API: Fixed lacking permission enforcement on book contents

This commit is contained in:
Dan Brown 2024-08-29 14:43:21 +01:00
parent c68d154f0f
commit 9aa3442a17
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 21 additions and 1 deletions


@ -7,6 +7,7 @@ use BookStack\Entities\Models\Book;
use BookStack\Entities\Models\Chapter; use BookStack\Entities\Models\Chapter;
use BookStack\Entities\Models\Entity; use BookStack\Entities\Models\Entity;
use BookStack\Entities\Queries\BookQueries; use BookStack\Entities\Queries\BookQueries;
use BookStack\Entities\Queries\PageQueries;
use BookStack\Entities\Repos\BookRepo; use BookStack\Entities\Repos\BookRepo;
use BookStack\Entities\Tools\BookContents; use BookStack\Entities\Tools\BookContents;
use BookStack\Http\ApiController; use BookStack\Http\ApiController;
@ -18,6 +19,7 @@ class BookApiController extends ApiController
public function __construct( public function __construct(
protected BookRepo $bookRepo, protected BookRepo $bookRepo,
protected BookQueries $queries, protected BookQueries $queries,
protected PageQueries $pageQueries,
) { ) {
} }
@ -69,7 +71,8 @@ class BookApiController extends ApiController
->withType() ->withType()
->withField('pages', function (Entity $entity) { ->withField('pages', function (Entity $entity) {
if ($entity instanceof Chapter) { if ($entity instanceof Chapter) {
return (new ApiEntityListFormatter($entity->pages->all()))->format(); $pages = $this->pageQueries->visibleForChapterList($entity->id)->get()->all();
return (new ApiEntityListFormatter($pages))->format();
} }
return null; return null;
})->format(); })->format();
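Review bot: The new `$this->pageQueries->visibleForChapterList($entity->id)->get()` inside the `pages` field callback runs one query per chapter in the book, whereas the replaced `$entity->pages` read an already-loaded (but unfiltered) relation, so a book with many chapters now costs N+1 queries. If `BookContents` eager-loads that relation, applying the visibility scope at load time would keep a single query; otherwise a short comment would stop the next maintainer from "optimising" it back, e.g. `// Re-query per chapter so the viewer's permissions are applied; $entity->pages is unfiltered.`. This assumes `visibleForChapterList` applies the current user's permission scope, which the new test in BooksApiTest appears to exercise but the hunk does not show. The same unfiltered-relation formatting pattern may exist in sibling API controllers and is worth a quick audit. The enclosing method starts before this hunk.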


@ -149,6 +149,23 @@ class BooksApiTest extends TestCase
]); ]);
} }
public function test_read_endpoint_contents_nested_pages_has_permissions_applied()
{
$this->actingAsApiEditor();
$book = $this->entities->bookHasChaptersAndPages();
$chapter = $book->chapters()->first();
$chapterPage = $chapter->pages()->first();
$customName = 'MyNonVisiblePageWithinAChapter';
$chapterPage->name = $customName;
$chapterPage->save();
$this->permissions->disableEntityInheritedPermissions($chapterPage);
$resp = $this->getJson($this->baseEndpoint . "/{$book->id}");
$resp->assertJsonMissing(['name' => $customName]);
}
public function test_update_endpoint() public function test_update_endpoint()
{ {
$this->actingAsApiEditor(); $this->actingAsApiEditor();
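Review bot: `test_read_endpoint_contents_nested_pages_has_permissions_applied` asserts only that the hidden page's name is absent, so it would also pass if the fix dropped the whole `pages` field or the chapter itself from the response; it needs a positive control alongside the negative one. Adding `$resp->assertJsonFragment(['name' => $chapter->name]);` confirms the chapter is still listed, and asserting that a second, still-visible page in the same chapter appears (creating one if `bookHasChaptersAndPages()` yields only one) confirms filtering rather than omission. An `assertOk()` on `$resp` before the JSON assertions would also make a failing request distinguishable from a successful filter.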