From 9aa3442a170d486c7ff5d8671ac1b11d3c886af1 Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Thu, 29 Aug 2024 14:43:21 +0100
Subject: [PATCH] API: Fixed lacking permission enforcement on book contents

---
 app/Entities/Controllers/BookApiController.php | 5 ++++-
 tests/Api/BooksApiTest.php | 17 +++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/app/Entities/Controllers/BookApiController.php b/app/Entities/Controllers/BookApiController.php
index 15e67a0f7..c1e38e72f 100644
--- a/app/Entities/Controllers/BookApiController.php
+++ b/app/Entities/Controllers/BookApiController.php
@@ -7,6 +7,7 @@ use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Queries\BookQueries;
+use BookStack\Entities\Queries\PageQueries;
 use BookStack\Entities\Repos\BookRepo;
 use BookStack\Entities\Tools\BookContents;
 use BookStack\Http\ApiController;
@@ -18,6 +19,7 @@ class BookApiController extends ApiController
     public function __construct(
         protected BookRepo $bookRepo,
         protected BookQueries $queries,
+        protected PageQueries $pageQueries,
     ) {
     }
 
@@ -69,7 +71,8 @@ class BookApiController extends ApiController
             ->withType()
             ->withField('pages', function (Entity $entity) {
                 if ($entity instanceof Chapter) {
-                    return (new ApiEntityListFormatter($entity->pages->all()))->format();
+                    $pages = $this->pageQueries->visibleForChapterList($entity->id)->get()->all();
+                    return (new ApiEntityListFormatter($pages))->format();
                 }
                 return null;
             })->format();
diff --git a/tests/Api/BooksApiTest.php b/tests/Api/BooksApiTest.php
index b8c2b6133..0de98dc32 100644
--- a/tests/Api/BooksApiTest.php
+++ b/tests/Api/BooksApiTest.php
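Review bot: The new `$pages = $this->pageQueries->visibleForChapterList(...)->get()->all();` line executes a separate query for every chapter from inside the `withField('pages', ...)` closure, whereas the removed line read the `$entity->pages` relation, which was presumably eager-loaded with the book contents; on a book with many chapters one read request now becomes one query per chapter. That is a reasonable price for correct visibility filtering, but it should be stated in the code so nobody later "optimises" it back to the raw relation: `// Deliberately a query per chapter: the raw pages relation is not permission-filtered and would expose pages the API user cannot see.` The same concern applies to nothing else in this patch; the two earlier hunks only wire in PageQueries. The `->withField(...)` chain and the method that contains it start and end outside the hunk.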
@@ -149,6 +149,23 @@ class BooksApiTest extends TestCase
         ]);
     }
 
+    public function test_read_endpoint_contents_nested_pages_has_permissions_applied()
+    {
+        $this->actingAsApiEditor();
+
+        $book = $this->entities->bookHasChaptersAndPages();
+        $chapter = $book->chapters()->first();
+        $chapterPage = $chapter->pages()->first();
+        $customName = 'MyNonVisiblePageWithinAChapter';
+        $chapterPage->name = $customName;
+        $chapterPage->save();
+
+        $this->permissions->disableEntityInheritedPermissions($chapterPage);
+
+        $resp = $this->getJson($this->baseEndpoint . "/{$book->id}");
+        $resp->assertJsonMissing(['name' => $customName]);
+    }
+
     public function test_update_endpoint()
     {
         $this->actingAsApiEditor();
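Review bot: The new test proves only absence — `$resp->assertJsonMissing(['name' => $customName]);` would also pass if the endpoint stopped returning nested pages altogether, so it does not pin that the permission filter keeps visible pages. A positive assertion that a still-visible page of the same chapter is present would make the test fail for an over-broad regression; if the fixture's chapter holds more than one page, `$resp->assertJsonFragment(['name' => $chapter->pages()->where('id', '!=', $chapterPage->id)->first()->name]);` placed before the missing-assertion would do. It would also be worth asserting the response status (`$resp->assertStatus(200);`) so a 500 on the read endpoint does not satisfy the missing-name check. `test_update_endpoint` continues past the end of the hunk.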