From 042a6f9760337d28138d4c1e4c7ab570bce8804c Mon Sep 17 00:00:00 2001
From: Dan Brown <ssddanbrown@googlemail.com>
Date: Sat, 9 Mar 2019 21:15:45 +0000
Subject: [PATCH] Updated shelf menu item to show on custom permission

- Extended new 'userCanOnAny' helper to take a entity class for
filtering.

Closes #1201
---
 app/Auth/Permissions/PermissionService.php | 25 ++++++++++++++--------
 app/helpers.php                            |  6 ++++--
 resources/views/base.blade.php             |  2 +-
 tests/Entity/BookShelfTest.php             | 18 ++++++++++++++++
 4 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/app/Auth/Permissions/PermissionService.php b/app/Auth/Permissions/PermissionService.php
index 33d214963..8fc70e916 100644
--- a/app/Auth/Permissions/PermissionService.php
+++ b/app/Auth/Permissions/PermissionService.php
@@ -558,28 +558,35 @@ class PermissionService
 
     /**
      * Checks if a user has the given permission for any items in the system.
+     * Can be passed an entity instance to filter on a specific type.
      * @param string $permission
+     * @param string $entityClass
      * @return bool
      */
-    public function checkUserHasPermissionOnAnything(string $permission)
+    public function checkUserHasPermissionOnAnything(string $permission, string $entityClass = null)
     {
         $userRoleIds = $this->currentUser()->roles()->select('id')->pluck('id')->toArray();
         $userId = $this->currentUser()->id;
 
-        $canCreatePage = $this->db->table('joint_permissions')
+        $permissionQuery = $this->db->table('joint_permissions')
             ->where('action', '=', $permission)
             ->whereIn('role_id', $userRoleIds)
             ->where(function ($query) use ($userId) {
                 $query->where('has_permission', '=', 1)
-                ->orWhere(function ($query2) use ($userId) {
-                    $query2->where('has_permission_own', '=', 1)
-                    ->where('created_by', '=', $userId);
-                });       
-            })
-            ->get()->count() > 0;
+                    ->orWhere(function ($query2) use ($userId) {
+                        $query2->where('has_permission_own', '=', 1)
+                            ->where('created_by', '=', $userId);
+                    });
+        }) ;
 
+        if (!is_null($entityClass)) {
+            $entityInstance = app()->make($entityClass);
+            $permissionQuery = $permissionQuery->where('entity_type', '=', $entityInstance->getMorphClass());
+        }
+
+        $hasPermission = $permissionQuery->count() > 0;
         $this->clean();
-        return $canCreatePage;
+        return $hasPermission;
     }
 
     /**
diff --git a/app/helpers.php b/app/helpers.php
index 0825a2e4a..d9533645d 100644
--- a/app/helpers.php
+++ b/app/helpers.php
@@ -1,6 +1,7 @@
 <?php
 
 use BookStack\Auth\Permissions\PermissionService;
+use BookStack\Entities\Entity;
 use BookStack\Ownable;
 
 /**
@@ -70,12 +71,13 @@ function userCan(string $permission, Ownable $ownable = null)
  * Check if the current user has the given permission
  * on any item in the system.
  * @param string $permission
+ * @param string|null $entityClass
  * @return bool
  */
-function userCanOnAny(string $permission)
+function userCanOnAny(string $permission, string $entityClass = null)
 {
     $permissionService = app(PermissionService::class);
-    return $permissionService->checkUserHasPermissionOnAnything($permission);
+    return $permissionService->checkUserHasPermissionOnAnything($permission, $entityClass);
 }
 
 /**
diff --git a/resources/views/base.blade.php b/resources/views/base.blade.php
index c7a5acca8..fdd248091 100644
--- a/resources/views/base.blade.php
+++ b/resources/views/base.blade.php
@@ -48,7 +48,7 @@
                             </form>
                         </div>
                         <div class="links text-center">
-                            @if(userCan('bookshelf-view-all') || userCan('bookshelf-view-own'))
+                            @if(userCanOnAny('view', \BookStack\Entities\Bookshelf::class) || userCan('bookshelf-view-own'))
                                 <a href="{{ baseUrl('/shelves') }}">@icon('bookshelf'){{ trans('entities.shelves') }}</a>
                             @endif
                             <a href="{{ baseUrl('/books') }}">@icon('book'){{ trans('entities.books') }}</a>
diff --git a/tests/Entity/BookShelfTest.php b/tests/Entity/BookShelfTest.php
index 5d71ec6f6..bdba812d5 100644
--- a/tests/Entity/BookShelfTest.php
+++ b/tests/Entity/BookShelfTest.php
@@ -1,5 +1,7 @@
 <?php namespace Tests;
 
+use BookStack\Auth\Role;
+use BookStack\Auth\User;
 use BookStack\Entities\Book;
 use BookStack\Entities\Bookshelf;
 
@@ -27,6 +29,22 @@ class BookShelfTest extends TestCase
         $resp->assertElementContains('header', 'Shelves');
     }
 
+    public function test_shelves_shows_in_header_if_have_any_shelve_view_permission()
+    {
+        $user = factory(User::class)->create();
+        $this->giveUserPermissions($user, ['image-create-all']);
+        $shelf = Bookshelf::first();
+        $userRole = $user->roles()->first();
+
+        $resp = $this->actingAs($user)->get('/');
+        $resp->assertElementNotContains('header', 'Shelves');
+
+        $this->setEntityRestrictions($shelf, ['view'], [$userRole]);
+
+        $resp = $this->get('/');
+        $resp->assertElementContains('header', 'Shelves');
+    }
+
     public function test_shelves_page_contains_create_link()
     {
         $resp = $this->asEditor()->get('/shelves');