BookStack Code Mirror - bookstack/blob - tests/Permissions/RolesTest.php

1 <?php namespace Tests;

3 use BookStack\Page;

4 use BookStack\Repos\PermissionsRepo;

5 use BookStack\Role;

6 use Laravel\BrowserKitTesting\HttpException;

7 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

9 class RolesTest extends BrowserKitTest

10 {

11 protected $user;

13 public function setUp()

14 {

15 parent::setUp();

16 $this->user = $this->getViewer();

17 }

19 protected function getViewer()

20 {

21 $role = \BookStack\Role::getRole('viewer');

22 $viewer = $this->getNewBlankUser();

23 $viewer->attachRole($role);;

24 return $viewer;

25 }

27 /**

28 * Give the given user some permissions.

29 * @param \BookStack\User $user

30 * @param array $permissions

31 */

32 protected function giveUserPermissions(\BookStack\User $user, $permissions = [])

33 {

34 $newRole = $this->createNewRole($permissions);

35 $user->attachRole($newRole);

36 $user->load('roles');

37 $user->permissions(false);

38 }

40 /**

41 * Create a new basic role for testing purposes.

42 * @param array $permissions

43 * @return Role

44 */

45 protected function createNewRole($permissions = [])

46 {

47 $permissionRepo = app(PermissionsRepo::class);

48 $roleData = factory(\BookStack\Role::class)->make()->toArray();

49 $roleData['permissions'] = array_flip($permissions);

50 return $permissionRepo->saveNewRole($roleData);

51 }

53 public function test_admin_can_see_settings()

54 {

55 $this->asAdmin()->visit('/settings')->see('Settings');

56 }

58 public function test_cannot_delete_admin_role()

59 {

60 $adminRole = \BookStack\Role::getRole('admin');

61 $deletePageUrl = '/settings/roles/delete/' . $adminRole->id;

62 $this->asAdmin()->visit($deletePageUrl)

63 ->press('Confirm')

64 ->seePageIs($deletePageUrl)

65 ->see('cannot be deleted');

66 }

68 public function test_role_cannot_be_deleted_if_default()

69 {

70 $newRole = $this->createNewRole();

71 $this->setSettings(['registration-role' => $newRole->id]);

73 $deletePageUrl = '/settings/roles/delete/' . $newRole->id;

74 $this->asAdmin()->visit($deletePageUrl)

75 ->press('Confirm')

76 ->seePageIs($deletePageUrl)

77 ->see('cannot be deleted');

78 }

80 public function test_role_create_update_delete_flow()

81 {

82 $testRoleName = 'Test Role';

83 $testRoleDesc = 'a little test description';

84 $testRoleUpdateName = 'An Super Updated role';

86 // Creation

87 $this->asAdmin()->visit('/settings')

88 ->click('Roles')

89 ->seePageIs('/settings/roles')

90 ->click('Create New Role')

91 ->type('Test Role', 'display_name')

92 ->type('A little test description', 'description')

93 ->press('Save Role')

94 ->seeInDatabase('roles', ['display_name' => $testRoleName, 'name' => 'test-role', 'description' => $testRoleDesc])

95 ->seePageIs('/settings/roles');

96 // Updating

97 $this->asAdmin()->visit('/settings/roles')

98 ->see($testRoleDesc)

99 ->click($testRoleName)

100 ->type($testRoleUpdateName, '#display_name')

101 ->press('Save Role')

102 ->seeInDatabase('roles', ['display_name' => $testRoleUpdateName, 'name' => 'test-role', 'description' => $testRoleDesc])

103 ->seePageIs('/settings/roles');

104 // Deleting

105 $this->asAdmin()->visit('/settings/roles')

106 ->click($testRoleUpdateName)

107 ->click('Delete Role')

108 ->see($testRoleUpdateName)

109 ->press('Confirm')

110 ->seePageIs('/settings/roles')

111 ->dontSee($testRoleUpdateName);

112 }

113

114 public function test_manage_user_permission()

115 {

116 $this->actingAs($this->user)->visit('/settings/users')

117 ->seePageIs('/');

118 $this->giveUserPermissions($this->user, ['users-manage']);

119 $this->actingAs($this->user)->visit('/settings/users')

120 ->seePageIs('/settings/users');

121 }

122

123 public function test_user_roles_manage_permission()

124 {

125 $this->actingAs($this->user)->visit('/settings/roles')

126 ->seePageIs('/')->visit('/settings/roles/1')->seePageIs('/');

127 $this->giveUserPermissions($this->user, ['user-roles-manage']);

128 $this->actingAs($this->user)->visit('/settings/roles')

129 ->seePageIs('/settings/roles')->click('Admin')

130 ->see('Edit Role');

131 }

132

133 public function test_settings_manage_permission()

134 {

135 $this->actingAs($this->user)->visit('/settings')

136 ->seePageIs('/');

137 $this->giveUserPermissions($this->user, ['settings-manage']);

138 $this->actingAs($this->user)->visit('/settings')

139 ->seePageIs('/settings')->press('Save Settings')->see('Settings Saved');

140 }

141

142 public function test_restrictions_manage_all_permission()

143 {

144 $page = \BookStack\Page::take(1)->get()->first();

145 $this->actingAs($this->user)->visit($page->getUrl())

146 ->dontSee('Permissions')

147 ->visit($page->getUrl() . '/permissions')

148 ->seePageIs('/');

149 $this->giveUserPermissions($this->user, ['restrictions-manage-all']);

150 $this->actingAs($this->user)->visit($page->getUrl())

151 ->see('Permissions')

152 ->click('Permissions')

153 ->see('Page Permissions')->seePageIs($page->getUrl() . '/permissions');

154 }

155

156 public function test_restrictions_manage_own_permission()

157 {

158 $otherUsersPage = \BookStack\Page::first();

159 $content = $this->createEntityChainBelongingToUser($this->user);

160 // Check can't restrict other's content

161 $this->actingAs($this->user)->visit($otherUsersPage->getUrl())

162 ->dontSee('Permissions')

163 ->visit($otherUsersPage->getUrl() . '/permissions')

164 ->seePageIs('/');

165 // Check can't restrict own content

166 $this->actingAs($this->user)->visit($content['page']->getUrl())

167 ->dontSee('Permissions')

168 ->visit($content['page']->getUrl() . '/permissions')

169 ->seePageIs('/');

170

171 $this->giveUserPermissions($this->user, ['restrictions-manage-own']);

172

173 // Check can't restrict other's content

174 $this->actingAs($this->user)->visit($otherUsersPage->getUrl())

175 ->dontSee('Permissions')

176 ->visit($otherUsersPage->getUrl() . '/permissions')

177 ->seePageIs('/');

178 // Check can restrict own content

179 $this->actingAs($this->user)->visit($content['page']->getUrl())

180 ->see('Permissions')

181 ->click('Permissions')

182 ->seePageIs($content['page']->getUrl() . '/permissions');

183 }

184

185 /**

186 * Check a standard entity access permission

187 * @param string $permission

188 * @param array $accessUrls Urls that are only accessible after having the permission

189 * @param array $visibles Check this text, In the buttons toolbar, is only visible with the permission

190 */

191 private function checkAccessPermission($permission, $accessUrls = [], $visibles = [])

192 {

193 foreach ($accessUrls as $url) {

194 $this->actingAs($this->user)->visit($url)

195 ->seePageIs('/');

196 }

197 foreach ($visibles as $url => $text) {

198 $this->actingAs($this->user)->visit($url)

199 ->dontSeeInElement('.action-buttons',$text);

200 }

201

202 $this->giveUserPermissions($this->user, [$permission]);

203

204 foreach ($accessUrls as $url) {

205 $this->actingAs($this->user)->visit($url)

206 ->seePageIs($url);

207 }

208 foreach ($visibles as $url => $text) {

209 $this->actingAs($this->user)->visit($url)

210 ->see($text);

211 }

212 }

213

214 public function test_books_create_all_permissions()

215 {

216 $this->checkAccessPermission('book-create-all', [

217 '/create-book'

218 ], [

219 '/books' => 'Create New Book'

220 ]);

221

222 $this->visit('/create-book')

223 ->type('test book', 'name')

224 ->type('book desc', 'description')

225 ->press('Save Book')

226 ->seePageIs('/books/test-book');

227 }

228

229 public function test_books_edit_own_permission()

230 {

231 $otherBook = \BookStack\Book::take(1)->get()->first();

232 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

233 $this->checkAccessPermission('book-update-own', [

234 $ownBook->getUrl() . '/edit'

235 ], [

236 $ownBook->getUrl() => 'Edit'

237 ]);

238

239 $this->visit($otherBook->getUrl())

240 ->dontSeeInElement('.action-buttons', 'Edit')

241 ->visit($otherBook->getUrl() . '/edit')

242 ->seePageIs('/');

243 }

244

245 public function test_books_edit_all_permission()

246 {

247 $otherBook = \BookStack\Book::take(1)->get()->first();

248 $this->checkAccessPermission('book-update-all', [

249 $otherBook->getUrl() . '/edit'

250 ], [

251 $otherBook->getUrl() => 'Edit'

252 ]);

253 }

254

255 public function test_books_delete_own_permission()

256 {

257 $this->giveUserPermissions($this->user, ['book-update-all']);

258 $otherBook = \BookStack\Book::take(1)->get()->first();

259 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

260 $this->checkAccessPermission('book-delete-own', [

261 $ownBook->getUrl() . '/delete'

262 ], [

263 $ownBook->getUrl() => 'Delete'

264 ]);

265

266 $this->visit($otherBook->getUrl())

267 ->dontSeeInElement('.action-buttons', 'Delete')

268 ->visit($otherBook->getUrl() . '/delete')

269 ->seePageIs('/');

270 $this->visit($ownBook->getUrl())->visit($ownBook->getUrl() . '/delete')

271 ->press('Confirm')

272 ->seePageIs('/books')

273 ->dontSee($ownBook->name);

274 }

275

276 public function test_books_delete_all_permission()

277 {

278 $this->giveUserPermissions($this->user, ['book-update-all']);

279 $otherBook = \BookStack\Book::take(1)->get()->first();

280 $this->checkAccessPermission('book-delete-all', [

281 $otherBook->getUrl() . '/delete'

282 ], [

283 $otherBook->getUrl() => 'Delete'

284 ]);

285

286 $this->visit($otherBook->getUrl())->visit($otherBook->getUrl() . '/delete')

287 ->press('Confirm')

288 ->seePageIs('/books')

289 ->dontSee($otherBook->name);

290 }

291

292 public function test_chapter_create_own_permissions()

293 {

294 $book = \BookStack\Book::take(1)->get()->first();

295 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

296 $this->checkAccessPermission('chapter-create-own', [

297 $ownBook->getUrl('/create-chapter')

298 ], [

299 $ownBook->getUrl() => 'New Chapter'

300 ]);

301

302 $this->visit($ownBook->getUrl('/create-chapter'))

303 ->type('test chapter', 'name')

304 ->type('chapter desc', 'description')

305 ->press('Save Chapter')

306 ->seePageIs($ownBook->getUrl('/chapter/test-chapter'));

307

308 $this->visit($book->getUrl())

309 ->dontSeeInElement('.action-buttons', 'New Chapter')

310 ->visit($book->getUrl('/create-chapter'))

311 ->seePageIs('/');

312 }

313

314 public function test_chapter_create_all_permissions()

315 {

316 $book = \BookStack\Book::take(1)->get()->first();

317 $this->checkAccessPermission('chapter-create-all', [

318 $book->getUrl('/create-chapter')

319 ], [

320 $book->getUrl() => 'New Chapter'

321 ]);

322

323 $this->visit($book->getUrl('/create-chapter'))

324 ->type('test chapter', 'name')

325 ->type('chapter desc', 'description')

326 ->press('Save Chapter')

327 ->seePageIs($book->getUrl('/chapter/test-chapter'));

328 }

329

330 public function test_chapter_edit_own_permission()

331 {

332 $otherChapter = \BookStack\Chapter::take(1)->get()->first();

333 $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

334 $this->checkAccessPermission('chapter-update-own', [

335 $ownChapter->getUrl() . '/edit'

336 ], [

337 $ownChapter->getUrl() => 'Edit'

338 ]);

339

340 $this->visit($otherChapter->getUrl())

341 ->dontSeeInElement('.action-buttons', 'Edit')

342 ->visit($otherChapter->getUrl() . '/edit')

343 ->seePageIs('/');

344 }

345

346 public function test_chapter_edit_all_permission()

347 {

348 $otherChapter = \BookStack\Chapter::take(1)->get()->first();

349 $this->checkAccessPermission('chapter-update-all', [

350 $otherChapter->getUrl() . '/edit'

351 ], [

352 $otherChapter->getUrl() => 'Edit'

353 ]);

354 }

355

356 public function test_chapter_delete_own_permission()

357 {

358 $this->giveUserPermissions($this->user, ['chapter-update-all']);

359 $otherChapter = \BookStack\Chapter::take(1)->get()->first();

360 $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

361 $this->checkAccessPermission('chapter-delete-own', [

362 $ownChapter->getUrl() . '/delete'

363 ], [

364 $ownChapter->getUrl() => 'Delete'

365 ]);

366

367 $bookUrl = $ownChapter->book->getUrl();

368 $this->visit($otherChapter->getUrl())

369 ->dontSeeInElement('.action-buttons', 'Delete')

370 ->visit($otherChapter->getUrl() . '/delete')

371 ->seePageIs('/');

372 $this->visit($ownChapter->getUrl())->visit($ownChapter->getUrl() . '/delete')

373 ->press('Confirm')

374 ->seePageIs($bookUrl)

375 ->dontSeeInElement('.book-content', $ownChapter->name);

376 }

377

378 public function test_chapter_delete_all_permission()

379 {

380 $this->giveUserPermissions($this->user, ['chapter-update-all']);

381 $otherChapter = \BookStack\Chapter::take(1)->get()->first();

382 $this->checkAccessPermission('chapter-delete-all', [

383 $otherChapter->getUrl() . '/delete'

384 ], [

385 $otherChapter->getUrl() => 'Delete'

386 ]);

387

388 $bookUrl = $otherChapter->book->getUrl();

389 $this->visit($otherChapter->getUrl())->visit($otherChapter->getUrl() . '/delete')

390 ->press('Confirm')

391 ->seePageIs($bookUrl)

392 ->dontSeeInElement('.book-content', $otherChapter->name);

393 }

394

395 public function test_page_create_own_permissions()

396 {

397 $book = \BookStack\Book::first();

398 $chapter = \BookStack\Chapter::first();

399

400 $entities = $this->createEntityChainBelongingToUser($this->user);

401 $ownBook = $entities['book'];

402 $ownChapter = $entities['chapter'];

403

404 $createUrl = $ownBook->getUrl('/create-page');

405 $createUrlChapter = $ownChapter->getUrl('/create-page');

406 $accessUrls = [$createUrl, $createUrlChapter];

407

408 foreach ($accessUrls as $url) {

409 $this->actingAs($this->user)->visit($url)

410 ->seePageIs('/');

411 }

412

413 $this->checkAccessPermission('page-create-own', [], [

414 $ownBook->getUrl() => 'New Page',

415 $ownChapter->getUrl() => 'New Page'

416 ]);

417

418 $this->giveUserPermissions($this->user, ['page-create-own']);

419

420 foreach ($accessUrls as $index => $url) {

421 $this->actingAs($this->user)->visit($url);

422 $expectedUrl = \BookStack\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

423 $this->seePageIs($expectedUrl);

424 }

425

426 $this->visit($createUrl)

427 ->type('test page', 'name')

428 ->type('page desc', 'html')

429 ->press('Save Page')

430 ->seePageIs($ownBook->getUrl('/page/test-page'));

431

432 $this->visit($book->getUrl())

433 ->dontSeeInElement('.action-buttons', 'New Page')

434 ->visit($book->getUrl() . '/create-page')

435 ->seePageIs('/');

436 $this->visit($chapter->getUrl())

437 ->dontSeeInElement('.action-buttons', 'New Page')

438 ->visit($chapter->getUrl() . '/create-page')

439 ->seePageIs('/');

440 }

441

442 public function test_page_create_all_permissions()

443 {

444 $book = \BookStack\Book::take(1)->get()->first();

445 $chapter = \BookStack\Chapter::take(1)->get()->first();

446 $baseUrl = $book->getUrl() . '/page';

447 $createUrl = $book->getUrl('/create-page');

448

449 $createUrlChapter = $chapter->getUrl('/create-page');

450 $accessUrls = [$createUrl, $createUrlChapter];

451

452 foreach ($accessUrls as $url) {

453 $this->actingAs($this->user)->visit($url)

454 ->seePageIs('/');

455 }

456

457 $this->checkAccessPermission('page-create-all', [], [

458 $book->getUrl() => 'New Page',

459 $chapter->getUrl() => 'New Page'

460 ]);

461

462 $this->giveUserPermissions($this->user, ['page-create-all']);

463

464 foreach ($accessUrls as $index => $url) {

465 $this->actingAs($this->user)->visit($url);

466 $expectedUrl = \BookStack\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

467 $this->seePageIs($expectedUrl);

468 }

469

470 $this->visit($createUrl)

471 ->type('test page', 'name')

472 ->type('page desc', 'html')

473 ->press('Save Page')

474 ->seePageIs($book->getUrl('/page/test-page'));

475

476 $this->visit($chapter->getUrl('/create-page'))

477 ->type('new test page', 'name')

478 ->type('page desc', 'html')

479 ->press('Save Page')

480 ->seePageIs($book->getUrl('/page/new-test-page'));

481 }

482

483 public function test_page_edit_own_permission()

484 {

485 $otherPage = \BookStack\Page::take(1)->get()->first();

486 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

487 $this->checkAccessPermission('page-update-own', [

488 $ownPage->getUrl() . '/edit'

489 ], [

490 $ownPage->getUrl() => 'Edit'

491 ]);

492

493 $this->visit($otherPage->getUrl())

494 ->dontSeeInElement('.action-buttons', 'Edit')

495 ->visit($otherPage->getUrl() . '/edit')

496 ->seePageIs('/');

497 }

498

499 public function test_page_edit_all_permission()

500 {

501 $otherPage = \BookStack\Page::take(1)->get()->first();

502 $this->checkAccessPermission('page-update-all', [

503 $otherPage->getUrl() . '/edit'

504 ], [

505 $otherPage->getUrl() => 'Edit'

506 ]);

507 }

508

509 public function test_page_delete_own_permission()

510 {

511 $this->giveUserPermissions($this->user, ['page-update-all']);

512 $otherPage = \BookStack\Page::take(1)->get()->first();

513 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

514 $this->checkAccessPermission('page-delete-own', [

515 $ownPage->getUrl() . '/delete'

516 ], [

517 $ownPage->getUrl() => 'Delete'

518 ]);

519

520 $bookUrl = $ownPage->book->getUrl();

521 $this->visit($otherPage->getUrl())

522 ->dontSeeInElement('.action-buttons', 'Delete')

523 ->visit($otherPage->getUrl() . '/delete')

524 ->seePageIs('/');

525 $this->visit($ownPage->getUrl())->visit($ownPage->getUrl() . '/delete')

526 ->press('Confirm')

527 ->seePageIs($bookUrl)

528 ->dontSeeInElement('.book-content', $ownPage->name);

529 }

530

531 public function test_page_delete_all_permission()

532 {

533 $this->giveUserPermissions($this->user, ['page-update-all']);

534 $otherPage = \BookStack\Page::take(1)->get()->first();

535 $this->checkAccessPermission('page-delete-all', [

536 $otherPage->getUrl() . '/delete'

537 ], [

538 $otherPage->getUrl() => 'Delete'

539 ]);

540

541 $bookUrl = $otherPage->book->getUrl();

542 $this->visit($otherPage->getUrl())->visit($otherPage->getUrl() . '/delete')

543 ->press('Confirm')

544 ->seePageIs($bookUrl)

545 ->dontSeeInElement('.book-content', $otherPage->name);

546 }

547

548 public function test_public_role_visible_in_user_edit_screen()

549 {

550 $user = \BookStack\User::first();

551 $this->asAdmin()->visit('/settings/users/' . $user->id)

552 ->seeElement('#roles-admin')

553 ->seeElement('#roles-public');

554 }

555

556 public function test_public_role_visible_in_role_listing()

557 {

558 $this->asAdmin()->visit('/settings/roles')

559 ->see('Admin')

560 ->see('Public');

561 }

562

563 public function test_public_role_visible_in_default_role_setting()

564 {

565 $this->asAdmin()->visit('/settings')

566 ->seeElement('[data-role-name="admin"]')

567 ->seeElement('[data-role-name="public"]');

568

569 }

570

571 public function test_public_role_not_deleteable()

572 {

573 $this->asAdmin()->visit('/settings/roles')

574 ->click('Public')

575 ->see('Edit Role')

576 ->click('Delete Role')

577 ->press('Confirm')

578 ->see('Delete Role')

579 ->see('Cannot be deleted');

580 }

581

582 public function test_image_delete_own_permission()

583 {

584 $this->giveUserPermissions($this->user, ['image-update-all']);

585 $page = \BookStack\Page::first();

586 $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $this->user->id, 'updated_by' => $this->user->id]);

587

588 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

589 ->seeStatusCode(403);

590

591 $this->giveUserPermissions($this->user, ['image-delete-own']);

592

593 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

594 ->seeStatusCode(200)

595 ->dontSeeInDatabase('images', ['id' => $image->id]);

596 }

597

598 public function test_image_delete_all_permission()

599 {

600 $this->giveUserPermissions($this->user, ['image-update-all']);

601 $admin = $this->getAdmin();

602 $page = \BookStack\Page::first();

603 $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);

604

605 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

606 ->seeStatusCode(403);

607

608 $this->giveUserPermissions($this->user, ['image-delete-own']);

609

610 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

611 ->seeStatusCode(403);

612

613 $this->giveUserPermissions($this->user, ['image-delete-all']);

614

615 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

616 ->seeStatusCode(200)

617 ->dontSeeInDatabase('images', ['id' => $image->id]);

618 }

619

620 public function test_role_permission_removal()

621 {

622 // To cover issue fixed in f99c8ff99aee9beb8c692f36d4b84dc6e651e50a.

623 $page = Page::first();

624 $viewerRole = \BookStack\Role::getRole('viewer');

625 $viewer = $this->getViewer();

626 $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(200);

627

628 $this->asAdmin()->put('/settings/roles/' . $viewerRole->id, [

629 'display_name' => $viewerRole->display_name,

630 'description' => $viewerRole->description,

631 'permission' => []

632 ])->assertResponseStatus(302);

633

634 $this->expectException(HttpException::class);

635 $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(404);

636 }

637

638 public function test_empty_state_actions_not_visible_without_permission()

639 {

640 $admin = $this->getAdmin();

641 // Book links

642 $book = factory(\BookStack\Book::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id]);

643 $this->updateEntityPermissions($book);

644 $this->actingAs($this->getViewer())->visit($book->getUrl())

645 ->dontSee('Create a new page')

646 ->dontSee('Add a chapter');

647

648 // Chapter links

649 $chapter = factory(\BookStack\Chapter::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id, 'book_id' => $book->id]);

650 $this->updateEntityPermissions($chapter);

651 $this->actingAs($this->getViewer())->visit($chapter->getUrl())

652 ->dontSee('Create a new page')

653 ->dontSee('Sort the current book');

654 }

655

656 public function test_comment_create_permission () {

657 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

658

659 $this->actingAs($this->user)->addComment($ownPage);

660

661 $this->assertResponseStatus(403);

662

663 $this->giveUserPermissions($this->user, ['comment-create-all']);

664

665 $this->actingAs($this->user)->addComment($ownPage);

666 $this->assertResponseStatus(200);

667 }

668

669

670 public function test_comment_update_own_permission () {

671 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

672 $this->giveUserPermissions($this->user, ['comment-create-all']);

673 $commentId = $this->actingAs($this->user)->addComment($ownPage);

674

675 // no comment-update-own

676 $this->actingAs($this->user)->updateComment($commentId);

677 $this->assertResponseStatus(403);

678

679 $this->giveUserPermissions($this->user, ['comment-update-own']);

680

681 // now has comment-update-own

682 $this->actingAs($this->user)->updateComment($commentId);

683 $this->assertResponseStatus(200);

684 }

685

686 public function test_comment_update_all_permission () {

687 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

688 $commentId = $this->asAdmin()->addComment($ownPage);

689

690 // no comment-update-all

691 $this->actingAs($this->user)->updateComment($commentId);

692 $this->assertResponseStatus(403);

693

694 $this->giveUserPermissions($this->user, ['comment-update-all']);

695

696 // now has comment-update-all

697 $this->actingAs($this->user)->updateComment($commentId);

698 $this->assertResponseStatus(200);

699 }

700

701 public function test_comment_delete_own_permission () {

702 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

703 $this->giveUserPermissions($this->user, ['comment-create-all']);

704 $commentId = $this->actingAs($this->user)->addComment($ownPage);

705

706 // no comment-delete-own

707 $this->actingAs($this->user)->deleteComment($commentId);

708 $this->assertResponseStatus(403);

709

710 $this->giveUserPermissions($this->user, ['comment-delete-own']);

711

712 // now has comment-update-own

713 $this->actingAs($this->user)->deleteComment($commentId);

714 $this->assertResponseStatus(200);

715 }

716

717 public function test_comment_delete_all_permission () {

718 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

719 $commentId = $this->asAdmin()->addComment($ownPage);

720

721 // no comment-delete-all

722 $this->actingAs($this->user)->deleteComment($commentId);

723 $this->assertResponseStatus(403);

724

725 $this->giveUserPermissions($this->user, ['comment-delete-all']);

726

727 // now has comment-delete-all

728 $this->actingAs($this->user)->deleteComment($commentId);

729 $this->assertResponseStatus(200);

730 }

731

732 private function addComment($page) {

733 $comment = factory(\BookStack\Comment::class)->make();

734 $url = "/ajax/page/$page->id/comment";

735 $request = [

736 'text' => $comment->text,

737 'html' => $comment->html

738 ];

739

740 $this->postJson($url, $request);

741 $comment = $page->comments()->first();

742 return $comment === null ? null : $comment->id;

743 }

744

745 private function updateComment($commentId) {

746 $comment = factory(\BookStack\Comment::class)->make();

747 $url = "/ajax/comment/$commentId";

748 $request = [

749 'text' => $comment->text,

750 'html' => $comment->html

751 ];

752

753 return $this->putJson($url, $request);

754 }

755

756 private function deleteComment($commentId) {

757 $url = '/ajax/comment/' . $commentId;

758 return $this->json('DELETE', $url);

759 }

760

761 }