Added check of owner field for manage-permissions-own
authorDan Brown <redacted>
Mon, 4 Jan 2021 18:07:39 +0000 (18:07 +0000)
committerDan Brown <redacted>
Mon, 4 Jan 2021 18:07:39 +0000 (18:07 +0000)
This permission was still checking based on created-by.
Updated the tests to specifically check the owner, since they were previously
passing only because the creator and owner happened to match.

Fixes #2445

app/Auth/Permissions/PermissionService.php
tests/Permissions/RolesTest.php

index d858a7c18eea3a8aa546345189c22d413b499171..89c8a5fbb25a55fe54fd95cc8d2721c27c6b9334 100644 (file)
@@ -533,7 +533,8 @@ class PermissionService
             $allPermission = $this->currentUser() && $this->currentUser()->can($permission . '-all');
             $ownPermission = $this->currentUser() && $this->currentUser()->can($permission . '-own');
             $this->currentAction = 'view';
-            $isOwner = $this->currentUser() && $this->currentUser()->id === $ownable->created_by;
+            $ownerField = ($ownable instanceof Entity) ? 'owned_by' : 'created_by';
+            $isOwner = $this->currentUser() && $this->currentUser()->id === $ownable->$ownerField;
             return ($allPermission || ($isOwner && $ownPermission));
         }
 
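Review bot: The `instanceof Entity` on the new line deserves a comment, and its resolution should be confirmed: PHP does not error on `instanceof` against an unknown class name, so if `Entity` is not imported into this file the check silently evaluates to false and the code falls back to `created_by` for every ownable, which is exactly the behaviour this commit fixes. I cannot see the `use` block from the hunk, so this is a verification request rather than a confirmed defect. I would add above the `$ownerField` line: `// Entities track ownership separately from creation (owned_by); other ownables are still keyed on created_by. A null owner field fails closed because the comparison below is strict.` — the strict `===` on the next line is what makes a missing `owned_by` deny rather than grant the "-own" permission, which is worth stating. The enclosing method begins and ends outside this hunk.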
index 3397ef42905bdb029108da634558a281d4482800..8398d08281a12d4e0239ae1531f4817d86b0c1a5 100644 (file)
@@ -216,15 +216,23 @@ class RolesTest extends BrowserKitTest
     {
         $otherUsersPage = Page::first();
         $content = $this->createEntityChainBelongingToUser($this->user);
+
+        // Set a different creator on the page we're checking to ensure
+        // that the owner fields are checked
+        $page = $content['page']; /** @var Page $page */
+        $page->created_by = $otherUsersPage->id;
+        $page->owned_by = $this->user->id;
+        $page->save();
+
         // Check can't restrict other's content
         $this->actingAs($this->user)->visit($otherUsersPage->getUrl())
             ->dontSee('Permissions')
             ->visit($otherUsersPage->getUrl() . '/permissions')
             ->seePageIs('/');
         // Check can't restrict own content
-        $this->actingAs($this->user)->visit($content['page']->getUrl())
+        $this->actingAs($this->user)->visit($page->getUrl())
             ->dontSee('Permissions')
-            ->visit($content['page']->getUrl() . '/permissions')
+            ->visit($page->getUrl() . '/permissions')
             ->seePageIs('/');
 
         $this->giveUserPermissions($this->user, ['restrictions-manage-own']);
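Review bot: `$page->created_by = $otherUsersPage->id;` writes a page id into a user-id column, so the "different creator" setup is only coincidentally distinct from `$this->user->id`; should the ids ever coincide, the test would pass against the old created_by-based check and no longer guard the fix. Use a real user id instead, e.g. `$page->created_by = $otherUsersPage->created_by;` (assuming `Page::first()` is not created by `$this->user`, which the existing "other's content" assertions already rely on). Minor style point: the `/** @var Page $page */` annotation on the same line after the statement is ignored by most tools; place it on the line before `$page = $content['page'];`. The test method's signature is above this hunk.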
@@ -235,10 +243,10 @@ class RolesTest extends BrowserKitTest
             ->visit($otherUsersPage->getUrl() . '/permissions')
             ->seePageIs('/');
         // Check can restrict own content
-        $this->actingAs($this->user)->visit($content['page']->getUrl())
+        $this->actingAs($this->user)->visit($page->getUrl())
             ->see('Permissions')
             ->click('Permissions')
-            ->seePageIs($content['page']->getUrl() . '/permissions');
+            ->seePageIs($page->getUrl() . '/permissions');
     }
 
     /**