webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-08-07 23:03:00 +03:00
Code Activity

Attachments: Hid edit/delete controls where lacking permission

Browse Source 
Added test to cover.
Also migrated related ajax-delete-row component to ts.

For #5323
This commit is contained in:
Dan Brown
2024-12-11 20:38:30 +00:00
parent 0ece664475
commit fcf0bf79a9
4 changed files with 74 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
tests/Uploads/AttachmentTest.php
View File

@@ -267,6 +267,50 @@ class AttachmentTest extends TestCase
}
}
public function test_attachment_delete_only_shows_with_permission()
{
$this->asAdmin();
$page = $this->entities->page();
$this->files->uploadAttachmentFile($this, 'upload_test.txt', $page->id);
$attachment = $page->attachments()->first();
$viewer = $this->users->viewer();
$this->permissions->grantUserRolePermissions($viewer, ['page-update-all', 'attachment-create-all']);
$resp = $this->actingAs($viewer)->get($page->getUrl('/edit'));
$html = $this->withHtml($resp);
$html->assertElementExists(".card[data-id=\"{$attachment->id}\"]");
$html->assertElementNotExists(".card[data-id=\"{$attachment->id}\"] button[title=\"Delete\"]");
$this->permissions->grantUserRolePermissions($viewer, ['attachment-delete-all']);
$resp = $this->actingAs($viewer)->get($page->getUrl('/edit'));
$html = $this->withHtml($resp);
$html->assertElementExists(".card[data-id=\"{$attachment->id}\"] button[title=\"Delete\"]");
}
public function test_attachment_edit_only_shows_with_permission()
{
$this->asAdmin();
$page = $this->entities->page();
$this->files->uploadAttachmentFile($this, 'upload_test.txt', $page->id);
$attachment = $page->attachments()->first();
$viewer = $this->users->viewer();
$this->permissions->grantUserRolePermissions($viewer, ['page-update-all', 'attachment-create-all']);
$resp = $this->actingAs($viewer)->get($page->getUrl('/edit'));
$html = $this->withHtml($resp);
$html->assertElementExists(".card[data-id=\"{$attachment->id}\"]");
$html->assertElementNotExists(".card[data-id=\"{$attachment->id}\"] button[title=\"Edit\"]");
$this->permissions->grantUserRolePermissions($viewer, ['attachment-update-all']);
$resp = $this->actingAs($viewer)->get($page->getUrl('/edit'));
$html = $this->withHtml($resp);
$html->assertElementExists(".card[data-id=\"{$attachment->id}\"] button[title=\"Edit\"]");
}
public function test_file_access_with_open_query_param_provides_inline_response_with_correct_content_type()
{
$page = $this->entities->page();