BookStack Code Mirror - bookstack/blobdiff - tests/Permissions/RolesTest.php

<?php

+namespace Tests\Permissions;

+

+use BookStack\Actions\ActivityType;

+use BookStack\Actions\Comment;

+use BookStack\Auth\Role;

+use BookStack\Auth\User;

+use BookStack\Entities\Models\Book;

+use BookStack\Entities\Models\Bookshelf;

+use BookStack\Entities\Models\Chapter;

+use BookStack\Entities\Models\Entity;

+use BookStack\Entities\Models\Page;

+use BookStack\Uploads\Image;

+use Tests\TestCase;

+use Tests\TestResponse;

+

class RolesTest extends TestCase

{

protected $user;

class RolesTest extends TestCase

{

protected $user;

- public function setUp()

+ public function setUp(): void

{

parent::setUp();

{

parent::setUp();

- $this->user = $this->getNewBlankUser();

- }

-

- /**

- * Give the given user some permissions.

- * @param \BookStack\User $user

- * @param array $permissions

- */

- protected function giveUserPermissions(\BookStack\User $user, $permissions = [])

- {

- $newRole = $this->createNewRole($permissions);

- $user->attachRole($newRole);

- $user->load('roles');

- $user->permissions(false);

- }

-

- /**

- * Create a new basic role for testing purposes.

- * @param array $permissions

- * @return static

- */

- protected function createNewRole($permissions = [])

- {

- $permissionRepo = app('BookStack\Repos\PermissionsRepo');

- $roleData = factory(\BookStack\Role::class)->make()->toArray();

- $roleData['permissions'] = array_flip($permissions);

- return $permissionRepo->saveNewRole($roleData);

+ $this->user = $this->getViewer();

}

public function test_admin_can_see_settings()

{

}

public function test_admin_can_see_settings()

{

- $this->asAdmin()->visit('/settings')->see('Settings');

+ $this->asAdmin()->get('/settings')->assertSee('Settings');

}

public function test_cannot_delete_admin_role()

{

}

public function test_cannot_delete_admin_role()

{

- $adminRole = \BookStack\Role::getRole('admin');

+ $adminRole = Role::getRole('admin');

$deletePageUrl = '/settings/roles/delete/' . $adminRole->id;

- $this->asAdmin()->visit($deletePageUrl)

- ->press('Confirm')

- ->seePageIs($deletePageUrl)

- ->see('cannot be deleted');

+

+ $this->asAdmin()->get($deletePageUrl);

+ $this->delete($deletePageUrl)->assertRedirect($deletePageUrl);

+ $this->get($deletePageUrl)->assertSee('cannot be deleted');

}

public function test_role_cannot_be_deleted_if_default()

}

public function test_role_cannot_be_deleted_if_default()

$this->setSettings(['registration-role' => $newRole->id]);

$deletePageUrl = '/settings/roles/delete/' . $newRole->id;

$this->setSettings(['registration-role' => $newRole->id]);

$deletePageUrl = '/settings/roles/delete/' . $newRole->id;

- $this->asAdmin()->visit($deletePageUrl)

- ->press('Confirm')

- ->seePageIs($deletePageUrl)

- ->see('cannot be deleted');

+ $this->asAdmin()->get($deletePageUrl);

+ $this->delete($deletePageUrl)->assertRedirect($deletePageUrl);

+ $this->get($deletePageUrl)->assertSee('cannot be deleted');

}

public function test_role_create_update_delete_flow()

}

public function test_role_create_update_delete_flow()

$testRoleUpdateName = 'An Super Updated role';

// Creation

$testRoleUpdateName = 'An Super Updated role';

// Creation

- $this->asAdmin()->visit('/settings')

- ->click('Roles')

- ->seePageIs('/settings/roles')

- ->click('Add new role')

- ->type('Test Role', 'display_name')

- ->type('A little test description', 'description')

- ->press('Save Role')

- ->seeInDatabase('roles', ['display_name' => $testRoleName, 'name' => 'test-role', 'description' => $testRoleDesc])

- ->seePageIs('/settings/roles');

+ $resp = $this->asAdmin()->get('/settings');

+ $resp->assertElementContains('a[href="' . url('/settings/roles') . '"]', 'Roles');

+

+ $resp = $this->get('/settings/roles');

+ $resp->assertElementContains('a[href="' . url('/settings/roles/new') . '"]', 'Create New Role');

+

+ $resp = $this->get('/settings/roles/new');

+ $resp->assertElementContains('form[action="' . url('/settings/roles/new') . '"]', 'Save Role');

+

+ $resp = $this->post('/settings/roles/new', [

+ 'display_name' => $testRoleName,

+ 'description' => $testRoleDesc,

+ ]);

+ $resp->assertRedirect('/settings/roles');

+

+ $resp = $this->get('/settings/roles');

+ $resp->assertSee($testRoleName);

+ $resp->assertSee($testRoleDesc);

+ $this->assertDatabaseHas('roles', [

+ 'display_name' => $testRoleName,

+ 'description' => $testRoleDesc,

+ 'mfa_enforced' => false,

+ ]);

+

+ /** @var Role $role */

+ $role = Role::query()->where('display_name', '=', $testRoleName)->first();

+

// Updating

- $this->asAdmin()->visit('/settings/roles')

- ->see($testRoleDesc)

- ->click($testRoleName)

- ->type($testRoleUpdateName, '#display_name')

- ->press('Save Role')

- ->seeInDatabase('roles', ['display_name' => $testRoleUpdateName, 'name' => 'test-role', 'description' => $testRoleDesc])

- ->seePageIs('/settings/roles');

+ $resp = $this->get('/settings/roles/' . $role->id);

+ $resp->assertSee($testRoleName);

+ $resp->assertSee($testRoleDesc);

+ $resp->assertElementContains('form[action="' . url('/settings/roles/' . $role->id) . '"]', 'Save Role');

+

+ $resp = $this->put('/settings/roles/' . $role->id, [

+ 'display_name' => $testRoleUpdateName,

+ 'description' => $testRoleDesc,

+ 'mfa_enforced' => 'true',

+ ]);

+ $resp->assertRedirect('/settings/roles');

+ $this->assertDatabaseHas('roles', [

+ 'display_name' => $testRoleUpdateName,

+ 'description' => $testRoleDesc,

+ 'mfa_enforced' => true,

+ ]);

+

// Deleting

- $this->asAdmin()->visit('/settings/roles')

- ->click($testRoleUpdateName)

- ->click('Delete Role')

- ->see($testRoleUpdateName)

- ->press('Confirm')

- ->seePageIs('/settings/roles')

- ->dontSee($testRoleUpdateName);

+ $resp = $this->get('/settings/roles/' . $role->id);

+ $resp->assertElementContains('a[href="' . url("/settings/roles/delete/$role->id") . '"]', 'Delete Role');

+

+ $resp = $this->get("/settings/roles/delete/$role->id");

+ $resp->assertSee($testRoleUpdateName);

+ $resp->assertElementContains('form[action="' . url("/settings/roles/delete/$role->id") . '"]', 'Confirm');

+

+ $resp = $this->delete("/settings/roles/delete/$role->id");

+ $resp->assertRedirect('/settings/roles');

+ $this->get('/settings/roles')->assertSee('Role successfully deleted');

+ $this->assertActivityExists(ActivityType::ROLE_DELETE);

+ }

+

+ public function test_admin_role_cannot_be_removed_if_user_last_admin()

+ {

+ /** @var Role $adminRole */

+ $adminRole = Role::query()->where('system_name', '=', 'admin')->first();

+ $adminUser = $this->getAdmin();

+ $adminRole->users()->where('id', '!=', $adminUser->id)->delete();

+ $this->assertEquals(1, $adminRole->users()->count());

+

+ $viewerRole = $this->getViewer()->roles()->first();

+

+ $editUrl = '/settings/users/' . $adminUser->id;

+ $resp = $this->actingAs($adminUser)->put($editUrl, [

+ 'name' => $adminUser->name,

+ 'email' => $adminUser->email,

+ 'roles' => [

+ 'viewer' => strval($viewerRole->id),

+ ],

+ ]);

+

+ $resp->assertRedirect($editUrl);

+

+ $resp = $this->get($editUrl);

+ $resp->assertSee('This user is the only user assigned to the administrator role');

+ }

+

+ public function test_migrate_users_on_delete_works()

+ {

+ /** @var Role $roleA */

+ $roleA = Role::query()->create(['display_name' => 'Delete Test A']);

+ /** @var Role $roleB */

+ $roleB = Role::query()->create(['display_name' => 'Delete Test B']);

+ $this->user->attachRole($roleB);

+

+ $this->assertCount(0, $roleA->users()->get());

+ $this->assertCount(1, $roleB->users()->get());

+

+ $deletePage = $this->asAdmin()->get("/settings/roles/delete/$roleB->id");

+ $deletePage->assertElementExists('select[name=migrate_role_id]');

+ $this->asAdmin()->delete("/settings/roles/delete/$roleB->id", [

+ 'migrate_role_id' => $roleA->id,

+ ]);

+

+ $this->assertCount(1, $roleA->users()->get());

+ $this->assertEquals($this->user->id, $roleA->users()->first()->id);

}

public function test_manage_user_permission()

{

}

public function test_manage_user_permission()

{

- $this->actingAs($this->user)->visit('/')->visit('/settings/users')

- ->seePageIs('/');

+ $this->actingAs($this->user)->get('/settings/users')->assertRedirect('/');

+ $this->giveUserPermissions($this->user, ['users-manage']);

+ $this->actingAs($this->user)->get('/settings/users')->assertOk();

+ }

+

+ public function test_manage_users_permission_shows_link_in_header_if_does_not_have_settings_manage_permision()

+ {

+ $usersLink = 'href="' . url('/settings/users') . '"';

+ $this->actingAs($this->user)->get('/')->assertDontSee($usersLink);

$this->giveUserPermissions($this->user, ['users-manage']);

- $this->actingAs($this->user)->visit('/')->visit('/settings/users')

- ->seePageIs('/settings/users');

+ $this->actingAs($this->user)->get('/')->assertSee($usersLink);

+ $this->giveUserPermissions($this->user, ['settings-manage', 'users-manage']);

+ $this->actingAs($this->user)->get('/')->assertDontSee($usersLink);

+ }

+

+ public function test_user_cannot_change_email_unless_they_have_manage_users_permission()

+ {

+ $userProfileUrl = '/settings/users/' . $this->user->id;

+ $originalEmail = $this->user->email;

+ $this->actingAs($this->user);

+

+ $this->get($userProfileUrl)

+ ->assertOk()

+ ->assertElementExists('input[name=email][disabled]');

+ $this->put($userProfileUrl, [

+ 'name' => 'my_new_name',

+ 'email' => '[email protected]',

+ ]);

+ $this->assertDatabaseHas('users', [

+ 'id' => $this->user->id,

+ 'email' => $originalEmail,

+ 'name' => 'my_new_name',

+ ]);

+

+ $this->giveUserPermissions($this->user, ['users-manage']);

+

+ $this->get($userProfileUrl)

+ ->assertOk()

+ ->assertElementNotExists('input[name=email][disabled]')

+ ->assertElementExists('input[name=email]');

+ $this->put($userProfileUrl, [

+ 'name' => 'my_new_name_2',

+ 'email' => '[email protected]',

+ ]);

+

+ $this->assertDatabaseHas('users', [

+ 'id' => $this->user->id,

+ 'email' => '[email protected]',

+ 'name' => 'my_new_name_2',

+ ]);

}

public function test_user_roles_manage_permission()

{

}

public function test_user_roles_manage_permission()

{

- $this->actingAs($this->user)->visit('/')->visit('/settings/roles')

- ->seePageIs('/')->visit('/settings/roles/1')->seePageIs('/');

+ $this->actingAs($this->user)->get('/settings/roles')->assertRedirect('/');

+ $this->get('/settings/roles/1')->assertRedirect('/');

$this->giveUserPermissions($this->user, ['user-roles-manage']);

- $this->actingAs($this->user)->visit('/settings/roles')

- ->seePageIs('/settings/roles')->click('Admin')

- ->see('Edit Role');

+ $this->actingAs($this->user)->get('/settings/roles')->assertOk();

+ $this->get('/settings/roles/1')

+ ->assertOk()

+ ->assertSee('Admin');

}

public function test_settings_manage_permission()

{

}

public function test_settings_manage_permission()

{

- $this->actingAs($this->user)->visit('/')->visit('/settings')

- ->seePageIs('/');

+ $this->actingAs($this->user)->get('/settings')->assertRedirect('/');

$this->giveUserPermissions($this->user, ['settings-manage']);

- $this->actingAs($this->user)->visit('/')->visit('/settings')

- ->seePageIs('/settings')->press('Save Settings')->see('Settings Saved');

+ $this->get('/settings')->assertOk();

+

+ $resp = $this->post('/settings', []);

+ $resp->assertRedirect('/settings');

+ $resp = $this->get('/settings');

+ $resp->assertSee('Settings saved');

}

public function test_restrictions_manage_all_permission()

{

}

public function test_restrictions_manage_all_permission()

{

- $page = \BookStack\Page::take(1)->get()->first();

- $this->actingAs($this->user)->visit($page->getUrl())

- ->dontSee('Restrict')

- ->visit($page->getUrl() . '/restrict')

- ->seePageIs('/');

+ $page = Page::query()->get()->first();

+

+ $this->actingAs($this->user)->get($page->getUrl())->assertDontSee('Permissions');

+ $this->get($page->getUrl('/permissions'))->assertRedirect('/');

+

$this->giveUserPermissions($this->user, ['restrictions-manage-all']);

- $this->actingAs($this->user)->visit($page->getUrl())

- ->see('Restrict')

- ->click('Restrict')

- ->see('Page Restrictions')->seePageIs($page->getUrl() . '/restrict');

+

+ $this->actingAs($this->user)->get($page->getUrl())->assertSee('Permissions');

+

+ $this->get($page->getUrl('/permissions'))

+ ->assertOk()

+ ->assertSee('Page Permissions');

}

public function test_restrictions_manage_own_permission()

{

}

public function test_restrictions_manage_own_permission()

{

- $otherUsersPage = \BookStack\Page::take(1)->get()->first();

+ /** @var Page $otherUsersPage */

+ $otherUsersPage = Page::query()->first();

$content = $this->createEntityChainBelongingToUser($this->user);

+

+ // Set a different creator on the page we're checking to ensure

+ // that the owner fields are checked

+ $page = $content['page']; /** @var Page $page */

+ $page->created_by = $otherUsersPage->id;

+ $page->owned_by = $this->user->id;

+ $page->save();

+

// Check can't restrict other's content

- $this->actingAs($this->user)->visit($otherUsersPage->getUrl())

- ->dontSee('Restrict')

- ->visit($otherUsersPage->getUrl() . '/restrict')

- ->seePageIs('/');

+ $this->actingAs($this->user)->get($otherUsersPage->getUrl())->assertDontSee('Permissions');

+ $this->get($otherUsersPage->getUrl('/permissions'))->assertRedirect('/');

+

// Check can't restrict own content

- $this->actingAs($this->user)->visit($content['page']->getUrl())

- ->dontSee('Restrict')

- ->visit($content['page']->getUrl() . '/restrict')

- ->seePageIs('/');

+ $this->actingAs($this->user)->get($page->getUrl())->assertDontSee('Permissions');

+ $this->get($page->getUrl('/permissions'))->assertRedirect('/');

$this->giveUserPermissions($this->user, ['restrictions-manage-own']);

// Check can't restrict other's content

$this->giveUserPermissions($this->user, ['restrictions-manage-own']);

// Check can't restrict other's content

- $this->actingAs($this->user)->visit($otherUsersPage->getUrl())

- ->dontSee('Restrict')

- ->visit($otherUsersPage->getUrl() . '/restrict')

- ->seePageIs('/');

+ $this->actingAs($this->user)->get($otherUsersPage->getUrl())->assertDontSee('Permissions');

+ $this->get($otherUsersPage->getUrl('/permissions'))->assertRedirect();

+

// Check can restrict own content

- $this->actingAs($this->user)->visit($content['page']->getUrl())

- ->see('Restrict')

- ->click('Restrict')

- ->seePageIs($content['page']->getUrl() . '/restrict');

+ $this->actingAs($this->user)->get($page->getUrl())->assertSee('Permissions');

+ $this->get($page->getUrl('/permissions'))->assertOk();

}

/**

}

/**

- * Check a standard entity access permission

- * @param string $permission

- * @param array $accessUrls Urls that are only accessible after having the permission

- * @param array $visibles Check this text, In the buttons toolbar, is only visible with the permission

- * @param null $callback

+ * Check a standard entity access permission.

*/

- private function checkAccessPermission($permission, $accessUrls = [], $visibles = [])

+ private function checkAccessPermission(string $permission, array $accessUrls = [], array $visibles = [])

{

foreach ($accessUrls as $url) {

{

foreach ($accessUrls as $url) {

- $this->actingAs($this->user)->visit('/')->visit($url)

- ->seePageIs('/');

+ $this->actingAs($this->user)->get($url)->assertRedirect('/');

}

+

foreach ($visibles as $url => $text) {

- $this->actingAs($this->user)->visit('/')->visit($url)

- ->dontSeeInElement('.action-buttons',$text);

+ $this->actingAs($this->user)->get($url)

+ ->assertElementNotContains('.action-buttons', $text);

}

$this->giveUserPermissions($this->user, [$permission]);

foreach ($accessUrls as $url) {

}

$this->giveUserPermissions($this->user, [$permission]);

foreach ($accessUrls as $url) {

- $this->actingAs($this->user)->visit('/')->visit($url)

- ->seePageIs($url);

+ $this->actingAs($this->user)->get($url)->assertOk();

}

foreach ($visibles as $url => $text) {

}

foreach ($visibles as $url => $text) {

- $this->actingAs($this->user)->visit('/')->visit($url)

- ->see($text);

+ $this->actingAs($this->user)->get($url)->assertSee($text);

}

+ public function test_bookshelves_create_all_permissions()

+ {

+ $this->checkAccessPermission('bookshelf-create-all', [

+ '/create-shelf',

+ ], [

+ '/shelves' => 'New Shelf',

+ ]);

+

+ $this->post('/shelves', [

+ 'name' => 'test shelf',

+ 'description' => 'shelf desc',

+ ])->assertRedirect('/shelves/test-shelf');

+ }

+

+ public function test_bookshelves_edit_own_permission()

+ {

+ /** @var Bookshelf $otherShelf */

+ $otherShelf = Bookshelf::query()->first();

+ $ownShelf = $this->newShelf(['name' => 'test-shelf', 'slug' => 'test-shelf']);

+ $ownShelf->forceFill(['owned_by' => $this->user->id, 'updated_by' => $this->user->id])->save();

+ $this->regenEntityPermissions($ownShelf);

+

+ $this->checkAccessPermission('bookshelf-update-own', [

+ $ownShelf->getUrl('/edit'),

+ ], [

+ $ownShelf->getUrl() => 'Edit',

+ ]);

+

+ $this->get($otherShelf->getUrl())->assertElementNotContains('.action-buttons', 'Edit');

+ $this->get($otherShelf->getUrl('/edit'))->assertRedirect('/');

+ }

+

+ public function test_bookshelves_edit_all_permission()

+ {

+ /** @var Bookshelf $otherShelf */

+ $otherShelf = Bookshelf::query()->first();

+ $this->checkAccessPermission('bookshelf-update-all', [

+ $otherShelf->getUrl('/edit'),

+ ], [

+ $otherShelf->getUrl() => 'Edit',

+ ]);

+ }

+

+ public function test_bookshelves_delete_own_permission()

+ {

+ $this->giveUserPermissions($this->user, ['bookshelf-update-all']);

+ /** @var Bookshelf $otherShelf */

+ $otherShelf = Bookshelf::query()->first();

+ $ownShelf = $this->newShelf(['name' => 'test-shelf', 'slug' => 'test-shelf']);

+ $ownShelf->forceFill(['owned_by' => $this->user->id, 'updated_by' => $this->user->id])->save();

+ $this->regenEntityPermissions($ownShelf);

+

+ $this->checkAccessPermission('bookshelf-delete-own', [

+ $ownShelf->getUrl('/delete'),

+ ], [

+ $ownShelf->getUrl() => 'Delete',

+ ]);

+

+ $this->get($otherShelf->getUrl())->assertElementNotContains('.action-buttons', 'Delete');

+ $this->get($otherShelf->getUrl('/delete'))->assertRedirect('/');

+

+ $this->get($ownShelf->getUrl());

+ $this->delete($ownShelf->getUrl())->assertRedirect('/shelves');

+ $this->get('/shelves')->assertDontSee($ownShelf->name);

+ }

+

+ public function test_bookshelves_delete_all_permission()

+ {

+ $this->giveUserPermissions($this->user, ['bookshelf-update-all']);

+ /** @var Bookshelf $otherShelf */

+ $otherShelf = Bookshelf::query()->first();

+ $this->checkAccessPermission('bookshelf-delete-all', [

+ $otherShelf->getUrl('/delete'),

+ ], [

+ $otherShelf->getUrl() => 'Delete',

+ ]);

+

+ $this->delete($otherShelf->getUrl())->assertRedirect('/shelves');

+ $this->get('/shelves')->assertDontSee($otherShelf->name);

+ }

+

public function test_books_create_all_permissions()

{

$this->checkAccessPermission('book-create-all', [

public function test_books_create_all_permissions()

{

$this->checkAccessPermission('book-create-all', [

- '/books/create'

+ '/create-book',

], [

- '/books' => 'Add new book'

+ '/books' => 'Create New Book',

]);

- $this->visit('/books/create')

- ->type('test book', 'name')

- ->type('book desc', 'description')

- ->press('Save Book')

- ->seePageIs('/books/test-book');

+ $this->post('/books', [

+ 'name' => 'test book',

+ 'description' => 'book desc',

+ ])->assertRedirect('/books/test-book');

}

public function test_books_edit_own_permission()

{

}

public function test_books_edit_own_permission()

{

- $otherBook = \BookStack\Book::take(1)->get()->first();

+ /** @var Book $otherBook */

+ $otherBook = Book::query()->take(1)->get()->first();

$ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

$this->checkAccessPermission('book-update-own', [

$ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

$this->checkAccessPermission('book-update-own', [

- $ownBook->getUrl() . '/edit'

+ $ownBook->getUrl() . '/edit',

], [

- $ownBook->getUrl() => 'Edit'

+ $ownBook->getUrl() => 'Edit',

]);

- $this->visit($otherBook->getUrl())

- ->dontSeeInElement('.action-buttons', 'Edit')

- ->visit($otherBook->getUrl() . '/edit')

- ->seePageIs('/');

+ $this->get($otherBook->getUrl())->assertElementNotContains('.action-buttons', 'Edit');

+ $this->get($otherBook->getUrl('/edit'))->assertRedirect('/');

}

public function test_books_edit_all_permission()

{

}

public function test_books_edit_all_permission()

{

- $otherBook = \BookStack\Book::take(1)->get()->first();

+ /** @var Book $otherBook */

+ $otherBook = Book::query()->take(1)->get()->first();

$this->checkAccessPermission('book-update-all', [

- $otherBook->getUrl() . '/edit'

+ $otherBook->getUrl() . '/edit',

], [

- $otherBook->getUrl() => 'Edit'

+ $otherBook->getUrl() => 'Edit',

]);

}

public function test_books_delete_own_permission()

{

$this->giveUserPermissions($this->user, ['book-update-all']);

]);

}

public function test_books_delete_own_permission()

{

$this->giveUserPermissions($this->user, ['book-update-all']);

- $otherBook = \BookStack\Book::take(1)->get()->first();

+ /** @var Book $otherBook */

+ $otherBook = Book::query()->take(1)->get()->first();

$ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

$this->checkAccessPermission('book-delete-own', [

$ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

$this->checkAccessPermission('book-delete-own', [

- $ownBook->getUrl() . '/delete'

+ $ownBook->getUrl() . '/delete',

], [

- $ownBook->getUrl() => 'Delete'

+ $ownBook->getUrl() => 'Delete',

]);

- $this->visit($otherBook->getUrl())

- ->dontSeeInElement('.action-buttons', 'Delete')

- ->visit($otherBook->getUrl() . '/delete')

- ->seePageIs('/');

- $this->visit($ownBook->getUrl())->visit($ownBook->getUrl() . '/delete')

- ->press('Confirm')

- ->seePageIs('/books')

- ->dontSee($ownBook->name);

+ $this->get($otherBook->getUrl())->assertElementNotContains('.action-buttons', 'Delete');

+ $this->get($otherBook->getUrl('/delete'))->assertRedirect('/');

+ $this->get($ownBook->getUrl());

+ $this->delete($ownBook->getUrl())->assertRedirect('/books');

+ $this->get('/books')->assertDontSee($ownBook->name);

}

public function test_books_delete_all_permission()

{

$this->giveUserPermissions($this->user, ['book-update-all']);

}

public function test_books_delete_all_permission()

{

$this->giveUserPermissions($this->user, ['book-update-all']);

- $otherBook = \BookStack\Book::take(1)->get()->first();

+ /** @var Book $otherBook */

+ $otherBook = Book::query()->take(1)->get()->first();

$this->checkAccessPermission('book-delete-all', [

- $otherBook->getUrl() . '/delete'

+ $otherBook->getUrl() . '/delete',

], [

- $otherBook->getUrl() => 'Delete'

+ $otherBook->getUrl() => 'Delete',

]);

- $this->visit($otherBook->getUrl())->visit($otherBook->getUrl() . '/delete')

- ->press('Confirm')

- ->seePageIs('/books')

- ->dontSee($otherBook->name);

+ $this->get($otherBook->getUrl());

+ $this->delete($otherBook->getUrl())->assertRedirect('/books');

+ $this->get('/books')->assertDontSee($otherBook->name);

}

public function test_chapter_create_own_permissions()

{

}

public function test_chapter_create_own_permissions()

{

- $book = \BookStack\Book::take(1)->get()->first();

+ /** @var Book $book */

+ $book = Book::query()->take(1)->get()->first();

$ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

- $baseUrl = $ownBook->getUrl() . '/chapter';

$this->checkAccessPermission('chapter-create-own', [

- $baseUrl . '/create'

+ $ownBook->getUrl('/create-chapter'),

], [

- $ownBook->getUrl() => 'New Chapter'

+ $ownBook->getUrl() => 'New Chapter',

]);

- $this->visit($baseUrl . '/create')

- ->type('test chapter', 'name')

- ->type('chapter desc', 'description')

- ->press('Save Chapter')

- ->seePageIs($baseUrl . '/test-chapter');

+ $this->post($ownBook->getUrl('/create-chapter'), [

+ 'name' => 'test chapter',

+ 'description' => 'chapter desc',

+ ])->assertRedirect($ownBook->getUrl('/chapter/test-chapter'));

- $this->visit($book->getUrl())

- ->dontSeeInElement('.action-buttons', 'New Chapter')

- ->visit($book->getUrl() . '/chapter/create')

- ->seePageIs('/');

+ $this->get($book->getUrl())->assertElementNotContains('.action-buttons', 'New Chapter');

+ $this->get($book->getUrl('/create-chapter'))->assertRedirect('/');

}

public function test_chapter_create_all_permissions()

{

}

public function test_chapter_create_all_permissions()

{

- $book = \BookStack\Book::take(1)->get()->first();

- $baseUrl = $book->getUrl() . '/chapter';

+ /** @var Book $book */

+ $book = Book::query()->first();

$this->checkAccessPermission('chapter-create-all', [

- $baseUrl . '/create'

+ $book->getUrl('/create-chapter'),

], [

- $book->getUrl() => 'New Chapter'

+ $book->getUrl() => 'New Chapter',

]);

- $this->visit($baseUrl . '/create')

- ->type('test chapter', 'name')

- ->type('chapter desc', 'description')

- ->press('Save Chapter')

- ->seePageIs($baseUrl . '/test-chapter');

+ $this->post($book->getUrl('/create-chapter'), [

+ 'name' => 'test chapter',

+ 'description' => 'chapter desc',

+ ])->assertRedirect($book->getUrl('/chapter/test-chapter'));

}

public function test_chapter_edit_own_permission()

{

}

public function test_chapter_edit_own_permission()

{

- $otherChapter = \BookStack\Chapter::take(1)->get()->first();

+ /** @var Chapter $otherChapter */

+ $otherChapter = Chapter::query()->first();

$ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

$this->checkAccessPermission('chapter-update-own', [

$ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

$this->checkAccessPermission('chapter-update-own', [

- $ownChapter->getUrl() . '/edit'

+ $ownChapter->getUrl() . '/edit',

], [

- $ownChapter->getUrl() => 'Edit'

+ $ownChapter->getUrl() => 'Edit',

]);

- $this->visit($otherChapter->getUrl())

- ->dontSeeInElement('.action-buttons', 'Edit')

- ->visit($otherChapter->getUrl() . '/edit')

- ->seePageIs('/');

+ $this->get($otherChapter->getUrl())->assertElementNotContains('.action-buttons', 'Edit');

+ $this->get($otherChapter->getUrl('/edit'))->assertRedirect('/');

}

public function test_chapter_edit_all_permission()

{

}

public function test_chapter_edit_all_permission()

{

- $otherChapter = \BookStack\Chapter::take(1)->get()->first();

+ /** @var Chapter $otherChapter */

+ $otherChapter = Chapter::query()->take(1)->get()->first();

$this->checkAccessPermission('chapter-update-all', [

- $otherChapter->getUrl() . '/edit'

+ $otherChapter->getUrl() . '/edit',

], [

- $otherChapter->getUrl() => 'Edit'

+ $otherChapter->getUrl() => 'Edit',

]);

}

public function test_chapter_delete_own_permission()

{

$this->giveUserPermissions($this->user, ['chapter-update-all']);

]);

}

public function test_chapter_delete_own_permission()

{

$this->giveUserPermissions($this->user, ['chapter-update-all']);

- $otherChapter = \BookStack\Chapter::take(1)->get()->first();

+ /** @var Chapter $otherChapter */

+ $otherChapter = Chapter::query()->first();

$ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

$this->checkAccessPermission('chapter-delete-own', [

$ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

$this->checkAccessPermission('chapter-delete-own', [

- $ownChapter->getUrl() . '/delete'

+ $ownChapter->getUrl() . '/delete',

], [

- $ownChapter->getUrl() => 'Delete'

+ $ownChapter->getUrl() => 'Delete',

]);

$bookUrl = $ownChapter->book->getUrl();

]);

$bookUrl = $ownChapter->book->getUrl();

- $this->visit($otherChapter->getUrl())

- ->dontSeeInElement('.action-buttons', 'Delete')

- ->visit($otherChapter->getUrl() . '/delete')

- ->seePageIs('/');

- $this->visit($ownChapter->getUrl())->visit($ownChapter->getUrl() . '/delete')

- ->press('Confirm')

- ->seePageIs($bookUrl)

- ->dontSeeInElement('.book-content', $ownChapter->name);

+ $this->get($otherChapter->getUrl())->assertElementNotContains('.action-buttons', 'Delete');

+ $this->get($otherChapter->getUrl('/delete'))->assertRedirect('/');

+ $this->get($ownChapter->getUrl());

+ $this->delete($ownChapter->getUrl())->assertRedirect($bookUrl);

+ $this->get($bookUrl)->assertElementNotContains('.book-content', $ownChapter->name);

}

public function test_chapter_delete_all_permission()

{

$this->giveUserPermissions($this->user, ['chapter-update-all']);

}

public function test_chapter_delete_all_permission()

{

$this->giveUserPermissions($this->user, ['chapter-update-all']);

- $otherChapter = \BookStack\Chapter::take(1)->get()->first();

+ /** @var Chapter $otherChapter */

+ $otherChapter = Chapter::query()->first();

$this->checkAccessPermission('chapter-delete-all', [

- $otherChapter->getUrl() . '/delete'

+ $otherChapter->getUrl() . '/delete',

], [

- $otherChapter->getUrl() => 'Delete'

+ $otherChapter->getUrl() => 'Delete',

]);

$bookUrl = $otherChapter->book->getUrl();

]);

$bookUrl = $otherChapter->book->getUrl();

- $this->visit($otherChapter->getUrl())->visit($otherChapter->getUrl() . '/delete')

- ->press('Confirm')

- ->seePageIs($bookUrl)

- ->dontSeeInElement('.book-content', $otherChapter->name);

+ $this->get($otherChapter->getUrl());

+ $this->delete($otherChapter->getUrl())->assertRedirect($bookUrl);

+ $this->get($bookUrl)->assertElementNotContains('.book-content', $otherChapter->name);

}

public function test_page_create_own_permissions()

{

}

public function test_page_create_own_permissions()

{

- $book = \BookStack\Book::take(1)->get()->first();

- $chapter = \BookStack\Chapter::take(1)->get()->first();

+ /** @var Book $book */

+ $book = Book::query()->first();

+ /** @var Chapter $chapter */

+ $chapter = Chapter::query()->first();

$entities = $this->createEntityChainBelongingToUser($this->user);

$ownBook = $entities['book'];

$ownChapter = $entities['chapter'];

$entities = $this->createEntityChainBelongingToUser($this->user);

$ownBook = $entities['book'];

$ownChapter = $entities['chapter'];

- $baseUrl = $ownBook->getUrl() . '/page';

-

- $createUrl = $baseUrl . '/create';

- $createUrlChapter = $ownChapter->getUrl() . '/create-page';

+ $createUrl = $ownBook->getUrl('/create-page');

+ $createUrlChapter = $ownChapter->getUrl('/create-page');

$accessUrls = [$createUrl, $createUrlChapter];

foreach ($accessUrls as $url) {

$accessUrls = [$createUrl, $createUrlChapter];

foreach ($accessUrls as $url) {

- $this->actingAs($this->user)->visit('/')->visit($url)

- ->seePageIs('/');

+ $this->actingAs($this->user)->get($url)->assertRedirect('/');

}

$this->checkAccessPermission('page-create-own', [], [

}

$this->checkAccessPermission('page-create-own', [], [

- $ownBook->getUrl() => 'New Page',

- $ownChapter->getUrl() => 'New Page'

+ $ownBook->getUrl() => 'New Page',

+ $ownChapter->getUrl() => 'New Page',

]);

$this->giveUserPermissions($this->user, ['page-create-own']);

foreach ($accessUrls as $index => $url) {

]);

$this->giveUserPermissions($this->user, ['page-create-own']);

foreach ($accessUrls as $index => $url) {

- $this->actingAs($this->user)->visit('/')->visit($url);

- $expectedUrl = \BookStack\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

- $this->seePageIs($expectedUrl);

+ $resp = $this->actingAs($this->user)->get($url);

+ $expectedUrl = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

+ $resp->assertRedirect($expectedUrl);

}

- $this->visit($baseUrl . '/create')

- ->type('test page', 'name')

- ->type('page desc', 'html')

- ->press('Save Page')

- ->seePageIs($baseUrl . '/test-page');

+ $this->get($createUrl);

+ /** @var Page $draft */

+ $draft = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first();

+ $this->post($draft->getUrl(), [

+ 'name' => 'test page',

+ 'html' => 'page desc',

+ ])->assertRedirect($ownBook->getUrl('/page/test-page'));

+

+ $this->get($book->getUrl())->assertElementNotContains('.action-buttons', 'New Page');

+ $this->get($book->getUrl('/create-page'))->assertRedirect('/');

- $this->visit($book->getUrl())

- ->dontSeeInElement('.action-buttons', 'New Page')

- ->visit($book->getUrl() . '/page/create')

- ->seePageIs('/');

- $this->visit($chapter->getUrl())

- ->dontSeeInElement('.action-buttons', 'New Page')

- ->visit($chapter->getUrl() . '/create-page')

- ->seePageIs('/');

+ $this->get($chapter->getUrl())->assertElementNotContains('.action-buttons', 'New Page');

+ $this->get($chapter->getUrl('/create-page'))->assertRedirect('/');

}

public function test_page_create_all_permissions()

{

}

public function test_page_create_all_permissions()

{

- $book = \BookStack\Book::take(1)->get()->first();

- $chapter = \BookStack\Chapter::take(1)->get()->first();

- $baseUrl = $book->getUrl() . '/page';

- $createUrl = $baseUrl . '/create';

+ /** @var Book $book */

+ $book = Book::query()->first();

+ /** @var Chapter $chapter */

+ $chapter = Chapter::query()->first();

+ $createUrl = $book->getUrl('/create-page');

- $createUrlChapter = $chapter->getUrl() . '/create-page';

+ $createUrlChapter = $chapter->getUrl('/create-page');

$accessUrls = [$createUrl, $createUrlChapter];

foreach ($accessUrls as $url) {

$accessUrls = [$createUrl, $createUrlChapter];

foreach ($accessUrls as $url) {

- $this->actingAs($this->user)->visit('/')->visit($url)

- ->seePageIs('/');

+ $this->actingAs($this->user)->get($url)->assertRedirect('/');

}

$this->checkAccessPermission('page-create-all', [], [

}

$this->checkAccessPermission('page-create-all', [], [

- $book->getUrl() => 'New Page',

- $chapter->getUrl() => 'New Page'

+ $book->getUrl() => 'New Page',

+ $chapter->getUrl() => 'New Page',

]);

$this->giveUserPermissions($this->user, ['page-create-all']);

foreach ($accessUrls as $index => $url) {

]);

$this->giveUserPermissions($this->user, ['page-create-all']);

foreach ($accessUrls as $index => $url) {

- $this->actingAs($this->user)->visit('/')->visit($url);

- $expectedUrl = \BookStack\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

- $this->seePageIs($expectedUrl);

+ $resp = $this->actingAs($this->user)->get($url);

+ $expectedUrl = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

+ $resp->assertRedirect($expectedUrl);

}

- $this->visit($baseUrl . '/create')

- ->type('test page', 'name')

- ->type('page desc', 'html')

- ->press('Save Page')

- ->seePageIs($baseUrl . '/test-page');

-

- $this->visit($chapter->getUrl() . '/create-page')

- ->type('new test page', 'name')

- ->type('page desc', 'html')

- ->press('Save Page')

- ->seePageIs($baseUrl . '/new-test-page');

+ $this->get($createUrl);

+ /** @var Page $draft */

+ $draft = Page::query()->where('draft', '=', true)->orderByDesc('id')->first();

+ $this->post($draft->getUrl(), [

+ 'name' => 'test page',

+ 'html' => 'page desc',

+ ])->assertRedirect($book->getUrl('/page/test-page'));

+

+ $this->get($chapter->getUrl('/create-page'));

+ /** @var Page $draft */

+ $draft = Page::query()->where('draft', '=', true)->orderByDesc('id')->first();

+ $this->post($draft->getUrl(), [

+ 'name' => 'new test page',

+ 'html' => 'page desc',

+ ])->assertRedirect($book->getUrl('/page/new-test-page'));

}

public function test_page_edit_own_permission()

{

}

public function test_page_edit_own_permission()

{

- $otherPage = \BookStack\Page::take(1)->get()->first();

+ /** @var Page $otherPage */

+ $otherPage = Page::query()->first();

$ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

$this->checkAccessPermission('page-update-own', [

$ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

$this->checkAccessPermission('page-update-own', [

- $ownPage->getUrl() . '/edit'

+ $ownPage->getUrl() . '/edit',

], [

- $ownPage->getUrl() => 'Edit'

+ $ownPage->getUrl() => 'Edit',

]);

- $this->visit($otherPage->getUrl())

- ->dontSeeInElement('.action-buttons', 'Edit')

- ->visit($otherPage->getUrl() . '/edit')

- ->seePageIs('/');

+ $this->get($otherPage->getUrl())->assertElementNotContains('.action-buttons', 'Edit');

+ $this->get($otherPage->getUrl() . '/edit')->assertRedirect('/');

}

public function test_page_edit_all_permission()

{

}

public function test_page_edit_all_permission()

{

- $otherPage = \BookStack\Page::take(1)->get()->first();

+ /** @var Page $otherPage */

+ $otherPage = Page::query()->first();

$this->checkAccessPermission('page-update-all', [

- $otherPage->getUrl() . '/edit'

+ $otherPage->getUrl('/edit'),

], [

- $otherPage->getUrl() => 'Edit'

+ $otherPage->getUrl() => 'Edit',

]);

}

public function test_page_delete_own_permission()

{

$this->giveUserPermissions($this->user, ['page-update-all']);

]);

}

public function test_page_delete_own_permission()

{

$this->giveUserPermissions($this->user, ['page-update-all']);

- $otherPage = \BookStack\Page::take(1)->get()->first();

+ /** @var Page $otherPage */

+ $otherPage = Page::query()->first();

$ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

$this->checkAccessPermission('page-delete-own', [

$ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

$this->checkAccessPermission('page-delete-own', [

- $ownPage->getUrl() . '/delete'

+ $ownPage->getUrl() . '/delete',

], [

- $ownPage->getUrl() => 'Delete'

+ $ownPage->getUrl() => 'Delete',

]);

- $bookUrl = $ownPage->book->getUrl();

- $this->visit($otherPage->getUrl())

- ->dontSeeInElement('.action-buttons', 'Delete')

- ->visit($otherPage->getUrl() . '/delete')

- ->seePageIs('/');

- $this->visit($ownPage->getUrl())->visit($ownPage->getUrl() . '/delete')

- ->press('Confirm')

- ->seePageIs($bookUrl)

- ->dontSeeInElement('.book-content', $ownPage->name);

+ $parent = $ownPage->chapter ?? $ownPage->book;

+ $this->get($otherPage->getUrl())->assertElementNotContains('.action-buttons', 'Delete');

+ $this->get($otherPage->getUrl('/delete'))->assertRedirect('/');

+ $this->get($ownPage->getUrl());

+ $this->delete($ownPage->getUrl())->assertRedirect($parent->getUrl());

+ $this->get($parent->getUrl())->assertElementNotContains('.book-content', $ownPage->name);

}

public function test_page_delete_all_permission()

{

$this->giveUserPermissions($this->user, ['page-update-all']);

}

public function test_page_delete_all_permission()

{

$this->giveUserPermissions($this->user, ['page-update-all']);

- $otherPage = \BookStack\Page::take(1)->get()->first();

+ /** @var Page $otherPage */

+ $otherPage = Page::query()->first();

+

$this->checkAccessPermission('page-delete-all', [

- $otherPage->getUrl() . '/delete'

+ $otherPage->getUrl() . '/delete',

], [

- $otherPage->getUrl() => 'Delete'

+ $otherPage->getUrl() => 'Delete',

+ ]);

+

+ /** @var Entity $parent */

+ $parent = $otherPage->chapter ?? $otherPage->book;

+ $this->get($otherPage->getUrl());

+

+ $this->delete($otherPage->getUrl())->assertRedirect($parent->getUrl());

+ $this->get($parent->getUrl())->assertDontSee($otherPage->name);

+ }

+

+ public function test_public_role_visible_in_user_edit_screen()

+ {

+ /** @var User $user */

+ $user = User::query()->first();

+ $adminRole = Role::getSystemRole('admin');

+ $publicRole = Role::getSystemRole('public');

+ $this->asAdmin()->get('/settings/users/' . $user->id)

+ ->assertElementExists('[name="roles[' . $adminRole->id . ']"]')

+ ->assertElementExists('[name="roles[' . $publicRole->id . ']"]');

+ }

+

+ public function test_public_role_visible_in_role_listing()

+ {

+ $this->asAdmin()->get('/settings/roles')

+ ->assertSee('Admin')

+ ->assertSee('Public');

+ }

+

+ public function test_public_role_visible_in_default_role_setting()

+ {

+ $this->asAdmin()->get('/settings')

+ ->assertElementExists('[data-system-role-name="admin"]')

+ ->assertElementExists('[data-system-role-name="public"]');

+ }

+

+ public function test_public_role_not_deletable()

+ {

+ /** @var Role $publicRole */

+ $publicRole = Role::getSystemRole('public');

+ $resp = $this->asAdmin()->delete('/settings/roles/delete/' . $publicRole->id);

+ $resp->assertRedirect('/');

+

+ $this->get('/settings/roles/delete/' . $publicRole->id);

+ $resp = $this->delete('/settings/roles/delete/' . $publicRole->id);

+ $resp->assertRedirect('/settings/roles/delete/' . $publicRole->id);

+ $resp = $this->get('/settings/roles/delete/' . $publicRole->id);

+ $resp->assertSee('This role is a system role and cannot be deleted');

+ }

+

+ public function test_image_delete_own_permission()

+ {

+ $this->giveUserPermissions($this->user, ['image-update-all']);

+ /** @var Page $page */

+ $page = Page::query()->first();

+ $image = factory(Image::class)->create([

+ 'uploaded_to' => $page->id,

+ 'created_by' => $this->user->id,

+ 'updated_by' => $this->user->id,

]);

- $bookUrl = $otherPage->book->getUrl();

- $this->visit($otherPage->getUrl())->visit($otherPage->getUrl() . '/delete')

- ->press('Confirm')

- ->seePageIs($bookUrl)

- ->dontSeeInElement('.book-content', $otherPage->name);

+ $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertStatus(403);

+

+ $this->giveUserPermissions($this->user, ['image-delete-own']);

+

+ $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertOk();

+ $this->assertDatabaseMissing('images', ['id' => $image->id]);

+ }

+

+ public function test_image_delete_all_permission()

+ {

+ $this->giveUserPermissions($this->user, ['image-update-all']);

+ $admin = $this->getAdmin();

+ /** @var Page $page */

+ $page = Page::query()->first();

+ $image = factory(Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);

+

+ $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertStatus(403);

+

+ $this->giveUserPermissions($this->user, ['image-delete-own']);

+

+ $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertStatus(403);

+

+ $this->giveUserPermissions($this->user, ['image-delete-all']);

+

+ $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertOk();

+ $this->assertDatabaseMissing('images', ['id' => $image->id]);

+ }

+

+ public function test_role_permission_removal()

+ {

+ // To cover issue fixed in f99c8ff99aee9beb8c692f36d4b84dc6e651e50a.

+ /** @var Page $page */

+ $page = Page::query()->first();

+ $viewerRole = Role::getRole('viewer');

+ $viewer = $this->getViewer();

+ $this->actingAs($viewer)->get($page->getUrl())->assertOk();

+

+ $this->asAdmin()->put('/settings/roles/' . $viewerRole->id, [

+ 'display_name' => $viewerRole->display_name,

+ 'description' => $viewerRole->description,

+ 'permission' => [],

+ ])->assertStatus(302);

+

+ $this->actingAs($viewer)->get($page->getUrl())->assertStatus(404);

}

+ public function test_empty_state_actions_not_visible_without_permission()

+ {

+ $admin = $this->getAdmin();

+ // Book links

+ $book = factory(Book::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id]);

+ $this->regenEntityPermissions($book);

+ $this->actingAs($this->getViewer())->get($book->getUrl())

+ ->assertDontSee('Create a new page')

+ ->assertDontSee('Add a chapter');

+

+ // Chapter links

+ $chapter = factory(Chapter::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id, 'book_id' => $book->id]);

+ $this->regenEntityPermissions($chapter);

+ $this->actingAs($this->getViewer())->get($chapter->getUrl())

+ ->assertDontSee('Create a new page')

+ ->assertDontSee('Sort the current book');

+ }

+

+ public function test_comment_create_permission()

+ {

+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

+

+ $this->actingAs($this->user)

+ ->addComment($ownPage)

+ ->assertStatus(403);

+

+ $this->giveUserPermissions($this->user, ['comment-create-all']);

+

+ $this->actingAs($this->user)

+ ->addComment($ownPage)

+ ->assertOk();

+ }

+

+ public function test_comment_update_own_permission()

+ {

+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

+ $this->giveUserPermissions($this->user, ['comment-create-all']);

+ $this->actingAs($this->user)->addComment($ownPage);

+ /** @var Comment $comment */

+ $comment = $ownPage->comments()->latest()->first();

+

+ // no comment-update-own

+ $this->actingAs($this->user)->updateComment($comment)->assertStatus(403);

+

+ $this->giveUserPermissions($this->user, ['comment-update-own']);

+

+ // now has comment-update-own

+ $this->actingAs($this->user)->updateComment($comment)->assertOk();

+ }

+

+ public function test_comment_update_all_permission()

+ {

+ /** @var Page $ownPage */

+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

+ $this->asAdmin()->addComment($ownPage);

+ /** @var Comment $comment */

+ $comment = $ownPage->comments()->latest()->first();

+

+ // no comment-update-all

+ $this->actingAs($this->user)->updateComment($comment)->assertStatus(403);

+

+ $this->giveUserPermissions($this->user, ['comment-update-all']);

+

+ // now has comment-update-all

+ $this->actingAs($this->user)->updateComment($comment)->assertOk();

+ }

+

+ public function test_comment_delete_own_permission()

+ {

+ /** @var Page $ownPage */

+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

+ $this->giveUserPermissions($this->user, ['comment-create-all']);

+ $this->actingAs($this->user)->addComment($ownPage);

+

+ /** @var Comment $comment */

+ $comment = $ownPage->comments()->latest()->first();

+

+ // no comment-delete-own

+ $this->actingAs($this->user)->deleteComment($comment)->assertStatus(403);

+

+ $this->giveUserPermissions($this->user, ['comment-delete-own']);

+

+ // now has comment-update-own

+ $this->actingAs($this->user)->deleteComment($comment)->assertOk();

+ }

+

+ public function test_comment_delete_all_permission()

+ {

+ /** @var Page $ownPage */

+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

+ $this->asAdmin()->addComment($ownPage);

+ /** @var Comment $comment */

+ $comment = $ownPage->comments()->latest()->first();

+

+ // no comment-delete-all

+ $this->actingAs($this->user)->deleteComment($comment)->assertStatus(403);

+

+ $this->giveUserPermissions($this->user, ['comment-delete-all']);

+

+ // now has comment-delete-all

+ $this->actingAs($this->user)->deleteComment($comment)->assertOk();

+ }

+

+ private function addComment(Page $page): TestResponse

+ {

+ $comment = factory(Comment::class)->make();

+

+ return $this->postJson("/comment/$page->id", $comment->only('text', 'html'));

+ }

+

+ private function updateComment(Comment $comment): TestResponse

+ {

+ $commentData = factory(Comment::class)->make();

+

+ return $this->putJson("/comment/{$comment->id}", $commentData->only('text', 'html'));

+ }

+

+ private function deleteComment(Comment $comment): TestResponse

+ {

+ return $this->json('DELETE', '/comment/' . $comment->id);

+ }

}