ucoding
diff --git a/‎dev/docs/permission-scenario-testing.md‎
Lines changed: 1 addition & 182 deletions b/‎dev/docs/permission-scenario-testing.md‎
Lines changed: 1 addition & 182 deletions
diff --git a/‎tests/Commands/RegeneratePermissionsCommandTest.php‎
Lines changed: 13 additions & 7 deletions b/‎tests/Commands/RegeneratePermissionsCommandTest.php‎
Lines changed: 13 additions & 7 deletions
diff --git a/‎tests/Entity/BookShelfTest.php‎
Lines changed: 1 addition & 0 deletions b/‎tests/Entity/BookShelfTest.php‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎tests/Helpers/PermissionsProvider.php‎
Lines changed: 6 additions & 6 deletions b/‎tests/Helpers/PermissionsProvider.php‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎tests/Permissions/EntityPermissionsTest.php‎
Lines changed: 6 additions & 8 deletions b/‎tests/Permissions/EntityPermissionsTest.php‎
Lines changed: 6 additions & 8 deletions
@@ -6,19 +6,16 @@ Test cases are written ability abstract, since all abilities should act the same
 
 Tests are categorised by the most specific element involved in the scenario, where the below list is most specific to least:
 
-- User entity permissions.
 - Role entity permissions.
 - Fallback entity permissions.
 - Role permissions.
 
-- TODO - Test fallback in the context of the above.
-
 ## General Permission Logical Rules
 
 The below are some general rules we follow to standardise the behaviour of permissions in the platform:
 
 - Most specific permission application (as above) take priority and can deny less specific permissions.
-- Parent user/role entity permissions that may be inherited, are considered to essentially be applied on the item they are inherited to unless a lower level has its own permission rule for an already specific role/user.
+- Parent role entity permissions that may be inherited, are considered to essentially be applied on the item they are inherited to unless a lower level has its own permission rule for an already specific role.
 - Where both grant and deny exist at the same specificity, we side towards grant.
 
 ## Cases
@@ -241,181 +238,3 @@ User denied page permission.
 - User has Role A & B.
 
 User denied page permission.
-
----
-
-### Entity User Permissions
-
-These are tests related to entity-level user-specific permission overrides.
-
-#### test_01_explicit_allow
-
-- Page permissions have inherit disabled.
-- User has entity allow page permission.
-
-User granted page permission.
-
-#### test_02_explicit_deny
-
-- Page permissions have inherit disabled.
-- User has entity deny page permission.
-
-User denied page permission.
-
-#### test_10_allow_inherit
-
-- Page permissions have inherit enabled.
-- Chapter permissions have inherit disabled.
-- User has entity allow chapter permission.
-
-User granted page permission.
-
-#### test_11_deny_inherit
-
-- Page permissions have inherit enabled.
-- Chapter permissions have inherit disabled.
-- User has entity deny chapter permission.
-
-User denied page permission.
-
-#### test_12_allow_inherit_override
-
-- Page permissions have inherit enabled.
-- Chapter permissions have inherit disabled.
-- User has entity deny chapter permission.
-- User has entity allow page permission.
-
-User granted page permission.
-
-#### test_13_deny_inherit_override
-
-- Page permissions have inherit enabled.
-- Chapter permissions have inherit disabled.
-- User has entity allow chapter permission.
-- User has entity deny page permission.
-
-User denied page permission.
-
-#### test_40_entity_role_override_allow
-
-- Page permissions have inherit disabled.
-- User has entity allow page permission.
-- Role A has entity deny page permission.
-- User has role A.
-
-User granted page permission.
-
-#### test_41_entity_role_override_deny
-
-- Page permissions have inherit disabled.
-- User has entity deny page permission.
-- Role A has entity allow page permission.
-- User has role A.
-
-User denied page permission.
-
-#### test_42_entity_role_override_allow_via_inherit
-
-- Page permissions have inherit enabled.
-- Chapter permissions have inherit disabled.
-- User has entity allow chapter permission.
-- Role A has entity deny page permission.
-- User has role A.
-
-User granted page permission.
-
-#### test_43_entity_role_override_deny_via_inherit
-
-- Page permissions have inherit enabled.
-- Chapter permissions have inherit disabled.
-- User has entity deny chapter permission.
-- Role A has entity allow page permission.
-- User has role A.
-
-User denied page permission.
-
-#### test_50_role_override_allow
-
-- Page permissions have inherit enabled.
-- Role A has no page role permission.
-- User has entity allow page permission.
-- User has Role A.
-
-User granted page permission.
-
-#### test_51_role_override_deny
-
-- Page permissions have inherit enabled.
-- Role A has all-page role permission.
-- User has entity deny page permission.
-- User has Role A.
-
-User denied page permission.
-
-#### test_60_inherited_role_override_allow
-
-- Page permissions have inherit enabled.
-- Role A has no page role permission.
-- User has entity allow chapter permission.
-- User has Role A.
-
-User granted page permission.
-
-#### test_61_inherited_role_override_deny
-
-- Page permissions have inherit enabled.
-- Role A has view-all page role permission.
-- User has entity deny chapter permission.
-- User has Role A.
-
-User denied page permission.
-
-#### test_61_inherited_role_override_deny_on_own
-
-- Page permissions have inherit enabled.
-- Role A has view-own page role permission.
-- User has entity deny chapter permission.
-- User has Role A.
-- User owns Page.
-
-User denied page permission.
-
-#### test_70_all_override_allow
-
-- Page permissions have inherit enabled.
-- Role A has no page role permission.
-- Role A has entity deny page permission.
-- User has entity allow page permission.
-- User has Role A.
-
-User granted page permission.
-
-#### test_71_all_override_deny
-
-- Page permissions have inherit enabled.
-- Role A has page-all role permission.
-- Role A has entity allow page permission.
-- User has entity deny page permission.
-- User has Role A.
-
-User denied page permission.
-
-#### test_80_inherited_all_override_allow
-
-- Page permissions have inherit enabled.
-- Role A has no page role permission.
-- Role A has entity deny chapter permission.
-- User has entity allow chapter permission.
-- User has Role A.
-
-User granted page permission.
-
-#### test_81_inherited_all_override_deny
-
-- Page permissions have inherit enabled.
-- Role A has view-all page role permission.
-- Role A has entity allow chapter permission.
-- User has entity deny chapter permission.
-- User has Role A.
-
-User denied page permission.
@@ -3,6 +3,8 @@
 namespace Tests\Commands;
 
 use BookStack\Auth\Permissions\CollapsedPermission;
+use BookStack\Auth\Permissions\EntityPermission;
+use BookStack\Auth\Permissions\JointPermission;
 use Illuminate\Support\Facades\Artisan;
 use Illuminate\Support\Facades\DB;
 use Tests\TestCase;
@@ -14,21 +16,25 @@ public function test_regen_permissions_command()
         DB::rollBack();
         $page = $this->entities->page();
         $editor = $this->users->editor();
-        $this->permissions->addEntityPermission($page, ['view'], null, $editor);
-        CollapsedPermission::query()->truncate();
+        $role = $editor->roles()->first();
+        $this->permissions->addEntityPermission($page, ['view'], $role);
+        JointPermission::query()->truncate();
 
-        $this->assertDatabaseMissing('entity_permissions_collapsed', ['entity_id' => $page->id]);
+        $this->assertDatabaseMissing('joint_permissions', ['entity_id' => $page->id]);
 
         $exitCode = Artisan::call('bookstack:regenerate-permissions');
         $this->assertTrue($exitCode === 0, 'Command executed successfully');
 
-        $this->assertDatabaseHas('entity_permissions_collapsed', [
+        $this->assertDatabaseHas('joint_permissions', [
             'entity_id' => $page->id,
-            'user_id' => $editor->id,
-            'view' => 1,
+            'entity_type' => 'page',
+            'role_id' => $role->id,
+            'has_permission' => 1,
         ]);
 
-        CollapsedPermission::query()->truncate();
+        $page->permissions()->delete();
+        $page->rebuildPermissions();
+
         DB::beginTransaction();
     }
 }
@@ -21,6 +21,7 @@ public function test_shelves_shows_in_header_if_have_view_permissions()
         $this->withHtml($resp)->assertElementContains('header', 'Shelves');
 
         $viewer->roles()->delete();
+        $this->permissions->grantUserRolePermissions($viewer, []);
         $resp = $this->actingAs($viewer)->get('/');
         $this->withHtml($resp)->assertElementNotContains('header', 'Shelves');
 
 
@@ -85,7 +85,7 @@ public function setEntityPermissions(Entity $entity, array $actions = [], array
 
         if (!$inherit) {
             // Set default permissions to not allow actions so that only the provided role permissions are at play.
-            $permissions[] = ['role_id' => null, 'user_id' => null, 'view' => false, 'create' => false, 'update' => false, 'delete' => false];
+            $permissions[] = ['role_id' => 0, 'view' => false, 'create' => false, 'update' => false, 'delete' => false];
         }
 
         foreach ($roles as $role) {
@@ -95,9 +95,9 @@ public function setEntityPermissions(Entity $entity, array $actions = [], array
         $this->addEntityPermissionEntries($entity, $permissions);
     }
 
-    public function addEntityPermission(Entity $entity, array $actionList, ?Role $role = null, ?User $user = null)
+    public function addEntityPermission(Entity $entity, array $actionList, Role $role)
     {
-        $permissionData = $this->actionListToEntityPermissionData($actionList, $role->id ?? null, $user->id ?? null);
+        $permissionData = $this->actionListToEntityPermissionData($actionList, $role->id);
         $this->addEntityPermissionEntries($entity, [$permissionData]);
     }
 
@@ -107,7 +107,7 @@ public function addEntityPermission(Entity $entity, array $actionList, ?Role $ro
      */
     public function disableEntityInheritedPermissions(Entity $entity): void
     {
-        $entity->permissions()->whereNull(['user_id', 'role_id'])->delete();
+        $entity->permissions()->where('role_id', '=', 0)->delete();
         $fallback = $this->actionListToEntityPermissionData([]);
         $this->addEntityPermissionEntries($entity, [$fallback]);
     }
@@ -124,9 +124,9 @@ protected function addEntityPermissionEntries(Entity $entity, array $entityPermi
      * the format to entity permission data, where permission is granted if the action is in the
      * given actionList array.
      */
-    protected function actionListToEntityPermissionData(array $actionList, int $roleId = null, int $userId = null): array
+    protected function actionListToEntityPermissionData(array $actionList, int $roleId = 0): array
     {
-        $permissionData = ['role_id' => $roleId, 'user_id' => $userId];
+        $permissionData = ['role_id' => $roleId];
         foreach (EntityPermission::PERMISSIONS as $possibleAction) {
             $permissionData[$possibleAction] = in_array($possibleAction, $actionList);
         }
 
@@ -379,19 +379,17 @@ protected function entityRestrictionFormTest(string $model, string $title, strin
 
         $this->put($modelInstance->getUrl('/permissions'), [
             'permissions' => [
-                'role' => [
-                    $roleId => [
-                        $permission => 'true',
-                    ],
+                $roleId => [
+                    $permission => 'true',
                 ],
             ],
         ]);
 
         $this->assertDatabaseHas('entity_permissions', [
-            'entity_id'   => $modelInstance->id,
-            'entity_type' => $modelInstance->getMorphClass(),
-            'role_id'           => $roleId,
-            $permission         => true,
+            'entity_id'      => $modelInstance->id,
+            'entity_type'    => $modelInstance->getMorphClass(),
+            'role_id'        => $roleId,
+            $permission => true,
         ]);
     }
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ public function setEntityPermissions(Entity $entity, array $actions = [], array`
`85`	`85`
`86`	`86`	`if (!$inherit) {`
`87`	`87`	`// Set default permissions to not allow actions so that only the provided role permissions are at play.`
`88`		`- $permissions[] = ['role_id' => null, 'user_id' => null, 'view' => false, 'create' => false, 'update' => false, 'delete' => false];`
	`88`	`+ $permissions[] = ['role_id' => 0, 'view' => false, 'create' => false, 'update' => false, 'delete' => false];`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`foreach ($roles as $role) {`
`@@ -95,9 +95,9 @@ public function setEntityPermissions(Entity $entity, array $actions = [], array`
`95`	`95`	`$this->addEntityPermissionEntries($entity, $permissions);`
`96`	`96`	`}`
`97`	`97`
`98`		`- public function addEntityPermission(Entity $entity, array $actionList, ?Role $role = null, ?User $user = null)`
	`98`	`+ public function addEntityPermission(Entity $entity, array $actionList, Role $role)`
`99`	`99`	`{`
`100`		`- $permissionData = $this->actionListToEntityPermissionData($actionList, $role->id ?? null, $user->id ?? null);`
	`100`	`+ $permissionData = $this->actionListToEntityPermissionData($actionList, $role->id);`
`101`	`101`	`$this->addEntityPermissionEntries($entity, [$permissionData]);`
`102`	`102`	`}`
`103`	`103`
`@@ -107,7 +107,7 @@ public function addEntityPermission(Entity $entity, array $actionList, ?Role $ro`
`107`	`107`	`*/`
`108`	`108`	`public function disableEntityInheritedPermissions(Entity $entity): void`
`109`	`109`	`{`
`110`		`- $entity->permissions()->whereNull(['user_id', 'role_id'])->delete();`
	`110`	`+ $entity->permissions()->where('role_id', '=', 0)->delete();`
`111`	`111`	`$fallback = $this->actionListToEntityPermissionData([]);`
`112`	`112`	`$this->addEntityPermissionEntries($entity, [$fallback]);`
`113`	`113`	`}`
`@@ -124,9 +124,9 @@ protected function addEntityPermissionEntries(Entity $entity, array $entityPermi`
`124`	`124`	`* the format to entity permission data, where permission is granted if the action is in the`
`125`	`125`	`* given actionList array.`
`126`	`126`	`*/`
`127`		`- protected function actionListToEntityPermissionData(array $actionList, int $roleId = null, int $userId = null): array`
	`127`	`+ protected function actionListToEntityPermissionData(array $actionList, int $roleId = 0): array`
`128`	`128`	`{`
`129`		`- $permissionData = ['role_id' => $roleId, 'user_id' => $userId];`
	`129`	`+ $permissionData = ['role_id' => $roleId];`
`130`	`130`	`foreach (EntityPermission::PERMISSIONS as $possibleAction) {`
`131`	`131`	`$permissionData[$possibleAction] = in_array($possibleAction, $actionList);`
`132`	`132`	`}`