404: Fixed entity list issue with entity with non-visible parent

ssddanbrown · ssddanbrown · commit f5f96f84e706 · 2024-02-28T13:08:06.000Z
Adds our mixed entity list loader to popular queries for more efficient
loading.
diff --git a/app/Entities/Queries/QueryPopular.php b/app/Entities/Queries/QueryPopular.php
@@ -4,10 +4,8 @@
 
 use BookStack\Activity\Models\View;
 use BookStack\Entities\EntityProvider;
-use BookStack\Entities\Models\BookChild;
-use BookStack\Entities\Models\Entity;
+use BookStack\Entities\Tools\MixedEntityListLoader;
 use BookStack\Permissions\PermissionApplicator;
-use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\DB;
 
@@ -16,10 +14,11 @@ class QueryPopular
     public function __construct(
         protected PermissionApplicator $permissions,
         protected EntityProvider $entityProvider,
+        protected MixedEntityListLoader $listLoader,
     ) {
     }
 
-    public function run(int $count, int $page, array $filterModels = null)
+    public function run(int $count, int $page, array $filterModels = null): Collection
     {
         $query = $this->permissions
             ->restrictEntityRelationQuery(View::query(), 'views', 'viewable_id', 'viewable_type')
@@ -31,24 +30,13 @@ public function run(int $count, int $page, array $filterModels = null)
             $query->whereIn('viewable_type', $this->entityProvider->getMorphClasses($filterModels));
         }
 
-        $entities = $query->with('viewable')
+        $views = $query
             ->skip($count * ($page - 1))
             ->take($count)
-            ->get()
-            ->pluck('viewable')
-            ->filter();
+            ->get();
 
-        $this->loadBooksForChildren($entities);
+        $this->listLoader->loadIntoRelations($views->all(), 'viewable', false);
 
-        return $entities;
-    }
-
-    protected function loadBooksForChildren(Collection $entities): void
-    {
-        $bookChildren = $entities->filter(fn(Entity $entity) => $entity instanceof BookChild);
-        $eloquent = (new \Illuminate\Database\Eloquent\Collection($bookChildren));
-        $eloquent->load(['book' => function (BelongsTo $query) {
-            $query->scopes('visible');
-        }]);
+        return $views->pluck('viewable')->filter();
     }
 }
diff --git a/tests/ErrorTest.php b/tests/ErrorTest.php
@@ -23,6 +23,35 @@ public function test_404_page_does_not_show_login()
         $notFound->assertSeeText('tester');
     }
 
+    public function test_404_page_does_not_non_visible_content()
+    {
+        $editor = $this->users->editor();
+        $book = $this->entities->book();
+
+        $this->actingAs($editor)->get($book->getUrl())->assertOk();
+
+        $this->permissions->disableEntityInheritedPermissions($book);
+
+        $this->actingAs($editor)->get($book->getUrl())->assertNotFound();
+    }
+
+    public function test_404_page_shows_visible_content_within_non_visible_parent()
+    {
+        $editor = $this->users->editor();
+        $book = $this->entities->book();
+        $page = $book->pages()->first();
+
+        $this->actingAs($editor)->get($page->getUrl())->assertOk();
+
+        $this->permissions->disableEntityInheritedPermissions($book);
+        $this->permissions->addEntityPermission($page, ['view'], $editor->roles()->first());
+
+        $resp = $this->actingAs($editor)->get($book->getUrl());
+        $resp->assertNotFound();
+        $resp->assertSee($page->name);
+        $resp->assertDontSee($book->name);
+    }
+
     public function test_item_not_found_does_not_get_logged_to_file()
     {
         $this->actingAs($this->users->viewer());
