$resp = $this->postJson("/comment/$page->id", $comment->getAttributes());
$resp->assertStatus(200);
- $resp->assertSee($comment->text);
+ $resp->assertSee($comment->html, false);
$pageResp = $this->get($page->getUrl());
- $pageResp->assertSee($comment->text);
+ $pageResp->assertSee($comment->html, false);
$this->assertDatabaseHas('comments', [
'local_id' => 1,
'entity_id' => $page->id,
'entity_type' => Page::newModelInstance()->getMorphClass(),
- 'text' => $comment->text,
+ 'text' => null,
'parent_id' => 2,
]);
$this->assertActivityExists(ActivityType::COMMENT_CREATE);
}
+ public function test_add_comment_stores_content_reference_only_if_format_valid()
+ {
+ $validityByRefs = [
+ 'bkmrk-my-title:4589284922:4-3' => true,
+ 'bkmrk-my-title:4589284922:' => true,
+ 'bkmrk-my-title:4589284922:abc' => false,
+ 'my-title:4589284922:' => false,
+ 'bkmrk-my-title-4589284922:' => false,
+ ];
+
+ $page = $this->entities->page();
+
+ foreach ($validityByRefs as $ref => $valid) {
+ $this->asAdmin()->postJson("/comment/$page->id", [
+ 'html' => '<p>My comment</p>',
+ 'parent_id' => null,
+ 'content_ref' => $ref,
+ ]);
+
+ if ($valid) {
+ $this->assertDatabaseHas('comments', ['entity_id' => $page->id, 'content_ref' => $ref]);
+ } else {
+ $this->assertDatabaseMissing('comments', ['entity_id' => $page->id, 'content_ref' => $ref]);
+ }
+ }
+ }
public function test_comment_edit()
{
$this->postJson("/comment/$page->id", $comment->getAttributes());
$comment = $page->comments()->first();
- $newText = 'updated text content';
+ $newHtml = '<p>updated text content</p>';
$resp = $this->putJson("/comment/$comment->id", [
- 'text' => $newText,
+ 'html' => $newHtml,
]);
$resp->assertStatus(200);
- $resp->assertSee($newText);
- $resp->assertDontSee($comment->text);
+ $resp->assertSee($newHtml, false);
+ $resp->assertDontSee($comment->html, false);
$this->assertDatabaseHas('comments', [
- 'text' => $newText,
+ 'html' => $newHtml,
'entity_id' => $page->id,
]);
$this->assertActivityExists(ActivityType::COMMENT_DELETE);
}
- public function test_comments_converts_markdown_input_to_html()
+ public function test_comment_archive_and_unarchive()
{
+ $this->asAdmin();
$page = $this->entities->page();
- $this->asAdmin()->postJson("/comment/$page->id", [
- 'text' => '# My Title',
+
+ $comment = Comment::factory()->make();
+ $page->comments()->save($comment);
+ $comment->refresh();
+
+ $this->put("/comment/$comment->id/archive");
+
+ $this->assertDatabaseHas('comments', [
+ 'id' => $comment->id,
+ 'archived' => true,
]);
+ $this->assertActivityExists(ActivityType::COMMENT_UPDATE);
+
+ $this->put("/comment/$comment->id/unarchive");
+
$this->assertDatabaseHas('comments', [
- 'entity_id' => $page->id,
- 'entity_type' => $page->getMorphClass(),
- 'text' => '# My Title',
- 'html' => "<h1>My Title</h1>\n",
+ 'id' => $comment->id,
+ 'archived' => false,
]);
- $pageView = $this->get($page->getUrl());
- $pageView->assertSee('<h1>My Title</h1>', false);
+ $this->assertActivityExists(ActivityType::COMMENT_UPDATE);
}
- public function test_html_cannot_be_injected_via_comment_content()
+ public function test_archive_endpoints_require_delete_or_edit_permissions()
{
- $this->asAdmin();
+ $viewer = $this->users->viewer();
$page = $this->entities->page();
- $script = '<script>const a = "script";</script>\n\n# sometextinthecomment';
- $this->postJson("/comment/$page->id", [
- 'text' => $script,
+ $comment = Comment::factory()->make();
+ $page->comments()->save($comment);
+ $comment->refresh();
+
+ $endpoints = ["/comment/$comment->id/archive", "/comment/$comment->id/unarchive"];
+
+ foreach ($endpoints as $endpoint) {
+ $resp = $this->actingAs($viewer)->put($endpoint);
+ $this->assertPermissionError($resp);
+ }
+
+ $this->permissions->grantUserRolePermissions($viewer, ['comment-delete-all']);
+
+ foreach ($endpoints as $endpoint) {
+ $resp = $this->actingAs($viewer)->put($endpoint);
+ $resp->assertOk();
+ }
+
+ $this->permissions->removeUserRolePermissions($viewer, ['comment-delete-all']);
+ $this->permissions->grantUserRolePermissions($viewer, ['comment-update-all']);
+
+ foreach ($endpoints as $endpoint) {
+ $resp = $this->actingAs($viewer)->put($endpoint);
+ $resp->assertOk();
+ }
+ }
+
+ public function test_scripts_cannot_be_injected_via_comment_html()
+ {
+ $page = $this->entities->page();
+
+ $script = '<script>const a = "script";</script><p onclick="1">My lovely comment</p>';
+ $this->asAdmin()->postJson("/comment/$page->id", [
+ 'html' => $script,
]);
$pageView = $this->get($page->getUrl());
$pageView->assertDontSee($script, false);
- $pageView->assertSee('sometextinthecomment');
+ $pageView->assertSee('<p>My lovely comment</p>', false);
$comment = $page->comments()->first();
$this->putJson("/comment/$comment->id", [
- 'text' => $script . 'updated',
+ 'html' => $script . '<p>updated</p>',
]);
$pageView = $this->get($page->getUrl());
$pageView->assertDontSee($script, false);
- $pageView->assertSee('sometextinthecommentupdated');
+ $pageView->assertSee('<p>My lovely comment</p><p>updated</p>');
+ }
+
+ public function test_scripts_are_removed_even_if_already_in_db()
+ {
+ $page = $this->entities->page();
+ Comment::factory()->create([
+ 'html' => '<script>superbadscript</script><p onclick="superbadonclick">scriptincommentest</p>',
+ 'entity_type' => 'page', 'entity_id' => $page
+ ]);
+
+ $resp = $this->asAdmin()->get($page->getUrl());
+ $resp->assertSee('scriptincommentest', false);
+ $resp->assertDontSee('superbadscript', false);
+ $resp->assertDontSee('superbadonclick', false);
+ }
+
+ public function test_comment_html_is_limited()
+ {
+ $page = $this->entities->page();
+ $input = '<h1>Test</h1><p id="abc" href="beans">Content<a href="#cat" data-a="b">a</a><section>Hello</section></p>';
+ $expected = '<p>Content<a href="#cat">a</a></p>';
+
+ $resp = $this->asAdmin()->post("/comment/{$page->id}", ['html' => $input]);
+ $resp->assertOk();
+ $this->assertDatabaseHas('comments', [
+ 'entity_type' => 'page',
+ 'entity_id' => $page->id,
+ 'html' => $expected,
+ ]);
+
+ $comment = $page->comments()->first();
+ $resp = $this->put("/comment/{$comment->id}", ['html' => $input]);
+ $resp->assertOk();
+ $this->assertDatabaseHas('comments', [
+ 'id' => $comment->id,
+ 'html' => $expected,
+ ]);
}
public function test_reply_comments_are_nested()
$this->asAdmin();
$page = $this->entities->page();
- $this->postJson("/comment/$page->id", ['text' => 'My new comment']);
- $this->postJson("/comment/$page->id", ['text' => 'My new comment']);
+ $this->postJson("/comment/$page->id", ['html' => '<p>My new comment</p>']);
+ $this->postJson("/comment/$page->id", ['html' => '<p>My new comment</p>']);
$respHtml = $this->withHtml($this->get($page->getUrl()));
$respHtml->assertElementCount('.comment-branch', 3);
$respHtml->assertElementNotExists('.comment-branch .comment-branch');
$comment = $page->comments()->first();
- $resp = $this->postJson("/comment/$page->id", ['text' => 'My nested comment', 'parent_id' => $comment->local_id]);
+ $resp = $this->postJson("/comment/$page->id", [
+ 'html' => '<p>My nested comment</p>', 'parent_id' => $comment->local_id
+ ]);
$resp->assertStatus(200);
$respHtml = $this->withHtml($this->get($page->getUrl()));
{
$page = $this->entities->page();
- $this->asAdmin()->postJson("/comment/$page->id", ['text' => 'My great comment to see in the editor']);
+ $this->asAdmin()->postJson("/comment/$page->id", ['html' => '<p>My great comment to see in the editor</p>']);
$respHtml = $this->withHtml($this->get($page->getUrl('/edit')));
$respHtml->assertElementContains('.comment-box .content', 'My great comment to see in the editor');
$pageResp = $this->asAdmin()->get($page->getUrl());
$pageResp->assertSee('Wolfeschlegels…');
}
+
+ public function test_comment_editor_js_loaded_with_create_or_edit_permissions()
+ {
+ $editor = $this->users->editor();
+ $page = $this->entities->page();
+
+ $resp = $this->actingAs($editor)->get($page->getUrl());
+ $resp->assertSee('tinymce.min.js?', false);
+ $resp->assertSee('window.editor_translations', false);
+ $resp->assertSee('component="entity-selector"', false);
+
+ $this->permissions->removeUserRolePermissions($editor, ['comment-create-all']);
+ $this->permissions->grantUserRolePermissions($editor, ['comment-update-own']);
+
+ $resp = $this->actingAs($editor)->get($page->getUrl());
+ $resp->assertDontSee('tinymce.min.js?', false);
+ $resp->assertDontSee('window.editor_translations', false);
+ $resp->assertDontSee('component="entity-selector"', false);
+
+ Comment::factory()->create([
+ 'created_by' => $editor->id,
+ 'entity_type' => 'page',
+ 'entity_id' => $page->id,
+ ]);
+
+ $resp = $this->actingAs($editor)->get($page->getUrl());
+ $resp->assertSee('tinymce.min.js?', false);
+ $resp->assertSee('window.editor_translations', false);
+ $resp->assertSee('component="entity-selector"', false);
+ }
+
+ public function test_comment_displays_relative_times()
+ {
+ $page = $this->entities->page();
+ $comment = Comment::factory()->create(['entity_id' => $page->id, 'entity_type' => $page->getMorphClass()]);
+ $comment->created_at = now()->subWeek();
+ $comment->updated_at = now()->subDay();
+ $comment->save();
+
+ $pageResp = $this->asAdmin()->get($page->getUrl());
+ $html = $this->withHtml($pageResp);
+
+ // Create date shows relative time as text to user
+ $html->assertElementContains('.comment-box', 'commented 1 week ago');
+ // Updated indicator has full time as title
+ $html->assertElementContains('.comment-box span[title^="Updated ' . $comment->updated_at->format('Y-m-d') . '"]', 'Updated');
+ }
}
projects / bookstack / blobdiff