Allowed creating pages in visible chapters in invisible books

Fixes permissions with test to cover in the event a page is created, with permission, in a chapter but the user does not have permission to see the parent book. Fixes #912
rosetta-ai · Jul 14, 2018 · 2bcc159 · 2bcc159
1 parent b2cd363
commit 2bcc159
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 11 deletions.
diff --git a/app/Http/Controllers/PageController.php b/app/Http/Controllers/PageController.php
@@ -5,7 +5,6 @@
 use BookStack\Repos\EntityRepo;
 use BookStack\Repos\UserRepo;
 use BookStack\Services\ExportService;
-use Carbon\Carbon;
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 use Views;
@@ -38,11 +37,18 @@ public function __construct(EntityRepo $entityRepo, ExportService $exportService
      * @param string $chapterSlug
      * @return Response
      * @internal param bool $pageSlug
+     * @throws NotFoundException
      */
     public function create($bookSlug, $chapterSlug = null)
     {
-        $book = $this->entityRepo->getBySlug('book', $bookSlug);
-        $chapter = $chapterSlug ? $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug) : null;
+        if ($chapterSlug !== null) {
+            $chapter = $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug);
+            $book = $chapter->book;
+        } else {
+            $chapter = null;
+            $book = $this->entityRepo->getBySlug('book', $bookSlug);
+        }
+
         $parent = $chapter ? $chapter : $book;
         $this->checkOwnablePermission('page-create', $parent);
 
@@ -52,7 +58,7 @@ public function create($bookSlug, $chapterSlug = null)
             return redirect($draft->getUrl());
         }
 
-        // Otherwise show edit view
+        // Otherwise show the edit view if they're a guest
         $this->setPageTitle(trans('entities.pages_new'));
         return view('pages/guest-create', ['parent' => $parent]);
     }
@@ -71,8 +77,14 @@ public function createAsGuest(Request $request, $bookSlug, $chapterSlug = null)
             'name' => 'required|string|max:255'
         ]);
 
-        $book = $this->entityRepo->getBySlug('book', $bookSlug);
-        $chapter = $chapterSlug ? $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug) : null;
+        if ($chapterSlug !== null) {
+            $chapter = $this->entityRepo->getBySlug('chapter', $chapterSlug, $bookSlug);
+            $book = $chapter->book;
+        } else {
+            $chapter = null;
+            $book = $this->entityRepo->getBySlug('book', $bookSlug);
+        }
+
         $parent = $chapter ? $chapter : $book;
         $this->checkOwnablePermission('page-create', $parent);
 
@@ -93,7 +105,7 @@ public function createAsGuest(Request $request, $bookSlug, $chapterSlug = null)
     public function editDraft($bookSlug, $pageId)
     {
         $draft = $this->entityRepo->getById('page', $pageId, true);
-        $this->checkOwnablePermission('page-create', $draft->book);
+        $this->checkOwnablePermission('page-create', $draft->parent);
         $this->setPageTitle(trans('entities.pages_edit_draft'));
 
         $draftsEnabled = $this->signedIn;
@@ -119,12 +131,10 @@ public function store(Request $request, $bookSlug, $pageId)
         ]);
 
         $input = $request->all();
-        $book = $this->entityRepo->getBySlug('book', $bookSlug);
-
         $draftPage = $this->entityRepo->getById('page', $pageId, true);
+        $book = $draftPage->book;
 
-        $chapterId = intval($draftPage->chapter_id);
-        $parent = $chapterId !== 0 ? $this->entityRepo->getById('chapter', $chapterId) : $book;
+        $parent = $draftPage->parent;
         $this->checkOwnablePermission('page-create', $parent);
 
         if ($parent->isA('chapter')) {

diff --git a/app/Page.php b/app/Page.php
@@ -28,6 +28,15 @@ public function book()
         return $this->belongsTo(Book::class);
     }
 
+    /**
+     * Get the parent item
+     * @return \Illuminate\Database\Eloquent\Relations\BelongsTo
+     */
+    public function parent()
+    {
+        return $this->chapter_id ? $this->chapter() : $this->book();
+    }
+
     /**
      * Get the chapter that this page is in, If applicable.
      * @return \Illuminate\Database\Eloquent\Relations\BelongsTo

diff --git a/tests/Permissions/RestrictionsTest.php b/tests/Permissions/RestrictionsTest.php
@@ -592,4 +592,26 @@ public function test_book_sort_permission() {
                 ->see('You do not have permission')
                 ->seePageIs('/');
     }
+
+    public function test_can_create_page_if_chapter_has_permissions_when_book_not_visible()
+    {
+        $book = Book::first();
+        $this->setEntityRestrictions($book, []);
+        $bookChapter = $book->chapters->first();
+        $this->setEntityRestrictions($bookChapter, ['view']);
+
+        $this->actingAs($this->user)->visit($bookChapter->getUrl())
+            ->dontSee('New Page');
+
+        $this->setEntityRestrictions($bookChapter, ['view', 'create']);
+
+        $this->actingAs($this->user)->visit($bookChapter->getUrl())
+            ->click('New Page')
+            ->seeStatusCode(200)
+            ->type('test page', 'name')
+            ->type('test content', 'html')
+            ->press('Save Page')
+            ->seePageIs($book->getUrl('/page/test-page'))
+            ->seeStatusCode(200);
+    }
 }