3 namespace BookStack\Auth\Permissions;
5 use BookStack\Auth\Role;
6 use BookStack\Auth\User;
7 use BookStack\Entities\Models\Chapter;
8 use BookStack\Entities\Models\Entity;
9 use BookStack\Entities\Models\Page;
11 use BookStack\Traits\HasCreatorAndUpdater;
12 use BookStack\Traits\HasOwner;
13 use Illuminate\Database\Eloquent\Builder;
14 use Illuminate\Database\Query\Builder as QueryBuilder;
15 use Illuminate\Database\Query\JoinClause;
16 use InvalidArgumentException;
18 class PermissionApplicator
21 * Checks if an entity has a restriction set upon it.
23 * @param HasCreatorAndUpdater|HasOwner $ownable
25 public function checkOwnableUserAccess(Model $ownable, string $permission): bool
27 $explodedPermission = explode('-', $permission);
28 $action = $explodedPermission[1] ?? $explodedPermission[0];
29 $fullPermission = count($explodedPermission) > 1 ? $permission : $ownable->getMorphClass() . '-' . $permission;
31 $user = $this->currentUser();
32 $userRoleIds = $this->getCurrentUserRoleIds();
34 $allRolePermission = $user->can($fullPermission . '-all');
35 $ownRolePermission = $user->can($fullPermission . '-own');
36 $nonJointPermissions = ['restrictions', 'image', 'attachment', 'comment'];
37 $ownerField = ($ownable instanceof Entity) ? 'owned_by' : 'created_by';
38 $ownableFieldVal = $ownable->getAttribute($ownerField);
40 if (is_null($ownableFieldVal)) {
41 throw new InvalidArgumentException("{$ownerField} field used but has not been loaded");
44 $isOwner = $user->id === $ownableFieldVal;
45 $hasRolePermission = $allRolePermission || ($isOwner && $ownRolePermission);
47 // Handle non entity specific jointPermissions
48 if (in_array($explodedPermission[0], $nonJointPermissions)) {
49 return $hasRolePermission;
52 $hasApplicableEntityPermissions = $this->hasEntityPermission($ownable, $userRoleIds, $user->id, $action);
54 return is_null($hasApplicableEntityPermissions) ? $hasRolePermission : $hasApplicableEntityPermissions;
58 * Check if there are permissions that are applicable for the given entity item, action and roles.
59 * Returns null when no entity permissions are in force.
61 protected function hasEntityPermission(Entity $entity, array $userRoleIds, int $userId, string $action): ?bool
63 $this->ensureValidEntityAction($action);
65 $adminRoleId = Role::getSystemRole('admin')->id;
66 if (in_array($adminRoleId, $userRoleIds)) {
70 // The array order here is very important due to the fact we walk up the chain
71 // in the flattening loop below. Earlier items in the chain have higher priority.
72 $typeIdList = [$entity->getMorphClass() . ':' . $entity->id];
73 if ($entity instanceof Page && $entity->chapter_id) {
74 $typeIdList[] = 'chapter:' . $entity->chapter_id;
77 if ($entity instanceof Page || $entity instanceof Chapter) {
78 $typeIdList[] = 'book:' . $entity->book_id;
81 $relevantPermissions = EntityPermission::query()
82 ->where(function (Builder $query) use ($typeIdList) {
83 foreach ($typeIdList as $typeId) {
84 $query->orWhere(function (Builder $query) use ($typeId) {
85 [$type, $id] = explode(':', $typeId);
86 $query->where('entity_type', '=', $type)
87 ->where('entity_id', '=', $id);
90 })->where(function (Builder $query) use ($userRoleIds, $userId) {
91 $query->whereIn('role_id', $userRoleIds)
92 ->orWhere('user_id', '=', $userId)
93 ->orWhere(function (Builder $query) {
94 $query->whereNull(['role_id', 'user_id']);
96 })->get(['entity_id', 'entity_type', 'role_id', 'user_id', $action])
99 $permissionMap = new EntityPermissionMap($relevantPermissions);
100 $permitsByType = ['user' => [], 'fallback' => [], 'role' => []];
102 // Collapse and simplify permission structure
103 foreach ($typeIdList as $typeId) {
104 $permissions = $permissionMap->getForEntity($typeId);
105 foreach ($permissions as $permission) {
106 $related = $permission->getAssignedType();
107 $relatedId = $permission->getAssignedTypeId();
108 if (!isset($permitsByType[$related][$relatedId])) {
109 $permitsByType[$related][$relatedId] = $permission->$action;
114 // Return user-level permission if exists
115 if (count($permitsByType['user']) > 0) {
116 return boolval(array_values($permitsByType['user'])[0]);
119 // Return grant or reject from role-level if exists
120 if (count($permitsByType['role']) > 0) {
121 return boolval(max($permitsByType['role']));
124 // Return fallback permission if exists
125 if (count($permitsByType['fallback']) > 0) {
126 return boolval($permitsByType['fallback'][0]);
133 * Checks if a user has the given permission for any items in the system.
134 * Can be passed an entity instance to filter on a specific type.
136 public function checkUserHasEntityPermissionOnAny(string $action, string $entityClass = ''): bool
138 $this->ensureValidEntityAction($action);
140 $permissionQuery = EntityPermission::query()
141 ->where($action, '=', true)
142 ->where(function (Builder $query) {
143 $query->whereIn('role_id', $this->getCurrentUserRoleIds())
144 ->orWhere('user_id', '=', $this->currentUser()->id);
147 if (!empty($entityClass)) {
148 /** @var Entity $entityInstance */
149 $entityInstance = app()->make($entityClass);
150 $permissionQuery = $permissionQuery->where('entity_type', '=', $entityInstance->getMorphClass());
153 $hasPermission = $permissionQuery->count() > 0;
155 return $hasPermission;
159 * Limit the given entity query so that the query will only
160 * return items that the user has view permission for.
162 public function restrictEntityQuery(Builder $query, string $morphClass): Builder
164 $this->getCurrentUserRoleIds();
165 $this->currentUser()->id;
167 // TODO - Leave this as the new admin workaround?
168 // Or auto generate collapsed role permissions for admins?
169 if (\user()->hasSystemRole('admin')) {
173 // Apply permission level joins
174 $this->applyFallbackJoin($query, $morphClass, 'id', '');
175 $this->applyRoleJoin($query, $morphClass, 'id', '');
176 $this->applyUserJoin($query, $morphClass, 'id', '');
178 // Where permissions apply
179 $this->applyPermissionWhereFilter($query, $morphClass);
184 protected function applyPermissionWhereFilter($query, string $entityTypeLimiter)
186 // TODO - Morph for all types
187 $userViewAll = userCan($entityTypeLimiter . '-view-all');
188 $userViewOwn = userCan($entityTypeLimiter . '-view-own');
190 $query->where(function (Builder $query) use ($userViewOwn, $userViewAll) {
191 $query->where('perms_user', '=', 1)
192 ->orWhere(function (Builder $query) {
193 $query->whereNull('perms_user')->where('perms_role', '=', 1);
194 })->orWhere(function (Builder $query) {
195 $query->whereNull(['perms_user', 'perms_role'])
196 ->where('perms_fallback', '=', 1);
200 $query->orWhere(function (Builder $query) {
201 $query->whereNull(['perms_user', 'perms_role', 'perms_fallback']);
203 } else if ($userViewOwn) {
204 $query->orWhere(function (Builder $query) {
205 $query->whereNull(['perms_user', 'perms_role', 'perms_fallback'])
206 ->where('owned_by', '=', $this->currentUser()->id);
213 * @param Builder|QueryBuilder $query
215 protected function applyPermissionJoin(callable $joinCallable, string $subAlias, $query, string $entityTypeLimiter, string $entityIdColumn, string $entityTypeColumn)
217 $joinCondition = $this->getJoinCondition($subAlias, $entityIdColumn, $entityTypeColumn);
219 $query->joinSub(function (QueryBuilder $joinQuery) use ($joinCallable, $entityTypeLimiter) {
220 $joinQuery->select(['entity_id', 'entity_type'])->from('entity_permissions_collapsed')
221 ->groupBy('entity_id', 'entity_type');
222 $joinCallable($joinQuery);
224 if ($entityTypeLimiter) {
225 $joinQuery->where('entity_type', '=', $entityTypeLimiter);
227 }, $subAlias, $joinCondition, null, null, 'left');
231 * @param Builder|QueryBuilder $query
233 protected function applyUserJoin($query, string $entityTypeLimiter, string $entityIdColumn, string $entityTypeColumn)
235 $this->applyPermissionJoin(function (QueryBuilder $joinQuery) {
236 $joinQuery->selectRaw('max(view) as perms_user')
237 ->where('user_id', '=', $this->currentUser()->id);
238 }, 'p_u', $query, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
243 * @param Builder|QueryBuilder $query
245 protected function applyRoleJoin($query, string $entityTypeLimiter, string $entityIdColumn, string $entityTypeColumn)
247 $this->applyPermissionJoin(function (QueryBuilder $joinQuery) {
248 $joinQuery->selectRaw('max(view) as perms_role')
249 ->whereIn('role_id', $this->getCurrentUserRoleIds());
250 }, 'p_r', $query, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
254 * @param Builder|QueryBuilder $query
256 protected function applyFallbackJoin($query, string $entityTypeLimiter, string $entityIdColumn, string $entityTypeColumn)
258 $this->applyPermissionJoin(function (QueryBuilder $joinQuery) {
259 $joinQuery->selectRaw('max(view) as perms_fallback')
260 ->whereNull(['role_id', 'user_id']);
261 }, 'p_f', $query, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
264 protected function getJoinCondition(string $joinTableName, string $entityIdColumn, string $entityTypeColumn): callable
266 return function (JoinClause $join) use ($joinTableName, $entityIdColumn, $entityTypeColumn) {
267 $join->on($entityIdColumn, '=', $joinTableName . '.entity_id');
268 if ($entityTypeColumn) {
269 $join->on($entityTypeColumn, '=', $joinTableName . '.entity_type');
275 * Extend the given page query to ensure draft items are not visible
276 * unless created by the given user.
278 public function restrictDraftsOnPageQuery(Builder $query): Builder
280 return $query->where(function (Builder $query) {
281 $query->where('draft', '=', false)
282 ->orWhere(function (Builder $query) {
283 $query->where('draft', '=', true)
284 ->where('owned_by', '=', $this->currentUser()->id);
290 * Filter items that have entities set as a polymorphic relation.
291 * For simplicity, this will not return results attached to draft pages.
292 * Draft pages should never really have related items though.
294 * @param Builder|QueryBuilder $query
296 public function restrictEntityRelationQuery($query, string $tableName, string $entityIdColumn, string $entityTypeColumn)
298 $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn, 'entityTypeColumn' => $entityTypeColumn];
299 $pageMorphClass = (new Page())->getMorphClass();
301 // TODO - Abstract the permission queries above to make their join columns configurable
302 // so the query methods can be used on non-entity tables if possible.
305 $q = $query->where(function ($query) use ($tableDetails) {
306 $query->whereExists(function ($permissionQuery) use ($tableDetails) {
307 /** @var Builder $permissionQuery */
308 $permissionQuery->select(['role_id'])->from('joint_permissions')
309 ->whereColumn('joint_permissions.entity_id', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
310 ->whereColumn('joint_permissions.entity_type', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityTypeColumn'])
311 ->whereIn('joint_permissions.role_id', $this->getCurrentUserRoleIds())
312 ->where(function (QueryBuilder $query) {
313 $this->addJointHasPermissionCheck($query, $this->currentUser()->id);
315 })->orWhereExists(function ($permissionQuery) use ($tableDetails) {
316 /** @var Builder $permissionQuery */
317 $permissionQuery->select(['user_id'])->from('joint_user_permissions')
318 ->whereColumn('joint_user_permissions.entity_id', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
319 ->whereColumn('joint_user_permissions.entity_type', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityTypeColumn'])
320 ->where('joint_user_permissions.user_id', '=', $this->currentUser()->id)
321 ->where('joint_user_permissions.has_permission', '=', true);
323 })->whereNotExists(function ($query) use ($tableDetails) {
324 $query->select(['user_id'])->from('joint_user_permissions')
325 ->whereColumn('joint_user_permissions.entity_id', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
326 ->whereColumn('joint_user_permissions.entity_type', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityTypeColumn'])
327 ->where('joint_user_permissions.user_id', '=', $this->currentUser()->id)
328 ->where('joint_user_permissions.has_permission', '=', false);
329 })->where(function ($query) use ($tableDetails, $pageMorphClass) {
330 /** @var Builder $query */
331 $query->where($tableDetails['entityTypeColumn'], '!=', $pageMorphClass)
332 ->orWhereExists(function (QueryBuilder $query) use ($tableDetails, $pageMorphClass) {
333 $query->select('id')->from('pages')
334 ->whereColumn('pages.id', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
335 ->where($tableDetails['tableName'] . '.' . $tableDetails['entityTypeColumn'], '=', $pageMorphClass)
336 ->where('pages.draft', '=', false);
344 * Add conditions to a query for a model that's a relation of a page, so only the model results
345 * on visible pages are returned by the query.
346 * Is effectively the same as "restrictEntityRelationQuery" but takes into account page drafts
347 * while not expecting a polymorphic relation, Just a simpler one-page-to-many-relations set-up.
349 public function restrictPageRelationQuery(Builder $query, string $tableName, string $pageIdColumn): Builder
351 $fullPageIdColumn = $tableName . '.' . $pageIdColumn;
352 $morphClass = (new Page())->getMorphClass();
357 $existsQuery = function ($permissionQuery) use ($fullPageIdColumn, $morphClass) {
358 /** @var Builder $permissionQuery */
359 $permissionQuery->select('joint_permissions.role_id')->from('joint_permissions')
360 ->whereColumn('joint_permissions.entity_id', '=', $fullPageIdColumn)
361 ->where('joint_permissions.entity_type', '=', $morphClass)
362 ->whereIn('joint_permissions.role_id', $this->getCurrentUserRoleIds())
363 ->where(function (QueryBuilder $query) {
364 $this->addJointHasPermissionCheck($query, $this->currentUser()->id);
368 $userExistsQuery = function ($hasPermission) use ($fullPageIdColumn, $morphClass) {
369 return function ($permissionQuery) use ($fullPageIdColumn, $morphClass) {
370 /** @var Builder $permissionQuery */
371 $permissionQuery->select('joint_user_permissions.user_id')->from('joint_user_permissions')
372 ->whereColumn('joint_user_permissions.entity_id', '=', $fullPageIdColumn)
373 ->where('joint_user_permissions.entity_type', '=', $morphClass)
374 ->where('joint_user_permissions.user_id', $this->currentUser()->id)
375 ->where('has_permission', '=', true);
379 $q = $query->where(function ($query) use ($existsQuery, $userExistsQuery, $fullPageIdColumn) {
380 $query->whereExists($existsQuery)
381 ->orWhereExists($userExistsQuery(true))
382 ->orWhere($fullPageIdColumn, '=', 0);
383 })->whereNotExists($userExistsQuery(false));
385 // Prevent visibility of non-owned draft pages
386 $q->whereExists(function (QueryBuilder $query) use ($fullPageIdColumn) {
387 $query->select('id')->from('pages')
388 ->whereColumn('pages.id', '=', $fullPageIdColumn)
389 ->where(function (QueryBuilder $query) {
390 $query->where('pages.draft', '=', false)
391 ->orWhere('pages.owned_by', '=', $this->currentUser()->id);
399 * Add the query for checking the given user id has permission
400 * within the join_permissions table.
402 * @param QueryBuilder|Builder $query
404 protected function addJointHasPermissionCheck($query, int $userIdToCheck)
406 $query->where('joint_permissions.has_permission', '=', true)->orWhere(function ($query) use ($userIdToCheck) {
407 $query->where('joint_permissions.has_permission_own', '=', true)
408 ->where('joint_permissions.owned_by', '=', $userIdToCheck);
413 * Get the current user.
415 protected function currentUser(): User
421 * Get the roles for the current logged-in user.
425 protected function getCurrentUserRoleIds(): array
427 if (auth()->guest()) {
428 return [Role::getSystemRole('public')->id];
431 return $this->currentUser()->roles->pluck('id')->values()->all();
435 * Ensure the given action is a valid and expected entity action.
436 * Throws an exception if invalid otherwise does nothing.
437 * @throws InvalidArgumentException
439 protected function ensureValidEntityAction(string $action): void
441 if (!in_array($action, EntityPermission::PERMISSIONS)) {
442 throw new InvalidArgumentException('Action should be a simple entity permission action, not a role permission');
projects / bookstack / blob