BookStack Code Mirror - bookstack/blobdiff - tests/Permissions/RolesTest.php

-<?php

+<?php namespace Tests;

-class RolesTest extends TestCase

+use BookStack\Page;

+use BookStack\Repos\PermissionsRepo;

+use BookStack\Role;

+use Laravel\BrowserKitTesting\HttpException;

+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

+

+class RolesTest extends BrowserKitTest

{

protected $user;

public function setUp()

{

parent::setUp();

{

protected $user;

public function setUp()

{

parent::setUp();

- $this->user = $this->getNewBlankUser();

+ $this->user = $this->getViewer();

+ }

+

+ protected function getViewer()

+ {

+ $role = \BookStack\Role::getRole('viewer');

+ $viewer = $this->getNewBlankUser();

+ $viewer->attachRole($role);;

+ return $viewer;

}

/**

}

/**

* Create a new basic role for testing purposes.

* @param array $permissions

/**

* Create a new basic role for testing purposes.

* @param array $permissions

- * @return static

+ * @return Role

*/

protected function createNewRole($permissions = [])

{

*/

protected function createNewRole($permissions = [])

{

- $permissionRepo = app('BookStack\Repos\PermissionsRepo');

+ $permissionRepo = app(PermissionsRepo::class);

$roleData = factory(\BookStack\Role::class)->make()->toArray();

$roleData['permissions'] = array_flip($permissions);

return $permissionRepo->saveNewRole($roleData);

$roleData = factory(\BookStack\Role::class)->make()->toArray();

$roleData['permissions'] = array_flip($permissions);

return $permissionRepo->saveNewRole($roleData);

$this->asAdmin()->visit('/settings')

->click('Roles')

->seePageIs('/settings/roles')

$this->asAdmin()->visit('/settings')

->click('Roles')

->seePageIs('/settings/roles')

- ->click('Add new role')

+ ->click('Create New Role')

->type('Test Role', 'display_name')

->type('A little test description', 'description')

->press('Save Role')

->type('Test Role', 'display_name')

->type('A little test description', 'description')

->press('Save Role')

public function test_manage_user_permission()

{

public function test_manage_user_permission()

{

- $this->actingAs($this->user)->visit('/')->visit('/settings/users')

+ $this->actingAs($this->user)->visit('/settings/users')

->seePageIs('/');

$this->giveUserPermissions($this->user, ['users-manage']);

->seePageIs('/');

$this->giveUserPermissions($this->user, ['users-manage']);

- $this->actingAs($this->user)->visit('/')->visit('/settings/users')

+ $this->actingAs($this->user)->visit('/settings/users')

->seePageIs('/settings/users');

}

public function test_user_roles_manage_permission()

{

->seePageIs('/settings/users');

}

public function test_user_roles_manage_permission()

{

- $this->actingAs($this->user)->visit('/')->visit('/settings/roles')

+ $this->actingAs($this->user)->visit('/settings/roles')

->seePageIs('/')->visit('/settings/roles/1')->seePageIs('/');

$this->giveUserPermissions($this->user, ['user-roles-manage']);

$this->actingAs($this->user)->visit('/settings/roles')

->seePageIs('/')->visit('/settings/roles/1')->seePageIs('/');

$this->giveUserPermissions($this->user, ['user-roles-manage']);

$this->actingAs($this->user)->visit('/settings/roles')

public function test_settings_manage_permission()

{

public function test_settings_manage_permission()

{

- $this->actingAs($this->user)->visit('/')->visit('/settings')

+ $this->actingAs($this->user)->visit('/settings')

->seePageIs('/');

$this->giveUserPermissions($this->user, ['settings-manage']);

->seePageIs('/');

$this->giveUserPermissions($this->user, ['settings-manage']);

- $this->actingAs($this->user)->visit('/')->visit('/settings')

+ $this->actingAs($this->user)->visit('/settings')

->seePageIs('/settings')->press('Save Settings')->see('Settings Saved');

}

->seePageIs('/settings')->press('Save Settings')->see('Settings Saved');

}

{

$page = \BookStack\Page::take(1)->get()->first();

$this->actingAs($this->user)->visit($page->getUrl())

{

$page = \BookStack\Page::take(1)->get()->first();

$this->actingAs($this->user)->visit($page->getUrl())

- ->dontSee('Restrict')

- ->visit($page->getUrl() . '/restrict')

+ ->dontSee('Permissions')

+ ->visit($page->getUrl() . '/permissions')

->seePageIs('/');

$this->giveUserPermissions($this->user, ['restrictions-manage-all']);

$this->actingAs($this->user)->visit($page->getUrl())

->seePageIs('/');

$this->giveUserPermissions($this->user, ['restrictions-manage-all']);

$this->actingAs($this->user)->visit($page->getUrl())

- ->see('Restrict')

- ->click('Restrict')

- ->see('Page Restrictions')->seePageIs($page->getUrl() . '/restrict');

+ ->see('Permissions')

+ ->click('Permissions')

+ ->see('Page Permissions')->seePageIs($page->getUrl() . '/permissions');

}

public function test_restrictions_manage_own_permission()

{

}

public function test_restrictions_manage_own_permission()

{

- $otherUsersPage = \BookStack\Page::take(1)->get()->first();

+ $otherUsersPage = \BookStack\Page::first();

$content = $this->createEntityChainBelongingToUser($this->user);

// Check can't restrict other's content

$this->actingAs($this->user)->visit($otherUsersPage->getUrl())

$content = $this->createEntityChainBelongingToUser($this->user);

// Check can't restrict other's content

$this->actingAs($this->user)->visit($otherUsersPage->getUrl())

- ->dontSee('Restrict')

- ->visit($otherUsersPage->getUrl() . '/restrict')

+ ->dontSee('Permissions')

+ ->visit($otherUsersPage->getUrl() . '/permissions')

->seePageIs('/');

// Check can't restrict own content

$this->actingAs($this->user)->visit($content['page']->getUrl())

->seePageIs('/');

// Check can't restrict own content

$this->actingAs($this->user)->visit($content['page']->getUrl())

- ->dontSee('Restrict')

- ->visit($content['page']->getUrl() . '/restrict')

+ ->dontSee('Permissions')

+ ->visit($content['page']->getUrl() . '/permissions')

->seePageIs('/');

$this->giveUserPermissions($this->user, ['restrictions-manage-own']);

// Check can't restrict other's content

$this->actingAs($this->user)->visit($otherUsersPage->getUrl())

->seePageIs('/');

$this->giveUserPermissions($this->user, ['restrictions-manage-own']);

// Check can't restrict other's content

$this->actingAs($this->user)->visit($otherUsersPage->getUrl())

- ->dontSee('Restrict')

- ->visit($otherUsersPage->getUrl() . '/restrict')

+ ->dontSee('Permissions')

+ ->visit($otherUsersPage->getUrl() . '/permissions')

->seePageIs('/');

// Check can restrict own content

$this->actingAs($this->user)->visit($content['page']->getUrl())

->seePageIs('/');

// Check can restrict own content

$this->actingAs($this->user)->visit($content['page']->getUrl())

- ->see('Restrict')

- ->click('Restrict')

- ->seePageIs($content['page']->getUrl() . '/restrict');

+ ->see('Permissions')

+ ->click('Permissions')

+ ->seePageIs($content['page']->getUrl() . '/permissions');

}

/**

}

/**

* @param string $permission

* @param array $accessUrls Urls that are only accessible after having the permission

* @param array $visibles Check this text, In the buttons toolbar, is only visible with the permission

* @param string $permission

* @param array $accessUrls Urls that are only accessible after having the permission

* @param array $visibles Check this text, In the buttons toolbar, is only visible with the permission

- * @param null $callback

*/

private function checkAccessPermission($permission, $accessUrls = [], $visibles = [])

{

foreach ($accessUrls as $url) {

*/

private function checkAccessPermission($permission, $accessUrls = [], $visibles = [])

{

foreach ($accessUrls as $url) {

- $this->actingAs($this->user)->visit('/')->visit($url)

+ $this->actingAs($this->user)->visit($url)

->seePageIs('/');

}

foreach ($visibles as $url => $text) {

->seePageIs('/');

}

foreach ($visibles as $url => $text) {

- $this->actingAs($this->user)->visit('/')->visit($url)

+ $this->actingAs($this->user)->visit($url)

->dontSeeInElement('.action-buttons',$text);

}

$this->giveUserPermissions($this->user, [$permission]);

foreach ($accessUrls as $url) {

->dontSeeInElement('.action-buttons',$text);

}

$this->giveUserPermissions($this->user, [$permission]);

foreach ($accessUrls as $url) {

- $this->actingAs($this->user)->visit('/')->visit($url)

+ $this->actingAs($this->user)->visit($url)

->seePageIs($url);

}

foreach ($visibles as $url => $text) {

->seePageIs($url);

}

foreach ($visibles as $url => $text) {

- $this->actingAs($this->user)->visit('/')->visit($url)

+ $this->actingAs($this->user)->visit($url)

->see($text);

}

->see($text);

}

$this->checkAccessPermission('book-create-all', [

'/books/create'

], [

$this->checkAccessPermission('book-create-all', [

'/books/create'

], [

- '/books' => 'Add new book'

+ '/books' => 'Create New Book'

]);

$this->visit('/books/create')

]);

$this->visit('/books/create')

public function test_page_create_own_permissions()

{

public function test_page_create_own_permissions()

{

- $book = \BookStack\Book::take(1)->get()->first();

- $chapter = \BookStack\Chapter::take(1)->get()->first();

+ $book = \BookStack\Book::first();

+ $chapter = \BookStack\Chapter::first();

$entities = $this->createEntityChainBelongingToUser($this->user);

$ownBook = $entities['book'];

$entities = $this->createEntityChainBelongingToUser($this->user);

$ownBook = $entities['book'];

$baseUrl = $ownBook->getUrl() . '/page';

- $this->checkAccessPermission('page-create-own', [

- $baseUrl . '/create',

- $ownChapter->getUrl() . '/create-page'

- ], [

+ $createUrl = $baseUrl . '/create';

+ $createUrlChapter = $ownChapter->getUrl() . '/create-page';

+ $accessUrls = [$createUrl, $createUrlChapter];

+

+ foreach ($accessUrls as $url) {

+ $this->actingAs($this->user)->visit($url)

+ ->seePageIs('/');

+ }

+

+ $this->checkAccessPermission('page-create-own', [], [

$ownBook->getUrl() => 'New Page',

$ownChapter->getUrl() => 'New Page'

]);

$ownBook->getUrl() => 'New Page',

$ownChapter->getUrl() => 'New Page'

]);

+ $this->giveUserPermissions($this->user, ['page-create-own']);

+

+ foreach ($accessUrls as $index => $url) {

+ $this->actingAs($this->user)->visit($url);

+ $expectedUrl = \BookStack\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

+ $this->seePageIs($expectedUrl);

+ }

+

$this->visit($baseUrl . '/create')

->type('test page', 'name')

->type('page desc', 'html')

$this->visit($baseUrl . '/create')

->type('test page', 'name')

->type('page desc', 'html')

$book = \BookStack\Book::take(1)->get()->first();

$chapter = \BookStack\Chapter::take(1)->get()->first();

$baseUrl = $book->getUrl() . '/page';

$book = \BookStack\Book::take(1)->get()->first();

$chapter = \BookStack\Chapter::take(1)->get()->first();

$baseUrl = $book->getUrl() . '/page';

- $this->checkAccessPermission('page-create-all', [

- $baseUrl . '/create',

- $chapter->getUrl() . '/create-page'

- ], [

+ $createUrl = $baseUrl . '/create';

+

+ $createUrlChapter = $chapter->getUrl() . '/create-page';

+ $accessUrls = [$createUrl, $createUrlChapter];

+

+ foreach ($accessUrls as $url) {

+ $this->actingAs($this->user)->visit($url)

+ ->seePageIs('/');

+ }

+

+ $this->checkAccessPermission('page-create-all', [], [

$book->getUrl() => 'New Page',

$chapter->getUrl() => 'New Page'

]);

$book->getUrl() => 'New Page',

$chapter->getUrl() => 'New Page'

]);

+ $this->giveUserPermissions($this->user, ['page-create-all']);

+

+ foreach ($accessUrls as $index => $url) {

+ $this->actingAs($this->user)->visit($url);

+ $expectedUrl = \BookStack\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

+ $this->seePageIs($expectedUrl);

+ }

+

$this->visit($baseUrl . '/create')

->type('test page', 'name')

->type('page desc', 'html')

$this->visit($baseUrl . '/create')

->type('test page', 'name')

->type('page desc', 'html')

->dontSeeInElement('.book-content', $otherPage->name);

}

->dontSeeInElement('.book-content', $otherPage->name);

}

+ public function test_public_role_visible_in_user_edit_screen()

+ {

+ $user = \BookStack\User::first();

+ $this->asAdmin()->visit('/settings/users/' . $user->id)

+ ->seeElement('#roles-admin')

+ ->seeElement('#roles-public');

+ }

+

+ public function test_public_role_visible_in_role_listing()

+ {

+ $this->asAdmin()->visit('/settings/roles')

+ ->see('Admin')

+ ->see('Public');

+ }

+

+ public function test_public_role_visible_in_default_role_setting()

+ {

+ $this->asAdmin()->visit('/settings')

+ ->seeElement('[data-role-name="admin"]')

+ ->seeElement('[data-role-name="public"]');

+

+ }

+

+ public function test_public_role_not_deleteable()

+ {

+ $this->asAdmin()->visit('/settings/roles')

+ ->click('Public')

+ ->see('Edit Role')

+ ->click('Delete Role')

+ ->press('Confirm')

+ ->see('Delete Role')

+ ->see('Cannot be deleted');

+ }

+

+ public function test_image_delete_own_permission()

+ {

+ $this->giveUserPermissions($this->user, ['image-update-all']);

+ $page = \BookStack\Page::first();

+ $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $this->user->id, 'updated_by' => $this->user->id]);

+

+ $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

+ ->seeStatusCode(403);

+

+ $this->giveUserPermissions($this->user, ['image-delete-own']);

+

+ $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

+ ->seeStatusCode(200)

+ ->dontSeeInDatabase('images', ['id' => $image->id]);

+ }

+

+ public function test_image_delete_all_permission()

+ {

+ $this->giveUserPermissions($this->user, ['image-update-all']);

+ $admin = $this->getAdmin();

+ $page = \BookStack\Page::first();

+ $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);

+

+ $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

+ ->seeStatusCode(403);

+

+ $this->giveUserPermissions($this->user, ['image-delete-own']);

+

+ $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

+ ->seeStatusCode(403);

+

+ $this->giveUserPermissions($this->user, ['image-delete-all']);

+

+ $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

+ ->seeStatusCode(200)

+ ->dontSeeInDatabase('images', ['id' => $image->id]);

+ }

+

+ public function test_role_permission_removal()

+ {

+ // To cover issue fixed in f99c8ff99aee9beb8c692f36d4b84dc6e651e50a.

+ $page = Page::first();

+ $viewerRole = \BookStack\Role::getRole('viewer');

+ $viewer = $this->getViewer();

+ $this->actingAs($viewer)->visit($page->getUrl())->assertResponseOk();

+

+ $this->asAdmin()->put('/settings/roles/' . $viewerRole->id, [

+ 'display_name' => $viewerRole->display_name,

+ 'description' => $viewerRole->description,

+ 'permission' => []

+ ])->assertResponseStatus(302);

+

+ $this->expectException(HttpException::class);

+ $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(404);

+ }

+

+ public function test_empty_state_actions_not_visible_without_permission()

+ {

+ $admin = $this->getAdmin();

+ // Book links

+ $book = factory(\BookStack\Book::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id]);

+ $this->updateEntityPermissions($book);

+ $this->actingAs($this->getViewer())->visit($book->getUrl())

+ ->dontSee('Create a new page')

+ ->dontSee('Add a chapter');

+

+ // Chapter links

+ $chapter = factory(\BookStack\Chapter::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id, 'book_id' => $book->id]);

+ $this->updateEntityPermissions($chapter);

+ $this->actingAs($this->getViewer())->visit($chapter->getUrl())

+ ->dontSee('Create a new page')

+ ->dontSee('Sort the current book');

+ }

+

+ public function test_comment_create_permission () {

+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

+

+ $this->actingAs($this->user)->addComment($ownPage);

+

+ $this->assertResponseStatus(403);

+

+ $this->giveUserPermissions($this->user, ['comment-create-all']);

+

+ $this->actingAs($this->user)->addComment($ownPage);

+ $this->assertResponseOk(200)->seeJsonContains(['status' => 'success']);

+ }

+

+ public function test_comment_update_own_permission () {

+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

+ $this->giveUserPermissions($this->user, ['comment-create-all']);

+ $comment = $this->actingAs($this->user)->addComment($ownPage);

+

+ // no comment-update-own

+ $this->actingAs($this->user)->updateComment($ownPage, $comment['id']);

+ $this->assertResponseStatus(403);

+

+ $this->giveUserPermissions($this->user, ['comment-update-own']);

+

+ // now has comment-update-own

+ $this->actingAs($this->user)->updateComment($ownPage, $comment['id']);

+ $this->assertResponseOk()->seeJsonContains(['status' => 'success']);

+ }

+

+ public function test_comment_update_all_permission () {

+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

+ $comment = $this->asAdmin()->addComment($ownPage);

+

+ // no comment-update-all

+ $this->actingAs($this->user)->updateComment($ownPage, $comment['id']);

+ $this->assertResponseStatus(403);

+

+ $this->giveUserPermissions($this->user, ['comment-update-all']);

+

+ // now has comment-update-all

+ $this->actingAs($this->user)->updateComment($ownPage, $comment['id']);

+ $this->assertResponseOk()->seeJsonContains(['status' => 'success']);

+ }

+

+ public function test_comment_delete_own_permission () {

+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

+ $this->giveUserPermissions($this->user, ['comment-create-all']);

+ $comment = $this->actingAs($this->user)->addComment($ownPage);

+

+ // no comment-delete-own

+ $this->actingAs($this->user)->deleteComment($comment['id']);

+ $this->assertResponseStatus(403);

+

+ $this->giveUserPermissions($this->user, ['comment-delete-own']);

+

+ // now has comment-update-own

+ $this->actingAs($this->user)->deleteComment($comment['id']);

+ $this->assertResponseOk()->seeJsonContains(['status' => 'success']);

+ }

+

+ public function test_comment_delete_all_permission () {

+ $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

+ $comment = $this->asAdmin()->addComment($ownPage);

+

+ // no comment-delete-all

+ $this->actingAs($this->user)->deleteComment($comment['id']);

+ $this->assertResponseStatus(403);

+

+ $this->giveUserPermissions($this->user, ['comment-delete-all']);

+

+ // now has comment-delete-all

+ $this->actingAs($this->user)->deleteComment($comment['id']);

+ $this->assertResponseOk()->seeJsonContains(['status' => 'success']);

+ }

+

+ private function addComment($page) {

+ $comment = factory(\BookStack\Comment::class)->make();

+ $url = "/ajax/page/$page->id/comment/";

+ $request = [

+ 'text' => $comment->text,

+ 'html' => $comment->html

+ ];

+

+ $this->json('POST', $url, $request);

+ $resp = $this->decodeResponseJson();

+ if (isset($resp['comment'])) {

+ return $resp['comment'];

+ }

+ return null;

+ }

+

+ private function updateComment($page, $commentId) {

+ $comment = factory(\BookStack\Comment::class)->make();

+ $url = "/ajax/page/$page->id/comment/$commentId";

+ $request = [

+ 'text' => $comment->text,

+ 'html' => $comment->html

+ ];

+

+ return $this->json('PUT', $url, $request);

+ }

+

+ private function deleteComment($commentId) {

+ $url = '/ajax/comment/' . $commentId;

+ return $this->json('DELETE', $url);

+ }

+

}