$page = Page::first();
$viewerRole = \BookStack\Role::getRole('viewer');
$viewer = $this->getViewer();
- $this->actingAs($viewer)->visit($page->getUrl())->assertResponseOk();
+ $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(200);
$this->asAdmin()->put('/settings/roles/' . $viewerRole->id, [
'display_name' => $viewerRole->display_name,
->dontSee('Sort the current book');
}
+ public function test_comment_create_permission () {
+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
+
+ $this->actingAs($this->user)->addComment($ownPage);
+
+ $this->assertResponseStatus(403);
+
+ $this->giveUserPermissions($this->user, ['comment-create-all']);
+
+ $this->actingAs($this->user)->addComment($ownPage);
+ $this->assertResponseStatus(200);
+ }
+
+
+ public function test_comment_update_own_permission () {
+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
+ $this->giveUserPermissions($this->user, ['comment-create-all']);
+ $commentId = $this->actingAs($this->user)->addComment($ownPage);
+
+ // no comment-update-own
+ $this->actingAs($this->user)->updateComment($commentId);
+ $this->assertResponseStatus(403);
+
+ $this->giveUserPermissions($this->user, ['comment-update-own']);
+
+ // now has comment-update-own
+ $this->actingAs($this->user)->updateComment($commentId);
+ $this->assertResponseStatus(200);
+ }
+
+ public function test_comment_update_all_permission () {
+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
+ $commentId = $this->asAdmin()->addComment($ownPage);
+
+ // no comment-update-all
+ $this->actingAs($this->user)->updateComment($commentId);
+ $this->assertResponseStatus(403);
+
+ $this->giveUserPermissions($this->user, ['comment-update-all']);
+
+ // now has comment-update-all
+ $this->actingAs($this->user)->updateComment($commentId);
+ $this->assertResponseStatus(200);
+ }
+
+ public function test_comment_delete_own_permission () {
+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
+ $this->giveUserPermissions($this->user, ['comment-create-all']);
+ $commentId = $this->actingAs($this->user)->addComment($ownPage);
+
+ // no comment-delete-own
+ $this->actingAs($this->user)->deleteComment($commentId);
+ $this->assertResponseStatus(403);
+
+ $this->giveUserPermissions($this->user, ['comment-delete-own']);
+
+ // now has comment-update-own
+ $this->actingAs($this->user)->deleteComment($commentId);
+ $this->assertResponseStatus(200);
+ }
+
+ public function test_comment_delete_all_permission () {
+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
+ $commentId = $this->asAdmin()->addComment($ownPage);
+
+ // no comment-delete-all
+ $this->actingAs($this->user)->deleteComment($commentId);
+ $this->assertResponseStatus(403);
+
+ $this->giveUserPermissions($this->user, ['comment-delete-all']);
+
+ // now has comment-delete-all
+ $this->actingAs($this->user)->deleteComment($commentId);
+ $this->assertResponseStatus(200);
+ }
+
+ private function addComment($page) {
+ $comment = factory(\BookStack\Comment::class)->make();
+ $url = "/ajax/page/$page->id/comment";
+ $request = [
+ 'text' => $comment->text,
+ 'html' => $comment->html
+ ];
+
+ $this->postJson($url, $request);
+ $comment = $page->comments()->first();
+ return $comment === null ? null : $comment->id;
+ }
+
+ private function updateComment($commentId) {
+ $comment = factory(\BookStack\Comment::class)->make();
+ $url = "/ajax/comment/$commentId";
+ $request = [
+ 'text' => $comment->text,
+ 'html' => $comment->html
+ ];
+
+ return $this->putJson($url, $request);
+ }
+
+ private function deleteComment($commentId) {
+ $url = '/ajax/comment/' . $commentId;
+ return $this->json('DELETE', $url);
+ }
+
}
projects / bookstack / blobdiff