1 <?php namespace Tests;
2
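class RestrictionsTest extends BrowserKitTest
{
    // Editor user returned by getEditor(); the default actor in most tests.
    protected $user;

    // User carrying only the 'viewer' role; used to check that entity-level
    // permissions take precedence over what the role allows by default.
    protected $viewer;

    // The PermissionService instance resolved from the app container in setUp().
    protected $restrictionService;

    public function setUp()
    {
        parent::setUp();
        $this->user = $this->getEditor();
        $this->viewer = $this->getViewer();
        $this->restrictionService = $this->app[\BookStack\Services\PermissionService::class];
    }

    /**
     * Create a fresh user that holds only the 'viewer' role.
     *
     * @return mixed The user produced by getNewBlankUser(), with the viewer role attached.
     */
    protected function getViewer()
    {
        $viewerRole = \BookStack\Role::getRole('viewer');
        $newUser = $this->getNewBlankUser();
        $newUser->attachRole($viewerRole);
        return $newUser;
    }

    /**
     * Manually set some permissions on an entity.
     *
     * Marks the entity as restricted, removes every existing entity permission
     * and then grants each given action to BOTH the editor's role and the
     * viewer's role. Passing an empty array therefore leaves the entity
     * restricted with no permissions at all, so no test user may even view it.
     *
     * @param \BookStack\Entity $entity
     * @param string[] $actions Action names ('view', 'create', 'update', 'delete'); stored lower-cased.
     */
    protected function setEntityRestrictions(\BookStack\Entity $entity, $actions)
    {
        $entity->restricted = true;
        $entity->permissions()->delete();

        // Editor role first, viewer role second; both get every requested action.
        $roleIds = [
            $this->user->roles->first()->id,
            $this->viewer->roles->first()->id,
        ];

        foreach ($actions as $action) {
            foreach ($roleIds as $roleId) {
                $entity->permissions()->create([
                    'role_id' => $roleId,
                    'action' => strtolower($action)
                ]);
            }
        }

        $entity->save();
        $entity->load('permissions');
        // Regenerate the derived joint permissions from the raw permissions just written,
        // so the requests made later in the test observe the new rules.
        $this->restrictionService->buildJointPermissionsForEntity($entity);
        $entity->load('jointPermissions');
    }

    /**
     * Assert that forcing a visit to $url is refused with the permission error
     * and that the user ends up back on the home page.
     *
     * @param string $url
     * @return $this
     */
    protected function assertPermissionDenied($url)
    {
        return $this->forceVisit($url)
            ->see('You do not have permission')
            ->seePageIs('/');
    }

    /**
     * A book with no 'view' permission, and everything inside it, reports "not found";
     * granting 'view' on the book makes the book, its first page and first chapter visible again.
     */
    public function test_book_view_restriction()
    {
        $book = \BookStack\Book::first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->user)
            ->visit($bookUrl)
            ->seePageIs($bookUrl);

        $this->setEntityRestrictions($book, []);

        $this->forceVisit($bookUrl)
            ->see('Book not found');
        $this->forceVisit($bookPage->getUrl())
            ->see('Page not found');
        $this->forceVisit($bookChapter->getUrl())
            ->see('Chapter not found');

        $this->setEntityRestrictions($book, ['view']);

        $this->visit($bookUrl)
            ->see($book->name);
        $this->visit($bookPage->getUrl())
            ->see($bookPage->name);
        $this->visit($bookChapter->getUrl())
            ->see($bookChapter->name);
    }

    /**
     * Without 'create' on the book the editor can neither reach the create forms
     * nor see the "New Page"/"New Chapter" buttons; with it, both creations succeed.
     */
    public function test_book_create_restriction()
    {
        $book = \BookStack\Book::first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)
            ->visit($bookUrl)
            ->dontSeeInElement('.action-buttons', 'New Page')
            ->dontSeeInElement('.action-buttons', 'New Chapter');
        $this->actingAs($this->user)
            ->visit($bookUrl)
            ->seeInElement('.action-buttons', 'New Page')
            ->seeInElement('.action-buttons', 'New Chapter');

        $this->setEntityRestrictions($book, ['view', 'delete', 'update']);

        $this->assertPermissionDenied($bookUrl . '/chapter/create');
        $this->assertPermissionDenied($bookUrl . '/page/create');
        $this->visit($bookUrl)->dontSeeInElement('.action-buttons', 'New Page')
            ->dontSeeInElement('.action-buttons', 'New Chapter');

        $this->setEntityRestrictions($book, ['view', 'create']);

        $this->visit($bookUrl . '/chapter/create')
            ->type('test chapter', 'name')
            ->type('test description for chapter', 'description')
            ->press('Save Chapter')
            ->seePageIs($bookUrl . '/chapter/test-chapter');
        $this->visit($bookUrl . '/page/create')
            ->type('test page', 'name')
            ->type('test content', 'html')
            ->press('Save Page')
            ->seePageIs($bookUrl . '/page/test-page');
        $this->visit($bookUrl)->seeInElement('.action-buttons', 'New Page')
            ->seeInElement('.action-buttons', 'New Chapter');
    }

    /**
     * 'update' on a book gates the edit forms of the book, its pages and its chapters.
     */
    public function test_book_update_restriction()
    {
        $book = \BookStack\Book::first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->user)
            ->visit($bookUrl . '/edit')
            ->see('Edit Book');

        $this->setEntityRestrictions($book, ['view', 'delete']);

        $this->assertPermissionDenied($bookUrl . '/edit');
        $this->assertPermissionDenied($bookPage->getUrl() . '/edit');
        $this->assertPermissionDenied($bookChapter->getUrl() . '/edit');

        $this->setEntityRestrictions($book, ['view', 'update']);

        $this->visit($bookUrl . '/edit')
            ->seePageIs($bookUrl . '/edit');
        $this->visit($bookPage->getUrl() . '/edit')
            ->seePageIs($bookPage->getUrl() . '/edit');
        $this->visit($bookChapter->getUrl() . '/edit')
            ->see('Edit Chapter');
    }

    /**
     * 'delete' on a book gates the delete pages of the book, its pages and its chapters.
     */
    public function test_book_delete_restriction()
    {
        $book = \BookStack\Book::first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->user)
            ->visit($bookUrl . '/delete')
            ->see('Delete Book');

        $this->setEntityRestrictions($book, ['view', 'update']);

        $this->assertPermissionDenied($bookUrl . '/delete');
        $this->assertPermissionDenied($bookPage->getUrl() . '/delete');
        $this->assertPermissionDenied($bookChapter->getUrl() . '/delete');

        $this->setEntityRestrictions($book, ['view', 'delete']);

        $this->visit($bookUrl . '/delete')
            ->seePageIs($bookUrl . '/delete')->see('Delete Book');
        $this->visit($bookPage->getUrl() . '/delete')
            ->seePageIs($bookPage->getUrl() . '/delete')->see('Delete Page');
        $this->visit($bookChapter->getUrl() . '/delete')
            ->see('Delete Chapter');
    }

    /**
     * A chapter with no 'view' permission, and its pages, report "not found";
     * granting 'view' on the chapter makes them visible again.
     */
    public function test_chapter_view_restriction()
    {
        $chapter = \BookStack\Chapter::first();
        $chapterPage = $chapter->pages->first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)
            ->visit($chapterUrl)
            ->seePageIs($chapterUrl);

        $this->setEntityRestrictions($chapter, []);

        $this->forceVisit($chapterUrl)
            ->see('Chapter not found');
        $this->forceVisit($chapterPage->getUrl())
            ->see('Page not found');

        $this->setEntityRestrictions($chapter, ['view']);

        $this->visit($chapterUrl)
            ->see($chapter->name);
        $this->visit($chapterPage->getUrl())
            ->see($chapterPage->name);
    }

    /**
     * 'create' on a chapter gates the chapter's create-page form and its "New Page" button.
     */
    public function test_chapter_create_restriction()
    {
        $chapter = \BookStack\Chapter::first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)
            ->visit($chapterUrl)
            ->seeInElement('.action-buttons', 'New Page');

        $this->setEntityRestrictions($chapter, ['view', 'delete', 'update']);

        $this->assertPermissionDenied($chapterUrl . '/create-page');
        $this->visit($chapterUrl)->dontSeeInElement('.action-buttons', 'New Page');

        $this->setEntityRestrictions($chapter, ['view', 'create']);

        // A page created from within a chapter still lives at the book-level page URL.
        $this->visit($chapterUrl . '/create-page')
            ->type('test page', 'name')
            ->type('test content', 'html')
            ->press('Save Page')
            ->seePageIs($chapter->book->getUrl() . '/page/test-page');

        $this->visit($chapterUrl)->seeInElement('.action-buttons', 'New Page');
    }

    /**
     * 'update' on a chapter gates the edit forms of the chapter and of its pages.
     */
    public function test_chapter_update_restriction()
    {
        $chapter = \BookStack\Chapter::first();
        $chapterPage = $chapter->pages->first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)
            ->visit($chapterUrl . '/edit')
            ->see('Edit Chapter');

        $this->setEntityRestrictions($chapter, ['view', 'delete']);

        $this->assertPermissionDenied($chapterUrl . '/edit');
        $this->assertPermissionDenied($chapterPage->getUrl() . '/edit');

        $this->setEntityRestrictions($chapter, ['view', 'update']);

        $this->visit($chapterUrl . '/edit')
            ->seePageIs($chapterUrl . '/edit')->see('Edit Chapter');
        $this->visit($chapterPage->getUrl() . '/edit')
            ->seePageIs($chapterPage->getUrl() . '/edit');
    }

    /**
     * 'delete' on a chapter gates the delete pages of the chapter and of its pages.
     */
    public function test_chapter_delete_restriction()
    {
        $chapter = \BookStack\Chapter::first();
        $chapterPage = $chapter->pages->first();

        $chapterUrl = $chapter->getUrl();
        $this->actingAs($this->user)
            ->visit($chapterUrl . '/delete')
            ->see('Delete Chapter');

        $this->setEntityRestrictions($chapter, ['view', 'update']);

        $this->assertPermissionDenied($chapterUrl . '/delete');
        $this->assertPermissionDenied($chapterPage->getUrl() . '/delete');

        $this->setEntityRestrictions($chapter, ['view', 'delete']);

        $this->visit($chapterUrl . '/delete')
            ->seePageIs($chapterUrl . '/delete')->see('Delete Chapter');
        $this->visit($chapterPage->getUrl() . '/delete')
            ->seePageIs($chapterPage->getUrl() . '/delete')->see('Delete Page');
    }

    /**
     * A page restricted without 'view' reports "not found" even when other actions are granted.
     */
    public function test_page_view_restriction()
    {
        $page = \BookStack\Page::first();

        $pageUrl = $page->getUrl();
        $this->actingAs($this->user)
            ->visit($pageUrl)
            ->seePageIs($pageUrl);

        $this->setEntityRestrictions($page, ['update', 'delete']);

        $this->forceVisit($pageUrl)
            ->see('Page not found');

        $this->setEntityRestrictions($page, ['view']);

        $this->visit($pageUrl)
            ->see($page->name);
    }

    /**
     * 'update' on a page gates its edit form.
     */
    public function test_page_update_restriction()
    {
        // Fixed: this test previously loaded Chapter::first(), so the page update
        // restriction was never exercised; the sibling page tests all use Page::first().
        $page = \BookStack\Page::first();

        $pageUrl = $page->getUrl();
        $this->actingAs($this->user)
            ->visit($pageUrl . '/edit')
            ->seeInField('name', $page->name);

        $this->setEntityRestrictions($page, ['view', 'delete']);

        $this->assertPermissionDenied($pageUrl . '/edit');

        $this->setEntityRestrictions($page, ['view', 'update']);

        $this->visit($pageUrl . '/edit')
            ->seePageIs($pageUrl . '/edit')->seeInField('name', $page->name);
    }

    /**
     * 'delete' on a page gates its delete page.
     */
    public function test_page_delete_restriction()
    {
        $page = \BookStack\Page::first();

        $pageUrl = $page->getUrl();
        $this->actingAs($this->user)
            ->visit($pageUrl . '/delete')
            ->see('Delete Page');

        $this->setEntityRestrictions($page, ['view', 'update']);

        $this->assertPermissionDenied($pageUrl . '/delete');

        $this->setEntityRestrictions($page, ['view', 'delete']);

        $this->visit($pageUrl . '/delete')
            ->seePageIs($pageUrl . '/delete')->see('Delete Page');
    }

    /**
     * Submitting the book permissions form as admin persists the restricted flag
     * and the chosen role/action row in entity_permissions.
     */
    public function test_book_restriction_form()
    {
        $book = \BookStack\Book::first();
        $this->asAdmin()->visit($book->getUrl() . '/permissions')
            ->see('Book Permissions')
            ->check('restricted')
            ->check('restrictions[2][view]')
            ->press('Save Permissions')
            ->seeInDatabase('books', ['id' => $book->id, 'restricted' => true])
            ->seeInDatabase('entity_permissions', [
                'restrictable_id' => $book->id,
                'restrictable_type' => 'BookStack\Book',
                'role_id' => '2',
                'action' => 'view'
            ]);
    }

    /**
     * Submitting the chapter permissions form as admin persists the restricted flag
     * and the chosen role/action row in entity_permissions.
     */
    public function test_chapter_restriction_form()
    {
        $chapter = \BookStack\Chapter::first();
        $this->asAdmin()->visit($chapter->getUrl() . '/permissions')
            ->see('Chapter Permissions')
            ->check('restricted')
            ->check('restrictions[2][update]')
            ->press('Save Permissions')
            ->seeInDatabase('chapters', ['id' => $chapter->id, 'restricted' => true])
            ->seeInDatabase('entity_permissions', [
                'restrictable_id' => $chapter->id,
                'restrictable_type' => 'BookStack\Chapter',
                'role_id' => '2',
                'action' => 'update'
            ]);
    }

    /**
     * Submitting the page permissions form as admin persists the restricted flag
     * and the chosen role/action row in entity_permissions.
     */
    public function test_page_restriction_form()
    {
        $page = \BookStack\Page::first();
        $this->asAdmin()->visit($page->getUrl() . '/permissions')
            ->see('Page Permissions')
            ->check('restricted')
            ->check('restrictions[2][delete]')
            ->press('Save Permissions')
            ->seeInDatabase('pages', ['id' => $page->id, 'restricted' => true])
            ->seeInDatabase('entity_permissions', [
                'restrictable_id' => $page->id,
                'restrictable_type' => 'BookStack\Page',
                'role_id' => '2',
                'action' => 'delete'
            ]);
    }

    /**
     * A page nobody may view must not be listed in the sidebar navigation shown on a sibling page.
     */
    public function test_restricted_pages_not_visible_in_book_navigation_on_pages()
    {
        $chapter = \BookStack\Chapter::first();
        $page = $chapter->pages->first();
        // Relies on the test data giving this chapter at least three pages.
        $page2 = $chapter->pages[2];

        $this->setEntityRestrictions($page, []);

        $this->actingAs($this->user)
            ->visit($page2->getUrl())
            ->dontSeeInElement('.sidebar-page-list', $page->name);
    }

    /**
     * A page nobody may view must not be listed in the sidebar navigation shown on its chapter.
     */
    public function test_restricted_pages_not_visible_in_book_navigation_on_chapters()
    {
        $chapter = \BookStack\Chapter::first();
        $page = $chapter->pages->first();

        $this->setEntityRestrictions($page, []);

        $this->actingAs($this->user)
            ->visit($chapter->getUrl())
            ->dontSeeInElement('.sidebar-page-list', $page->name);
    }

    /**
     * A page nobody may view must not appear anywhere on its chapter's page, not just the sidebar.
     */
    public function test_restricted_pages_not_visible_on_chapter_pages()
    {
        $chapter = \BookStack\Chapter::first();
        $page = $chapter->pages->first();

        $this->setEntityRestrictions($page, []);

        $this->actingAs($this->user)
            ->visit($chapter->getUrl())
            ->dontSee($page->name);
    }

    /**
     * Same flow as test_book_create_restriction but acting as the viewer throughout:
     * the viewer cannot create by default, so a granted entity 'create' permission
     * must override the role's defaults for the creations to succeed.
     */
    public function test_book_create_restriction_override()
    {
        $book = \BookStack\Book::first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)
            ->visit($bookUrl)
            ->dontSeeInElement('.action-buttons', 'New Page')
            ->dontSeeInElement('.action-buttons', 'New Chapter');

        $this->setEntityRestrictions($book, ['view', 'delete', 'update']);

        $this->assertPermissionDenied($bookUrl . '/chapter/create');
        $this->assertPermissionDenied($bookUrl . '/page/create');
        $this->visit($bookUrl)->dontSeeInElement('.action-buttons', 'New Page')
            ->dontSeeInElement('.action-buttons', 'New Chapter');

        $this->setEntityRestrictions($book, ['view', 'create']);

        $this->visit($bookUrl . '/chapter/create')
            ->type('test chapter', 'name')
            ->type('test description for chapter', 'description')
            ->press('Save Chapter')
            ->seePageIs($bookUrl . '/chapter/test-chapter');
        $this->visit($bookUrl . '/page/create')
            ->type('test page', 'name')
            ->type('test content', 'html')
            ->press('Save Page')
            ->seePageIs($bookUrl . '/page/test-page');
        $this->visit($bookUrl)->seeInElement('.action-buttons', 'New Page')
            ->seeInElement('.action-buttons', 'New Chapter');
    }

    /**
     * As the viewer, an entity-level 'update' permission on the book must unlock the
     * edit forms of the book, its pages and its chapters that the role alone does not allow.
     */
    public function test_book_update_restriction_override()
    {
        $book = \BookStack\Book::first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)
            ->visit($bookUrl . '/edit')
            ->dontSee('Edit Book');

        $this->setEntityRestrictions($book, ['view', 'delete']);

        $this->assertPermissionDenied($bookUrl . '/edit');
        $this->assertPermissionDenied($bookPage->getUrl() . '/edit');
        $this->assertPermissionDenied($bookChapter->getUrl() . '/edit');

        $this->setEntityRestrictions($book, ['view', 'update']);

        $this->visit($bookUrl . '/edit')
            ->seePageIs($bookUrl . '/edit');
        $this->visit($bookPage->getUrl() . '/edit')
            ->seePageIs($bookPage->getUrl() . '/edit');
        $this->visit($bookChapter->getUrl() . '/edit')
            ->see('Edit Chapter');
    }

    /**
     * As the viewer, an entity-level 'delete' permission on the book must unlock the
     * delete pages of the book, its pages and its chapters that the role alone does not allow.
     */
    public function test_book_delete_restriction_override()
    {
        $book = \BookStack\Book::first();
        $bookPage = $book->pages->first();
        $bookChapter = $book->chapters->first();

        $bookUrl = $book->getUrl();
        $this->actingAs($this->viewer)
            ->visit($bookUrl . '/delete')
            ->dontSee('Delete Book');

        $this->setEntityRestrictions($book, ['view', 'update']);

        $this->assertPermissionDenied($bookUrl . '/delete');
        $this->assertPermissionDenied($bookPage->getUrl() . '/delete');
        $this->assertPermissionDenied($bookChapter->getUrl() . '/delete');

        $this->setEntityRestrictions($book, ['view', 'delete']);

        $this->visit($bookUrl . '/delete')
            ->seePageIs($bookUrl . '/delete')->see('Delete Book');
        $this->visit($bookPage->getUrl() . '/delete')
            ->seePageIs($bookPage->getUrl() . '/delete')->see('Delete Page');
        $this->visit($bookChapter->getUrl() . '/delete')
            ->see('Delete Chapter');
    }

    /**
     * A page granted 'view' stays reachable even when its parent book has no
     * permissions at all; the hidden book and chapter names must not leak onto that page.
     */
    public function test_page_visible_if_has_permissions_when_book_not_visible()
    {
        $book = \BookStack\Book::first();
        $bookChapter = $book->chapters->first();
        $bookPage = $bookChapter->pages->first();

        $this->setEntityRestrictions($book, []);
        $this->setEntityRestrictions($bookPage, ['view']);

        $this->actingAs($this->viewer);
        $this->get($bookPage->getUrl());
        $this->assertResponseOk();
        $this->see($bookPage->name);
        // Only a prefix of each name is checked so a long name wrapped by the layout still matches.
        $this->dontSee(substr($book->name, 0, 15));
        $this->dontSee(substr($bookChapter->name, 0, 15));
    }

}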