1 <?php
2
3 namespace Tests\Api;
4
5 use Tests\TestCase;
6
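/**
 * API tests for the content-permissions endpoints.
 *
 * Covers the authorisation gate shared by both endpoints (the
 * 'restrictions-manage-all' role permission), the exact shape of the
 * read response, and the owner / role / fallback permission updates
 * accepted by the PUT endpoint, including clearing them again.
 */
class ContentPermissionsApiTest extends TestCase
{
    use TestsApi;

    protected string $baseEndpoint = '/api/content-permissions';

    /**
     * Both endpoints must reject a user lacking the 'restrictions-manage-all'
     * role permission with the standard 403 permission error, and stop
     * rejecting once that permission is granted.
     */
    public function test_user_roles_manage_permission_needed_for_all_endpoints(): void
    {
        $page = $this->entities->page();
        // Same URI for both verbs; built from $baseEndpoint so the test
        // cannot drift from the other cases in this class.
        $endpointMap = [
            ['get', $this->baseEndpoint . "/page/{$page->id}"],
            ['put', $this->baseEndpoint . "/page/{$page->id}"],
        ];
        $editor = $this->users->editor();

        $this->actingAs($editor, 'api');
        foreach ($endpointMap as [$method, $uri]) {
            $resp = $this->json($method, $uri);
            $resp->assertStatus(403);
            $resp->assertJson($this->permissionErrorResponse());
        }

        $this->permissions->grantUserRolePermissions($editor, ['restrictions-manage-all']);

        // Only the authorisation outcome is asserted here; the response
        // content of each endpoint is covered by the tests below.
        foreach ($endpointMap as [$method, $uri]) {
            $resp = $this->json($method, $uri);
            $this->assertNotEquals(403, $resp->getStatusCode());
        }
    }

    /**
     * The read response exposes the owner, each role's per-action flags
     * alongside a role summary, and the non-inheriting fallback flags.
     */
    public function test_read_endpoint_shows_expected_detail(): void
    {
        $page = $this->entities->page();
        $owner = $this->users->newUser();
        $role = $this->users->createRole();
        $this->permissions->addEntityPermission($page, ['view', 'delete'], $role);
        $this->permissions->changeEntityOwner($page, $owner);
        $this->permissions->setFallbackPermissions($page, ['update', 'create']);

        $this->actingAsApiAdmin();
        $resp = $this->getJson($this->baseEndpoint . "/page/{$page->id}");

        $resp->assertOk();
        $resp->assertExactJson([
            'owner' => [
                'id' => $owner->id, 'name' => $owner->name, 'slug' => $owner->slug,
            ],
            'role_permissions' => [
                [
                    'role_id' => $role->id,
                    'view' => true,
                    'create' => false,
                    'update' => false,
                    'delete' => true,
                    'role' => [
                        'id' => $role->id,
                        'display_name' => $role->display_name,
                    ],
                ],
            ],
            'fallback_permissions' => [
                'inheriting' => false,
                'view' => false,
                'create' => true,
                'update' => true,
                'delete' => false,
            ],
        ]);
    }

    /**
     * With no owner and no entity permissions the read response reports a
     * null owner, an empty role list and inheriting fallback permissions
     * whose per-action flags are null.
     */
    public function test_read_endpoint_shows_expected_detail_when_items_are_empty(): void
    {
        $page = $this->entities->page();
        $page->permissions()->delete();
        $page->owned_by = null;
        $page->save();

        $this->actingAsApiAdmin();
        $resp = $this->getJson($this->baseEndpoint . "/page/{$page->id}");

        $resp->assertOk();
        $resp->assertExactJson([
            'owner' => null,
            'role_permissions' => [],
            'fallback_permissions' => [
                'inheriting' => true,
                'view' => null,
                'create' => null,
                'update' => null,
                'delete' => null,
            ],
        ]);
    }

    /**
     * Sending only 'owner_id' changes the owner and leaves role and
     * fallback permissions untouched in the returned state.
     */
    public function test_update_endpoint_can_change_owner(): void
    {
        $page = $this->entities->page();
        $newOwner = $this->users->newUser();

        $this->actingAsApiAdmin();
        $resp = $this->putJson($this->baseEndpoint . "/page/{$page->id}", [
            'owner_id' => $newOwner->id,
        ]);

        $resp->assertOk();
        $resp->assertExactJson([
            'owner' => ['id' => $newOwner->id, 'name' => $newOwner->name, 'slug' => $newOwner->slug],
            'role_permissions' => [],
            'fallback_permissions' => [
                'inheriting' => true,
                'view' => null,
                'create' => null,
                'update' => null,
                'delete' => null,
            ],
        ]);
    }

    /**
     * Role permissions supplied on update are echoed back, in the order
     * given, with each role's summary attached.
     */
    public function test_update_can_set_role_permissions(): void
    {
        $page = $this->entities->page();
        $page->owned_by = null;
        $page->save();
        $newRoleA = $this->users->createRole();
        $newRoleB = $this->users->createRole();

        $this->actingAsApiAdmin();
        $resp = $this->putJson($this->baseEndpoint . "/page/{$page->id}", [
            'role_permissions' => [
                ['role_id' => $newRoleA->id, 'view' => true, 'create' => false, 'update' => false, 'delete' => false],
                ['role_id' => $newRoleB->id, 'view' => true, 'create' => false, 'update' => true, 'delete' => true],
            ],
        ]);

        $resp->assertOk();
        $resp->assertExactJson([
            'owner' => null,
            'role_permissions' => [
                [
                    'role_id' => $newRoleA->id,
                    'view' => true,
                    'create' => false,
                    'update' => false,
                    'delete' => false,
                    'role' => [
                        'id' => $newRoleA->id,
                        'display_name' => $newRoleA->display_name,
                    ],
                ],
                [
                    'role_id' => $newRoleB->id,
                    'view' => true,
                    'create' => false,
                    'update' => true,
                    'delete' => true,
                    'role' => [
                        'id' => $newRoleB->id,
                        'display_name' => $newRoleB->display_name,
                    ],
                ],
            ],
            'fallback_permissions' => [
                'inheriting' => true,
                'view' => null,
                'create' => null,
                'update' => null,
                'delete' => null,
            ],
        ]);
    }

    /**
     * Explicit (non-inheriting) fallback permissions are accepted and
     * returned with the exact flags that were sent.
     */
    public function test_update_can_set_fallback_permissions(): void
    {
        $page = $this->entities->page();
        $page->owned_by = null;
        $page->save();

        $this->actingAsApiAdmin();
        $resp = $this->putJson($this->baseEndpoint . "/page/{$page->id}", [
            'fallback_permissions' => [
                'inheriting' => false,
                'view' => true,
                'create' => true,
                'update' => true,
                'delete' => false,
            ],
        ]);

        $resp->assertOk();
        $resp->assertExactJson([
            'owner' => null,
            'role_permissions' => [],
            'fallback_permissions' => [
                'inheriting' => false,
                'view' => true,
                'create' => true,
                'update' => true,
                'delete' => false,
            ],
        ]);
    }

    /**
     * An empty 'role_permissions' list removes the role permissions that
     * were previously set on the entity.
     */
    public function test_update_can_clear_roles_permissions(): void
    {
        $page = $this->entities->page();
        $this->permissions->addEntityPermission($page, ['view'], $this->users->createRole());
        $page->owned_by = null;
        $page->save();

        $this->actingAsApiAdmin();
        $resp = $this->putJson($this->baseEndpoint . "/page/{$page->id}", [
            'role_permissions' => [],
        ]);

        $resp->assertOk();
        $resp->assertExactJson([
            'owner' => null,
            'role_permissions' => [],
            'fallback_permissions' => [
                'inheriting' => true,
                'view' => null,
                'create' => null,
                'update' => null,
                'delete' => null,
            ],
        ]);
    }

    /**
     * Setting 'inheriting' back to true drops previously configured
     * fallback permissions; the per-action flags then read as null.
     */
    public function test_update_can_clear_fallback_permissions(): void
    {
        $page = $this->entities->page();
        $this->permissions->setFallbackPermissions($page, ['view', 'update']);
        $page->owned_by = null;
        $page->save();

        $this->actingAsApiAdmin();
        $resp = $this->putJson($this->baseEndpoint . "/page/{$page->id}", [
            'fallback_permissions' => [
                'inheriting' => true,
            ],
        ]);

        $resp->assertOk();
        $resp->assertExactJson([
            'owner' => null,
            'role_permissions' => [],
            'fallback_permissions' => [
                'inheriting' => true,
                'view' => null,
                'create' => null,
                'update' => null,
                'delete' => null,
            ],
        ]);
    }

    /**
     * Owner and fallback permissions may be updated in a single request;
     * both changes are verified directly against the database.
     */
    public function test_update_can_both_provide_owner_and_fallback_permissions(): void
    {
        $user = $this->users->viewer();
        $page = $this->entities->page();
        $page->owned_by = null;
        $page->save();

        $this->actingAsApiAdmin();
        $resp = $this->putJson($this->baseEndpoint . "/page/{$page->id}", [
            'owner_id' => $user->id,
            'fallback_permissions' => [
                'inheriting' => false,
                'view' => false,
                'create' => false,
                'update' => false,
                'delete' => false,
            ],
        ]);

        $resp->assertOk();
        $this->assertDatabaseHas('pages', ['id' => $page->id, 'owned_by' => $user->id]);
        // Fallback permissions are expected to be persisted as the
        // entity_permissions row with role_id 0 for this entity.
        $this->assertDatabaseHas('entity_permissions', [
            'entity_id' => $page->id,
            'entity_type' => 'page',
            'role_id' => 0,
            'view' => false,
            'create' => false,
            'update' => false,
            'delete' => false,
        ]);
    }
}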