Commit Graph

285 Commits

Author SHA1 Message Date
3083979855 Added method for using enity ownership in relation queries
It has a large linear-entity-scaling performance impact though.
2023-01-15 17:38:08 +00:00
55642a33ee Attempted fix of issues, realised new query system is a failure
As part of the permission checking we need to check owner user status.
Upon this, we'd also want to check page draft status (and its
creator/owner).
These, for cross-entity/relation queries would need up to another 4 joins.
The performance/index usage is already questionable here.
2023-01-14 13:50:41 +00:00
93ba572369 Aligned admin permission check restriction ignore 2023-01-13 22:19:29 +00:00
a825f27930 Updated additional relation queries to apply permissions correctly 2023-01-13 22:13:31 +00:00
932e1d7c61 Got entity relation query permission application working
May be issues at points of use though, Added todo for this in code.
Also added extra indexes to collapsed table for better query
performance.
2023-01-13 17:10:20 +00:00
2f1491c5a4 Split out 'restrictEntityQuery' function components
Also fixed search query issue with abiguous column
2023-01-13 16:07:36 +00:00
026e9030b9 Reworked userCan permission check to follow defined logic.
Got all current scenario tests passing.
Also fixes own permission which was using the wrong field.
2022-12-23 21:07:49 +00:00
451e4ac452 Fixed collapsed perm. gen for book sub-items.
Also converted the existing "JointPermission" usage to the new
collapsed permission system.
2022-12-23 14:05:43 +00:00
7330139555 Created big scary query to apply permissions via new format 2022-12-22 20:32:06 +00:00
39acbeac68 Started new permission-caching/querying model 2022-12-22 15:09:17 +00:00
2d9d2bba80 Added additional case thats known to currently fail
Also removed so no-longer-relevant todo/comments.
2022-12-21 17:14:54 +00:00
d54ea1b3ed Started more formal permission test case definitions 2022-12-15 11:22:53 +00:00
e8a8fedfd6 Started aligning permission behaviour across application methods 2022-12-14 18:14:01 +00:00
60bf838a4a Added joint_user_permissions handling to query system
Some issues exist to resolve though, not in final state.
2022-12-11 22:53:46 +00:00
0411185fbb Added, and built perm. gen for, joint_user_permissions table 2022-12-11 14:51:53 +00:00
7a269e7689 Added users to permission form interface
Also updated non-joint permission handling to support user permissions.
2022-12-10 14:37:18 +00:00
f8c4725166 Aligned logic to entity_permission role_id usage change
Now idenitifies fallback using role_id and user_id = null.
Lays some foundations for handling user_id.
2022-12-07 22:07:03 +00:00
e20c944350 Fixed OIDC handling when no JWKS 'use' prop exists
Now assume, based on OIDC discovery spec, that keys without 'use' are
'sig' keys. Should not affect existing use-cases since existance of such
keys would have throw exceptions in prev. versions of bookstack.

For #3869
2022-11-23 11:50:59 +00:00
a3fcc98d6e Aligned user preference endpoints in style and behaviour
Changes their endpoints and remove the user id from the URLs.
Simplifies list changes to share a single endpoint, which aligns it to
the behaviour of the existing sort preference endpoint.
Also added test to ensure user preferences are deleted on user delete.
2022-11-09 19:30:08 +00:00
ec4cbbd004 Refactored common list handling operations to new class 2022-10-30 15:16:06 +00:00
f75091a1c5 Revised webhooks list to new format
Also aligned query naming to start with model in use.
Also added created/updated sort options to roles.
2022-10-30 12:02:06 +00:00
98b59a1024 Revised role index list to align with user list 2022-10-29 20:52:17 +01:00
986346a0e9 Redesigned users list to be responsive and aligned 2022-10-29 15:23:21 +01:00
2a65331573 Worked towards phpstan level 2, 13 errors remain 2022-10-24 12:12:48 +01:00
ea6eacb400 Fixed chapter fetching during joint permission building
Somehow I accidentally deleted previous line 143 in this commit:
3839bf6bf11ac6b4d19c2ae8f62a314a2c164251
which would then break permission generation for content related to, or
containing, chapters in the recycle bin.
Found via user report (subz) & debugging in discord.
2022-10-21 21:49:29 +01:00
f0ac454be1 Prevented saml2 autodiscovery on metadata load
Fixes issue where metadata cannot be viewed if autload is active and
entityid url is not active.
For #2480
2022-10-16 09:50:08 +01:00
bd412ddbf9 Updated test for perms. changes and fixed static issues 2022-10-12 12:12:36 +01:00
98c6422fa6 Extracted entity perms. text to translation files 2022-10-11 15:52:56 +01:00
0fae807713 Fixed and updated "Everyone Else" permissions handling
- Fixed inheriting control for new system.
- Tested copying shelf permissions to books.
- Added additional handling for inheriting scenario identification.
2022-10-10 17:22:38 +01:00
0f68be608d Removed most usages of restricted entitiy property 2022-10-10 16:58:26 +01:00
803934d020 Added interface for adding/removing roles in entity perms. 2022-10-10 12:24:23 +01:00
ffd6a1002e Centralised handling of permission form data to own class
Also updates show roles on permission view to just those with
permissions applied.
Fixes rounded borders for lone permission rows.
Moves "Everyone Else" handling from role to new class.
2022-10-09 17:14:11 +01:00
3839bf6bf1 Updated joint perms. gen. to use new entity permission format 2022-10-08 14:28:44 +01:00
aee0e16194 Started code update for new entity permission format 2022-10-08 13:52:59 +01:00
1df9ec9647 Added proper entity permission removal on role deletion
Added test to cover.
2022-10-07 13:12:33 +01:00
a03245e427 Added user-interface for "Everyone Else" entity permission item
Nothing on back-end logic done to hook this new option up.
Addition of permissions for role_id=0 works out of the box, but active
"everyone else" permissions, with no priviliges, is currently not
working. Needs change of permission gen logic also.
2022-10-02 18:09:48 +01:00
f4388d5e4a Removed usage of laravel/ui dependency
Brings app auth controller handling aligned within the app, rather than
having many overrides of the framwork packages causing confusion and
messiness over time.
2022-09-22 16:54:27 +01:00
dce6a82954 Added reason, if existing, into SAML acs error
Closes #3731
2022-09-20 12:52:44 +01:00
8a749c6acf Added and ran PHPCS 2022-09-18 01:25:20 +01:00
24f82749ff Updated OIDC group attr option name
To match the existing option name for display names.
Closes #3704
2022-09-06 16:33:17 +01:00
1cc7c649dc Applied StyleCi changes, updated php deps 2022-08-29 17:46:41 +01:00
401c156687 Merge pull request #3616 from BookStackApp/oidc_group_sync
Added OIDC group sync functionality
2022-08-25 11:17:18 +01:00
837fd74bf6 Refactored search-based code to its own folder
Also applied StyleCI changes
2022-08-16 11:28:05 +01:00
375abca1ee Merge pull request #3632 from BookStackApp/ownable_permission_fix
Fixed failed permission checks due to non-loaded fields
2022-08-10 17:59:46 +01:00
031c67ba58 Reduced the memory usage, db queries and cache hits loading revisions
Updated revision listing to only fetch required fields, massively
reducing memory usage by not loading content.
This also updates user avatar handling to effectively cache the avatar
url within request to avoid re-searching from cache, which may improve
performance of others areas of the application.
This also upates handling of the revisions list view to extract table
row to its own view to break things down a bit.

For #3633
2022-08-10 17:50:35 +01:00
16eedc8264 Fixed failed permission checks due to non-loaded fields
Added additional exceptions to prevent such cases in the future, so
that they are caught in dev ideally.
Added test case specifically for reported favourite scenario.
2022-08-10 08:06:48 +01:00
b987bea37a Added OIDC group sync functionality
Is generally aligned with out SAML2 group sync functionality, but for
OIDC based upon feedback in #3004.
Neeeded the tangental addition of being able to define custom scopes on
the initial auth request as some systems use this to provide additional
id token claims such as groups.

Includes tests to cover.
Tested live using Okta.
2022-08-02 16:56:56 +01:00
9cf05944f6 Applied StyleCI changes 2022-07-17 10:32:16 +01:00
8f90996cef Dropped use of non-view joint permissions 2022-07-16 21:50:42 +01:00
2332401854 Fixed a couple of non-intended logical permission issues
Both caught in tests:
Fixed loss of permissions for admin users when entity restrictions were
active, since there are no entity-restrictions for the admin role but
we'd force generate them in joint permissions, which would be queried.
Fixed new role permission checks when permissions given with only the
action (eg. 'view'), since the type prefix would be required for role
permission checks. Was previously not needed as only the simpler form
was used in the jointpermissions after merge & calculation.
2022-07-16 20:55:32 +01:00