From 1df9ec96477740360fc6542beed902cc2571c6de Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Fri, 7 Oct 2022 13:12:33 +0100
Subject: [PATCH] Added proper entity permission removal on role deletion Added test to cover.
---
 app/Auth/Permissions/PermissionsRepo.php | 1 +
 app/Auth/Role.php | 9 +++++++++
 tests/Permissions/RolesTest.php | 23 +++++++++++++++++++++++
 3 files changed, 33 insertions(+)
diff --git a/app/Auth/Permissions/PermissionsRepo.php b/app/Auth/Permissions/PermissionsRepo.php
index 2c2bedb72..6dcef7256 100644
--- a/app/Auth/Permissions/PermissionsRepo.php
+++ b/app/Auth/Permissions/PermissionsRepo.php
@@ -139,6 +139,7 @@ class PermissionsRepo
 }
 }
+ $role->entityPermissions()->delete();
 $role->jointPermissions()->delete();
 Activity::add(ActivityType::ROLE_DELETE, $role);
 $role->delete();
diff --git a/app/Auth/Role.php b/app/Auth/Role.php
index 3ae469b59..d5ce5cab7 100644
--- a/app/Auth/Role.php
+++ b/app/Auth/Role.php
@@ -2,6 +2,7 @@
 namespace BookStack\Auth;
+use BookStack\Auth\Permissions\EntityPermission;
 use BookStack\Auth\Permissions\JointPermission;
 use BookStack\Auth\Permissions\RolePermission;
 use BookStack\Interfaces\Loggable;
@@ -54,6 +55,14 @@ class Role extends Model implements Loggable
 return $this->belongsToMany(RolePermission::class, 'permission_role', 'role_id', 'permission_id');
 }
+ /**
+ * Get the entity permissions assigned to this role.
+ */
+ public function entityPermissions(): HasMany
+ {
+ return $this->hasMany(EntityPermission::class);
+ }
+
 /**
 * Check if this role has a permission.
 */
diff --git a/tests/Permissions/RolesTest.php b/tests/Permissions/RolesTest.php
index 7512c6d2f..6c2f4c0df 100644
--- a/tests/Permissions/RolesTest.php
+++ b/tests/Permissions/RolesTest.php
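Review bot: Entity permission rows left behind by roles deleted before this change are not cleaned up: the added `$role->entityPermissions()->delete();` in `PermissionsRepo` only covers deletions from now on, and the three files in this patch include no migration. If a role id were ever reissued (this depends on the database engine and is not visible here), a new role could pick up those stale grants, so a one-off migration that deletes `entity_permissions` rows whose `role_id` has no matching role would close the gap. The two relation deletes and `$role->delete()` also run as separate statements; wrapping them in a single transaction would avoid a half-removed role if one of them fails. The enclosing method starts outside the hunk, so an existing transaction there cannot be ruled out.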
@@ -163,6 +163,29 @@ class RolesTest extends TestCase
 $this->assertEquals($this->user->id, $roleA->users()->first()->id);
 }
+ public function test_entity_permissions_are_removed_on_delete()
+ {
+ /** @var Role $roleA */
+ $roleA = Role::query()->create(['display_name' => 'Entity Permissions Delete Test']);
+ $page = $this->entities->page();
+
+ $this->entities->setPermissions($page, ['view'], [$roleA]);
+
+ $this->assertDatabaseHas('entity_permissions', [
+ 'role_id' => $roleA->id,
+ 'restrictable_id' => $page->id,
+ 'restrictable_type' => $page->getMorphClass(),
+ ]);
+
+ $this->asAdmin()->delete("/settings/roles/delete/$roleA->id");
+
+ $this->assertDatabaseMissing('entity_permissions', [
+ 'role_id' => $roleA->id,
+ 'restrictable_id' => $page->id,
+ 'restrictable_type' => $page->getMorphClass(),
+ ]);
+ }
+
 public function test_image_view_notice_shown_on_role_form()
 {
 /** @var Role $role */
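Review bot: The final `assertDatabaseMissing` in `test_entity_permissions_are_removed_on_delete` repeats the page-specific columns, so it only proves that this one row is gone. Matching on the role alone, `$this->assertDatabaseMissing('entity_permissions', ['role_id' => $roleA->id]);`, would state the actual guarantee, that no entity permission of any kind survives the role, and would keep holding if the test later sets permissions on more than one entity. Asserting the outcome of the delete request before the database check would also make a failed request easier to diagnose.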