Added and addressed multi-role/own-role-perm/inheretance scenario

ssddanbrown · ssddanbrown · commit f6a6b11ec584 · 2023-01-26T12:53:25.000Z
Found during manual testing.
Have checked against relation queries manually too.
diff --git a/app/Auth/Permissions/PermissionApplicator.php b/app/Auth/Permissions/PermissionApplicator.php
@@ -99,7 +99,7 @@ public function restrictEntityQuery(Builder $query): Builder
                     ->selectRaw('max(status) as status')
                     ->whereIn('role_id', $this->getCurrentUserRoleIds())
                     ->groupBy(['entity_type', 'entity_id'])
-                    ->havingRaw('(status IN (1, 3) or owner_id = ?)', [$this->currentUser()->id]);
+                    ->havingRaw('(status IN (1, 3) or (owner_id = ? and status != 2))', [$this->currentUser()->id]);
             });
         });
     }
diff --git a/dev/docs/permission-scenario-testing.md b/dev/docs/permission-scenario-testing.md
@@ -229,6 +229,16 @@ User denied page permission.
 
 User denied page permission.
 
+#### test_71_multi_role_inheriting_deny_on_own
+
+- Page permissions have inherit enabled.
+- Role A has own page role permission.
+- Role B has entity denied page permission.
+- User has Role A and B.
+- Use owns Page.
+
+User denied page permission.
+
 #### test_75_multi_role_inherited_deny_via_parent
 
 - Page permissions have inherit enabled.
@@ -239,6 +249,16 @@ User denied page permission.
 
 User denied page permission.
 
+#### test_76_multi_role_inherited_deny_via_parent_on_own
+
+- Page permissions have inherit enabled.
+- Chapter permissions have inherit enabled.
+- Role A has own page role permission.
+- Role B has entity denied chapter permission.
+- User has Role A & B.
+
+User denied page permission.
+
 #### test_80_fallback_override_allow
 
 - Page permissions have inherit disabled.
diff --git a/tests/Permissions/Scenarios/EntityRolePermissionsTest.php b/tests/Permissions/Scenarios/EntityRolePermissionsTest.php
@@ -187,6 +187,19 @@ public function test_70_multi_role_inheriting_deny()
         $this->assertNotVisibleToUser($page, $user);
     }
 
+    public function test_71_multi_role_inheriting_deny_on_own()
+    {
+        [$user, $roleA] = $this->users->newUserWithRole([], ['page-view-own']);
+        $roleB = $this->users->attachNewRole($user);
+        $page = $this->entities->page();
+        $this->permissions->changeEntityOwner($page, $user);
+
+        $this->permissions->addEntityPermission($page, [], $roleB);
+
+        $this->assertNotVisibleToUser($page, $user);
+    }
+
+
     public function test_75_multi_role_inherited_deny_via_parent()
     {
         [$user, $roleA] = $this->users->newUserWithRole([], ['page-view-all']);
@@ -199,6 +212,19 @@ public function test_75_multi_role_inherited_deny_via_parent()
         $this->assertNotVisibleToUser($page, $user);
     }
 
+    public function test_76_multi_role_inherited_deny_via_parent_on_own()
+    {
+        [$user, $roleA] = $this->users->newUserWithRole([], ['page-view-own']);
+        $roleB = $this->users->attachNewRole($user);
+        $page = $this->entities->pageWithinChapter();
+        $chapter = $page->chapter;
+        $this->permissions->changeEntityOwner($page, $user);
+
+        $this->permissions->addEntityPermission($chapter, [], $roleB);
+
+        $this->assertNotVisibleToUser($page, $user);
+    }
+
     public function test_80_fallback_override_allow()
     {
         [$user, $roleA] = $this->users->newUserWithRole();

Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ public function restrictEntityQuery(Builder $query): Builder`
`99`	`99`	`->selectRaw('max(status) as status')`
`100`	`100`	`->whereIn('role_id', $this->getCurrentUserRoleIds())`
`101`	`101`	`->groupBy(['entity_type', 'entity_id'])`
`102`		`- ->havingRaw('(status IN (1, 3) or owner_id = ?)', [$this->currentUser()->id]);`
	`102`	`+ ->havingRaw('(status IN (1, 3) or (owner_id = ? and status != 2))', [$this->currentUser()->id]);`
`103`	`103`	`});`
`104`	`104`	`});`
`105`	`105`	`}`