
API: Fixed lacking permission enforcement on book contents

This commit is contained in:
Dan Brown 2024-08-29 14:43:21 +01:00
parent c68d154f0f
commit 9aa3442a17
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 21 additions and 1 deletions


@ -7,6 +7,7 @@ use BookStack\Entities\Models\Book;
use BookStack\Entities\Models\Chapter;
use BookStack\Entities\Models\Entity;
use BookStack\Entities\Queries\BookQueries;
use BookStack\Entities\Queries\PageQueries;
use BookStack\Entities\Repos\BookRepo;
use BookStack\Entities\Tools\BookContents;
use BookStack\Http\ApiController;
@ -18,6 +19,7 @@ class BookApiController extends ApiController
public function __construct(
protected BookRepo $bookRepo,
protected BookQueries $queries,
protected PageQueries $pageQueries,
) {
}
@ -69,7 +71,8 @@ class BookApiController extends ApiController
->withType()
->withField('pages', function (Entity $entity) {
if ($entity instanceof Chapter) {
return (new ApiEntityListFormatter($entity->pages->all()))->format();
$pages = $this->pageQueries->visibleForChapterList($entity->id)->get()->all();
return (new ApiEntityListFormatter($pages))->format();
}
return null;
})->format();
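Review bot: The new `withField('pages', ...)` closure issues `visibleForChapterList($entity->id)->get()` once per chapter, whereas the removed line read the `$entity->pages` relation, which may already have been loaded with the book, so a book with many chapters now pays one extra query per chapter while its contents are formatted. If that cost matters here, one visible-pages query for all chapter ids taken before the formatter runs, grouped by chapter id, would keep the permission check without the per-chapter round trip; at minimum a comment such as `// Query per chapter on purpose: visibility must be applied to chapter pages, the eager-loaded relation is not filtered` would record the trade-off. Whether `visibleForChapterList` also excludes draft pages is not visible in this hunk and is worth confirming against its definition. The enclosing controller method starts and ends outside the hunk.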


@ -149,6 +149,23 @@ class BooksApiTest extends TestCase
]);
}
public function test_read_endpoint_contents_nested_pages_has_permissions_applied()
{
$this->actingAsApiEditor();
$book = $this->entities->bookHasChaptersAndPages();
$chapter = $book->chapters()->first();
$chapterPage = $chapter->pages()->first();
$customName = 'MyNonVisiblePageWithinAChapter';
$chapterPage->name = $customName;
$chapterPage->save();
$this->permissions->disableEntityInheritedPermissions($chapterPage);
$resp = $this->getJson($this->baseEndpoint . "/{$book->id}");
$resp->assertJsonMissing(['name' => $customName]);
}
public function test_update_endpoint()
{
$this->actingAsApiEditor();
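Review bot: The new test only checks that the renamed page is absent once its permissions are removed, so a regression that dropped every chapter page from the response would pass it just as well. A positive check before the permission change gives the negative assertion its meaning: after `$chapterPage->save();` add `$this->getJson($this->baseEndpoint . "/{$book->id}")->assertJsonFragment(['name' => $customName]);` and only then call `disableEntityInheritedPermissions`. The test method lies entirely within the hunk.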