github-mirror/BookStack
github-mirror/BookStack
2
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-04-02 05:45:13 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Added check of owner field for manage-permissions-own

Browse Source 
This permission was still checking based on created-by.
Updated testing to specifically check the owner since the tests
were passing by the fact of matching creator and owner.

Fixes #2445
This commit is contained in:
Dan Brown 2021-01-04 18:07:39 +00:00
parent 20729a618f
commit bbfb330b92
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/Auth/Permissions/PermissionService.php
View File

@ -533,7 +533,8 @@ class PermissionService
$allPermission = $this->currentUser() && $this->currentUser()->can($permission . '-all');
$ownPermission = $this->currentUser() && $this->currentUser()->can($permission . '-own');
$this->currentAction = 'view';
$isOwner = $this->currentUser() && $this->currentUser()->id === $ownable->created_by;
$ownerField = ($ownable instanceof Entity) ? 'owned_by' : 'created_by';
$isOwner = $this->currentUser() && $this->currentUser()->id === $ownable->$ownerField;
return ($allPermission || ($isOwner && $ownPermission));
}

16
tests/Permissions/RolesTest.php
View File

@ -216,15 +216,23 @@ class RolesTest extends BrowserKitTest
{
$otherUsersPage = Page::first();
$content = $this->createEntityChainBelongingToUser($this->user);
// Set a different creator on the page we're checking to ensure
// that the owner fields are checked
$page = $content['page']; /** @var Page $page */
$page->created_by = $otherUsersPage->id;
$page->owned_by = $this->user->id;
$page->save();
// Check can't restrict other's content
$this->actingAs($this->user)->visit($otherUsersPage->getUrl())
->dontSee('Permissions')
->visit($otherUsersPage->getUrl() . '/permissions')
->seePageIs('/');
// Check can't restrict own content
$this->actingAs($this->user)->visit($content['page']->getUrl())
$this->actingAs($this->user)->visit($page->getUrl())
->dontSee('Permissions')
->visit($content['page']->getUrl() . '/permissions')
->visit($page->getUrl() . '/permissions')
->seePageIs('/');
$this->giveUserPermissions($this->user, ['restrictions-manage-own']);
@ -235,10 +243,10 @@ class RolesTest extends BrowserKitTest
->visit($otherUsersPage->getUrl() . '/permissions')
->seePageIs('/');
// Check can restrict own content
$this->actingAs($this->user)->visit($content['page']->getUrl())
$this->actingAs($this->user)->visit($page->getUrl())
->see('Permissions')
->click('Permissions')
->seePageIs($content['page']->getUrl() . '/permissions');
->seePageIs($page->getUrl() . '/permissions');
}
/**