diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 85847f9b71c..25dbfc50015 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,7 +32,7 @@ jobs:
 - name: Get Changelog
 id: changelog
- uses: statamic/changelog-action@5d112d0d790cdeeb5adca3e584e37edc474ab51b # v1
+ uses: statamic/changelog-action@5d112d0d790cdeeb5adca3e584e37edc474ab51b # v1.0.2
 with:
 version: ${{ github.ref }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 1096a92ab5c..0b99f557e8f 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -77,7 +77,7 @@ jobs:
 run: sudo apt-get install language-pack-fr
 - name: Setup PHP
- uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
+ uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
 if: steps.should-run-tests.outputs.result == 'true'
 with:
 php-version: ${{ matrix.php }}
@@ -164,7 +164,7 @@ jobs:
 actions: read # required by workflow-conclusion-action to determine overall workflow status
 if: always()
 steps:
- - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3
+ - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3
 - name: Send Slack notification
 uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
 if: env.WORKFLOW_CONCLUSION == 'failure' && github.event_name == 'schedule'
diff --git a/resources/js/components/entries/PublishForm.vue b/resources/js/components/entries/PublishForm.vue
index bb2231865eb..641a0fa3b67 100644
--- a/resources/js/components/entries/PublishForm.vue
+++ b/resources/js/components/entries/PublishForm.vue
@@ -457,7 +457,7 @@ export default {
 },
 showLivePreviewButton() {
- return !this.isCreating && this.isBase && this.livePreviewUrl;
+ return !this.readOnly && !this.isCreating && this.isBase && this.livePreviewUrl;
 },
 showVisitUrlButton() {
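Review bot: The `!this.readOnly` guard added to `showLivePreviewButton()` in entries/PublishForm.vue, and the identical guard in terms/PublishForm.vue, only hides the button, and nothing next to it says so. A one-line comment would keep a later reader from treating it as the access control: `// UI only: the preview endpoint authorizes 'update' on the server.` The declaration of `readOnly` is outside both hunks, so confirm it is defined on the terms form as well as the entries form.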
diff --git a/resources/js/components/terms/PublishForm.vue b/resources/js/components/terms/PublishForm.vue
index 45241177764..a27a354789b 100644
--- a/resources/js/components/terms/PublishForm.vue
+++ b/resources/js/components/terms/PublishForm.vue
@@ -271,7 +271,7 @@ export default {
 },
 showLivePreviewButton() {
- return !this.isCreating && this.isBase && this.livePreviewUrl && this.showVisitUrlButton;
+ return !this.readOnly && !this.isCreating && this.isBase && this.livePreviewUrl && this.showVisitUrlButton;
 },
 showVisitUrlButton() {
diff --git a/src/Http/Controllers/CP/PreviewController.php b/src/Http/Controllers/CP/PreviewController.php
index c7d8b1dc3c5..6cc5569107a 100644
--- a/src/Http/Controllers/CP/PreviewController.php
+++ b/src/Http/Controllers/CP/PreviewController.php
@@ -18,7 +18,7 @@ public function show()
 public function edit(Request $request, $_, $data)
 {
- $this->authorize('view', $data);
+ $this->authorize('update', $data);
 $fields = $data->blueprint()
 ->fields()
diff --git a/tests/Feature/Entries/PreviewEntryTest.php b/tests/Feature/Entries/PreviewEntryTest.php
index 986b4aeaa28..9a54e70d680 100644
--- a/tests/Feature/Entries/PreviewEntryTest.php
+++ b/tests/Feature/Entries/PreviewEntryTest.php
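Review bot: In `PreviewController::edit()` the reason for requiring `update` is not recorded next to the `authorize` call, and because the action reads like a view it could plausibly be relaxed back to `view` in a later refactor. Judging by the new test, this action accepts unsaved field data and creates a live preview token, so I would add above the call: `// Preview takes unsaved edits and issues a preview token, so it needs edit rights, not view.` The body of `edit()` continues past the hunk and `show()` appears only in the hunk header, so whether another action in this controller reaches the tokenizer behind a weaker check cannot be confirmed from here and is worth checking before merge.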
@@ -181,6 +181,33 @@ public function it_sets_live_preview_to_true_if_theres_no_additional_data()
 );
 }
+ #[Test]
+ public function it_doesnt_create_a_token_without_edit_permission()
+ {
+ Collection::make('blog')->routes('/blog/{slug}')->save();
+
+ EntryFactory::id('the-entry')
+ ->collection('blog')
+ ->slug('the-existing-entry')
+ ->data(['title' => 'The Existing Entry'])
+ ->create();
+
+ LivePreview::shouldReceive('tokenize')->never();
+
+ $this->setTestRoles(['viewer' => ['access cp', 'view blog entries']]);
+ $user = User::make()->assignRole('viewer')->save();
+
+ $this
+ ->actingAs($user)
+ ->postJson('/cp/collections/blog/entries/the-entry/preview', [
+ 'preview' => [
+ 'title' => 'Edited title',
+ 'slug' => 'edited-slug',
+ ],
+ ])
+ ->assertForbidden();
+ }
+
 private function user()
 {
 $this->setTestRoles(['test' => ['access cp', 'create blog entries', 'edit blog entries']]);
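Review bot: `it_doesnt_create_a_token_without_edit_permission()` pins the entry preview route only, while the same commit changes the live preview button on the terms form and no server-side test for terms appears in this diff. If term previews are authorized through the same `edit()` action (not visible here), a matching test with a role limited to viewing terms would stop the two paths from drifting apart. It would also help to add a case for a user who can edit a different collection but only view `blog`, so the test proves the check is bound to the entry being previewed rather than to holding any edit permission. The `user()` helper below the new test is cut off by the end of the hunk.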