Added destination permission checking to entity move

This commit is contained in:
Dan Brown 2018-04-14 18:47:13 +01:00
parent 0f7b0ad45a
commit cdb1c7ef88
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
9 changed files with 193 additions and 211 deletions

View file

@ -585,6 +585,8 @@ class PageController extends Controller
return redirect()->back();
}
$this->checkOwnablePermission('page-create', $parent);
$this->entityRepo->changePageParent($page, $parent);
Activity::add($page, 'page_move', $page->book->id);
session()->flash('success', trans('entities.pages_move_success', ['parentName' => $parent->name]));

View file

@ -17,7 +17,7 @@
{!! csrf_field() !!}
<input type="hidden" name="_method" value="PUT">
@include('components.entity-selector', ['name' => 'entity_selection', 'selectorSize' => 'large', 'entityTypes' => 'book'])
@include('components.entity-selector', ['name' => 'entity_selection', 'selectorSize' => 'large', 'entityTypes' => 'book', 'entityPermission' => 'chapter-create'])
<div class="form-group text-right">
<a href="{{ $chapter->getUrl() }}" class="button outline">{{ trans('common.cancel') }}</a>

View file

@ -17,7 +17,7 @@
{!! csrf_field() !!}
<input type="hidden" name="_method" value="PUT">
@include('components.entity-selector', ['name' => 'entity_selection', 'selectorSize' => 'large', 'entityTypes' => 'book,chapter'])
@include('components.entity-selector', ['name' => 'entity_selection', 'selectorSize' => 'large', 'entityTypes' => 'book,chapter', 'entityPermission' => 'page-create'])
<div class="form-group text-right">
<a href="{{ $page->getUrl() }}" class="button outline">{{ trans('common.cancel') }}</a>

View file

@ -12,10 +12,7 @@ abstract class BrowserKitTest extends TestCase
{
use DatabaseTransactions;
// Local user instances
private $admin;
private $editor;
use SharedTestHelpers;
/**
* The base URL to use while testing the application.
@ -43,38 +40,6 @@ abstract class BrowserKitTest extends TestCase
return $app;
}
/**
* Set the current user context to be an admin.
* @return $this
*/
public function asAdmin()
{
return $this->actingAs($this->getAdmin());
}
/**
* Get the current admin user.
* @return mixed
*/
public function getAdmin() {
if($this->admin === null) {
$adminRole = Role::getSystemRole('admin');
$this->admin = $adminRole->users->first();
}
return $this->admin;
}
/**
* Set the current editor context to be an editor.
* @return $this
*/
public function asEditor()
{
if ($this->editor === null) {
$this->editor = $this->getEditor();
}
return $this->actingAs($this->editor);
}
/**
* Get a user that's not a system user such as the guest user.
@ -127,28 +92,6 @@ abstract class BrowserKitTest extends TestCase
$restrictionService->buildJointPermissionsForEntity($entity);
}
/**
* Get an instance of a user with 'editor' permissions
* @param array $attributes
* @return mixed
*/
protected function getEditor($attributes = [])
{
$user = \BookStack\Role::getRole('editor')->users()->first();
if (!empty($attributes)) $user->forceFill($attributes)->save();
return $user;
}
/**
* Get an instance of a user with 'viewer' permissions
* @return mixed
*/
protected function getViewer()
{
$user = \BookStack\Role::getRole('viewer')->users()->first();
if (!empty($attributes)) $user->forceFill($attributes)->save();
return $user;
}
/**
* Quick way to create a new user without any permissions

View file

@ -34,10 +34,10 @@ class SortTest extends TestCase
$currentBook = $page->book;
$newBook = Book::where('id', '!=', $currentBook->id)->first();
$resp = $this->asAdmin()->get($page->getUrl() . '/move');
$resp = $this->asEditor()->get($page->getUrl('/move'));
$resp->assertSee('Move Page');
$movePageResp = $this->put($page->getUrl() . '/move', [
$movePageResp = $this->put($page->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id
]);
$page = Page::find($page->id);
@ -50,6 +50,31 @@ class SortTest extends TestCase
$newBookResp->assertSee($page->name);
}
public function test_page_move_requires_create_permissions_on_parent()
{
$page = Page::first();
$currentBook = $page->book;
$newBook = Book::where('id', '!=', $currentBook->id)->first();
$editor = $this->getEditor();
$this->setEntityRestrictions($newBook, ['view', 'edit', 'delete'], $editor->roles);
$movePageResp = $this->actingAs($editor)->put($page->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id
]);
$this->assertPermissionError($movePageResp);
$this->setEntityRestrictions($newBook, ['view', 'edit', 'delete', 'create'], $editor->roles);
$movePageResp = $this->put($page->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id
]);
$page = Page::find($page->id);
$movePageResp->assertRedirect($page->getUrl());
$this->assertTrue($page->book->id == $newBook->id, 'Page book is now the new book');
}
public function test_chapter_move()
{
$chapter = Chapter::first();
@ -57,10 +82,10 @@ class SortTest extends TestCase
$pageToCheck = $chapter->pages->first();
$newBook = Book::where('id', '!=', $currentBook->id)->first();
$chapterMoveResp = $this->asAdmin()->get($chapter->getUrl() . '/move');
$chapterMoveResp = $this->asEditor()->get($chapter->getUrl('/move'));
$chapterMoveResp->assertSee('Move Chapter');
$moveChapterResp = $this->put($chapter->getUrl() . '/move', [
$moveChapterResp = $this->put($chapter->getUrl('/move'), [
'entity_selection' => 'book:' . $newBook->id
]);
@ -105,7 +130,7 @@ class SortTest extends TestCase
];
}
$sortResp = $this->asAdmin()->put($newBook->getUrl() . '/sort', ['sort-tree' => json_encode($reqData)]);
$sortResp = $this->asEditor()->put($newBook->getUrl() . '/sort', ['sort-tree' => json_encode($reqData)]);
$sortResp->assertRedirect($newBook->getUrl());
$sortResp->assertStatus(302);
$this->assertDatabaseHas('chapters', [

View file

@ -1,7 +1,7 @@
<?php namespace Tests;
use BookStack\Book;
use BookStack\Services\PermissionService;
use BookStack\Entity;
use BookStack\User;
use BookStack\Repos\EntityRepo;
@ -18,49 +18,20 @@ class RestrictionsTest extends BrowserKitTest
*/
protected $viewer;
/**
* @var PermissionService
*/
protected $permissionService;
public function setUp()
{
parent::setUp();
$this->user = $this->getEditor();
$this->viewer = $this->getViewer();
$this->permissionService = $this->app[PermissionService::class];
}
/**
* Manually set some permissions on an entity.
* @param \BookStack\Entity $entity
* @param $actions
*/
protected function setEntityRestrictions(\BookStack\Entity $entity, $actions)
protected function setEntityRestrictions(Entity $entity, $actions = [], $roles = [])
{
$entity->restricted = true;
$entity->permissions()->delete();
$role = $this->user->roles->first();
$viewerRole = $this->viewer->roles->first();
$permissions = [];
foreach ($actions as $action) {
$permissions[] = [
'role_id' => $role->id,
'action' => strtolower($action)
];
$permissions[] = [
'role_id' => $viewerRole->id,
'action' => strtolower($action)
];
}
$entity->permissions()->createMany($permissions);
$entity->save();
$entity->load('permissions');
$this->permissionService->buildJointPermissionsForEntity($entity);
$entity->load('jointPermissions');
$roles = [
$this->user->roles->first(),
$this->viewer->roles->first(),
];
parent::setEntityRestrictions($entity, $actions, $roles);
}
public function test_book_view_restriction()

View file

@ -16,14 +16,6 @@ class RolesTest extends BrowserKitTest
$this->user = $this->getViewer();
}
protected function getViewer()
{
$role = \BookStack\Role::getRole('viewer');
$viewer = $this->getNewBlankUser();
$viewer->attachRole($role);;
return $viewer;
}
/**
* Give the given user some permissions.
* @param \BookStack\User $user

143
tests/SharedTestHelpers.php Normal file
View file

@ -0,0 +1,143 @@
<?php namespace Tests;
use BookStack\Book;
use BookStack\Chapter;
use BookStack\Entity;
use BookStack\Repos\EntityRepo;
use BookStack\Role;
use BookStack\Services\PermissionService;
use BookStack\Services\SettingService;
trait SharedTestHelpers
{
protected $admin;
protected $editor;
/**
* Set the current user context to be an admin.
* @return $this
*/
public function asAdmin()
{
return $this->actingAs($this->getAdmin());
}
/**
* Get the current admin user.
* @return mixed
*/
public function getAdmin() {
if($this->admin === null) {
$adminRole = Role::getSystemRole('admin');
$this->admin = $adminRole->users->first();
}
return $this->admin;
}
/**
* Set the current user context to be an editor.
* @return $this
*/
public function asEditor()
{
return $this->actingAs($this->getEditor());
}
/**
* Get a editor user.
* @return mixed
*/
protected function getEditor() {
if($this->editor === null) {
$editorRole = Role::getRole('editor');
$this->editor = $editorRole->users->first();
}
return $this->editor;
}
/**
* Get an instance of a user with 'viewer' permissions
* @param $attributes
* @return mixed
*/
protected function getViewer($attributes = [])
{
$user = \BookStack\Role::getRole('viewer')->users()->first();
if (!empty($attributes)) $user->forceFill($attributes)->save();
return $user;
}
/**
* Create and return a new book.
* @param array $input
* @return Book
*/
public function newBook($input = ['name' => 'test book', 'description' => 'My new test book']) {
return $this->app[EntityRepo::class]->createFromInput('book', $input, false);
}
/**
* Create and return a new test chapter
* @param array $input
* @param Book $book
* @return Chapter
*/
public function newChapter($input = ['name' => 'test chapter', 'description' => 'My new test chapter'], Book $book) {
return $this->app[EntityRepo::class]->createFromInput('chapter', $input, $book);
}
/**
* Create and return a new test page
* @param array $input
* @return Chapter
*/
public function newPage($input = ['name' => 'test page', 'html' => 'My new test page']) {
$book = Book::first();
$entityRepo = $this->app[EntityRepo::class];
$draftPage = $entityRepo->getDraftPage($book);
return $entityRepo->publishPageDraft($draftPage, $input);
}
/**
* Quickly sets an array of settings.
* @param $settingsArray
*/
protected function setSettings($settingsArray)
{
$settings = app(SettingService::class);
foreach ($settingsArray as $key => $value) {
$settings->put($key, $value);
}
}
/**
* Manually set some permissions on an entity.
* @param Entity $entity
* @param array $actions
* @param array $roles
*/
protected function setEntityRestrictions(Entity $entity, $actions = [], $roles = [])
{
$entity->restricted = true;
$entity->permissions()->delete();
$permissions = [];
foreach ($actions as $action) {
foreach ($roles as $role) {
$permissions[] = [
'role_id' => $role->id,
'action' => strtolower($action)
];
}
}
$entity->permissions()->createMany($permissions);
$entity->save();
$entity->load('permissions');
$this->app[PermissionService::class]->buildJointPermissionsForEntity($entity);
$entity->load('jointPermissions');
}
}

View file

@ -1,21 +1,14 @@
<?php namespace Tests;
use BookStack\Book;
use BookStack\Chapter;
use BookStack\Repos\EntityRepo;
use BookStack\Role;
use BookStack\Services\SettingService;
use Illuminate\Foundation\Testing\DatabaseTransactions;
use Illuminate\Foundation\Testing\TestCase as BaseTestCase;
use Illuminate\Foundation\Testing\TestResponse;
abstract class TestCase extends BaseTestCase
{
use CreatesApplication;
use DatabaseTransactions;
protected $admin;
protected $editor;
use SharedTestHelpers;
/**
* The base URL to use while testing the application.
* @var string
@ -23,100 +16,13 @@ abstract class TestCase extends BaseTestCase
protected $baseUrl = 'http://localhost';
/**
* Set the current user context to be an admin.
* @return $this
* Assert a permission error has occurred.
* @param TestResponse $response
*/
public function asAdmin()
protected function assertPermissionError(TestResponse $response)
{
return $this->actingAs($this->getAdmin());
}
/**
* Get the current admin user.
* @return mixed
*/
public function getAdmin() {
if($this->admin === null) {
$adminRole = Role::getSystemRole('admin');
$this->admin = $adminRole->users->first();
}
return $this->admin;
}
/**
* Set the current user context to be an editor.
* @return $this
*/
public function asEditor()
{
return $this->actingAs($this->getEditor());
}
/**
* Get a editor user.
* @return mixed
*/
public function getEditor() {
if($this->editor === null) {
$editorRole = Role::getRole('editor');
$this->editor = $editorRole->users->first();
}
return $this->editor;
}
/**
* Get an instance of a user with 'viewer' permissions
* @param $attributes
* @return mixed
*/
protected function getViewer($attributes = [])
{
$user = \BookStack\Role::getRole('viewer')->users()->first();
if (!empty($attributes)) $user->forceFill($attributes)->save();
return $user;
}
/**
* Create and return a new book.
* @param array $input
* @return Book
*/
public function newBook($input = ['name' => 'test book', 'description' => 'My new test book']) {
return $this->app[EntityRepo::class]->createFromInput('book', $input, false);
}
/**
* Create and return a new test chapter
* @param array $input
* @param Book $book
* @return Chapter
*/
public function newChapter($input = ['name' => 'test chapter', 'description' => 'My new test chapter'], Book $book) {
return $this->app[EntityRepo::class]->createFromInput('chapter', $input, $book);
}
/**
* Create and return a new test page
* @param array $input
* @return Chapter
*/
public function newPage($input = ['name' => 'test page', 'html' => 'My new test page']) {
$book = Book::first();
$entityRepo = $this->app[EntityRepo::class];
$draftPage = $entityRepo->getDraftPage($book);
return $entityRepo->publishPageDraft($draftPage, $input);
}
/**
* Quickly sets an array of settings.
* @param $settingsArray
*/
protected function setSettings($settingsArray)
{
$settings = app(SettingService::class);
foreach ($settingsArray as $key => $value) {
$settings->put($key, $value);
}
$response->assertRedirect('/');
$this->assertTrue(session()->has('error'));
session()->remove('error');
}
}