mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-07-15 21:31:36 +03:00
Comments: Added visibility check to comment delete
Aligns it with other actions/endpoints, and ensures an extra layer of control against malicious use. Thanks to mfk25 for reporting.
This commit is contained in:
@@ -59,8 +59,7 @@ class CommentController extends Controller
|
||||
'html' => ['required', 'string'],
|
||||
]);
|
||||
|
||||
$comment = $this->commentRepo->getById($commentId);
|
||||
$this->checkOwnablePermission(Permission::PageView, $comment->entity);
|
||||
$comment = $this->commentRepo->getVisibleById($commentId);
|
||||
$this->checkOwnablePermission(Permission::CommentUpdate, $comment);
|
||||
|
||||
$comment = $this->commentRepo->update($comment, $input['html']);
|
||||
@@ -76,8 +75,7 @@ class CommentController extends Controller
|
||||
*/
|
||||
public function archive(int $id)
|
||||
{
|
||||
$comment = $this->commentRepo->getById($id);
|
||||
$this->checkOwnablePermission(Permission::PageView, $comment->entity);
|
||||
$comment = $this->commentRepo->getVisibleById($id);
|
||||
if (!userCan(Permission::CommentUpdate, $comment) && !userCan(Permission::CommentDelete, $comment)) {
|
||||
$this->showPermissionError();
|
||||
}
|
||||
@@ -96,8 +94,7 @@ class CommentController extends Controller
|
||||
*/
|
||||
public function unarchive(int $id)
|
||||
{
|
||||
$comment = $this->commentRepo->getById($id);
|
||||
$this->checkOwnablePermission(Permission::PageView, $comment->entity);
|
||||
$comment = $this->commentRepo->getVisibleById($id);
|
||||
if (!userCan(Permission::CommentUpdate, $comment) && !userCan(Permission::CommentDelete, $comment)) {
|
||||
$this->showPermissionError();
|
||||
}
|
||||
@@ -116,7 +113,7 @@ class CommentController extends Controller
|
||||
*/
|
||||
public function destroy(int $id)
|
||||
{
|
||||
$comment = $this->commentRepo->getById($id);
|
||||
$comment = $this->commentRepo->getVisibleById($id);
|
||||
$this->checkOwnablePermission(Permission::CommentDelete, $comment);
|
||||
|
||||
$this->commentRepo->delete($comment);
|
||||
|
||||
@@ -105,6 +105,23 @@ class CommentStoreTest extends TestCase
|
||||
$this->assertActivityExists(ActivityType::COMMENT_DELETE);
|
||||
}
|
||||
|
||||
public function test_comment_delete_requires_view_permission_to_page()
|
||||
{
|
||||
$editor = $this->users->editor();
|
||||
$this->permissions->grantUserRolePermissions($editor, ['comment-delete-all']);
|
||||
$page = $this->entities->page();
|
||||
$this->actingAs($editor);
|
||||
|
||||
$commentData = Comment::factory()->make();
|
||||
$this->postJson("/comment/$page->id", $commentData->getAttributes());
|
||||
$comment = $page->comments()->first();
|
||||
$this->permissions->disableEntityInheritedPermissions($page);
|
||||
|
||||
$resp = $this->deleteJson("/comment/$comment->id");
|
||||
$resp->assertStatus(404);
|
||||
$this->assertDatabaseHas('comments', ['id' => $comment->id]);
|
||||
}
|
||||
|
||||
public function test_comment_archive_and_unarchive()
|
||||
{
|
||||
$this->asAdmin();
|
||||
|
||||
Reference in New Issue
Block a user