1
0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-30 07:32:39 +01:00

Fixed image delete permission issue

Also fixed missing translations and wrote tests to cover issue.
Fixes #258
This commit is contained in:
Dan Brown 2017-01-08 19:19:30 +00:00
parent f7f86ff821
commit 581c382f65
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
4 changed files with 53 additions and 2 deletions

View File

@ -405,7 +405,7 @@ class PermissionService
$action = end($explodedPermission);
$this->currentAction = $action;
$nonJointPermissions = ['restrictions'];
$nonJointPermissions = ['restrictions', 'image', 'attachment'];
// Handle non entity specific jointPermissions
if (in_array($explodedPermission[0], $nonJointPermissions)) {
@ -421,7 +421,6 @@ class PermissionService
$this->currentAction = $permission;
}
$q = $this->entityRestrictionQuery($baseQuery)->count() > 0;
$this->clean();
return $q;

View File

@ -59,4 +59,14 @@ $factory->define(BookStack\Tag::class, function ($faker) {
'name' => $faker->city,
'value' => $faker->sentence(3)
];
});
$factory->define(BookStack\Image::class, function ($faker) {
return [
'name' => $faker->slug . '.jpg',
'url' => $faker->url,
'path' => $faker->url,
'type' => 'gallery',
'uploaded_to' => 0
];
});

View File

@ -89,6 +89,7 @@ return [
* Chapters
*/
'chapter' => 'Chapter',
'chapters' => 'Chapters',
'chapters_popular' => 'Popular Chapters',
'chapters_new' => 'New Chapter',
'chapters_create' => 'Create New Chapter',

View File

@ -578,4 +578,45 @@ class RolesTest extends TestCase
->see('Cannot be deleted');
}
public function test_image_delete_own_permission()
{
$this->giveUserPermissions($this->user, ['image-update-all']);
// $admin = $this->getAdmin();
$page = \BookStack\Page::first();
$image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $this->user->id, 'updated_by' => $this->user->id]);
$this->actingAs($this->user)->json('delete', '/images/' . $image->id)
->seeStatusCode(403);
$this->giveUserPermissions($this->user, ['image-delete-own']);
$this->actingAs($this->user)->json('delete', '/images/' . $image->id)
->seeStatusCode(200)
->dontSeeInDatabase('images', ['id' => $image->id]);
}
public function test_image_delete_all_permission()
{
$this->giveUserPermissions($this->user, ['image-update-all']);
$admin = $this->getAdmin();
$page = \BookStack\Page::first();
$image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);
$this->actingAs($this->user)->json('delete', '/images/' . $image->id)
->seeStatusCode(403);
$this->giveUserPermissions($this->user, ['image-delete-own']);
$this->actingAs($this->user)->json('delete', '/images/' . $image->id)
->seeStatusCode(403);
$this->giveUserPermissions($this->user, ['image-delete-all']);
$this->actingAs($this->user)->json('delete', '/images/' . $image->id)
->seeStatusCode(200)
->dontSeeInDatabase('images', ['id' => $image->id]);
}
}