From 97ffbaa7403e08b2402a4a7c44762b848e1b3572 Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Tue, 7 May 2019 22:42:12 +0100
Subject: [PATCH] Fixed issue where books titles could be leaked via shelf home view

- Also added test to cover

Fixes #1425
---
 app/Http/Controllers/HomeController.php |  3 +++
 tests/HomepageTest.php                  | 31 +++++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/app/Http/Controllers/HomeController.php b/app/Http/Controllers/HomeController.php
index c5f3cd02a..ba93bfe65 100644
--- a/app/Http/Controllers/HomeController.php
+++ b/app/Http/Controllers/HomeController.php
@@ -67,6 +67,9 @@ class HomeController extends Controller
         if ($homepageOption === 'bookshelves') {
             $shelves = $this->entityRepo->getAllPaginated('bookshelf', 18, $commonData['sort'], $commonData['order']);
+            foreach ($shelves as $shelf) {
+                $shelf->books = $this->entityRepo->getBookshelfChildren($shelf);
+            }
             $data = array_merge($commonData, ['shelves' => $shelves]);
             return view('common.home-shelves', $data);
         }
diff --git a/tests/HomepageTest.php b/tests/HomepageTest.php
index 2c8b8d5c0..286d4cf60 100644
--- a/tests/HomepageTest.php
+++ b/tests/HomepageTest.php
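Review bot: The added `$shelf->books = ...` assignment carries the whole permission fix but says nothing about why it is there, so a later maintainer seeing an apparently unused `books()` relation on the model could remove it as redundant and silently reintroduce the leak; a short why-comment above the loop would guard against that: `// Replace the unfiltered books() relation with repo-loaded children so entity-level view permissions apply on the homepage.` Setting a property with the same name as a relation works only because Eloquent resolves attributes before relations in the view; `$shelf->setRelation('books', $this->entityRepo->getBookshelfChildren($shelf));` states the intent explicitly and avoids depending on that precedence. This also issues one children query per shelf, which at the page size of 18 seen in the hunk looks acceptable, but is worth noting in the same comment if the page size ever grows. The enclosing method starts before this hunk and continues after it.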
@@ -1,5 +1,7 @@ setSettings(['app-homepage-type' => false]); $this->test_default_homepage_visible(); } + + public function test_shelves_list_homepage_adheres_to_book_visibility_permissions() + { + $editor = $this->getEditor(); + setting()->putUser($editor, 'bookshelves_view_type', 'list'); + $this->setSettings(['app-homepage-type' => 'bookshelves']); + $this->asEditor(); + + $shelf = Bookshelf::query()->first(); + $book = $shelf->books()->first(); + + // Ensure initially visible + $homeVisit = $this->get('/'); + $homeVisit->assertElementContains('.content-wrap', $shelf->name); + $homeVisit->assertElementContains('.content-wrap', $book->name); + + // Ensure book no longer visible without view permission + $editor->roles()->detach(); + $this->giveUserPermissions($editor, ['bookshelf-view-all']); + $homeVisit = $this->get('/'); + $homeVisit->assertElementContains('.content-wrap', $shelf->name); + $homeVisit->assertElementNotContains('.content-wrap', $book->name); + + // Ensure is visible again with entity-level view permission + $this->setEntityRestrictions($book, ['view'], [$editor->roles()->first()]); + $homeVisit = $this->get('/'); + $homeVisit->assertElementContains('.content-wrap', $shelf->name); + $homeVisit->assertElementContains('.content-wrap', $book->name); + } }
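Review bot: The new test pins the book-visibility behaviour only for the `'list'` value of `bookshelves_view_type`, while the controller change applies to every shelves homepage render regardless of view type; if the other view type also prints child book names, a second case (or a data provider over the view types) would keep that path covered, otherwise a one-line comment such as `// Only the list view renders child book names, so only it is asserted here` would document why list alone is tested. The assertion sequence otherwise exercises the three states a reviewer would want (visible, hidden without view permission, visible again with an entity-level grant). The preceding hunk of this file appears to have lost its content in this rendering, so the import the test relies on for `Bookshelf` cannot be confirmed from here.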