mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-11-26 02:10:19 +08:00
Abstracted userCanCreatePage helper to work for any permisison
- Added test to cover scenario where someone with create-own permission would want to copy a viewable item into a container entity that they own.
This commit is contained in:
parent
6be2d3f28c
commit
5c9b528517
|
@ -557,19 +557,17 @@ class PermissionService
|
|||
}
|
||||
|
||||
/**
|
||||
* Checks if a user has a book or chapter available to create a page
|
||||
* @param Ownable $ownable
|
||||
* @param $permission
|
||||
* Checks if a user has the given permission for any items in the system.
|
||||
* @param string $permission
|
||||
* @return bool
|
||||
*/
|
||||
public function checkAvailableCreatePageAccess()
|
||||
public function checkUserHasPermissionOnAnything(string $permission)
|
||||
{
|
||||
$userRoleIds = $this->currentUser()->roles()->pluck('id')->toArray();
|
||||
$userRoleIds = $this->currentUser()->roles()->select('id')->pluck('id')->toArray();
|
||||
$userId = $this->currentUser()->id;
|
||||
|
||||
|
||||
$canCreatePage = $this->db->table('joint_permissions')
|
||||
->where('action', '=', 'page-create')
|
||||
->where('action', '=', $permission)
|
||||
->whereIn('role_id', $userRoleIds)
|
||||
->where(function ($query) use ($userId) {
|
||||
$query->where('has_permission', '=', 1)
|
||||
|
@ -580,6 +578,7 @@ class PermissionService
|
|||
})
|
||||
->get()->count() > 0;
|
||||
|
||||
$this->clean();
|
||||
return $canCreatePage;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
<?php
|
||||
|
||||
use BookStack\Auth\Permissions\PermissionService;
|
||||
use BookStack\Ownable;
|
||||
|
||||
/**
|
||||
|
@ -50,30 +51,31 @@ function signedInUser()
|
|||
* Check if the current user has a permission.
|
||||
* If an ownable element is passed in the jointPermissions are checked against
|
||||
* that particular item.
|
||||
* @param $permission
|
||||
* @param string $permission
|
||||
* @param Ownable $ownable
|
||||
* @return mixed
|
||||
*/
|
||||
function userCan($permission, Ownable $ownable = null)
|
||||
function userCan(string $permission, Ownable $ownable = null)
|
||||
{
|
||||
if ($ownable === null) {
|
||||
return user() && user()->can($permission);
|
||||
}
|
||||
|
||||
// Check permission on ownable item
|
||||
$permissionService = app(\BookStack\Auth\Permissions\PermissionService::class);
|
||||
$permissionService = app(PermissionService::class);
|
||||
return $permissionService->checkOwnableUserAccess($ownable, $permission);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the current user has the ability to create a page for an existing object
|
||||
* Check if the current user has the given permission
|
||||
* on any item in the system.
|
||||
* @param string $permission
|
||||
* @return bool
|
||||
*/
|
||||
function userCanCreatePage()
|
||||
function userCanOnAny(string $permission)
|
||||
{
|
||||
// Check for create page permissions
|
||||
$permissionService = app(\BookStack\Auth\Permissions\PermissionService::class);
|
||||
return $permissionService->checkAvailableCreatePageAccess();
|
||||
$permissionService = app(PermissionService::class);
|
||||
return $permissionService->checkUserHasPermissionOnAnything($permission);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -17,14 +17,14 @@
|
|||
@if(userCan('page-update', $page))
|
||||
<a href="{{ $page->getUrl('/edit') }}" class="text-primary text-button" >@icon('edit'){{ trans('common.edit') }}</a>
|
||||
@endif
|
||||
@if((userCan('page-view', $page) && userCanCreatePage()) || userCan('page-update', $page) || userCan('restrictions-manage', $page) || userCan('page-delete', $page))
|
||||
@if((userCan('page-view', $page) && userCanOnAny('page-create')) || userCan('page-update', $page) || userCan('restrictions-manage', $page) || userCan('page-delete', $page))
|
||||
<div dropdown class="dropdown-container">
|
||||
<a dropdown-toggle class="text-primary text-button">@icon('more') {{ trans('common.more') }}</a>
|
||||
<ul>
|
||||
@if(userCanCreatePage())
|
||||
@if(userCanOnAny('page-create'))
|
||||
<li><a href="{{ $page->getUrl('/copy') }}" class="text-primary" >@icon('copy'){{ trans('common.copy') }}</a></li>
|
||||
@endif
|
||||
@if(userCan('page-delete', $page) && userCan('page-update, $page))
|
||||
@if(userCan('page-delete', $page) && userCan('page-update', $page))
|
||||
<li><a href="{{ $page->getUrl('/move') }}" class="text-primary" >@icon('folder'){{ trans('common.move') }}</a></li>
|
||||
@endif
|
||||
@if(userCan('page-update', $page))
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
<?php namespace Tests;
|
||||
|
||||
use BookStack\Auth\Role;
|
||||
use BookStack\Entities\Book;
|
||||
use BookStack\Entities\Chapter;
|
||||
use BookStack\Entities\Page;
|
||||
|
@ -239,4 +240,35 @@ class SortTest extends TestCase
|
|||
$this->assertTrue($pageCopy->id !== $page->id, 'Page copy is not the same instance');
|
||||
}
|
||||
|
||||
public function test_page_can_be_copied_without_edit_permission()
|
||||
{
|
||||
$page = Page::first();
|
||||
$currentBook = $page->book;
|
||||
$newBook = Book::where('id', '!=', $currentBook->id)->first();
|
||||
$viewer = $this->getViewer();
|
||||
|
||||
$resp = $this->actingAs($viewer)->get($page->getUrl());
|
||||
$resp->assertDontSee($page->getUrl('/copy'));
|
||||
|
||||
$newBook->created_by = $viewer->id;
|
||||
$newBook->save();
|
||||
$this->giveUserPermissions($viewer, ['page-create-own']);
|
||||
$this->regenEntityPermissions($newBook);
|
||||
|
||||
$resp = $this->actingAs($viewer)->get($page->getUrl());
|
||||
$resp->assertSee($page->getUrl('/copy'));
|
||||
|
||||
$movePageResp = $this->post($page->getUrl('/copy'), [
|
||||
'entity_selection' => 'book:' . $newBook->id,
|
||||
'name' => 'My copied test page'
|
||||
]);
|
||||
$movePageResp->assertRedirect();
|
||||
|
||||
$this->assertDatabaseHas('pages', [
|
||||
'name' => 'My copied test page',
|
||||
'created_by' => $viewer->id,
|
||||
'book_id' => $newBook->id,
|
||||
]);
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in New Issue
Block a user