X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/a5e49f642b18de09cac0f2fdceacf07b0bafafe7..refs/pull/651/head:/app/Http/Controllers/BookController.php

diff --git a/app/Http/Controllers/BookController.php b/app/Http/Controllers/BookController.php
index e181aec89..d70f9d0df 100644
--- a/app/Http/Controllers/BookController.php
+++ b/app/Http/Controllers/BookController.php
@@ -46,7 +46,7 @@ class BookController extends Controller
             'books' => $books,
             'recents' => $recents,
             'popular' => $popular,
-            'new' => $new, 
+            'new' => $new,
             'booksViewType' => $booksViewType
         ]);
     }
@@ -155,7 +155,7 @@ class BookController extends Controller
         $book = $this->entityRepo->getBySlug('book', $bookSlug);
         $this->checkOwnablePermission('book-update', $book);
         $bookChildren = $this->entityRepo->getBookChildren($book, true);
-        $books = $this->entityRepo->getAll('book', false);
+        $books = $this->entityRepo->getAll('book', false, 'update');
         $this->setPageTitle(trans('entities.books_sort_named', ['bookName'=>$book->getShortName()]));
         return view('books/sort', ['book' => $book, 'current' => $book, 'books' => $books, 'bookChildren' => $bookChildren]);
     }
@@ -195,12 +195,41 @@ class BookController extends Controller
         $sortMap = json_decode($request->get('sort-tree'));
         $defaultBookId = $book->id;
 
+        // Check permissions for all target and source books
+        $permissionsList = [$book->id];
+        foreach ($sortMap as $bookChild) {
+            // Check permission for target book
+            if (!in_array($bookChild->book, $permissionsList)) {
+                $targetBook = $this->entityRepo->getById('book', $bookChild->book);
+                if (!empty($targetBook)) {
+                    $bookId = $targetBook->id;
+                    $this->checkOwnablePermission('book-update', $targetBook);
+                    // cache the permission for future use.
+                    $permissionsList[] = $bookId;
+                }
+            }
+
+            // Check permissions for the source book
+            $id = intval($bookChild->id);
+            $isPage = $bookChild->type == 'page';
+            $model = $this->entityRepo->getById($isPage?'page':'chapter', $id);
+            $sourceBook = $model->book;
+            if (!in_array($sourceBook->id, $permissionsList)) {
+                $this->checkOwnablePermission('book-update', $sourceBook);
+
+                // cache the permission for future use.
+                $permissionsList[] = $sourceBook->id;
+            }
+        }
+
         // Loop through contents of provided map and update entities accordingly
         foreach ($sortMap as $bookChild) {
             $priority = $bookChild->sort;
             $id = intval($bookChild->id);
             $isPage = $bookChild->type == 'page';
-            $bookId = $this->entityRepo->exists('book', $bookChild->book) ? intval($bookChild->book) : $defaultBookId;
+            $bookId = $defaultBookId;
+            $targetBook = $this->entityRepo->getById('book', $bookChild->book);
+
             $chapterId = ($isPage && $bookChild->parentChapter === false) ? 0 : intval($bookChild->parentChapter);
             $model = $this->entityRepo->getById($isPage?'page':'chapter', $id);