]> BookStack Code Mirror - bookstack/blob - tests/Permissions/RolesTest.php
projects / bookstack / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Upgraded to Laravel 5.4
[bookstack] / tests / Permissions / RolesTest.php
1 <?php
2
3 class RolesTest extends BrowserKitTest
4 {
5     protected $user;
6
7     public function setUp()
8     {
9         parent::setUp();
10         $this->user = $this->getViewer();
11     }
12
13     protected function getViewer()
14     {
15         $role = \BookStack\Role::getRole('viewer');
16         $viewer = $this->getNewBlankUser();
17         $viewer->attachRole($role);;
18         return $viewer;
19     }
20
21     /**
22      * Give the given user some permissions.
23      * @param \BookStack\User $user
24      * @param array $permissions
25      */
26     protected function giveUserPermissions(\BookStack\User $user, $permissions = [])
27     {
28         $newRole = $this->createNewRole($permissions);
29         $user->attachRole($newRole);
30         $user->load('roles');
31         $user->permissions(false);
32     }
33
34     /**
35      * Create a new basic role for testing purposes.
36      * @param array $permissions
37      * @return static
38      */
39     protected function createNewRole($permissions = [])
40     {
41         $permissionRepo = app('BookStack\Repos\PermissionsRepo');
42         $roleData = factory(\BookStack\Role::class)->make()->toArray();
43         $roleData['permissions'] = array_flip($permissions);
44         return $permissionRepo->saveNewRole($roleData);
45     }
46
47     public function test_admin_can_see_settings()
48     {
49         $this->asAdmin()->visit('/settings')->see('Settings');
50     }
51
52     public function test_cannot_delete_admin_role()
53     {
54         $adminRole = \BookStack\Role::getRole('admin');
55         $deletePageUrl = '/settings/roles/delete/' . $adminRole->id;
56         $this->asAdmin()->visit($deletePageUrl)
57             ->press('Confirm')
58             ->seePageIs($deletePageUrl)
59             ->see('cannot be deleted');
60     }
61
62     public function test_role_cannot_be_deleted_if_default()
63     {
64         $newRole = $this->createNewRole();
65         $this->setSettings(['registration-role' => $newRole->id]);
66
67         $deletePageUrl = '/settings/roles/delete/' . $newRole->id;
68         $this->asAdmin()->visit($deletePageUrl)
69             ->press('Confirm')
70             ->seePageIs($deletePageUrl)
71             ->see('cannot be deleted');
72     }
73
74     public function test_role_create_update_delete_flow()
75     {
76         $testRoleName = 'Test Role';
77         $testRoleDesc = 'a little test description';
78         $testRoleUpdateName = 'An Super Updated role';
79
80         // Creation
81         $this->asAdmin()->visit('/settings')
82             ->click('Roles')
83             ->seePageIs('/settings/roles')
84             ->click('Create New Role')
85             ->type('Test Role', 'display_name')
86             ->type('A little test description', 'description')
87             ->press('Save Role')
88             ->seeInDatabase('roles', ['display_name' => $testRoleName, 'name' => 'test-role', 'description' => $testRoleDesc])
89             ->seePageIs('/settings/roles');
90         // Updating
91         $this->asAdmin()->visit('/settings/roles')
92             ->see($testRoleDesc)
93             ->click($testRoleName)
94             ->type($testRoleUpdateName, '#display_name')
95             ->press('Save Role')
96             ->seeInDatabase('roles', ['display_name' => $testRoleUpdateName, 'name' => 'test-role', 'description' => $testRoleDesc])
97             ->seePageIs('/settings/roles');
98         // Deleting
99         $this->asAdmin()->visit('/settings/roles')
100             ->click($testRoleUpdateName)
101             ->click('Delete Role')
102             ->see($testRoleUpdateName)
103             ->press('Confirm')
104             ->seePageIs('/settings/roles')
105             ->dontSee($testRoleUpdateName);
106     }
107
108     public function test_manage_user_permission()
109     {
110         $this->actingAs($this->user)->visit('/')->visit('/settings/users')
111             ->seePageIs('/');
112         $this->giveUserPermissions($this->user, ['users-manage']);
113         $this->actingAs($this->user)->visit('/')->visit('/settings/users')
114             ->seePageIs('/settings/users');
115     }
116
117     public function test_user_roles_manage_permission()
118     {
119         $this->actingAs($this->user)->visit('/')->visit('/settings/roles')
120             ->seePageIs('/')->visit('/settings/roles/1')->seePageIs('/');
121         $this->giveUserPermissions($this->user, ['user-roles-manage']);
122         $this->actingAs($this->user)->visit('/settings/roles')
123             ->seePageIs('/settings/roles')->click('Admin')
124             ->see('Edit Role');
125     }
126
127     public function test_settings_manage_permission()
128     {
129         $this->actingAs($this->user)->visit('/')->visit('/settings')
130             ->seePageIs('/');
131         $this->giveUserPermissions($this->user, ['settings-manage']);
132         $this->actingAs($this->user)->visit('/')->visit('/settings')
133             ->seePageIs('/settings')->press('Save Settings')->see('Settings Saved');
134     }
135
136     public function test_restrictions_manage_all_permission()
137     {
138         $page = \BookStack\Page::take(1)->get()->first();
139         $this->actingAs($this->user)->visit($page->getUrl())
140             ->dontSee('Permissions')
141             ->visit($page->getUrl() . '/permissions')
142             ->seePageIs('/');
143         $this->giveUserPermissions($this->user, ['restrictions-manage-all']);
144         $this->actingAs($this->user)->visit($page->getUrl())
145             ->see('Permissions')
146             ->click('Permissions')
147             ->see('Page Permissions')->seePageIs($page->getUrl() . '/permissions');
148     }
149
150     public function test_restrictions_manage_own_permission()
151     {
152         $otherUsersPage = \BookStack\Page::first();
153         $content = $this->createEntityChainBelongingToUser($this->user);
154         // Check can't restrict other's content
155         $this->actingAs($this->user)->visit($otherUsersPage->getUrl())
156             ->dontSee('Permissions')
157             ->visit($otherUsersPage->getUrl() . '/permissions')
158             ->seePageIs('/');
159         // Check can't restrict own content
160         $this->actingAs($this->user)->visit($content['page']->getUrl())
161             ->dontSee('Permissions')
162             ->visit($content['page']->getUrl() . '/permissions')
163             ->seePageIs('/');
164
165         $this->giveUserPermissions($this->user, ['restrictions-manage-own']);
166
167         // Check can't restrict other's content
168         $this->actingAs($this->user)->visit($otherUsersPage->getUrl())
169             ->dontSee('Permissions')
170             ->visit($otherUsersPage->getUrl() . '/permissions')
171             ->seePageIs('/');
172         // Check can restrict own content
173         $this->actingAs($this->user)->visit($content['page']->getUrl())
174             ->see('Permissions')
175             ->click('Permissions')
176             ->seePageIs($content['page']->getUrl() . '/permissions');
177     }
178
179     /**
180      * Check a standard entity access permission
181      * @param string $permission
182      * @param array $accessUrls Urls that are only accessible after having the permission
183      * @param array $visibles Check this text, In the buttons toolbar, is only visible with the permission
184      * @param null $callback
185      */
186     private function checkAccessPermission($permission, $accessUrls = [], $visibles = [])
187     {
188         foreach ($accessUrls as $url) {
189             $this->actingAs($this->user)->visit('/')->visit($url)
190                 ->seePageIs('/');
191         }
192         foreach ($visibles as $url => $text) {
193             $this->actingAs($this->user)->visit('/')->visit($url)
194                 ->dontSeeInElement('.action-buttons',$text);
195         }
196
197         $this->giveUserPermissions($this->user, [$permission]);
198
199         foreach ($accessUrls as $url) {
200             $this->actingAs($this->user)->visit('/')->visit($url)
201                 ->seePageIs($url);
202         }
203         foreach ($visibles as $url => $text) {
204             $this->actingAs($this->user)->visit('/')->visit($url)
205                 ->see($text);
206         }
207     }
208
209     public function test_books_create_all_permissions()
210     {
211         $this->checkAccessPermission('book-create-all', [
212             '/books/create'
213         ], [
214             '/books' => 'Create New Book'
215         ]);
216
217         $this->visit('/books/create')
218             ->type('test book', 'name')
219             ->type('book desc', 'description')
220             ->press('Save Book')
221             ->seePageIs('/books/test-book');
222     }
223
224     public function test_books_edit_own_permission()
225     {
226         $otherBook = \BookStack\Book::take(1)->get()->first();
227         $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];
228         $this->checkAccessPermission('book-update-own', [
229             $ownBook->getUrl() . '/edit'
230         ], [
231             $ownBook->getUrl() => 'Edit'
232         ]);
233
234         $this->visit($otherBook->getUrl())
235             ->dontSeeInElement('.action-buttons', 'Edit')
236             ->visit($otherBook->getUrl() . '/edit')
237             ->seePageIs('/');
238     }
239
240     public function test_books_edit_all_permission()
241     {
242         $otherBook = \BookStack\Book::take(1)->get()->first();
243         $this->checkAccessPermission('book-update-all', [
244             $otherBook->getUrl() . '/edit'
245         ], [
246             $otherBook->getUrl() => 'Edit'
247         ]);
248     }
249
250     public function test_books_delete_own_permission()
251     {
252         $this->giveUserPermissions($this->user, ['book-update-all']);
253         $otherBook = \BookStack\Book::take(1)->get()->first();
254         $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];
255         $this->checkAccessPermission('book-delete-own', [
256             $ownBook->getUrl() . '/delete'
257         ], [
258             $ownBook->getUrl() => 'Delete'
259         ]);
260
261         $this->visit($otherBook->getUrl())
262             ->dontSeeInElement('.action-buttons', 'Delete')
263             ->visit($otherBook->getUrl() . '/delete')
264             ->seePageIs('/');
265         $this->visit($ownBook->getUrl())->visit($ownBook->getUrl() . '/delete')
266             ->press('Confirm')
267             ->seePageIs('/books')
268             ->dontSee($ownBook->name);
269     }
270
271     public function test_books_delete_all_permission()
272     {
273         $this->giveUserPermissions($this->user, ['book-update-all']);
274         $otherBook = \BookStack\Book::take(1)->get()->first();
275         $this->checkAccessPermission('book-delete-all', [
276             $otherBook->getUrl() . '/delete'
277         ], [
278             $otherBook->getUrl() => 'Delete'
279         ]);
280
281         $this->visit($otherBook->getUrl())->visit($otherBook->getUrl() . '/delete')
282             ->press('Confirm')
283             ->seePageIs('/books')
284             ->dontSee($otherBook->name);
285     }
286
287     public function test_chapter_create_own_permissions()
288     {
289         $book = \BookStack\Book::take(1)->get()->first();
290         $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];
291         $baseUrl = $ownBook->getUrl() . '/chapter';
292         $this->checkAccessPermission('chapter-create-own', [
293             $baseUrl . '/create'
294         ], [
295             $ownBook->getUrl() => 'New Chapter'
296         ]);
297
298         $this->visit($baseUrl . '/create')
299             ->type('test chapter', 'name')
300             ->type('chapter desc', 'description')
301             ->press('Save Chapter')
302             ->seePageIs($baseUrl . '/test-chapter');
303
304         $this->visit($book->getUrl())
305             ->dontSeeInElement('.action-buttons', 'New Chapter')
306             ->visit($book->getUrl() . '/chapter/create')
307             ->seePageIs('/');
308     }
309
310     public function test_chapter_create_all_permissions()
311     {
312         $book = \BookStack\Book::take(1)->get()->first();
313         $baseUrl = $book->getUrl() . '/chapter';
314         $this->checkAccessPermission('chapter-create-all', [
315             $baseUrl . '/create'
316         ], [
317             $book->getUrl() => 'New Chapter'
318         ]);
319
320         $this->visit($baseUrl . '/create')
321             ->type('test chapter', 'name')
322             ->type('chapter desc', 'description')
323             ->press('Save Chapter')
324             ->seePageIs($baseUrl . '/test-chapter');
325     }
326
327     public function test_chapter_edit_own_permission()
328     {
329         $otherChapter = \BookStack\Chapter::take(1)->get()->first();
330         $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];
331         $this->checkAccessPermission('chapter-update-own', [
332             $ownChapter->getUrl() . '/edit'
333         ], [
334             $ownChapter->getUrl() => 'Edit'
335         ]);
336
337         $this->visit($otherChapter->getUrl())
338             ->dontSeeInElement('.action-buttons', 'Edit')
339             ->visit($otherChapter->getUrl() . '/edit')
340             ->seePageIs('/');
341     }
342
343     public function test_chapter_edit_all_permission()
344     {
345         $otherChapter = \BookStack\Chapter::take(1)->get()->first();
346         $this->checkAccessPermission('chapter-update-all', [
347             $otherChapter->getUrl() . '/edit'
348         ], [
349             $otherChapter->getUrl() => 'Edit'
350         ]);
351     }
352
353     public function test_chapter_delete_own_permission()
354     {
355         $this->giveUserPermissions($this->user, ['chapter-update-all']);
356         $otherChapter = \BookStack\Chapter::take(1)->get()->first();
357         $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];
358         $this->checkAccessPermission('chapter-delete-own', [
359             $ownChapter->getUrl() . '/delete'
360         ], [
361             $ownChapter->getUrl() => 'Delete'
362         ]);
363
364         $bookUrl = $ownChapter->book->getUrl();
365         $this->visit($otherChapter->getUrl())
366             ->dontSeeInElement('.action-buttons', 'Delete')
367             ->visit($otherChapter->getUrl() . '/delete')
368             ->seePageIs('/');
369         $this->visit($ownChapter->getUrl())->visit($ownChapter->getUrl() . '/delete')
370             ->press('Confirm')
371             ->seePageIs($bookUrl)
372             ->dontSeeInElement('.book-content', $ownChapter->name);
373     }
374
375     public function test_chapter_delete_all_permission()
376     {
377         $this->giveUserPermissions($this->user, ['chapter-update-all']);
378         $otherChapter = \BookStack\Chapter::take(1)->get()->first();
379         $this->checkAccessPermission('chapter-delete-all', [
380             $otherChapter->getUrl() . '/delete'
381         ], [
382             $otherChapter->getUrl() => 'Delete'
383         ]);
384
385         $bookUrl = $otherChapter->book->getUrl();
386         $this->visit($otherChapter->getUrl())->visit($otherChapter->getUrl() . '/delete')
387             ->press('Confirm')
388             ->seePageIs($bookUrl)
389             ->dontSeeInElement('.book-content', $otherChapter->name);
390     }
391
392     public function test_page_create_own_permissions()
393     {
394         $book = \BookStack\Book::take(1)->get()->first();
395         $chapter = \BookStack\Chapter::take(1)->get()->first();
396
397         $entities = $this->createEntityChainBelongingToUser($this->user);
398         $ownBook = $entities['book'];
399         $ownChapter = $entities['chapter'];
400
401         $baseUrl = $ownBook->getUrl() . '/page';
402
403         $createUrl = $baseUrl . '/create';
404         $createUrlChapter = $ownChapter->getUrl() . '/create-page';
405         $accessUrls = [$createUrl, $createUrlChapter];
406
407         foreach ($accessUrls as $url) {
408             $this->actingAs($this->user)->visit('/')->visit($url)
409                 ->seePageIs('/');
410         }
411
412         $this->checkAccessPermission('page-create-own', [], [
413             $ownBook->getUrl() => 'New Page',
414             $ownChapter->getUrl() => 'New Page'
415         ]);
416
417         $this->giveUserPermissions($this->user, ['page-create-own']);
418
419         foreach ($accessUrls as $index => $url) {
420             $this->actingAs($this->user)->visit('/')->visit($url);
421             $expectedUrl = \BookStack\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();
422             $this->seePageIs($expectedUrl);
423         }
424
425         $this->visit($baseUrl . '/create')
426             ->type('test page', 'name')
427             ->type('page desc', 'html')
428             ->press('Save Page')
429             ->seePageIs($baseUrl . '/test-page');
430
431         $this->visit($book->getUrl())
432             ->dontSeeInElement('.action-buttons', 'New Page')
433             ->visit($book->getUrl() . '/page/create')
434             ->seePageIs('/');
435         $this->visit($chapter->getUrl())
436             ->dontSeeInElement('.action-buttons', 'New Page')
437             ->visit($chapter->getUrl() . '/create-page')
438             ->seePageIs('/');
439     }
440
441     public function test_page_create_all_permissions()
442     {
443         $book = \BookStack\Book::take(1)->get()->first();
444         $chapter = \BookStack\Chapter::take(1)->get()->first();
445         $baseUrl = $book->getUrl() . '/page';
446         $createUrl = $baseUrl . '/create';
447
448         $createUrlChapter = $chapter->getUrl() . '/create-page';
449         $accessUrls = [$createUrl, $createUrlChapter];
450
451         foreach ($accessUrls as $url) {
452             $this->actingAs($this->user)->visit('/')->visit($url)
453                 ->seePageIs('/');
454         }
455
456         $this->checkAccessPermission('page-create-all', [], [
457             $book->getUrl() => 'New Page',
458             $chapter->getUrl() => 'New Page'
459         ]);
460
461         $this->giveUserPermissions($this->user, ['page-create-all']);
462
463         foreach ($accessUrls as $index => $url) {
464             $this->actingAs($this->user)->visit('/')->visit($url);
465             $expectedUrl = \BookStack\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();
466             $this->seePageIs($expectedUrl);
467         }
468
469         $this->visit($baseUrl . '/create')
470             ->type('test page', 'name')
471             ->type('page desc', 'html')
472             ->press('Save Page')
473             ->seePageIs($baseUrl . '/test-page');
474
475         $this->visit($chapter->getUrl() . '/create-page')
476             ->type('new test page', 'name')
477             ->type('page desc', 'html')
478             ->press('Save Page')
479             ->seePageIs($baseUrl . '/new-test-page');
480     }
481
482     public function test_page_edit_own_permission()
483     {
484         $otherPage = \BookStack\Page::take(1)->get()->first();
485         $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
486         $this->checkAccessPermission('page-update-own', [
487             $ownPage->getUrl() . '/edit'
488         ], [
489             $ownPage->getUrl() => 'Edit'
490         ]);
491
492         $this->visit($otherPage->getUrl())
493             ->dontSeeInElement('.action-buttons', 'Edit')
494             ->visit($otherPage->getUrl() . '/edit')
495             ->seePageIs('/');
496     }
497
498     public function test_page_edit_all_permission()
499     {
500         $otherPage = \BookStack\Page::take(1)->get()->first();
501         $this->checkAccessPermission('page-update-all', [
502             $otherPage->getUrl() . '/edit'
503         ], [
504             $otherPage->getUrl() => 'Edit'
505         ]);
506     }
507
508     public function test_page_delete_own_permission()
509     {
510         $this->giveUserPermissions($this->user, ['page-update-all']);
511         $otherPage = \BookStack\Page::take(1)->get()->first();
512         $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
513         $this->checkAccessPermission('page-delete-own', [
514             $ownPage->getUrl() . '/delete'
515         ], [
516             $ownPage->getUrl() => 'Delete'
517         ]);
518
519         $bookUrl = $ownPage->book->getUrl();
520         $this->visit($otherPage->getUrl())
521             ->dontSeeInElement('.action-buttons', 'Delete')
522             ->visit($otherPage->getUrl() . '/delete')
523             ->seePageIs('/');
524         $this->visit($ownPage->getUrl())->visit($ownPage->getUrl() . '/delete')
525             ->press('Confirm')
526             ->seePageIs($bookUrl)
527             ->dontSeeInElement('.book-content', $ownPage->name);
528     }
529
530     public function test_page_delete_all_permission()
531     {
532         $this->giveUserPermissions($this->user, ['page-update-all']);
533         $otherPage = \BookStack\Page::take(1)->get()->first();
534         $this->checkAccessPermission('page-delete-all', [
535             $otherPage->getUrl() . '/delete'
536         ], [
537             $otherPage->getUrl() => 'Delete'
538         ]);
539
540         $bookUrl = $otherPage->book->getUrl();
541         $this->visit($otherPage->getUrl())->visit($otherPage->getUrl() . '/delete')
542             ->press('Confirm')
543             ->seePageIs($bookUrl)
544             ->dontSeeInElement('.book-content', $otherPage->name);
545     }
546
547     public function test_public_role_visible_in_user_edit_screen()
548     {
549         $user = \BookStack\User::first();
550         $this->asAdmin()->visit('/settings/users/' . $user->id)
551             ->seeElement('#roles-admin')
552             ->seeElement('#roles-public');
553     }
554
555     public function test_public_role_visible_in_role_listing()
556     {
557         $this->asAdmin()->visit('/settings/roles')
558             ->see('Admin')
559             ->see('Public');
560     }
561
562     public function test_public_role_visible_in_default_role_setting()
563     {
564         $this->asAdmin()->visit('/settings')
565             ->seeElement('[data-role-name="admin"]')
566             ->seeElement('[data-role-name="public"]');
567
568     }
569
570     public function test_public_role_not_deleteable()
571     {
572         $this->asAdmin()->visit('/settings/roles')
573             ->click('Public')
574             ->see('Edit Role')
575             ->click('Delete Role')
576             ->press('Confirm')
577             ->see('Delete Role')
578             ->see('Cannot be deleted');
579     }
580
581
582
583     public function test_image_delete_own_permission()
584     {
585         $this->giveUserPermissions($this->user, ['image-update-all']);
586         $page = \BookStack\Page::first();
587         $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $this->user->id, 'updated_by' => $this->user->id]);
588
589         $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
590             ->seeStatusCode(403);
591
592         $this->giveUserPermissions($this->user, ['image-delete-own']);
593
594         $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
595             ->seeStatusCode(200)
596             ->dontSeeInDatabase('images', ['id' => $image->id]);
597     }
598
599     public function test_image_delete_all_permission()
600     {
601         $this->giveUserPermissions($this->user, ['image-update-all']);
602         $admin = $this->getAdmin();
603         $page = \BookStack\Page::first();
604         $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);
605
606         $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
607             ->seeStatusCode(403);
608
609         $this->giveUserPermissions($this->user, ['image-delete-own']);
610
611         $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
612             ->seeStatusCode(403);
613
614         $this->giveUserPermissions($this->user, ['image-delete-all']);
615
616         $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
617             ->seeStatusCode(200)
618             ->dontSeeInDatabase('images', ['id' => $image->id]);
619     }
620
621 }
The core source code for the BookStack project.