BookStack Code Mirror - bookstack/blob - tests/Permissions/RolesTest.php

1 <?php namespace Tests;

3 use BookStack\Page;

4 use BookStack\Repos\PermissionsRepo;

5 use BookStack\Role;

6 use Laravel\BrowserKitTesting\HttpException;

7 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

9 class RolesTest extends BrowserKitTest

10 {

11 protected $user;

13 public function setUp()

14 {

15 parent::setUp();

16 $this->user = $this->getViewer();

17 }

19 protected function getViewer()

20 {

21 $role = \BookStack\Role::getRole('viewer');

22 $viewer = $this->getNewBlankUser();

23 $viewer->attachRole($role);;

24 return $viewer;

25 }

27 /**

28 * Give the given user some permissions.

29 * @param \BookStack\User $user

30 * @param array $permissions

31 */

32 protected function giveUserPermissions(\BookStack\User $user, $permissions = [])

33 {

34 $newRole = $this->createNewRole($permissions);

35 $user->attachRole($newRole);

36 $user->load('roles');

37 $user->permissions(false);

38 }

40 /**

41 * Create a new basic role for testing purposes.

42 * @param array $permissions

43 * @return Role

44 */

45 protected function createNewRole($permissions = [])

46 {

47 $permissionRepo = app(PermissionsRepo::class);

48 $roleData = factory(\BookStack\Role::class)->make()->toArray();

49 $roleData['permissions'] = array_flip($permissions);

50 return $permissionRepo->saveNewRole($roleData);

51 }

53 public function test_admin_can_see_settings()

54 {

55 $this->asAdmin()->visit('/settings')->see('Settings');

56 }

58 public function test_cannot_delete_admin_role()

59 {

60 $adminRole = \BookStack\Role::getRole('admin');

61 $deletePageUrl = '/settings/roles/delete/' . $adminRole->id;

62 $this->asAdmin()->visit($deletePageUrl)

63 ->press('Confirm')

64 ->seePageIs($deletePageUrl)

65 ->see('cannot be deleted');

66 }

68 public function test_role_cannot_be_deleted_if_default()

69 {

70 $newRole = $this->createNewRole();

71 $this->setSettings(['registration-role' => $newRole->id]);

73 $deletePageUrl = '/settings/roles/delete/' . $newRole->id;

74 $this->asAdmin()->visit($deletePageUrl)

75 ->press('Confirm')

76 ->seePageIs($deletePageUrl)

77 ->see('cannot be deleted');

78 }

80 public function test_role_create_update_delete_flow()

81 {

82 $testRoleName = 'Test Role';

83 $testRoleDesc = 'a little test description';

84 $testRoleUpdateName = 'An Super Updated role';

86 // Creation

87 $this->asAdmin()->visit('/settings')

88 ->click('Roles')

89 ->seePageIs('/settings/roles')

90 ->click('Create New Role')

91 ->type('Test Role', 'display_name')

92 ->type('A little test description', 'description')

93 ->press('Save Role')

94 ->seeInDatabase('roles', ['display_name' => $testRoleName, 'name' => 'test-role', 'description' => $testRoleDesc])

95 ->seePageIs('/settings/roles');

96 // Updating

97 $this->asAdmin()->visit('/settings/roles')

98 ->see($testRoleDesc)

99 ->click($testRoleName)

100 ->type($testRoleUpdateName, '#display_name')

101 ->press('Save Role')

102 ->seeInDatabase('roles', ['display_name' => $testRoleUpdateName, 'name' => 'test-role', 'description' => $testRoleDesc])

103 ->seePageIs('/settings/roles');

104 // Deleting

105 $this->asAdmin()->visit('/settings/roles')

106 ->click($testRoleUpdateName)

107 ->click('Delete Role')

108 ->see($testRoleUpdateName)

109 ->press('Confirm')

110 ->seePageIs('/settings/roles')

111 ->dontSee($testRoleUpdateName);

112 }

113

114 public function test_manage_user_permission()

115 {

116 $this->actingAs($this->user)->visit('/settings/users')

117 ->seePageIs('/');

118 $this->giveUserPermissions($this->user, ['users-manage']);

119 $this->actingAs($this->user)->visit('/settings/users')

120 ->seePageIs('/settings/users');

121 }

122

123 public function test_user_roles_manage_permission()

124 {

125 $this->actingAs($this->user)->visit('/settings/roles')

126 ->seePageIs('/')->visit('/settings/roles/1')->seePageIs('/');

127 $this->giveUserPermissions($this->user, ['user-roles-manage']);

128 $this->actingAs($this->user)->visit('/settings/roles')

129 ->seePageIs('/settings/roles')->click('Admin')

130 ->see('Edit Role');

131 }

132

133 public function test_settings_manage_permission()

134 {

135 $this->actingAs($this->user)->visit('/settings')

136 ->seePageIs('/');

137 $this->giveUserPermissions($this->user, ['settings-manage']);

138 $this->actingAs($this->user)->visit('/settings')

139 ->seePageIs('/settings')->press('Save Settings')->see('Settings Saved');

140 }

141

142 public function test_restrictions_manage_all_permission()

143 {

144 $page = \BookStack\Page::take(1)->get()->first();

145 $this->actingAs($this->user)->visit($page->getUrl())

146 ->dontSee('Permissions')

147 ->visit($page->getUrl() . '/permissions')

148 ->seePageIs('/');

149 $this->giveUserPermissions($this->user, ['restrictions-manage-all']);

150 $this->actingAs($this->user)->visit($page->getUrl())

151 ->see('Permissions')

152 ->click('Permissions')

153 ->see('Page Permissions')->seePageIs($page->getUrl() . '/permissions');

154 }

155

156 public function test_restrictions_manage_own_permission()

157 {

158 $otherUsersPage = \BookStack\Page::first();

159 $content = $this->createEntityChainBelongingToUser($this->user);

160 // Check can't restrict other's content

161 $this->actingAs($this->user)->visit($otherUsersPage->getUrl())

162 ->dontSee('Permissions')

163 ->visit($otherUsersPage->getUrl() . '/permissions')

164 ->seePageIs('/');

165 // Check can't restrict own content

166 $this->actingAs($this->user)->visit($content['page']->getUrl())

167 ->dontSee('Permissions')

168 ->visit($content['page']->getUrl() . '/permissions')

169 ->seePageIs('/');

170

171 $this->giveUserPermissions($this->user, ['restrictions-manage-own']);

172

173 // Check can't restrict other's content

174 $this->actingAs($this->user)->visit($otherUsersPage->getUrl())

175 ->dontSee('Permissions')

176 ->visit($otherUsersPage->getUrl() . '/permissions')

177 ->seePageIs('/');

178 // Check can restrict own content

179 $this->actingAs($this->user)->visit($content['page']->getUrl())

180 ->see('Permissions')

181 ->click('Permissions')

182 ->seePageIs($content['page']->getUrl() . '/permissions');

183 }

184

185 /**

186 * Check a standard entity access permission

187 * @param string $permission

188 * @param array $accessUrls Urls that are only accessible after having the permission

189 * @param array $visibles Check this text, In the buttons toolbar, is only visible with the permission

190 */

191 private function checkAccessPermission($permission, $accessUrls = [], $visibles = [])

192 {

193 foreach ($accessUrls as $url) {

194 $this->actingAs($this->user)->visit($url)

195 ->seePageIs('/');

196 }

197 foreach ($visibles as $url => $text) {

198 $this->actingAs($this->user)->visit($url)

199 ->dontSeeInElement('.action-buttons',$text);

200 }

201

202 $this->giveUserPermissions($this->user, [$permission]);

203

204 foreach ($accessUrls as $url) {

205 $this->actingAs($this->user)->visit($url)

206 ->seePageIs($url);

207 }

208 foreach ($visibles as $url => $text) {

209 $this->actingAs($this->user)->visit($url)

210 ->see($text);

211 }

212 }

213

214 public function test_books_create_all_permissions()

215 {

216 $this->checkAccessPermission('book-create-all', [

217 '/books/create'

218 ], [

219 '/books' => 'Create New Book'

220 ]);

221

222 $this->visit('/books/create')

223 ->type('test book', 'name')

224 ->type('book desc', 'description')

225 ->press('Save Book')

226 ->seePageIs('/books/test-book');

227 }

228

229 public function test_books_edit_own_permission()

230 {

231 $otherBook = \BookStack\Book::take(1)->get()->first();

232 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

233 $this->checkAccessPermission('book-update-own', [

234 $ownBook->getUrl() . '/edit'

235 ], [

236 $ownBook->getUrl() => 'Edit'

237 ]);

238

239 $this->visit($otherBook->getUrl())

240 ->dontSeeInElement('.action-buttons', 'Edit')

241 ->visit($otherBook->getUrl() . '/edit')

242 ->seePageIs('/');

243 }

244

245 public function test_books_edit_all_permission()

246 {

247 $otherBook = \BookStack\Book::take(1)->get()->first();

248 $this->checkAccessPermission('book-update-all', [

249 $otherBook->getUrl() . '/edit'

250 ], [

251 $otherBook->getUrl() => 'Edit'

252 ]);

253 }

254

255 public function test_books_delete_own_permission()

256 {

257 $this->giveUserPermissions($this->user, ['book-update-all']);

258 $otherBook = \BookStack\Book::take(1)->get()->first();

259 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

260 $this->checkAccessPermission('book-delete-own', [

261 $ownBook->getUrl() . '/delete'

262 ], [

263 $ownBook->getUrl() => 'Delete'

264 ]);

265

266 $this->visit($otherBook->getUrl())

267 ->dontSeeInElement('.action-buttons', 'Delete')

268 ->visit($otherBook->getUrl() . '/delete')

269 ->seePageIs('/');

270 $this->visit($ownBook->getUrl())->visit($ownBook->getUrl() . '/delete')

271 ->press('Confirm')

272 ->seePageIs('/books')

273 ->dontSee($ownBook->name);

274 }

275

276 public function test_books_delete_all_permission()

277 {

278 $this->giveUserPermissions($this->user, ['book-update-all']);

279 $otherBook = \BookStack\Book::take(1)->get()->first();

280 $this->checkAccessPermission('book-delete-all', [

281 $otherBook->getUrl() . '/delete'

282 ], [

283 $otherBook->getUrl() => 'Delete'

284 ]);

285

286 $this->visit($otherBook->getUrl())->visit($otherBook->getUrl() . '/delete')

287 ->press('Confirm')

288 ->seePageIs('/books')

289 ->dontSee($otherBook->name);

290 }

291

292 public function test_chapter_create_own_permissions()

293 {

294 $book = \BookStack\Book::take(1)->get()->first();

295 $ownBook = $this->createEntityChainBelongingToUser($this->user)['book'];

296 $baseUrl = $ownBook->getUrl() . '/chapter';

297 $this->checkAccessPermission('chapter-create-own', [

298 $baseUrl . '/create'

299 ], [

300 $ownBook->getUrl() => 'New Chapter'

301 ]);

302

303 $this->visit($baseUrl . '/create')

304 ->type('test chapter', 'name')

305 ->type('chapter desc', 'description')

306 ->press('Save Chapter')

307 ->seePageIs($baseUrl . '/test-chapter');

308

309 $this->visit($book->getUrl())

310 ->dontSeeInElement('.action-buttons', 'New Chapter')

311 ->visit($book->getUrl() . '/chapter/create')

312 ->seePageIs('/');

313 }

314

315 public function test_chapter_create_all_permissions()

316 {

317 $book = \BookStack\Book::take(1)->get()->first();

318 $baseUrl = $book->getUrl() . '/chapter';

319 $this->checkAccessPermission('chapter-create-all', [

320 $baseUrl . '/create'

321 ], [

322 $book->getUrl() => 'New Chapter'

323 ]);

324

325 $this->visit($baseUrl . '/create')

326 ->type('test chapter', 'name')

327 ->type('chapter desc', 'description')

328 ->press('Save Chapter')

329 ->seePageIs($baseUrl . '/test-chapter');

330 }

331

332 public function test_chapter_edit_own_permission()

333 {

334 $otherChapter = \BookStack\Chapter::take(1)->get()->first();

335 $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

336 $this->checkAccessPermission('chapter-update-own', [

337 $ownChapter->getUrl() . '/edit'

338 ], [

339 $ownChapter->getUrl() => 'Edit'

340 ]);

341

342 $this->visit($otherChapter->getUrl())

343 ->dontSeeInElement('.action-buttons', 'Edit')

344 ->visit($otherChapter->getUrl() . '/edit')

345 ->seePageIs('/');

346 }

347

348 public function test_chapter_edit_all_permission()

349 {

350 $otherChapter = \BookStack\Chapter::take(1)->get()->first();

351 $this->checkAccessPermission('chapter-update-all', [

352 $otherChapter->getUrl() . '/edit'

353 ], [

354 $otherChapter->getUrl() => 'Edit'

355 ]);

356 }

357

358 public function test_chapter_delete_own_permission()

359 {

360 $this->giveUserPermissions($this->user, ['chapter-update-all']);

361 $otherChapter = \BookStack\Chapter::take(1)->get()->first();

362 $ownChapter = $this->createEntityChainBelongingToUser($this->user)['chapter'];

363 $this->checkAccessPermission('chapter-delete-own', [

364 $ownChapter->getUrl() . '/delete'

365 ], [

366 $ownChapter->getUrl() => 'Delete'

367 ]);

368

369 $bookUrl = $ownChapter->book->getUrl();

370 $this->visit($otherChapter->getUrl())

371 ->dontSeeInElement('.action-buttons', 'Delete')

372 ->visit($otherChapter->getUrl() . '/delete')

373 ->seePageIs('/');

374 $this->visit($ownChapter->getUrl())->visit($ownChapter->getUrl() . '/delete')

375 ->press('Confirm')

376 ->seePageIs($bookUrl)

377 ->dontSeeInElement('.book-content', $ownChapter->name);

378 }

379

380 public function test_chapter_delete_all_permission()

381 {

382 $this->giveUserPermissions($this->user, ['chapter-update-all']);

383 $otherChapter = \BookStack\Chapter::take(1)->get()->first();

384 $this->checkAccessPermission('chapter-delete-all', [

385 $otherChapter->getUrl() . '/delete'

386 ], [

387 $otherChapter->getUrl() => 'Delete'

388 ]);

389

390 $bookUrl = $otherChapter->book->getUrl();

391 $this->visit($otherChapter->getUrl())->visit($otherChapter->getUrl() . '/delete')

392 ->press('Confirm')

393 ->seePageIs($bookUrl)

394 ->dontSeeInElement('.book-content', $otherChapter->name);

395 }

396

397 public function test_page_create_own_permissions()

398 {

399 $book = \BookStack\Book::first();

400 $chapter = \BookStack\Chapter::first();

401

402 $entities = $this->createEntityChainBelongingToUser($this->user);

403 $ownBook = $entities['book'];

404 $ownChapter = $entities['chapter'];

405

406 $baseUrl = $ownBook->getUrl() . '/page';

407

408 $createUrl = $baseUrl . '/create';

409 $createUrlChapter = $ownChapter->getUrl() . '/create-page';

410 $accessUrls = [$createUrl, $createUrlChapter];

411

412 foreach ($accessUrls as $url) {

413 $this->actingAs($this->user)->visit($url)

414 ->seePageIs('/');

415 }

416

417 $this->checkAccessPermission('page-create-own', [], [

418 $ownBook->getUrl() => 'New Page',

419 $ownChapter->getUrl() => 'New Page'

420 ]);

421

422 $this->giveUserPermissions($this->user, ['page-create-own']);

423

424 foreach ($accessUrls as $index => $url) {

425 $this->actingAs($this->user)->visit($url);

426 $expectedUrl = \BookStack\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

427 $this->seePageIs($expectedUrl);

428 }

429

430 $this->visit($baseUrl . '/create')

431 ->type('test page', 'name')

432 ->type('page desc', 'html')

433 ->press('Save Page')

434 ->seePageIs($baseUrl . '/test-page');

435

436 $this->visit($book->getUrl())

437 ->dontSeeInElement('.action-buttons', 'New Page')

438 ->visit($book->getUrl() . '/page/create')

439 ->seePageIs('/');

440 $this->visit($chapter->getUrl())

441 ->dontSeeInElement('.action-buttons', 'New Page')

442 ->visit($chapter->getUrl() . '/create-page')

443 ->seePageIs('/');

444 }

445

446 public function test_page_create_all_permissions()

447 {

448 $book = \BookStack\Book::take(1)->get()->first();

449 $chapter = \BookStack\Chapter::take(1)->get()->first();

450 $baseUrl = $book->getUrl() . '/page';

451 $createUrl = $baseUrl . '/create';

452

453 $createUrlChapter = $chapter->getUrl() . '/create-page';

454 $accessUrls = [$createUrl, $createUrlChapter];

455

456 foreach ($accessUrls as $url) {

457 $this->actingAs($this->user)->visit($url)

458 ->seePageIs('/');

459 }

460

461 $this->checkAccessPermission('page-create-all', [], [

462 $book->getUrl() => 'New Page',

463 $chapter->getUrl() => 'New Page'

464 ]);

465

466 $this->giveUserPermissions($this->user, ['page-create-all']);

467

468 foreach ($accessUrls as $index => $url) {

469 $this->actingAs($this->user)->visit($url);

470 $expectedUrl = \BookStack\Page::where('draft', '=', true)->orderBy('id', 'desc')->first()->getUrl();

471 $this->seePageIs($expectedUrl);

472 }

473

474 $this->visit($baseUrl . '/create')

475 ->type('test page', 'name')

476 ->type('page desc', 'html')

477 ->press('Save Page')

478 ->seePageIs($baseUrl . '/test-page');

479

480 $this->visit($chapter->getUrl() . '/create-page')

481 ->type('new test page', 'name')

482 ->type('page desc', 'html')

483 ->press('Save Page')

484 ->seePageIs($baseUrl . '/new-test-page');

485 }

486

487 public function test_page_edit_own_permission()

488 {

489 $otherPage = \BookStack\Page::take(1)->get()->first();

490 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

491 $this->checkAccessPermission('page-update-own', [

492 $ownPage->getUrl() . '/edit'

493 ], [

494 $ownPage->getUrl() => 'Edit'

495 ]);

496

497 $this->visit($otherPage->getUrl())

498 ->dontSeeInElement('.action-buttons', 'Edit')

499 ->visit($otherPage->getUrl() . '/edit')

500 ->seePageIs('/');

501 }

502

503 public function test_page_edit_all_permission()

504 {

505 $otherPage = \BookStack\Page::take(1)->get()->first();

506 $this->checkAccessPermission('page-update-all', [

507 $otherPage->getUrl() . '/edit'

508 ], [

509 $otherPage->getUrl() => 'Edit'

510 ]);

511 }

512

513 public function test_page_delete_own_permission()

514 {

515 $this->giveUserPermissions($this->user, ['page-update-all']);

516 $otherPage = \BookStack\Page::take(1)->get()->first();

517 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

518 $this->checkAccessPermission('page-delete-own', [

519 $ownPage->getUrl() . '/delete'

520 ], [

521 $ownPage->getUrl() => 'Delete'

522 ]);

523

524 $bookUrl = $ownPage->book->getUrl();

525 $this->visit($otherPage->getUrl())

526 ->dontSeeInElement('.action-buttons', 'Delete')

527 ->visit($otherPage->getUrl() . '/delete')

528 ->seePageIs('/');

529 $this->visit($ownPage->getUrl())->visit($ownPage->getUrl() . '/delete')

530 ->press('Confirm')

531 ->seePageIs($bookUrl)

532 ->dontSeeInElement('.book-content', $ownPage->name);

533 }

534

535 public function test_page_delete_all_permission()

536 {

537 $this->giveUserPermissions($this->user, ['page-update-all']);

538 $otherPage = \BookStack\Page::take(1)->get()->first();

539 $this->checkAccessPermission('page-delete-all', [

540 $otherPage->getUrl() . '/delete'

541 ], [

542 $otherPage->getUrl() => 'Delete'

543 ]);

544

545 $bookUrl = $otherPage->book->getUrl();

546 $this->visit($otherPage->getUrl())->visit($otherPage->getUrl() . '/delete')

547 ->press('Confirm')

548 ->seePageIs($bookUrl)

549 ->dontSeeInElement('.book-content', $otherPage->name);

550 }

551

552 public function test_public_role_visible_in_user_edit_screen()

553 {

554 $user = \BookStack\User::first();

555 $this->asAdmin()->visit('/settings/users/' . $user->id)

556 ->seeElement('#roles-admin')

557 ->seeElement('#roles-public');

558 }

559

560 public function test_public_role_visible_in_role_listing()

561 {

562 $this->asAdmin()->visit('/settings/roles')

563 ->see('Admin')

564 ->see('Public');

565 }

566

567 public function test_public_role_visible_in_default_role_setting()

568 {

569 $this->asAdmin()->visit('/settings')

570 ->seeElement('[data-role-name="admin"]')

571 ->seeElement('[data-role-name="public"]');

572

573 }

574

575 public function test_public_role_not_deleteable()

576 {

577 $this->asAdmin()->visit('/settings/roles')

578 ->click('Public')

579 ->see('Edit Role')

580 ->click('Delete Role')

581 ->press('Confirm')

582 ->see('Delete Role')

583 ->see('Cannot be deleted');

584 }

585

586 public function test_image_delete_own_permission()

587 {

588 $this->giveUserPermissions($this->user, ['image-update-all']);

589 $page = \BookStack\Page::first();

590 $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $this->user->id, 'updated_by' => $this->user->id]);

591

592 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

593 ->seeStatusCode(403);

594

595 $this->giveUserPermissions($this->user, ['image-delete-own']);

596

597 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

598 ->seeStatusCode(200)

599 ->dontSeeInDatabase('images', ['id' => $image->id]);

600 }

601

602 public function test_image_delete_all_permission()

603 {

604 $this->giveUserPermissions($this->user, ['image-update-all']);

605 $admin = $this->getAdmin();

606 $page = \BookStack\Page::first();

607 $image = factory(\BookStack\Image::class)->create(['uploaded_to' => $page->id, 'created_by' => $admin->id, 'updated_by' => $admin->id]);

608

609 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

610 ->seeStatusCode(403);

611

612 $this->giveUserPermissions($this->user, ['image-delete-own']);

613

614 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

615 ->seeStatusCode(403);

616

617 $this->giveUserPermissions($this->user, ['image-delete-all']);

618

619 $this->actingAs($this->user)->json('delete', '/images/' . $image->id)

620 ->seeStatusCode(200)

621 ->dontSeeInDatabase('images', ['id' => $image->id]);

622 }

623

624 public function test_role_permission_removal()

625 {

626 // To cover issue fixed in f99c8ff99aee9beb8c692f36d4b84dc6e651e50a.

627 $page = Page::first();

628 $viewerRole = \BookStack\Role::getRole('viewer');

629 $viewer = $this->getViewer();

630 $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(200);

631

632 $this->asAdmin()->put('/settings/roles/' . $viewerRole->id, [

633 'display_name' => $viewerRole->display_name,

634 'description' => $viewerRole->description,

635 'permission' => []

636 ])->assertResponseStatus(302);

637

638 $this->expectException(HttpException::class);

639 $this->actingAs($viewer)->visit($page->getUrl())->assertResponseStatus(404);

640 }

641

642 public function test_empty_state_actions_not_visible_without_permission()

643 {

644 $admin = $this->getAdmin();

645 // Book links

646 $book = factory(\BookStack\Book::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id]);

647 $this->updateEntityPermissions($book);

648 $this->actingAs($this->getViewer())->visit($book->getUrl())

649 ->dontSee('Create a new page')

650 ->dontSee('Add a chapter');

651

652 // Chapter links

653 $chapter = factory(\BookStack\Chapter::class)->create(['created_by' => $admin->id, 'updated_by' => $admin->id, 'book_id' => $book->id]);

654 $this->updateEntityPermissions($chapter);

655 $this->actingAs($this->getViewer())->visit($chapter->getUrl())

656 ->dontSee('Create a new page')

657 ->dontSee('Sort the current book');

658 }

659

660 public function test_comment_create_permission () {

661 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

662

663 $this->actingAs($this->user)->addComment($ownPage);

664

665 $this->assertResponseStatus(403);

666

667 $this->giveUserPermissions($this->user, ['comment-create-all']);

668

669 $this->actingAs($this->user)->addComment($ownPage);

670 $this->assertResponseStatus(200);

671 }

672

673

674 public function test_comment_update_own_permission () {

675 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

676 $this->giveUserPermissions($this->user, ['comment-create-all']);

677 $commentId = $this->actingAs($this->user)->addComment($ownPage);

678

679 // no comment-update-own

680 $this->actingAs($this->user)->updateComment($commentId);

681 $this->assertResponseStatus(403);

682

683 $this->giveUserPermissions($this->user, ['comment-update-own']);

684

685 // now has comment-update-own

686 $this->actingAs($this->user)->updateComment($commentId);

687 $this->assertResponseStatus(200);

688 }

689

690 public function test_comment_update_all_permission () {

691 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

692 $commentId = $this->asAdmin()->addComment($ownPage);

693

694 // no comment-update-all

695 $this->actingAs($this->user)->updateComment($commentId);

696 $this->assertResponseStatus(403);

697

698 $this->giveUserPermissions($this->user, ['comment-update-all']);

699

700 // now has comment-update-all

701 $this->actingAs($this->user)->updateComment($commentId);

702 $this->assertResponseStatus(200);

703 }

704

705 public function test_comment_delete_own_permission () {

706 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

707 $this->giveUserPermissions($this->user, ['comment-create-all']);

708 $commentId = $this->actingAs($this->user)->addComment($ownPage);

709

710 // no comment-delete-own

711 $this->actingAs($this->user)->deleteComment($commentId);

712 $this->assertResponseStatus(403);

713

714 $this->giveUserPermissions($this->user, ['comment-delete-own']);

715

716 // now has comment-update-own

717 $this->actingAs($this->user)->deleteComment($commentId);

718 $this->assertResponseStatus(200);

719 }

720

721 public function test_comment_delete_all_permission () {

722 $ownPage = $this->createEntityChainBelongingToUser($this->user)['page'];

723 $commentId = $this->asAdmin()->addComment($ownPage);

724

725 // no comment-delete-all

726 $this->actingAs($this->user)->deleteComment($commentId);

727 $this->assertResponseStatus(403);

728

729 $this->giveUserPermissions($this->user, ['comment-delete-all']);

730

731 // now has comment-delete-all

732 $this->actingAs($this->user)->deleteComment($commentId);

733 $this->assertResponseStatus(200);

734 }

735

736 private function addComment($page) {

737 $comment = factory(\BookStack\Comment::class)->make();

738 $url = "/ajax/page/$page->id/comment";

739 $request = [

740 'text' => $comment->text,

741 'html' => $comment->html

742 ];

743

744 $this->postJson($url, $request);

745 $comment = $page->comments()->first();

746 return $comment === null ? null : $comment->id;

747 }

748

749 private function updateComment($commentId) {

750 $comment = factory(\BookStack\Comment::class)->make();

751 $url = "/ajax/comment/$commentId";

752 $request = [

753 'text' => $comment->text,

754 'html' => $comment->html

755 ];

756

757 return $this->putJson($url, $request);

758 }

759

760 private function deleteComment($commentId) {

761 $url = '/ajax/comment/' . $commentId;

762 return $this->json('DELETE', $url);

763 }

764

765 }