mirror of
https://github.com/BookStackApp/BookStack.git
synced 2025-01-19 04:52:44 +08:00
Fixed image delete permission issue
Also fixed missing translations and wrote tests to cover issue. Fixes #258
parent
f7f86ff821
commit
581c382f65
|
@ -405,7 +405,7 @@ class PermissionService
|
|||
$action = end($explodedPermission);
|
||||
$this->currentAction = $action;
|
||||
|
||||
$nonJointPermissions = ['restrictions'];
|
||||
$nonJointPermissions = ['restrictions', 'image', 'attachment'];
|
||||
|
||||
// Handle non entity specific jointPermissions
|
||||
if (in_array($explodedPermission[0], $nonJointPermissions)) {
|
||||
|
@ -421,7 +421,6 @@ class PermissionService
|
|||
$this->currentAction = $permission;
|
||||
}
|
||||
|
||||
|
||||
$q = $this->entityRestrictionQuery($baseQuery)->count() > 0;
|
||||
$this->clean();
|
||||
return $q;
|
||||
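Review bot: The widened list `['restrictions', 'image', 'attachment']` also routes attachment permission checks through the non-joint branch, yet the commit title and the tests visible on this page only exercise image deletion. An authorization change should carry a test for every prefix it adds, so an attachment case mirroring the image own/all tests is worth adding. The list is an unexplained inline literal; a short comment above it saying why these prefixes are handled before the `entityRestrictionQuery` check (as the second hunk suggests, if it is the same method) would help whoever extends it next. While touching this line, `in_array($explodedPermission[0], $nonJointPermissions, true)` makes the membership test strict. The branch body and the enclosing method lie outside the hunk, so how own/all is evaluated cannot be confirmed from here.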
|
|
|
@ -59,4 +59,14 @@ $factory->define(BookStack\Tag::class, function ($faker) {
|
|||
'name' => $faker->city,
|
||||
'value' => $faker->sentence(3)
|
||||
];
|
||||
});
|
||||
|
||||
$factory->define(BookStack\Image::class, function ($faker) {
|
||||
return [
|
||||
'name' => $faker->slug . '.jpg',
|
||||
'url' => $faker->url,
|
||||
'path' => $faker->url,
|
||||
'type' => 'gallery',
|
||||
'uploaded_to' => 0
|
||||
];
|
||||
});
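Review bot: The `path` attribute is filled with `$faker->url`, the same generator used for `url`, so every factory image carries an absolute URL where the column name suggests a storage path. The delete tests added in this commit send such a record through the real delete route, and any file removal that route performs would receive this value; that code is not visible here, so this needs confirming. A relative value such as `'path' => '/' . $faker->slug . '.jpg'` (constructed example) would keep the fixture closer to a real row. The factory also omits `created_by` and `updated_by`, which each test has to pass in by hand.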
|
|
@ -89,6 +89,7 @@ return [
|
|||
* Chapters
|
||||
*/
|
||||
'chapter' => 'Chapter',
|
||||
'chapters' => 'Chapters',
|
||||
'chapters_popular' => 'Popular Chapters',
|
||||
'chapters_new' => 'New Chapter',
|
||||
'chapters_create' => 'Create New Chapter',
|
||||
|
|
|
@ -578,4 +578,45 @@ class RolesTest extends TestCase
|
|||
->see('Cannot be deleted');
|
||||
}
|
||||
|
||||
|
||||
|
||||
public function test_image_delete_own_permission()
|
||||
{
|
||||
$this->giveUserPermissions($this->user, ['image-update-all']);
|
||||
// $admin = $this->getAdmin();
|
||||
$page = \BookStack\Page::first();
|
||||
$image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $this->user->id, 'updated_by' => $this->user->id]);
|
||||
|
||||
$this->actingAs($this->user)->json('delete', '/images/' . $image->id)
|
||||
->seeStatusCode(403);
|
||||
|
||||
$this->giveUserPermissions($this->user, ['image-delete-own']);
|
||||
|
||||
$this->actingAs($this->user)->json('delete', '/images/' . $image->id)
|
||||
->seeStatusCode(200)
|
||||
->dontSeeInDatabase('images', ['id' => $image->id]);
|
||||
}
|
||||
|
||||
public function test_image_delete_all_permission()
|
||||
{
|
||||
$this->giveUserPermissions($this->user, ['image-update-all']);
|
||||
$admin = $this->getAdmin();
|
||||
$page = \BookStack\Page::first();
|
||||
$image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);
|
||||
|
||||
$this->actingAs($this->user)->json('delete', '/images/' . $image->id)
|
||||
->seeStatusCode(403);
|
||||
|
||||
$this->giveUserPermissions($this->user, ['image-delete-own']);
|
||||
|
||||
$this->actingAs($this->user)->json('delete', '/images/' . $image->id)
|
||||
->seeStatusCode(403);
|
||||
|
||||
$this->giveUserPermissions($this->user, ['image-delete-all']);
|
||||
|
||||
$this->actingAs($this->user)->json('delete', '/images/' . $image->id)
|
||||
->seeStatusCode(200)
|
||||
->dontSeeInDatabase('images', ['id' => $image->id]);
|
||||
}
|
||||
|
||||
}
|
||||
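Review bot: The 403 branches in `test_image_delete_own_permission` and `test_image_delete_all_permission` assert only the status code, so a regression that returns 403 but still removes the row would pass. Chaining `->seeInDatabase('images', ['id' => $image->id])` after each `->seeStatusCode(403)` pins that a denied request leaves the image in place. The commented-out `// $admin = $this->getAdmin();` in the first test is dead code and can be dropped. The `RolesTest` class itself begins outside this hunk.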
|
|