Updated API auth to allow public user if given permission
authorDan Brown <redacted>
Fri, 22 May 2020 21:34:18 +0000 (22:34 +0100)
committerDan Brown <redacted>
Fri, 22 May 2020 21:34:18 +0000 (22:34 +0100)
app/Http/Middleware/ApiAuthenticate.php
tests/Api/ApiDocsTest.php

index 15962b3b00471d1fc55dd2a229824b50319886d6..728057bed175b42a880014b0ecfbd6c3962d2701 100644 (file)
@@ -35,9 +35,9 @@ class ApiAuthenticate
     {
         // Return if the user is already found to be signed in via session-based auth.
         // This is to make it easy to browser the API via browser after just logging into the system.
-        if (signedInUser()) {
+        if (signedInUser() || session()->isStarted()) {
             $this->ensureEmailConfirmedIfRequested();
-            if (!auth()->user()->can('access-api')) {
+            if (!user()->can('access-api')) {
                 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
             }
             return;
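Review bot: The new condition at `if (signedInUser() || session()->isStarted())` makes the guest branch depend only on the guest user's `access-api` permission, while the instance-wide public-access setting is never consulted in this middleware (the accompanying test has to set `app-public` itself, which suggests the middleware is expected to respect it). If that setting is meant to gate anonymous API access, consider also checking it in this branch, e.g. `if (signedInUser() || (session()->isStarted() && setting('app-public')))`, assuming the `setting()` helper is available here — otherwise an admin who grants `access-api` to the public role and later disables public access would still have session-bearing anonymous requests pass this check. Note too that any request arriving with a started session but no signed-in user now stops here with a 403 instead of falling through to the token-based path below, so an API-token client routed through session-starting middleware would be evaluated as the guest user rather than by its token; worth a comment on the line stating that this is intentional. The enclosing method starts above this hunk and continues past its last line.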
index 3cbcadfa30759d4197bbc8775370b0b954760590..1687c64a17e10a7a5110166d251be7c2721afcf1 100644 (file)
@@ -1,5 +1,6 @@
 <?php namespace Tests\Api;
 
+use BookStack\Auth\User;
 use Tests\TestCase;
 
 class ApiDocsTest extends TestCase
@@ -39,4 +40,19 @@ class ApiDocsTest extends TestCase
             ] ]
         ]);
     }
+
+    public function test_docs_page_visible_by_public_user_if_given_permission()
+    {
+        $this->setSettings(['app-public' => true]);
+        $guest = User::getDefault();
+
+        $this->startSession();
+        $resp = $this->get('/api/docs');
+        $resp->assertStatus(403);
+
+        $this->giveUserPermissions($guest, ['access-api']);
+
+        $resp = $this->get('/api/docs');
+        $resp->assertStatus(200);
+    }
 }
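Review bot: The new test `test_docs_page_visible_by_public_user_if_given_permission` only exercises the positive path under `app-public => true` and with a session explicitly started; it does not pin down that a guest with `access-api` is still denied when `app-public` is false, nor that a request without a started session does not take the session branch. Adding a second test along the lines of `$this->setSettings(['app-public' => false]); $this->giveUserPermissions($guest, ['access-api']); $this->get('/api/docs')->assertStatus(403);` would document the intended boundary (if that is the intended behaviour — the middleware hunk above does not appear to read the setting, so the test would expose that). Also consider adding a `: void` return type to the new method for consistency with typed test signatures.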
\ No newline at end of file