Fixed issue where restricted page content in plaintext export
authorDan Brown <redacted>
Fri, 18 Dec 2020 13:56:00 +0000 (13:56 +0000)
committerDan Brown <redacted>
Fri, 18 Dec 2020 13:56:00 +0000 (13:56 +0000)
The content of pages made non-viewable to a user via permissions, within a visible parent, could be seen via the plaintext export option. Before v0.30.6 this would have applied only to scenarios where all pages within the chapter were made non-visible. In v0.30.6 this would make all pages within the chapter visible.

As per #2414

app/Entities/ExportService.php
app/Uploads/ImageRepo.php
tests/Permissions/ExportPermissionsTest.php [new file with mode: 0644]

index f945dfbe4afe1d17246ca7119c6e776c4acf0455..508670c850828265bf7a8dd2b7d94082d7335fcf 100644 (file)
@@ -203,7 +203,7 @@ class ExportService
     {
         $text = $chapter->name . "\n\n";
         $text .= $chapter->description . "\n\n";
-        foreach ($chapter->pages as $page) {
+        foreach ($chapter->getVisiblePages() as $page) {
             $text .= $this->pageToPlainText($page);
         }
         return $text;
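Review bot: The switch to `getVisiblePages()` is now the only permission filter on this export path, but nothing in the loop says so, and the old `$chapter->pages` form reads just as naturally, so it is easy to "simplify" back. A one-line comment would pin the intent: `// Only pages the current user may view; an unfiltered relation leaks restricted content (#2414)`. The chapterToPlainText signature sits above the hunk, so the docblock could carry the same note instead.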
@@ -214,7 +214,7 @@ class ExportService
      */
     public function bookToPlainText(Book $book): string
     {
-        $bookTree = (new BookContents($book))->getTree(false, true);
+        $bookTree = (new BookContents($book))->getTree(false, false);
         $text = $book->name . "\n\n";
         foreach ($bookTree as $bookChild) {
             if ($bookChild->isA('chapter')) {
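Review bot: The second argument to `getTree()` is a bare positional boolean, so the hunk gives no hint what flipping it from `true` to `false` changes, even though the commit message says the `true` form exposed every page in a chapter. A comment such as `// second flag must stay false: the true path bypassed page permission filtering (#2414)` would guard against a regression, with the wording adjusted to the parameter's actual name in BookContents, which is not visible here. A named argument would be clearer still, but only if the codebase already targets PHP 8.0. The bookToPlainText body continues below the hunk.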
index a0855508594b7c336252bc4d9856c5eb01db20ec..fb2a892286567fa762b25d769ea9f948f1b46dac 100644 (file)
@@ -112,7 +112,7 @@ class ImageRepo
                 if ($filterType === 'page') {
                     $query->where('uploaded_to', '=', $contextPage->id);
                 } elseif ($filterType === 'book') {
-                    $validPageIds = $contextPage->book->pages()->get(['id'])->pluck('id')->toArray();
+                    $validPageIds = $contextPage->book->pages()->visible()->get(['id'])->pluck('id')->toArray();
                     $query->whereIn('uploaded_to', $validPageIds);
                 }
             };
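Review bot: The `'book'` branch now materialises every visible page id into `$validPageIds` before the `whereIn`, which for a large book builds a long IN list; the filter can stay in the database as `$query->whereIn('uploaded_to', $contextPage->book->pages()->visible()->select('id'));`. The `'page'` branch just above still scopes on `$contextPage->id` with no visibility check — presumably fine because the context page is the one being edited, but worth confirming. The enclosing closure and method both start above the hunk.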
diff --git a/tests/Permissions/ExportPermissionsTest.php b/tests/Permissions/ExportPermissionsTest.php
new file mode 100644 (file)
index 0000000..32ee9e7
--- /dev/null
@@ -0,0 +1,67 @@
+<?php namespace Tests\Permissions;
+
+use BookStack\Entities\Book;
+use BookStack\Entities\Chapter;
+use Illuminate\Support\Str;
+use Tests\TestCase;
+
+class ExportPermissionsTest extends TestCase
+{
+
+    public function test_page_content_without_view_access_hidden_on_chapter_export()
+    {
+        $chapter = Chapter::query()->first();
+        $page = $chapter->pages()->firstOrFail();
+        $pageContent = Str::random(48);
+        $page->html = '<p>' . $pageContent . '</p>';
+        $page->save();
+        $viewer = $this->getViewer();
+        $this->actingAs($viewer);
+        $formats = ['html', 'plaintext'];
+
+        foreach ($formats as $format) {
+            $resp = $this->get($chapter->getUrl("export/{$format}"));
+            $resp->assertStatus(200);
+            $resp->assertSee($page->name);
+            $resp->assertSee($pageContent);
+        }
+
+        $this->setEntityRestrictions($page, []);
+
+        foreach ($formats as $format) {
+            $resp = $this->get($chapter->getUrl("export/{$format}"));
+            $resp->assertStatus(200);
+            $resp->assertDontSee($page->name);
+            $resp->assertDontSee($pageContent);
+        }
+    }
+
+    public function test_page_content_without_view_access_hidden_on_book_export()
+    {
+        $book = Book::query()->first();
+        $page = $book->pages()->firstOrFail();
+        $pageContent = Str::random(48);
+        $page->html = '<p>' . $pageContent . '</p>';
+        $page->save();
+        $viewer = $this->getViewer();
+        $this->actingAs($viewer);
+        $formats = ['html', 'plaintext'];
+
+        foreach ($formats as $format) {
+            $resp = $this->get($book->getUrl("export/{$format}"));
+            $resp->assertStatus(200);
+            $resp->assertSee($page->name);
+            $resp->assertSee($pageContent);
+        }
+
+        $this->setEntityRestrictions($page, []);
+
+        foreach ($formats as $format) {
+            $resp = $this->get($book->getUrl("export/{$format}"));
+            $resp->assertStatus(200);
+            $resp->assertDontSee($page->name);
+            $resp->assertDontSee($pageContent);
+        }
+    }
+
+}
\ No newline at end of file
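Review bot: The two test methods are line-for-line duplicates apart from the parent entity, which makes it costly to add the case the fix most needs alongside these — a restricted chapter inside a visible book — so the scenario is better extracted into a helper that takes the parent and the page. `assertDontSee($page->name)` could also fail spuriously if the seeded name appears elsewhere in the export (a sibling page with the same name, for instance); asserting on the random content alone is the robust check, with the name assertion kept only if the fixture guarantees uniqueness. Neither method declares a `: void` return type, which the rest of the suite may or may not do.

```php
class ExportPermissionsTest extends TestCase
{
    public function test_page_content_without_view_access_hidden_on_chapter_export()
    {
        $chapter = Chapter::query()->first();
        $this->assertPageHiddenFromExportOnceRestricted($chapter, $chapter->pages()->firstOrFail());
    }

    public function test_page_content_without_view_access_hidden_on_book_export()
    {
        $book = Book::query()->first();
        $this->assertPageHiddenFromExportOnceRestricted($book, $book->pages()->firstOrFail());
    }

    /**
     * Assert that $page's content appears in $parent's html and plaintext exports for a
     * viewer, and disappears once the page is restricted to no roles.
     *
     * @param Book|Chapter $parent
     */
    protected function assertPageHiddenFromExportOnceRestricted($parent, $page): void
    {
        $pageContent = Str::random(48);
        $page->html = '<p>' . $pageContent . '</p>';
        $page->save();
        $this->actingAs($this->getViewer());
        $formats = ['html', 'plaintext'];

        foreach ($formats as $format) {
            $resp = $this->get($parent->getUrl("export/{$format}"));
            $resp->assertStatus(200);
            $resp->assertSee($page->name);
            $resp->assertSee($pageContent);
        }

        $this->setEntityRestrictions($page, []);

        foreach ($formats as $format) {
            $resp = $this->get($parent->getUrl("export/{$format}"));
            $resp->assertStatus(200);
            $resp->assertDontSee($page->name);
            $resp->assertDontSee($pageContent);
        }
    }
}
```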