Added additional testing for editor switching permissions

[bookstack] / app / Uploads / Attachment.php

diff --git a/app/Uploads/Attachment.php b/app/Uploads/Attachment.php
index d1060477d085d3cda5c23b7363c5d54067de7b3d..5e637246a66b25b04f6256b92f7b8e1fca37778f 100644 (file)
--- a/app/Uploads/Attachment.php
+++ b/app/Uploads/Attachment.php
@@ -1,24 +1,42 @@
-<?php namespace BookStack\Uploads;
+<?php
 
+namespace BookStack\Uploads;
+
+use BookStack\Auth\Permissions\PermissionService;
+use BookStack\Auth\User;
+use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Models\Page;
 use BookStack\Model;
 use BookStack\Traits\HasCreatorAndUpdater;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
 
 /**
- * @property int id
- * @property string name
- * @property string path
- * @property string extension
- * @property bool external
+ * @property int    $id
+ * @property string $name
+ * @property string $path
+ * @property string $extension
+ * @property ?Page  $page
+ * @property bool   $external
+ * @property int    $uploaded_to
+ * @property User   $updatedBy
+ * @property User   $createdBy
+ *
+ * @method static Entity|Builder visible()
  */
 class Attachment extends Model
 {
     use HasCreatorAndUpdater;
 
     protected $fillable = ['name', 'order'];
+    protected $hidden = ['path', 'page'];
+    protected $casts = [
+        'external' => 'bool',
+    ];
 
     /**
      * Get the downloadable file name for this upload.
+     *
      * @return mixed|string
      */
     public function getFileName()
@@ -26,14 +44,14 @@ class Attachment extends Model
         if (strpos($this->name, '.') !== false) {
             return $this->name;
         }
+
         return $this->name . '.' . $this->extension;
     }
 
     /**
      * Get the page this file was uploaded to.
-     * @return \Illuminate\Database\Eloquent\Relations\BelongsTo
      */
-    public function page()
+    public function page(): BelongsTo
     {
         return $this->belongsTo(Page::class, 'uploaded_to');
     }
@@ -41,12 +59,13 @@ class Attachment extends Model
     /**
      * Get the url of this file.
      */
-    public function getUrl(): string
+    public function getUrl($openInline = false): string
     {
         if ($this->external && strpos($this->path, 'http') !== 0) {
             return $this->path;
         }
-        return url('/attachments/' . $this->id);
+
+        return url('/attachments/' . $this->id . ($openInline ? '?open=true' : ''));
     }
 
     /**
@@ -54,7 +73,7 @@ class Attachment extends Model
      */
     public function htmlLink(): string
     {
-        return '<a target="_blank" href="'.e($this->getUrl()).'">'.e($this->name).'</a>';
+        return '<a target="_blank" href="' . e($this->getUrl()) . '">' . e($this->name) . '</a>';
     }
 
     /**
@@ -62,6 +81,21 @@ class Attachment extends Model
      */
     public function markdownLink(): string
     {
-        return '['. $this->name .']('. $this->getUrl() .')';
+        return '[' . $this->name . '](' . $this->getUrl() . ')';
+    }
+
+    /**
+     * Scope the query to those attachments that are visible based upon related page permissions.
+     */
+    public function scopeVisible(): Builder
+    {
+        $permissionService = app()->make(PermissionService::class);
+
+        return $permissionService->filterRelatedEntity(
+            Page::class,
+            self::query(),
+            'attachments',
+            'uploaded_to'
+        );
     }
 }