Merge branch 'master' of https://github.com/theodor-franke/BookStack into theodor...

[bookstack] / tests / Permissions / EntityPermissionsTest.php

<?php

namespace Tests\Permissions;

use BookStack\Auth\User;
use BookStack\Entities\Models\Book;
use BookStack\Entities\Models\Bookshelf;
use BookStack\Entities\Models\Chapter;
use BookStack\Entities\Models\Entity;
use BookStack\Entities\Models\Page;
use Illuminate\Support\Str;
use Tests\TestCase;

class EntityPermissionsTest extends TestCase
{
    /**
     * @var User
     */
    protected $user;

    /**
     * @var User
     */
    protected $viewer;

    public function setUp(): void
    {
        parent::setUp();
        $this->user = $this->getEditor();
        $this->viewer = $this->getViewer();
    }

    protected function setRestrictionsForTestRoles(Entity $entity, array $actions = [])
    {
        $roles = [
            $this->user->roles->first(),
            $this->viewer->roles->first(),
        ];
        $this->setEntityRestrictions($entity, $actions, $roles);
    }

    public function test_bookshelf_view_restriction()
    {
        /** @var Bookshelf $shelf */
        $shelf = Bookshelf::query()->first();

        $this->actingAs($this->user)
            ->get($shelf->getUrl())
            ->assertStatus(200);

        $this->setRestrictionsForTestRoles($shelf, []);

        $this->followingRedirects()->get($shelf->getUrl())
            ->assertSee('Bookshelf not found');

        $this->setRestrictionsForTestRoles($shelf, ['view']);

        $this->get($shelf->getUrl())
            ->assertSee($shelf->name);
    }

    public function test_bookshelf_update_restriction()
    {
        /** @var Bookshelf $shelf */
        $shelf = Bookshelf::query()->first();

        $this->actingAs($this->user)
            ->get($shelf->getUrl('/edit'))
            ->assertSee('Edit Book');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'delete']);

        $resp = $this->get($shelf->getUrl('/edit'))
            ->assertRedirect('/');
        $this->followRedirects($resp)->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'update']);

        $this->get($shelf->getUrl('/edit'))
            ->assertOk();
    }

    public function test_bookshelf_delete_restriction()
    {
        /** @var Bookshelf $shelf */
        $shelf = Bookshelf::query()->first();

        $this->actingAs($this->user)
            ->get($shelf->getUrl('/delete'))
            ->assertSee('Delete Book');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'update']);

        $this->get($shelf->getUrl('/delete'))->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'delete']);

        $this->get($shelf->getUrl('/delete'))
            ->assertOk()
            ->assertSee('Delete Book');
    }

    public function test_book_view_restriction()
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->user)
            ->get($bookUrl)
            ->assertOk();

        $this->setRestrictionsForTestRoles($book, []);

        $this->followingRedirects()->get($bookUrl)
            ->assertSee('Book not found');
        $this->followingRedirects()->get($bookPage->getUrl())
            ->assertSee('Page not found');
        $this->followingRedirects()->get($bookChapter->getUrl())
            ->assertSee('Chapter not found');

        $this->setRestrictionsForTestRoles($book, ['view']);

        $this->get($bookUrl)
            ->assertSee($book->name);
        $this->get($bookPage->getUrl())
            ->assertSee($bookPage->name);
        $this->get($bookChapter->getUrl())
            ->assertSee($bookChapter->name);
    }

    public function test_book_create_restriction()
    {
        /** @var Book $book */
        $book = Book::query()->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)
            ->get($bookUrl)
            ->assertElementNotContains('.actions', 'New Page')
            ->assertElementNotContains('.actions', 'New Chapter');
        $this->actingAs($this->user)
            ->get($bookUrl)
            ->assertElementContains('.actions', 'New Page')
            ->assertElementContains('.actions', 'New Chapter');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete', 'update']);

        $this->get($bookUrl . '/create-chapter')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->get($bookUrl . '/create-page')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->get($bookUrl)
            ->assertElementNotContains('.actions', 'New Page')
            ->assertElementNotContains('.actions', 'New Chapter');

        $this->setRestrictionsForTestRoles($book, ['view', 'create']);

        $resp = $this->post($book->getUrl('/create-chapter'), [
            'name'        => 'test chapter',
            'description' => 'desc',
        ]);
        $resp->assertRedirect($book->getUrl('/chapter/test-chapter'));

        $this->get($book->getUrl('/create-page'));
        /** @var Page $page */
        $page = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first();
        $resp = $this->post($page->getUrl(), [
            'name' => 'test page',
            'html' => 'test content',
        ]);
        $resp->assertRedirect($book->getUrl('/page/test-page'));

        $this->get($bookUrl)
            ->assertElementContains('.actions', 'New Page')
            ->assertElementContains('.actions', 'New Chapter');
    }

    public function test_book_update_restriction()
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->user)
            ->get($bookUrl . '/edit')
            ->assertSee('Edit Book');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete']);

        $this->get($bookUrl . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookPage->getUrl() . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookChapter->getUrl() . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($book, ['view', 'update']);

        $this->get($bookUrl . '/edit')->assertOk();
        $this->get($bookPage->getUrl() . '/edit')->assertOk();
        $this->get($bookChapter->getUrl() . '/edit')->assertSee('Edit Chapter');
    }

    public function test_book_delete_restriction()
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->user)->get($bookUrl . '/delete')
            ->assertSee('Delete Book');

        $this->setRestrictionsForTestRoles($book, ['view', 'update']);

        $this->get($bookUrl . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookPage->getUrl() . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookChapter->getUrl() . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete']);

        $this->get($bookUrl . '/delete')->assertOk()->assertSee('Delete Book');
        $this->get($bookPage->getUrl('/delete'))->assertOk()->assertSee('Delete Page');
        $this->get($bookChapter->getUrl('/delete'))->assertSee('Delete Chapter');
    }

    public function test_chapter_view_restriction()
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $chapterPage = $chapter->pages->first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)->get($chapterUrl)->assertOk();

        $this->setRestrictionsForTestRoles($chapter, []);

        $this->followingRedirects()->get($chapterUrl)->assertSee('Chapter not found');
        $this->followingRedirects()->get($chapterPage->getUrl())->assertSee('Page not found');

        $this->setRestrictionsForTestRoles($chapter, ['view']);

        $this->get($chapterUrl)->assertSee($chapter->name);
        $this->get($chapterPage->getUrl())->assertSee($chapterPage->name);
    }

    public function test_chapter_create_restriction()
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)
            ->get($chapterUrl)
            ->assertElementContains('.actions', 'New Page');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'delete', 'update']);

        $this->get($chapterUrl . '/create-page')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($chapterUrl)->assertElementNotContains('.actions', 'New Page');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'create']);

        $this->get($chapter->getUrl('/create-page'));
        /** @var Page $page */
        $page = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first();
        $resp = $this->post($page->getUrl(), [
            'name' => 'test page',
            'html' => 'test content',
        ]);
        $resp->assertRedirect($chapter->book->getUrl('/page/test-page'));

        $this->get($chapterUrl)->assertElementContains('.actions', 'New Page');
    }

    public function test_chapter_update_restriction()
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $chapterPage = $chapter->pages->first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)->get($chapterUrl . '/edit')
            ->assertSee('Edit Chapter');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'delete']);

        $this->get($chapterUrl . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($chapterPage->getUrl() . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'update']);

        $this->get($chapterUrl . '/edit')->assertOk()->assertSee('Edit Chapter');
        $this->get($chapterPage->getUrl() . '/edit')->assertOk();
    }

    public function test_chapter_delete_restriction()
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $chapterPage = $chapter->pages->first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)
            ->get($chapterUrl . '/delete')
            ->assertSee('Delete Chapter');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'update']);

        $this->get($chapterUrl . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($chapterPage->getUrl() . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($chapter, ['view', 'delete']);

        $this->get($chapterUrl . '/delete')->assertOk()->assertSee('Delete Chapter');
        $this->get($chapterPage->getUrl() . '/delete')->assertOk()->assertSee('Delete Page');
    }

    public function test_page_view_restriction()
    {
        /** @var Page $page */
        $page = Page::query()->first();

        $pageUrl = $page->getUrl();
        $this->actingAs($this->user)->get($pageUrl)->assertOk();

        $this->setRestrictionsForTestRoles($page, ['update', 'delete']);

        $this->get($pageUrl)->assertSee('Page not found');

        $this->setRestrictionsForTestRoles($page, ['view']);

        $this->get($pageUrl)->assertSee($page->name);
    }

    public function test_page_update_restriction()
    {
        /** @var Page $page */
        $page = Page::query()->first();

        $pageUrl = $page->getUrl();
        $this->actingAs($this->user)
            ->get($pageUrl . '/edit')
            ->assertElementExists('input[name="name"][value="' . $page->name . '"]');

        $this->setRestrictionsForTestRoles($page, ['view', 'delete']);

        $this->get($pageUrl . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($page, ['view', 'update']);

        $this->get($pageUrl . '/edit')
            ->assertOk()
            ->assertElementExists('input[name="name"][value="' . $page->name . '"]');
    }

    public function test_page_delete_restriction()
    {
        /** @var Page $page */
        $page = Page::query()->first();

        $pageUrl = $page->getUrl();
        $this->actingAs($this->user)
            ->get($pageUrl . '/delete')
            ->assertSee('Delete Page');

        $this->setRestrictionsForTestRoles($page, ['view', 'update']);

        $this->get($pageUrl . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($page, ['view', 'delete']);

        $this->get($pageUrl . '/delete')->assertOk()->assertSee('Delete Page');
    }

    protected function entityRestrictionFormTest(string $model, string $title, string $permission, string $roleId)
    {
        /** @var Entity $modelInstance */
        $modelInstance = $model::query()->first();
        $this->asAdmin()->get($modelInstance->getUrl('/permissions'))
            ->assertSee($title);

        $this->put($modelInstance->getUrl('/permissions'), [
            'restricted'   => 'true',
            'restrictions' => [
                $roleId => [
                    $permission => 'true',
                ],
            ],
        ]);

        $this->assertDatabaseHas($modelInstance->getTable(), ['id' => $modelInstance->id, 'restricted' => true]);
        $this->assertDatabaseHas('entity_permissions', [
            'restrictable_id'   => $modelInstance->id,
            'restrictable_type' => $modelInstance->getMorphClass(),
            'role_id'           => $roleId,
            'action'            => $permission,
        ]);
    }

    public function test_bookshelf_restriction_form()
    {
        $this->entityRestrictionFormTest(Bookshelf::class, 'Bookshelf Permissions', 'view', '2');
    }

    public function test_book_restriction_form()
    {
        $this->entityRestrictionFormTest(Book::class, 'Book Permissions', 'view', '2');
    }

    public function test_chapter_restriction_form()
    {
        $this->entityRestrictionFormTest(Chapter::class, 'Chapter Permissions', 'update', '2');
    }

    public function test_page_restriction_form()
    {
        $this->entityRestrictionFormTest(Page::class, 'Page Permissions', 'delete', '2');
    }

    public function test_restricted_pages_not_visible_in_book_navigation_on_pages()
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $page = $chapter->pages->first();
        $page2 = $chapter->pages[2];

        $this->setRestrictionsForTestRoles($page, []);

        $this->actingAs($this->user)
            ->get($page2->getUrl())
            ->assertElementNotContains('.sidebar-page-list', $page->name);
    }

    public function test_restricted_pages_not_visible_in_book_navigation_on_chapters()
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $page = $chapter->pages->first();

        $this->setRestrictionsForTestRoles($page, []);

        $this->actingAs($this->user)
            ->get($chapter->getUrl())
            ->assertElementNotContains('.sidebar-page-list', $page->name);
    }

    public function test_restricted_pages_not_visible_on_chapter_pages()
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $page = $chapter->pages->first();

        $this->setRestrictionsForTestRoles($page, []);

        $this->actingAs($this->user)
            ->get($chapter->getUrl())
            ->assertDontSee($page->name);
    }

    public function test_restricted_chapter_pages_not_visible_on_book_page()
    {
        /** @var Chapter $chapter */
        $chapter = Chapter::query()->first();
        $this->actingAs($this->user)
            ->get($chapter->book->getUrl())
            ->assertSee($chapter->pages->first()->name);

        foreach ($chapter->pages as $page) {
            $this->setRestrictionsForTestRoles($page, []);
        }

        $this->actingAs($this->user)
            ->get($chapter->book->getUrl())
            ->assertDontSee($chapter->pages->first()->name);
    }

    public function test_bookshelf_update_restriction_override()
    {
        /** @var Bookshelf $shelf */
        $shelf = Bookshelf::query()->first();

        $this->actingAs($this->viewer)
            ->get($shelf->getUrl('/edit'))
            ->assertDontSee('Edit Book');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'delete']);

        $this->get($shelf->getUrl('/edit'))->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'update']);

        $this->get($shelf->getUrl('/edit'))->assertOk();
    }

    public function test_bookshelf_delete_restriction_override()
    {
        /** @var Bookshelf $shelf */
        $shelf = Bookshelf::query()->first();

        $this->actingAs($this->viewer)
            ->get($shelf->getUrl('/delete'))
            ->assertDontSee('Delete Book');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'update']);

        $this->get($shelf->getUrl('/delete'))->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($shelf, ['view', 'delete']);

        $this->get($shelf->getUrl('/delete'))->assertOk()->assertSee('Delete Book');
    }

    public function test_book_create_restriction_override()
    {
        /** @var Book $book */
        $book = Book::query()->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)
            ->get($bookUrl)
            ->assertElementNotContains('.actions', 'New Page')
            ->assertElementNotContains('.actions', 'New Chapter');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete', 'update']);

        $this->get($bookUrl . '/create-chapter')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookUrl . '/create-page')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookUrl)->assertElementNotContains('.actions', 'New Page')
            ->assertElementNotContains('.actions', 'New Chapter');

        $this->setRestrictionsForTestRoles($book, ['view', 'create']);

        $resp = $this->post($book->getUrl('/create-chapter'), [
            'name'        => 'test chapter',
            'description' => 'test desc',
        ]);
        $resp->assertRedirect($book->getUrl('/chapter/test-chapter'));

        $this->get($book->getUrl('/create-page'));
        /** @var Page $page */
        $page = Page::query()->where('draft', '=', true)->orderByDesc('id')->first();
        $resp = $this->post($page->getUrl(), [
            'name' => 'test page',
            'html' => 'test desc',
        ]);
        $resp->assertRedirect($book->getUrl('/page/test-page'));

        $this->get($bookUrl)
            ->assertElementContains('.actions', 'New Page')
            ->assertElementContains('.actions', 'New Chapter');
    }

    public function test_book_update_restriction_override()
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)->get($bookUrl . '/edit')
            ->assertDontSee('Edit Book');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete']);

        $this->get($bookUrl . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookPage->getUrl() . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookChapter->getUrl() . '/edit')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($book, ['view', 'update']);

        $this->get($bookUrl . '/edit')->assertOk();
        $this->get($bookPage->getUrl() . '/edit')->assertOk();
        $this->get($bookChapter->getUrl() . '/edit')->assertSee('Edit Chapter');
    }

    public function test_book_delete_restriction_override()
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)
            ->get($bookUrl . '/delete')
            ->assertDontSee('Delete Book');

        $this->setRestrictionsForTestRoles($book, ['view', 'update']);

        $this->get($bookUrl . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookPage->getUrl() . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
        $this->get($bookChapter->getUrl() . '/delete')->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $this->setRestrictionsForTestRoles($book, ['view', 'delete']);

        $this->get($bookUrl . '/delete')->assertOk()->assertSee('Delete Book');
        $this->get($bookPage->getUrl() . '/delete')->assertOk()->assertSee('Delete Page');
        $this->get($bookChapter->getUrl() . '/delete')->assertSee('Delete Chapter');
    }

    public function test_page_visible_if_has_permissions_when_book_not_visible()
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $bookChapter = $book->chapters->first();
        $bookPage = $bookChapter->pages->first();

        foreach ([$book, $bookChapter, $bookPage] as $entity) {
            $entity->name = Str::random(24);
            $entity->save();
        }

        $this->setRestrictionsForTestRoles($book, []);
        $this->setRestrictionsForTestRoles($bookPage, ['view']);

        $this->actingAs($this->viewer);
        $resp = $this->get($bookPage->getUrl());
        $resp->assertOk();
        $resp->assertSee($bookPage->name);
        $resp->assertDontSee(substr($book->name, 0, 15));
        $resp->assertDontSee(substr($bookChapter->name, 0, 15));
    }

    public function test_book_sort_view_permission()
    {
        /** @var Book $firstBook */
        $firstBook = Book::query()->first();
        /** @var Book $secondBook */
        $secondBook = Book::query()->find(2);

        $this->setRestrictionsForTestRoles($firstBook, ['view', 'update']);
        $this->setRestrictionsForTestRoles($secondBook, ['view']);

        // Test sort page visibility
        $this->actingAs($this->user)->get($secondBook->getUrl('/sort'))->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        // Check sort page on first book
        $this->actingAs($this->user)->get($firstBook->getUrl('/sort'));
    }

    public function test_book_sort_permission()
    {
        /** @var Book $firstBook */
        $firstBook = Book::query()->first();
        /** @var Book $secondBook */
        $secondBook = Book::query()->find(2);

        $this->setRestrictionsForTestRoles($firstBook, ['view', 'update']);
        $this->setRestrictionsForTestRoles($secondBook, ['view']);

        $firstBookChapter = $this->newChapter(['name' => 'first book chapter'], $firstBook);
        $secondBookChapter = $this->newChapter(['name' => 'second book chapter'], $secondBook);

        // Create request data
        $reqData = [
            [
                'id'            => $firstBookChapter->id,
                'sort'          => 0,
                'parentChapter' => false,
                'type'          => 'chapter',
                'book'          => $secondBook->id,
            ],
        ];

        // Move chapter from first book to a second book
        $this->actingAs($this->user)->put($firstBook->getUrl() . '/sort', ['sort-tree' => json_encode($reqData)])
            ->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');

        $reqData = [
            [
                'id'            => $secondBookChapter->id,
                'sort'          => 0,
                'parentChapter' => false,
                'type'          => 'chapter',
                'book'          => $firstBook->id,
            ],
        ];

        // Move chapter from second book to first book
        $this->actingAs($this->user)->put($firstBook->getUrl() . '/sort', ['sort-tree' => json_encode($reqData)])
                ->assertRedirect('/');
        $this->get('/')->assertSee('You do not have permission');
    }

    public function test_can_create_page_if_chapter_has_permissions_when_book_not_visible()
    {
        /** @var Book $book */
        $book = Book::query()->first();
        $this->setRestrictionsForTestRoles($book, []);
        $bookChapter = $book->chapters->first();
        $this->setRestrictionsForTestRoles($bookChapter, ['view']);

        $this->actingAs($this->user)->get($bookChapter->getUrl())
            ->assertDontSee('New Page');

        $this->setRestrictionsForTestRoles($bookChapter, ['view', 'create']);

        $this->get($bookChapter->getUrl('/create-page'));
        /** @var Page $page */
        $page = Page::query()->where('draft', '=', true)->orderByDesc('id')->first();
        $resp = $this->post($page->getUrl(), [
            'name' => 'test page',
            'html' => 'test content',
        ]);
        $resp->assertRedirect($book->getUrl('/page/test-page'));
    }
}