use BookStack\Traits\HasOwner;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Query\Builder as QueryBuilder;
+use Illuminate\Database\Query\JoinClause;
+use Illuminate\Support\Facades\DB;
use InvalidArgumentException;
class PermissionApplicator
*/
public function restrictEntityQuery(Builder $query, string $morphClass): Builder
{
- $this->getCurrentUserRoleIds();
- $this->currentUser()->id;
+ $this->applyPermissionsToQuery($query, $query->getModel()->getTable(), $morphClass, 'id', '');
- $userViewAll = userCan($morphClass . '-view-all');
- $userViewOwn = userCan($morphClass . '-view-own');
+ return $query;
+ }
- // TODO - Leave this as the new admin workaround?
- // Or auto generate collapsed role permissions for admins?
- if (\user()->hasSystemRole('admin')) {
- return $query;
+ /**
+ * @param Builder|QueryBuilder $query
+ */
+ protected function applyPermissionsToQuery($query, string $queryTable, string $entityTypeLimiter, string $entityIdColumn, string $entityTypeColumn): void
+ {
+ if ($this->currentUser()->hasSystemRole('admin')) {
+ return;
}
- // Fallback permission join
- $query->joinSub(function (QueryBuilder $joinQuery) use ($morphClass) {
- $joinQuery->select(['entity_id'])->selectRaw('max(view) as perms_fallback')
- ->from('entity_permissions_collapsed')
- ->where('entity_type', '=', $morphClass)
- ->whereNull(['role_id', 'user_id'])
- ->groupBy('entity_id');
- }, 'p_f', 'id', '=', 'p_f.entity_id', 'left');
-
- // Role permission join
- $query->joinSub(function (QueryBuilder $joinQuery) use ($morphClass) {
- $joinQuery->select(['entity_id'])->selectRaw('max(view) as perms_role')
- ->from('entity_permissions_collapsed')
- ->where('entity_type', '=', $morphClass)
- ->whereIn('role_id', $this->getCurrentUserRoleIds())
- ->groupBy('entity_id');
- }, 'p_r', 'id', '=', 'p_r.entity_id', 'left');
-
- // User permission join
- $query->joinSub(function (QueryBuilder $joinQuery) use ($morphClass) {
- $joinQuery->select(['entity_id'])->selectRaw('max(view) as perms_user')
- ->from('entity_permissions_collapsed')
- ->where('entity_type', '=', $morphClass)
- ->where('user_id', '=', $this->currentUser()->id)
- ->groupBy('entity_id');
- }, 'p_u', 'id', '=', 'p_u.entity_id', 'left');
-
- // Where permissions apply
- $query->where(function (Builder $query) use ($userViewOwn, $userViewAll) {
+ $this->applyFallbackJoin($query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
+ $this->applyRoleJoin($query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
+ $this->applyUserJoin($query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
+ $this->applyPermissionWhereFilter($query, $queryTable, $entityTypeLimiter, $entityTypeColumn);
+ }
+
+ /**
+ * Apply the where condition to a permission restricting query, to limit based upon the values of the joined
+ * permission data. Query must have joins pre-applied.
+ * Either entityTypeLimiter or entityTypeColumn should be supplied, with the other empty.
+ * Both should not be applied since that would conflict upon intent.
+ * @param Builder|QueryBuilder $query
+ */
+ protected function applyPermissionWhereFilter($query, string $queryTable, string $entityTypeLimiter, string $entityTypeColumn)
+ {
+ $abilities = ['all' => [], 'own' => []];
+ $types = $entityTypeLimiter ? [$entityTypeLimiter] : ['page', 'chapter', 'bookshelf', 'book'];
+ $fullEntityTypeColumn = $queryTable . '.' . $entityTypeColumn;
+ foreach ($types as $type) {
+ $abilities['all'][$type] = userCan($type . '-view-all');
+ $abilities['own'][$type] = userCan($type . '-view-own');
+ }
+
+ $abilities['all'] = array_filter($abilities['all']);
+ $abilities['own'] = array_filter($abilities['own']);
+
+ $query->where(function (Builder $query) use ($abilities, $fullEntityTypeColumn, $entityTypeColumn) {
$query->where('perms_user', '=', 1)
->orWhere(function (Builder $query) {
$query->whereNull('perms_user')->where('perms_role', '=', 1);
->where('perms_fallback', '=', 1);
});
- if ($userViewAll) {
- $query->orWhere(function (Builder $query) {
+ if (count($abilities['all']) > 0) {
+ $query->orWhere(function (Builder $query) use ($abilities, $fullEntityTypeColumn, $entityTypeColumn) {
$query->whereNull(['perms_user', 'perms_role', 'perms_fallback']);
+ if ($entityTypeColumn) {
+ $query->whereIn($fullEntityTypeColumn, array_keys($abilities['all']));
+ }
});
- } else if ($userViewOwn) {
- $query->orWhere(function (Builder $query) {
+ }
+
+ if (count($abilities['own']) > 0) {
+ $query->orWhere(function (Builder $query) use ($abilities, $fullEntityTypeColumn, $entityTypeColumn) {
$query->whereNull(['perms_user', 'perms_role', 'perms_fallback'])
->where('owned_by', '=', $this->currentUser()->id);
+ if ($entityTypeColumn) {
+ $query->whereIn($fullEntityTypeColumn, array_keys($abilities['all']));
+ }
});
}
});
+ }
- return $query;
+ /**
+ * @param Builder|QueryBuilder $query
+ */
+ protected function applyPermissionJoin(callable $joinCallable, string $subAlias, $query, string $queryTable, string $entityTypeLimiter, string $entityIdColumn, string $entityTypeColumn)
+ {
+ $joinCondition = $this->getJoinCondition($queryTable, $subAlias, $entityIdColumn, $entityTypeColumn);
+
+ $query->joinSub(function (QueryBuilder $joinQuery) use ($joinCallable, $entityTypeLimiter) {
+ $joinQuery->select(['entity_id', 'entity_type'])->from('entity_permissions_collapsed')
+ ->groupBy('entity_id', 'entity_type');
+ $joinCallable($joinQuery);
+
+ if ($entityTypeLimiter) {
+ $joinQuery->where('entity_type', '=', $entityTypeLimiter);
+ }
+ }, $subAlias, $joinCondition, null, null, 'left');
+ }
+
+ /**
+ * @param Builder|QueryBuilder $query
+ */
+ protected function applyUserJoin($query, string $queryTable, string $entityTypeLimiter, string $entityIdColumn, string $entityTypeColumn)
+ {
+ $this->applyPermissionJoin(function (QueryBuilder $joinQuery) {
+ $joinQuery->selectRaw('max(view) as perms_user')
+ ->where('user_id', '=', $this->currentUser()->id);
+ }, 'p_u', $query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
+ }
+
+
+ /**
+ * @param Builder|QueryBuilder $query
+ */
+ protected function applyRoleJoin($query, string $queryTable, string $entityTypeLimiter, string $entityIdColumn, string $entityTypeColumn)
+ {
+ $this->applyPermissionJoin(function (QueryBuilder $joinQuery) {
+ $joinQuery->selectRaw('max(view) as perms_role')
+ ->whereIn('role_id', $this->getCurrentUserRoleIds());
+ }, 'p_r', $query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
+ }
+
+ /**
+ * @param Builder|QueryBuilder $query
+ */
+ protected function applyFallbackJoin($query, string $queryTable, string $entityTypeLimiter, string $entityIdColumn, string $entityTypeColumn)
+ {
+ $this->applyPermissionJoin(function (QueryBuilder $joinQuery) {
+ $joinQuery->selectRaw('max(view) as perms_fallback')
+ ->whereNull(['role_id', 'user_id']);
+ }, 'p_f', $query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
+ }
+
+ protected function getJoinCondition(string $queryTable, string $joinTableName, string $entityIdColumn, string $entityTypeColumn): callable
+ {
+ return function (JoinClause $join) use ($queryTable, $joinTableName, $entityIdColumn, $entityTypeColumn) {
+ $join->on($queryTable . '.' . $entityIdColumn, '=', $joinTableName . '.entity_id');
+ if ($entityTypeColumn) {
+ $join->on($queryTable . '.' . $entityTypeColumn, '=', $joinTableName . '.entity_type');
+ }
+ };
}
/**
*/
public function restrictEntityRelationQuery($query, string $tableName, string $entityIdColumn, string $entityTypeColumn)
{
- $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn, 'entityTypeColumn' => $entityTypeColumn];
- $pageMorphClass = (new Page())->getMorphClass();
-
- // TODO;
- return $query;
-
- $q = $query->where(function ($query) use ($tableDetails) {
- $query->whereExists(function ($permissionQuery) use ($tableDetails) {
- /** @var Builder $permissionQuery */
- $permissionQuery->select(['role_id'])->from('joint_permissions')
- ->whereColumn('joint_permissions.entity_id', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
- ->whereColumn('joint_permissions.entity_type', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityTypeColumn'])
- ->whereIn('joint_permissions.role_id', $this->getCurrentUserRoleIds())
- ->where(function (QueryBuilder $query) {
- $this->addJointHasPermissionCheck($query, $this->currentUser()->id);
- });
- })->orWhereExists(function ($permissionQuery) use ($tableDetails) {
- /** @var Builder $permissionQuery */
- $permissionQuery->select(['user_id'])->from('joint_user_permissions')
- ->whereColumn('joint_user_permissions.entity_id', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
- ->whereColumn('joint_user_permissions.entity_type', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityTypeColumn'])
- ->where('joint_user_permissions.user_id', '=', $this->currentUser()->id)
- ->where('joint_user_permissions.has_permission', '=', true);
- });
- })->whereNotExists(function ($query) use ($tableDetails) {
- $query->select(['user_id'])->from('joint_user_permissions')
- ->whereColumn('joint_user_permissions.entity_id', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
- ->whereColumn('joint_user_permissions.entity_type', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityTypeColumn'])
- ->where('joint_user_permissions.user_id', '=', $this->currentUser()->id)
- ->where('joint_user_permissions.has_permission', '=', false);
- })->where(function ($query) use ($tableDetails, $pageMorphClass) {
- /** @var Builder $query */
- $query->where($tableDetails['entityTypeColumn'], '!=', $pageMorphClass)
- ->orWhereExists(function (QueryBuilder $query) use ($tableDetails, $pageMorphClass) {
- $query->select('id')->from('pages')
- ->whereColumn('pages.id', '=', $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
- ->where($tableDetails['tableName'] . '.' . $tableDetails['entityTypeColumn'], '=', $pageMorphClass)
- ->where('pages.draft', '=', false);
+ $query->leftJoinSub(function (QueryBuilder $query) {
+ $query->select(['id as entity_id', DB::raw("'page' as entity_type"), 'owned_by', 'deleted_at', 'draft'])->from('pages');
+ $tablesByType = ['page' => 'pages', 'book' => 'books', 'chapter' => 'chapters', 'bookshelf' => 'bookshelves'];
+ foreach ($tablesByType as $type => $table) {
+ $query->unionAll(function (QueryBuilder $query) use ($type, $table) {
+ $query->select(['id as entity_id', DB::raw("'{$type}' as entity_type"), 'owned_by', 'deleted_at', DB::raw('0 as draft')])->from($table);
});
+ }
+ }, 'entities', function (JoinClause $join) use ($tableName, $entityIdColumn, $entityTypeColumn) {
+ $join->on($tableName . '.' . $entityIdColumn, '=', 'entities.entity_id')
+ ->on($tableName . '.' . $entityTypeColumn, '=', 'entities.entity_type');
});
- return $q;
+ $this->applyPermissionsToQuery($query, $tableName, '', $entityIdColumn, $entityTypeColumn);
+ // TODO - Test page draft access (Might allow drafts which should not be seen)
+
+ return $query;
}
/**
*/
public function restrictPageRelationQuery(Builder $query, string $tableName, string $pageIdColumn): Builder
{
- $fullPageIdColumn = $tableName . '.' . $pageIdColumn;
$morphClass = (new Page())->getMorphClass();
- // TODO
+ $this->applyPermissionsToQuery($query, $tableName, $morphClass, $pageIdColumn, '');
+ // TODO - Draft display
+ // TODO - Likely need owned_by entity join workaround as used above
return $query;
-
- $existsQuery = function ($permissionQuery) use ($fullPageIdColumn, $morphClass) {
- /** @var Builder $permissionQuery */
- $permissionQuery->select('joint_permissions.role_id')->from('joint_permissions')
- ->whereColumn('joint_permissions.entity_id', '=', $fullPageIdColumn)
- ->where('joint_permissions.entity_type', '=', $morphClass)
- ->whereIn('joint_permissions.role_id', $this->getCurrentUserRoleIds())
- ->where(function (QueryBuilder $query) {
- $this->addJointHasPermissionCheck($query, $this->currentUser()->id);
- });
- };
-
- $userExistsQuery = function ($hasPermission) use ($fullPageIdColumn, $morphClass) {
- return function ($permissionQuery) use ($fullPageIdColumn, $morphClass) {
- /** @var Builder $permissionQuery */
- $permissionQuery->select('joint_user_permissions.user_id')->from('joint_user_permissions')
- ->whereColumn('joint_user_permissions.entity_id', '=', $fullPageIdColumn)
- ->where('joint_user_permissions.entity_type', '=', $morphClass)
- ->where('joint_user_permissions.user_id', $this->currentUser()->id)
- ->where('has_permission', '=', true);
- };
- };
-
- $q = $query->where(function ($query) use ($existsQuery, $userExistsQuery, $fullPageIdColumn) {
- $query->whereExists($existsQuery)
- ->orWhereExists($userExistsQuery(true))
- ->orWhere($fullPageIdColumn, '=', 0);
- })->whereNotExists($userExistsQuery(false));
-
- // Prevent visibility of non-owned draft pages
- $q->whereExists(function (QueryBuilder $query) use ($fullPageIdColumn) {
- $query->select('id')->from('pages')
- ->whereColumn('pages.id', '=', $fullPageIdColumn)
- ->where(function (QueryBuilder $query) {
- $query->where('pages.draft', '=', false)
- ->orWhere('pages.owned_by', '=', $this->currentUser()->id);
- });
- });
-
- return $q;
- }
-
- /**
- * Add the query for checking the given user id has permission
- * within the join_permissions table.
- *
- * @param QueryBuilder|Builder $query
- */
- protected function addJointHasPermissionCheck($query, int $userIdToCheck)
- {
- $query->where('joint_permissions.has_permission', '=', true)->orWhere(function ($query) use ($userIdToCheck) {
- $query->where('joint_permissions.has_permission_own', '=', true)
- ->where('joint_permissions.owned_by', '=', $userIdToCheck);
- });
}
/**
projects / bookstack / blobdiff