mirror of
https://github.com/BookStackApp/BookStack.git
synced 2025-02-17 07:22:45 +08:00
Updated so permission effect admins more
Asset permissions can now be configured for admins. joint_permissions will now effect admins more often. Made so shelves header link will hide if you have no bookshelves view permission.
This commit is contained in:
Dan Brown
parent
6eead437d8
commit
8ff969dd17
|
|
@ -80,7 +80,7 @@ class PermissionsRepo
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Updates an existing role.
|
* Updates an existing role.
|
||||||
* Ensure Admin role always has all permissions.
|
* Ensure Admin role always have core permissions.
|
||||||
* @param $roleId
|
* @param $roleId
|
||||||
* @param $roleData
|
* @param $roleData
|
||||||
* @throws PermissionsException
|
* @throws PermissionsException
|
||||||
|
|
@ -90,13 +90,18 @@ class PermissionsRepo
|
||||||
$role = $this->role->findOrFail($roleId);
|
$role = $this->role->findOrFail($roleId);
|
||||||
|
|
||||||
$permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
|
$permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
|
||||||
$this->assignRolePermissions($role, $permissions);
|
|
||||||
|
|
||||||
if ($role->system_name === 'admin') {
|
if ($role->system_name === 'admin') {
|
||||||
$permissions = $this->permission->all()->pluck('id')->toArray();
|
$permissions = array_merge($permissions, [
|
||||||
$role->permissions()->sync($permissions);
|
'users-manage',
|
||||||
|
'user-roles-manage',
|
||||||
|
'restrictions-manage-all',
|
||||||
|
'restrictions-manage-own',
|
||||||
|
'settings-manage',
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$this->assignRolePermissions($role, $permissions);
|
||||||
|
|
||||||
$role->fill($roleData);
|
$role->fill($roleData);
|
||||||
$role->save();
|
$role->save();
|
||||||
$this->permissionService->buildJointPermissionForRole($role);
|
$this->permissionService->buildJointPermissionForRole($role);
|
||||||
|
|
|
||||||
|
|
@ -60,7 +60,6 @@ class PermissionService
|
||||||
$this->book = $book;
|
$this->book = $book;
|
||||||
$this->chapter = $chapter;
|
$this->chapter = $chapter;
|
||||||
$this->page = $page;
|
$this->page = $page;
|
||||||
// TODO - Update so admin still goes through filters
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -520,11 +519,6 @@ class PermissionService
|
||||||
*/
|
*/
|
||||||
public function checkOwnableUserAccess(Ownable $ownable, $permission)
|
public function checkOwnableUserAccess(Ownable $ownable, $permission)
|
||||||
{
|
{
|
||||||
if ($this->isAdmin()) {
|
|
||||||
$this->clean();
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
$explodedPermission = explode('-', $permission);
|
$explodedPermission = explode('-', $permission);
|
||||||
|
|
||||||
$baseQuery = $ownable->where('id', '=', $ownable->id);
|
$baseQuery = $ownable->where('id', '=', $ownable->id);
|
||||||
|
|
@ -617,17 +611,16 @@ class PermissionService
|
||||||
$query = $this->db->query()->select('*')->from($this->db->raw("({$pageSelect->toSql()} UNION {$chapterSelect->toSql()}) AS U"))
|
$query = $this->db->query()->select('*')->from($this->db->raw("({$pageSelect->toSql()} UNION {$chapterSelect->toSql()}) AS U"))
|
||||||
->mergeBindings($pageSelect)->mergeBindings($chapterSelect);
|
->mergeBindings($pageSelect)->mergeBindings($chapterSelect);
|
||||||
|
|
||||||
if (!$this->isAdmin()) {
|
// Add joint permission filter
|
||||||
$whereQuery = $this->db->table('joint_permissions as jp')->selectRaw('COUNT(*)')
|
$whereQuery = $this->db->table('joint_permissions as jp')->selectRaw('COUNT(*)')
|
||||||
->whereRaw('jp.entity_id=U.id')->whereRaw('jp.entity_type=U.entity_type')
|
->whereRaw('jp.entity_id=U.id')->whereRaw('jp.entity_type=U.entity_type')
|
||||||
->where('jp.action', '=', 'view')->whereIn('jp.role_id', $this->getRoles())
|
->where('jp.action', '=', 'view')->whereIn('jp.role_id', $this->getRoles())
|
||||||
->where(function ($query) {
|
->where(function ($query) {
|
||||||
$query->where('jp.has_permission', '=', 1)->orWhere(function ($query) {
|
$query->where('jp.has_permission', '=', 1)->orWhere(function ($query) {
|
||||||
$query->where('jp.has_permission_own', '=', 1)->where('jp.created_by', '=', $this->currentUser()->id);
|
$query->where('jp.has_permission_own', '=', 1)->where('jp.created_by', '=', $this->currentUser()->id);
|
||||||
});
|
|
||||||
});
|
});
|
||||||
$query->whereRaw("({$whereQuery->toSql()}) > 0")->mergeBindings($whereQuery);
|
});
|
||||||
}
|
$query->whereRaw("({$whereQuery->toSql()}) > 0")->mergeBindings($whereQuery);
|
||||||
|
|
||||||
$query->orderBy('draft', 'desc')->orderBy('priority', 'asc');
|
$query->orderBy('draft', 'desc')->orderBy('priority', 'asc');
|
||||||
$this->clean();
|
$this->clean();
|
||||||
|
|
@ -655,11 +648,6 @@ class PermissionService
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($this->isAdmin()) {
|
|
||||||
$this->clean();
|
|
||||||
return $query;
|
|
||||||
}
|
|
||||||
|
|
||||||
$this->currentAction = $action;
|
$this->currentAction = $action;
|
||||||
return $this->entityRestrictionQuery($query);
|
return $this->entityRestrictionQuery($query);
|
||||||
}
|
}
|
||||||
|
|
@ -675,10 +663,6 @@ class PermissionService
|
||||||
*/
|
*/
|
||||||
public function filterRestrictedEntityRelations($query, $tableName, $entityIdColumn, $entityTypeColumn, $action = 'view')
|
public function filterRestrictedEntityRelations($query, $tableName, $entityIdColumn, $entityTypeColumn, $action = 'view')
|
||||||
{
|
{
|
||||||
if ($this->isAdmin()) {
|
|
||||||
$this->clean();
|
|
||||||
return $query;
|
|
||||||
}
|
|
||||||
|
|
||||||
$this->currentAction = $action;
|
$this->currentAction = $action;
|
||||||
$tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn, 'entityTypeColumn' => $entityTypeColumn];
|
$tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn, 'entityTypeColumn' => $entityTypeColumn];
|
||||||
|
|
@ -711,11 +695,6 @@ class PermissionService
|
||||||
*/
|
*/
|
||||||
public function filterRelatedPages($query, $tableName, $entityIdColumn)
|
public function filterRelatedPages($query, $tableName, $entityIdColumn)
|
||||||
{
|
{
|
||||||
if ($this->isAdmin()) {
|
|
||||||
$this->clean();
|
|
||||||
return $query;
|
|
||||||
}
|
|
||||||
|
|
||||||
$this->currentAction = 'view';
|
$this->currentAction = 'view';
|
||||||
$tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn];
|
$tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn];
|
||||||
|
|
||||||
|
|
@ -740,19 +719,6 @@ class PermissionService
|
||||||
return $q;
|
return $q;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Check if the current user is an admin.
|
|
||||||
* @return bool
|
|
||||||
*/
|
|
||||||
private function isAdmin()
|
|
||||||
{
|
|
||||||
if ($this->isAdminUser === null) {
|
|
||||||
$this->isAdminUser = ($this->currentUser()->id !== null) ? $this->currentUser()->hasSystemRole('admin') : false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return $this->isAdminUser;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the current user
|
* Get the current user
|
||||||
* @return User
|
* @return User
|
||||||
|
|
|
||||||
|
|
@ -90,6 +90,7 @@ return [
|
||||||
'role_manage_settings' => 'Manage app settings',
|
'role_manage_settings' => 'Manage app settings',
|
||||||
'role_asset' => 'Asset Permissions',
|
'role_asset' => 'Asset Permissions',
|
||||||
'role_asset_desc' => 'These permissions control default access to the assets within the system. Permissions on Books, Chapters and Pages will override these permissions.',
|
'role_asset_desc' => 'These permissions control default access to the assets within the system. Permissions on Books, Chapters and Pages will override these permissions.',
|
||||||
|
'role_asset_admins' => 'Admins are automatically given access to all content but these options may show or hide UI options.',
|
||||||
'role_all' => 'All',
|
'role_all' => 'All',
|
||||||
'role_own' => 'Own',
|
'role_own' => 'Own',
|
||||||
'role_controlled_by_asset' => 'Controlled by the asset they are uploaded to',
|
'role_controlled_by_asset' => 'Controlled by the asset they are uploaded to',
|
||||||
|
|
|
||||||
|
|
@ -52,7 +52,9 @@
|
||||||
</form>
|
</form>
|
||||||
</div>
|
</div>
|
||||||
<div class="links text-center">
|
<div class="links text-center">
|
||||||
<a href="{{ baseUrl('/shelves') }}">@icon('bookshelf'){{ trans('entities.shelves') }}</a>
|
@if(userCan('bookshelf-view-all') || userCan('bookshelf-view-own'))
|
||||||
|
<a href="{{ baseUrl('/shelves') }}">@icon('bookshelf'){{ trans('entities.shelves') }}</a>
|
||||||
|
@endif
|
||||||
<a href="{{ baseUrl('/books') }}">@icon('book'){{ trans('entities.books') }}</a>
|
<a href="{{ baseUrl('/books') }}">@icon('book'){{ trans('entities.books') }}</a>
|
||||||
@if(signedInUser() && userCan('settings-manage'))
|
@if(signedInUser() && userCan('settings-manage'))
|
||||||
<a href="{{ baseUrl('/settings') }}">@icon('settings'){{ trans('settings.settings') }}</a>
|
<a href="{{ baseUrl('/settings') }}">@icon('settings'){{ trans('settings.settings') }}</a>
|
||||||
|
|
|
||||||
|
|
@ -36,6 +36,10 @@
|
||||||
<h5>{{ trans('settings.role_asset') }}</h5>
|
<h5>{{ trans('settings.role_asset') }}</h5>
|
||||||
<p>{{ trans('settings.role_asset_desc') }}</p>
|
<p>{{ trans('settings.role_asset_desc') }}</p>
|
||||||
|
|
||||||
|
@if (isset($role) && $role->system_name === 'admin')
|
||||||
|
<p>{{ trans('settings.role_asset_admins') }}</p>
|
||||||
|
@endif
|
||||||
|
|
||||||
<table class="table">
|
<table class="table">
|
||||||
<tr>
|
<tr>
|
||||||
<th width="20%"></th>
|
<th width="20%"></th>
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user