Infra-Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-01 01:36:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

Attempted fix of issues, realised new query system is a failure

Browse Source 
As part of the permission checking we need to check owner user status.
Upon this, we'd also want to check page draft status (and its
creator/owner).
These, for cross-entity/relation queries would need up to another 4 joins.
The performance/index usage is already questionable here.
This commit is contained in:
Dan Brown 2023-01-14 13:50:41 +00:00
parent 93ba572369
commit 55642a33ee
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/Actions/ActivityQueries.php
View File

@ -31,6 +31,7 @@ class ActivityQueries
$activityList = $this->permissions $activityList = $this->permissions
->restrictEntityRelationQuery($query, 'activities', 'entity_id', 'entity_type') ->restrictEntityRelationQuery($query, 'activities', 'entity_id', 'entity_type')
->orderBy('created_at', 'desc') ->orderBy('created_at', 'desc')
->whereNotNull('activities.entity_id')
->with(['user', 'entity']) ->with(['user', 'entity'])
->skip($count * $page) ->skip($count * $page)
->take($count) ->take($count)
@ -86,6 +87,7 @@ class ActivityQueries
->restrictEntityRelationQuery($query, 'activities', 'entity_id', 'entity_type') ->restrictEntityRelationQuery($query, 'activities', 'entity_id', 'entity_type')
->orderBy('created_at', 'desc') ->orderBy('created_at', 'desc')
->where('user_id', '=', $user->id) ->where('user_id', '=', $user->id)
->whereNotNull('activities.entity_id')
->skip($count * $page) ->skip($count * $page)
->take($count) ->take($count)
->get(); ->get();

19
app/Auth/Permissions/PermissionApplicator.php
View File

@ -178,7 +178,7 @@ class PermissionApplicator
$this->applyFallbackJoin($query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn); $this->applyFallbackJoin($query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
$this->applyRoleJoin($query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn); $this->applyRoleJoin($query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
$this->applyUserJoin($query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn); $this->applyUserJoin($query, $queryTable, $entityTypeLimiter, $entityIdColumn, $entityTypeColumn);
$this->applyPermissionWhereFilter($query, $entityTypeLimiter, $entityTypeColumn); $this->applyPermissionWhereFilter($query, $queryTable, $entityTypeLimiter, $entityTypeColumn);
} }
/** /**
@ -188,10 +188,11 @@ class PermissionApplicator
* Both should not be applied since that would conflict upon intent. * Both should not be applied since that would conflict upon intent.
* @param Builder|QueryBuilder $query * @param Builder|QueryBuilder $query
*/ */
protected function applyPermissionWhereFilter($query, string $entityTypeLimiter, string $entityTypeColumn) protected function applyPermissionWhereFilter($query, string $queryTable, string $entityTypeLimiter, string $entityTypeColumn)
{ {
$abilities = ['all' => [], 'own' => []]; $abilities = ['all' => [], 'own' => []];
$types = $entityTypeLimiter ? [$entityTypeLimiter] : ['page', 'chapter', 'bookshelf', 'book']; $types = $entityTypeLimiter ? [$entityTypeLimiter] : ['page', 'chapter', 'bookshelf', 'book'];
$fullEntityTypeColumn = $queryTable . '.' . $entityTypeColumn;
foreach ($types as $type) { foreach ($types as $type) {
$abilities['all'][$type] = userCan($type . '-view-all'); $abilities['all'][$type] = userCan($type . '-view-all');
$abilities['own'][$type] = userCan($type . '-view-own'); $abilities['own'][$type] = userCan($type . '-view-own');
@ -200,7 +201,7 @@ class PermissionApplicator
$abilities['all'] = array_filter($abilities['all']); $abilities['all'] = array_filter($abilities['all']);
$abilities['own'] = array_filter($abilities['own']); $abilities['own'] = array_filter($abilities['own']);
$query->where(function (Builder $query) use ($abilities, $entityTypeColumn) { $query->where(function (Builder $query) use ($abilities, $fullEntityTypeColumn) {
$query->where('perms_user', '=', 1) $query->where('perms_user', '=', 1)
->orWhere(function (Builder $query) { ->orWhere(function (Builder $query) {
$query->whereNull('perms_user')->where('perms_role', '=', 1); $query->whereNull('perms_user')->where('perms_role', '=', 1);
@ -210,20 +211,20 @@ class PermissionApplicator
}); });
if (count($abilities['all']) > 0) { if (count($abilities['all']) > 0) {
$query->orWhere(function (Builder $query) use ($abilities, $entityTypeColumn) { $query->orWhere(function (Builder $query) use ($abilities, $fullEntityTypeColumn) {
$query->whereNull(['perms_user', 'perms_role', 'perms_fallback']); $query->whereNull(['perms_user', 'perms_role', 'perms_fallback']);
if ($entityTypeColumn) { if ($fullEntityTypeColumn) {
$query->whereIn($entityTypeColumn, array_keys($abilities['all'])); $query->whereIn($fullEntityTypeColumn, array_keys($abilities['all']));
} }
}); });
} }
if (count($abilities['own']) > 0) { if (count($abilities['own']) > 0) {
$query->orWhere(function (Builder $query) use ($abilities, $entityTypeColumn) { $query->orWhere(function (Builder $query) use ($abilities, $fullEntityTypeColumn) {
$query->whereNull(['perms_user', 'perms_role', 'perms_fallback']) $query->whereNull(['perms_user', 'perms_role', 'perms_fallback'])
->where('owned_by', '=', $this->currentUser()->id); ->where('owned_by', '=', $this->currentUser()->id);
if ($entityTypeColumn) { if ($fullEntityTypeColumn) {
$query->whereIn($entityTypeColumn, array_keys($abilities['all'])); $query->whereIn($fullEntityTypeColumn, array_keys($abilities['all']));
} }
}); });
} }