mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-10-29 23:22:34 +01:00
API: Fixed lacking permission enforcement on book contents
This commit is contained in:
parent
c68d154f0f
commit
9aa3442a17
@ -7,6 +7,7 @@ use BookStack\Entities\Models\Book;
|
||||
use BookStack\Entities\Models\Chapter;
|
||||
use BookStack\Entities\Models\Entity;
|
||||
use BookStack\Entities\Queries\BookQueries;
|
||||
use BookStack\Entities\Queries\PageQueries;
|
||||
use BookStack\Entities\Repos\BookRepo;
|
||||
use BookStack\Entities\Tools\BookContents;
|
||||
use BookStack\Http\ApiController;
|
||||
@ -18,6 +19,7 @@ class BookApiController extends ApiController
|
||||
public function __construct(
|
||||
protected BookRepo $bookRepo,
|
||||
protected BookQueries $queries,
|
||||
protected PageQueries $pageQueries,
|
||||
) {
|
||||
}
|
||||
|
||||
@ -69,7 +71,8 @@ class BookApiController extends ApiController
|
||||
->withType()
|
||||
->withField('pages', function (Entity $entity) {
|
||||
if ($entity instanceof Chapter) {
|
||||
return (new ApiEntityListFormatter($entity->pages->all()))->format();
|
||||
$pages = $this->pageQueries->visibleForChapterList($entity->id)->get()->all();
|
||||
return (new ApiEntityListFormatter($pages))->format();
|
||||
}
|
||||
return null;
|
||||
})->format();
|
||||
|
@ -149,6 +149,23 @@ class BooksApiTest extends TestCase
|
||||
]);
|
||||
}
|
||||
|
||||
public function test_read_endpoint_contents_nested_pages_has_permissions_applied()
|
||||
{
|
||||
$this->actingAsApiEditor();
|
||||
|
||||
$book = $this->entities->bookHasChaptersAndPages();
|
||||
$chapter = $book->chapters()->first();
|
||||
$chapterPage = $chapter->pages()->first();
|
||||
$customName = 'MyNonVisiblePageWithinAChapter';
|
||||
$chapterPage->name = $customName;
|
||||
$chapterPage->save();
|
||||
|
||||
$this->permissions->disableEntityInheritedPermissions($chapterPage);
|
||||
|
||||
$resp = $this->getJson($this->baseEndpoint . "/{$book->id}");
|
||||
$resp->assertJsonMissing(['name' => $customName]);
|
||||
}
|
||||
|
||||
public function test_update_endpoint()
|
||||
{
|
||||
$this->actingAsApiEditor();
|
||||
|
Loading…
Reference in New Issue
Block a user