From 9666c8c0f773ef0fac899e394485d255a70a3802 Mon Sep 17 00:00:00 2001
From: Dan Brown <ssddanbrown@googlemail.com>
Date: Tue, 12 May 2020 22:21:45 +0100
Subject: [PATCH] Updated shelf-list view to enforce view permissions for child
 books

- Aligned shelf-homepage behaviour to match
- Updated testing to cover.

For #2111
---
 app/Entities/Repos/BookshelfRepo.php        |  6 ++++--
 app/Http/Controllers/HomeController.php     |  4 ----
 resources/views/shelves/list-item.blade.php |  2 +-
 tests/Entity/BookShelfTest.php              | 19 +++++++++++++++++++
 4 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/app/Entities/Repos/BookshelfRepo.php b/app/Entities/Repos/BookshelfRepo.php
index 876f56e10..ba687c6f6 100644
--- a/app/Entities/Repos/BookshelfRepo.php
+++ b/app/Entities/Repos/BookshelfRepo.php
@@ -28,8 +28,10 @@ class BookshelfRepo
      */
     public function getAllPaginated(int $count = 20, string $sort = 'name', string $order = 'asc'): LengthAwarePaginator
     {
-        return Bookshelf::visible()->with('visibleBooks')
-            ->orderBy($sort, $order)->paginate($count);
+        return Bookshelf::visible()
+            ->with('visibleBooks')
+            ->orderBy($sort, $order)
+            ->paginate($count);
     }
 
     /**
diff --git a/app/Http/Controllers/HomeController.php b/app/Http/Controllers/HomeController.php
index 260952fd1..60d2664d0 100644
--- a/app/Http/Controllers/HomeController.php
+++ b/app/Http/Controllers/HomeController.php
@@ -69,11 +69,7 @@ class HomeController extends Controller
         }
 
         if ($homepageOption === 'bookshelves') {
-            $shelfRepo = app(BookshelfRepo::class);
             $shelves = app(BookshelfRepo::class)->getAllPaginated(18, $commonData['sort'], $commonData['order']);
-            foreach ($shelves as $shelf) {
-                $shelf->books = $shelf->visibleBooks;
-            }
             $data = array_merge($commonData, ['shelves' => $shelves]);
             return view('common.home-shelves', $data);
         }
diff --git a/resources/views/shelves/list-item.blade.php b/resources/views/shelves/list-item.blade.php
index c9c9670c5..6e5ed29a5 100644
--- a/resources/views/shelves/list-item.blade.php
+++ b/resources/views/shelves/list-item.blade.php
@@ -10,7 +10,7 @@
     </div>
 </a>
 <div class="entity-shelf-books grid third gap-y-xs entity-list-item-children">
-    @foreach($shelf->books as $book)
+    @foreach($shelf->visibleBooks as $book)
         <div>
             <a href="{{ $book->getUrl('?shelf=' . $shelf->id) }}" class="entity-chip text-book">
                 @icon('book')
diff --git a/tests/Entity/BookShelfTest.php b/tests/Entity/BookShelfTest.php
index abee4d34a..cb3acfb1e 100644
--- a/tests/Entity/BookShelfTest.php
+++ b/tests/Entity/BookShelfTest.php
@@ -56,6 +56,25 @@ class BookShelfTest extends TestCase
         $resp->assertElementContains('a', 'New Shelf');
     }
 
+    public function test_book_not_visible_in_shelf_list_view_if_user_cant_view_shelf()
+    {
+        config()->set([
+            'app.views.bookshelves' => 'list',
+        ]);
+        $shelf = Bookshelf::query()->first();
+        $book = $shelf->books()->first();
+
+        $resp = $this->asEditor()->get('/shelves');
+        $resp->assertSee($book->name);
+        $resp->assertSee($book->getUrl());
+
+        $this->setEntityRestrictions($book, []);
+
+        $resp = $this->asEditor()->get('/shelves');
+        $resp->assertDontSee($book->name);
+        $resp->assertDontSee($book->getUrl());
+    }
+
     public function test_shelves_create()
     {
         $booksToInclude = Book::take(2)->get();