BookStack/app/Permissions/ContentPermissionApiController.php at 32ba3a591f982ddd99aa44e4f67b1ee6e20d91ba · BookStackApp/BookStack · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
<?php

namespace BookStack\Permissions;

use BookStack\Entities\EntityProvider;
use BookStack\Entities\Models\Entity;
use BookStack\Entities\Tools\PermissionsUpdater;
use BookStack\Http\ApiController;
use Illuminate\Http\Request;

class ContentPermissionApiController extends ApiController
{
    public function __construct(
        protected PermissionsUpdater $permissionsUpdater,
        protected EntityProvider $entities
    ) {
    }

    protected array $rules = [
        'update' => [
            'owner_id'  => ['int'],

            'role_permissions' => ['array'],
            'role_permissions.*.role_id' => ['required', 'int', 'exists:roles,id'],
            'role_permissions.*.view' => ['required', 'boolean'],
            'role_permissions.*.create' => ['required', 'boolean'],
            'role_permissions.*.update' => ['required', 'boolean'],
            'role_permissions.*.delete' => ['required', 'boolean'],

            'fallback_permissions' => ['nullable'],
            'fallback_permissions.inheriting' => ['required_with:fallback_permissions', 'boolean'],
            'fallback_permissions.view' => ['required_if:fallback_permissions.inheriting,false', 'boolean'],
            'fallback_permissions.create' => ['required_if:fallback_permissions.inheriting,false', 'boolean'],
            'fallback_permissions.update' => ['required_if:fallback_permissions.inheriting,false', 'boolean'],
            'fallback_permissions.delete' => ['required_if:fallback_permissions.inheriting,false', 'boolean'],
        ]
    ];

    /**
     * Read the configured content-level permissions for the item of the given type and ID.
     *
     * 'contentType' should be one of: page, book, chapter, bookshelf.
     * 'contentId' should be the relevant ID of that item type you'd like to handle permissions for.
     *
     * The permissions shown are those that override the default for just the specified item, they do not show the
     * full evaluated permission for a role, nor do they reflect permissions inherited from other items in the hierarchy.
     * Fallback permission values may be `null` when inheriting is active.
     */
    public function read(string $contentType, string $contentId)
    {
        $entity = $this->entities->get($contentType)
            ->newQuery()->scopes(['visible'])->findOrFail($contentId);

        $this->checkOwnablePermission('restrictions-manage', $entity);

        return response()->json($this->formattedPermissionDataForEntity($entity));
    }

    /**
     * Update the configured content-level permission overrides for the item of the given type and ID.
     * 'contentType' should be one of: page, book, chapter, bookshelf.
     *
     * 'contentId' should be the relevant ID of that item type you'd like to handle permissions for.
     * Providing an empty `role_permissions` array will remove any existing configured role permissions,
     * so you may want to fetch existing permissions beforehand if just adding/removing a single item.
     * You should completely omit the `owner_id`, `role_permissions` and/or the `fallback_permissions` properties
     * from your request data if you don't wish to update details within those categories.
     */
    public function update(Request $request, string $contentType, string $contentId)
    {
        $entity = $this->entities->get($contentType)
            ->newQuery()->scopes(['visible'])->findOrFail($contentId);

        $this->checkOwnablePermission('restrictions-manage', $entity);

        $data = $this->validate($request, $this->rules()['update']);
        $this->permissionsUpdater->updateFromApiRequestData($entity, $data);

        return response()->json($this->formattedPermissionDataForEntity($entity));
    }

    protected function formattedPermissionDataForEntity(Entity $entity): array
    {
        $rolePermissions = $entity->permissions()
            ->where('role_id', '!=', 0)
            ->with(['role:id,display_name'])
            ->get();

        $fallback = $entity->permissions()->where('role_id', '=', 0)->first();
        $fallbackData = [
            'inheriting' => is_null($fallback),
            'view' => $fallback->view ?? null,
            'create' => $fallback->create ?? null,
            'update' => $fallback->update ?? null,
            'delete' => $fallback->delete ?? null,
        ];

        return [
            'owner' => $entity->ownedBy()->first(),
            'role_permissions' => $rolePermissions,
            'fallback_permissions' => $fallbackData,
        ];
    }
}