3 namespace Tests\Permissions;
5 use BookStack\Actions\ActivityType;
6 use BookStack\Actions\Comment;
7 use BookStack\Auth\Role;
8 use BookStack\Auth\User;
9 use BookStack\Entities\Models\Book;
10 use BookStack\Entities\Models\Bookshelf;
11 use BookStack\Entities\Models\Chapter;
12 use BookStack\Entities\Models\Entity;
13 use BookStack\Entities\Models\Page;
14 use BookStack\Uploads\Image;
15 use Illuminate\Testing\TestResponse;
18 class RolesTest extends TestCase
22 protected function setUp(): void
25 $this->user = $this->getViewer();
28 public function test_admin_can_see_settings()
30 $this->asAdmin()->get('/settings/features')->assertSee('Settings');
33 public function test_cannot_delete_admin_role()
35 $adminRole = Role::getRole('admin');
36 $deletePageUrl = '/settings/roles/delete/' . $adminRole->id;
38 $this->asAdmin()->get($deletePageUrl);
39 $this->delete($deletePageUrl)->assertRedirect($deletePageUrl);
40 $this->get($deletePageUrl)->assertSee('cannot be deleted');
43 public function test_role_cannot_be_deleted_if_default()
45 $newRole = $this->createNewRole();
46 $this->setSettings(['registration-role' => $newRole->id]);
48 $deletePageUrl = '/settings/roles/delete/' . $newRole->id;
49 $this->asAdmin()->get($deletePageUrl);
50 $this->delete($deletePageUrl)->assertRedirect($deletePageUrl);
51 $this->get($deletePageUrl)->assertSee('cannot be deleted');
54 public function test_role_create_update_delete_flow()
56 $testRoleName = 'Test Role';
57 $testRoleDesc = 'a little test description';
58 $testRoleUpdateName = 'An Super Updated role';
61 $resp = $this->asAdmin()->get('/settings/features');
62 $this->withHtml($resp)->assertElementContains('a[href="' . url('/settings/roles') . '"]', 'Roles');
64 $resp = $this->get('/settings/roles');
65 $this->withHtml($resp)->assertElementContains('a[href="' . url('/settings/roles/new') . '"]', 'Create New Role');
67 $resp = $this->get('/settings/roles/new');
68 $this->withHtml($resp)->assertElementContains('form[action="' . url('/settings/roles/new') . '"]', 'Save Role');
70 $resp = $this->post('/settings/roles/new', [
71 'display_name' => $testRoleName,
72 'description' => $testRoleDesc,
74 $resp->assertRedirect('/settings/roles');
76 $resp = $this->get('/settings/roles');
77 $resp->assertSee($testRoleName);
78 $resp->assertSee($testRoleDesc);
79 $this->assertDatabaseHas('roles', [
80 'display_name' => $testRoleName,
81 'description' => $testRoleDesc,
82 'mfa_enforced' => false,
85 /** @var Role $role */
86 $role = Role::query()->where('display_name', '=', $testRoleName)->first();
89 $resp = $this->get('/settings/roles/' . $role->id);
90 $resp->assertSee($testRoleName);
91 $resp->assertSee($testRoleDesc);
92 $this->withHtml($resp)->assertElementContains('form[action="' . url('/settings/roles/' . $role->id) . '"]', 'Save Role');
94 $resp = $this->put('/settings/roles/' . $role->id, [
95 'display_name' => $testRoleUpdateName,
96 'description' => $testRoleDesc,
97 'mfa_enforced' => 'true',
99 $resp->assertRedirect('/settings/roles');
100 $this->assertDatabaseHas('roles', [
101 'display_name' => $testRoleUpdateName,
102 'description' => $testRoleDesc,
103 'mfa_enforced' => true,
107 $resp = $this->get('/settings/roles/' . $role->id);
108 $this->withHtml($resp)->assertElementContains('a[href="' . url("/settings/roles/delete/$role->id") . '"]', 'Delete Role');
110 $resp = $this->get("/settings/roles/delete/$role->id");
111 $resp->assertSee($testRoleUpdateName);
112 $this->withHtml($resp)->assertElementContains('form[action="' . url("/settings/roles/delete/$role->id") . '"]', 'Confirm');
114 $resp = $this->delete("/settings/roles/delete/$role->id");
115 $resp->assertRedirect('/settings/roles');
116 $this->get('/settings/roles')->assertSee('Role successfully deleted');
117 $this->assertActivityExists(ActivityType::ROLE_DELETE);
120 public function test_admin_role_cannot_be_removed_if_user_last_admin()
122 /** @var Role $adminRole */
123 $adminRole = Role::query()->where('system_name', '=', 'admin')->first();
124 $adminUser = $this->getAdmin();
125 $adminRole->users()->where('id', '!=', $adminUser->id)->delete();
126 $this->assertEquals(1, $adminRole->users()->count());
128 $viewerRole = $this->getViewer()->roles()->first();
130 $editUrl = '/settings/users/' . $adminUser->id;
131 $resp = $this->actingAs($adminUser)->put($editUrl, [
132 'name' => $adminUser->name,
133 'email' => $adminUser->email,
135 'viewer' => strval($viewerRole->id),
139 $resp->assertRedirect($editUrl);
141 $resp = $this->get($editUrl);
142 $resp->assertSee('This user is the only user assigned to the administrator role');
145 public function test_migrate_users_on_delete_works()
147 /** @var Role $roleA */
148 $roleA = Role::query()->create(['display_name' => 'Delete Test A']);
149 /** @var Role $roleB */
150 $roleB = Role::query()->create(['display_name' => 'Delete Test B']);
151 $this->user->attachRole($roleB);
153 $this->assertCount(0, $roleA->users()->get());
154 $this->assertCount(1, $roleB->users()->get());
156 $deletePage = $this->asAdmin()->get("/settings/roles/delete/$roleB->id");
157 $this->withHtml($deletePage)->assertElementExists('select[name=migrate_role_id]');
158 $this->asAdmin()->delete("/settings/roles/delete/$roleB->id", [
159 'migrate_role_id' => $roleA->id,
162 $this->assertCount(1, $roleA->users()->get());
163 $this->assertEquals($this->user->id, $roleA->users()->first()->id);
166 public function test_copy_role_button_shown()
168 /** @var Role $role */
169 $role = Role::query()->first();
170 $resp = $this->asAdmin()->get("/settings/roles/{$role->id}");
171 $this->withHtml($resp)->assertElementContains('a[href$="/roles/new?copy_from=' . $role->id . '"]', 'Copy');
174 public function test_copy_from_param_on_create_prefills_with_other_role_data()
176 /** @var Role $role */
177 $role = Role::query()->first();
178 $resp = $this->asAdmin()->get("/settings/roles/new?copy_from={$role->id}");
180 $this->withHtml($resp)->assertElementExists('input[name="display_name"][value="' . ($role->display_name . ' (Copy)') . '"]');
183 public function test_manage_user_permission()
185 $this->actingAs($this->user)->get('/settings/users')->assertRedirect('/');
186 $this->giveUserPermissions($this->user, ['users-manage']);
187 $this->actingAs($this->user)->get('/settings/users')->assertOk();
190 public function test_manage_users_permission_shows_link_in_header_if_does_not_have_settings_manage_permision()
192 $usersLink = 'href="' . url('/settings/users') . '"';
193 $this->actingAs($this->user)->get('/')->assertDontSee($usersLink, false);
194 $this->giveUserPermissions($this->user, ['users-manage']);
195 $this->actingAs($this->user)->get('/')->assertSee($usersLink, false);
196 $this->giveUserPermissions($this->user, ['settings-manage', 'users-manage']);
197 $this->actingAs($this->user)->get('/')->assertDontSee($usersLink, false);
200 public function test_user_cannot_change_email_unless_they_have_manage_users_permission()
202 $userProfileUrl = '/settings/users/' . $this->user->id;
203 $originalEmail = $this->user->email;
204 $this->actingAs($this->user);
206 $resp = $this->get($userProfileUrl)
208 $this->withHtml($resp)->assertElementExists('input[name=email][disabled]');
209 $this->put($userProfileUrl, [
210 'name' => 'my_new_name',
213 $this->assertDatabaseHas('users', [
214 'id' => $this->user->id,
215 'email' => $originalEmail,
216 'name' => 'my_new_name',
219 $this->giveUserPermissions($this->user, ['users-manage']);
221 $resp = $this->get($userProfileUrl)
223 $this->withHtml($resp)->assertElementNotExists('input[name=email][disabled]')
224 ->assertElementExists('input[name=email]');
225 $this->put($userProfileUrl, [
226 'name' => 'my_new_name_2',
230 $this->assertDatabaseHas('users', [
231 'id' => $this->user->id,
233 'name' => 'my_new_name_2',
237 public function test_user_roles_manage_permission()
239 $this->actingAs($this->user)->get('/settings/roles')->assertRedirect('/');
240 $this->get('/settings/roles/1')->assertRedirect('/');
241 $this->giveUserPermissions($this->user, ['user-roles-manage']);
242 $this->actingAs($this->user)->get('/settings/roles')->assertOk();
243 $this->get('/settings/roles/1')
245 ->assertSee('Admin');
248 public function test_settings_manage_permission()
250 $this->actingAs($this->user)->get('/settings/features')->assertRedirect('/');
251 $this->giveUserPermissions($this->user, ['settings-manage']);
252 $this->get('/settings/features')->assertOk();
254 $resp = $this->post('/settings/features', []);
255 $resp->assertRedirect('/settings/features');
256 $resp = $this->get('/settings/features');
257 $resp->assertSee('Settings saved');
260 public function test_restrictions_manage_all_permission()
262 $page = Page::query()->get()->first();
264 $this->actingAs($this->user)->get($page->getUrl())->assertDontSee('Permissions');
265 $this->get($page->getUrl('/permissions'))->assertRedirect('/');
267 $this->giveUserPermissions($this->user, ['restrictions-manage-all']);
269 $this->actingAs($this->user)->get($page->getUrl())->assertSee('Permissions');
271 $this->get($page->getUrl('/permissions'))
273 ->assertSee('Page Permissions');
276 public function test_restrictions_manage_own_permission()
278 /** @var Page $otherUsersPage */
279 $otherUsersPage = Page::query()->first();
280 $content = $this->createEntityChainBelongingToUser($this->user);
282 // Set a different creator on the page we're checking to ensure
283 // that the owner fields are checked
284 $page = $content['page']; /** @var Page $page */
285 $page->created_by = $otherUsersPage->id;
286 $page->owned_by = $this->user->id;
289 // Check can't restrict other's content
290 $this->actingAs($this->user)->get($otherUsersPage->getUrl())->assertDontSee('Permissions');
291 $this->get($otherUsersPage->getUrl('/permissions'))->assertRedirect('/');
293 // Check can't restrict own content
294 $this->actingAs($this->user)->get($page->getUrl())->assertDontSee('Permissions');
295 $this->get($page->getUrl('/permissions'))->assertRedirect('/');
297 $this->giveUserPermissions($this->user, ['restrictions-manage-own']);
299 // Check can't restrict other's content
300 $this->actingAs($this->user)->get($otherUsersPage->getUrl())->assertDontSee('Permissions');
301 $this->get($otherUsersPage->getUrl('/permissions'))->assertRedirect();
303 // Check can restrict own content
304 $this->actingAs($this->user)->get($page->getUrl())->assertSee('Permissions');
305 $this->get($page->getUrl('/permissions'))->assertOk();
309 * Check a standard entity access permission.
311 private function checkAccessPermission(string $permission, array $accessUrls = [], array $visibles = [])
313 foreach ($accessUrls as $url) {
314 $this->actingAs($this->user)->get($url)->assertRedirect('/');
317 foreach ($visibles as $url => $text) {
318 $resp = $this->actingAs($this->user)->get($url);
319 $this->withHtml($resp)->assertElementNotContains('.action-buttons', $text);
322 $this->giveUserPermissions($this->user, [$permission]);
324 foreach ($accessUrls as $url) {
325 $this->actingAs($this->user)->get($url)->assertOk();
327 foreach ($visibles as $url => $text) {
328 $this->actingAs($this->user)->get($url)->assertSee($text);
332 public function test_bookshelves_create_all_permissions()
334 $this->checkAccessPermission('bookshelf-create-all', [
337 '/shelves' => 'New Shelf',
340 $this->post('/shelves', [
341 'name' => 'test shelf',
342 'description' => 'shelf desc',
343 ])->assertRedirect('/shelves/test-shelf');
346 public function test_bookshelves_edit_own_permission()
348 /** @var Bookshelf $otherShelf */
349 $otherShelf = Bookshelf::query()->first();
350 $ownShelf = $this->newShelf(['name' => 'test-shelf', 'slug' => 'test-shelf']);
351 $ownShelf->forceFill(['owned_by' => $this->user->id, 'updated_by' => $this->user->id])->save();
352 $this->regenEntityPermissions($ownShelf);
354 $this->checkAccessPermission('bookshelf-update-own', [
355 $ownShelf->getUrl('/edit'),
357 $ownShelf->getUrl() => 'Edit',
360 $resp = $this->get($otherShelf->getUrl());
361 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Edit');
362 $this->get($otherShelf->getUrl('/edit'))->assertRedirect('/');
365 public function test_bookshelves_edit_all_permission()
367 /** @var Bookshelf $otherShelf */
368 $otherShelf = Bookshelf::query()->first();
369 $this->checkAccessPermission('bookshelf-update-all', [
370 $otherShelf->getUrl('/edit'),
372 $otherShelf->getUrl() => 'Edit',
376 public function test_bookshelves_delete_own_permission()
378 $this->giveUserPermissions($this->user, ['bookshelf-update-all']);
379 /** @var Bookshelf $otherShelf */
380 $otherShelf = Bookshelf::query()->first();
381 $ownShelf = $this->newShelf(['name' => 'test-shelf', 'slug' => 'test-shelf']);
382 $ownShelf->forceFill(['owned_by' => $this->user->id, 'updated_by' => $this->user->id])->save();
383 $this->regenEntityPermissions($ownShelf);
385 $this->checkAccessPermission('bookshelf-delete-own', [
386 $ownShelf->getUrl('/delete'),
388 $ownShelf->getUrl() => 'Delete',
391 $resp = $this->get($otherShelf->getUrl());
392 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Delete');
393 $this->get($otherShelf->getUrl('/delete'))->assertRedirect('/');
395 $this->get($ownShelf->getUrl());
396 $this->delete($ownShelf->getUrl())->assertRedirect('/shelves');
397 $this->get('/shelves')->assertDontSee($ownShelf->name);
400 public function test_bookshelves_delete_all_permission()
402 $this->giveUserPermissions($this->user, ['bookshelf-update-all']);
403 /** @var Bookshelf $otherShelf */
404 $otherShelf = Bookshelf::query()->first();
405 $this->checkAccessPermission('bookshelf-delete-all', [
406 $otherShelf->getUrl('/delete'),
408 $otherShelf->getUrl() => 'Delete',
411 $this->delete($otherShelf->getUrl())->assertRedirect('/shelves');
412 $this->get('/shelves')->assertDontSee($otherShelf->name);
415 public function test_books_create_all_permissions()
417 $this->checkAccessPermission('book-create-all', [
420 '/books' => 'Create New Book',
423 $this->post('/books', [
424 'name' => 'test book',
425 'description' => 'book desc',
426 ])->assertRedirect('/books/test-book');
429 public function test_books_edit_own_permission()
431 /** @var Book $otherBook */
432 $otherBook = Book::query()->take(1)->get()->first();
433 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];
434 $this->checkAccessPermission('book-update-own', [
435 $ownBook->getUrl() . '/edit',
437 $ownBook->getUrl() => 'Edit',
440 $resp = $this->get($otherBook->getUrl());
441 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Edit');
442 $this->get($otherBook->getUrl('/edit'))->assertRedirect('/');
445 public function test_books_edit_all_permission()
447 /** @var Book $otherBook */
448 $otherBook = Book::query()->take(1)->get()->first();
449 $this->checkAccessPermission('book-update-all', [
450 $otherBook->getUrl() . '/edit',
452 $otherBook->getUrl() => 'Edit',
456 public function test_books_delete_own_permission()
458 $this->giveUserPermissions($this->user, ['book-update-all']);
459 /** @var Book $otherBook */
460 $otherBook = Book::query()->take(1)->get()->first();
461 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];
462 $this->checkAccessPermission('book-delete-own', [
463 $ownBook->getUrl() . '/delete',
465 $ownBook->getUrl() => 'Delete',
468 $resp = $this->get($otherBook->getUrl());
469 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Delete');
470 $this->get($otherBook->getUrl('/delete'))->assertRedirect('/');
471 $this->get($ownBook->getUrl());
472 $this->delete($ownBook->getUrl())->assertRedirect('/books');
473 $this->get('/books')->assertDontSee($ownBook->name);
476 public function test_books_delete_all_permission()
478 $this->giveUserPermissions($this->user, ['book-update-all']);
479 /** @var Book $otherBook */
480 $otherBook = Book::query()->take(1)->get()->first();
481 $this->checkAccessPermission('book-delete-all', [
482 $otherBook->getUrl() . '/delete',
484 $otherBook->getUrl() => 'Delete',
487 $this->get($otherBook->getUrl());
488 $this->delete($otherBook->getUrl())->assertRedirect('/books');
489 $this->get('/books')->assertDontSee($otherBook->name);
492 public function test_chapter_create_own_permissions()
494 /** @var Book $book */
495 $book = Book::query()->take(1)->get()->first();
496 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];
497 $this->checkAccessPermission('chapter-create-own', [
498 $ownBook->getUrl('/create-chapter'),
500 $ownBook->getUrl() => 'New Chapter',
503 $this->post($ownBook->getUrl('/create-chapter'), [
504 'name' => 'test chapter',
505 'description' => 'chapter desc',
506 ])->assertRedirect($ownBook->getUrl('/chapter/test-chapter'));
508 $resp = $this->get($book->getUrl());
509 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'New Chapter');
510 $this->get($book->getUrl('/create-chapter'))->assertRedirect('/');
513 public function test_chapter_create_all_permissions()
515 /** @var Book $book */
516 $book = Book::query()->first();
517 $this->checkAccessPermission('chapter-create-all', [
518 $book->getUrl('/create-chapter'),
520 $book->getUrl() => 'New Chapter',
523 $this->post($book->getUrl('/create-chapter'), [
524 'name' => 'test chapter',
525 'description' => 'chapter desc',
526 ])->assertRedirect($book->getUrl('/chapter/test-chapter'));
529 public function test_chapter_edit_own_permission()
531 /** @var Chapter $otherChapter */
532 $otherChapter = Chapter::query()->first();
533 $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];
534 $this->checkAccessPermission('chapter-update-own', [
535 $ownChapter->getUrl() . '/edit',
537 $ownChapter->getUrl() => 'Edit',
540 $resp = $this->get($otherChapter->getUrl());
541 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Edit');
542 $this->get($otherChapter->getUrl('/edit'))->assertRedirect('/');
545 public function test_chapter_edit_all_permission()
547 /** @var Chapter $otherChapter */
548 $otherChapter = Chapter::query()->take(1)->get()->first();
549 $this->checkAccessPermission('chapter-update-all', [
550 $otherChapter->getUrl() . '/edit',
552 $otherChapter->getUrl() => 'Edit',
556 public function test_chapter_delete_own_permission()
558 $this->giveUserPermissions($this->user, ['chapter-update-all']);
559 /** @var Chapter $otherChapter */
560 $otherChapter = Chapter::query()->first();
561 $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];
562 $this->checkAccessPermission('chapter-delete-own', [
563 $ownChapter->getUrl() . '/delete',
565 $ownChapter->getUrl() => 'Delete',
568 $bookUrl = $ownChapter->book->getUrl();
569 $resp = $this->get($otherChapter->getUrl());
570 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Delete');
571 $this->get($otherChapter->getUrl('/delete'))->assertRedirect('/');
572 $this->get($ownChapter->getUrl());
573 $this->delete($ownChapter->getUrl())->assertRedirect($bookUrl);
574 $resp = $this->get($bookUrl);
575 $this->withHtml($resp)->assertElementNotContains('.book-content', $ownChapter->name);
578 public function test_chapter_delete_all_permission()
580 $this->giveUserPermissions($this->user, ['chapter-update-all']);
581 /** @var Chapter $otherChapter */
582 $otherChapter = Chapter::query()->first();
583 $this->checkAccessPermission('chapter-delete-all', [
584 $otherChapter->getUrl() . '/delete',
586 $otherChapter->getUrl() => 'Delete',
589 $bookUrl = $otherChapter->book->getUrl();
590 $this->get($otherChapter->getUrl());
591 $this->delete($otherChapter->getUrl())->assertRedirect($bookUrl);
592 $resp = $this->get($bookUrl);
593 $this->withHtml($resp)->assertElementNotContains('.book-content', $otherChapter->name);
596 public function test_page_create_own_permissions()
598 /** @var Book $book */
599 $book = Book::query()->first();
600 /** @var Chapter $chapter */
601 $chapter = Chapter::query()->first();
603 $entities = $this->createEntityChainBelongingToUser($this->user);
604 $ownBook = $entities['book'];
605 $ownChapter = $entities['chapter'];
607 $createUrl = $ownBook->getUrl('/create-page');
608 $createUrlChapter = $ownChapter->getUrl('/create-page');
609 $accessUrls = [$createUrl, $createUrlChapter];
611 foreach ($accessUrls as $url) {
612 $this->actingAs($this->user)->get($url)->assertRedirect('/');
615 $this->checkAccessPermission('page-create-own', [], [
616 $ownBook->getUrl() => 'New Page',
617 $ownChapter->getUrl() => 'New Page',
620 $this->giveUserPermissions($this->user, ['page-create-own']);
622 foreach ($accessUrls as $index => $url) {
623 $resp = $this->actingAs($this->user)->get($url);
624 $expectedUrl = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();
625 $resp->assertRedirect($expectedUrl);
628 $this->get($createUrl);
629 /** @var Page $draft */
630 $draft = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first();
631 $this->post($draft->getUrl(), [
632 'name' => 'test page',
633 'html' => 'page desc',
634 ])->assertRedirect($ownBook->getUrl('/page/test-page'));
636 $resp = $this->get($book->getUrl());
637 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'New Page');
638 $this->get($book->getUrl('/create-page'))->assertRedirect('/');
640 $resp = $this->get($chapter->getUrl());
641 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'New Page');
642 $this->get($chapter->getUrl('/create-page'))->assertRedirect('/');
645 public function test_page_create_all_permissions()
647 /** @var Book $book */
648 $book = Book::query()->first();
649 /** @var Chapter $chapter */
650 $chapter = Chapter::query()->first();
651 $createUrl = $book->getUrl('/create-page');
653 $createUrlChapter = $chapter->getUrl('/create-page');
654 $accessUrls = [$createUrl, $createUrlChapter];
656 foreach ($accessUrls as $url) {
657 $this->actingAs($this->user)->get($url)->assertRedirect('/');
660 $this->checkAccessPermission('page-create-all', [], [
661 $book->getUrl() => 'New Page',
662 $chapter->getUrl() => 'New Page',
665 $this->giveUserPermissions($this->user, ['page-create-all']);
667 foreach ($accessUrls as $index => $url) {
668 $resp = $this->actingAs($this->user)->get($url);
669 $expectedUrl = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();
670 $resp->assertRedirect($expectedUrl);
673 $this->get($createUrl);
674 /** @var Page $draft */
675 $draft = Page::query()->where('draft', '=', true)->orderByDesc('id')->first();
676 $this->post($draft->getUrl(), [
677 'name' => 'test page',
678 'html' => 'page desc',
679 ])->assertRedirect($book->getUrl('/page/test-page'));
681 $this->get($chapter->getUrl('/create-page'));
682 /** @var Page $draft */
683 $draft = Page::query()->where('draft', '=', true)->orderByDesc('id')->first();
684 $this->post($draft->getUrl(), [
685 'name' => 'new test page',
686 'html' => 'page desc',
687 ])->assertRedirect($book->getUrl('/page/new-test-page'));
690 public function test_page_edit_own_permission()
692 /** @var Page $otherPage */
693 $otherPage = Page::query()->first();
694 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
695 $this->checkAccessPermission('page-update-own', [
696 $ownPage->getUrl() . '/edit',
698 $ownPage->getUrl() => 'Edit',
701 $resp = $this->get($otherPage->getUrl());
702 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Edit');
703 $this->get($otherPage->getUrl() . '/edit')->assertRedirect('/');
706 public function test_page_edit_all_permission()
708 /** @var Page $otherPage */
709 $otherPage = Page::query()->first();
710 $this->checkAccessPermission('page-update-all', [
711 $otherPage->getUrl('/edit'),
713 $otherPage->getUrl() => 'Edit',
717 public function test_page_delete_own_permission()
719 $this->giveUserPermissions($this->user, ['page-update-all']);
720 /** @var Page $otherPage */
721 $otherPage = Page::query()->first();
722 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
723 $this->checkAccessPermission('page-delete-own', [
724 $ownPage->getUrl() . '/delete',
726 $ownPage->getUrl() => 'Delete',
729 $parent = $ownPage->chapter ?? $ownPage->book;
730 $resp = $this->get($otherPage->getUrl());
731 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Delete');
732 $this->get($otherPage->getUrl('/delete'))->assertRedirect('/');
733 $this->get($ownPage->getUrl());
734 $this->delete($ownPage->getUrl())->assertRedirect($parent->getUrl());
735 $resp = $this->get($parent->getUrl());
736 $this->withHtml($resp)->assertElementNotContains('.book-content', $ownPage->name);
739 public function test_page_delete_all_permission()
741 $this->giveUserPermissions($this->user, ['page-update-all']);
742 /** @var Page $otherPage */
743 $otherPage = Page::query()->first();
745 $this->checkAccessPermission('page-delete-all', [
746 $otherPage->getUrl() . '/delete',
748 $otherPage->getUrl() => 'Delete',
751 /** @var Entity $parent */
752 $parent = $otherPage->chapter ?? $otherPage->book;
753 $this->get($otherPage->getUrl());
755 $this->delete($otherPage->getUrl())->assertRedirect($parent->getUrl());
756 $this->get($parent->getUrl())->assertDontSee($otherPage->name);
759 public function test_public_role_visible_in_user_edit_screen()
761 /** @var User $user */
762 $user = User::query()->first();
763 $adminRole = Role::getSystemRole('admin');
764 $publicRole = Role::getSystemRole('public');
765 $resp = $this->asAdmin()->get('/settings/users/' . $user->id);
766 $this->withHtml($resp)->assertElementExists('[name="roles[' . $adminRole->id . ']"]')
767 ->assertElementExists('[name="roles[' . $publicRole->id . ']"]');
770 public function test_public_role_visible_in_role_listing()
772 $this->asAdmin()->get('/settings/roles')
774 ->assertSee('Public');
777 public function test_public_role_visible_in_default_role_setting()
779 $resp = $this->asAdmin()->get('/settings/registration');
780 $this->withHtml($resp)->assertElementExists('[data-system-role-name="admin"]')
781 ->assertElementExists('[data-system-role-name="public"]');
784 public function test_public_role_not_deletable()
786 /** @var Role $publicRole */
787 $publicRole = Role::getSystemRole('public');
788 $resp = $this->asAdmin()->delete('/settings/roles/delete/' . $publicRole->id);
789 $resp->assertRedirect('/');
791 $this->get('/settings/roles/delete/' . $publicRole->id);
792 $resp = $this->delete('/settings/roles/delete/' . $publicRole->id);
793 $resp->assertRedirect('/settings/roles/delete/' . $publicRole->id);
794 $resp = $this->get('/settings/roles/delete/' . $publicRole->id);
795 $resp->assertSee('This role is a system role and cannot be deleted');
798 public function test_image_delete_own_permission()
800 $this->giveUserPermissions($this->user, ['image-update-all']);
801 /** @var Page $page */
802 $page = Page::query()->first();
803 $image = Image::factory()->create([
804 'uploaded_to' => $page->id,
805 'created_by' => $this->user->id,
806 'updated_by' => $this->user->id,
809 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertStatus(403);
811 $this->giveUserPermissions($this->user, ['image-delete-own']);
813 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertOk();
814 $this->assertDatabaseMissing('images', ['id' => $image->id]);
817 public function test_image_delete_all_permission()
819 $this->giveUserPermissions($this->user, ['image-update-all']);
820 $admin = $this->getAdmin();
821 /** @var Page $page */
822 $page = Page::query()->first();
823 $image = Image::factory()->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);
825 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertStatus(403);
827 $this->giveUserPermissions($this->user, ['image-delete-own']);
829 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertStatus(403);
831 $this->giveUserPermissions($this->user, ['image-delete-all']);
833 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertOk();
834 $this->assertDatabaseMissing('images', ['id' => $image->id]);
837 public function test_role_permission_removal()
839 // To cover issue fixed in f99c8ff99aee9beb8c692f36d4b84dc6e651e50a.
840 /** @var Page $page */
841 $page = Page::query()->first();
842 $viewerRole = Role::getRole('viewer');
843 $viewer = $this->getViewer();
844 $this->actingAs($viewer)->get($page->getUrl())->assertOk();
846 $this->asAdmin()->put('/settings/roles/' . $viewerRole->id, [
847 'display_name' => $viewerRole->display_name,
848 'description' => $viewerRole->description,
850 ])->assertStatus(302);
852 $this->actingAs($viewer)->get($page->getUrl())->assertStatus(404);
855 public function test_empty_state_actions_not_visible_without_permission()
857 $admin = $this->getAdmin();
859 $book = Book::factory()->create(['created_by' => $admin->id, 'updated_by' => $admin->id]);
860 $this->regenEntityPermissions($book);
861 $this->actingAs($this->getViewer())->get($book->getUrl())
862 ->assertDontSee('Create a new page')
863 ->assertDontSee('Add a chapter');
866 $chapter = Chapter::factory()->create(['created_by' => $admin->id, 'updated_by' => $admin->id, 'book_id' => $book->id]);
867 $this->regenEntityPermissions($chapter);
868 $this->actingAs($this->getViewer())->get($chapter->getUrl())
869 ->assertDontSee('Create a new page')
870 ->assertDontSee('Sort the current book');
873 public function test_comment_create_permission()
875 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
877 $this->actingAs($this->user)
878 ->addComment($ownPage)
881 $this->giveUserPermissions($this->user, ['comment-create-all']);
883 $this->actingAs($this->user)
884 ->addComment($ownPage)
888 public function test_comment_update_own_permission()
890 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
891 $this->giveUserPermissions($this->user, ['comment-create-all']);
892 $this->actingAs($this->user)->addComment($ownPage);
893 /** @var Comment $comment */
894 $comment = $ownPage->comments()->latest()->first();
896 // no comment-update-own
897 $this->actingAs($this->user)->updateComment($comment)->assertStatus(403);
899 $this->giveUserPermissions($this->user, ['comment-update-own']);
901 // now has comment-update-own
902 $this->actingAs($this->user)->updateComment($comment)->assertOk();
905 public function test_comment_update_all_permission()
907 /** @var Page $ownPage */
908 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
909 $this->asAdmin()->addComment($ownPage);
910 /** @var Comment $comment */
911 $comment = $ownPage->comments()->latest()->first();
913 // no comment-update-all
914 $this->actingAs($this->user)->updateComment($comment)->assertStatus(403);
916 $this->giveUserPermissions($this->user, ['comment-update-all']);
918 // now has comment-update-all
919 $this->actingAs($this->user)->updateComment($comment)->assertOk();
922 public function test_comment_delete_own_permission()
924 /** @var Page $ownPage */
925 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
926 $this->giveUserPermissions($this->user, ['comment-create-all']);
927 $this->actingAs($this->user)->addComment($ownPage);
929 /** @var Comment $comment */
930 $comment = $ownPage->comments()->latest()->first();
932 // no comment-delete-own
933 $this->actingAs($this->user)->deleteComment($comment)->assertStatus(403);
935 $this->giveUserPermissions($this->user, ['comment-delete-own']);
937 // now has comment-update-own
938 $this->actingAs($this->user)->deleteComment($comment)->assertOk();
941 public function test_comment_delete_all_permission()
943 /** @var Page $ownPage */
944 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];
945 $this->asAdmin()->addComment($ownPage);
946 /** @var Comment $comment */
947 $comment = $ownPage->comments()->latest()->first();
949 // no comment-delete-all
950 $this->actingAs($this->user)->deleteComment($comment)->assertStatus(403);
952 $this->giveUserPermissions($this->user, ['comment-delete-all']);
954 // now has comment-delete-all
955 $this->actingAs($this->user)->deleteComment($comment)->assertOk();
958 private function addComment(Page $page): TestResponse
960 $comment = Comment::factory()->make();
962 return $this->postJson("/comment/$page->id", $comment->only('text', 'html'));
965 private function updateComment(Comment $comment): TestResponse
967 $commentData = Comment::factory()->make();
969 return $this->putJson("/comment/{$comment->id}", $commentData->only('text', 'html'));
972 private function deleteComment(Comment $comment): TestResponse
974 return $this->json('DELETE', '/comment/' . $comment->id);
projects / bookstack / blob