BookStack Code Mirror - bookstack/blob - tests/Permissions/RolesTest.php

1 <?php

2

3 namespace Tests\Permissions;

4

5 use BookStack\Actions\ActivityType;

6 use BookStack\Actions\Comment;

7 use BookStack\Auth\Role;

8 use BookStack\Auth\User;

9 use BookStack\Entities\Models\Book;

10 use BookStack\Entities\Models\Bookshelf;

11 use BookStack\Entities\Models\Chapter;

12 use BookStack\Entities\Models\Entity;

13 use BookStack\Entities\Models\Page;

14 use BookStack\Uploads\Image;

15 use Illuminate\Testing\TestResponse;

16 use Tests\TestCase;

17

18 class RolesTest extends TestCase

19 {

20 protected User $user;

21

22 protected function setUp(): void

23 {

24 parent::setUp();

25 $this->user = $this->getViewer();

26 }

27

28 public function test_admin_can_see_settings()

29 {

30 $this->asAdmin()->get('/settings/features')->assertSee('Settings');

31 }

32

33 public function test_cannot_delete_admin_role()

34 {

35 $adminRole = Role::getRole('admin');

36 $deletePageUrl = '/settings/roles/delete/' . $adminRole->id;

37

38 $this->asAdmin()->get($deletePageUrl);

39 $this->delete($deletePageUrl)->assertRedirect($deletePageUrl);

40 $this->get($deletePageUrl)->assertSee('cannot be deleted');

41 }

42

43 public function test_role_cannot_be_deleted_if_default()

44 {

45 $newRole = $this->createNewRole();

46 $this->setSettings(['registration-role' => $newRole->id]);

47

48 $deletePageUrl = '/settings/roles/delete/' . $newRole->id;

49 $this->asAdmin()->get($deletePageUrl);

50 $this->delete($deletePageUrl)->assertRedirect($deletePageUrl);

51 $this->get($deletePageUrl)->assertSee('cannot be deleted');

52 }

53

54 public function test_role_create_update_delete_flow()

55 {

56 $testRoleName = 'Test Role';

57 $testRoleDesc = 'a little test description';

58 $testRoleUpdateName = 'An Super Updated role';

59

60 // Creation

61 $resp = $this->asAdmin()->get('/settings/features');

62 $this->withHtml($resp)->assertElementContains('a[href="' . url('/settings/roles') . '"]', 'Roles');

63

64 $resp = $this->get('/settings/roles');

65 $this->withHtml($resp)->assertElementContains('a[href="' . url('/settings/roles/new') . '"]', 'Create New Role');

66

67 $resp = $this->get('/settings/roles/new');

68 $this->withHtml($resp)->assertElementContains('form[action="' . url('/settings/roles/new') . '"]', 'Save Role');

69

70 $resp = $this->post('/settings/roles/new', [

71 'display_name' => $testRoleName,

72 'description' => $testRoleDesc,

73 ]);

74 $resp->assertRedirect('/settings/roles');

75

76 $resp = $this->get('/settings/roles');

77 $resp->assertSee($testRoleName);

78 $resp->assertSee($testRoleDesc);

79 $this->assertDatabaseHas('roles', [

80 'display_name' => $testRoleName,

81 'description' => $testRoleDesc,

82 'mfa_enforced' => false,

83 ]);

84

85 /** @var Role $role */

86 $role = Role::query()->where('display_name', '=', $testRoleName)->first();

87

88 // Updating

89 $resp = $this->get('/settings/roles/' . $role->id);

90 $resp->assertSee($testRoleName);

91 $resp->assertSee($testRoleDesc);

92 $this->withHtml($resp)->assertElementContains('form[action="' . url('/settings/roles/' . $role->id) . '"]', 'Save Role');

93

94 $resp = $this->put('/settings/roles/' . $role->id, [

95 'display_name' => $testRoleUpdateName,

96 'description' => $testRoleDesc,

97 'mfa_enforced' => 'true',

98 ]);

99 $resp->assertRedirect('/settings/roles');

100 $this->assertDatabaseHas('roles', [

101 'display_name' => $testRoleUpdateName,

102 'description' => $testRoleDesc,

103 'mfa_enforced' => true,

104 ]);

105

106 // Deleting

107 $resp = $this->get('/settings/roles/' . $role->id);

108 $this->withHtml($resp)->assertElementContains('a[href="' . url("/settings/roles/delete/$role->id") . '"]', 'Delete Role');

109

110 $resp = $this->get("/settings/roles/delete/$role->id");

111 $resp->assertSee($testRoleUpdateName);

112 $this->withHtml($resp)->assertElementContains('form[action="' . url("/settings/roles/delete/$role->id") . '"]', 'Confirm');

113

114 $resp = $this->delete("/settings/roles/delete/$role->id");

115 $resp->assertRedirect('/settings/roles');

116 $this->get('/settings/roles')->assertSee('Role successfully deleted');

117 $this->assertActivityExists(ActivityType::ROLE_DELETE);

118 }

119

120 public function test_admin_role_cannot_be_removed_if_user_last_admin()

121 {

122 /** @var Role $adminRole */

123 $adminRole = Role::query()->where('system_name', '=', 'admin')->first();

124 $adminUser = $this->getAdmin();

125 $adminRole->users()->where('id', '!=', $adminUser->id)->delete();

126 $this->assertEquals(1, $adminRole->users()->count());

127

128 $viewerRole = $this->getViewer()->roles()->first();

129

130 $editUrl = '/settings/users/' . $adminUser->id;

131 $resp = $this->actingAs($adminUser)->put($editUrl, [

132 'name' => $adminUser->name,

133 'email' => $adminUser->email,

134 'roles' => [

135 'viewer' => strval($viewerRole->id),

136 ],

137 ]);

138

139 $resp->assertRedirect($editUrl);

140

141 $resp = $this->get($editUrl);

142 $resp->assertSee('This user is the only user assigned to the administrator role');

143 }

144

145 public function test_migrate_users_on_delete_works()

146 {

147 /** @var Role $roleA */

148 $roleA = Role::query()->create(['display_name' => 'Delete Test A']);

149 /** @var Role $roleB */

150 $roleB = Role::query()->create(['display_name' => 'Delete Test B']);

151 $this->user->attachRole($roleB);

152

153 $this->assertCount(0, $roleA->users()->get());

154 $this->assertCount(1, $roleB->users()->get());

155

156 $deletePage = $this->asAdmin()->get("/settings/roles/delete/$roleB->id");

157 $this->withHtml($deletePage)->assertElementExists('select[name=migrate_role_id]');

158 $this->asAdmin()->delete("/settings/roles/delete/$roleB->id", [

159 'migrate_role_id' => $roleA->id,

160 ]);

161

162 $this->assertCount(1, $roleA->users()->get());

163 $this->assertEquals($this->user->id, $roleA->users()->first()->id);

164 }

165

166 public function test_image_view_notice_shown_on_role_form()

167 {

168 /** @var Role $role */

169 $role = Role::query()->first();

170 $this->asAdmin()->get("/settings/roles/{$role->id}")

171 ->assertSee('Actual access of uploaded image files will be dependant upon system image storage option');

172 }

173

174 public function test_copy_role_button_shown()

175 {

176 /** @var Role $role */

177 $role = Role::query()->first();

178 $resp = $this->asAdmin()->get("/settings/roles/{$role->id}");

179 $this->withHtml($resp)->assertElementContains('a[href$="/roles/new?copy_from=' . $role->id . '"]', 'Copy');

180 }

181

182 public function test_copy_from_param_on_create_prefills_with_other_role_data()

183 {

184 /** @var Role $role */

185 $role = Role::query()->first();

186 $resp = $this->asAdmin()->get("/settings/roles/new?copy_from={$role->id}");

187 $resp->assertOk();

188 $this->withHtml($resp)->assertElementExists('input[name="display_name"][value="' . ($role->display_name . ' (Copy)') . '"]');

189 }

190

191 public function test_manage_user_permission()

192 {

193 $this->actingAs($this->user)->get('/settings/users')->assertRedirect('/');

194 $this->giveUserPermissions($this->user, ['users-manage']);

195 $this->actingAs($this->user)->get('/settings/users')->assertOk();

196 }

197

198 public function test_manage_users_permission_shows_link_in_header_if_does_not_have_settings_manage_permision()

199 {

200 $usersLink = 'href="' . url('/settings/users') . '"';

201 $this->actingAs($this->user)->get('/')->assertDontSee($usersLink, false);

202 $this->giveUserPermissions($this->user, ['users-manage']);

203 $this->actingAs($this->user)->get('/')->assertSee($usersLink, false);

204 $this->giveUserPermissions($this->user, ['settings-manage', 'users-manage']);

205 $this->actingAs($this->user)->get('/')->assertDontSee($usersLink, false);

206 }

207

208 public function test_user_cannot_change_email_unless_they_have_manage_users_permission()

209 {

210 $userProfileUrl = '/settings/users/' . $this->user->id;

211 $originalEmail = $this->user->email;

212 $this->actingAs($this->user);

213

214 $resp = $this->get($userProfileUrl)

215 ->assertOk();

216 $this->withHtml($resp)->assertElementExists('input[name=email][disabled]');

217 $this->put($userProfileUrl, [

218 'name' => 'my_new_name',

219 'email' => '[email protected]',

220 ]);

221 $this->assertDatabaseHas('users', [

222 'id' => $this->user->id,

223 'email' => $originalEmail,

224 'name' => 'my_new_name',

225 ]);

226

227 $this->giveUserPermissions($this->user, ['users-manage']);

228

229 $resp = $this->get($userProfileUrl)

230 ->assertOk();

231 $this->withHtml($resp)->assertElementNotExists('input[name=email][disabled]')

232 ->assertElementExists('input[name=email]');

233 $this->put($userProfileUrl, [

234 'name' => 'my_new_name_2',

235 'email' => '[email protected]',

236 ]);

237

238 $this->assertDatabaseHas('users', [

239 'id' => $this->user->id,

240 'email' => '[email protected]',

241 'name' => 'my_new_name_2',

242 ]);

243 }

244

245 public function test_user_roles_manage_permission()

246 {

247 $this->actingAs($this->user)->get('/settings/roles')->assertRedirect('/');

248 $this->get('/settings/roles/1')->assertRedirect('/');

249 $this->giveUserPermissions($this->user, ['user-roles-manage']);

250 $this->actingAs($this->user)->get('/settings/roles')->assertOk();

251 $this->get('/settings/roles/1')

252 ->assertOk()

253 ->assertSee('Admin');

254 }

255

256 public function test_settings_manage_permission()

257 {

258 $this->actingAs($this->user)->get('/settings/features')->assertRedirect('/');

259 $this->giveUserPermissions($this->user, ['settings-manage']);

260 $this->get('/settings/features')->assertOk();

261

262 $resp = $this->post('/settings/features', []);

263 $resp->assertRedirect('/settings/features');

264 $resp = $this->get('/settings/features');

265 $resp->assertSee('Settings saved');

266 }

267

268 public function test_restrictions_manage_all_permission()

269 {

270 $page = Page::query()->get()->first();

271

272 $this->actingAs($this->user)->get($page->getUrl())->assertDontSee('Permissions');

273 $this->get($page->getUrl('/permissions'))->assertRedirect('/');

274

275 $this->giveUserPermissions($this->user, ['restrictions-manage-all']);

276

277 $this->actingAs($this->user)->get($page->getUrl())->assertSee('Permissions');

278

279 $this->get($page->getUrl('/permissions'))

280 ->assertOk()

281 ->assertSee('Page Permissions');

282 }

283

284 public function test_restrictions_manage_own_permission()

285 {

286 /** @var Page $otherUsersPage */

287 $otherUsersPage = Page::query()->first();

288 $content = $this->entities->createChainBelongingToUser($this->user);

289

290 // Set a different creator on the page we're checking to ensure

291 // that the owner fields are checked

292 $page = $content['page']; /** @var Page $page */

293 $page->created_by = $otherUsersPage->id;

294 $page->owned_by = $this->user->id;

295 $page->save();

296

297 // Check can't restrict other's content

298 $this->actingAs($this->user)->get($otherUsersPage->getUrl())->assertDontSee('Permissions');

299 $this->get($otherUsersPage->getUrl('/permissions'))->assertRedirect('/');

300

301 // Check can't restrict own content

302 $this->actingAs($this->user)->get($page->getUrl())->assertDontSee('Permissions');

303 $this->get($page->getUrl('/permissions'))->assertRedirect('/');

304

305 $this->giveUserPermissions($this->user, ['restrictions-manage-own']);

306

307 // Check can't restrict other's content

308 $this->actingAs($this->user)->get($otherUsersPage->getUrl())->assertDontSee('Permissions');

309 $this->get($otherUsersPage->getUrl('/permissions'))->assertRedirect();

310

311 // Check can restrict own content

312 $this->actingAs($this->user)->get($page->getUrl())->assertSee('Permissions');

313 $this->get($page->getUrl('/permissions'))->assertOk();

314 }

315

316 /**

317 * Check a standard entity access permission.

318 */

319 private function checkAccessPermission(string $permission, array $accessUrls = [], array $visibles = [])

320 {

321 foreach ($accessUrls as $url) {

322 $this->actingAs($this->user)->get($url)->assertRedirect('/');

323 }

324

325 foreach ($visibles as $url => $text) {

326 $resp = $this->actingAs($this->user)->get($url);

327 $this->withHtml($resp)->assertElementNotContains('.action-buttons', $text);

328 }

329

330 $this->giveUserPermissions($this->user, [$permission]);

331

332 foreach ($accessUrls as $url) {

333 $this->actingAs($this->user)->get($url)->assertOk();

334 }

335 foreach ($visibles as $url => $text) {

336 $this->actingAs($this->user)->get($url)->assertSee($text);

337 }

338 }

339

340 public function test_bookshelves_create_all_permissions()

341 {

342 $this->checkAccessPermission('bookshelf-create-all', [

343 '/create-shelf',

344 ], [

345 '/shelves' => 'New Shelf',

346 ]);

347

348 $this->post('/shelves', [

349 'name' => 'test shelf',

350 'description' => 'shelf desc',

351 ])->assertRedirect('/shelves/test-shelf');

352 }

353

354 public function test_bookshelves_edit_own_permission()

355 {

356 /** @var Bookshelf $otherShelf */

357 $otherShelf = Bookshelf::query()->first();

358 $ownShelf = $this->entities->newShelf(['name' => 'test-shelf', 'slug' => 'test-shelf']);

359 $ownShelf->forceFill(['owned_by' => $this->user->id, 'updated_by' => $this->user->id])->save();

360 $this->entities->regenPermissions($ownShelf);

361

362 $this->checkAccessPermission('bookshelf-update-own', [

363 $ownShelf->getUrl('/edit'),

364 ], [

365 $ownShelf->getUrl() => 'Edit',

366 ]);

367

368 $resp = $this->get($otherShelf->getUrl());

369 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Edit');

370 $this->get($otherShelf->getUrl('/edit'))->assertRedirect('/');

371 }

372

373 public function test_bookshelves_edit_all_permission()

374 {

375 /** @var Bookshelf $otherShelf */

376 $otherShelf = Bookshelf::query()->first();

377 $this->checkAccessPermission('bookshelf-update-all', [

378 $otherShelf->getUrl('/edit'),

379 ], [

380 $otherShelf->getUrl() => 'Edit',

381 ]);

382 }

383

384 public function test_bookshelves_delete_own_permission()

385 {

386 $this->giveUserPermissions($this->user, ['bookshelf-update-all']);

387 /** @var Bookshelf $otherShelf */

388 $otherShelf = Bookshelf::query()->first();

389 $ownShelf = $this->entities->newShelf(['name' => 'test-shelf', 'slug' => 'test-shelf']);

390 $ownShelf->forceFill(['owned_by' => $this->user->id, 'updated_by' => $this->user->id])->save();

391 $this->entities->regenPermissions($ownShelf);

392

393 $this->checkAccessPermission('bookshelf-delete-own', [

394 $ownShelf->getUrl('/delete'),

395 ], [

396 $ownShelf->getUrl() => 'Delete',

397 ]);

398

399 $resp = $this->get($otherShelf->getUrl());

400 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Delete');

401 $this->get($otherShelf->getUrl('/delete'))->assertRedirect('/');

402

403 $this->get($ownShelf->getUrl());

404 $this->delete($ownShelf->getUrl())->assertRedirect('/shelves');

405 $this->get('/shelves')->assertDontSee($ownShelf->name);

406 }

407

408 public function test_bookshelves_delete_all_permission()

409 {

410 $this->giveUserPermissions($this->user, ['bookshelf-update-all']);

411 /** @var Bookshelf $otherShelf */

412 $otherShelf = Bookshelf::query()->first();

413 $this->checkAccessPermission('bookshelf-delete-all', [

414 $otherShelf->getUrl('/delete'),

415 ], [

416 $otherShelf->getUrl() => 'Delete',

417 ]);

418

419 $this->delete($otherShelf->getUrl())->assertRedirect('/shelves');

420 $this->get('/shelves')->assertDontSee($otherShelf->name);

421 }

422

423 public function test_books_create_all_permissions()

424 {

425 $this->checkAccessPermission('book-create-all', [

426 '/create-book',

427 ], [

428 '/books' => 'Create New Book',

429 ]);

430

431 $this->post('/books', [

432 'name' => 'test book',

433 'description' => 'book desc',

434 ])->assertRedirect('/books/test-book');

435 }

436

437 public function test_books_edit_own_permission()

438 {

439 /** @var Book $otherBook */

440 $otherBook = Book::query()->take(1)->get()->first();

441 $ownBook = $this->entities->createChainBelongingToUser($this->user)['book'];

442 $this->checkAccessPermission('book-update-own', [

443 $ownBook->getUrl() . '/edit',

444 ], [

445 $ownBook->getUrl() => 'Edit',

446 ]);

447

448 $resp = $this->get($otherBook->getUrl());

449 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Edit');

450 $this->get($otherBook->getUrl('/edit'))->assertRedirect('/');

451 }

452

453 public function test_books_edit_all_permission()

454 {

455 /** @var Book $otherBook */

456 $otherBook = Book::query()->take(1)->get()->first();

457 $this->checkAccessPermission('book-update-all', [

458 $otherBook->getUrl() . '/edit',

459 ], [

460 $otherBook->getUrl() => 'Edit',

461 ]);

462 }

463

464 public function test_books_delete_own_permission()

465 {

466 $this->giveUserPermissions($this->user, ['book-update-all']);

467 /** @var Book $otherBook */

468 $otherBook = Book::query()->take(1)->get()->first();

469 $ownBook = $this->entities->createChainBelongingToUser($this->user)['book'];

470 $this->checkAccessPermission('book-delete-own', [

471 $ownBook->getUrl() . '/delete',

472 ], [

473 $ownBook->getUrl() => 'Delete',

474 ]);

475

476 $resp = $this->get($otherBook->getUrl());

477 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Delete');

478 $this->get($otherBook->getUrl('/delete'))->assertRedirect('/');

479 $this->get($ownBook->getUrl());

480 $this->delete($ownBook->getUrl())->assertRedirect('/books');

481 $this->get('/books')->assertDontSee($ownBook->name);

482 }

483

484 public function test_books_delete_all_permission()

485 {

486 $this->giveUserPermissions($this->user, ['book-update-all']);

487 /** @var Book $otherBook */

488 $otherBook = Book::query()->take(1)->get()->first();

489 $this->checkAccessPermission('book-delete-all', [

490 $otherBook->getUrl() . '/delete',

491 ], [

492 $otherBook->getUrl() => 'Delete',

493 ]);

494

495 $this->get($otherBook->getUrl());

496 $this->delete($otherBook->getUrl())->assertRedirect('/books');

497 $this->get('/books')->assertDontSee($otherBook->name);

498 }

499

500 public function test_chapter_create_own_permissions()

501 {

502 /** @var Book $book */

503 $book = Book::query()->take(1)->get()->first();

504 $ownBook = $this->entities->createChainBelongingToUser($this->user)['book'];

505 $this->checkAccessPermission('chapter-create-own', [

506 $ownBook->getUrl('/create-chapter'),

507 ], [

508 $ownBook->getUrl() => 'New Chapter',

509 ]);

510

511 $this->post($ownBook->getUrl('/create-chapter'), [

512 'name' => 'test chapter',

513 'description' => 'chapter desc',

514 ])->assertRedirect($ownBook->getUrl('/chapter/test-chapter'));

515

516 $resp = $this->get($book->getUrl());

517 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'New Chapter');

518 $this->get($book->getUrl('/create-chapter'))->assertRedirect('/');

519 }

520

521 public function test_chapter_create_all_permissions()

522 {

523 $book = $this->entities->book();

524 $this->checkAccessPermission('chapter-create-all', [

525 $book->getUrl('/create-chapter'),

526 ], [

527 $book->getUrl() => 'New Chapter',

528 ]);

529

530 $this->post($book->getUrl('/create-chapter'), [

531 'name' => 'test chapter',

532 'description' => 'chapter desc',

533 ])->assertRedirect($book->getUrl('/chapter/test-chapter'));

534 }

535

536 public function test_chapter_edit_own_permission()

537 {

538 /** @var Chapter $otherChapter */

539 $otherChapter = Chapter::query()->first();

540 $ownChapter = $this->entities->createChainBelongingToUser($this->user)['chapter'];

541 $this->checkAccessPermission('chapter-update-own', [

542 $ownChapter->getUrl() . '/edit',

543 ], [

544 $ownChapter->getUrl() => 'Edit',

545 ]);

546

547 $resp = $this->get($otherChapter->getUrl());

548 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Edit');

549 $this->get($otherChapter->getUrl('/edit'))->assertRedirect('/');

550 }

551

552 public function test_chapter_edit_all_permission()

553 {

554 /** @var Chapter $otherChapter */

555 $otherChapter = Chapter::query()->take(1)->get()->first();

556 $this->checkAccessPermission('chapter-update-all', [

557 $otherChapter->getUrl() . '/edit',

558 ], [

559 $otherChapter->getUrl() => 'Edit',

560 ]);

561 }

562

563 public function test_chapter_delete_own_permission()

564 {

565 $this->giveUserPermissions($this->user, ['chapter-update-all']);

566 /** @var Chapter $otherChapter */

567 $otherChapter = Chapter::query()->first();

568 $ownChapter = $this->entities->createChainBelongingToUser($this->user)['chapter'];

569 $this->checkAccessPermission('chapter-delete-own', [

570 $ownChapter->getUrl() . '/delete',

571 ], [

572 $ownChapter->getUrl() => 'Delete',

573 ]);

574

575 $bookUrl = $ownChapter->book->getUrl();

576 $resp = $this->get($otherChapter->getUrl());

577 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Delete');

578 $this->get($otherChapter->getUrl('/delete'))->assertRedirect('/');

579 $this->get($ownChapter->getUrl());

580 $this->delete($ownChapter->getUrl())->assertRedirect($bookUrl);

581 $resp = $this->get($bookUrl);

582 $this->withHtml($resp)->assertElementNotContains('.book-content', $ownChapter->name);

583 }

584

585 public function test_chapter_delete_all_permission()

586 {

587 $this->giveUserPermissions($this->user, ['chapter-update-all']);

588 /** @var Chapter $otherChapter */

589 $otherChapter = Chapter::query()->first();

590 $this->checkAccessPermission('chapter-delete-all', [

591 $otherChapter->getUrl() . '/delete',

592 ], [

593 $otherChapter->getUrl() => 'Delete',

594 ]);

595

596 $bookUrl = $otherChapter->book->getUrl();

597 $this->get($otherChapter->getUrl());

598 $this->delete($otherChapter->getUrl())->assertRedirect($bookUrl);

599 $resp = $this->get($bookUrl);

600 $this->withHtml($resp)->assertElementNotContains('.book-content', $otherChapter->name);

601 }

602

603 public function test_page_create_own_permissions()

604 {

605 $book = $this->entities->book();

606 $chapter = $this->entities->chapter();

607

608 $entities = $this->entities->createChainBelongingToUser($this->user);

609 $ownBook = $entities['book'];

610 $ownChapter = $entities['chapter'];

611

612 $createUrl = $ownBook->getUrl('/create-page');

613 $createUrlChapter = $ownChapter->getUrl('/create-page');

614 $accessUrls = [$createUrl, $createUrlChapter];

615

616 foreach ($accessUrls as $url) {

617 $this->actingAs($this->user)->get($url)->assertRedirect('/');

618 }

619

620 $this->checkAccessPermission('page-create-own', [], [

621 $ownBook->getUrl() => 'New Page',

622 $ownChapter->getUrl() => 'New Page',

623 ]);

624

625 $this->giveUserPermissions($this->user, ['page-create-own']);

626

627 foreach ($accessUrls as $index => $url) {

628 $resp = $this->actingAs($this->user)->get($url);

629 $expectedUrl = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

630 $resp->assertRedirect($expectedUrl);

631 }

632

633 $this->get($createUrl);

634 /** @var Page $draft */

635 $draft = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first();

636 $this->post($draft->getUrl(), [

637 'name' => 'test page',

638 'html' => 'page desc',

639 ])->assertRedirect($ownBook->getUrl('/page/test-page'));

640

641 $resp = $this->get($book->getUrl());

642 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'New Page');

643 $this->get($book->getUrl('/create-page'))->assertRedirect('/');

644

645 $resp = $this->get($chapter->getUrl());

646 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'New Page');

647 $this->get($chapter->getUrl('/create-page'))->assertRedirect('/');

648 }

649

650 public function test_page_create_all_permissions()

651 {

652 $book = $this->entities->book();

653 $chapter = $this->entities->chapter();

654 $createUrl = $book->getUrl('/create-page');

655

656 $createUrlChapter = $chapter->getUrl('/create-page');

657 $accessUrls = [$createUrl, $createUrlChapter];

658

659 foreach ($accessUrls as $url) {

660 $this->actingAs($this->user)->get($url)->assertRedirect('/');

661 }

662

663 $this->checkAccessPermission('page-create-all', [], [

664 $book->getUrl() => 'New Page',

665 $chapter->getUrl() => 'New Page',

666 ]);

667

668 $this->giveUserPermissions($this->user, ['page-create-all']);

669

670 foreach ($accessUrls as $index => $url) {

671 $resp = $this->actingAs($this->user)->get($url);

672 $expectedUrl = Page::query()->where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

673 $resp->assertRedirect($expectedUrl);

674 }

675

676 $this->get($createUrl);

677 /** @var Page $draft */

678 $draft = Page::query()->where('draft', '=', true)->orderByDesc('id')->first();

679 $this->post($draft->getUrl(), [

680 'name' => 'test page',

681 'html' => 'page desc',

682 ])->assertRedirect($book->getUrl('/page/test-page'));

683

684 $this->get($chapter->getUrl('/create-page'));

685 /** @var Page $draft */

686 $draft = Page::query()->where('draft', '=', true)->orderByDesc('id')->first();

687 $this->post($draft->getUrl(), [

688 'name' => 'new test page',

689 'html' => 'page desc',

690 ])->assertRedirect($book->getUrl('/page/new-test-page'));

691 }

692

693 public function test_page_edit_own_permission()

694 {

695 /** @var Page $otherPage */

696 $otherPage = Page::query()->first();

697 $ownPage = $this->entities->createChainBelongingToUser($this->user)['page'];

698 $this->checkAccessPermission('page-update-own', [

699 $ownPage->getUrl() . '/edit',

700 ], [

701 $ownPage->getUrl() => 'Edit',

702 ]);

703

704 $resp = $this->get($otherPage->getUrl());

705 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Edit');

706 $this->get($otherPage->getUrl() . '/edit')->assertRedirect('/');

707 }

708

709 public function test_page_edit_all_permission()

710 {

711 /** @var Page $otherPage */

712 $otherPage = Page::query()->first();

713 $this->checkAccessPermission('page-update-all', [

714 $otherPage->getUrl('/edit'),

715 ], [

716 $otherPage->getUrl() => 'Edit',

717 ]);

718 }

719

720 public function test_page_delete_own_permission()

721 {

722 $this->giveUserPermissions($this->user, ['page-update-all']);

723 /** @var Page $otherPage */

724 $otherPage = Page::query()->first();

725 $ownPage = $this->entities->createChainBelongingToUser($this->user)['page'];

726 $this->checkAccessPermission('page-delete-own', [

727 $ownPage->getUrl() . '/delete',

728 ], [

729 $ownPage->getUrl() => 'Delete',

730 ]);

731

732 $parent = $ownPage->chapter ?? $ownPage->book;

733 $resp = $this->get($otherPage->getUrl());

734 $this->withHtml($resp)->assertElementNotContains('.action-buttons', 'Delete');

735 $this->get($otherPage->getUrl('/delete'))->assertRedirect('/');

736 $this->get($ownPage->getUrl());

737 $this->delete($ownPage->getUrl())->assertRedirect($parent->getUrl());

738 $resp = $this->get($parent->getUrl());

739 $this->withHtml($resp)->assertElementNotContains('.book-content', $ownPage->name);

740 }

741

742 public function test_page_delete_all_permission()

743 {

744 $this->giveUserPermissions($this->user, ['page-update-all']);

745 /** @var Page $otherPage */

746 $otherPage = Page::query()->first();

747

748 $this->checkAccessPermission('page-delete-all', [

749 $otherPage->getUrl() . '/delete',

750 ], [

751 $otherPage->getUrl() => 'Delete',

752 ]);

753

754 /** @var Entity $parent */

755 $parent = $otherPage->chapter ?? $otherPage->book;

756 $this->get($otherPage->getUrl());

757

758 $this->delete($otherPage->getUrl())->assertRedirect($parent->getUrl());

759 $this->get($parent->getUrl())->assertDontSee($otherPage->name);

760 }

761

762 public function test_public_role_visible_in_user_edit_screen()

763 {

764 /** @var User $user */

765 $user = User::query()->first();

766 $adminRole = Role::getSystemRole('admin');

767 $publicRole = Role::getSystemRole('public');

768 $resp = $this->asAdmin()->get('/settings/users/' . $user->id);

769 $this->withHtml($resp)->assertElementExists('[name="roles[' . $adminRole->id . ']"]')

770 ->assertElementExists('[name="roles[' . $publicRole->id . ']"]');

771 }

772

773 public function test_public_role_visible_in_role_listing()

774 {

775 $this->asAdmin()->get('/settings/roles')

776 ->assertSee('Admin')

777 ->assertSee('Public');

778 }

779

780 public function test_public_role_visible_in_default_role_setting()

781 {

782 $resp = $this->asAdmin()->get('/settings/registration');

783 $this->withHtml($resp)->assertElementExists('[data-system-role-name="admin"]')

784 ->assertElementExists('[data-system-role-name="public"]');

785 }

786

787 public function test_public_role_not_deletable()

788 {

789 /** @var Role $publicRole */

790 $publicRole = Role::getSystemRole('public');

791 $resp = $this->asAdmin()->delete('/settings/roles/delete/' . $publicRole->id);

792 $resp->assertRedirect('/');

793

794 $this->get('/settings/roles/delete/' . $publicRole->id);

795 $resp = $this->delete('/settings/roles/delete/' . $publicRole->id);

796 $resp->assertRedirect('/settings/roles/delete/' . $publicRole->id);

797 $resp = $this->get('/settings/roles/delete/' . $publicRole->id);

798 $resp->assertSee('This role is a system role and cannot be deleted');

799 }

800

801 public function test_image_delete_own_permission()

802 {

803 $this->giveUserPermissions($this->user, ['image-update-all']);

804 $page = $this->entities->page();

805 $image = Image::factory()->create([

806 'uploaded_to' => $page->id,

807 'created_by' => $this->user->id,

808 'updated_by' => $this->user->id,

809 ]);

810

811 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertStatus(403);

812

813 $this->giveUserPermissions($this->user, ['image-delete-own']);

814

815 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertOk();

816 $this->assertDatabaseMissing('images', ['id' => $image->id]);

817 }

818

819 public function test_image_delete_all_permission()

820 {

821 $this->giveUserPermissions($this->user, ['image-update-all']);

822 $admin = $this->getAdmin();

823 $page = $this->entities->page();

824 $image = Image::factory()->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);

825

826 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertStatus(403);

827

828 $this->giveUserPermissions($this->user, ['image-delete-own']);

829

830 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertStatus(403);

831

832 $this->giveUserPermissions($this->user, ['image-delete-all']);

833

834 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)->assertOk();

835 $this->assertDatabaseMissing('images', ['id' => $image->id]);

836 }

837

838 public function test_role_permission_removal()

839 {

840 // To cover issue fixed in f99c8ff99aee9beb8c692f36d4b84dc6e651e50a.

841 $page = $this->entities->page();

842 $viewerRole = Role::getRole('viewer');

843 $viewer = $this->getViewer();

844 $this->actingAs($viewer)->get($page->getUrl())->assertOk();

845

846 $this->asAdmin()->put('/settings/roles/' . $viewerRole->id, [

847 'display_name' => $viewerRole->display_name,

848 'description' => $viewerRole->description,

849 'permission' => [],

850 ])->assertStatus(302);

851

852 $this->actingAs($viewer)->get($page->getUrl())->assertStatus(404);

853 }

854

855 public function test_empty_state_actions_not_visible_without_permission()

856 {

857 $admin = $this->getAdmin();

858 // Book links

859 $book = Book::factory()->create(['created_by' => $admin->id, 'updated_by' => $admin->id]);

860 $this->entities->regenPermissions($book);

861 $this->actingAs($this->getViewer())->get($book->getUrl())

862 ->assertDontSee('Create a new page')

863 ->assertDontSee('Add a chapter');

864

865 // Chapter links

866 $chapter = Chapter::factory()->create(['created_by' => $admin->id, 'updated_by' => $admin->id, 'book_id' => $book->id]);

867 $this->entities->regenPermissions($chapter);

868 $this->actingAs($this->getViewer())->get($chapter->getUrl())

869 ->assertDontSee('Create a new page')

870 ->assertDontSee('Sort the current book');

871 }

872

873 public function test_comment_create_permission()

874 {

875 $ownPage = $this->entities->createChainBelongingToUser($this->user)['page'];

876

877 $this->actingAs($this->user)

878 ->addComment($ownPage)

879 ->assertStatus(403);

880

881 $this->giveUserPermissions($this->user, ['comment-create-all']);

882

883 $this->actingAs($this->user)

884 ->addComment($ownPage)

885 ->assertOk();

886 }

887

888 public function test_comment_update_own_permission()

889 {

890 $ownPage = $this->entities->createChainBelongingToUser($this->user)['page'];

891 $this->giveUserPermissions($this->user, ['comment-create-all']);

892 $this->actingAs($this->user)->addComment($ownPage);

893 /** @var Comment $comment */

894 $comment = $ownPage->comments()->latest()->first();

895

896 // no comment-update-own

897 $this->actingAs($this->user)->updateComment($comment)->assertStatus(403);

898

899 $this->giveUserPermissions($this->user, ['comment-update-own']);

900

901 // now has comment-update-own

902 $this->actingAs($this->user)->updateComment($comment)->assertOk();

903 }

904

905 public function test_comment_update_all_permission()

906 {

907 /** @var Page $ownPage */

908 $ownPage = $this->entities->createChainBelongingToUser($this->user)['page'];

909 $this->asAdmin()->addComment($ownPage);

910 /** @var Comment $comment */

911 $comment = $ownPage->comments()->latest()->first();

912

913 // no comment-update-all

914 $this->actingAs($this->user)->updateComment($comment)->assertStatus(403);

915

916 $this->giveUserPermissions($this->user, ['comment-update-all']);

917

918 // now has comment-update-all

919 $this->actingAs($this->user)->updateComment($comment)->assertOk();

920 }

921

922 public function test_comment_delete_own_permission()

923 {

924 /** @var Page $ownPage */

925 $ownPage = $this->entities->createChainBelongingToUser($this->user)['page'];

926 $this->giveUserPermissions($this->user, ['comment-create-all']);

927 $this->actingAs($this->user)->addComment($ownPage);

928

929 /** @var Comment $comment */

930 $comment = $ownPage->comments()->latest()->first();

931

932 // no comment-delete-own

933 $this->actingAs($this->user)->deleteComment($comment)->assertStatus(403);

934

935 $this->giveUserPermissions($this->user, ['comment-delete-own']);

936

937 // now has comment-update-own

938 $this->actingAs($this->user)->deleteComment($comment)->assertOk();

939 }

940

941 public function test_comment_delete_all_permission()

942 {

943 /** @var Page $ownPage */

944 $ownPage = $this->entities->createChainBelongingToUser($this->user)['page'];

945 $this->asAdmin()->addComment($ownPage);

946 /** @var Comment $comment */

947 $comment = $ownPage->comments()->latest()->first();

948

949 // no comment-delete-all

950 $this->actingAs($this->user)->deleteComment($comment)->assertStatus(403);

951

952 $this->giveUserPermissions($this->user, ['comment-delete-all']);

953

954 // now has comment-delete-all

955 $this->actingAs($this->user)->deleteComment($comment)->assertOk();

956 }

957

958 private function addComment(Page $page): TestResponse

959 {

960 $comment = Comment::factory()->make();

961

962 return $this->postJson("/comment/$page->id", $comment->only('text', 'html'));

963 }

964

965 private function updateComment(Comment $comment): TestResponse

966 {

967 $commentData = Comment::factory()->make();

968

969 return $this->putJson("/comment/{$comment->id}", $commentData->only('text', 'html'));

970 }

971

972 private function deleteComment(Comment $comment): TestResponse

973 {

974 return $this->json('DELETE', '/comment/' . $comment->id);

975 }

976 }