Fixed issue where books titles could be leaked via shelf home view

- Also added a test to cover this case
Fixes #1425
Dan Brown 2019-05-07 22:42:12 +01:00
parent 7ef059e254
commit 97ffbaa740
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
2 changed files with 34 additions and 0 deletions


@ -67,6 +67,9 @@ class HomeController extends Controller
if ($homepageOption === 'bookshelves') {
$shelves = $this->entityRepo->getAllPaginated('bookshelf', 18, $commonData['sort'], $commonData['order']);
foreach ($shelves as $shelf) {
$shelf->books = $this->entityRepo->getBookshelfChildren($shelf);
}
$data = array_merge($commonData, ['shelves' => $shelves]);
return view('common.home-shelves', $data);
}
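Review bot: The `foreach` over `$shelves` overwrites `$shelf->books` in this one controller branch with no comment saying why, so a later refactor, or another view that renders a shelf's `books` relation directly, could bring the title leak back unnoticed. A comment above the loop such as `// Swap in permission-filtered books; the raw relation would expose titles the user cannot view` would record the intent. Assuming the shelves are Eloquent models, `$shelf->setRelation('books', $this->entityRepo->getBookshelfChildren($shelf));` would also avoid storing the collection as a plain model attribute. That `getBookshelfChildren()` applies the visibility filter is inferred from the commit message and the accompanying test, since its body is not shown here. The enclosing method starts and ends outside the hunk.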


@ -1,5 +1,7 @@
<?php namespace Tests;
use BookStack\Entities\Bookshelf;
class HomepageTest extends TestCase
{
@ -89,4 +91,33 @@ class HomepageTest extends TestCase
$this->setSettings(['app-homepage-type' => false]);
$this->test_default_homepage_visible();
}
public function test_shelves_list_homepage_adheres_to_book_visibility_permissions()
{
$editor = $this->getEditor();
setting()->putUser($editor, 'bookshelves_view_type', 'list');
$this->setSettings(['app-homepage-type' => 'bookshelves']);
$this->asEditor();
$shelf = Bookshelf::query()->first();
$book = $shelf->books()->first();
// Ensure initially visible
$homeVisit = $this->get('/');
$homeVisit->assertElementContains('.content-wrap', $shelf->name);
$homeVisit->assertElementContains('.content-wrap', $book->name);
// Ensure book no longer visible without view permission
$editor->roles()->detach();
$this->giveUserPermissions($editor, ['bookshelf-view-all']);
$homeVisit = $this->get('/');
$homeVisit->assertElementContains('.content-wrap', $shelf->name);
$homeVisit->assertElementNotContains('.content-wrap', $book->name);
// Ensure is visible again with entity-level view permission
$this->setEntityRestrictions($book, ['view'], [$editor->roles()->first()]);
$homeVisit = $this->get('/');
$homeVisit->assertElementContains('.content-wrap', $shelf->name);
$homeVisit->assertElementContains('.content-wrap', $book->name);
}
}
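Review bot: The only negative assertion in `test_shelves_list_homepage_adheres_to_book_visibility_permissions` covers a user who lacks the role-level book view permission; a book hidden from the user by an entity-level restriction, which the last step shows also governs visibility, is never checked for absence. A further step that restricts `$book` via `setEntityRestrictions()` to a role the editor does not hold and then asserts `$homeVisit->assertElementNotContains('.content-wrap', $book->name);` would close that gap. The call `$editor->roles()->first()` also depends on `giveUserPermissions()` having attached a role after `detach()`, which is not visible here; a comment such as `// giveUserPermissions() attaches a fresh role, fetched below` would make that explicit. Only the `list` view type is set, so other shelf view types on the homepage stay uncovered.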