webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-07-28 17:02:04 +03:00
Code Activity

Added check of owner field for manage-permissions-own

Browse Source 
This permission was still checking based on created-by.
Updated testing to specifically check the owner since the tests
were passing by the fact of matching creator and owner.

Fixes #2445
This commit is contained in:
Dan Brown
2021-01-04 18:07:39 +00:00
parent 20729a618f
commit bbfb330b92
2 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
app/Auth/Permissions/PermissionService.php
View File

@ -533,7 +533,8 @@ class PermissionService
$allPermission = $this->currentUser() && $this->currentUser()->can($permission . '-all');
$ownPermission = $this->currentUser() && $this->currentUser()->can($permission . '-own');
$this->currentAction = 'view';
$isOwner = $this->currentUser() && $this->currentUser()->id === $ownable->created_by;
$ownerField = ($ownable instanceof Entity) ? 'owned_by' : 'created_by';
$isOwner = $this->currentUser() && $this->currentUser()->id === $ownable->$ownerField;
return ($allPermission || ($isOwner && $ownPermission));
}