Tied entity restriction system into userCan checks

diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php
index 4182743a7128518c9e63f9c87a9a4dfd4ba8eea9..f0cb47cd9197f6cfaf3b6c3441390e4ecd57be8f 100644 (file)
--- a/app/Http/Controllers/Controller.php
+++ b/app/Http/Controllers/Controller.php
@@ -68,7 +68,7 @@ abstract class Controller extends BaseController
     protected function showPermissionError()
     {
         Session::flash('error', trans('errors.permission'));
-        $response = request()->wantsJson() ? response()->json(['error' => trans('errors.permissionJson')], 403) : redirect('/', 403);
+        $response = request()->wantsJson() ? response()->json(['error' => trans('errors.permissionJson')], 403) : redirect('/');
         throw new HttpResponseException($response);
     }
 
@@ -93,10 +93,8 @@ abstract class Controller extends BaseController
      */
     protected function checkOwnablePermission($permission, Ownable $ownable)
     {
-        $permissionBaseName = strtolower($permission) . '-';
-        if (userCan($permissionBaseName . 'all')) return true;
-        if (userCan($permissionBaseName . 'own') && $ownable->createdBy->id === $this->currentUser->id) return true;
-        $this->showPermissionError();
+        if (userCan($permission, $ownable)) return true;
+        return $this->showPermissionError();
     }
 
     /**

diff --git a/app/Services/RestrictionService.php b/app/Services/RestrictionService.php
index 87dcbf0b3228c8269830be43d76bf1b926480503..0ef80b229002d5e137c9f9d4ec60290a648c7604 100644 (file)
--- a/app/Services/RestrictionService.php
+++ b/app/Services/RestrictionService.php
@@ -1,5 +1,7 @@
 <?php namespace BookStack\Services;
 
+use BookStack\Entity;
+
 class RestrictionService
 {
 
@@ -12,8 +14,24 @@ class RestrictionService
      */
     public function __construct()
     {
-        $this->userRoles = auth()->user()->roles->pluck('id');
-        $this->isAdmin = auth()->user()->hasRole('admin');
+        $user = auth()->user();
+        $this->userRoles = $user ? auth()->user()->roles->pluck('id') : false;
+        $this->isAdmin = $user ? auth()->user()->hasRole('admin') : false;
+    }
+
+    public function checkIfEntityRestricted(Entity $entity, $action)
+    {
+        if ($this->isAdmin) return true;
+        $this->currentAction = $action;
+        $baseQuery = $entity->where('id', '=', $entity->id);
+        if ($entity->isA('page')) {
+            return $this->pageRestrictionQuery($baseQuery)->count() > 0;
+        } elseif ($entity->isA('chapter')) {
+            return $this->chapterRestrictionQuery($baseQuery)->count() > 0;
+        } elseif ($entity->isA('book')) {
+            return $this->bookRestrictionQuery($baseQuery)->count() > 0;
+        }
+        return false;
     }
 
     /**
@@ -184,25 +202,25 @@ class RestrictionService
         if ($this->isAdmin) return $query;
         $this->currentAction = 'view';
         $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn, 'entityTypeColumn' => $entityTypeColumn];
-        return $query->where(function($query) use ($tableDetails) {
+        return $query->where(function ($query) use ($tableDetails) {
             $query->where(function ($query) use (&$tableDetails) {
                 $query->where($tableDetails['entityTypeColumn'], '=', 'BookStack\Page')
                     ->whereExists(function ($query) use (&$tableDetails) {
-                        $query->select('*')->from('pages')->whereRaw('pages.id='.$tableDetails['tableName'].'.'.$tableDetails['entityIdColumn'])
+                        $query->select('*')->from('pages')->whereRaw('pages.id=' . $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
                             ->where(function ($query) {
                                 $this->pageRestrictionQuery($query);
                             });
                     });
             })->orWhere(function ($query) use (&$tableDetails) {
                 $query->where($tableDetails['entityTypeColumn'], '=', 'BookStack\Book')->whereExists(function ($query) use (&$tableDetails) {
-                    $query->select('*')->from('books')->whereRaw('books.id='.$tableDetails['tableName'].'.'.$tableDetails['entityIdColumn'])
+                    $query->select('*')->from('books')->whereRaw('books.id=' . $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
                         ->where(function ($query) {
                             $this->bookRestrictionQuery($query);
                         });
                 });
             })->orWhere(function ($query) use (&$tableDetails) {
                 $query->where($tableDetails['entityTypeColumn'], '=', 'BookStack\Chapter')->whereExists(function ($query) use (&$tableDetails) {
-                    $query->select('*')->from('chapters')->whereRaw('chapters.id='.$tableDetails['tableName'].'.'.$tableDetails['entityIdColumn'])
+                    $query->select('*')->from('chapters')->whereRaw('chapters.id=' . $tableDetails['tableName'] . '.' . $tableDetails['entityIdColumn'])
                         ->where(function ($query) {
                             $this->chapterRestrictionQuery($query);
                         });

diff --git a/app/helpers.php b/app/helpers.php
index db65407c73729a9c85669c7fd7e57fdc2b3eedeb..8f080c5e157f14e619059084abe7b811877c251c 100644 (file)
--- a/app/helpers.php
+++ b/app/helpers.php
@@ -43,8 +43,18 @@ function userCan($permission, \BookStack\Ownable $ownable = null)
         return auth()->user() && auth()->user()->can($permission);
     }
 
+    // Check permission on ownable item
     $permissionBaseName = strtolower($permission) . '-';
-    if (userCan($permissionBaseName . 'all')) return true;
-    if (userCan($permissionBaseName . 'own') && $ownable->createdBy->id === auth()->user()->id) return true;
-    return false;
+    $hasPermission = false;
+    if (auth()->user()->can($permissionBaseName . 'all')) $hasPermission = true;
+    if (auth()->user()->can($permissionBaseName . 'own') && $ownable->createdBy->id === auth()->user()->id) $hasPermission = true;
+
+    if(!$ownable instanceof \BookStack\Entity) return $hasPermission;
+
+    // Check restrictions on the entitiy
+    $restrictionService = app('BookStack\Services\RestrictionService');
+    $explodedPermission = explode('-', $permission);
+    $action = end($explodedPermission);
+    $hasAccess = $restrictionService->checkIfEntityRestricted($ownable, $action);
+    return $hasAccess && $hasPermission;
 }
\ No newline at end of file