Fixed OIDC Logout

[bookstack] / app / Entities / Tools / BookContents.php

diff --git a/app/Entities/Tools/BookContents.php b/app/Entities/Tools/BookContents.php
index bdbc4262d21f9fefdab4b9fafa6ba743046bacc5..f45bdfcc1b98fabcdb2d4dc774c30752a7582ef1 100644 (file)
--- a/app/Entities/Tools/BookContents.php
+++ b/app/Entities/Tools/BookContents.php
@@ -11,22 +11,15 @@ use Illuminate\Support\Collection;
 
 class BookContents
 {
-    /**
-     * @var Book
-     */
-    protected $book;
+    protected Book $book;
 
-    /**
-     * BookContents constructor.
-     */
     public function __construct(Book $book)
     {
         $this->book = $book;
     }
 
     /**
-     * Get the current priority of the last item
-     * at the top-level of the book.
+     * Get the current priority of the last item at the top-level of the book.
      */
     public function getLastPriority(): int
     {
@@ -119,9 +112,10 @@ class BookContents
         // Sort our changes from our map to be chapters first
         // Since they need to be process to ensure book alignment for child page changes.
         $sortMapItems = $sortMap->all();
-        usort($sortMapItems, function(BookSortMapItem $itemA, BookSortMapItem $itemB) {
+        usort($sortMapItems, function (BookSortMapItem $itemA, BookSortMapItem $itemB) {
             $aScore = $itemA->type === 'page' ? 2 : 1;
             $bScore = $itemB->type === 'page' ? 2 : 1;
+
             return $aScore - $bScore;
         });
 
@@ -167,14 +161,14 @@ class BookContents
             return;
         }
 
-        $currentParentKey =  'book:' . $model->book_id;
+        $currentParentKey = 'book:' . $model->book_id;
         if ($model instanceof Page && $model->chapter_id) {
-             $currentParentKey = 'chapter:' . $model->chapter_id;
+            $currentParentKey = 'chapter:' . $model->chapter_id;
         }
 
         $currentParent = $modelMap[$currentParentKey] ?? null;
         /** @var Book $newBook */
-        $newBook = $modelMap['book:' . $sortMapItem->parentBookId];
+        $newBook = $modelMap['book:' . $sortMapItem->parentBookId] ?? null;
         /** @var ?Chapter $newChapter */
         $newChapter = $sortMapItem->parentChapterId ? ($modelMap['chapter:' . $sortMapItem->parentChapterId] ?? null) : null;
 
@@ -187,7 +181,7 @@ class BookContents
             $model->changeBook($newBook->id);
         }
 
-        if ($chapterChanged) {
+        if ($model instanceof Page && $chapterChanged) {
             $model->chapter_id = $newChapter->id ?? 0;
         }
 
@@ -202,19 +196,27 @@ class BookContents
 
     /**
      * Check if the current user has permissions to apply the given sorting change.
+     * Is quite complex since items can gain a different parent change. Acts as a:
+     * - Update of old parent element (Change of content/order).
+     * - Update of sorted/moved element.
+     * - Deletion of element (Relative to parent upon move).
+     * - Creation of element within parent (Upon move to new parent).
      */
-    protected function isSortChangePermissible(BookSortMapItem $sortMapItem, Entity $model, ?Entity $currentParent, ?Entity $newBook, ?Entity $newChapter): bool
+    protected function isSortChangePermissible(BookSortMapItem $sortMapItem, BookChild $model, ?Entity $currentParent, ?Entity $newBook, ?Entity $newChapter): bool
     {
-        // TODO - Move operations check for create permissions, Needs these also/instead?
-
         // Stop if we can't see the current parent or new book.
         if (!$currentParent || !$newBook) {
             return false;
         }
 
+        $hasNewParent = $newBook->id !== $model->book_id || ($model instanceof Page && $model->chapter_id !== ($sortMapItem->parentChapterId ?? 0));
         if ($model instanceof Chapter) {
             $hasPermission = userCan('book-update', $currentParent)
-                && userCan('book-update', $newBook);
+                && userCan('book-update', $newBook)
+                && userCan('chapter-update', $model)
+                && (!$hasNewParent || userCan('chapter-create', $newBook))
+                && (!$hasNewParent || userCan('chapter-delete', $model));
+
             if (!$hasPermission) {
                 return false;
             }
@@ -232,11 +234,21 @@ class BookContents
                 return false;
             }
 
-            $newParentInRightLocation = ($newParent instanceof Book || $newParent->book_id === $newBook->id);
+            $hasPageEditPermission = userCan('page-update', $model);
+            $newParentInRightLocation = ($newParent instanceof Book || ($newParent instanceof Chapter && $newParent->book_id === $newBook->id));
             $newParentPermission = ($newParent instanceof Chapter) ? 'chapter-update' : 'book-update';
             $hasNewParentPermission = userCan($newParentPermission, $newParent);
 
-            $hasPermission = $hasCurrentParentPermission && $newParentInRightLocation && $hasNewParentPermission;
+            $hasDeletePermissionIfMoving = (!$hasNewParent || userCan('page-delete', $model));
+            $hasCreatePermissionIfMoving = (!$hasNewParent || userCan('page-create', $newParent));
+
+            $hasPermission = $hasCurrentParentPermission
+                && $newParentInRightLocation
+                && $hasNewParentPermission
+                && $hasPageEditPermission
+                && $hasDeletePermissionIfMoving
+                && $hasCreatePermissionIfMoving;
+
             if (!$hasPermission) {
                 return false;
             }
@@ -247,6 +259,7 @@ class BookContents
 
     /**
      * Load models from the database into the given sort map.
+     *
      * @return array<string, Entity>
      */
     protected function loadModelsFromSortMap(BookSortMap $sortMap): array
@@ -254,8 +267,8 @@ class BookContents
         $modelMap = [];
         $ids = [
             'chapter' => [],
-            'page' => [],
-            'book' => [],
+            'page'    => [],
+            'book'    => [],
         ];
 
         foreach ($sortMap->all() as $sortMapItem) {