Merge pull request #3632 from BookStackApp/ownable_permission_fix

Fixed failed permission checks due to non-loaded fields
2025-08-07 23:03:00 +03:00 · 2022-08-10 17:59:46 +01:00
parent 031c67ba58 16eedc8264
commit 375abca1ee
6 changed files with 42 additions and 6 deletions
--- a/app/Auth/Permissions/PermissionApplicator.php
+++ b/app/Auth/Permissions/PermissionApplicator.php
@@ -34,7 +34,13 @@ class PermissionApplicator
        $ownRolePermission = $user->can($fullPermission . '-own');
        $nonJointPermissions = ['restrictions', 'image', 'attachment', 'comment'];
        $ownerField = ($ownable instanceof Entity) ? 'owned_by' : 'created_by';
-        $isOwner = $user->id === $ownable->getAttribute($ownerField);
+        $ownableFieldVal = $ownable->getAttribute($ownerField);
+
+        if (is_null($ownableFieldVal)) {
+            throw new InvalidArgumentException("{$ownerField} field used but has not been loaded");
+        }
+
+        $isOwner = $user->id === $ownableFieldVal;
        $hasRolePermission = $allRolePermission || ($isOwner && $ownRolePermission);

        // Handle non entity specific jointPermissions
@@ -68,6 +74,11 @@ class PermissionApplicator
        }

        foreach ($chain as $currentEntity) {
+
+            if (is_null($currentEntity->restricted)) {
+                throw new InvalidArgumentException("Entity restricted field used but has not been loaded");
+            }
+
            if ($currentEntity->restricted) {
                return $currentEntity->permissions()
                    ->whereIn('role_id', $userRoleIds)
--- a/app/Entities/Repos/BaseRepo.php
+++ b/app/Entities/Repos/BaseRepo.php
@@ -38,6 +38,7 @@ class BaseRepo
            $this->tagRepo->saveTagsToEntity($entity, $input['tags']);
        }

+        $entity->refresh();
        $entity->rebuildPermissions();
        $entity->indexForSearch();
    }
--- a/app/Entities/Repos/BookshelfRepo.php
+++ b/app/Entities/Repos/BookshelfRepo.php
@@ -140,7 +140,7 @@ class BookshelfRepo
    public function copyDownPermissions(Bookshelf $shelf, $checkUserPermissions = true): int
    {
        $shelfPermissions = $shelf->permissions()->get(['role_id', 'action'])->toArray();
-        $shelfBooks = $shelf->books()->get(['id', 'restricted']);
+        $shelfBooks = $shelf->books()->get(['id', 'restricted', 'owned_by']);
        $updatedBookCount = 0;

        /** @var Book $book */
--- a/app/Entities/Tools/SearchRunner.php
+++ b/app/Entities/Tools/SearchRunner.php
@@ -163,7 +163,7 @@ class SearchRunner
        $entityQuery = $entityModelInstance->newQuery()->scopes('visible');

        if ($entityModelInstance instanceof Page) {
-            $entityQuery->select($entityModelInstance::$listAttributes);
+            $entityQuery->select(array_merge($entityModelInstance::$listAttributes, ['restricted', 'owned_by']));
        } else {
            $entityQuery->select(['*']);
        }
--- a/app/Http/Controllers/FavouriteController.php
+++ b/app/Http/Controllers/FavouriteController.php
@@ -87,7 +87,7 @@ class FavouriteController extends Controller

        $modelInstance = $model->newQuery()
            ->where('id', '=', $modelInfo['id'])
-            ->first(['id', 'name']);
+            ->first(['id', 'name', 'restricted', 'owned_by']);

        $inaccessibleEntity = ($modelInstance instanceof Entity && !userCan('view', $modelInstance));
        if (is_null($modelInstance) || $inaccessibleEntity) {