
Commit 9aa3442

committed
API: Fixed lacking permission enforcement on book contents
1 parent c68d154 commit 9aa3442


2 files changed

+21
-1
lines changed


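--- a/app/Entities/Controllers/BookApiController.php
+++ b/app/Entities/Controllers/BookApiController.php
@@ -7,6 +7,7 @@
 use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Queries\BookQueries;
+use BookStack\Entities\Queries\PageQueries;
 use BookStack\Entities\Repos\BookRepo;
 use BookStack\Entities\Tools\BookContents;
 use BookStack\Http\ApiController;
@@ -18,6 +19,7 @@ class BookApiController extends ApiController
 public function __construct(
 protected BookRepo $bookRepo,
 protected BookQueries $queries,
+protected PageQueries $pageQueries,
 ) {
 }
 
@@ -69,7 +71,8 @@ public function read(string $id)
 ->withType()
 ->withField('pages', function (Entity $entity) {
 if ($entity instanceof Chapter) {
-return (new ApiEntityListFormatter($entity->pages->all()))->format();
+$pages = $this->pageQueries->visibleForChapterList($entity->id)->get()->all();
+return (new ApiEntityListFormatter($pages))->format();
 }
 return null;
 })->format();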
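Review bot: The new `$pages = $this->pageQueries->visibleForChapterList(...)` line carries no explanation of why the relation access it replaces was wrong, and the next maintainer is likely to "simplify" it back to `$entity->pages`, reintroducing the permission gap. A one-line comment above it would pin the intent: `// Query rather than the $entity->pages relation so page-level permissions are applied for the API user`. It would also be worth confirming that no other API listing of chapter pages still reads the raw relation, since that was the root cause here; that cannot be judged from this hunk. The enclosing `read()` method starts and ends outside the hunk, so the handling of the chapter list itself (via `BookContents`) is not visible.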

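--- a/tests/Api/BooksApiTest.php
+++ b/tests/Api/BooksApiTest.php
@@ -149,6 +149,23 @@ public function test_read_endpoint_includes_chapter_and_page_contents()
 ]);
 }
 
+public function test_read_endpoint_contents_nested_pages_has_permissions_applied()
+{
+$this->actingAsApiEditor();
+
+$book = $this->entities->bookHasChaptersAndPages();
+$chapter = $book->chapters()->first();
+$chapterPage = $chapter->pages()->first();
+$customName = 'MyNonVisiblePageWithinAChapter';
+$chapterPage->name = $customName;
+$chapterPage->save();
+
+$this->permissions->disableEntityInheritedPermissions($chapterPage);
+
+$resp = $this->getJson($this->baseEndpoint . "/{$book->id}");
+$resp->assertJsonMissing(['name' => $customName]);
+}
+
 public function test_update_endpoint()
 {
 $this->actingAsApiEditor();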
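Review bot: The new test asserts only that the hidden page name is absent, which an error response (403, 500) would also satisfy, so a regression that breaks the endpoint entirely would still pass. Add a positive check before the negative one so the response is known to be a successful book read that still lists the chapter: `$resp->assertOk();` followed by `$resp->assertJsonFragment(['name' => $chapter->name]);`. That pair makes the test fail for the right reason, namely the page being listed despite its permissions.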
