mirror of
https://github.com/BookStackApp/BookStack.git
synced 2025-04-30 06:30:03 +00:00
Added additional permission checks and tests for book sorts
- Aligned permissions control with move operations to check delete/create permissions against old/new locations. - Added tests to cover additional permissions scenarios.
This commit is contained in:
Dan Brown
parent
553954ad18
commit
d3ca23b195
4 changed files with 119 additions and 27 deletions
app
tests/Entity
|
|
@ -94,6 +94,8 @@ class ChapterRepo
|
||||||
throw new MoveOperationException('Book to move chapter into not found');
|
throw new MoveOperationException('Book to move chapter into not found');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO - Check create permissions for new parent?
|
||||||
|
|
||||||
$chapter->changeBook($parent->id);
|
$chapter->changeBook($parent->id);
|
||||||
$chapter->rebuildPermissions();
|
$chapter->rebuildPermissions();
|
||||||
Activity::add(ActivityType::CHAPTER_MOVE, $chapter);
|
Activity::add(ActivityType::CHAPTER_MOVE, $chapter);
|
||||||
|
|
|
||||||
|
|
@ -174,7 +174,7 @@ class BookContents
|
||||||
|
|
||||||
$currentParent = $modelMap[$currentParentKey] ?? null;
|
$currentParent = $modelMap[$currentParentKey] ?? null;
|
||||||
/** @var Book $newBook */
|
/** @var Book $newBook */
|
||||||
$newBook = $modelMap['book:' . $sortMapItem->parentBookId];
|
$newBook = $modelMap['book:' . $sortMapItem->parentBookId] ?? null;
|
||||||
/** @var ?Chapter $newChapter */
|
/** @var ?Chapter $newChapter */
|
||||||
$newChapter = $sortMapItem->parentChapterId ? ($modelMap['chapter:' . $sortMapItem->parentChapterId] ?? null) : null;
|
$newChapter = $sortMapItem->parentChapterId ? ($modelMap['chapter:' . $sortMapItem->parentChapterId] ?? null) : null;
|
||||||
|
|
||||||
|
|
@ -202,19 +202,27 @@ class BookContents
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check if the current user has permissions to apply the given sorting change.
|
* Check if the current user has permissions to apply the given sorting change.
|
||||||
|
* Is quite complex since items can gain a different parent change. Acts as a:
|
||||||
|
* - Update of old parent element (Change of content/order).
|
||||||
|
* - Update of sorted/moved element.
|
||||||
|
* - Deletion of element (Relative to parent upon move).
|
||||||
|
* - Creation of element within parent (Upon move to new parent).
|
||||||
*/
|
*/
|
||||||
protected function isSortChangePermissible(BookSortMapItem $sortMapItem, Entity $model, ?Entity $currentParent, ?Entity $newBook, ?Entity $newChapter): bool
|
protected function isSortChangePermissible(BookSortMapItem $sortMapItem, BookChild $model, ?Entity $currentParent, ?Entity $newBook, ?Entity $newChapter): bool
|
||||||
{
|
{
|
||||||
// TODO - Move operations check for create permissions, Needs these also/instead?
|
|
||||||
|
|
||||||
// Stop if we can't see the current parent or new book.
|
// Stop if we can't see the current parent or new book.
|
||||||
if (!$currentParent || !$newBook) {
|
if (!$currentParent || !$newBook) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$hasNewParent = $newBook->id !== $model->book_id || ($model instanceof Page && $model->chapter_id !== ($sortMapItem->parentChapterId ?? 0));
|
||||||
if ($model instanceof Chapter) {
|
if ($model instanceof Chapter) {
|
||||||
$hasPermission = userCan('book-update', $currentParent)
|
$hasPermission = userCan('book-update', $currentParent)
|
||||||
&& userCan('book-update', $newBook);
|
&& userCan('book-update', $newBook)
|
||||||
|
&& userCan('chapter-update', $model)
|
||||||
|
&& (!$hasNewParent || userCan('chapter-create', $newBook))
|
||||||
|
&& (!$hasNewParent || userCan('chapter-delete', $model));
|
||||||
|
|
||||||
if (!$hasPermission) {
|
if (!$hasPermission) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
@ -232,11 +240,21 @@ class BookContents
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$hasPageEditPermission = userCan('page-update', $model);
|
||||||
$newParentInRightLocation = ($newParent instanceof Book || $newParent->book_id === $newBook->id);
|
$newParentInRightLocation = ($newParent instanceof Book || $newParent->book_id === $newBook->id);
|
||||||
$newParentPermission = ($newParent instanceof Chapter) ? 'chapter-update' : 'book-update';
|
$newParentPermission = ($newParent instanceof Chapter) ? 'chapter-update' : 'book-update';
|
||||||
$hasNewParentPermission = userCan($newParentPermission, $newParent);
|
$hasNewParentPermission = userCan($newParentPermission, $newParent);
|
||||||
|
|
||||||
$hasPermission = $hasCurrentParentPermission && $newParentInRightLocation && $hasNewParentPermission;
|
$hasDeletePermissionIfMoving = (!$hasNewParent || userCan('page-delete', $model));
|
||||||
|
$hasCreatePermissionIfMoving = (!$hasNewParent || userCan('page-create', $newParent));
|
||||||
|
|
||||||
|
$hasPermission = $hasCurrentParentPermission
|
||||||
|
&& $newParentInRightLocation
|
||||||
|
&& $hasNewParentPermission
|
||||||
|
&& $hasPageEditPermission
|
||||||
|
&& $hasDeletePermissionIfMoving
|
||||||
|
&& $hasCreatePermissionIfMoving;
|
||||||
|
|
||||||
if (!$hasPermission) {
|
if (!$hasPermission) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -178,6 +178,8 @@ class ChapterController extends Controller
|
||||||
return redirect($chapter->getUrl());
|
return redirect($chapter->getUrl());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO - Check permissions against pages
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$newBook = $this->chapterRepo->move($chapter, $entitySelection);
|
$newBook = $this->chapterRepo->move($chapter, $entitySelection);
|
||||||
} catch (MoveOperationException $exception) {
|
} catch (MoveOperationException $exception) {
|
||||||
|
|
|
||||||
|
|
@ -33,9 +33,9 @@ class SortTest extends TestCase
|
||||||
|
|
||||||
public function test_page_move_into_book()
|
public function test_page_move_into_book()
|
||||||
{
|
{
|
||||||
$page = Page::first();
|
$page = Page::query()->first();
|
||||||
$currentBook = $page->book;
|
$currentBook = $page->book;
|
||||||
$newBook = Book::where('id', '!=', $currentBook->id)->first();
|
$newBook = Book::query()->where('id', '!=', $currentBook->id)->first();
|
||||||
|
|
||||||
$resp = $this->asEditor()->get($page->getUrl('/move'));
|
$resp = $this->asEditor()->get($page->getUrl('/move'));
|
||||||
$resp->assertSee('Move Page');
|
$resp->assertSee('Move Page');
|
||||||
|
|
@ -43,7 +43,7 @@ class SortTest extends TestCase
|
||||||
$movePageResp = $this->put($page->getUrl('/move'), [
|
$movePageResp = $this->put($page->getUrl('/move'), [
|
||||||
'entity_selection' => 'book:' . $newBook->id,
|
'entity_selection' => 'book:' . $newBook->id,
|
||||||
]);
|
]);
|
||||||
$page = Page::find($page->id);
|
$page = Page::query()->find($page->id);
|
||||||
|
|
||||||
$movePageResp->assertRedirect($page->getUrl());
|
$movePageResp->assertRedirect($page->getUrl());
|
||||||
$this->assertTrue($page->book->id == $newBook->id, 'Page book is now the new book');
|
$this->assertTrue($page->book->id == $newBook->id, 'Page book is now the new book');
|
||||||
|
|
@ -55,15 +55,15 @@ class SortTest extends TestCase
|
||||||
|
|
||||||
public function test_page_move_into_chapter()
|
public function test_page_move_into_chapter()
|
||||||
{
|
{
|
||||||
$page = Page::first();
|
$page = Page::query()->first();
|
||||||
$currentBook = $page->book;
|
$currentBook = $page->book;
|
||||||
$newBook = Book::where('id', '!=', $currentBook->id)->first();
|
$newBook = Book::query()->where('id', '!=', $currentBook->id)->first();
|
||||||
$newChapter = $newBook->chapters()->first();
|
$newChapter = $newBook->chapters()->first();
|
||||||
|
|
||||||
$movePageResp = $this->actingAs($this->getEditor())->put($page->getUrl('/move'), [
|
$movePageResp = $this->actingAs($this->getEditor())->put($page->getUrl('/move'), [
|
||||||
'entity_selection' => 'chapter:' . $newChapter->id,
|
'entity_selection' => 'chapter:' . $newChapter->id,
|
||||||
]);
|
]);
|
||||||
$page = Page::find($page->id);
|
$page = Page::query()->find($page->id);
|
||||||
|
|
||||||
$movePageResp->assertRedirect($page->getUrl());
|
$movePageResp->assertRedirect($page->getUrl());
|
||||||
$this->assertTrue($page->book->id == $newBook->id, 'Page parent is now the new chapter');
|
$this->assertTrue($page->book->id == $newBook->id, 'Page parent is now the new chapter');
|
||||||
|
|
@ -74,9 +74,9 @@ class SortTest extends TestCase
|
||||||
|
|
||||||
public function test_page_move_from_chapter_to_book()
|
public function test_page_move_from_chapter_to_book()
|
||||||
{
|
{
|
||||||
$oldChapter = Chapter::first();
|
$oldChapter = Chapter::query()->first();
|
||||||
$page = $oldChapter->pages()->first();
|
$page = $oldChapter->pages()->first();
|
||||||
$newBook = Book::where('id', '!=', $oldChapter->book_id)->first();
|
$newBook = Book::query()->where('id', '!=', $oldChapter->book_id)->first();
|
||||||
|
|
||||||
$movePageResp = $this->actingAs($this->getEditor())->put($page->getUrl('/move'), [
|
$movePageResp = $this->actingAs($this->getEditor())->put($page->getUrl('/move'), [
|
||||||
'entity_selection' => 'book:' . $newBook->id,
|
'entity_selection' => 'book:' . $newBook->id,
|
||||||
|
|
@ -110,7 +110,7 @@ class SortTest extends TestCase
|
||||||
'entity_selection' => 'book:' . $newBook->id,
|
'entity_selection' => 'book:' . $newBook->id,
|
||||||
]);
|
]);
|
||||||
|
|
||||||
$page = Page::find($page->id);
|
$page = Page::query()->find($page->id);
|
||||||
$movePageResp->assertRedirect($page->getUrl());
|
$movePageResp->assertRedirect($page->getUrl());
|
||||||
|
|
||||||
$this->assertTrue($page->book->id == $newBook->id, 'Page book is now the new book');
|
$this->assertTrue($page->book->id == $newBook->id, 'Page book is now the new book');
|
||||||
|
|
@ -118,9 +118,9 @@ class SortTest extends TestCase
|
||||||
|
|
||||||
public function test_page_move_requires_delete_permissions()
|
public function test_page_move_requires_delete_permissions()
|
||||||
{
|
{
|
||||||
$page = Page::first();
|
$page = Page::query()->first();
|
||||||
$currentBook = $page->book;
|
$currentBook = $page->book;
|
||||||
$newBook = Book::where('id', '!=', $currentBook->id)->first();
|
$newBook = Book::query()->where('id', '!=', $currentBook->id)->first();
|
||||||
$editor = $this->getEditor();
|
$editor = $this->getEditor();
|
||||||
|
|
||||||
$this->setEntityRestrictions($newBook, ['view', 'update', 'create', 'delete'], $editor->roles->all());
|
$this->setEntityRestrictions($newBook, ['view', 'update', 'create', 'delete'], $editor->roles->all());
|
||||||
|
|
@ -138,17 +138,17 @@ class SortTest extends TestCase
|
||||||
'entity_selection' => 'book:' . $newBook->id,
|
'entity_selection' => 'book:' . $newBook->id,
|
||||||
]);
|
]);
|
||||||
|
|
||||||
$page = Page::find($page->id);
|
$page = Page::query()->find($page->id);
|
||||||
$movePageResp->assertRedirect($page->getUrl());
|
$movePageResp->assertRedirect($page->getUrl());
|
||||||
$this->assertTrue($page->book->id == $newBook->id, 'Page book is now the new book');
|
$this->assertTrue($page->book->id == $newBook->id, 'Page book is now the new book');
|
||||||
}
|
}
|
||||||
|
|
||||||
public function test_chapter_move()
|
public function test_chapter_move()
|
||||||
{
|
{
|
||||||
$chapter = Chapter::first();
|
$chapter = Chapter::query()->first();
|
||||||
$currentBook = $chapter->book;
|
$currentBook = $chapter->book;
|
||||||
$pageToCheck = $chapter->pages->first();
|
$pageToCheck = $chapter->pages->first();
|
||||||
$newBook = Book::where('id', '!=', $currentBook->id)->first();
|
$newBook = Book::query()->where('id', '!=', $currentBook->id)->first();
|
||||||
|
|
||||||
$chapterMoveResp = $this->asEditor()->get($chapter->getUrl('/move'));
|
$chapterMoveResp = $this->asEditor()->get($chapter->getUrl('/move'));
|
||||||
$chapterMoveResp->assertSee('Move Chapter');
|
$chapterMoveResp->assertSee('Move Chapter');
|
||||||
|
|
@ -157,7 +157,7 @@ class SortTest extends TestCase
|
||||||
'entity_selection' => 'book:' . $newBook->id,
|
'entity_selection' => 'book:' . $newBook->id,
|
||||||
]);
|
]);
|
||||||
|
|
||||||
$chapter = Chapter::find($chapter->id);
|
$chapter = Chapter::query()->find($chapter->id);
|
||||||
$moveChapterResp->assertRedirect($chapter->getUrl());
|
$moveChapterResp->assertRedirect($chapter->getUrl());
|
||||||
$this->assertTrue($chapter->book->id === $newBook->id, 'Chapter Book is now the new book');
|
$this->assertTrue($chapter->book->id === $newBook->id, 'Chapter Book is now the new book');
|
||||||
|
|
||||||
|
|
@ -165,7 +165,7 @@ class SortTest extends TestCase
|
||||||
$newBookResp->assertSee('moved chapter');
|
$newBookResp->assertSee('moved chapter');
|
||||||
$newBookResp->assertSee($chapter->name);
|
$newBookResp->assertSee($chapter->name);
|
||||||
|
|
||||||
$pageToCheck = Page::find($pageToCheck->id);
|
$pageToCheck = Page::query()->find($pageToCheck->id);
|
||||||
$this->assertTrue($pageToCheck->book_id === $newBook->id, 'Chapter child page\'s book id has changed to the new book');
|
$this->assertTrue($pageToCheck->book_id === $newBook->id, 'Chapter child page\'s book id has changed to the new book');
|
||||||
$pageCheckResp = $this->get($pageToCheck->getUrl());
|
$pageCheckResp = $this->get($pageToCheck->getUrl());
|
||||||
$pageCheckResp->assertSee($newBook->name);
|
$pageCheckResp->assertSee($newBook->name);
|
||||||
|
|
@ -173,9 +173,9 @@ class SortTest extends TestCase
|
||||||
|
|
||||||
public function test_chapter_move_requires_delete_permissions()
|
public function test_chapter_move_requires_delete_permissions()
|
||||||
{
|
{
|
||||||
$chapter = Chapter::first();
|
$chapter = Chapter::query()->first();
|
||||||
$currentBook = $chapter->book;
|
$currentBook = $chapter->book;
|
||||||
$newBook = Book::where('id', '!=', $currentBook->id)->first();
|
$newBook = Book::query()->where('id', '!=', $currentBook->id)->first();
|
||||||
$editor = $this->getEditor();
|
$editor = $this->getEditor();
|
||||||
|
|
||||||
$this->setEntityRestrictions($newBook, ['view', 'update', 'create', 'delete'], $editor->roles->all());
|
$this->setEntityRestrictions($newBook, ['view', 'update', 'create', 'delete'], $editor->roles->all());
|
||||||
|
|
@ -193,7 +193,7 @@ class SortTest extends TestCase
|
||||||
'entity_selection' => 'book:' . $newBook->id,
|
'entity_selection' => 'book:' . $newBook->id,
|
||||||
]);
|
]);
|
||||||
|
|
||||||
$chapter = Chapter::find($chapter->id);
|
$chapter = Chapter::query()->find($chapter->id);
|
||||||
$moveChapterResp->assertRedirect($chapter->getUrl());
|
$moveChapterResp->assertRedirect($chapter->getUrl());
|
||||||
$this->assertTrue($chapter->book->id == $newBook->id, 'Page book is now the new book');
|
$this->assertTrue($chapter->book->id == $newBook->id, 'Page book is now the new book');
|
||||||
}
|
}
|
||||||
|
|
@ -314,14 +314,14 @@ class SortTest extends TestCase
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function test_book_sort_makes_no_changes_if_no_update_permissions_on_new_chapter()
|
public function test_book_sort_makes_no_changes_if_no_view_permissions_on_new_book()
|
||||||
{
|
{
|
||||||
/** @var Page $page */
|
/** @var Page $page */
|
||||||
$page = Page::query()->where('chapter_id', '!=', 0)->first();
|
$page = Page::query()->where('chapter_id', '!=', 0)->first();
|
||||||
/** @var Chapter $otherChapter */
|
/** @var Chapter $otherChapter */
|
||||||
$otherChapter = Chapter::query()->where('book_id', '!=', $page->book_id)->first();
|
$otherChapter = Chapter::query()->where('book_id', '!=', $page->book_id)->first();
|
||||||
$editor = $this->getEditor();
|
$editor = $this->getEditor();
|
||||||
$this->setEntityRestrictions($otherChapter, ['view'], [$editor->roles()->first()]);
|
$this->setEntityRestrictions($otherChapter->book, ['update', 'delete'], [$editor->roles()->first()]);
|
||||||
|
|
||||||
$sortData = [
|
$sortData = [
|
||||||
'id' => $page->id,
|
'id' => $page->id,
|
||||||
|
|
@ -337,6 +337,76 @@ class SortTest extends TestCase
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function test_book_sort_makes_no_changes_if_no_update_or_create_permissions_on_new_chapter()
|
||||||
|
{
|
||||||
|
/** @var Page $page */
|
||||||
|
$page = Page::query()->where('chapter_id', '!=', 0)->first();
|
||||||
|
/** @var Chapter $otherChapter */
|
||||||
|
$otherChapter = Chapter::query()->where('book_id', '!=', $page->book_id)->first();
|
||||||
|
$editor = $this->getEditor();
|
||||||
|
$this->setEntityRestrictions($otherChapter, ['view', 'delete'], [$editor->roles()->first()]);
|
||||||
|
|
||||||
|
$sortData = [
|
||||||
|
'id' => $page->id,
|
||||||
|
'sort' => 0,
|
||||||
|
'parentChapter' => $otherChapter->id,
|
||||||
|
'type' => 'page',
|
||||||
|
'book' => $otherChapter->book_id,
|
||||||
|
];
|
||||||
|
$this->actingAs($editor)->put($page->book->getUrl('/sort'), ['sort-tree' => json_encode([$sortData])])->assertRedirect();
|
||||||
|
|
||||||
|
$this->assertDatabaseHas('pages', [
|
||||||
|
'id' => $page->id, 'chapter_id' => $page->chapter_id, 'book_id' => $page->book_id,
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_book_sort_makes_no_changes_if_no_update_permissions_on_moved_item()
|
||||||
|
{
|
||||||
|
/** @var Page $page */
|
||||||
|
$page = Page::query()->where('chapter_id', '!=', 0)->first();
|
||||||
|
/** @var Chapter $otherChapter */
|
||||||
|
$otherChapter = Chapter::query()->where('book_id', '!=', $page->book_id)->first();
|
||||||
|
$editor = $this->getEditor();
|
||||||
|
$this->setEntityRestrictions($page, ['view', 'delete'], [$editor->roles()->first()]);
|
||||||
|
|
||||||
|
$sortData = [
|
||||||
|
'id' => $page->id,
|
||||||
|
'sort' => 0,
|
||||||
|
'parentChapter' => $otherChapter->id,
|
||||||
|
'type' => 'page',
|
||||||
|
'book' => $otherChapter->book_id,
|
||||||
|
];
|
||||||
|
$this->actingAs($editor)->put($page->book->getUrl('/sort'), ['sort-tree' => json_encode([$sortData])])->assertRedirect();
|
||||||
|
|
||||||
|
$this->assertDatabaseHas('pages', [
|
||||||
|
'id' => $page->id, 'chapter_id' => $page->chapter_id, 'book_id' => $page->book_id,
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_book_sort_makes_no_changes_if_no_delete_permissions_on_moved_item()
|
||||||
|
{
|
||||||
|
/** @var Page $page */
|
||||||
|
$page = Page::query()->where('chapter_id', '!=', 0)->first();
|
||||||
|
/** @var Chapter $otherChapter */
|
||||||
|
$otherChapter = Chapter::query()->where('book_id', '!=', $page->book_id)->first();
|
||||||
|
$editor = $this->getEditor();
|
||||||
|
$this->setEntityRestrictions($page, ['view', 'update'], [$editor->roles()->first()]);
|
||||||
|
|
||||||
|
$sortData = [
|
||||||
|
'id' => $page->id,
|
||||||
|
'sort' => 0,
|
||||||
|
'parentChapter' => $otherChapter->id,
|
||||||
|
'type' => 'page',
|
||||||
|
'book' => $otherChapter->book_id,
|
||||||
|
];
|
||||||
|
$this->actingAs($editor)->put($page->book->getUrl('/sort'), ['sort-tree' => json_encode([$sortData])])->assertRedirect();
|
||||||
|
|
||||||
|
$this->assertDatabaseHas('pages', [
|
||||||
|
'id' => $page->id, 'chapter_id' => $page->chapter_id, 'book_id' => $page->book_id,
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
public function test_book_sort_item_returns_book_content()
|
public function test_book_sort_item_returns_book_content()
|
||||||
{
|
{
|
||||||
$books = Book::all();
|
$books = Book::all();
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue