Prevent empty-state actions visible without permission.

Fixes #411
2024-07-07 20:02:40 +00:00 · 2017-07-02 15:59:40 +01:00 · 2017-07-02 15:59:40 +01:00 · 4db2c274e2
commit 4db2c274e2
parent cbff801aec
3 changed files with 35 additions and 0 deletions
--- a/resources/views/books/show.blade.php
+++ b/resources/views/books/show.blade.php
@ -72,9 +72,15 @@
                        @else
                            <p class="text-muted">{{ trans('entities.books_empty_contents') }}</p>
                            <p>
+                                @if(userCan('page-create', $book))
                                <a href="{{ $book->getUrl('/page/create') }}" class="text-page"><i class="zmdi zmdi-file-text"></i>{{ trans('entities.books_empty_create_page') }}</a>
+                                @endif
+                                @if(userCan('page-create', $book) && userCan('chapter-create', $book))
                                &nbsp;&nbsp;<em class="text-muted">-{{ trans('entities.books_empty_or') }}-</em>&nbsp;&nbsp;&nbsp;
+                                @endif
+                                @if(userCan('chapter-create', $book))
                                <a href="{{ $book->getUrl('/chapter/create') }}" class="text-chapter"><i class="zmdi zmdi-collection-bookmark"></i>{{ trans('entities.books_empty_add_chapter') }}</a>
+                                @endif
                            </p>
                            <hr>
                        @endif
--- a/tests/BrowserKitTest.php
+++ b/tests/BrowserKitTest.php
@ -1,5 +1,6 @@
 <?php namespace Tests;

+use BookStack\Entity;
 use BookStack\Role;
 use BookStack\Services\PermissionService;
 use Illuminate\Contracts\Console\Kernel;
@ -117,6 +118,16 @@ abstract class BrowserKitTest extends TestCase
        ];
    }

+    /**
+     * Helper for updating entity permissions.
+     * @param Entity $entity
+     */
+    protected function updateEntityPermissions(Entity $entity)
+    {
+        $restrictionService = $this->app[PermissionService::class];
+        $restrictionService->buildJointPermissionsForEntity($entity);
+    }
+
    /**
     * Quick way to create a new user
     * @param array $attributes
--- a/tests/Permissions/RolesTest.php
+++ b/tests/Permissions/RolesTest.php
@ -639,4 +639,22 @@ class RolesTest extends BrowserKitTest
        $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(404);
    }

+    public function test_empty_state_actions_not_visible_without_permission()
+    {
+        $admin = $this->getAdmin();
+        // Book links
+        $book = factory(\BookStack\Book::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id]);
+        $this->updateEntityPermissions($book);
+        $this->actingAs($this->getViewer())->visit($book->getUrl())
+            ->dontSee('Create a new page')
+            ->dontSee('Add a chapter');
+
+        // Chapter links
+        $chapter = factory(\BookStack\Chapter::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id, 'book_id' => $book->id]);
+        $this->updateEntityPermissions($chapter);
+        $this->actingAs($this->getViewer())->visit($chapter->getUrl())
+            ->dontSee('Create a new page')
+            ->dontSee('Sort the current book');
+    }
+
 }