Fixed image delete permission issue
authorDan Brown <redacted>
Sun, 8 Jan 2017 19:19:30 +0000 (19:19 +0000)
committerDan Brown <redacted>
Sun, 8 Jan 2017 19:19:30 +0000 (19:19 +0000)
Also fixed missing translations and wrote tests to cover issue.
Fixes #258

app/Services/PermissionService.php
database/factories/ModelFactory.php
resources/lang/en/entities.php
tests/Permissions/RolesTest.php

index 467bf95da69f7f6dbe35361a2a595669cb977bc0..b58088dc0f9abaa65c0885f1a233c3959a105a45 100644 (file)
@@ -405,7 +405,7 @@ class PermissionService
         $action = end($explodedPermission);
         $this->currentAction = $action;
 
-        $nonJointPermissions = ['restrictions'];
+        $nonJointPermissions = ['restrictions', 'image', 'attachment'];
 
         // Handle non entity specific jointPermissions
         if (in_array($explodedPermission[0], $nonJointPermissions)) {
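Review bot: `attachment` is added to `$nonJointPermissions` alongside `image`, but the tests in this commit exercise only image deletion, so the attachment half of this authorization change is unverified; a matching own/all test for attachments would pin it. The list also deserves a short comment on why these prefixes are handled in the non-joint branch rather than through `entityRestrictionQuery`, for example `// Not entity permissions: checked without the joint-permission query.` (the branch body is outside the hunk, so confirm the wording against it). `in_array($explodedPermission[0], $nonJointPermissions, true)` would make the prefix match strict. The enclosing method starts and ends outside the hunk.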
@@ -421,7 +421,6 @@ class PermissionService
             $this->currentAction = $permission;
         }
 
-
         $q = $this->entityRestrictionQuery($baseQuery)->count() > 0;
         $this->clean();
         return $q;
index 3820d5b59eeb90e490d1bf41e8bae11067da8850..43e2143868dd0c48ecc83d45cf53837d180111bb 100644 (file)
@@ -59,4 +59,14 @@ $factory->define(BookStack\Tag::class, function ($faker) {
         'name' => $faker->city,
         'value' => $faker->sentence(3)
     ];
+});
+
+$factory->define(BookStack\Image::class, function ($faker) {
+    return [
+        'name' => $faker->slug . '.jpg',
+        'url' => $faker->url,
+        'path' => $faker->url,
+        'type' => 'gallery',
+        'uploaded_to' => 0
+    ];
 });
\ No newline at end of file
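Review bot: `'path' => $faker->url` fills the storage path with a full URL, so a factory-made image never points at a file location. If the delete route removes the file at `path` (not visible here), the new tests run that step against a meaningless value. Something like `'path' => '/uploads/images/gallery/' . $faker->slug . '.jpg'` (constructed example) would be closer to a real record. The factory also sets no `created_by`/`updated_by`, so callers that depend on ownership checks must pass them as the new tests do; a one-line comment above the definition would say so.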
index 033d9614ebcf12a20065a488a54e4f0debbbe8f9..109b6ee2a50251fe0b62cc59fba2b948e271c7a8 100644 (file)
@@ -89,6 +89,7 @@ return [
      * Chapters
      */
     'chapter' => 'Chapter',
+    'chapters' => 'Chapters',
     'chapters_popular' => 'Popular Chapters',
     'chapters_new' => 'New Chapter',
     'chapters_create' => 'Create New Chapter',
index 500dd3b6772f5d4d2b62ff93bacea80eb34722fa..0f6a7a150492c0c4a5845b0f4ae87f39be91766d 100644 (file)
@@ -578,4 +578,45 @@ class RolesTest extends TestCase
             ->see('Cannot be deleted');
     }
 
+
+
+    public function test_image_delete_own_permission()
+    {
+        $this->giveUserPermissions($this->user, ['image-update-all']);
+//        $admin = $this->getAdmin();
+        $page = \BookStack\Page::first();
+        $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $this->user->id, 'updated_by' => $this->user->id]);
+
+        $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
+            ->seeStatusCode(403);
+
+        $this->giveUserPermissions($this->user, ['image-delete-own']);
+
+        $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
+            ->seeStatusCode(200)
+            ->dontSeeInDatabase('images', ['id' => $image->id]);
+    }
+
+    public function test_image_delete_all_permission()
+    {
+        $this->giveUserPermissions($this->user, ['image-update-all']);
+        $admin = $this->getAdmin();
+        $page = \BookStack\Page::first();
+        $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);
+
+        $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
+            ->seeStatusCode(403);
+
+        $this->giveUserPermissions($this->user, ['image-delete-own']);
+
+        $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
+            ->seeStatusCode(403);
+
+        $this->giveUserPermissions($this->user, ['image-delete-all']);
+
+        $this->actingAs($this->user)->json('delete', '/images/' . $image->id)
+            ->seeStatusCode(200)
+            ->dontSeeInDatabase('images', ['id' => $image->id]);
+    }
+
 }
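Review bot: The 403 cases in both tests assert only the status code, so a handler that removed the row and then answered 403 would still pass. Adding `->seeInDatabase('images', ['id' => $image->id])` after each `->seeStatusCode(403)` would prove the denied request left the record in place. The commented-out `// $admin = $this->getAdmin();` in `test_image_delete_own_permission` should be dropped. The initial `image-update-all` grant would read more clearly with a comment such as `// update rights alone must not allow deletion`, if that is the intent.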