From 2acef3c2ecfae924204b7d0cef05d0a7916d81af Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Fri, 18 Dec 2020 13:56:00 +0000
Subject: [PATCH] Fixed issue where restricted page content in plaintext export

The content of pages made non-viewable to a user via permissions, within a visible parent, could be seen via the plaintext export option. Before v0.30.6 this would have applied only to scenarios where all pages within the chapter were made non-visible. In v0.30.6 this would make all pages within the chapter visible. As per #2414
---
 app/Entities/ExportService.php | 4 +-
 app/Uploads/ImageRepo.php | 2 +-
 tests/Permissions/ExportPermissionsTest.php | 67 +++++++++++++++++++++
 3 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 tests/Permissions/ExportPermissionsTest.php

diff --git a/app/Entities/ExportService.php b/app/Entities/ExportService.php
index f945dfbe4..508670c85 100644
--- a/app/Entities/ExportService.php
+++ b/app/Entities/ExportService.php
@@ -203,7 +203,7 @@ class ExportService
 {
 $text = $chapter->name . "\n\n";
 $text .= $chapter->description . "\n\n";
- foreach ($chapter->pages as $page) {
+ foreach ($chapter->getVisiblePages() as $page) {
 $text .= $this->pageToPlainText($page);
 }
 return $text;
@@ -214,7 +214,7 @@ class ExportService
 */
 public function bookToPlainText(Book $book): string
 {
- $bookTree = (new BookContents($book))->getTree(false, true);
+ $bookTree = (new BookContents($book))->getTree(false, false);
 $text = $book->name . "\n\n";
 foreach ($bookTree as $bookChild) {
 if ($bookChild->isA('chapter')) {
diff --git a/app/Uploads/ImageRepo.php b/app/Uploads/ImageRepo.php
index a08555085..fb2a89228 100644
--- a/app/Uploads/ImageRepo.php
+++ b/app/Uploads/ImageRepo.php
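Review bot: The `getTree(false, false)` call in bookToPlainText carries the fix as a bare positional boolean, so nothing in the code records why the second argument must stay `false`; per the commit message the previous `true` exposed every chapter page in the export, and a later change flipping it back to obtain pre-rendered content would silently reopen that disclosure. Suggest a comment above the call, e.g. `// Do not pre-render pages here (#2414): a pre-rendered tree bypassed per-page view permissions in the plaintext export.` The chapterToPlainText change in the first hunk is the consistent counterpart, switching the loop to `getVisiblePages()`; that function starts outside its hunk, and bookToPlainText's body continues past the end of the second.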
@@ -112,7 +112,7 @@ class ImageRepo
 if ($filterType === 'page') {
 $query->where('uploaded_to', '=', $contextPage->id);
 } elseif ($filterType === 'book') {
- $validPageIds = $contextPage->book->pages()->get(['id'])->pluck('id')->toArray();
+ $validPageIds = $contextPage->book->pages()->visible()->get(['id'])->pluck('id')->toArray();
 $query->whereIn('uploaded_to', $validPageIds);
 }
 };
diff --git a/tests/Permissions/ExportPermissionsTest.php b/tests/Permissions/ExportPermissionsTest.php
new file mode 100644
index 000000000..32ee9e7d6
--- /dev/null
+++ b/tests/Permissions/ExportPermissionsTest.php
@@ -0,0 +1,67 @@
+first();
+ $page = $chapter->pages()->firstOrFail();
+ $pageContent = Str::random(48);
+ $page->html = '
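Review bot: The book branch now materialises every visible page id into PHP only to feed it back into `whereIn`, so the IN list grows with the size of the book on every image filter request. The same visibility filter can stay in SQL as a subselect, e.g. `$query->whereIn('uploaded_to', $contextPage->book->pages()->visible()->select('id'));` — `whereIn` accepts a query builder for this, though it is worth confirming on the Laravel version in use that the relation object is unwrapped (`->getQuery()`) rather than flattened as an array. Presumably the added `visible()` closes the same class of disclosure for the image gallery as the export fix, which would be worth a line in the commit message or a short comment on the line. The enclosing closure and the `$contextPage` it captures start outside the hunk.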

' . $pageContent . '

';
+ $page->save();
+ $viewer = $this->getViewer();
+ $this->actingAs($viewer);
+ $formats = ['html', 'plaintext'];
+
+ foreach ($formats as $format) {
+ $resp = $this->get($chapter->getUrl("export/{$format}"));
+ $resp->assertStatus(200);
+ $resp->assertSee($page->name);
+ $resp->assertSee($pageContent);
+ }
+
+ $this->setEntityRestrictions($page, []);
+
+ foreach ($formats as $format) {
+ $resp = $this->get($chapter->getUrl("export/{$format}"));
+ $resp->assertStatus(200);
+ $resp->assertDontSee($page->name);
+ $resp->assertDontSee($pageContent);
+ }
+ }
+
+ public function test_page_content_without_view_access_hidden_on_book_export()
+ {
+ $book = Book::query()->first();
+ $page = $book->pages()->firstOrFail();
+ $pageContent = Str::random(48);
+ $page->html = '

' . $pageContent . '

';
+ $page->save();
+ $viewer = $this->getViewer();
+ $this->actingAs($viewer);
+ $formats = ['html', 'plaintext'];
+
+ foreach ($formats as $format) {
+ $resp = $this->get($book->getUrl("export/{$format}"));
+ $resp->assertStatus(200);
+ $resp->assertSee($page->name);
+ $resp->assertSee($pageContent);
+ }
+
+ $this->setEntityRestrictions($page, []);
+
+ foreach ($formats as $format) {
+ $resp = $this->get($book->getUrl("export/{$format}"));
+ $resp->assertStatus(200);
+ $resp->assertDontSee($page->name);
+ $resp->assertDontSee($pageContent);
+ }
+ }
+
+}
\ No newline at end of file
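Review bot: Both tests prove only the negative direction — a viewer without access stops seeing `$page->name` and `$pageContent` once `setEntityRestrictions($page, [])` is applied — while the commit message describes a second failure mode (before v0.30.6 every page in the chapter was hidden) that nothing here guards against. A third loop acting as a user who still holds view permission on the page, asserting the same two strings remain present in both formats, would pin both directions of the fix. Note that `assertDontSee($page->name)` is only as safe as the seeded page name being absent elsewhere in the export, so the random `$pageContent` is the assertion that actually carries the check. Minor style: the test methods would benefit from `: void` return types, and the file lacks a trailing newline. The opening of this hunk (file header, class declaration and the `$chapter` setup) is not legible in this view.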