github-mirror/BookStack
github-mirror/BookStack
2
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-04-07 15:26:48 +08:00
Code Issues Actions 20 Packages Projects Releases Wiki Activity

Added test to cover secure restricted functionality

Browse Source
This commit is contained in:
Dan Brown 2022-09-02 14:03:23 +01:00
parent f28ed0ef0b
commit f88330202b
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
1 changed files with 50 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
tests/Uploads/ImageTest.php
View File

@ -327,6 +327,56 @@ class ImageTest extends TestCase
}
}
public function test_secure_restricted_images_inaccessible_without_relation_permission()
{
config()->set('filesystems.images', 'local_secure_restricted');
$this->asEditor();
$galleryFile = $this->getTestImage('my-secure-restricted-test-upload.png');
/** @var Page $page */
$page = Page::query()->first();
$upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
$upload->assertStatus(200);
$expectedUrl = url('uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-test-upload.png');
$expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-test-upload.png');
$this->get($expectedUrl)->assertOk();
$this->setEntityRestrictions($page, [], []);
$resp = $this->get($expectedUrl);
$resp->assertNotFound();
if (file_exists($expectedPath)) {
unlink($expectedPath);
}
}
public function test_thumbnail_path_handled_by_secure_restricted_images()
{
config()->set('filesystems.images', 'local_secure_restricted');
$this->asEditor();
$galleryFile = $this->getTestImage('my-secure-restricted-thumb-test-test.png');
/** @var Page $page */
$page = Page::query()->first();
$upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
$upload->assertStatus(200);
$expectedUrl = url('uploads/images/gallery/' . date('Y-m') . '/thumbs-150-150/my-secure-restricted-thumb-test-test.png');
$expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-thumb-test-test.png');
$this->get($expectedUrl)->assertOk();
$this->setEntityRestrictions($page, [], []);
$resp = $this->get($expectedUrl);
$resp->assertNotFound();
if (file_exists($expectedPath)) {
unlink($expectedPath);
}
}
public function test_image_delete()
{
$page = Page::query()->first();