Chapters API: Allowed move via book_id property

Aligns it with pages and with the book_id property already being part of the API. For #4272.
2025-08-09 10:22:51 +03:00 · 2023-05-30 20:55:24 +01:00
parent 3f5dc10cd4
commit 0323ebccd3
3 changed files with 60 additions and 22 deletions
--- a/tests/Api/ChaptersApiTest.php
+++ b/tests/Api/ChaptersApiTest.php
@@ -2,6 +2,7 @@

 namespace Tests\Api;

+use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Chapter;
 use Carbon\Carbon;
 use Illuminate\Support\Facades\DB;
@@ -163,6 +164,33 @@ class ChaptersApiTest extends TestCase
        $this->assertGreaterThan(Carbon::now()->subDay()->unix(), $chapter->updated_at->unix());
    }

+    public function test_update_with_book_id_moves_chapter()
+    {
+        $this->actingAsApiEditor();
+        $chapter = $this->entities->chapterHasPages();
+        $page = $chapter->pages()->first();
+        $newBook = Book::query()->where('id', '!=', $chapter->book_id)->first();
+
+        $resp = $this->putJson($this->baseEndpoint . "/{$chapter->id}", ['book_id' => $newBook->id]);
+        $resp->assertOk();
+        $chapter->refresh();
+
+        $this->assertDatabaseHas('chapters', ['id' => $chapter->id, 'book_id' => $newBook->id]);
+        $this->assertDatabaseHas('pages', ['id' => $page->id, 'book_id' => $newBook->id, 'chapter_id' => $chapter->id]);
+    }
+
+    public function test_update_with_new_book_id_requires_delete_permission()
+    {
+        $editor = $this->users->editor();
+        $this->permissions->removeUserRolePermissions($editor, ['chapter-delete-all', 'chapter-delete-own']);
+        $this->actingAs($editor);
+        $chapter = $this->entities->chapterHasPages();
+        $newBook = Book::query()->where('id', '!=', $chapter->book_id)->first();
+
+        $resp = $this->putJson($this->baseEndpoint . "/{$chapter->id}", ['book_id' => $newBook->id]);
+        $this->assertPermissionError($resp);
+    }
+
    public function test_delete_endpoint()
    {
        $this->actingAsApiEditor();
--- a/tests/TestCase.php
+++ b/tests/TestCase.php
@@ -213,18 +213,14 @@ abstract class TestCase extends BaseTestCase
     */
    private function isPermissionError($response): bool
    {
+        if ($response->status() === 403 && $response instanceof JsonResponse) {
+            $errMessage = $response->getData(true)['error']['message'] ?? '';
+            return $errMessage === 'You do not have permission to perform the requested action.';
+        }
+
        return $response->status() === 302
-            && (
-                (
-                    $response->headers->get('Location') === url('/')
-                    && strpos(session()->pull('error', ''), 'You do not have permission to access') === 0
-                )
-                ||
-                (
-                    $response instanceof JsonResponse &&
-                    $response->json(['error' => 'You do not have permission to perform the requested action.'])
-                )
-            );
+            && $response->headers->get('Location') === url('/')
+            && str_starts_with(session()->pull('error', ''), 'You do not have permission to access');
    }

    /**