From 4db2c274e21fb4a3900f057d3ff9d5d7f09b65be Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Sun, 2 Jul 2017 15:59:40 +0100
Subject: [PATCH] Prevent empty-state actions visible without permission. Fixes #411
---
resources/views/books/show.blade.php | 6 ++++++
tests/BrowserKitTest.php | 11 +++++++++++
tests/Permissions/RolesTest.php | 18 ++++++++++++++++++
3 files changed, 35 insertions(+)
diff --git a/resources/views/books/show.blade.php b/resources/views/books/show.blade.php
index adfec4525..ddbe7a0a4 100644
--- a/resources/views/books/show.blade.php
+++ b/resources/views/books/show.blade.php
@@ -72,9 +72,15 @@ @else

{{ trans('entities.books_empty_contents') }}

+ @if(userCan('page-create', $book)) {{ trans('entities.books_empty_create_page') }} + @endif + @if(userCan('page-create', $book) && userCan('chapter-create', $book))   -{{ trans('entities.books_empty_or') }}-    + @endif + @if(userCan('chapter-create', $book)) {{ trans('entities.books_empty_add_chapter') }} + @endif


@endif diff --git a/tests/BrowserKitTest.php b/tests/BrowserKitTest.php index c665bfc23..98259dea9 100644 --- a/tests/BrowserKitTest.php +++ b/tests/BrowserKitTest.php @@ -1,5 +1,6 @@ app[PermissionService::class]; + $restrictionService->buildJointPermissionsForEntity($entity); + } + /** * Quick way to create a new user * @param array $attributes diff --git a/tests/Permissions/RolesTest.php b/tests/Permissions/RolesTest.php index d0e42c6ee..eda5d092a 100644 --- a/tests/Permissions/RolesTest.php +++ b/tests/Permissions/RolesTest.php @@ -639,4 +639,22 @@ class RolesTest extends BrowserKitTest $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(404); } + public function test_empty_state_actions_not_visible_without_permission() + { + $admin = $this->getAdmin(); + // Book links + $book = factory(\BookStack\Book::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id]); + $this->updateEntityPermissions($book); + $this->actingAs($this->getViewer())->visit($book->getUrl()) + ->dontSee('Create a new page') + ->dontSee('Add a chapter'); + + // Chapter links + $chapter = factory(\BookStack\Chapter::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id, 'book_id' => $book->id]); + $this->updateEntityPermissions($chapter); + $this->actingAs($this->getViewer())->visit($chapter->getUrl()) + ->dontSee('Create a new page') + ->dontSee('Sort the current book'); + } + }
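Review bot: The `@if(userCan('page-create', $book))` and `@if(userCan('chapter-create', $book))` guards added around the empty-state links only decide what is rendered; they are not an access control. The create-page and create-chapter actions behind those links need their own `page-create` / `chapter-create` check against the same book, and that code is not part of this patch, so confirm it before treating #411 as fully closed. A short Blade comment above the block would make the intent explicit, for example `{{-- Display only: page-create / chapter-create must also be enforced by the target routes --}}`. As a minor style point, each permission is evaluated twice in this block, so the two results could be computed once and reused.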
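Review bot: The new helper stores the resolved `PermissionService` in a variable called `$restrictionService`, which reads as if it were a different service. Renaming it to match, `$permissionService->buildJointPermissionsForEntity($entity);`, keeps the helper consistent with the class it pulls from the container. Part of this hunk is missing from the page as shown, so the helper's signature and docblock could not be reviewed.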
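Review bot: `test_empty_state_actions_not_visible_without_permission` asserts only `dontSee(...)` for the viewer, so it also passes if the empty state is never rendered or the English link text changes. A positive control for a user who holds the permissions would pin the behaviour, for example `$this->actingAs($admin)->visit($book->getUrl())->see('Create a new page')->see('Add a chapter');`. The chapter assertions exercise a chapter view that this patch does not modify, so they presumably rely on checks already present there; worth confirming they fail without those checks. The test covers link visibility only, so a companion assertion that the viewer is refused by the create endpoints themselves would cover the enforcement side.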