BookStack Code Mirror - bookstack/blob - app/Services/PermissionService.php

1 <?php namespace BookStack\Services;

3 use BookStack\Book;

4 use BookStack\Chapter;

5 use BookStack\Entity;

6 use BookStack\EntityPermission;

7 use BookStack\JointPermission;

8 use BookStack\Ownable;

9 use BookStack\Page;

10 use BookStack\Role;

11 use BookStack\User;

12 use Illuminate\Database\Connection;

13 use Illuminate\Database\Eloquent\Builder;

14 use Illuminate\Database\Query\Builder as QueryBuilder;

15 use Illuminate\Support\Collection;

17 class PermissionService

18 {

20 protected $currentAction;

21 protected $isAdminUser;

22 protected $userRoles = false;

23 protected $currentUserModel = false;

25 public $book;

26 public $chapter;

27 public $page;

29 protected $db;

31 protected $jointPermission;

32 protected $role;

33 protected $entityPermission;

35 protected $entityCache;

37 /**

38 * PermissionService constructor.

39 * @param JointPermission $jointPermission

40 * @param EntityPermission $entityPermission

41 * @param Connection $db

42 * @param Book $book

43 * @param Chapter $chapter

44 * @param Page $page

45 * @param Role $role

46 */

47 public function __construct(JointPermission $jointPermission, EntityPermission $entityPermission, Connection $db, Book $book, Chapter $chapter, Page $page, Role $role)

48 {

49 $this->db = $db;

50 $this->jointPermission = $jointPermission;

51 $this->entityPermission = $entityPermission;

52 $this->role = $role;

53 $this->book = $book;

54 $this->chapter = $chapter;

55 $this->page = $page;

56 // TODO - Update so admin still goes through filters

57 }

59 /**

60 * Set the database connection

61 * @param Connection $connection

62 */

63 public function setConnection(Connection $connection)

64 {

65 $this->db = $connection;

66 }

68 /**

69 * Prepare the local entity cache and ensure it's empty

70 */

71 protected function readyEntityCache()

72 {

73 $this->entityCache = [

74 'books' => collect(),

75 'chapters' => collect()

76 ];

77 }

79 /**

80 * Get a book via ID, Checks local cache

81 * @param $bookId

82 * @return Book

83 */

84 protected function getBook($bookId)

85 {

86 if (isset($this->entityCache['books']) && $this->entityCache['books']->has($bookId)) {

87 return $this->entityCache['books']->get($bookId);

88 }

90 $book = $this->book->find($bookId);

91 if ($book === null) {

92 $book = false;

93 }

94 if (isset($this->entityCache['books'])) {

95 $this->entityCache['books']->put($bookId, $book);

96 }

98 return $book;

99 }

100

101 /**

102 * Get a chapter via ID, Checks local cache

103 * @param $chapterId

104 * @return Book

105 */

106 protected function getChapter($chapterId)

107 {

108 if (isset($this->entityCache['chapters']) && $this->entityCache['chapters']->has($chapterId)) {

109 return $this->entityCache['chapters']->get($chapterId);

110 }

111

112 $chapter = $this->chapter->find($chapterId);

113 if ($chapter === null) {

114 $chapter = false;

115 }

116 if (isset($this->entityCache['chapters'])) {

117 $this->entityCache['chapters']->put($chapterId, $chapter);

118 }

119

120 return $chapter;

121 }

122

123 /**

124 * Get the roles for the current user;

125 * @return array|bool

126 */

127 protected function getRoles()

128 {

129 if ($this->userRoles !== false) {

130 return $this->userRoles;

131 }

132

133 $roles = [];

134

135 if (auth()->guest()) {

136 $roles[] = $this->role->getSystemRole('public')->id;

137 return $roles;

138 }

139

140

141 foreach ($this->currentUser()->roles as $role) {

142 $roles[] = $role->id;

143 }

144 return $roles;

145 }

146

147 /**

148 * Re-generate all entity permission from scratch.

149 */

150 public function buildJointPermissions()

151 {

152 $this->jointPermission->truncate();

153 $this->readyEntityCache();

154

155 // Get all roles (Should be the most limited dimension)

156 $roles = $this->role->with('permissions')->get()->all();

157

158 // Chunk through all books

159 $this->bookFetchQuery()->chunk(5, function ($books) use ($roles) {

160 $this->buildJointPermissionsForBooks($books, $roles);

161 });

162 }

163

164 /**

165 * Get a query for fetching a book with it's children.

166 * @return QueryBuilder

167 */

168 protected function bookFetchQuery()

169 {

170 return $this->book->newQuery()->select(['id', 'restricted', 'created_by'])->with(['chapters' => function ($query) {

171 $query->select(['id', 'restricted', 'created_by', 'book_id']);

172 }, 'pages' => function ($query) {

173 $query->select(['id', 'restricted', 'created_by', 'book_id', 'chapter_id']);

174 }]);

175 }

176

177 /**

178 * Build joint permissions for an array of books

179 * @param Collection $books

180 * @param array $roles

181 * @param bool $deleteOld

182 */

183 protected function buildJointPermissionsForBooks($books, $roles, $deleteOld = false)

184 {

185 $entities = clone $books;

186

187 /** @var Book $book */

188 foreach ($books->all() as $book) {

189 foreach ($book->getRelation('chapters') as $chapter) {

190 $entities->push($chapter);

191 }

192 foreach ($book->getRelation('pages') as $page) {

193 $entities->push($page);

194 }

195 }

196

197 if ($deleteOld) {

198 $this->deleteManyJointPermissionsForEntities($entities->all());

199 }

200 $this->createManyJointPermissions($entities, $roles);

201 }

202

203 /**

204 * Rebuild the entity jointPermissions for a particular entity.

205 * @param Entity $entity

206 */

207 public function buildJointPermissionsForEntity(Entity $entity)

208 {

209 $entities = [$entity];

210 if ($entity->isA('book')) {

211 $books = $this->bookFetchQuery()->where('id', '=', $entity->id)->get();

212 $this->buildJointPermissionsForBooks($books, $this->role->newQuery()->get(), true);

213 return;

214 }

215

216 $entities[] = $entity->book;

217

218 if ($entity->isA('page') && $entity->chapter_id) {

219 $entities[] = $entity->chapter;

220 }

221

222 if ($entity->isA('chapter')) {

223 foreach ($entity->pages as $page) {

224 $entities[] = $page;

225 }

226 }

227

228 $this->deleteManyJointPermissionsForEntities($entities);

229 $this->buildJointPermissionsForEntities(collect($entities));

230 }

231

232 /**

233 * Rebuild the entity jointPermissions for a collection of entities.

234 * @param Collection $entities

235 */

236 public function buildJointPermissionsForEntities(Collection $entities)

237 {

238 $roles = $this->role->newQuery()->get();

239 $this->deleteManyJointPermissionsForEntities($entities->all());

240 $this->createManyJointPermissions($entities, $roles);

241 }

242

243 /**

244 * Build the entity jointPermissions for a particular role.

245 * @param Role $role

246 */

247 public function buildJointPermissionForRole(Role $role)

248 {

249 $roles = [$role];

250 $this->deleteManyJointPermissionsForRoles($roles);

251

252 // Chunk through all books

253 $this->bookFetchQuery()->chunk(5, function ($books) use ($roles) {

254 $this->buildJointPermissionsForBooks($books, $roles);

255 });

256 }

257

258 /**

259 * Delete the entity jointPermissions attached to a particular role.

260 * @param Role $role

261 */

262 public function deleteJointPermissionsForRole(Role $role)

263 {

264 $this->deleteManyJointPermissionsForRoles([$role]);

265 }

266

267 /**

268 * Delete all of the entity jointPermissions for a list of entities.

269 * @param Role[] $roles

270 */

271 protected function deleteManyJointPermissionsForRoles($roles)

272 {

273 $roleIds = array_map(function ($role) {

274 return $role->id;

275 }, $roles);

276 $this->jointPermission->newQuery()->whereIn('role_id', $roleIds)->delete();

277 }

278

279 /**

280 * Delete the entity jointPermissions for a particular entity.

281 * @param Entity $entity

282 */

283 public function deleteJointPermissionsForEntity(Entity $entity)

284 {

285 $this->deleteManyJointPermissionsForEntities([$entity]);

286 }

287

288 /**

289 * Delete all of the entity jointPermissions for a list of entities.

290 * @param Entity[] $entities

291 */

292 protected function deleteManyJointPermissionsForEntities($entities)

293 {

294 if (count($entities) === 0) {

295 return;

296 }

297

298 $this->db->transaction(function () use ($entities) {

299

300 foreach (array_chunk($entities, 1000) as $entityChunk) {

301 $query = $this->db->table('joint_permissions');

302 foreach ($entityChunk as $entity) {

303 $query->orWhere(function (QueryBuilder $query) use ($entity) {

304 $query->where('entity_id', '=', $entity->id)

305 ->where('entity_type', '=', $entity->getMorphClass());

306 });

307 }

308 $query->delete();

309 }

310 });

311 }

312

313 /**

314 * Create & Save entity jointPermissions for many entities and jointPermissions.

315 * @param Collection $entities

316 * @param array $roles

317 */

318 protected function createManyJointPermissions($entities, $roles)

319 {

320 $this->readyEntityCache();

321 $jointPermissions = [];

322

323 // Fetch Entity Permissions and create a mapping of entity restricted statuses

324 $entityRestrictedMap = [];

325 $permissionFetch = $this->entityPermission->newQuery();

326 foreach ($entities as $entity) {

327 $entityRestrictedMap[$entity->getMorphClass() . ':' . $entity->id] = boolval($entity->getRawAttribute('restricted'));

328 $permissionFetch->orWhere(function ($query) use ($entity) {

329 $query->where('restrictable_id', '=', $entity->id)->where('restrictable_type', '=', $entity->getMorphClass());

330 });

331 }

332 $permissions = $permissionFetch->get();

333

334 // Create a mapping of explicit entity permissions

335 $permissionMap = [];

336 foreach ($permissions as $permission) {

337 $key = $permission->restrictable_type . ':' . $permission->restrictable_id . ':' . $permission->role_id . ':' . $permission->action;

338 $isRestricted = $entityRestrictedMap[$permission->restrictable_type . ':' . $permission->restrictable_id];

339 $permissionMap[$key] = $isRestricted;

340 }

341

342 // Create a mapping of role permissions

343 $rolePermissionMap = [];

344 foreach ($roles as $role) {

345 foreach ($role->getRelationValue('permissions') as $permission) {

346 $rolePermissionMap[$role->getRawAttribute('id') . ':' . $permission->getRawAttribute('name')] = true;

347 }

348 }

349

350 // Create Joint Permission Data

351 foreach ($entities as $entity) {

352 foreach ($roles as $role) {

353 foreach ($this->getActions($entity) as $action) {

354 $jointPermissions[] = $this->createJointPermissionData($entity, $role, $action, $permissionMap, $rolePermissionMap);

355 }

356 }

357 }

358

359 $this->db->transaction(function () use ($jointPermissions) {

360 foreach (array_chunk($jointPermissions, 1000) as $jointPermissionChunk) {

361 $this->db->table('joint_permissions')->insert($jointPermissionChunk);

362 }

363 });

364 }

365

366

367 /**

368 * Get the actions related to an entity.

369 * @param Entity $entity

370 * @return array

371 */

372 protected function getActions(Entity $entity)

373 {

374 $baseActions = ['view', 'update', 'delete'];

375 if ($entity->isA('chapter') || $entity->isA('book')) {

376 $baseActions[] = 'page-create';

377 }

378 if ($entity->isA('book')) {

379 $baseActions[] = 'chapter-create';

380 }

381 return $baseActions;

382 }

383

384 /**

385 * Create entity permission data for an entity and role

386 * for a particular action.

387 * @param Entity $entity

388 * @param Role $role

389 * @param string $action

390 * @param array $permissionMap

391 * @param array $rolePermissionMap

392 * @return array

393 */

394 protected function createJointPermissionData(Entity $entity, Role $role, $action, $permissionMap, $rolePermissionMap)

395 {

396 $permissionPrefix = (strpos($action, '-') === false ? ($entity->getType() . '-') : '') . $action;

397 $roleHasPermission = isset($rolePermissionMap[$role->getRawAttribute('id') . ':' . $permissionPrefix . '-all']);

398 $roleHasPermissionOwn = isset($rolePermissionMap[$role->getRawAttribute('id') . ':' . $permissionPrefix . '-own']);

399 $explodedAction = explode('-', $action);

400 $restrictionAction = end($explodedAction);

401

402 if ($role->system_name === 'admin') {

403 return $this->createJointPermissionDataArray($entity, $role, $action, true, true);

404 }

405

406 if ($entity->restricted) {

407 $hasAccess = $this->mapHasActiveRestriction($permissionMap, $entity, $role, $restrictionAction);

408 return $this->createJointPermissionDataArray($entity, $role, $action, $hasAccess, $hasAccess);

409 }

410

411 if ($entity->isA('book')) {

412 return $this->createJointPermissionDataArray($entity, $role, $action, $roleHasPermission, $roleHasPermissionOwn);

413 }

414

415 // For chapters and pages, Check if explicit permissions are set on the Book.

416 $book = $this->getBook($entity->book_id);

417 $hasExplicitAccessToParents = $this->mapHasActiveRestriction($permissionMap, $book, $role, $restrictionAction);

418 $hasPermissiveAccessToParents = !$book->restricted;

419

420 // For pages with a chapter, Check if explicit permissions are set on the Chapter

421 if ($entity->isA('page') && $entity->chapter_id !== 0 && $entity->chapter_id !== '0') {

422 $chapter = $this->getChapter($entity->chapter_id);

423 $hasPermissiveAccessToParents = $hasPermissiveAccessToParents && !$chapter->restricted;

424 if ($chapter->restricted) {

425 $hasExplicitAccessToParents = $this->mapHasActiveRestriction($permissionMap, $chapter, $role, $restrictionAction);

426 }

427 }

428

429 return $this->createJointPermissionDataArray(

430 $entity,

431 $role,

432 $action,

433 ($hasExplicitAccessToParents || ($roleHasPermission && $hasPermissiveAccessToParents)),

434 ($hasExplicitAccessToParents || ($roleHasPermissionOwn && $hasPermissiveAccessToParents))

435 );

436 }

437

438 /**

439 * Check for an active restriction in an entity map.

440 * @param $entityMap

441 * @param Entity $entity

442 * @param Role $role

443 * @param $action

444 * @return bool

445 */

446 protected function mapHasActiveRestriction($entityMap, Entity $entity, Role $role, $action)

447 {

448 $key = $entity->getMorphClass() . ':' . $entity->getRawAttribute('id') . ':' . $role->getRawAttribute('id') . ':' . $action;

449 return isset($entityMap[$key]) ? $entityMap[$key] : false;

450 }

451

452 /**

453 * Create an array of data with the information of an entity jointPermissions.

454 * Used to build data for bulk insertion.

455 * @param Entity $entity

456 * @param Role $role

457 * @param $action

458 * @param $permissionAll

459 * @param $permissionOwn

460 * @return array

461 */

462 protected function createJointPermissionDataArray(Entity $entity, Role $role, $action, $permissionAll, $permissionOwn)

463 {

464 return [

465 'role_id' => $role->getRawAttribute('id'),

466 'entity_id' => $entity->getRawAttribute('id'),

467 'entity_type' => $entity->getMorphClass(),

468 'action' => $action,

469 'has_permission' => $permissionAll,

470 'has_permission_own' => $permissionOwn,

471 'created_by' => $entity->getRawAttribute('created_by')

472 ];

473 }

474

475 /**

476 * Checks if an entity has a restriction set upon it.

477 * @param Ownable $ownable

478 * @param $permission

479 * @return bool

480 */

481 public function checkOwnableUserAccess(Ownable $ownable, $permission)

482 {

483 if ($this->isAdmin()) {

484 $this->clean();

485 return true;

486 }

487

488 $explodedPermission = explode('-', $permission);

489

490 $baseQuery = $ownable->where('id', '=', $ownable->id);

491 $action = end($explodedPermission);

492 $this->currentAction = $action;

493

494 $nonJointPermissions = ['restrictions', 'image', 'attachment', 'comment'];

495

496 // Handle non entity specific jointPermissions

497 if (in_array($explodedPermission[0], $nonJointPermissions)) {

498 $allPermission = $this->currentUser() && $this->currentUser()->can($permission . '-all');

499 $ownPermission = $this->currentUser() && $this->currentUser()->can($permission . '-own');

500 $this->currentAction = 'view';

501 $isOwner = $this->currentUser() && $this->currentUser()->id === $ownable->created_by;

502 return ($allPermission || ($isOwner && $ownPermission));

503 }

504

505 // Handle abnormal create jointPermissions

506 if ($action === 'create') {

507 $this->currentAction = $permission;

508 }

509

510 $q = $this->entityRestrictionQuery($baseQuery)->count() > 0;

511 $this->clean();

512 return $q;

513 }

514

515 /**

516 * Check if an entity has restrictions set on itself or its

517 * parent tree.

518 * @param Entity $entity

519 * @param $action

520 * @return bool|mixed

521 */

522 public function checkIfRestrictionsSet(Entity $entity, $action)

523 {

524 $this->currentAction = $action;

525 if ($entity->isA('page')) {

526 return $entity->restricted || ($entity->chapter && $entity->chapter->restricted) || $entity->book->restricted;

527 } elseif ($entity->isA('chapter')) {

528 return $entity->restricted || $entity->book->restricted;

529 } elseif ($entity->isA('book')) {

530 return $entity->restricted;

531 }

532 }

533

534 /**

535 * The general query filter to remove all entities

536 * that the current user does not have access to.

537 * @param $query

538 * @return mixed

539 */

540 protected function entityRestrictionQuery($query)

541 {

542 $q = $query->where(function ($parentQuery) {

543 $parentQuery->whereHas('jointPermissions', function ($permissionQuery) {

544 $permissionQuery->whereIn('role_id', $this->getRoles())

545 ->where('action', '=', $this->currentAction)

546 ->where(function ($query) {

547 $query->where('has_permission', '=', true)

548 ->orWhere(function ($query) {

549 $query->where('has_permission_own', '=', true)

550 ->where('created_by', '=', $this->currentUser()->id);

551 });

552 });

553 });

554 });

555 $this->clean();

556 return $q;

557 }

558

559 /**

560 * Get the children of a book in an efficient single query, Filtered by the permission system.

561 * @param integer $book_id

562 * @param bool $filterDrafts

563 * @param bool $fetchPageContent

564 * @return QueryBuilder

565 */

566 public function bookChildrenQuery($book_id, $filterDrafts = false, $fetchPageContent = false)

567 {

568 $pageSelect = $this->db->table('pages')->selectRaw($this->page->entityRawQuery($fetchPageContent))->where('book_id', '=', $book_id)->where(function ($query) use ($filterDrafts) {

569 $query->where('draft', '=', 0);

570 if (!$filterDrafts) {

571 $query->orWhere(function ($query) {

572 $query->where('draft', '=', 1)->where('created_by', '=', $this->currentUser()->id);

573 });

574 }

575 });

576 $chapterSelect = $this->db->table('chapters')->selectRaw($this->chapter->entityRawQuery())->where('book_id', '=', $book_id);

577 $query = $this->db->query()->select('*')->from($this->db->raw("({$pageSelect->toSql()} UNION {$chapterSelect->toSql()}) AS U"))

578 ->mergeBindings($pageSelect)->mergeBindings($chapterSelect);

579

580 if (!$this->isAdmin()) {

581 $whereQuery = $this->db->table('joint_permissions as jp')->selectRaw('COUNT(*)')

582 ->whereRaw('jp.entity_id=U.id')->whereRaw('jp.entity_type=U.entity_type')

583 ->where('jp.action', '=', 'view')->whereIn('jp.role_id', $this->getRoles())

584 ->where(function ($query) {

585 $query->where('jp.has_permission', '=', 1)->orWhere(function ($query) {

586 $query->where('jp.has_permission_own', '=', 1)->where('jp.created_by', '=', $this->currentUser()->id);

587 });

588 });

589 $query->whereRaw("({$whereQuery->toSql()}) > 0")->mergeBindings($whereQuery);

590 }

591

592 $query->orderBy('draft', 'desc')->orderBy('priority', 'asc');

593 $this->clean();

594 return $query;

595 }

596

597 /**

598 * Add restrictions for a generic entity

599 * @param string $entityType

600 * @param Builder|Entity $query

601 * @param string $action

602 * @return Builder

603 */

604 public function enforceEntityRestrictions($entityType, $query, $action = 'view')

605 {

606 if (strtolower($entityType) === 'page') {

607 // Prevent drafts being visible to others.

608 $query = $query->where(function ($query) {

609 $query->where('draft', '=', false);

610 if ($this->currentUser()) {

611 $query->orWhere(function ($query) {

612 $query->where('draft', '=', true)->where('created_by', '=', $this->currentUser()->id);

613 });

614 }

615 });

616 }

617

618 if ($this->isAdmin()) {

619 $this->clean();

620 return $query;

621 }

622

623 $this->currentAction = $action;

624 return $this->entityRestrictionQuery($query);

625 }

626

627 /**

628 * Filter items that have entities set as a polymorphic relation.

629 * @param $query

630 * @param string $tableName

631 * @param string $entityIdColumn

632 * @param string $entityTypeColumn

633 * @return mixed

634 */

635 public function filterRestrictedEntityRelations($query, $tableName, $entityIdColumn, $entityTypeColumn)

636 {

637 if ($this->isAdmin()) {

638 $this->clean();

639 return $query;

640 }

641

642 $this->currentAction = 'view';

643 $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn, 'entityTypeColumn' => $entityTypeColumn];

644

645 $q = $query->where(function ($query) use ($tableDetails) {

646 $query->whereExists(function ($permissionQuery) use (&$tableDetails) {

647 $permissionQuery->select('id')->from('joint_permissions')

648 ->whereRaw('joint_permissions.entity_id=' . $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])

649 ->whereRaw('joint_permissions.entity_type=' . $tableDetails['tableName'] . '.' . $tableDetails['entityTypeColumn'])

650 ->where('action', '=', $this->currentAction)

651 ->whereIn('role_id', $this->getRoles())

652 ->where(function ($query) {

653 $query->where('has_permission', '=', true)->orWhere(function ($query) {

654 $query->where('has_permission_own', '=', true)

655 ->where('created_by', '=', $this->currentUser()->id);

656 });

657 });

658 });

659 });

660 $this->clean();

661 return $q;

662 }

663

664 /**

665 * Filters pages that are a direct relation to another item.

666 * @param $query

667 * @param $tableName

668 * @param $entityIdColumn

669 * @return mixed

670 */

671 public function filterRelatedPages($query, $tableName, $entityIdColumn)

672 {

673 if ($this->isAdmin()) {

674 $this->clean();

675 return $query;

676 }

677

678 $this->currentAction = 'view';

679 $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn];

680

681 $q = $query->where(function ($query) use ($tableDetails) {

682 $query->where(function ($query) use (&$tableDetails) {

683 $query->whereExists(function ($permissionQuery) use (&$tableDetails) {

684 $permissionQuery->select('id')->from('joint_permissions')

685 ->whereRaw('joint_permissions.entity_id=' . $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])

686 ->where('entity_type', '=', 'Bookstack\\Page')

687 ->where('action', '=', $this->currentAction)

688 ->whereIn('role_id', $this->getRoles())

689 ->where(function ($query) {

690 $query->where('has_permission', '=', true)->orWhere(function ($query) {

691 $query->where('has_permission_own', '=', true)

692 ->where('created_by', '=', $this->currentUser()->id);

693 });

694 });

695 });

696 })->orWhere($tableDetails['entityIdColumn'], '=', 0);

697 });

698 $this->clean();

699 return $q;

700 }

701

702 /**

703 * Check if the current user is an admin.

704 * @return bool

705 */

706 private function isAdmin()

707 {

708 if ($this->isAdminUser === null) {

709 $this->isAdminUser = ($this->currentUser()->id !== null) ? $this->currentUser()->hasSystemRole('admin') : false;

710 }

711

712 return $this->isAdminUser;

713 }

714

715 /**

716 * Get the current user

717 * @return User

718 */

719 private function currentUser()

720 {

721 if ($this->currentUserModel === false) {

722 $this->currentUserModel = user();

723 }

724

725 return $this->currentUserModel;

726 }

727

728 /**

729 * Clean the cached user elements.

730 */

731 private function clean()

732 {

733 $this->currentUserModel = false;

734 $this->userRoles = false;

735 $this->isAdminUser = null;

736 }

737 }