5 use BookStack\Activity\ActivityType;
6 use BookStack\Users\Models\Role;
7 use BookStack\Users\Models\User;
10 class RoleManagementTest extends TestCase
/**
 * The built-in 'admin' system role must stay undeletable, even for an admin.
 *
 * The delete request is expected to bounce straight back to the confirmation
 * page, which then explains that the role cannot be deleted.
 */
public function test_cannot_delete_admin_role()
{
    $systemAdmin = Role::getRole('admin');
    $confirmUrl = "/settings/roles/delete/{$systemAdmin->id}";

    // Visit the confirmation page first, as a browser would, then submit the delete.
    $this->asAdmin()->get($confirmUrl);

    $deleteResp = $this->delete($confirmUrl);
    $deleteResp->assertRedirect($confirmUrl);

    $this->get($confirmUrl)->assertSee('cannot be deleted');
}
/**
 * A role referenced by the 'registration-role' setting is refused deletion.
 *
 * As with the admin role, the delete redirects back to the confirmation page
 * and the page states that the role cannot be deleted.
 */
public function test_role_cannot_be_deleted_if_default()
{
    $defaultRole = $this->users->createRole();
    $this->setSettings(['registration-role' => $defaultRole->id]);

    $confirmUrl = "/settings/roles/delete/{$defaultRole->id}";
    $this->asAdmin()->get($confirmUrl);

    $deleteResp = $this->delete($confirmUrl);
    $deleteResp->assertRedirect($confirmUrl);
    $this->get($confirmUrl)->assertSee('cannot be deleted');
}
/**
 * Walks the full role lifecycle through the settings UI: navigation links,
 * creation, the edit form, an update that enables MFA enforcement, and
 * finally deletion together with its ROLE_DELETE activity entry.
 */
public function test_role_create_update_delete_flow()
{
    $name = 'Test Role';
    $description = 'a little test description';
    $updatedName = 'An Super Updated role';

    // Navigation: the features page links to roles, the roles page links to the create form.
    $resp = $this->asAdmin()->get('/settings/features');
    $this->withHtml($resp)->assertElementContains('a[href="' . url('/settings/roles') . '"]', 'Roles');

    $resp = $this->get('/settings/roles');
    $this->withHtml($resp)->assertElementContains('a[href="' . url('/settings/roles/new') . '"]', 'Create New Role');

    $resp = $this->get('/settings/roles/new');
    $this->withHtml($resp)->assertElementContains('form[action="' . url('/settings/roles/new') . '"]', 'Save Role');

    // Create: a freshly created role is stored with mfa_enforced = false.
    $this->post('/settings/roles/new', [
        'display_name' => $name,
        'description' => $description,
    ])->assertRedirect('/settings/roles');

    $resp = $this->get('/settings/roles');
    $resp->assertSee($name);
    $resp->assertSee($description);
    $this->assertDatabaseHas('roles', [
        'display_name' => $name,
        'description' => $description,
        'mfa_enforced' => false,
    ]);

    /** @var Role $role */
    $role = Role::query()->where('display_name', '=', $name)->first();
    $editUrl = "/settings/roles/{$role->id}";
    $deleteUrl = "/settings/roles/delete/{$role->id}";

    // Update: the edit form renders, and a PUT carrying the string 'true' persists a boolean flag.
    $resp = $this->get($editUrl);
    $resp->assertSee($name);
    $resp->assertSee($description);
    $this->withHtml($resp)->assertElementContains('form[action="' . url($editUrl) . '"]', 'Save Role');

    $this->put($editUrl, [
        'display_name' => $updatedName,
        'description' => $description,
        'mfa_enforced' => 'true',
    ])->assertRedirect('/settings/roles');
    $this->assertDatabaseHas('roles', [
        'display_name' => $updatedName,
        'description' => $description,
        'mfa_enforced' => true,
    ]);

    // Delete: edit page links to the confirmation page, which posts the delete; the deletion is audited.
    $resp = $this->get($editUrl);
    $this->withHtml($resp)->assertElementContains('a[href="' . url($deleteUrl) . '"]', 'Delete Role');

    $resp = $this->get($deleteUrl);
    $resp->assertSee($updatedName);
    $this->withHtml($resp)->assertElementContains('form[action="' . url($deleteUrl) . '"]', 'Confirm');

    $this->delete($deleteUrl)->assertRedirect('/settings/roles');
    $this->get('/settings/roles')->assertSee('Role successfully deleted');
    $this->assertActivityExists(ActivityType::ROLE_DELETE);
}
/**
 * Guards against admin lock-out: the sole holder of the 'admin' system role
 * must not be able to drop that role from their own account through the
 * user edit form. The update is bounced back to the edit page with a notice.
 */
99 public function test_admin_role_cannot_be_removed_if_user_last_admin()
101 /** @var Role $adminRole */
102 $adminRole = Role::query()->where('system_name', '=', 'admin')->first();
103 $adminUser = $this->users->admin();
// Remove every other member of the admin role so this user is its only holder.
104 $adminRole->users()->where('id', '!=', $adminUser->id)->delete();
105 $this->assertEquals(1, $adminRole->users()->count());
107 $viewerRole = $this->users->viewer()->roles()->first();
109 $editUrl = '/settings/users/' . $adminUser->id;
// Acting as the last admin, submit a role set that contains only the viewer role
// (i.e. the admin role is omitted from the payload).
110 $resp = $this->actingAs($adminUser)->put($editUrl, [
111 'name' => $adminUser->name,
112 'email' => $adminUser->email,
114 'viewer' => strval($viewerRole->id),
// The request is refused: redirect back to the edit page rather than applying the change.
118 $resp->assertRedirect($editUrl);
120 $resp = $this->get($editUrl);
121 $resp->assertSee('This user is the only user assigned to the administrator role');
/**
 * Deleting a role with a 'migrate_role_id' moves the deleted role's members
 * onto the chosen role.
 */
public function test_migrate_users_on_delete_works()
{
    $targetRole = $this->users->createRole();
    $doomedRole = $this->users->createRole();
    $member = $this->users->viewer();
    $member->attachRole($doomedRole);

    // Starting state: the member belongs to the role about to be deleted, not the target.
    $this->assertCount(0, $targetRole->users()->get());
    $this->assertCount(1, $doomedRole->users()->get());

    $confirmUrl = "/settings/roles/delete/{$doomedRole->id}";
    $confirmPage = $this->asAdmin()->get($confirmUrl);
    $this->withHtml($confirmPage)->assertElementExists('select[name=migrate_role_id]');
    $this->asAdmin()->delete($confirmUrl, ['migrate_role_id' => $targetRole->id]);

    // After deletion the member has been moved onto the target role.
    $migrated = $targetRole->users()->get();
    $this->assertCount(1, $migrated);
    $this->assertEquals($member->id, $migrated->first()->id);
}
/**
 * An empty 'migrate_role_id' (the form's "no migration" choice) is accepted:
 * the role is deleted and its row is gone from the roles table.
 */
public function test_delete_with_empty_migrate_option_works()
{
    $role = $this->users->attachNewRole($this->users->viewer());
    $this->assertCount(1, $role->users()->get());

    $confirmUrl = "/settings/roles/delete/{$role->id}";
    $confirmPage = $this->asAdmin()->get($confirmUrl);
    $this->withHtml($confirmPage)->assertElementExists('select[name=migrate_role_id]');

    $deleteResp = $this->asAdmin()->delete($confirmUrl, ['migrate_role_id' => '']);
    $deleteResp->assertRedirect('/settings/roles');
    $this->assertDatabaseMissing('roles', ['id' => $role->id]);
}
/**
 * Deleting a role must also purge its entity_permissions rows, so no
 * dangling permission entries remain that reference a role id which no
 * longer exists.
 */
public function test_entity_permissions_are_removed_on_delete()
{
    /** @var Role $role */
    $role = Role::query()->create(['display_name' => 'Entity Permissions Delete Test']);
    $page = $this->entities->page();
    $this->permissions->setEntityPermissions($page, ['view'], [$role]);

    $permissionRow = [
        'role_id' => $role->id,
        'entity_id' => $page->id,
        'entity_type' => $page->getMorphClass(),
    ];

    // Precondition: the per-entity permission was written for this role.
    $this->assertDatabaseHas('entity_permissions', $permissionRow);

    $this->asAdmin()->delete("/settings/roles/delete/{$role->id}");

    // The role's permission row goes away with the role.
    $this->assertDatabaseMissing('entity_permissions', $permissionRow);
}
/**
 * The role edit form carries a notice that image view permissions depend on
 * the configured image storage option.
 */
public function test_image_view_notice_shown_on_role_form()
{
    /** @var Role $anyRole */
    $anyRole = Role::query()->first();
    $formResp = $this->asAdmin()->get("/settings/roles/{$anyRole->id}");
    $formResp->assertSee('Actual access of uploaded image files will be dependant upon system image storage option');
}
/**
 * The role edit page offers a "Copy" link pointing at the create form with
 * a copy_from query parameter for this role.
 */
public function test_copy_role_button_shown()
{
    /** @var Role $anyRole */
    $anyRole = Role::query()->first();
    $editResp = $this->asAdmin()->get("/settings/roles/{$anyRole->id}");
    $copyLink = "a[href$=\"/roles/new?copy_from={$anyRole->id}\"]";
    $this->withHtml($editResp)->assertElementContains($copyLink, 'Copy');
}
/**
 * Opening the create form with ?copy_from=<role id> prefills the display
 * name from the source role, suffixed with " (Copy)".
 */
public function test_copy_from_param_on_create_prefills_with_other_role_data()
{
    /** @var Role $sourceRole */
    $sourceRole = Role::query()->first();
    $createResp = $this->asAdmin()->get("/settings/roles/new?copy_from={$sourceRole->id}");

    $expectedValue = $sourceRole->display_name . ' (Copy)';
    $this->withHtml($createResp)->assertElementExists("input[name=\"display_name\"][value=\"{$expectedValue}\"]");
}
/**
 * The user edit screen lists both the 'admin' and the 'public' system roles
 * as assignable role inputs (name="roles[<id>]").
 */
public function test_public_role_visible_in_user_edit_screen()
{
    /** @var User $someUser */
    $someUser = User::query()->first();
    $adminRole = Role::getSystemRole('admin');
    $publicRole = Role::getSystemRole('public');

    $editResp = $this->asAdmin()->get("/settings/users/{$someUser->id}");
    $html = $this->withHtml($editResp);
    $html->assertElementExists(sprintf('[name="roles[%s]"]', $adminRole->id));
    $html->assertElementExists(sprintf('[name="roles[%s]"]', $publicRole->id));
}
/**
 * The 'public' system role is shown on the roles index alongside the
 * regular roles.
 */
219 public function test_public_role_visible_in_role_listing()
221 $this->asAdmin()->get('/settings/roles')
223 ->assertSee('Public');
/**
 * The registration settings page renders both the 'admin' and the 'public'
 * system roles as options for the default role (marked via
 * data-system-role-name).
 */
public function test_public_role_visible_in_default_role_setting()
{
    $settingsResp = $this->asAdmin()->get('/settings/registration');
    $html = $this->withHtml($settingsResp);
    $html->assertElementExists('[data-system-role-name="admin"]');
    $html->assertElementExists('[data-system-role-name="public"]');
}
/**
 * The 'public' system role cannot be deleted, whether the delete is sent
 * directly or after visiting the confirmation page. Both attempts redirect
 * back to the confirmation page, which names the role as a system role.
 */
public function test_public_role_not_deletable()
{
    /** @var Role $publicRole */
    $publicRole = Role::getSystemRole('public');
    $confirmUrl = "/settings/roles/delete/{$publicRole->id}";

    // Direct delete without visiting the confirmation page first.
    $this->asAdmin()->delete($confirmUrl)->assertRedirect($confirmUrl);

    // Same outcome when following the normal confirm-then-delete flow.
    $this->get($confirmUrl);
    $this->delete($confirmUrl)->assertRedirect($confirmUrl);

    $confirmResp = $this->get($confirmUrl);
    $confirmResp->assertSee('This role is a system role and cannot be deleted');
}
/**
 * Regression test: updating a role must actually drop permissions that are
 * no longer granted, so a viewer who could previously see a page loses
 * access after the viewer role is saved without that permission.
 */
247 public function test_role_permission_removal()
249 // To cover issue fixed in f99c8ff99aee9beb8c692f36d4b84dc6e651e50a.
250 $page = $this->entities->page();
251 $viewerRole = Role::getRole('viewer');
252 $viewer = $this->users->viewer();
// Precondition: the viewer can currently read the page.
253 $this->actingAs($viewer)->get($page->getUrl())->assertOk();
// Save the viewer role via the settings form; the 302 confirms the update was accepted.
255 $this->asAdmin()->put('/settings/roles/' . $viewerRole->id, [
256 'display_name' => $viewerRole->display_name,
257 'description' => $viewerRole->description,
259 ])->assertStatus(302);
// After the update the same page is served as 404 to the viewer.
261 $this->actingAs($viewer)->get($page->getUrl())->assertStatus(404);
/**
 * The roles index honours the per-user 'roles_sort' / 'roles_sort_order'
 * settings. A role named 'zz test role' with a created_at one day in the
 * future should be first only for name-descending and created_at-descending.
 */
264 public function test_index_listing_sorting()
267 $role = $this->users->createRole();
268 $role->display_name = 'zz test role';
269 $role->created_at = now()->addDays(1);
// Applies the given sort settings for the current user, loads the index and
// checks whether the test role's edit link sits in the first list row.
272 $runTest = function (string $order, string $direction, bool $expectFirstResult) use ($role) {
273 setting()->putForCurrentUser('roles_sort', $order);
274 setting()->putForCurrentUser('roles_sort_order', $direction);
275 $html = $this->withHtml($this->get('/settings/roles'));
276 $selector = ".item-list-row:first-child a[href$=\"/roles/{$role->id}\"]";
277 if ($expectFirstResult) {
278 $html->assertElementExists($selector);
280 $html->assertElementNotExists($selector);
// 'zz…' sorts last by name ascending and first by name descending; the
// future created_at makes it newest, so first for created_at descending.
284 $runTest('name', 'asc', false);
285 $runTest('name', 'desc', true);
286 $runTest('created_at', 'desc', true);
287 $runTest('created_at', 'asc', false);