webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-07-31 15:24:31 +03:00
Code Activity

Guests: Prevented access to profile routes

Browse Source 
Prevention of action on certain routes for guest user when public access
is enabled. Could not see a way this could be a security issue, beyond a
mild nuisance that'd only be visible if public users can edit, which
would present larger potential nuisance anyway.
This commit is contained in:
Dan Brown
2023-08-26 14:07:48 +01:00
parent 32516f7b68
commit 9100a82b47
2 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
tests/PublicActionTest.php
View File

@ -207,4 +207,16 @@ class PublicActionTest extends TestCase
$this->withHtml($resp)->assertLinkExists($page->getUrl('/edit'));
}
public function test_public_user_cannot_view_or_update_their_profile()
{
$this->setSettings(['app-public' => 'true']);
$guest = $this->users->guest();
$resp = $this->get($guest->getEditUrl());
$this->assertPermissionError($resp);
$resp = $this->put($guest->getEditUrl(), ['name' => 'My new guest name']);
$this->assertPermissionError($resp);
}
}