Pages: Redirect user to view if they can't edit
authorDan Brown <redacted>
Sat, 24 May 2025 11:05:17 +0000 (12:05 +0100)
committerDan Brown <redacted>
Sat, 24 May 2025 11:05:17 +0000 (12:05 +0100)
For #5568

app/Entities/Controllers/PageController.php
app/Http/Controller.php
tests/Entity/PageTest.php

index 230a84721f80ee8793dd325f9c082c5c3ca2045c..de3aed7d9a7543dc61303b8f0a68ee7d3ac838c0 100644 (file)
@@ -17,6 +17,7 @@ use BookStack\Entities\Tools\PageContent;
 use BookStack\Entities\Tools\PageEditActivity;
 use BookStack\Entities\Tools\PageEditorData;
 use BookStack\Exceptions\NotFoundException;
+use BookStack\Exceptions\NotifyException;
 use BookStack\Exceptions\PermissionsException;
 use BookStack\Http\Controller;
 use BookStack\References\ReferenceFetcher;
@@ -196,7 +197,7 @@ class PageController extends Controller
     public function edit(Request $request, string $bookSlug, string $pageSlug)
     {
         $page = $this->queries->findVisibleBySlugsOrFail($bookSlug, $pageSlug);
-        $this->checkOwnablePermission('page-update', $page);
+        $this->checkOwnablePermission('page-update', $page, $page->getUrl());
 
         $editorData = new PageEditorData($page, $this->entityQueries, $request->query('editor', ''));
         if ($editorData->getWarnings()) {
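Review bot: The redirect target passed on the `checkOwnablePermission` line is `$page->getUrl()`, and why that is safe deserves a comment: the user reaching this line has already passed `findVisibleBySlugsOrFail` on the line above, so they are known to be allowed to view the page they are being sent to. A one-line comment such as `// Users who can view but not edit are sent back to the page view; visibility was already checked above.` would keep a later refactor from reordering the two calls. The value is built by the application from the entity rather than read from the request, which is the property any further caller of the new `$redirectLocation` parameter should preserve, since `NotifyException` redirects to whatever it is given. `edit()` continues past the end of the hunk.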
index 652e2ccf3bd47ad7f9926f7181af8cf673654860..7f2134dd87abe8d7eedd8cc9d03038ba54d55260 100644 (file)
@@ -49,13 +49,13 @@ abstract class Controller extends BaseController
      * On a permission error redirect to home and display.
      * the error as a notification.
      *
-     * @return never
+     * @throws NotifyException
      */
-    protected function showPermissionError()
+    protected function showPermissionError(string $redirectLocation = '/'): never
     {
         $message = request()->wantsJson() ? trans('errors.permissionJson') : trans('errors.permission');
 
-        throw new NotifyException($message, '/', 403);
+        throw new NotifyException($message, $redirectLocation, 403);
     }
 
     /**
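Review bot: The docblock above `showPermissionError` still says the redirect goes to home, but the new `$redirectLocation` parameter makes that only the default, and the parameter itself is undocumented; the same applies to `checkOwnablePermission` in the next hunk. I would replace the two description lines with `* On a permission error, redirect to the given location (home by default)` / `* and display the error as a notification.` and add `@param string $redirectLocation Application-generated path or URL only; NotifyException redirects to it verbatim.`, which also removes the stray full stop after "display". The `: never` return type paired with `@throws NotifyException` correctly replaces the old `@return never`, as the method only throws.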
@@ -81,10 +81,10 @@ abstract class Controller extends BaseController
     /**
      * Check the current user's permissions against an ownable item otherwise throw an exception.
      */
-    protected function checkOwnablePermission(string $permission, Model $ownable): void
+    protected function checkOwnablePermission(string $permission, Model $ownable, string $redirectLocation = '/'): void
     {
         if (!userCan($permission, $ownable)) {
-            $this->showPermissionError();
+            $this->showPermissionError($redirectLocation);
         }
     }
 
index e444d165fb314193cb146e6d416a3ad677df74fd..d2c448bf4b77bfdfae0f3507550cb16de98bff32 100644 (file)
@@ -356,4 +356,14 @@ class PageTest extends TestCase
         $resp = $this->get('/');
         $this->withHtml($resp)->assertElementContains('#recently-updated-pages', $page->name);
     }
+
+    public function test_page_edit_without_update_permissions_but_with_view_redirects_to_page()
+    {
+        $page = $this->entities->page();
+
+        $resp = $this->asViewer()->get($page->getUrl('/edit'));
+        $resp->assertRedirect($page->getUrl());
+
+        $resp->assertSessionHas('error', 'You do not have permission to access the requested page.');
+    }
 }
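Review bot: The `assertSessionHas` line hard-codes the English text of `errors.permission`, so the test breaks on any wording change to the translation; `$resp->assertSessionHas('error', trans('errors.permission'));` pins the same behaviour against the key that `showPermissionError` actually uses. The test covers only the viewer-with-view-permission path; a companion test for a user who cannot view the page at all would pin that the redirect to `$page->getUrl()` is never reached for them (presumably `findVisibleBySlugsOrFail` fails first, but nothing here asserts it). The JSON variant of the message (`errors.permissionJson`) is likewise unexercised.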