| <?php
| 
| namespace Tests\Permissions;
| 
| use BookStack\Auth\User;
| use BookStack\Entities\Models\Book;
| use BookStack\Entities\Models\Bookshelf;
| use BookStack\Entities\Models\Chapter;
| use BookStack\Entities\Models\Entity;
| use BookStack\Entities\Models\Page;
| use Illuminate\Support\Str;
| use Tests\TestCase;
| 
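/**
 * Entity-level permission enforcement for shelves, books, chapters and pages.
 *
 * Each "restriction" test grants the test editor ($this->user) and test viewer
 * ($this->viewer) roles a specific set of actions on a single entity via
 * setRestrictionsForTestRoles(), then checks over HTTP that the action is refused
 * when the permission is absent and allowed once it is granted. The "_override"
 * variants act as the viewer, who the tests first confirm cannot edit or delete,
 * so they show entity permissions granting access beyond the role defaults.
 * The sort tests check that content cannot be moved between books when the
 * acting user lacks update permission on the other book.
 */
class EntityPermissionsTest extends TestCase
{
    /**
     * Editor-role user used by most restriction tests.
     *
     * @var User
     */
    protected $user;

    /**
     * Viewer-role user used by the "_override" tests and for negative checks.
     *
     * @var User
     */
    protected $viewer;

    public function setUp(): void
    {
        parent::setUp();
        $this->user = $this->getEditor();
        $this->viewer = $this->getViewer();
    }

    /**
     * Restrict $entity so that only the first role of the test editor and the
     * test viewer are granted $actions on it.
     *
     * An empty $actions list leaves both roles with no access at all, which the
     * view tests rely on to produce "not found" responses.
     *
     * @param list<string> $actions Action names such as 'view', 'create', 'update', 'delete'.
     */
    protected function setRestrictionsForTestRoles(Entity $entity, array $actions = []): void
    {
        $roles = [
            $this->user->roles->first(),
            $this->viewer->roles->first(),
        ];
        $this->setEntityRestrictions($entity, $actions, $roles);
    }

    /**
     * A shelf with no granted actions is reported as not found; granting 'view'
     * restores access to it.
     */
    public function test_bookshelf_view_restriction(): void
    {
        /** @var Bookshelf $shelf */
        $shelf = Bookshelf::query()->first();

        $this->actingAs($this->user)
            ->get($shelf->getUrl())
            ->assertStatus(200);

        $this->setRestrictionsForTestRoles($shelf, []);

        $this->followingRedirects()->get($shelf->getUrl())
            ->assertSee('Bookshelf not found');

        $this->setRestrictionsForTestRoles($shelf, ['view']);

        $this->get($shelf->getUrl())
            ->assertSee($shelf->name);
    }

    /**
     * The shelf edit page is refused without 'update' (even with 'delete'
     * granted) and reachable once 'update' is granted.
     */
    public function test_bookshelf_update_restriction(): void
    {
        /** @var Bookshelf $shelf */
        $shelf = Bookshelf::query()->first();

        $this->actingAs($this->user)
            ->get($shelf->getUrl('/edit'))
            ->assertSee('Edit Book');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'delete']);

        $resp = $this->get($shelf->getUrl('/edit'))
            ->assertRedirect('/');
        $this->followRedirects($resp)->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'update']);

        $this->get($shelf->getUrl('/edit'))
            ->assertOk();
    }

    /**
     * The shelf delete page is refused without 'delete' (even with 'update'
     * granted) and reachable once 'delete' is granted.
     */
    public function test_bookshelf_delete_restriction(): void
    {
        /** @var Bookshelf $shelf */
        $shelf = Bookshelf::query()->first();

        $this->actingAs($this->user)
            ->get($shelf->getUrl('/delete'))
            ->assertSee('Delete Book');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'update']);

        $this->get($shelf->getUrl('/delete'))->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'delete']);

        $this->get($shelf->getUrl('/delete'))
            ->assertOk()
            ->assertSee('Delete Book');
    }

    /**
     * Removing view access on a book also hides its first page and chapter;
     * granting 'view' on the book restores all three.
     */
    public function test_book_view_restriction(): void
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->user)
            ->get($bookUrl)
            ->assertOk();

        $this->setRestrictionsForTestRoles($book, []);

        $this->followingRedirects()->get($bookUrl)
            ->assertSee('Book not found');
        $this->followingRedirects()->get($bookPage->getUrl())
            ->assertSee('Page not found');
        $this->followingRedirects()->get($bookChapter->getUrl())
            ->assertSee('Chapter not found');

        $this->setRestrictionsForTestRoles($book, ['view']);

        $this->get($bookUrl)
            ->assertSee($book->name);
        $this->get($bookPage->getUrl())
            ->assertSee($bookPage->name);
        $this->get($bookChapter->getUrl())
            ->assertSee($bookChapter->name);
    }

    /**
     * Creating chapters and pages inside a book requires 'create' on the book:
     * 'view', 'delete' and 'update' together are not enough, and the "New"
     * actions disappear from the book page accordingly.
     */
    public function test_book_create_restriction(): void
    {
        /** @var Book $book */
        $book = Book::query()->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)
            ->get($bookUrl)
            ->assertElementNotContains('.actions', 'New Page')
            ->assertElementNotContains('.actions', 'New Chapter');
        $this->actingAs($this->user)
            ->get($bookUrl)
            ->assertElementContains('.actions', 'New Page')
            ->assertElementContains('.actions', 'New Chapter');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete', 'update']);

        $this->get($bookUrl . '/create-chapter')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->get($bookUrl . '/create-page')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->get($bookUrl)
            ->assertElementNotContains('.actions', 'New Page')
            ->assertElementNotContains('.actions', 'New Chapter');

        $this->setRestrictionsForTestRoles($book, ['view', 'create']);

        $resp = $this->post($book->getUrl('/create-chapter'), [
            'name' => 'test chapter',
            'description' => 'desc',
        ]);
        $resp->assertRedirect($book->getUrl('/chapter/test-chapter'));

        // Page creation goes through a draft: the GET creates it, the POST publishes it.
        $this->get($book->getUrl('/create-page'));
        /** @var Page $page */
        $page = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first();
        $resp = $this->post($page->getUrl(), [
            'name' => 'test page',
            'html' => 'test content',
        ]);
        $resp->assertRedirect($book->getUrl('/page/test-page'));

        $this->get($bookUrl)
            ->assertElementContains('.actions', 'New Page')
            ->assertElementContains('.actions', 'New Chapter');
    }

    /**
     * Without 'update' on the book, the edit pages of the book, its first page
     * and its first chapter are all refused; granting 'update' opens all three.
     */
    public function test_book_update_restriction(): void
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->user)
            ->get($bookUrl . '/edit')
            ->assertSee('Edit Book');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete']);

        $this->get($bookUrl . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookPage->getUrl() . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookChapter->getUrl() . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($book, ['view', 'update']);

        $this->get($bookUrl . '/edit')->assertOk();
        $this->get($bookPage->getUrl() . '/edit')->assertOk();
        $this->get($bookChapter->getUrl() . '/edit')->assertSee('Edit Chapter');
    }

    /**
     * Without 'delete' on the book, the delete pages of the book, its first page
     * and its first chapter are all refused; granting 'delete' opens all three.
     */
    public function test_book_delete_restriction(): void
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->user)->get($bookUrl . '/delete')
            ->assertSee('Delete Book');

        $this->setRestrictionsForTestRoles($book, ['view', 'update']);

        $this->get($bookUrl . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookPage->getUrl() . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookChapter->getUrl() . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete']);

        $this->get($bookUrl . '/delete')->assertOk()->assertSee('Delete Book');
        $this->get($bookPage->getUrl('/delete'))->assertOk()->assertSee('Delete Page');
        $this->get($bookChapter->getUrl('/delete'))->assertSee('Delete Chapter');
    }

    /**
     * Removing view access on a chapter also hides its first page; granting
     * 'view' on the chapter restores both.
     */
    public function test_chapter_view_restriction(): void
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $chapterPage = $chapter->pages->first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)->get($chapterUrl)->assertOk();

        $this->setRestrictionsForTestRoles($chapter, []);

        $this->followingRedirects()->get($chapterUrl)->assertSee('Chapter not found');
        $this->followingRedirects()->get($chapterPage->getUrl())->assertSee('Page not found');

        $this->setRestrictionsForTestRoles($chapter, ['view']);

        $this->get($chapterUrl)->assertSee($chapter->name);
        $this->get($chapterPage->getUrl())->assertSee($chapterPage->name);
    }

    /**
     * Creating a page inside a chapter requires 'create' on the chapter; the
     * "New Page" action is hidden while it is missing.
     */
    public function test_chapter_create_restriction(): void
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)
            ->get($chapterUrl)
            ->assertElementContains('.actions', 'New Page');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'delete', 'update']);

        $this->get($chapterUrl . '/create-page')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($chapterUrl)->assertElementNotContains('.actions', 'New Page');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'create']);

        // Page creation goes through a draft: the GET creates it, the POST publishes it.
        $this->get($chapter->getUrl('/create-page'));
        /** @var Page $page */
        $page = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first();
        $resp = $this->post($page->getUrl(), [
            'name' => 'test page',
            'html' => 'test content',
        ]);
        $resp->assertRedirect($chapter->book->getUrl('/page/test-page'));

        $this->get($chapterUrl)->assertElementContains('.actions', 'New Page');
    }

    /**
     * Without 'update' on the chapter, the edit pages of the chapter and its
     * first page are refused; granting 'update' opens both.
     */
    public function test_chapter_update_restriction(): void
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $chapterPage = $chapter->pages->first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)->get($chapterUrl . '/edit')
            ->assertSee('Edit Chapter');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'delete']);

        $this->get($chapterUrl . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($chapterPage->getUrl() . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'update']);

        $this->get($chapterUrl . '/edit')->assertOk()->assertSee('Edit Chapter');
        $this->get($chapterPage->getUrl() . '/edit')->assertOk();
    }

    /**
     * Without 'delete' on the chapter, the delete pages of the chapter and its
     * first page are refused; granting 'delete' opens both.
     */
    public function test_chapter_delete_restriction(): void
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $chapterPage = $chapter->pages->first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)
            ->get($chapterUrl . '/delete')
            ->assertSee('Delete Chapter');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'update']);

        $this->get($chapterUrl . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($chapterPage->getUrl() . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'delete']);

        $this->get($chapterUrl . '/delete')->assertOk()->assertSee('Delete Chapter');
        $this->get($chapterPage->getUrl() . '/delete')->assertOk()->assertSee('Delete Page');
    }

    /**
     * A page granted only 'update' and 'delete' (no 'view') is reported as not
     * found; granting 'view' restores it.
     */
    public function test_page_view_restriction(): void
    {
        /** @var Page $page */
        $page = Page::query()->first();

        $pageUrl = $page->getUrl();
        $this->actingAs($this->user)->get($pageUrl)->assertOk();

        $this->setRestrictionsForTestRoles($page, ['update', 'delete']);

        $this->get($pageUrl)->assertSee('Page not found');

        $this->setRestrictionsForTestRoles($page, ['view']);

        $this->get($pageUrl)->assertSee($page->name);
    }

    /**
     * The page edit form is refused without 'update' on the page and shown,
     * pre-filled with the page name, once 'update' is granted.
     */
    public function test_page_update_restriction(): void
    {
        /** @var Page $page */
        $page = Page::query()->first();

        $pageUrl = $page->getUrl();
        $this->actingAs($this->user)
            ->get($pageUrl . '/edit')
            ->assertElementExists('input[name="name"][value="' . $page->name . '"]');

        $this->setRestrictionsForTestRoles($page, ['view', 'delete']);

        $this->get($pageUrl . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($page, ['view', 'update']);

        $this->get($pageUrl . '/edit')
            ->assertOk()
            ->assertElementExists('input[name="name"][value="' . $page->name . '"]');
    }

    /**
     * The page delete page is refused without 'delete' on the page and shown
     * once 'delete' is granted.
     */
    public function test_page_delete_restriction(): void
    {
        /** @var Page $page */
        $page = Page::query()->first();

        $pageUrl = $page->getUrl();
        $this->actingAs($this->user)
            ->get($pageUrl . '/delete')
            ->assertSee('Delete Page');

        $this->setRestrictionsForTestRoles($page, ['view', 'update']);

        $this->get($pageUrl . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($page, ['view', 'delete']);

        $this->get($pageUrl . '/delete')->assertOk()->assertSee('Delete Page');
    }

    /**
     * Submit the permissions form for the first $model as admin and assert that
     * the restriction flag and the per-role action row are persisted.
     *
     * @param class-string<Entity> $model      Entity model class to load the first record of.
     * @param string               $title      Heading expected on the permissions page.
     * @param string               $permission Action name submitted for the role.
     * @param string               $roleId     Role id used as the key in the submitted form.
     */
    protected function entityRestrictionFormTest(string $model, string $title, string $permission, string $roleId): void
    {
        /** @var Entity $modelInstance */
        $modelInstance = $model::query()->first();
        $this->asAdmin()->get($modelInstance->getUrl('/permissions'))
            ->assertSee($title);

        $this->put($modelInstance->getUrl('/permissions'), [
            'restricted' => 'true',
            'restrictions' => [
                $roleId => [
                    $permission => 'true'
                ]
            ],
        ]);

        $this->assertDatabaseHas($modelInstance->getTable(), ['id' => $modelInstance->id, 'restricted' => true]);
        $this->assertDatabaseHas('entity_permissions', [
            'restrictable_id'   => $modelInstance->id,
            'restrictable_type' => $modelInstance->getMorphClass(),
            'role_id'           => $roleId,
            'action'            => $permission,
        ]);
    }

    public function test_bookshelf_restriction_form(): void
    {
        $this->entityRestrictionFormTest(Bookshelf::class, 'Bookshelf Permissions', 'view', '2');
    }

    public function test_book_restriction_form(): void
    {
        $this->entityRestrictionFormTest(Book::class, 'Book Permissions', 'view', '2');
    }

    public function test_chapter_restriction_form(): void
    {
        $this->entityRestrictionFormTest(Chapter::class, 'Chapter Permissions', 'update', '2');
    }

    public function test_page_restriction_form(): void
    {
        $this->entityRestrictionFormTest(Page::class, 'Page Permissions', 'delete', '2');
    }

    /**
     * A page with no granted actions is left out of the sidebar page list shown
     * on a sibling page in the same chapter.
     */
    public function test_restricted_pages_not_visible_in_book_navigation_on_pages(): void
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $page = $chapter->pages->first();
        $page2 = $chapter->pages[2];

        $this->setRestrictionsForTestRoles($page, []);

        $this->actingAs($this->user)
            ->get($page2->getUrl())
            ->assertElementNotContains('.sidebar-page-list', $page->name);
    }

    /**
     * A page with no granted actions is left out of the sidebar page list shown
     * on its chapter.
     */
    public function test_restricted_pages_not_visible_in_book_navigation_on_chapters(): void
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $page = $chapter->pages->first();

        $this->setRestrictionsForTestRoles($page, []);

        $this->actingAs($this->user)
            ->get($chapter->getUrl())
            ->assertElementNotContains('.sidebar-page-list', $page->name);
    }

    /**
     * A page with no granted actions does not appear anywhere on its chapter page.
     */
    public function test_restricted_pages_not_visible_on_chapter_pages(): void
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $page = $chapter->pages->first();

        $this->setRestrictionsForTestRoles($page, []);

        $this->actingAs($this->user)
            ->get($chapter->getUrl())
            ->assertDontSee($page->name);
    }

    /**
     * Once every page of a chapter has its access removed, the book page no
     * longer lists the chapter's first page.
     */
    public function test_restricted_chapter_pages_not_visible_on_book_page(): void
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $this->actingAs($this->user)
            ->get($chapter->book->getUrl())
            ->assertSee($chapter->pages->first()->name);

        foreach ($chapter->pages as $page) {
            $this->setRestrictionsForTestRoles($page, []);
        }

        $this->actingAs($this->user)
            ->get($chapter->book->getUrl())
            ->assertDontSee($chapter->pages->first()->name);
    }

    /**
     * A viewer, who cannot edit a shelf by default, gains access to the shelf
     * edit page only when the entity permission grants 'update'.
     */
    public function test_bookshelf_update_restriction_override(): void
    {
        /** @var Bookshelf $shelf */
        $shelf = Bookshelf::query()->first();

        $this->actingAs($this->viewer)
            ->get($shelf->getUrl('/edit'))
            ->assertDontSee('Edit Book');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'delete']);

        $this->get($shelf->getUrl('/edit'))->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'update']);

        $this->get($shelf->getUrl('/edit'))->assertOk();
    }

    /**
     * A viewer, who cannot delete a shelf by default, gains access to the shelf
     * delete page only when the entity permission grants 'delete'.
     */
    public function test_bookshelf_delete_restriction_override(): void
    {
        /** @var Bookshelf $shelf */
        $shelf = Bookshelf::query()->first();

        $this->actingAs($this->viewer)
            ->get($shelf->getUrl('/delete'))
            ->assertDontSee('Delete Book');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'update']);

        $this->get($shelf->getUrl('/delete'))->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'delete']);

        $this->get($shelf->getUrl('/delete'))->assertOk()->assertSee('Delete Book');
    }

    /**
     * A viewer, who has no "New" actions on a book by default, can create
     * chapters and pages only when the entity permission grants 'create'.
     */
    public function test_book_create_restriction_override(): void
    {
        /** @var Book $book */
        $book = Book::query()->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)
            ->get($bookUrl)
            ->assertElementNotContains('.actions', 'New Page')
            ->assertElementNotContains('.actions', 'New Chapter');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete', 'update']);

        $this->get($bookUrl . '/create-chapter')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookUrl . '/create-page')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookUrl)->assertElementNotContains('.actions', 'New Page')
            ->assertElementNotContains('.actions', 'New Chapter');

        $this->setRestrictionsForTestRoles($book, ['view', 'create']);

        $resp = $this->post($book->getUrl('/create-chapter'), [
            'name' => 'test chapter',
            'description' => 'test desc',
        ]);
        $resp->assertRedirect($book->getUrl('/chapter/test-chapter'));

        // Page creation goes through a draft: the GET creates it, the POST publishes it.
        $this->get($book->getUrl('/create-page'));
        /** @var Page $page */
        $page = Page::query()->where('draft', '=', true)->orderByDesc('id')->first();
        $resp = $this->post($page->getUrl(), [
            'name' => 'test page',
            'html' => 'test desc',
        ]);
        $resp->assertRedirect($book->getUrl('/page/test-page'));

        $this->get($bookUrl)
            ->assertElementContains('.actions', 'New Page')
            ->assertElementContains('.actions', 'New Chapter');
    }

    /**
     * A viewer gains the edit pages of a book, its first page and its first
     * chapter only when the book entity permission grants 'update'.
     */
    public function test_book_update_restriction_override(): void
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)->get($bookUrl . '/edit')
            ->assertDontSee('Edit Book');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete']);

        $this->get($bookUrl . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookPage->getUrl() . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookChapter->getUrl() . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($book, ['view', 'update']);

        $this->get($bookUrl . '/edit')->assertOk();
        $this->get($bookPage->getUrl() . '/edit')->assertOk();
        $this->get($bookChapter->getUrl() . '/edit')->assertSee('Edit Chapter');
    }

    /**
     * A viewer gains the delete pages of a book, its first page and its first
     * chapter only when the book entity permission grants 'delete'.
     */
    public function test_book_delete_restriction_override(): void
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)
            ->get($bookUrl . '/delete')
            ->assertDontSee('Delete Book');

        $this->setRestrictionsForTestRoles($book, ['view', 'update']);

        $this->get($bookUrl . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookPage->getUrl() . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookChapter->getUrl() . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete']);

        $this->get($bookUrl . '/delete')->assertOk()->assertSee('Delete Book');
        $this->get($bookPage->getUrl() . '/delete')->assertOk()->assertSee('Delete Page');
        $this->get($bookChapter->getUrl('/delete'))->assertSee('Delete Chapter');
    }

    /**
     * A page granted 'view' stays reachable even when its book has no granted
     * actions, and the page response does not leak the hidden book or chapter
     * names. Random names are used so the assertions cannot match by accident.
     */
    public function test_page_visible_if_has_permissions_when_book_not_visible(): void
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookChapter = $book->chapters->first();
        $bookPage = $bookChapter->pages->first();

        foreach ([$book, $bookChapter, $bookPage] as $entity) {
            $entity->name = Str::random(24);
            $entity->save();
        }

        $this->setRestrictionsForTestRoles($book, []);
        $this->setRestrictionsForTestRoles($bookPage, ['view']);

        $this->actingAs($this->viewer);
        $resp = $this->get($bookPage->getUrl());
        $resp->assertOk();
        $resp->assertSee($bookPage->name);
        $resp->assertDontSee(substr($book->name, 0, 15));
        $resp->assertDontSee(substr($bookChapter->name, 0, 15));
    }

    /**
     * The book sort page requires 'update' on the book: refused on a book with
     * only 'view', reachable on a book with 'view' and 'update'.
     */
    public function test_book_sort_view_permission(): void
    {
        /** @var Book $firstBook */
        $firstBook = Book::query()->first();
        /** @var Book $secondBook */
        $secondBook = Book::query()->find(2);

        $this->setRestrictionsForTestRoles($firstBook, ['view', 'update']);
        $this->setRestrictionsForTestRoles($secondBook, ['view']);

        // Test sort page visibility
        $this->actingAs($this->user)->get($secondBook->getUrl('/sort'))->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        // Check sort page on first book, where the user holds 'update'.
        // The original request carried no assertion, so a regression here went unnoticed.
        $this->actingAs($this->user)->get($firstBook->getUrl('/sort'))->assertOk();
    }

    /**
     * Sorting must not move a chapter into or out of a book on which the user
     * lacks 'update': both directions between an updatable and a view-only book
     * are refused.
     */
    public function test_book_sort_permission(): void
    {
        /** @var Book $firstBook */
        $firstBook = Book::query()->first();
        /** @var Book $secondBook */
        $secondBook = Book::query()->find(2);

        $this->setRestrictionsForTestRoles($firstBook, ['view', 'update']);
        $this->setRestrictionsForTestRoles($secondBook, ['view']);

        $firstBookChapter = $this->newChapter(['name' => 'first book chapter'], $firstBook);
        $secondBookChapter = $this->newChapter(['name' => 'second book chapter'], $secondBook);

        // Create request data
        $reqData = [
            [
                'id'            => $firstBookChapter->id,
                'sort'          => 0,
                'parentChapter' => false,
                'type'          => 'chapter',
                'book'          => $secondBook->id,
            ],
        ];

        // Move chapter from first book to a second book
        $this->actingAs($this->user)->put($firstBook->getUrl() . '/sort', ['sort-tree' => json_encode($reqData)])
            ->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $reqData = [
            [
                'id'            => $secondBookChapter->id,
                'sort'          => 0,
                'parentChapter' => false,
                'type'          => 'chapter',
                'book'          => $firstBook->id,
            ],
        ];

        // Move chapter from second book to first book
        $this->actingAs($this->user)->put($firstBook->getUrl() . '/sort', ['sort-tree' => json_encode($reqData)])
                ->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
    }

    /**
     * With the book hidden, a chapter granted 'view' shows no "New Page" action,
     * and one granted 'view' and 'create' allows a page to be created in it.
     */
    public function test_can_create_page_if_chapter_has_permissions_when_book_not_visible(): void
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $this->setRestrictionsForTestRoles($book, []);
        $bookChapter = $book->chapters->first();
        $this->setRestrictionsForTestRoles($bookChapter, ['view']);

        $this->actingAs($this->user)->get($bookChapter->getUrl())
            ->assertDontSee('New Page');

        $this->setRestrictionsForTestRoles($bookChapter, ['view', 'create']);

        // Page creation goes through a draft: the GET creates it, the POST publishes it.
        $this->get($bookChapter->getUrl('/create-page'));
        /** @var Page $page */
        $page = Page::query()->where('draft', '=', true)->orderByDesc('id')->first();
        $resp = $this->post($page->getUrl(), [
            'name' => 'test page',
            'html' => 'test content',
        ]);
        $resp->assertRedirect($book->getUrl('/page/test-page'));
    }
}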