Fixed related permissions query not considering drafts

Page-related items added on drafts could be visible in certain scenarios since the applied permissions query filters would not consider page draft visibility. This commit alters queries on related items to apply such filtering. Included test to cover API scenario. Thanks to @haxatron for reporting.
2025-06-03 16:23:35 +08:00 · 2021-11-30 00:06:17 +00:00
parent 42703dd859
commit b4fa82e329
4 changed files with 86 additions and 33 deletions
--- a/tests/Api/AttachmentsApiTest.php
+++ b/tests/Api/AttachmentsApiTest.php
@ -224,6 +224,29 @@ class AttachmentsApiTest extends TestCase
        unlink(storage_path($attachment->path));
    }

+    public function test_attachment_not_visible_on_other_users_draft()
+    {
+        $this->actingAsApiAdmin();
+        $editor = $this->getEditor();
+
+        /** @var Page $page */
+        $page = Page::query()->first();
+        $page->draft = true;
+        $page->owned_by = $editor;
+        $page->save();
+        $this->regenEntityPermissions($page);
+
+        $attachment = $this->createAttachmentForPage($page, [
+            'name'  => 'my attachment',
+            'path'  => 'https://example.com',
+            'order' => 1,
+        ]);
+
+        $resp = $this->getJson("{$this->baseEndpoint}/{$attachment->id}");
+
+        $resp->assertStatus(404);
+    }
+
    public function test_update_endpoint()
    {
        $this->actingAsApiAdmin();