Fixed issue where book titles could be leaked via shelf home view
- Also added test to cover Fixes #1425
parent
7ef059e254
commit
97ffbaa740
@ -67,6 +67,9 @@ class HomeController extends Controller
|
||||
|
||||
if ($homepageOption === 'bookshelves') {
|
||||
$shelves = $this->entityRepo->getAllPaginated('bookshelf', 18, $commonData['sort'], $commonData['order']);
|
||||
foreach ($shelves as $shelf) {
|
||||
$shelf->books = $this->entityRepo->getBookshelfChildren($shelf);
|
||||
}
|
||||
$data = array_merge($commonData, ['shelves' => $shelves]);
|
||||
return view('common.home-shelves', $data);
|
||||
}
|
||||
|
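Review bot: The new `foreach` loads every shelf's children through `$this->entityRepo->getBookshelfChildren($shelf)` and overwrites `$shelf->books` with the result, but nothing in the hunk says why the shelf's own `books` relation must not be used here, so a later cleanup could reintroduce the leak this commit fixes. A short comment above the loop would pin the intent: `// Load children through the repo so book-level view permissions are applied; the raw books relation would expose titles the user cannot view (#1425).`. This also appears to issue one query per shelf for each page of 18 shelves (inferred, the repo method is not visible); if that becomes a cost, a permission-filtered batch load keyed by shelf id would be the place to look. The enclosing method starts and ends outside the hunk.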
@ -1,5 +1,7 @@
|
||||
<?php namespace Tests;
|
||||
|
||||
use BookStack\Entities\Bookshelf;
|
||||
|
||||
class HomepageTest extends TestCase
|
||||
{
|
||||
|
||||
@ -89,4 +91,33 @@ class HomepageTest extends TestCase
|
||||
$this->setSettings(['app-homepage-type' => false]);
|
||||
$this->test_default_homepage_visible();
|
||||
}
|
||||
|
||||
public function test_shelves_list_homepage_adheres_to_book_visibility_permissions()
|
||||
{
|
||||
$editor = $this->getEditor();
|
||||
setting()->putUser($editor, 'bookshelves_view_type', 'list');
|
||||
$this->setSettings(['app-homepage-type' => 'bookshelves']);
|
||||
$this->asEditor();
|
||||
|
||||
$shelf = Bookshelf::query()->first();
|
||||
$book = $shelf->books()->first();
|
||||
|
||||
// Ensure initially visible
|
||||
$homeVisit = $this->get('/');
|
||||
$homeVisit->assertElementContains('.content-wrap', $shelf->name);
|
||||
$homeVisit->assertElementContains('.content-wrap', $book->name);
|
||||
|
||||
// Ensure book no longer visible without view permission
|
||||
$editor->roles()->detach();
|
||||
$this->giveUserPermissions($editor, ['bookshelf-view-all']);
|
||||
$homeVisit = $this->get('/');
|
||||
$homeVisit->assertElementContains('.content-wrap', $shelf->name);
|
||||
$homeVisit->assertElementNotContains('.content-wrap', $book->name);
|
||||
|
||||
// Ensure is visible again with entity-level view permission
|
||||
$this->setEntityRestrictions($book, ['view'], [$editor->roles()->first()]);
|
||||
$homeVisit = $this->get('/');
|
||||
$homeVisit->assertElementContains('.content-wrap', $shelf->name);
|
||||
$homeVisit->assertElementContains('.content-wrap', $book->name);
|
||||
}
|
||||
}
|
||||
|
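Review bot: `$book = $shelf->books()->first();` in the new test assumes the first seeded shelf has at least one book; if it has none, `$book->name` fails with a null-access error rather than a readable assertion, so an explicit `$this->assertNotNull($book);` right after that line (and the same for `$shelf`) would make the precondition visible. The method also has no docblock describing what it guards; something like `Book titles listed under a shelf on the homepage must respect book-level view permissions, not only shelf permissions (#1425).` would tie it to the fix. The test pins `bookshelves_view_type` to `list`, so if another view type also renders child book names it remains uncovered here — worth a second dataset or a note if so. The `$editor->roles()->first()` passed to `setEntityRestrictions` is presumably the role created by `giveUserPermissions` after the detach; that is inferred from the call order, not visible in the hunk.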