]> BookStack Code Mirror - bookstack/commitdiff
projects / bookstack / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side (parent: e269cc7)
Refactored the code to first check for the permissions before sorting the book. 651/head
authorAbijeet <redacted>
Fri, 5 Jan 2018 19:34:48 +0000 (01:04 +0530)
committerAbijeet <redacted>
Fri, 5 Jan 2018 19:34:48 +0000 (01:04 +0530)
Signed-off-by: Abijeet <redacted>
app/Http/Controllers/BookController.php patch | blob | history

diff --git a/app/Http/Controllers/BookController.php b/app/Http/Controllers/BookController.php
index 700f7a06f6217d22c8a894bcc0420ed8e0328a2b..d70f9d0dfb92bc3b6691a0e6506c5fad23db3f72 100644 (file)
--- a/app/Http/Controllers/BookController.php
+++ b/app/Http/Controllers/BookController.php
@@ -195,35 +195,43 @@ class BookController extends Controller
         $sortMap = json_decode($request->get('sort-tree'));
         $defaultBookId = $book->id;
 
+        // Check permissions for all target and source books
         $permissionsList = [$book->id];
-
-        // Loop through contents of provided map and update entities accordingly
         foreach ($sortMap as $bookChild) {
-            $priority = $bookChild->sort;
-            $id = intval($bookChild->id);
-            $isPage = $bookChild->type == 'page';
-            $bookId = $defaultBookId;
-            $targetBook = $this->entityRepo->getById('book', $bookChild->book);
-
             // Check permission for target book
-            if (!empty($targetBook)) {
-                $bookId = $targetBook->id;
-                if (!in_array($bookId, $permissionsList)) {
+            if (!in_array($bookChild->book, $permissionsList)) {
+                $targetBook = $this->entityRepo->getById('book', $bookChild->book);
+                if (!empty($targetBook)) {
+                    $bookId = $targetBook->id;
                     $this->checkOwnablePermission('book-update', $targetBook);
                     // cache the permission for future use.
                     $permissionsList[] = $bookId;
                 }
             }
 
-            $chapterId = ($isPage && $bookChild->parentChapter === false) ? 0 : intval($bookChild->parentChapter);
-            $model = $this->entityRepo->getById($isPage?'page':'chapter', $id);
-
             // Check permissions for the source book
+            $id = intval($bookChild->id);
+            $isPage = $bookChild->type == 'page';
+            $model = $this->entityRepo->getById($isPage?'page':'chapter', $id);
             $sourceBook = $model->book;
             if (!in_array($sourceBook->id, $permissionsList)) {
                 $this->checkOwnablePermission('book-update', $sourceBook);
+
+                // cache the permission for future use.
                 $permissionsList[] = $sourceBook->id;
             }
+        }
+
+        // Loop through contents of provided map and update entities accordingly
+        foreach ($sortMap as $bookChild) {
+            $priority = $bookChild->sort;
+            $id = intval($bookChild->id);
+            $isPage = $bookChild->type == 'page';
+            $bookId = $defaultBookId;
+            $targetBook = $this->entityRepo->getById('book', $bookChild->book);
+
+            $chapterId = ($isPage && $bookChild->parentChapter === false) ? 0 : intval($bookChild->parentChapter);
+            $model = $this->entityRepo->getById($isPage?'page':'chapter', $id);
 
             // Update models only if there's a change in parent chain or ordering.
             if ($model->priority !== $priority || $model->book_id !== $bookId || ($isPage && $model->chapter_id !== $chapterId)) {
The core source code for the BookStack project.