github-mirror/BookStack
2
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-01-31 23:34:58 +08:00
Code Issues Actions 13 Packages Projects Releases Wiki Activity

Allowed creating pages in visible chapters in invisible books

Browse Source 
Fixes permissions with test to cover in the event a page is created,
with permission, in a chapter but the user does not have permission to
see the parent book.

Fixes #912
This commit is contained in:
Dan Brown 2018-07-14 14:12:29 +01:00
parent b2cd363539
commit 2bcc159fd6
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
3 changed files with 52 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
app/Http/Controllers/PageController.php
View File

@ -5,7 +5,6 @@ use BookStack\Exceptions\NotFoundException;
use BookStack\Repos\EntityRepo; use BookStack\Repos\EntityRepo;
use BookStack\Repos\UserRepo; use BookStack\Repos\UserRepo;
use BookStack\Services\ExportService; use BookStack\Services\ExportService;
use Carbon\Carbon;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Illuminate\Http\Response; use Illuminate\Http\Response;
use Views; use Views;
@ -38,11 +37,18 @@ class PageController extends Controller
* @param string $chapterSlug * @param string $chapterSlug
* @return Response * @return Response
* @internal param bool $pageSlug * @internal param bool $pageSlug
* @throws NotFoundException
*/ */
public function create($bookSlug, $chapterSlug = null) public function create($bookSlug, $chapterSlug = null)
{ {
$book = $this->entityRepo->getBySlug('book', $bookSlug); if ($chapterSlug !== null) {
$chapter = $chapterSlug ? $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug) : null; $chapter = $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug);
$book = $chapter->book;
} else {
$chapter = null;
$book = $this->entityRepo->getBySlug('book', $bookSlug);
}
$parent = $chapter ? $chapter : $book; $parent = $chapter ? $chapter : $book;
$this->checkOwnablePermission('page-create', $parent); $this->checkOwnablePermission('page-create', $parent);
@ -52,7 +58,7 @@ class PageController extends Controller
return redirect($draft->getUrl()); return redirect($draft->getUrl());
} }
// Otherwise show edit view // Otherwise show the edit view if they're a guest
$this->setPageTitle(trans('entities.pages_new')); $this->setPageTitle(trans('entities.pages_new'));
return view('pages/guest-create', ['parent' => $parent]); return view('pages/guest-create', ['parent' => $parent]);
} }
@ -71,8 +77,14 @@ class PageController extends Controller
'name' => 'required|string|max:255' 'name' => 'required|string|max:255'
]); ]);
$book = $this->entityRepo->getBySlug('book', $bookSlug); if ($chapterSlug !== null) {
$chapter = $chapterSlug ? $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug) : null; $chapter = $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug);
$book = $chapter->book;
} else {
$chapter = null;
$book = $this->entityRepo->getBySlug('book', $bookSlug);
}
$parent = $chapter ? $chapter : $book; $parent = $chapter ? $chapter : $book;
$this->checkOwnablePermission('page-create', $parent); $this->checkOwnablePermission('page-create', $parent);
@ -93,7 +105,7 @@ class PageController extends Controller
public function editDraft($bookSlug, $pageId) public function editDraft($bookSlug, $pageId)
{ {
$draft = $this->entityRepo->getById('page', $pageId, true); $draft = $this->entityRepo->getById('page', $pageId, true);
$this->checkOwnablePermission('page-create', $draft->book); $this->checkOwnablePermission('page-create', $draft->parent);
$this->setPageTitle(trans('entities.pages_edit_draft')); $this->setPageTitle(trans('entities.pages_edit_draft'));
$draftsEnabled = $this->signedIn; $draftsEnabled = $this->signedIn;
@ -119,12 +131,10 @@ class PageController extends Controller
]); ]);
$input = $request->all(); $input = $request->all();
$book = $this->entityRepo->getBySlug('book', $bookSlug);
$draftPage = $this->entityRepo->getById('page', $pageId, true); $draftPage = $this->entityRepo->getById('page', $pageId, true);
$book = $draftPage->book;
$chapterId = intval($draftPage->chapter_id); $parent = $draftPage->parent;
$parent = $chapterId !== 0 ? $this->entityRepo->getById('chapter', $chapterId) : $book;
$this->checkOwnablePermission('page-create', $parent); $this->checkOwnablePermission('page-create', $parent);
if ($parent->isA('chapter')) { if ($parent->isA('chapter')) {

9
app/Page.php
View File

@ -28,6 +28,15 @@ class Page extends Entity
return $this->belongsTo(Book::class); return $this->belongsTo(Book::class);
} }
/**
* Get the parent item
* @return \Illuminate\Database\Eloquent\Relations\BelongsTo
*/
public function parent()
{
return $this->chapter_id ? $this->chapter() : $this->book();
}
/** /**
* Get the chapter that this page is in, If applicable. * Get the chapter that this page is in, If applicable.
* @return \Illuminate\Database\Eloquent\Relations\BelongsTo * @return \Illuminate\Database\Eloquent\Relations\BelongsTo

22
tests/Permissions/RestrictionsTest.php
View File

@ -592,4 +592,26 @@ class RestrictionsTest extends BrowserKitTest
->see('You do not have permission') ->see('You do not have permission')
->seePageIs('/'); ->seePageIs('/');
} }
public function test_can_create_page_if_chapter_has_permissions_when_book_not_visible()
{
$book = Book::first();
$this->setEntityRestrictions($book, []);
$bookChapter = $book->chapters->first();
$this->setEntityRestrictions($bookChapter, ['view']);
$this->actingAs($this->user)->visit($bookChapter->getUrl())
->dontSee('New Page');
$this->setEntityRestrictions($bookChapter, ['view', 'create']);
$this->actingAs($this->user)->visit($bookChapter->getUrl())
->click('New Page')
->seeStatusCode(200)
->type('test page', 'name')
->type('test content', 'html')
->press('Save Page')
->seePageIs($book->getUrl('/page/test-page'))
->seeStatusCode(200);
}
} }