Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-01-31 12:11:37 +01:00
Code Issues Releases Wiki Activity

Tied entity restriction system into userCan checks

Browse Source
This commit is contained in:
Dan Brown 2016-02-29 20:31:21 +00:00
parent 7f5872372d
commit 985d2f1c2c
3 changed files with 40 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
app/Http/Controllers/Controller.php
View File

@ -68,7 +68,7 @@ abstract class Controller extends BaseController
protected function showPermissionError() protected function showPermissionError()
{ {
Session::flash('error', trans('errors.permission')); Session::flash('error', trans('errors.permission'));
$response = request()->wantsJson() ? response()->json(['error' => trans('errors.permissionJson')], 403) : redirect('/', 403); $response = request()->wantsJson() ? response()->json(['error' => trans('errors.permissionJson')], 403) : redirect('/');
throw new HttpResponseException($response); throw new HttpResponseException($response);
} }
@ -93,10 +93,8 @@ abstract class Controller extends BaseController
*/ */
protected function checkOwnablePermission($permission, Ownable $ownable) protected function checkOwnablePermission($permission, Ownable $ownable)
{ {
$permissionBaseName = strtolower($permission) . '-'; if (userCan($permission, $ownable)) return true;
if (userCan($permissionBaseName . 'all')) return true; return $this->showPermissionError();
if (userCan($permissionBaseName . 'own') && $ownable->createdBy->id === $this->currentUser->id) return true;
$this->showPermissionError();
} }
/** /**

30
app/Services/RestrictionService.php
View File

@ -1,5 +1,7 @@
<?php namespace BookStack\Services; <?php namespace BookStack\Services;
use BookStack\Entity;
class RestrictionService class RestrictionService
{ {
@ -12,8 +14,24 @@ class RestrictionService
*/ */
public function __construct() public function __construct()
{ {
$this->userRoles = auth()->user()->roles->pluck('id'); $user = auth()->user();
$this->isAdmin = auth()->user()->hasRole('admin'); $this->userRoles = $user ? auth()->user()->roles->pluck('id') : false;
$this->isAdmin = $user ? auth()->user()->hasRole('admin') : false;
}
public function checkIfEntityRestricted(Entity $entity, $action)
{
if ($this->isAdmin) return true;
$this->currentAction = $action;
$baseQuery = $entity->where('id', '=', $entity->id);
if ($entity->isA('page')) {
return $this->pageRestrictionQuery($baseQuery)->count() > 0;
} elseif ($entity->isA('chapter')) {
return $this->chapterRestrictionQuery($baseQuery)->count() > 0;
} elseif ($entity->isA('book')) {
return $this->bookRestrictionQuery($baseQuery)->count() > 0;
}
return false;
} }
/** /**
@ -184,25 +202,25 @@ class RestrictionService
if ($this->isAdmin) return $query; if ($this->isAdmin) return $query;
$this->currentAction = 'view'; $this->currentAction = 'view';
$tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn, 'entityTypeColumn' => $entityTypeColumn]; $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn, 'entityTypeColumn' => $entityTypeColumn];
return $query->where(function($query) use ($tableDetails) { return $query->where(function ($query) use ($tableDetails) {
$query->where(function ($query) use (&$tableDetails) { $query->where(function ($query) use (&$tableDetails) {
$query->where($tableDetails['entityTypeColumn'], '=', 'BookStack\Page') $query->where($tableDetails['entityTypeColumn'], '=', 'BookStack\Page')
->whereExists(function ($query) use (&$tableDetails) { ->whereExists(function ($query) use (&$tableDetails) {
$query->select('*')->from('pages')->whereRaw('pages.id='.$tableDetails['tableName'].'.'.$tableDetails['entityIdColumn']) $query->select('*')->from('pages')->whereRaw('pages.id=' . $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
->where(function ($query) { ->where(function ($query) {
$this->pageRestrictionQuery($query); $this->pageRestrictionQuery($query);
}); });
}); });
})->orWhere(function ($query) use (&$tableDetails) { })->orWhere(function ($query) use (&$tableDetails) {
$query->where($tableDetails['entityTypeColumn'], '=', 'BookStack\Book')->whereExists(function ($query) use (&$tableDetails) { $query->where($tableDetails['entityTypeColumn'], '=', 'BookStack\Book')->whereExists(function ($query) use (&$tableDetails) {
$query->select('*')->from('books')->whereRaw('books.id='.$tableDetails['tableName'].'.'.$tableDetails['entityIdColumn']) $query->select('*')->from('books')->whereRaw('books.id=' . $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
->where(function ($query) { ->where(function ($query) {
$this->bookRestrictionQuery($query); $this->bookRestrictionQuery($query);
}); });
}); });
})->orWhere(function ($query) use (&$tableDetails) { })->orWhere(function ($query) use (&$tableDetails) {
$query->where($tableDetails['entityTypeColumn'], '=', 'BookStack\Chapter')->whereExists(function ($query) use (&$tableDetails) { $query->where($tableDetails['entityTypeColumn'], '=', 'BookStack\Chapter')->whereExists(function ($query) use (&$tableDetails) {
$query->select('*')->from('chapters')->whereRaw('chapters.id='.$tableDetails['tableName'].'.'.$tableDetails['entityIdColumn']) $query->select('*')->from('chapters')->whereRaw('chapters.id=' . $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
->where(function ($query) { ->where(function ($query) {
$this->chapterRestrictionQuery($query); $this->chapterRestrictionQuery($query);
}); });

16
app/helpers.php
View File

@ -43,8 +43,18 @@ function userCan($permission, \BookStack\Ownable $ownable = null)
return auth()->user() && auth()->user()->can($permission); return auth()->user() && auth()->user()->can($permission);
} }
// Check permission on ownable item
$permissionBaseName = strtolower($permission) . '-'; $permissionBaseName = strtolower($permission) . '-';
if (userCan($permissionBaseName . 'all')) return true; $hasPermission = false;
if (userCan($permissionBaseName . 'own') && $ownable->createdBy->id === auth()->user()->id) return true; if (auth()->user()->can($permissionBaseName . 'all')) $hasPermission = true;
return false; if (auth()->user()->can($permissionBaseName . 'own') && $ownable->createdBy->id === auth()->user()->id) $hasPermission = true;
if(!$ownable instanceof \BookStack\Entity) return $hasPermission;
// Check restrictions on the entitiy
$restrictionService = app('BookStack\Services\RestrictionService');
$explodedPermission = explode('-', $permission);
$action = end($explodedPermission);
$hasAccess = $restrictionService->checkIfEntityRestricted($ownable, $action);
return $hasAccess && $hasPermission;
} }