webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-08-06 12:02:45 +03:00
Code Activity

Added additional case thats known to currently fail

Browse Source 
Also removed so no-longer-relevant todo/comments.
This commit is contained in:
Dan Brown
2022-12-21 17:00:05 +00:00
parent adabf06dbe
commit 2d9d2bba80
3 changed files with 46 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
app/Auth/Permissions/PermissionApplicator.php
View File

@@ -94,15 +94,8 @@ class PermissionApplicator
->get(['role_id', 'user_id', $action]) ->get(['role_id', 'user_id', $action])
->all(); ->all();
// Permissions work on specificity, in order of: // See dev/docs/permission-scenario-testing.md for technical details
// 1. User-specific permissions // on how permissions should be enforced.
// 2. Role-specific permissions
// 3. Fallback-specific permissions
// For role permissions, the system tries to be fairly permissive, in that if the user has two roles,
// one lacking and one permitting an action, they will be permitted.
// This can be complex when multiple roles and inheritance gets involved. If permission is prevented
// via "Role A" on an item, but inheritance is active and permission is granted via "Role B" on parent item,
// the user will be granted permission.
$allowedByTypeById = ['fallback' => [], 'user' => [], 'role' => []]; $allowedByTypeById = ['fallback' => [], 'user' => [], 'role' => []];
/** @var EntityPermission $permission */ /** @var EntityPermission $permission */
@@ -151,10 +144,9 @@ class PermissionApplicator
return $allowedByTypeById['fallback'][0]; return $allowedByTypeById['fallback'][0];
} }
// If we have roles that need to be assessed, but we are also inheriting, pass back the prevented // If we have relevant roles conditions that are actively blocking
// role IDs so they can be excluded from the role permission check. // return false since these are more specific than potential role-level permissions.
if (count($blockedRoleIds) > 0) { if (count($blockedRoleIds) > 0) {
// TODO - Need to use these ids in some form in outer permission check, as blockers when access
return false; return false;
} }

19
dev/docs/permission-scenario-testing.md
View File

@@ -220,6 +220,25 @@ User denied page permission.
User denied page permission. User denied page permission.
#### test_70_multi_role_inheriting_deny
- Page permissions have inherit enabled.
- Role A has all page role permission.
- Role B has entity denied page permission.
- User has Role A and B.
User denied page permission.
#### test_80_multi_role_inherited_deny_via_parent
- Page permissions have inherit enabled.
- Chapter permissions have inherit enabled.
- Role A has all-pages role permission.
- Role B has entity denied chapter permission.
- User has Role A & B.
User denied page permission.
--- ---
### Entity User Permissions ### Entity User Permissions

23
tests/Permissions/Scenarios/EntityRolePermissionsTest.php
View File

@@ -175,4 +175,27 @@ class EntityRolePermissionsTest extends PermissionScenarioTestCase
$this->assertNotVisibleToUser($page, $user); $this->assertNotVisibleToUser($page, $user);
} }
public function test_70_multi_role_inheriting_deny()
{
[$user, $roleA] = $this->users->newUserWithRole([], ['page-view-all']);
$roleB = $this->users->attachNewRole($user);
$page = $this->entities->page();
$this->permissions->addEntityPermission($page, [], $roleB);
$this->assertNotVisibleToUser($page, $user);
}
public function test_80_multi_role_inherited_deny_via_parent()
{
[$user, $roleA] = $this->users->newUserWithRole([], ['page-view-all']);
$roleB = $this->users->attachNewRole($user);
$page = $this->entities->pageWithinChapter();
$chapter = $page->chapter;
$this->permissions->addEntityPermission($chapter, [], $roleB);
$this->assertNotVisibleToUser($page, $user);
}
} }