Allowed child entity permissions to override parent permissions

Updated elements of a page display and sidebar render to allow
child permissions to work even when parent entitites have permission
set. This allows a page with a 'view' permission to be viewable even
when the parent book or chapter is not viewable.

Fixes #366

app/Repos/EntityRepo.php

@@ -348,6 +348,10 @@ class EntityRepo
         foreach ($entities as $entity) {
             if ($entity->chapter_id === 0 || $entity->chapter_id === '0') continue;
             $parentKey = 'BookStack\\Chapter:' . $entity->chapter_id;
+            if (!isset($parents[$parentKey])) {
+                $tree[] = $entity;
+                continue;
+            }
             $chapter = $parents[$parentKey];
             $chapter->pages->push($entity);
         }

resources/views/chapters/_breadcrumbs.blade.php

@@ -1,5 +1,7 @@
 <div class="breadcrumbs">
+    @if (userCan('view', $book))
     <a href="{{ $chapter->book->getUrl() }}" class="text-book text-button"><i class="zmdi zmdi-book"></i>{{ $chapter->book->getShortName() }}</a>
     <span class="sep">&raquo;</span>
+    @endif
     <a href="{{ $chapter->getUrl() }}" class="text-chapter text-button"><i class="zmdi zmdi-collection-bookmark"></i>{{$chapter->getShortName()}}</a>
 </div>

resources/views/pages/_breadcrumbs.blade.php

@@ -1,12 +1,14 @@
 <div class="breadcrumbs">
-    <a href="{{ $page->book->getUrl() }}" class="text-book text-button"><i class="zmdi zmdi-book"></i>{{ $page->book->getShortName() }}</a>
-    @if($page->hasChapter())
+    @if (userCan('view', $page->book))
+        <a href="{{ $page->book->getUrl() }}" class="text-book text-button"><i class="zmdi zmdi-book"></i>{{ $page->book->getShortName() }}</a>
         <span class="sep">&raquo;</span>
+    @endif
+    @if($page->hasChapter() && userCan('view', $page->chapter))
         <a href="{{ $page->chapter->getUrl() }}" class="text-chapter text-button">
             <i class="zmdi zmdi-collection-bookmark"></i>
             {{ $page->chapter->getShortName() }}
         </a>
+        <span class="sep">&raquo;</span>
     @endif
-    <span class="sep">&raquo;</span>
     <a href="{{ $page->getUrl() }}" class="text-page text-button"><i class="zmdi zmdi-file"></i>{{ $page->getShortName() }}</a>
 </div>

resources/views/pages/sidebar-tree-list.blade.php

@@ -39,8 +39,10 @@
 
     <h6 class="text-muted">{{ trans('entities.books_navigation') }}</h6>
     <ul class="sidebar-page-list menu">
-        <li class="book-header"><a href="{{ $book->getUrl() }}" class="book {{ $current->matches($book)? 'selected' : '' }}"><i class="zmdi zmdi-book"></i>{{$book->name}}</a></li>
 
+        @if (userCan('view', $book))
+            <li class="book-header"><a href="{{ $book->getUrl() }}" class="book {{ $current->matches($book)? 'selected' : '' }}"><i class="zmdi zmdi-book"></i>{{$book->name}}</a></li>
+        @endif
 
         @foreach($sidebarTree as $bookChild)
             <li class="list-item-{{ $bookChild->getClassName() }} {{ $bookChild->getClassName() }} {{ $bookChild->isA('page') && $bookChild->draft ? 'draft' : '' }}">

tests/Permissions/RestrictionsTest.php

@@ -522,4 +522,21 @@ class RestrictionsTest extends BrowserKitTest
             ->see('Delete Chapter');
     }
 
+    public function test_page_visible_if_has_permissions_when_book_not_visible()
+    {
+        $book = \BookStack\Book::first();
+        $bookChapter = $book->chapters->first();
+        $bookPage = $bookChapter->pages->first();
+
+        $this->setEntityRestrictions($book, []);
+        $this->setEntityRestrictions($bookPage, ['view']);
+
+        $this->actingAs($this->viewer);
+        $this->get($bookPage->getUrl());
+        $this->assertResponseOk();
+        $this->see($bookPage->name);
+        $this->dontSee(substr($book->name, 0, 15));
+        $this->dontSee(substr($bookChapter->name, 0, 15));
+    }
+
 }