From: Abijeet <redacted>
Date: Fri, 5 Jan 2018 19:34:48 +0000 (+0530)
Subject: Refactored the code to first check for the permissions before sorting the book.
X-Git-Tag: v0.20.0~1^2~23^2~1
X-Git-Url: http://source.bookstackapp.com/bookstack/commitdiff_plain/refs/pull/651/head?ds=inline

Refactored the code to first check for the permissions before sorting the book.

Signed-off-by: Abijeet <redacted>
---

diff --git a/app/Http/Controllers/BookController.php b/app/Http/Controllers/BookController.php
index 700f7a06f..d70f9d0df 100644
--- a/app/Http/Controllers/BookController.php
+++ b/app/Http/Controllers/BookController.php
@@ -195,35 +195,43 @@ class BookController extends Controller
         $sortMap = json_decode($request->get('sort-tree'));
         $defaultBookId = $book->id;
 
+        // Check permissions for all target and source books
         $permissionsList = [$book->id];
-
-        // Loop through contents of provided map and update entities accordingly
         foreach ($sortMap as $bookChild) {
-            $priority = $bookChild->sort;
-            $id = intval($bookChild->id);
-            $isPage = $bookChild->type == 'page';
-            $bookId = $defaultBookId;
-            $targetBook = $this->entityRepo->getById('book', $bookChild->book);
-
             // Check permission for target book
-            if (!empty($targetBook)) {
-                $bookId = $targetBook->id;
-                if (!in_array($bookId, $permissionsList)) {
+            if (!in_array($bookChild->book, $permissionsList)) {
+                $targetBook = $this->entityRepo->getById('book', $bookChild->book);
+                if (!empty($targetBook)) {
+                    $bookId = $targetBook->id;
                     $this->checkOwnablePermission('book-update', $targetBook);
                     // cache the permission for future use.
                     $permissionsList[] = $bookId;
                 }
             }
 
-            $chapterId = ($isPage && $bookChild->parentChapter === false) ? 0 : intval($bookChild->parentChapter);
-            $model = $this->entityRepo->getById($isPage?'page':'chapter', $id);
-
             // Check permissions for the source book
+            $id = intval($bookChild->id);
+            $isPage = $bookChild->type == 'page';
+            $model = $this->entityRepo->getById($isPage?'page':'chapter', $id);
             $sourceBook = $model->book;
             if (!in_array($sourceBook->id, $permissionsList)) {
                 $this->checkOwnablePermission('book-update', $sourceBook);
+
+                // cache the permission for future use.
                 $permissionsList[] = $sourceBook->id;
             }
+        }
+
+        // Loop through contents of provided map and update entities accordingly
+        foreach ($sortMap as $bookChild) {
+            $priority = $bookChild->sort;
+            $id = intval($bookChild->id);
+            $isPage = $bookChild->type == 'page';
+            $bookId = $defaultBookId;
+            $targetBook = $this->entityRepo->getById('book', $bookChild->book);
+
+            $chapterId = ($isPage && $bookChild->parentChapter === false) ? 0 : intval($bookChild->parentChapter);
+            $model = $this->entityRepo->getById($isPage?'page':'chapter', $id);
 
             // Update models only if there's a change in parent chain or ordering.
             if ($model->priority !== $priority || $model->book_id !== $bookId || ($isPage && $model->chapter_id !== $chapterId)) {