->buildJointPermissionsForEntity($entity);
$entity->load('jointPermissions');
}
}

110
tests/TestCase.php
View file

@ -1,21 +1,14 @@
<?php namespace Tests; <?php namespace Tests;
use BookStack\Book;
use BookStack\Chapter;
use BookStack\Repos\EntityRepo;
use BookStack\Role;
use BookStack\Services\SettingService;
use Illuminate\Foundation\Testing\DatabaseTransactions; use Illuminate\Foundation\Testing\DatabaseTransactions;
use Illuminate\Foundation\Testing\TestCase as BaseTestCase; use Illuminate\Foundation\Testing\TestCase as BaseTestCase;
use Illuminate\Foundation\Testing\TestResponse;
abstract class TestCase extends BaseTestCase abstract class TestCase extends BaseTestCase
{ {
use CreatesApplication; use CreatesApplication;
use DatabaseTransactions; use DatabaseTransactions;
use SharedTestHelpers;
protected $admin;
protected $editor;
/** /**
* The base URL to use while testing the application. * The base URL to use while testing the application.
* @var string * @var string
@ -23,100 +16,13 @@ abstract class TestCase extends BaseTestCase
protected $baseUrl = 'http://localhost'; protected $baseUrl = 'http://localhost';
/** /**
* Set the current user context to be an admin. * Assert a permission error has occurred.
* @return $this * @param TestResponse $response
*/ */
public function asAdmin() protected function assertPermissionError(TestResponse $response)
{ {
return $this->actingAs($this->getAdmin()); $response->assertRedirect('/');
} $this->assertTrue(session()->has('error'));
session()->remove('error');
/**
* Get the current admin user.
* @return mixed
*/
public function getAdmin() {
if($this->admin === null) {
$adminRole = Role::getSystemRole('admin');
$this->admin = $adminRole->users->first();
}
return $this->admin;
}
/**
* Set the current user context to be an editor.
* @return $this
*/
public function asEditor()
{
return $this->actingAs($this->getEditor());
}
/**
* Get a editor user.
* @return mixed
*/
public function getEditor() {
if($this->editor === null) {
$editorRole = Role::getRole('editor');
$this->editor = $editorRole->users->first();
}
return $this->editor;
}
/**
* Get an instance of a user with 'viewer' permissions
* @param $attributes
* @return mixed
*/
protected function getViewer($attributes = [])
{
$user = \BookStack\Role::getRole('viewer')->users()->first();
if (!empty($attributes)) $user->forceFill($attributes)->save();
return $user;
}
/**
* Create and return a new book.
* @param array $input
* @return Book
*/
public function newBook($input = ['name' => 'test book', 'description' => 'My new test book']) {
return $this->app[EntityRepo::class]->createFromInput('book', $input, false);
}
/**
* Create and return a new test chapter
* @param array $input
* @param Book $book
* @return Chapter
*/
public function newChapter($input = ['name' => 'test chapter', 'description' => 'My new test chapter'], Book $book) {
return $this->app[EntityRepo::class]->createFromInput('chapter', $input, $book);
}
/**
* Create and return a new test page
* @param array $input
* @return Chapter
*/
public function newPage($input = ['name' => 'test page', 'html' => 'My new test page']) {
$book = Book::first();
$entityRepo = $this->app[EntityRepo::class];
$draftPage = $entityRepo->getDraftPage($book);
return $entityRepo->publishPageDraft($draftPage, $input);
}
/**
* Quickly sets an array of settings.
* @param $settingsArray
*/
protected function setSettings($settingsArray)
{
$settings = app(SettingService::class);
foreach ($settingsArray as $key => $value) {
$settings->put($key, $value);
}
} }
} }