Allowed child entity permissions to override parent permissions
authorDan Brown <redacted>
Sat, 22 Apr 2017 12:39:34 +0000 (13:39 +0100)
committerDan Brown <redacted>
Sat, 22 Apr 2017 12:39:34 +0000 (13:39 +0100)
Updated elements of a page display and sidebar render to allow
child permissions to work even when parent entities have permissions
set. This allows a page with a 'view' permission to be viewable even
when the parent book or chapter is not viewable.

Fixes #366

app/Repos/EntityRepo.php
resources/views/chapters/_breadcrumbs.blade.php
resources/views/pages/_breadcrumbs.blade.php
resources/views/pages/sidebar-tree-list.blade.php
tests/Permissions/RestrictionsTest.php

index f1041f126bd5477dcb4e41189a4c75ffe38a66d2..9a572be547f1ea87eb626ef0d29c98269598f39d 100644 (file)
@@ -348,6 +348,10 @@ class EntityRepo
         foreach ($entities as $entity) {
             if ($entity->chapter_id === 0 || $entity->chapter_id === '0') continue;
             $parentKey = 'BookStack\\Chapter:' . $entity->chapter_id;
+            if (!isset($parents[$parentKey])) {
+                $tree[] = $entity;
+                continue;
+            }
             $chapter = $parents[$parentKey];
             $chapter->pages->push($entity);
         }
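Review bot: The new `!isset($parents[$parentKey])` branch has no comment explaining why a page whose chapter is absent from `$parents` is promoted to the book level; I would add `// Parent chapter is not visible to the current user; list the page at book level instead.` above the `if`. The branch treats every missing key as "chapter hidden", so it is worth confirming that both `$entities` and `$parents` come from permission-filtered queries, otherwise it also silently masks an orphaned `chapter_id`. Pages appended here land after whatever `$tree` already holds, so their sidebar position may not follow the book's ordering. The enclosing method starts and ends outside the hunk, so neither point can be confirmed from these lines alone.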
index 9064cc7c3b32a19de222d1d746b50aede1b0806f..1e090759ac2df0b632a48ea2c29265e8ab4002c8 100644 (file)
@@ -1,5 +1,7 @@
 <div class="breadcrumbs">
+    @if (userCan('view', $book))
     <a href="{{ $chapter->book->getUrl() }}" class="text-book text-button"><i class="zmdi zmdi-book"></i>{{ $chapter->book->getShortName() }}</a>
     <span class="sep">&raquo;</span>
+    @endif
     <a href="{{ $chapter->getUrl() }}" class="text-chapter text-button"><i class="zmdi zmdi-collection-bookmark"></i>{{$chapter->getShortName()}}</a>
 </div>
\ No newline at end of file
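Review bot: The added guard checks `userCan('view', $book)` while the link it protects is built from `$chapter->book`, so the permission test and the rendered object can diverge if the including view passes a different `$book`, or none at all. Checking the object that is actually rendered keeps the two in step: `@if (userCan('view', $chapter->book))`. The page breadcrumb partial in this commit already follows that pattern with `$page->book`.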
index 0d2a61ab2475f28c2493792834f4c906ad380e5e..a7fb8fa0eab10c5f751b8fd4a62ed23d8a43ce09 100644 (file)
@@ -1,12 +1,14 @@
 <div class="breadcrumbs">
-    <a href="{{ $page->book->getUrl() }}" class="text-book text-button"><i class="zmdi zmdi-book"></i>{{ $page->book->getShortName() }}</a>
-    @if($page->hasChapter())
+    @if (userCan('view', $page->book))
+        <a href="{{ $page->book->getUrl() }}" class="text-book text-button"><i class="zmdi zmdi-book"></i>{{ $page->book->getShortName() }}</a>
         <span class="sep">&raquo;</span>
+    @endif
+    @if($page->hasChapter() && userCan('view', $page->chapter))
         <a href="{{ $page->chapter->getUrl() }}" class="text-chapter text-button">
             <i class="zmdi zmdi-collection-bookmark"></i>
             {{ $page->chapter->getShortName() }}
         </a>
+        <span class="sep">&raquo;</span>
     @endif
-    <span class="sep">&raquo;</span>
     <a href="{{ $page->getUrl() }}" class="text-page text-button"><i class="zmdi zmdi-file"></i>{{ $page->getShortName() }}</a>
 </div>
\ No newline at end of file
index faae6420a62cf0f72a75e5b845773049026ffc24..0a10987d693bf5e24bae4efd0b2c5b006f18649e 100644 (file)
 
     <h6 class="text-muted">{{ trans('entities.books_navigation') }}</h6>
     <ul class="sidebar-page-list menu">
-        <li class="book-header"><a href="{{ $book->getUrl() }}" class="book {{ $current->matches($book)? 'selected' : '' }}"><i class="zmdi zmdi-book"></i>{{$book->name}}</a></li>
 
+        @if (userCan('view', $book))
+            <li class="book-header"><a href="{{ $book->getUrl() }}" class="book {{ $current->matches($book)? 'selected' : '' }}"><i class="zmdi zmdi-book"></i>{{$book->name}}</a></li>
+        @endif
 
         @foreach($sidebarTree as $bookChild)
             <li class="list-item-{{ $bookChild->getClassName() }} {{ $bookChild->getClassName() }} {{ $bookChild->isA('page') && $bookChild->draft ? 'draft' : '' }}">
index 7007985e4ff19d72738e3c26919666290db4471f..58be1ea73e0488411b12471febc9dfd6f56da9c6 100644 (file)
@@ -522,4 +522,21 @@ class RestrictionsTest extends BrowserKitTest
             ->see('Delete Chapter');
     }
 
+    public function test_page_visible_if_has_permissions_when_book_not_visible()
+    {
+        $book = \BookStack\Book::first();
+        $bookChapter = $book->chapters->first();
+        $bookPage = $bookChapter->pages->first();
+
+        $this->setEntityRestrictions($book, []);
+        $this->setEntityRestrictions($bookPage, ['view']);
+
+        $this->actingAs($this->viewer);
+        $this->get($bookPage->getUrl());
+        $this->assertResponseOk();
+        $this->see($bookPage->name);
+        $this->dontSee(substr($book->name, 0, 15));
+        $this->dontSee(substr($bookChapter->name, 0, 15));
+    }
+
 }
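Review bot: The test proves the page becomes visible, but nothing in it asserts that the book and chapter themselves stay inaccessible to `$this->viewer`, which is the boundary this override must not move. I would add requests to `$book->getUrl()` and `$bookChapter->getUrl()` after the page checks and assert they are still denied, using whichever denial assertion the other tests in this class rely on. The `dontSee(substr(..., 0, 15))` checks only cover names rendered in the page body. A second case where just the chapter is restricted and the book stays visible would exercise the chapter branch of the breadcrumb on its own.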