use BookStack\Entities\Models\Book;
use BookStack\Entities\Models\Chapter;
use BookStack\Entities\Repos\ChapterRepo;
+use BookStack\Exceptions\PermissionsException;
use BookStack\Http\ApiController;
+use Exception;
use Illuminate\Database\Eloquent\Relations\HasMany;
use Illuminate\Http\Request;
class ChapterApiController extends ApiController
{
- protected $chapterRepo;
-
protected $rules = [
'create' => [
'book_id' => ['required', 'integer'],
],
];
- /**
- * ChapterController constructor.
- */
- public function __construct(ChapterRepo $chapterRepo)
- {
- $this->chapterRepo = $chapterRepo;
+ public function __construct(
+ protected ChapterRepo $chapterRepo
+ ) {
}
/**
*/
public function create(Request $request)
{
- $this->validate($request, $this->rules['create']);
+ $requestData = $this->validate($request, $this->rules['create']);
$bookId = $request->get('book_id');
$book = Book::visible()->findOrFail($bookId);
$this->checkOwnablePermission('chapter-create', $book);
- $chapter = $this->chapterRepo->create($request->all(), $book);
+ $chapter = $this->chapterRepo->create($requestData, $book);
return response()->json($chapter->load(['tags']));
}
/**
* Update the details of a single chapter.
+ * Providing a 'book_id' property will essentially move the chapter
+ * into that parent element if you have permissions to do so.
*/
public function update(Request $request, string $id)
{
+ $requestData = $this->validate($request, $this->rules()['update']);
$chapter = Chapter::visible()->findOrFail($id);
$this->checkOwnablePermission('chapter-update', $chapter);
- $updatedChapter = $this->chapterRepo->update($chapter, $request->all());
+ if ($request->has('book_id') && $chapter->book_id !== intval($requestData['book_id'])) {
+ $this->checkOwnablePermission('chapter-delete', $chapter);
+
+ try {
+ $this->chapterRepo->move($chapter, "book:{$requestData['book_id']}");
+ } catch (Exception $exception) {
+ if ($exception instanceof PermissionsException) {
+ $this->showPermissionError();
+ }
+
+ return $this->jsonError(trans('errors.selected_book_not_found'));
+ }
+ }
+
+ $updatedChapter = $this->chapterRepo->update($chapter, $requestData);
return response()->json($updatedChapter->load(['tags']));
}
namespace Tests\Api;
+use BookStack\Entities\Models\Book;
use BookStack\Entities\Models\Chapter;
use Carbon\Carbon;
use Illuminate\Support\Facades\DB;
$this->assertGreaterThan(Carbon::now()->subDay()->unix(), $chapter->updated_at->unix());
}
+ public function test_update_with_book_id_moves_chapter()
+ {
+ $this->actingAsApiEditor();
+ $chapter = $this->entities->chapterHasPages();
+ $page = $chapter->pages()->first();
+ $newBook = Book::query()->where('id', '!=', $chapter->book_id)->first();
+
+ $resp = $this->putJson($this->baseEndpoint . "/{$chapter->id}", ['book_id' => $newBook->id]);
+ $resp->assertOk();
+ $chapter->refresh();
+
+ $this->assertDatabaseHas('chapters', ['id' => $chapter->id, 'book_id' => $newBook->id]);
+ $this->assertDatabaseHas('pages', ['id' => $page->id, 'book_id' => $newBook->id, 'chapter_id' => $chapter->id]);
+ }
+
+ public function test_update_with_new_book_id_requires_delete_permission()
+ {
+ $editor = $this->users->editor();
+ $this->permissions->removeUserRolePermissions($editor, ['chapter-delete-all', 'chapter-delete-own']);
+ $this->actingAs($editor);
+ $chapter = $this->entities->chapterHasPages();
+ $newBook = Book::query()->where('id', '!=', $chapter->book_id)->first();
+
+ $resp = $this->putJson($this->baseEndpoint . "/{$chapter->id}", ['book_id' => $newBook->id]);
+ $this->assertPermissionError($resp);
+ }
+
public function test_delete_endpoint()
{
$this->actingAsApiEditor();
*/
private function isPermissionError($response): bool
{
+ if ($response->status() === 403 && $response instanceof JsonResponse) {
+ $errMessage = $response->getData(true)['error']['message'] ?? '';
+ return $errMessage === 'You do not have permission to perform the requested action.';
+ }
+
return $response->status() === 302
- && (
- (
- $response->headers->get('Location') === url('/')
- && strpos(session()->pull('error', ''), 'You do not have permission to access') === 0
- )
- ||
- (
- $response instanceof JsonResponse &&
- $response->json(['error' => 'You do not have permission to perform the requested action.'])
- )
- );
+ && $response->headers->get('Location') === url('/')
+ && str_starts_with(session()->pull('error', ''), 'You do not have permission to access');
}
/**
projects / bookstack / commitdiff