colin
/
bookstack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updated API auth to allow public user if given permission

This commit is contained in:
Dan Brown 2020-05-22 22:34:18 +01:00
parent 9666c8c0f7
commit 24bad5034a
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/Http/Middleware/ApiAuthenticate.php
View File

@ -35,9 +35,9 @@ class ApiAuthenticate
{ {
// Return if the user is already found to be signed in via session-based auth. // Return if the user is already found to be signed in via session-based auth.
// This is to make it easy to browser the API via browser after just logging into the system. // This is to make it easy to browser the API via browser after just logging into the system.
if (signedInUser()) { if (signedInUser() || session()->isStarted()) {
$this->ensureEmailConfirmedIfRequested(); $this->ensureEmailConfirmedIfRequested();
if (!auth()->user()->can('access-api')) { if (!user()->can('access-api')) {
throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403); throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
} }
return; return;

16
tests/Api/ApiDocsTest.php
View File

@ -1,5 +1,6 @@
<?php namespace Tests\Api; <?php namespace Tests\Api;
use BookStack\Auth\User;
use Tests\TestCase; use Tests\TestCase;
class ApiDocsTest extends TestCase class ApiDocsTest extends TestCase
@ -39,4 +40,19 @@ class ApiDocsTest extends TestCase
] ] ] ]
]); ]);
} }
public function test_docs_page_visible_by_public_user_if_given_permission()
{
$this->setSettings(['app-public' => true]);
$guest = User::getDefault();
$this->startSession();
$resp = $this->get('/api/docs');
$resp->assertStatus(403);
$this->giveUserPermissions($guest, ['access-api']);
$resp = $this->get('/api/docs');
$resp->assertStatus(200);
}
} }