From 581c382f65041d843bc1167caa4295dbd589d506 Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Sun, 8 Jan 2017 19:19:30 +0000
Subject: [PATCH] Fixed image delete permission issue

Also fixed missing translations and wrote tests to cover issue. Fixes #258
---
 app/Services/PermissionService.php | 3 +--
 database/factories/ModelFactory.php | 10 +++++++
 resources/lang/en/entities.php | 1 +
 tests/Permissions/RolesTest.php | 41 +++++++++++++++++++++++++++++
 4 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/app/Services/PermissionService.php b/app/Services/PermissionService.php
index 467bf95da..b58088dc0 100644
--- a/app/Services/PermissionService.php
+++ b/app/Services/PermissionService.php
@@ -405,7 +405,7 @@ class PermissionService
         $action = end($explodedPermission);
         $this->currentAction = $action;
 
-        $nonJointPermissions = ['restrictions'];
+        $nonJointPermissions = ['restrictions', 'image', 'attachment'];
 
         // Handle non entity specific jointPermissions
         if (in_array($explodedPermission[0], $nonJointPermissions)) {
@@ -421,7 +421,6 @@ class PermissionService
             $this->currentAction = $permission;
         }
 
-
         $q = $this->entityRestrictionQuery($baseQuery)->count() > 0;
         $this->clean();
         return $q;
diff --git a/database/factories/ModelFactory.php b/database/factories/ModelFactory.php
index 3820d5b59..43e214386 100644
--- a/database/factories/ModelFactory.php
+++ b/database/factories/ModelFactory.php
@@ -59,4 +59,14 @@ $factory->define(BookStack\Tag::class, function ($faker) {
         'name' => $faker->city,
         'value' => $faker->sentence(3)
     ];
+});
+
+$factory->define(BookStack\Image::class, function ($faker) {
+    return [
+        'name' => $faker->slug . '.jpg',
+        'url' => $faker->url,
+        'path' => $faker->url,
+        'type' => 'gallery',
+        'uploaded_to' => 0
+    ];
 });
\ No newline at end of file
diff --git a/resources/lang/en/entities.php b/resources/lang/en/entities.php
index 033d9614e..109b6ee2a 100644
--- a/resources/lang/en/entities.php
+++ b/resources/lang/en/entities.php
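Review bot: The `$nonJointPermissions` list in the first PermissionService hunk is the single switch that decides which permission prefixes skip the entity joint-permission query and fall back to the role/ownership check, yet it is an unexplained inline literal that now grows by two entries; it should become a named class constant with a comment such as `// Permission types checked on ownership only, never via entity joint permissions`. The membership test on the following line should also pass the strict flag, `if (in_array($explodedPermission[0], $nonJointPermissions, true)) {`. The commit adds `'attachment'` to the list but the new RolesTest cases only exercise images, so the attachment path of this change is untested. The enclosing method starts and ends outside both hunks; the second hunk only drops a blank line.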
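Review bot: The new `BookStack\Image` factory does not set `created_by` or `updated_by`, so every caller in the new tests has to supply both by hand; if that is intentional, say so with a comment above the definition, e.g. `// created_by/updated_by are left to the caller so ownership can be controlled per test`. The `'path'` field is filled with `$faker->url`, the same generator as `'url'`; it presumably refers to a storage-side path, so a dedicated fake value would keep the two distinguishable in test output. The file still ends without a trailing newline, as the marker after the closing `});` shows.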
@@ -89,6 +89,7 @@ return [
      * Chapters
      */
     'chapter' => 'Chapter',
+    'chapters' => 'Chapters',
     'chapters_popular' => 'Popular Chapters',
     'chapters_new' => 'New Chapter',
     'chapters_create' => 'Create New Chapter',
diff --git a/tests/Permissions/RolesTest.php b/tests/Permissions/RolesTest.php
index 500dd3b67..0f6a7a150 100644
--- a/tests/Permissions/RolesTest.php
+++ b/tests/Permissions/RolesTest.php
@@ -578,4 +578,45 @@ class RolesTest extends TestCase
             ->see('Cannot be deleted');
     }
 
+
+
+    public function test_image_delete_own_permission()
+    {
+        $this->giveUserPermissions($this->user, ['image-update-all']);
+// $admin = $this->getAdmin();
+        $page = \BookStack\Page::first();
+        $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $this->user->id, 'updated_by' => $this->user->id]);
+
+        $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
+            ->seeStatusCode(403);
+
+        $this->giveUserPermissions($this->user, ['image-delete-own']);
+
+        $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
+            ->seeStatusCode(200)
+            ->dontSeeInDatabase('images', ['id' => $image->id]);
+    }
+
+    public function test_image_delete_all_permission()
+    {
+        $this->giveUserPermissions($this->user, ['image-update-all']);
+        $admin = $this->getAdmin();
+        $page = \BookStack\Page::first();
+        $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);
+
+        $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
+            ->seeStatusCode(403);
+
+        $this->giveUserPermissions($this->user, ['image-delete-own']);
+
+        $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
+            ->seeStatusCode(403);
+
+        $this->giveUserPermissions($this->user, ['image-delete-all']);
+
+        $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
+            ->seeStatusCode(200)
+            ->dontSeeInDatabase('images', ['id' => $image->id]);
+    }
+
+
 }
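Review bot: The commented-out line `// $admin = $this->getAdmin();` at column 0 inside `test_image_delete_own_permission` is leftover debugging and should be deleted; the sibling test assigns and uses `$admin` properly. Both tests grant `image-update-all` before asserting a 403, and the reason is not stated; a one-line comment such as `// An unrelated image permission must not be enough to delete` would make the first assertion self-explanatory. The PermissionService change in this commit also adds `attachment` to the ownership-only list, but no attachment delete test is added here, so that half of the fix has no coverage. The two extra blank lines before the class-closing brace can be dropped.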