BookStack Code Mirror - bookstack/blob - tests/Permissions/RolesTest.php

1 <?php namespace Tests;

3 use BookStack\Entities\Bookshelf;

4 use BookStack\Entities\Page;

5 use BookStack\Auth\Permissions\PermissionsRepo;

6 use BookStack\Auth\Role;

7 use Laravel\BrowserKitTesting\HttpException;

8 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

10 class RolesTest extends BrowserKitTest

11 {

12 protected $user;

14 public function setUp()

15 {

16 parent::setUp();

17 $this->user = $this->getViewer();

18 }

20 public function test_admin_can_see_settings()

21 {

22 $this->asAdmin()->visit('/settings')->see('Settings');

23 }

25 public function test_cannot_delete_admin_role()

26 {

27 $adminRole = \BookStack\Auth\Role::getRole('admin');

28 $deletePageUrl = '/settings/roles/delete/' . $adminRole->id;

29 $this->asAdmin()->visit($deletePageUrl)

30 ->press('Confirm')

31 ->seePageIs($deletePageUrl)

32 ->see('cannot be deleted');

33 }

35 public function test_role_cannot_be_deleted_if_default()

36 {

37 $newRole = $this->createNewRole();

38 $this->setSettings(['registration-role' => $newRole->id]);

40 $deletePageUrl = '/settings/roles/delete/' . $newRole->id;

41 $this->asAdmin()->visit($deletePageUrl)

42 ->press('Confirm')

43 ->seePageIs($deletePageUrl)

44 ->see('cannot be deleted');

45 }

47 public function test_role_create_update_delete_flow()

48 {

49 $testRoleName = 'Test Role';

50 $testRoleDesc = 'a little test description';

51 $testRoleUpdateName = 'An Super Updated role';

53 // Creation

54 $this->asAdmin()->visit('/settings')

55 ->click('Roles')

56 ->seePageIs('/settings/roles')

57 ->click('Create New Role')

58 ->type('Test Role', 'display_name')

59 ->type('A little test description', 'description')

60 ->press('Save Role')

61 ->seeInDatabase('roles', ['display_name' => $testRoleName, 'name' => 'test-role', 'description' => $testRoleDesc])

62 ->seePageIs('/settings/roles');

63 // Updating

64 $this->asAdmin()->visit('/settings/roles')

65 ->see($testRoleDesc)

66 ->click($testRoleName)

67 ->type($testRoleUpdateName, '#display_name')

68 ->press('Save Role')

69 ->seeInDatabase('roles', ['display_name' => $testRoleUpdateName, 'name' => 'test-role', 'description' => $testRoleDesc])

70 ->seePageIs('/settings/roles');

71 // Deleting

72 $this->asAdmin()->visit('/settings/roles')

73 ->click($testRoleUpdateName)

74 ->click('Delete Role')

75 ->see($testRoleUpdateName)

76 ->press('Confirm')

77 ->seePageIs('/settings/roles')

78 ->dontSee($testRoleUpdateName);

79 }

81 public function test_manage_user_permission()

82 {

83 $this->actingAs($this->user)->visit('/settings/users')

84 ->seePageIs('/');

85 $this->giveUserPermissions($this->user, ['users-manage']);

86 $this->actingAs($this->user)->visit('/settings/users')

87 ->seePageIs('/settings/users');

88 }

90 public function test_user_roles_manage_permission()

91 {

92 $this->actingAs($this->user)->visit('/settings/roles')

93 ->seePageIs('/')->visit('/settings/roles/1')->seePageIs('/');

94 $this->giveUserPermissions($this->user, ['user-roles-manage']);

95 $this->actingAs($this->user)->visit('/settings/roles')

96 ->seePageIs('/settings/roles')->click('Admin')

97 ->see('Edit Role');

98 }

100 public function test_settings_manage_permission()

101 {

102 $this->actingAs($this->user)->visit('/settings')

103 ->seePageIs('/');

104 $this->giveUserPermissions($this->user, ['settings-manage']);

105 $this->actingAs($this->user)->visit('/settings')

106 ->seePageIs('/settings')->press('Save Settings')->see('Settings Saved');

107 }

108

109 public function test_restrictions_manage_all_permission()

110 {

111 $page = \BookStack\Entities\Page::take(1)->get()->first();

112 $this->actingAs($this->user)->visit($page->getUrl())

113 ->dontSee('Permissions')

114 ->visit($page->getUrl() . '/permissions')

115 ->seePageIs('/');

116 $this->giveUserPermissions($this->user, ['restrictions-manage-all']);

117 $this->actingAs($this->user)->visit($page->getUrl())

118 ->see('Permissions')

119 ->click('Permissions')

120 ->see('Page Permissions')->seePageIs($page->getUrl() . '/permissions');

121 }

122

123 public function test_restrictions_manage_own_permission()

124 {

125 $otherUsersPage = \BookStack\Entities\Page::first();

126 $content = $this->createEntityChainBelongingToUser($this->user);

127 // Check can't restrict other's content

128 $this->actingAs($this->user)->visit($otherUsersPage->getUrl())

129 ->dontSee('Permissions')

130 ->visit($otherUsersPage->getUrl() . '/permissions')

131 ->seePageIs('/');

132 // Check can't restrict own content

133 $this->actingAs($this->user)->visit($content['page']->getUrl())

134 ->dontSee('Permissions')

135 ->visit($content['page']->getUrl() . '/permissions')

136 ->seePageIs('/');

137

138 $this->giveUserPermissions($this->user, ['restrictions-manage-own']);

139

140 // Check can't restrict other's content

141 $this->actingAs($this->user)->visit($otherUsersPage->getUrl())

142 ->dontSee('Permissions')

143 ->visit($otherUsersPage->getUrl() . '/permissions')

144 ->seePageIs('/');

145 // Check can restrict own content

146 $this->actingAs($this->user)->visit($content['page']->getUrl())

147 ->see('Permissions')

148 ->click('Permissions')

149 ->seePageIs($content['page']->getUrl() . '/permissions');

150 }

151

152 /**

153 * Check a standard entity access permission

154 * @param string $permission

155 * @param array $accessUrls Urls that are only accessible after having the permission

156 * @param array $visibles Check this text, In the buttons toolbar, is only visible with the permission

157 */

158 private function checkAccessPermission($permission, $accessUrls = [], $visibles = [])

159 {

160 foreach ($accessUrls as $url) {

161 $this->actingAs($this->user)->visit($url)

162 ->seePageIs('/');

163 }

164 foreach ($visibles as $url => $text) {

165 $this->actingAs($this->user)->visit($url)

166 ->dontSeeInElement('.action-buttons',$text);

167 }

168

169 $this->giveUserPermissions($this->user, [$permission]);

170

171 foreach ($accessUrls as $url) {

172 $this->actingAs($this->user)->visit($url)

173 ->seePageIs($url);

174 }

175 foreach ($visibles as $url => $text) {

176 $this->actingAs($this->user)->visit($url)

177 ->see($text);

178 }

179 }

180

181 public function test_bookshelves_create_all_permissions()

182 {

183 $this->checkAccessPermission('bookshelf-create-all', [

184 '/create-shelf'

185 ], [

186 '/shelves' => 'Create New Shelf'

187 ]);

188

189 $this->visit('/create-shelf')

190 ->type('test shelf', 'name')

191 ->type('shelf desc', 'description')

192 ->press('Save Shelf')

193 ->seePageIs('/shelves/test-shelf');

194 }

195

196 public function test_bookshelves_edit_own_permission()

197 {

198 $otherShelf = Bookshelf::first();

199 $ownShelf = $this->newShelf(['name' => 'test-shelf', 'slug' => 'test-shelf']);

200 $ownShelf->forceFill(['created_by' => $this->user->id, 'updated_by' => $this->user->id])->save();

201 $this->regenEntityPermissions($ownShelf);

202

203 $this->checkAccessPermission('bookshelf-update-own', [

204 $ownShelf->getUrl('/edit')

205 ], [

206 $ownShelf->getUrl() => 'Edit'

207 ]);

208

209 $this->visit($otherShelf->getUrl())

210 ->dontSeeInElement('.action-buttons', 'Edit')

211 ->visit($otherShelf->getUrl('/edit'))

212 ->seePageIs('/');

213 }

214

215 public function test_bookshelves_edit_all_permission()

216 {

217 $otherShelf = \BookStack\Entities\Bookshelf::first();

218 $this->checkAccessPermission('bookshelf-update-all', [

219 $otherShelf->getUrl('/edit')

220 ], [

221 $otherShelf->getUrl() => 'Edit'

222 ]);

223 }

224

225 public function test_bookshelves_delete_own_permission()

226 {

227 $this->giveUserPermissions($this->user, ['bookshelf-update-all']);

228 $otherShelf = \BookStack\Entities\Bookshelf::first();

229 $ownShelf = $this->newShelf(['name' => 'test-shelf', 'slug' => 'test-shelf']);

230 $ownShelf->forceFill(['created_by' => $this->user->id, 'updated_by' => $this->user->id])->save();

231 $this->regenEntityPermissions($ownShelf);

232

233 $this->checkAccessPermission('bookshelf-delete-own', [

234 $ownShelf->getUrl('/delete')

235 ], [

236 $ownShelf->getUrl() => 'Delete'

237 ]);

238

239 $this->visit($otherShelf->getUrl())

240 ->dontSeeInElement('.action-buttons', 'Delete')

241 ->visit($otherShelf->getUrl('/delete'))

242 ->seePageIs('/');

243 $this->visit($ownShelf->getUrl())->visit($ownShelf->getUrl('/delete'))

244 ->press('Confirm')

245 ->seePageIs('/shelves')

246 ->dontSee($ownShelf->name);

247 }

248

249 public function test_bookshelves_delete_all_permission()

250 {

251 $this->giveUserPermissions($this->user, ['bookshelf-update-all']);

252 $otherShelf = \BookStack\Entities\Bookshelf::first();

253 $this->checkAccessPermission('bookshelf-delete-all', [

254 $otherShelf->getUrl('/delete')

255 ], [

256 $otherShelf->getUrl() => 'Delete'

257 ]);

258

259 $this->visit($otherShelf->getUrl())->visit($otherShelf->getUrl('/delete'))

260 ->press('Confirm')

261 ->seePageIs('/shelves')

262 ->dontSee($otherShelf->name);

263 }

264

265 public function test_books_create_all_permissions()

266 {

267 $this->checkAccessPermission('book-create-all', [

268 '/create-book'

269 ], [

270 '/books' => 'Create New Book'

271 ]);

272

273 $this->visit('/create-book')

274 ->type('test book', 'name')

275 ->type('book desc', 'description')

276 ->press('Save Book')

277 ->seePageIs('/books/test-book');

278 }

279

280 public function test_books_edit_own_permission()

281 {

282 $otherBook = \BookStack\Entities\Book::take(1)->get()->first();

283 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

284 $this->checkAccessPermission('book-update-own', [

285 $ownBook->getUrl() . '/edit'

286 ], [

287 $ownBook->getUrl() => 'Edit'

288 ]);

289

290 $this->visit($otherBook->getUrl())

291 ->dontSeeInElement('.action-buttons', 'Edit')

292 ->visit($otherBook->getUrl() . '/edit')

293 ->seePageIs('/');

294 }

295

296 public function test_books_edit_all_permission()

297 {

298 $otherBook = \BookStack\Entities\Book::take(1)->get()->first();

299 $this->checkAccessPermission('book-update-all', [

300 $otherBook->getUrl() . '/edit'

301 ], [

302 $otherBook->getUrl() => 'Edit'

303 ]);

304 }

305

306 public function test_books_delete_own_permission()

307 {

308 $this->giveUserPermissions($this->user, ['book-update-all']);

309 $otherBook = \BookStack\Entities\Book::take(1)->get()->first();

310 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

311 $this->checkAccessPermission('book-delete-own', [

312 $ownBook->getUrl() . '/delete'

313 ], [

314 $ownBook->getUrl() => 'Delete'

315 ]);

316

317 $this->visit($otherBook->getUrl())

318 ->dontSeeInElement('.action-buttons', 'Delete')

319 ->visit($otherBook->getUrl() . '/delete')

320 ->seePageIs('/');

321 $this->visit($ownBook->getUrl())->visit($ownBook->getUrl() . '/delete')

322 ->press('Confirm')

323 ->seePageIs('/books')

324 ->dontSee($ownBook->name);

325 }

326

327 public function test_books_delete_all_permission()

328 {

329 $this->giveUserPermissions($this->user, ['book-update-all']);

330 $otherBook = \BookStack\Entities\Book::take(1)->get()->first();

331 $this->checkAccessPermission('book-delete-all', [

332 $otherBook->getUrl() . '/delete'

333 ], [

334 $otherBook->getUrl() => 'Delete'

335 ]);

336

337 $this->visit($otherBook->getUrl())->visit($otherBook->getUrl() . '/delete')

338 ->press('Confirm')

339 ->seePageIs('/books')

340 ->dontSee($otherBook->name);

341 }

342

343 public function test_chapter_create_own_permissions()

344 {

345 $book = \BookStack\Entities\Book::take(1)->get()->first();

346 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

347 $this->checkAccessPermission('chapter-create-own', [

348 $ownBook->getUrl('/create-chapter')

349 ], [

350 $ownBook->getUrl() => 'New Chapter'

351 ]);

352

353 $this->visit($ownBook->getUrl('/create-chapter'))

354 ->type('test chapter', 'name')

355 ->type('chapter desc', 'description')

356 ->press('Save Chapter')

357 ->seePageIs($ownBook->getUrl('/chapter/test-chapter'));

358

359 $this->visit($book->getUrl())

360 ->dontSeeInElement('.action-buttons', 'New Chapter')

361 ->visit($book->getUrl('/create-chapter'))

362 ->seePageIs('/');

363 }

364

365 public function test_chapter_create_all_permissions()

366 {

367 $book = \BookStack\Entities\Book::take(1)->get()->first();

368 $this->checkAccessPermission('chapter-create-all', [

369 $book->getUrl('/create-chapter')

370 ], [

371 $book->getUrl() => 'New Chapter'

372 ]);

373

374 $this->visit($book->getUrl('/create-chapter'))

375 ->type('test chapter', 'name')

376 ->type('chapter desc', 'description')

377 ->press('Save Chapter')

378 ->seePageIs($book->getUrl('/chapter/test-chapter'));

379 }

380

381 public function test_chapter_edit_own_permission()

382 {

383 $otherChapter = \BookStack\Entities\Chapter::take(1)->get()->first();

384 $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

385 $this->checkAccessPermission('chapter-update-own', [

386 $ownChapter->getUrl() . '/edit'

387 ], [

388 $ownChapter->getUrl() => 'Edit'

389 ]);

390

391 $this->visit($otherChapter->getUrl())

392 ->dontSeeInElement('.action-buttons', 'Edit')

393 ->visit($otherChapter->getUrl() . '/edit')

394 ->seePageIs('/');

395 }

396

397 public function test_chapter_edit_all_permission()

398 {

399 $otherChapter = \BookStack\Entities\Chapter::take(1)->get()->first();

400 $this->checkAccessPermission('chapter-update-all', [

401 $otherChapter->getUrl() . '/edit'

402 ], [

403 $otherChapter->getUrl() => 'Edit'

404 ]);

405 }

406

407 public function test_chapter_delete_own_permission()

408 {

409 $this->giveUserPermissions($this->user, ['chapter-update-all']);

410 $otherChapter = \BookStack\Entities\Chapter::take(1)->get()->first();

411 $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

412 $this->checkAccessPermission('chapter-delete-own', [

413 $ownChapter->getUrl() . '/delete'

414 ], [

415 $ownChapter->getUrl() => 'Delete'

416 ]);

417

418 $bookUrl = $ownChapter->book->getUrl();

419 $this->visit($otherChapter->getUrl())

420 ->dontSeeInElement('.action-buttons', 'Delete')

421 ->visit($otherChapter->getUrl() . '/delete')

422 ->seePageIs('/');

423 $this->visit($ownChapter->getUrl())->visit($ownChapter->getUrl() . '/delete')

424 ->press('Confirm')

425 ->seePageIs($bookUrl)

426 ->dontSeeInElement('.book-content', $ownChapter->name);

427 }

428

429 public function test_chapter_delete_all_permission()

430 {

431 $this->giveUserPermissions($this->user, ['chapter-update-all']);

432 $otherChapter = \BookStack\Entities\Chapter::take(1)->get()->first();

433 $this->checkAccessPermission('chapter-delete-all', [

434 $otherChapter->getUrl() . '/delete'

435 ], [

436 $otherChapter->getUrl() => 'Delete'

437 ]);

438

439 $bookUrl = $otherChapter->book->getUrl();

440 $this->visit($otherChapter->getUrl())->visit($otherChapter->getUrl() . '/delete')

441 ->press('Confirm')

442 ->seePageIs($bookUrl)

443 ->dontSeeInElement('.book-content', $otherChapter->name);

444 }

445

446 public function test_page_create_own_permissions()

447 {

448 $book = \BookStack\Entities\Book::first();

449 $chapter = \BookStack\Entities\Chapter::first();

450

451 $entities = $this->createEntityChainBelongingToUser($this->user);

452 $ownBook = $entities['book'];

453 $ownChapter = $entities['chapter'];

454

455 $createUrl = $ownBook->getUrl('/create-page');

456 $createUrlChapter = $ownChapter->getUrl('/create-page');

457 $accessUrls = [$createUrl, $createUrlChapter];

458

459 foreach ($accessUrls as $url) {

460 $this->actingAs($this->user)->visit($url)

461 ->seePageIs('/');

462 }

463

464 $this->checkAccessPermission('page-create-own', [], [

465 $ownBook->getUrl() => 'New Page',

466 $ownChapter->getUrl() => 'New Page'

467 ]);

468

469 $this->giveUserPermissions($this->user, ['page-create-own']);

470

471 foreach ($accessUrls as $index => $url) {

472 $this->actingAs($this->user)->visit($url);

473 $expectedUrl = \BookStack\Entities\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

474 $this->seePageIs($expectedUrl);

475 }

476

477 $this->visit($createUrl)

478 ->type('test page', 'name')

479 ->type('page desc', 'html')

480 ->press('Save Page')

481 ->seePageIs($ownBook->getUrl('/page/test-page'));

482

483 $this->visit($book->getUrl())

484 ->dontSeeInElement('.action-buttons', 'New Page')

485 ->visit($book->getUrl() . '/create-page')

486 ->seePageIs('/');

487 $this->visit($chapter->getUrl())

488 ->dontSeeInElement('.action-buttons', 'New Page')

489 ->visit($chapter->getUrl() . '/create-page')

490 ->seePageIs('/');

491 }

492

493 public function test_page_create_all_permissions()

494 {

495 $book = \BookStack\Entities\Book::take(1)->get()->first();

496 $chapter = \BookStack\Entities\Chapter::take(1)->get()->first();

497 $baseUrl = $book->getUrl() . '/page';

498 $createUrl = $book->getUrl('/create-page');

499

500 $createUrlChapter = $chapter->getUrl('/create-page');

501 $accessUrls = [$createUrl, $createUrlChapter];

502

503 foreach ($accessUrls as $url) {

504 $this->actingAs($this->user)->visit($url)

505 ->seePageIs('/');

506 }

507

508 $this->checkAccessPermission('page-create-all', [], [

509 $book->getUrl() => 'New Page',

510 $chapter->getUrl() => 'New Page'

511 ]);

512

513 $this->giveUserPermissions($this->user, ['page-create-all']);

514

515 foreach ($accessUrls as $index => $url) {

516 $this->actingAs($this->user)->visit($url);

517 $expectedUrl = \BookStack\Entities\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

518 $this->seePageIs($expectedUrl);

519 }

520

521 $this->visit($createUrl)

522 ->type('test page', 'name')

523 ->type('page desc', 'html')

524 ->press('Save Page')

525 ->seePageIs($book->getUrl('/page/test-page'));

526

527 $this->visit($chapter->getUrl('/create-page'))

528 ->type('new test page', 'name')

529 ->type('page desc', 'html')

530 ->press('Save Page')

531 ->seePageIs($book->getUrl('/page/new-test-page'));

532 }

533

534 public function test_page_edit_own_permission()

535 {

536 $otherPage = \BookStack\Entities\Page::take(1)->get()->first();

537 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

538 $this->checkAccessPermission('page-update-own', [

539 $ownPage->getUrl() . '/edit'

540 ], [

541 $ownPage->getUrl() => 'Edit'

542 ]);

543

544 $this->visit($otherPage->getUrl())

545 ->dontSeeInElement('.action-buttons', 'Edit')

546 ->visit($otherPage->getUrl() . '/edit')

547 ->seePageIs('/');

548 }

549

550 public function test_page_edit_all_permission()

551 {

552 $otherPage = \BookStack\Entities\Page::take(1)->get()->first();

553 $this->checkAccessPermission('page-update-all', [

554 $otherPage->getUrl() . '/edit'

555 ], [

556 $otherPage->getUrl() => 'Edit'

557 ]);

558 }

559

560 public function test_page_delete_own_permission()

561 {

562 $this->giveUserPermissions($this->user, ['page-update-all']);

563 $otherPage = \BookStack\Entities\Page::take(1)->get()->first();

564 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

565 $this->checkAccessPermission('page-delete-own', [

566 $ownPage->getUrl() . '/delete'

567 ], [

568 $ownPage->getUrl() => 'Delete'

569 ]);

570

571 $bookUrl = $ownPage->book->getUrl();

572 $this->visit($otherPage->getUrl())

573 ->dontSeeInElement('.action-buttons', 'Delete')

574 ->visit($otherPage->getUrl() . '/delete')

575 ->seePageIs('/');

576 $this->visit($ownPage->getUrl())->visit($ownPage->getUrl() . '/delete')

577 ->press('Confirm')

578 ->seePageIs($bookUrl)

579 ->dontSeeInElement('.book-content', $ownPage->name);

580 }

581

582 public function test_page_delete_all_permission()

583 {

584 $this->giveUserPermissions($this->user, ['page-update-all']);

585 $otherPage = \BookStack\Entities\Page::take(1)->get()->first();

586 $this->checkAccessPermission('page-delete-all', [

587 $otherPage->getUrl() . '/delete'

588 ], [

589 $otherPage->getUrl() => 'Delete'

590 ]);

591

592 $bookUrl = $otherPage->book->getUrl();

593 $this->visit($otherPage->getUrl())->visit($otherPage->getUrl() . '/delete')

594 ->press('Confirm')

595 ->seePageIs($bookUrl)

596 ->dontSeeInElement('.book-content', $otherPage->name);

597 }

598

599 public function test_public_role_visible_in_user_edit_screen()

600 {

601 $user = \BookStack\Auth\User::first();

602 $this->asAdmin()->visit('/settings/users/' . $user->id)

603 ->seeElement('#roles-admin')

604 ->seeElement('#roles-public');

605 }

606

607 public function test_public_role_visible_in_role_listing()

608 {

609 $this->asAdmin()->visit('/settings/roles')

610 ->see('Admin')

611 ->see('Public');

612 }

613

614 public function test_public_role_visible_in_default_role_setting()

615 {

616 $this->asAdmin()->visit('/settings')

617 ->seeElement('[data-role-name="admin"]')

618 ->seeElement('[data-role-name="public"]');

619

620 }

621

622 public function test_public_role_not_deleteable()

623 {

624 $this->asAdmin()->visit('/settings/roles')

625 ->click('Public')

626 ->see('Edit Role')

627 ->click('Delete Role')

628 ->press('Confirm')

629 ->see('Delete Role')

630 ->see('Cannot be deleted');

631 }

632

633 public function test_image_delete_own_permission()

634 {

635 $this->giveUserPermissions($this->user, ['image-update-all']);

636 $page = \BookStack\Entities\Page::first();

637 $image = factory(\BookStack\Uploads\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $this->user->id, 'updated_by' => $this->user->id]);

638

639 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

640 ->seeStatusCode(403);

641

642 $this->giveUserPermissions($this->user, ['image-delete-own']);

643

644 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

645 ->seeStatusCode(200)

646 ->dontSeeInDatabase('images', ['id' => $image->id]);

647 }

648

649 public function test_image_delete_all_permission()

650 {

651 $this->giveUserPermissions($this->user, ['image-update-all']);

652 $admin = $this->getAdmin();

653 $page = \BookStack\Entities\Page::first();

654 $image = factory(\BookStack\Uploads\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);

655

656 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

657 ->seeStatusCode(403);

658

659 $this->giveUserPermissions($this->user, ['image-delete-own']);

660

661 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

662 ->seeStatusCode(403);

663

664 $this->giveUserPermissions($this->user, ['image-delete-all']);

665

666 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

667 ->seeStatusCode(200)

668 ->dontSeeInDatabase('images', ['id' => $image->id]);

669 }

670

671 public function test_role_permission_removal()

672 {

673 // To cover issue fixed in f99c8ff99aee9beb8c692f36d4b84dc6e651e50a.

674 $page = Page::first();

675 $viewerRole = \BookStack\Auth\Role::getRole('viewer');

676 $viewer = $this->getViewer();

677 $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(200);

678

679 $this->asAdmin()->put('/settings/roles/' . $viewerRole->id, [

680 'display_name' => $viewerRole->display_name,

681 'description' => $viewerRole->description,

682 'permission' => []

683 ])->assertResponseStatus(302);

684

685 $this->expectException(HttpException::class);

686 $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(404);

687 }

688

689 public function test_empty_state_actions_not_visible_without_permission()

690 {

691 $admin = $this->getAdmin();

692 // Book links

693 $book = factory(\BookStack\Entities\Book::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id]);

694 $this->updateEntityPermissions($book);

695 $this->actingAs($this->getViewer())->visit($book->getUrl())

696 ->dontSee('Create a new page')

697 ->dontSee('Add a chapter');

698

699 // Chapter links

700 $chapter = factory(\BookStack\Entities\Chapter::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id, 'book_id' => $book->id]);

701 $this->updateEntityPermissions($chapter);

702 $this->actingAs($this->getViewer())->visit($chapter->getUrl())

703 ->dontSee('Create a new page')

704 ->dontSee('Sort the current book');

705 }

706

707 public function test_comment_create_permission () {

708 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

709

710 $this->actingAs($this->user)->addComment($ownPage);

711

712 $this->assertResponseStatus(403);

713

714 $this->giveUserPermissions($this->user, ['comment-create-all']);

715

716 $this->actingAs($this->user)->addComment($ownPage);

717 $this->assertResponseStatus(200);

718 }

719

720

721 public function test_comment_update_own_permission () {

722 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

723 $this->giveUserPermissions($this->user, ['comment-create-all']);

724 $commentId = $this->actingAs($this->user)->addComment($ownPage);

725

726 // no comment-update-own

727 $this->actingAs($this->user)->updateComment($commentId);

728 $this->assertResponseStatus(403);

729

730 $this->giveUserPermissions($this->user, ['comment-update-own']);

731

732 // now has comment-update-own

733 $this->actingAs($this->user)->updateComment($commentId);

734 $this->assertResponseStatus(200);

735 }

736

737 public function test_comment_update_all_permission () {

738 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

739 $commentId = $this->asAdmin()->addComment($ownPage);

740

741 // no comment-update-all

742 $this->actingAs($this->user)->updateComment($commentId);

743 $this->assertResponseStatus(403);

744

745 $this->giveUserPermissions($this->user, ['comment-update-all']);

746

747 // now has comment-update-all

748 $this->actingAs($this->user)->updateComment($commentId);

749 $this->assertResponseStatus(200);

750 }

751

752 public function test_comment_delete_own_permission () {

753 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

754 $this->giveUserPermissions($this->user, ['comment-create-all']);

755 $commentId = $this->actingAs($this->user)->addComment($ownPage);

756

757 // no comment-delete-own

758 $this->actingAs($this->user)->deleteComment($commentId);

759 $this->assertResponseStatus(403);

760

761 $this->giveUserPermissions($this->user, ['comment-delete-own']);

762

763 // now has comment-update-own

764 $this->actingAs($this->user)->deleteComment($commentId);

765 $this->assertResponseStatus(200);

766 }

767

768 public function test_comment_delete_all_permission () {

769 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

770 $commentId = $this->asAdmin()->addComment($ownPage);

771

772 // no comment-delete-all

773 $this->actingAs($this->user)->deleteComment($commentId);

774 $this->assertResponseStatus(403);

775

776 $this->giveUserPermissions($this->user, ['comment-delete-all']);

777

778 // now has comment-delete-all

779 $this->actingAs($this->user)->deleteComment($commentId);

780 $this->assertResponseStatus(200);

781 }

782

783 private function addComment($page) {

784 $comment = factory(\BookStack\Actions\Comment::class)->make();

785 $url = "/ajax/page/$page->id/comment";

786 $request = [

787 'text' => $comment->text,

788 'html' => $comment->html

789 ];

790

791 $this->postJson($url, $request);

792 $comment = $page->comments()->first();

793 return $comment === null ? null : $comment->id;

794 }

795

796 private function updateComment($commentId) {

797 $comment = factory(\BookStack\Actions\Comment::class)->make();

798 $url = "/ajax/comment/$commentId";

799 $request = [

800 'text' => $comment->text,

801 'html' => $comment->html

802 ];

803

804 return $this->putJson($url, $request);

805 }

806

807 private function deleteComment($commentId) {

808 $url = '/ajax/comment/' . $commentId;

809 return $this->json('DELETE', $url);

810 }

811

812 }