colin
/
bookstack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added check of owner field for manage-permissions-own 

This permission was still checking based on created-by.
Updated testing to specifically check the owner since the tests
were passing by the fact of matching creator and owner.

Fixes #2445
This commit is contained in:
Dan Brown 2021-01-04 18:07:39 +00:00
parent 20729a618f
commit bbfb330b92
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/Auth/Permissions/PermissionService.php
View File

@ -533,7 +533,8 @@ class PermissionService
$allPermission = $this->currentUser() && $this->currentUser()->can($permission . '-all'); $allPermission = $this->currentUser() && $this->currentUser()->can($permission . '-all');
$ownPermission = $this->currentUser() && $this->currentUser()->can($permission . '-own'); $ownPermission = $this->currentUser() && $this->currentUser()->can($permission . '-own');
$this->currentAction = 'view'; $this->currentAction = 'view';
$isOwner = $this->currentUser() && $this->currentUser()->id === $ownable->created_by; $ownerField = ($ownable instanceof Entity) ? 'owned_by' : 'created_by';
$isOwner = $this->currentUser() && $this->currentUser()->id === $ownable->$ownerField;
return ($allPermission || ($isOwner && $ownPermission)); return ($allPermission || ($isOwner && $ownPermission));
} }

16
tests/Permissions/RolesTest.php
View File

@ -216,15 +216,23 @@ class RolesTest extends BrowserKitTest
{ {
$otherUsersPage = Page::first(); $otherUsersPage = Page::first();
$content = $this->createEntityChainBelongingToUser($this->user); $content = $this->createEntityChainBelongingToUser($this->user);
// Set a different creator on the page we're checking to ensure
// that the owner fields are checked
$page = $content['page']; /** @var Page $page */
$page->created_by = $otherUsersPage->id;
$page->owned_by = $this->user->id;
$page->save();
// Check can't restrict other's content // Check can't restrict other's content
$this->actingAs($this->user)->visit($otherUsersPage->getUrl()) $this->actingAs($this->user)->visit($otherUsersPage->getUrl())
->dontSee('Permissions') ->dontSee('Permissions')
->visit($otherUsersPage->getUrl() . '/permissions') ->visit($otherUsersPage->getUrl() . '/permissions')
->seePageIs('/'); ->seePageIs('/');
// Check can't restrict own content // Check can't restrict own content
$this->actingAs($this->user)->visit($content['page']->getUrl()) $this->actingAs($this->user)->visit($page->getUrl())
->dontSee('Permissions') ->dontSee('Permissions')
->visit($content['page']->getUrl() . '/permissions') ->visit($page->getUrl() . '/permissions')
->seePageIs('/'); ->seePageIs('/');
$this->giveUserPermissions($this->user, ['restrictions-manage-own']); $this->giveUserPermissions($this->user, ['restrictions-manage-own']);
@ -235,10 +243,10 @@ class RolesTest extends BrowserKitTest
->visit($otherUsersPage->getUrl() . '/permissions') ->visit($otherUsersPage->getUrl() . '/permissions')
->seePageIs('/'); ->seePageIs('/');
// Check can restrict own content // Check can restrict own content
$this->actingAs($this->user)->visit($content['page']->getUrl()) $this->actingAs($this->user)->visit($page->getUrl())
->see('Permissions') ->see('Permissions')
->click('Permissions') ->click('Permissions')
->seePageIs($content['page']->getUrl() . '/permissions'); ->seePageIs($page->getUrl() . '/permissions');
} }
/** /**