BookStack Code Mirror - bookstack/blob - tests/Permissions/RolesTest.php

1 <?php namespace Tests\Permissions;

3 use BookStack\Actions\Comment;

4 use BookStack\Auth\User;

5 use BookStack\Entities\Models\Book;

6 use BookStack\Entities\Models\Bookshelf;

7 use BookStack\Entities\Models\Chapter;

8 use BookStack\Entities\Models\Page;

9 use BookStack\Auth\Role;

10 use BookStack\Uploads\Image;

11 use Laravel\BrowserKitTesting\HttpException;

12 use Tests\BrowserKitTest;

14 class RolesTest extends BrowserKitTest

15 {

16 protected $user;

18 public function setUp(): void

19 {

20 parent::setUp();

21 $this->user = $this->getViewer();

22 }

24 public function test_admin_can_see_settings()

25 {

26 $this->asAdmin()->visit('/settings')->see('Settings');

27 }

29 public function test_cannot_delete_admin_role()

30 {

31 $adminRole = Role::getRole('admin');

32 $deletePageUrl = '/settings/roles/delete/' . $adminRole->id;

33 $this->asAdmin()->visit($deletePageUrl)

34 ->press('Confirm')

35 ->seePageIs($deletePageUrl)

36 ->see('cannot be deleted');

37 }

39 public function test_role_cannot_be_deleted_if_default()

40 {

41 $newRole = $this->createNewRole();

42 $this->setSettings(['registration-role' => $newRole->id]);

44 $deletePageUrl = '/settings/roles/delete/' . $newRole->id;

45 $this->asAdmin()->visit($deletePageUrl)

46 ->press('Confirm')

47 ->seePageIs($deletePageUrl)

48 ->see('cannot be deleted');

49 }

51 public function test_role_create_update_delete_flow()

52 {

53 $testRoleName = 'Test Role';

54 $testRoleDesc = 'a little test description';

55 $testRoleUpdateName = 'An Super Updated role';

57 // Creation

58 $this->asAdmin()->visit('/settings')

59 ->click('Roles')

60 ->seePageIs('/settings/roles')

61 ->click('Create New Role')

62 ->type('Test Role', 'display_name')

63 ->type('A little test description', 'description')

64 ->press('Save Role')

65 ->seeInDatabase('roles', ['display_name' => $testRoleName, 'description' => $testRoleDesc])

66 ->seePageIs('/settings/roles');

67 // Updating

68 $this->asAdmin()->visit('/settings/roles')

69 ->see($testRoleDesc)

70 ->click($testRoleName)

71 ->type($testRoleUpdateName, '#display_name')

72 ->press('Save Role')

73 ->seeInDatabase('roles', ['display_name' => $testRoleUpdateName, 'description' => $testRoleDesc])

74 ->seePageIs('/settings/roles');

75 // Deleting

76 $this->asAdmin()->visit('/settings/roles')

77 ->click($testRoleUpdateName)

78 ->click('Delete Role')

79 ->see($testRoleUpdateName)

80 ->press('Confirm')

81 ->seePageIs('/settings/roles')

82 ->dontSee($testRoleUpdateName);

83 }

85 public function test_admin_role_cannot_be_removed_if_last_admin()

86 {

87 $adminRole = Role::where('system_name', '=', 'admin')->first();

88 $adminUser = $this->getAdmin();

89 $adminRole->users()->where('id', '!=', $adminUser->id)->delete();

90 $this->assertEquals($adminRole->users()->count(), 1);

92 $viewerRole = $this->getViewer()->roles()->first();

94 $editUrl = '/settings/users/' . $adminUser->id;

95 $this->actingAs($adminUser)->put($editUrl, [

96 'name' => $adminUser->name,

97 'email' => $adminUser->email,

98 'roles' => [

99 'viewer' => strval($viewerRole->id),

100 ]

101 ])->followRedirects();

102

103 $this->seePageIs($editUrl);

104 $this->see('This user is the only user assigned to the administrator role');

105 }

106

107 public function test_migrate_users_on_delete_works()

108 {

109 $roleA = Role::query()->create(['display_name' => 'Delete Test A']);

110 $roleB = Role::query()->create(['display_name' => 'Delete Test B']);

111 $this->user->attachRole($roleB);

112

113 $this->assertCount(0, $roleA->users()->get());

114 $this->assertCount(1, $roleB->users()->get());

115

116 $deletePage = $this->asAdmin()->get("/settings/roles/delete/{$roleB->id}");

117 $deletePage->seeElement('select[name=migrate_role_id]');

118 $this->asAdmin()->delete("/settings/roles/delete/{$roleB->id}", [

119 'migrate_role_id' => $roleA->id,

120 ]);

121

122 $this->assertCount(1, $roleA->users()->get());

123 $this->assertEquals($this->user->id, $roleA->users()->first()->id);

124 }

125

126 public function test_manage_user_permission()

127 {

128 $this->actingAs($this->user)->visit('/settings/users')

129 ->seePageIs('/');

130 $this->giveUserPermissions($this->user, ['users-manage']);

131 $this->actingAs($this->user)->visit('/settings/users')

132 ->seePageIs('/settings/users');

133 }

134

135 public function test_manage_users_permission_shows_link_in_header_if_does_not_have_settings_manage_permision()

136 {

137 $usersLink = 'href="'.url('/settings/users') . '"';

138 $this->actingAs($this->user)->visit('/')->dontSee($usersLink);

139 $this->giveUserPermissions($this->user, ['users-manage']);

140 $this->actingAs($this->user)->visit('/')->see($usersLink);

141 $this->giveUserPermissions($this->user, ['settings-manage', 'users-manage']);

142 $this->actingAs($this->user)->visit('/')->dontSee($usersLink);

143 }

144

145 public function test_user_cannot_change_email_unless_they_have_manage_users_permission()

146 {

147 $userProfileUrl = '/settings/users/' . $this->user->id;

148 $originalEmail = $this->user->email;

149 $this->actingAs($this->user);

150

151 $this->visit($userProfileUrl)

152 ->assertResponseOk()

153 ->seeElement('input[name=email][disabled]');

154 $this->put($userProfileUrl, [

155 'name' => 'my_new_name',

156 'email' => '[email protected]',

157 ]);

158 $this->seeInDatabase('users', [

159 'id' => $this->user->id,

160 'email' => $originalEmail,

161 'name' => 'my_new_name',

162 ]);

163

164 $this->giveUserPermissions($this->user, ['users-manage']);

165

166 $this->visit($userProfileUrl)

167 ->assertResponseOk()

168 ->dontSeeElement('input[name=email][disabled]')

169 ->seeElement('input[name=email]');

170 $this->put($userProfileUrl, [

171 'name' => 'my_new_name_2',

172 'email' => '[email protected]',

173 ]);

174

175 $this->seeInDatabase('users', [

176 'id' => $this->user->id,

177 'email' => '[email protected]',

178 'name' => 'my_new_name_2',

179 ]);

180 }

181

182 public function test_user_roles_manage_permission()

183 {

184 $this->actingAs($this->user)->visit('/settings/roles')

185 ->seePageIs('/')->visit('/settings/roles/1')->seePageIs('/');

186 $this->giveUserPermissions($this->user, ['user-roles-manage']);

187 $this->actingAs($this->user)->visit('/settings/roles')

188 ->seePageIs('/settings/roles')->click('Admin')

189 ->see('Edit Role');

190 }

191

192 public function test_settings_manage_permission()

193 {

194 $this->actingAs($this->user)->visit('/settings')

195 ->seePageIs('/');

196 $this->giveUserPermissions($this->user, ['settings-manage']);

197 $this->actingAs($this->user)->visit('/settings')

198 ->seePageIs('/settings')->press('Save Settings')->see('Settings Saved');

199 }

200

201 public function test_restrictions_manage_all_permission()

202 {

203 $page = Page::take(1)->get()->first();

204 $this->actingAs($this->user)->visit($page->getUrl())

205 ->dontSee('Permissions')

206 ->visit($page->getUrl() . '/permissions')

207 ->seePageIs('/');

208 $this->giveUserPermissions($this->user, ['restrictions-manage-all']);

209 $this->actingAs($this->user)->visit($page->getUrl())

210 ->see('Permissions')

211 ->click('Permissions')

212 ->see('Page Permissions')->seePageIs($page->getUrl() . '/permissions');

213 }

214

215 public function test_restrictions_manage_own_permission()

216 {

217 $otherUsersPage = Page::first();

218 $content = $this->createEntityChainBelongingToUser($this->user);

219

220 // Set a different creator on the page we're checking to ensure

221 // that the owner fields are checked

222 $page = $content['page']; /** @var Page $page */

223 $page->created_by = $otherUsersPage->id;

224 $page->owned_by = $this->user->id;

225 $page->save();

226

227 // Check can't restrict other's content

228 $this->actingAs($this->user)->visit($otherUsersPage->getUrl())

229 ->dontSee('Permissions')

230 ->visit($otherUsersPage->getUrl() . '/permissions')

231 ->seePageIs('/');

232 // Check can't restrict own content

233 $this->actingAs($this->user)->visit($page->getUrl())

234 ->dontSee('Permissions')

235 ->visit($page->getUrl() . '/permissions')

236 ->seePageIs('/');

237

238 $this->giveUserPermissions($this->user, ['restrictions-manage-own']);

239

240 // Check can't restrict other's content

241 $this->actingAs($this->user)->visit($otherUsersPage->getUrl())

242 ->dontSee('Permissions')

243 ->visit($otherUsersPage->getUrl() . '/permissions')

244 ->seePageIs('/');

245 // Check can restrict own content

246 $this->actingAs($this->user)->visit($page->getUrl())

247 ->see('Permissions')

248 ->click('Permissions')

249 ->seePageIs($page->getUrl() . '/permissions');

250 }

251

252 /**

253 * Check a standard entity access permission

254 * @param string $permission

255 * @param array $accessUrls Urls that are only accessible after having the permission

256 * @param array $visibles Check this text, In the buttons toolbar, is only visible with the permission

257 */

258 private function checkAccessPermission($permission, $accessUrls = [], $visibles = [])

259 {

260 foreach ($accessUrls as $url) {

261 $this->actingAs($this->user)->visit($url)

262 ->seePageIs('/');

263 }

264 foreach ($visibles as $url => $text) {

265 $this->actingAs($this->user)->visit($url)

266 ->dontSeeInElement('.action-buttons',$text);

267 }

268

269 $this->giveUserPermissions($this->user, [$permission]);

270

271 foreach ($accessUrls as $url) {

272 $this->actingAs($this->user)->visit($url)

273 ->seePageIs($url);

274 }

275 foreach ($visibles as $url => $text) {

276 $this->actingAs($this->user)->visit($url)

277 ->see($text);

278 }

279 }

280

281 public function test_bookshelves_create_all_permissions()

282 {

283 $this->checkAccessPermission('bookshelf-create-all', [

284 '/create-shelf'

285 ], [

286 '/shelves' => 'New Shelf'

287 ]);

288

289 $this->visit('/create-shelf')

290 ->type('test shelf', 'name')

291 ->type('shelf desc', 'description')

292 ->press('Save Shelf')

293 ->seePageIs('/shelves/test-shelf');

294 }

295

296 public function test_bookshelves_edit_own_permission()

297 {

298 $otherShelf = Bookshelf::first();

299 $ownShelf = $this->newShelf(['name' => 'test-shelf', 'slug' => 'test-shelf']);

300 $ownShelf->forceFill(['owned_by' => $this->user->id, 'updated_by' => $this->user->id])->save();

301 $this->regenEntityPermissions($ownShelf);

302

303 $this->checkAccessPermission('bookshelf-update-own', [

304 $ownShelf->getUrl('/edit')

305 ], [

306 $ownShelf->getUrl() => 'Edit'

307 ]);

308

309 $this->visit($otherShelf->getUrl())

310 ->dontSeeInElement('.action-buttons', 'Edit')

311 ->visit($otherShelf->getUrl('/edit'))

312 ->seePageIs('/');

313 }

314

315 public function test_bookshelves_edit_all_permission()

316 {

317 $otherShelf = Bookshelf::first();

318 $this->checkAccessPermission('bookshelf-update-all', [

319 $otherShelf->getUrl('/edit')

320 ], [

321 $otherShelf->getUrl() => 'Edit'

322 ]);

323 }

324

325 public function test_bookshelves_delete_own_permission()

326 {

327 $this->giveUserPermissions($this->user, ['bookshelf-update-all']);

328 $otherShelf = Bookshelf::first();

329 $ownShelf = $this->newShelf(['name' => 'test-shelf', 'slug' => 'test-shelf']);

330 $ownShelf->forceFill(['owned_by' => $this->user->id, 'updated_by' => $this->user->id])->save();

331 $this->regenEntityPermissions($ownShelf);

332

333 $this->checkAccessPermission('bookshelf-delete-own', [

334 $ownShelf->getUrl('/delete')

335 ], [

336 $ownShelf->getUrl() => 'Delete'

337 ]);

338

339 $this->visit($otherShelf->getUrl())

340 ->dontSeeInElement('.action-buttons', 'Delete')

341 ->visit($otherShelf->getUrl('/delete'))

342 ->seePageIs('/');

343 $this->visit($ownShelf->getUrl())->visit($ownShelf->getUrl('/delete'))

344 ->press('Confirm')

345 ->seePageIs('/shelves')

346 ->dontSee($ownShelf->name);

347 }

348

349 public function test_bookshelves_delete_all_permission()

350 {

351 $this->giveUserPermissions($this->user, ['bookshelf-update-all']);

352 $otherShelf = Bookshelf::first();

353 $this->checkAccessPermission('bookshelf-delete-all', [

354 $otherShelf->getUrl('/delete')

355 ], [

356 $otherShelf->getUrl() => 'Delete'

357 ]);

358

359 $this->visit($otherShelf->getUrl())->visit($otherShelf->getUrl('/delete'))

360 ->press('Confirm')

361 ->seePageIs('/shelves')

362 ->dontSee($otherShelf->name);

363 }

364

365 public function test_books_create_all_permissions()

366 {

367 $this->checkAccessPermission('book-create-all', [

368 '/create-book'

369 ], [

370 '/books' => 'Create New Book'

371 ]);

372

373 $this->visit('/create-book')

374 ->type('test book', 'name')

375 ->type('book desc', 'description')

376 ->press('Save Book')

377 ->seePageIs('/books/test-book');

378 }

379

380 public function test_books_edit_own_permission()

381 {

382 $otherBook = Book::take(1)->get()->first();

383 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

384 $this->checkAccessPermission('book-update-own', [

385 $ownBook->getUrl() . '/edit'

386 ], [

387 $ownBook->getUrl() => 'Edit'

388 ]);

389

390 $this->visit($otherBook->getUrl())

391 ->dontSeeInElement('.action-buttons', 'Edit')

392 ->visit($otherBook->getUrl() . '/edit')

393 ->seePageIs('/');

394 }

395

396 public function test_books_edit_all_permission()

397 {

398 $otherBook = Book::take(1)->get()->first();

399 $this->checkAccessPermission('book-update-all', [

400 $otherBook->getUrl() . '/edit'

401 ], [

402 $otherBook->getUrl() => 'Edit'

403 ]);

404 }

405

406 public function test_books_delete_own_permission()

407 {

408 $this->giveUserPermissions($this->user, ['book-update-all']);

409 $otherBook = Book::take(1)->get()->first();

410 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

411 $this->checkAccessPermission('book-delete-own', [

412 $ownBook->getUrl() . '/delete'

413 ], [

414 $ownBook->getUrl() => 'Delete'

415 ]);

416

417 $this->visit($otherBook->getUrl())

418 ->dontSeeInElement('.action-buttons', 'Delete')

419 ->visit($otherBook->getUrl() . '/delete')

420 ->seePageIs('/');

421 $this->visit($ownBook->getUrl())->visit($ownBook->getUrl() . '/delete')

422 ->press('Confirm')

423 ->seePageIs('/books')

424 ->dontSee($ownBook->name);

425 }

426

427 public function test_books_delete_all_permission()

428 {

429 $this->giveUserPermissions($this->user, ['book-update-all']);

430 $otherBook = Book::take(1)->get()->first();

431 $this->checkAccessPermission('book-delete-all', [

432 $otherBook->getUrl() . '/delete'

433 ], [

434 $otherBook->getUrl() => 'Delete'

435 ]);

436

437 $this->visit($otherBook->getUrl())->visit($otherBook->getUrl() . '/delete')

438 ->press('Confirm')

439 ->seePageIs('/books')

440 ->dontSee($otherBook->name);

441 }

442

443 public function test_chapter_create_own_permissions()

444 {

445 $book = Book::take(1)->get()->first();

446 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

447 $this->checkAccessPermission('chapter-create-own', [

448 $ownBook->getUrl('/create-chapter')

449 ], [

450 $ownBook->getUrl() => 'New Chapter'

451 ]);

452

453 $this->visit($ownBook->getUrl('/create-chapter'))

454 ->type('test chapter', 'name')

455 ->type('chapter desc', 'description')

456 ->press('Save Chapter')

457 ->seePageIs($ownBook->getUrl('/chapter/test-chapter'));

458

459 $this->visit($book->getUrl())

460 ->dontSeeInElement('.action-buttons', 'New Chapter')

461 ->visit($book->getUrl('/create-chapter'))

462 ->seePageIs('/');

463 }

464

465 public function test_chapter_create_all_permissions()

466 {

467 $book = Book::take(1)->get()->first();

468 $this->checkAccessPermission('chapter-create-all', [

469 $book->getUrl('/create-chapter')

470 ], [

471 $book->getUrl() => 'New Chapter'

472 ]);

473

474 $this->visit($book->getUrl('/create-chapter'))

475 ->type('test chapter', 'name')

476 ->type('chapter desc', 'description')

477 ->press('Save Chapter')

478 ->seePageIs($book->getUrl('/chapter/test-chapter'));

479 }

480

481 public function test_chapter_edit_own_permission()

482 {

483 $otherChapter = Chapter::take(1)->get()->first();

484 $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

485 $this->checkAccessPermission('chapter-update-own', [

486 $ownChapter->getUrl() . '/edit'

487 ], [

488 $ownChapter->getUrl() => 'Edit'

489 ]);

490

491 $this->visit($otherChapter->getUrl())

492 ->dontSeeInElement('.action-buttons', 'Edit')

493 ->visit($otherChapter->getUrl() . '/edit')

494 ->seePageIs('/');

495 }

496

497 public function test_chapter_edit_all_permission()

498 {

499 $otherChapter = Chapter::take(1)->get()->first();

500 $this->checkAccessPermission('chapter-update-all', [

501 $otherChapter->getUrl() . '/edit'

502 ], [

503 $otherChapter->getUrl() => 'Edit'

504 ]);

505 }

506

507 public function test_chapter_delete_own_permission()

508 {

509 $this->giveUserPermissions($this->user, ['chapter-update-all']);

510 $otherChapter = Chapter::take(1)->get()->first();

511 $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

512 $this->checkAccessPermission('chapter-delete-own', [

513 $ownChapter->getUrl() . '/delete'

514 ], [

515 $ownChapter->getUrl() => 'Delete'

516 ]);

517

518 $bookUrl = $ownChapter->book->getUrl();

519 $this->visit($otherChapter->getUrl())

520 ->dontSeeInElement('.action-buttons', 'Delete')

521 ->visit($otherChapter->getUrl() . '/delete')

522 ->seePageIs('/');

523 $this->visit($ownChapter->getUrl())->visit($ownChapter->getUrl() . '/delete')

524 ->press('Confirm')

525 ->seePageIs($bookUrl)

526 ->dontSeeInElement('.book-content', $ownChapter->name);

527 }

528

529 public function test_chapter_delete_all_permission()

530 {

531 $this->giveUserPermissions($this->user, ['chapter-update-all']);

532 $otherChapter = Chapter::take(1)->get()->first();

533 $this->checkAccessPermission('chapter-delete-all', [

534 $otherChapter->getUrl() . '/delete'

535 ], [

536 $otherChapter->getUrl() => 'Delete'

537 ]);

538

539 $bookUrl = $otherChapter->book->getUrl();

540 $this->visit($otherChapter->getUrl())->visit($otherChapter->getUrl() . '/delete')

541 ->press('Confirm')

542 ->seePageIs($bookUrl)

543 ->dontSeeInElement('.book-content', $otherChapter->name);

544 }

545

546 public function test_page_create_own_permissions()

547 {

548 $book = Book::first();

549 $chapter = Chapter::first();

550

551 $entities = $this->createEntityChainBelongingToUser($this->user);

552 $ownBook = $entities['book'];

553 $ownChapter = $entities['chapter'];

554

555 $createUrl = $ownBook->getUrl('/create-page');

556 $createUrlChapter = $ownChapter->getUrl('/create-page');

557 $accessUrls = [$createUrl, $createUrlChapter];

558

559 foreach ($accessUrls as $url) {

560 $this->actingAs($this->user)->visit($url)

561 ->seePageIs('/');

562 }

563

564 $this->checkAccessPermission('page-create-own', [], [

565 $ownBook->getUrl() => 'New Page',

566 $ownChapter->getUrl() => 'New Page'

567 ]);

568

569 $this->giveUserPermissions($this->user, ['page-create-own']);

570

571 foreach ($accessUrls as $index => $url) {

572 $this->actingAs($this->user)->visit($url);

573 $expectedUrl = Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

574 $this->seePageIs($expectedUrl);

575 }

576

577 $this->visit($createUrl)

578 ->type('test page', 'name')

579 ->type('page desc', 'html')

580 ->press('Save Page')

581 ->seePageIs($ownBook->getUrl('/page/test-page'));

582

583 $this->visit($book->getUrl())

584 ->dontSeeInElement('.action-buttons', 'New Page')

585 ->visit($book->getUrl() . '/create-page')

586 ->seePageIs('/');

587 $this->visit($chapter->getUrl())

588 ->dontSeeInElement('.action-buttons', 'New Page')

589 ->visit($chapter->getUrl() . '/create-page')

590 ->seePageIs('/');

591 }

592

593 public function test_page_create_all_permissions()

594 {

595 $book = Book::take(1)->get()->first();

596 $chapter = Chapter::take(1)->get()->first();

597 $baseUrl = $book->getUrl() . '/page';

598 $createUrl = $book->getUrl('/create-page');

599

600 $createUrlChapter = $chapter->getUrl('/create-page');

601 $accessUrls = [$createUrl, $createUrlChapter];

602

603 foreach ($accessUrls as $url) {

604 $this->actingAs($this->user)->visit($url)

605 ->seePageIs('/');

606 }

607

608 $this->checkAccessPermission('page-create-all', [], [

609 $book->getUrl() => 'New Page',

610 $chapter->getUrl() => 'New Page'

611 ]);

612

613 $this->giveUserPermissions($this->user, ['page-create-all']);

614

615 foreach ($accessUrls as $index => $url) {

616 $this->actingAs($this->user)->visit($url);

617 $expectedUrl = Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

618 $this->seePageIs($expectedUrl);

619 }

620

621 $this->visit($createUrl)

622 ->type('test page', 'name')

623 ->type('page desc', 'html')

624 ->press('Save Page')

625 ->seePageIs($book->getUrl('/page/test-page'));

626

627 $this->visit($chapter->getUrl('/create-page'))

628 ->type('new test page', 'name')

629 ->type('page desc', 'html')

630 ->press('Save Page')

631 ->seePageIs($book->getUrl('/page/new-test-page'));

632 }

633

634 public function test_page_edit_own_permission()

635 {

636 $otherPage = Page::take(1)->get()->first();

637 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

638 $this->checkAccessPermission('page-update-own', [

639 $ownPage->getUrl() . '/edit'

640 ], [

641 $ownPage->getUrl() => 'Edit'

642 ]);

643

644 $this->visit($otherPage->getUrl())

645 ->dontSeeInElement('.action-buttons', 'Edit')

646 ->visit($otherPage->getUrl() . '/edit')

647 ->seePageIs('/');

648 }

649

650 public function test_page_edit_all_permission()

651 {

652 $otherPage = Page::take(1)->get()->first();

653 $this->checkAccessPermission('page-update-all', [

654 $otherPage->getUrl() . '/edit'

655 ], [

656 $otherPage->getUrl() => 'Edit'

657 ]);

658 }

659

660 public function test_page_delete_own_permission()

661 {

662 $this->giveUserPermissions($this->user, ['page-update-all']);

663 $otherPage = Page::take(1)->get()->first();

664 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

665 $this->checkAccessPermission('page-delete-own', [

666 $ownPage->getUrl() . '/delete'

667 ], [

668 $ownPage->getUrl() => 'Delete'

669 ]);

670

671 $parent = $ownPage->chapter ?? $ownPage->book;

672 $this->visit($otherPage->getUrl())

673 ->dontSeeInElement('.action-buttons', 'Delete')

674 ->visit($otherPage->getUrl() . '/delete')

675 ->seePageIs('/');

676 $this->visit($ownPage->getUrl())->visit($ownPage->getUrl() . '/delete')

677 ->press('Confirm')

678 ->seePageIs($parent->getUrl())

679 ->dontSeeInElement('.book-content', $ownPage->name);

680 }

681

682 public function test_page_delete_all_permission()

683 {

684 $this->giveUserPermissions($this->user, ['page-update-all']);

685 $otherPage = Page::take(1)->get()->first();

686 $this->checkAccessPermission('page-delete-all', [

687 $otherPage->getUrl() . '/delete'

688 ], [

689 $otherPage->getUrl() => 'Delete'

690 ]);

691

692 $parent = $otherPage->chapter ?? $otherPage->book;

693 $this->visit($otherPage->getUrl())->visit($otherPage->getUrl() . '/delete')

694 ->press('Confirm')

695 ->seePageIs($parent->getUrl())

696 ->dontSeeInElement('.book-content', $otherPage->name);

697 }

698

699 public function test_public_role_visible_in_user_edit_screen()

700 {

701 $user = User::first();

702 $adminRole = Role::getSystemRole('admin');

703 $publicRole = Role::getSystemRole('public');

704 $this->asAdmin()->visit('/settings/users/' . $user->id)

705 ->seeElement('[name="roles['.$adminRole->id.']"]')

706 ->seeElement('[name="roles['.$publicRole->id.']"]');

707 }

708

709 public function test_public_role_visible_in_role_listing()

710 {

711 $this->asAdmin()->visit('/settings/roles')

712 ->see('Admin')

713 ->see('Public');

714 }

715

716 public function test_public_role_visible_in_default_role_setting()

717 {

718 $this->asAdmin()->visit('/settings')

719 ->seeElement('[data-system-role-name="admin"]')

720 ->seeElement('[data-system-role-name="public"]');

721 }

722

723 public function test_public_role_not_deleteable()

724 {

725 $this->asAdmin()->visit('/settings/roles')

726 ->click('Public')

727 ->see('Edit Role')

728 ->click('Delete Role')

729 ->press('Confirm')

730 ->see('Delete Role')

731 ->see('Cannot be deleted');

732 }

733

734 public function test_image_delete_own_permission()

735 {

736 $this->giveUserPermissions($this->user, ['image-update-all']);

737 $page = Page::first();

738 $image = factory(Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $this->user->id, 'updated_by' => $this->user->id]);

739

740 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

741 ->seeStatusCode(403);

742

743 $this->giveUserPermissions($this->user, ['image-delete-own']);

744

745 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

746 ->seeStatusCode(200)

747 ->dontSeeInDatabase('images', ['id' => $image->id]);

748 }

749

750 public function test_image_delete_all_permission()

751 {

752 $this->giveUserPermissions($this->user, ['image-update-all']);

753 $admin = $this->getAdmin();

754 $page = Page::first();

755 $image = factory(Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);

756

757 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

758 ->seeStatusCode(403);

759

760 $this->giveUserPermissions($this->user, ['image-delete-own']);

761

762 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

763 ->seeStatusCode(403);

764

765 $this->giveUserPermissions($this->user, ['image-delete-all']);

766

767 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

768 ->seeStatusCode(200)

769 ->dontSeeInDatabase('images', ['id' => $image->id]);

770 }

771

772 public function test_role_permission_removal()

773 {

774 // To cover issue fixed in f99c8ff99aee9beb8c692f36d4b84dc6e651e50a.

775 $page = Page::first();

776 $viewerRole = Role::getRole('viewer');

777 $viewer = $this->getViewer();

778 $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(200);

779

780 $this->asAdmin()->put('/settings/roles/' . $viewerRole->id, [

781 'display_name' => $viewerRole->display_name,

782 'description' => $viewerRole->description,

783 'permission' => []

784 ])->assertResponseStatus(302);

785

786 $this->expectException(HttpException::class);

787 $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(404);

788 }

789

790 public function test_empty_state_actions_not_visible_without_permission()

791 {

792 $admin = $this->getAdmin();

793 // Book links

794 $book = factory(Book::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id]);

795 $this->updateEntityPermissions($book);

796 $this->actingAs($this->getViewer())->visit($book->getUrl())

797 ->dontSee('Create a new page')

798 ->dontSee('Add a chapter');

799

800 // Chapter links

801 $chapter = factory(Chapter::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id, 'book_id' => $book->id]);

802 $this->updateEntityPermissions($chapter);

803 $this->actingAs($this->getViewer())->visit($chapter->getUrl())

804 ->dontSee('Create a new page')

805 ->dontSee('Sort the current book');

806 }

807

808 public function test_comment_create_permission () {

809 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

810

811 $this->actingAs($this->user)->addComment($ownPage);

812

813 $this->assertResponseStatus(403);

814

815 $this->giveUserPermissions($this->user, ['comment-create-all']);

816

817 $this->actingAs($this->user)->addComment($ownPage);

818 $this->assertResponseStatus(200);

819 }

820

821

822 public function test_comment_update_own_permission () {

823 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

824 $this->giveUserPermissions($this->user, ['comment-create-all']);

825 $commentId = $this->actingAs($this->user)->addComment($ownPage);

826

827 // no comment-update-own

828 $this->actingAs($this->user)->updateComment($commentId);

829 $this->assertResponseStatus(403);

830

831 $this->giveUserPermissions($this->user, ['comment-update-own']);

832

833 // now has comment-update-own

834 $this->actingAs($this->user)->updateComment($commentId);

835 $this->assertResponseStatus(200);

836 }

837

838 public function test_comment_update_all_permission () {

839 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

840 $commentId = $this->asAdmin()->addComment($ownPage);

841

842 // no comment-update-all

843 $this->actingAs($this->user)->updateComment($commentId);

844 $this->assertResponseStatus(403);

845

846 $this->giveUserPermissions($this->user, ['comment-update-all']);

847

848 // now has comment-update-all

849 $this->actingAs($this->user)->updateComment($commentId);

850 $this->assertResponseStatus(200);

851 }

852

853 public function test_comment_delete_own_permission () {

854 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

855 $this->giveUserPermissions($this->user, ['comment-create-all']);

856 $commentId = $this->actingAs($this->user)->addComment($ownPage);

857

858 // no comment-delete-own

859 $this->actingAs($this->user)->deleteComment($commentId);

860 $this->assertResponseStatus(403);

861

862 $this->giveUserPermissions($this->user, ['comment-delete-own']);

863

864 // now has comment-update-own

865 $this->actingAs($this->user)->deleteComment($commentId);

866 $this->assertResponseStatus(200);

867 }

868

869 public function test_comment_delete_all_permission () {

870 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

871 $commentId = $this->asAdmin()->addComment($ownPage);

872

873 // no comment-delete-all

874 $this->actingAs($this->user)->deleteComment($commentId);

875 $this->assertResponseStatus(403);

876

877 $this->giveUserPermissions($this->user, ['comment-delete-all']);

878

879 // now has comment-delete-all

880 $this->actingAs($this->user)->deleteComment($commentId);

881 $this->assertResponseStatus(200);

882 }

883

884 private function addComment($page) {

885 $comment = factory(Comment::class)->make();

886 $url = "/comment/$page->id";

887 $request = [

888 'text' => $comment->text,

889 'html' => $comment->html

890 ];

891

892 $this->postJson($url, $request);

893 $comment = $page->comments()->first();

894 return $comment === null ? null : $comment->id;

895 }

896

897 private function updateComment($commentId) {

898 $comment = factory(Comment::class)->make();

899 $url = "/comment/$commentId";

900 $request = [

901 'text' => $comment->text,

902 'html' => $comment->html

903 ];

904

905 return $this->putJson($url, $request);

906 }

907

908 private function deleteComment($commentId) {

909 $url = '/comment/' . $commentId;

910 return $this->json('DELETE', $url);

911 }

912

913 }