github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-23 13:03:45 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
16f6240782
discourse/spec/requests/uploads_controller_spec.rb

Failed to ignore revisions in .git-blame-ignore-revs.

702 lines
22 KiB
Ruby
Raw Normal View History

DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction
2019-04-30 08:27:42 +08:00
# frozen_string_literal: true
Prepare for separation of RSpec helper files Since rspec-rails 3, the default installation creates two helper files: * `spec_helper.rb` * `rails_helper.rb` `spec_helper.rb` is intended as a way of running specs that do not require Rails, whereas `rails_helper.rb` loads Rails (as Discourse's current `spec_helper.rb` does). For more information: https://www.relishapp.com/rspec/rspec-rails/docs/upgrade#default-helper-files In this commit, I've simply replaced all instances of `spec_helper` with `rails_helper`, and renamed the original `spec_helper.rb`. This brings the Discourse project closer to the standard usage of RSpec in a Rails app. At present, every spec relies on loading Rails, but there are likely many that don't need to. In a future pull request, I hope to introduce a separate, minimal `spec_helper.rb` which can be used in tests which don't rely on Rails.
2015-10-11 17:41:23 +08:00
require 'rails_helper'
add UploadsController specs
2013-04-03 07:17:17 +08:00
describe UploadsController do
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
fab!(:user) { Fabricate(:user) }
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
describe '#create' do
proper content-disposition header when downloading attachments
2013-09-07 01:18:42 +08:00
it 'requires you to be logged in' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json"
FIX: return 429 when admin api key is limited on admin route This also handles a general case where exceptions leak out prior to being handled by the application controller
2018-01-12 11:15:10 +08:00
expect(response.status).to eq(403)
add UploadsController specs
2013-04-03 07:17:17 +08:00
end
proper content-disposition header when downloading attachments
2013-09-07 01:18:42 +08:00
context 'logged in' do
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
before do
sign_in(user)
end
add UploadsController specs
2013-04-03 07:17:17 +08:00
remove useless upload topic direct association
2013-06-15 15:54:49 +08:00
let(:logo) do
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 12:06:56 +08:00
Rack::Test::UploadedFile.new(file_from_fixtures("logo.png"))
add UploadsController specs
2013-04-03 07:17:17 +08:00
end
SECURITY: ensure we never accept fake images
2015-12-21 23:08:14 +08:00
let(:fake_jpg) do
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 12:06:56 +08:00
Rack::Test::UploadedFile.new(file_from_fixtures("fake.jpg"))
SECURITY: ensure we never accept fake images
2015-12-21 23:08:14 +08:00
end
remove useless upload topic direct association
2013-06-15 15:54:49 +08:00
let(:text_file) do
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 12:06:56 +08:00
Rack::Test::UploadedFile.new(File.new("#{Rails.root}/LICENSE.txt"))
remove useless upload topic direct association
2013-06-15 15:54:49 +08:00
end
add UploadsController specs
2013-04-03 07:17:17 +08:00
replace the upload type whitelist with a sanitizer
2017-05-18 18:13:13 +08:00
it 'expects a type' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: { file: logo }
expect(response.status).to eq(400)
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation.
2017-08-23 04:40:01 +08:00
end
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-20 07:39:58 +08:00
it 'is successful with an image' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: { file: logo, type: "avatar" }
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-20 07:39:58 +08:00
expect(response.status).to eq 200
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
expect(response.parsed_body["id"]).to be_present
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(1)
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-20 07:39:58 +08:00
end
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive
2014-04-30 01:12:35 +08:00
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-20 07:39:58 +08:00
it 'is successful with an attachment' do
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-13 04:41:29 +08:00
SiteSetting.authorized_extensions = "*"
FEATURE: generate (avatar) thumbnails in a background task FIX: keep the "uploading..." indicator until the server replies via the MessageBus FIX: text was disapearing when uploading an avatar PERF: always use a region for S3 (defaults to 'us-east-1') FEATURE: ApplyCDN middleware when using S3 FIX: use the same pattern to store files on S3 and locally PERF: keep a local cache of uploads when generating thumbnails FEATURE: migrate_to_s3 rake task
2015-05-25 23:59:00 +08:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: { file: text_file, type: "composer" }
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-20 07:39:58 +08:00
expect(response.status).to eq 200
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
id = response.parsed_body["id"]
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-27 09:43:18 +08:00
expect(id).to be
FIX: Allow api to send uploads with :url
2015-06-21 19:52:52 +08:00
end
FIX: don't double request when downloading a file
2018-02-24 19:35:57 +08:00
it 'is successful with api' do
Support Ruby 2.4.
2017-04-15 12:11:02 +08:00
SiteSetting.authorized_extensions = "*"
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
api_key = Fabricate(:api_key, user: user).key
Use webmock to stub external web requests.
2017-05-26 15:19:09 +08:00
FIX: don't double request when downloading a file
2018-02-24 19:35:57 +08:00
url = "http://example.com/image.png"
png = File.read(Rails.root + "spec/fixtures/images/logo.png")
stub_request(:get, url).to_return(status: 200, body: png)
FIX: Allow api to send uploads with :url
2015-06-21 19:52:52 +08:00
DEPRECATION: Remove support for api creds in query params (#9106) * DEPRECATION: Remove support for api creds in query params This commit removes support for api credentials in query params except for a few whitelisted routes like rss/json feeds and the handle_mail route. Several tests were written to valid these changes, but the bulk of the spec changes are just switching them over to use header based auth so that they will pass without changing what they were actually testing. Original commit that notified admins this change was coming was created over 3 months ago: 2db20031879dbafd1a90cbb1a43bca55d51c1b08 * fix tests * Also allow iCalendar feeds Co-authored-by: Rafael dos Santos Silva <xfalcox@gmail.com>
2020-04-07 06:55:44 +08:00
post "/uploads.json", params: { url: url, type: "avatar" }, headers: {
HTTP_API_KEY: api_key,
HTTP_API_USERNAME: user.username.downcase
}
FIX: Allow api to send uploads with :url
2015-06-21 19:52:52 +08:00
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
json = response.parsed_body
FIX: Allow api to send uploads with :url
2015-06-21 19:52:52 +08:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
expect(response.status).to eq(200)
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(1)
expect(json["id"]).to be_present
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation.
2017-08-23 04:40:01 +08:00
expect(json["short_url"]).to eq("upload://qUm0DGR49PAZshIi7HxMd3cAlzn.png")
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-20 07:39:58 +08:00
end
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive
2014-04-30 01:12:35 +08:00
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-20 07:39:58 +08:00
it 'correctly sets retain_hours for admins' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
sign_in(Fabricate(:admin))
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive
2014-04-30 01:12:35 +08:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: {
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-27 09:43:18 +08:00
file: logo,
retain_hours: 100,
type: "profile_background",
}
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive
2014-04-30 01:12:35 +08:00
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
id = response.parsed_body["id"]
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-20 07:39:58 +08:00
expect(Upload.find(id).retain_hours).to eq(100)
remove useless upload topic direct association
2013-06-15 15:54:49 +08:00
end
add UploadsController specs
2013-04-03 07:17:17 +08:00
FIX: ensure a file is present when creating an upload
2015-08-18 17:39:51 +08:00
it 'requires a file' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: { type: "composer" }
FIX: ensure a file is present when creating an upload
2015-08-18 17:39:51 +08:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
message = response.parsed_body
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-27 09:43:18 +08:00
expect(response.status).to eq 422
expect(message["errors"]).to contain_exactly(I18n.t("upload.file_missing"))
FIX: ensure a file is present when creating an upload
2015-08-18 17:39:51 +08:00
end
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-20 07:39:58 +08:00
it 'properly returns errors' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
SiteSetting.authorized_extensions = "*"
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-13 04:41:29 +08:00
SiteSetting.max_attachment_size_kb = 1
add UploadsController specs
2013-04-03 07:17:17 +08:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: { file: text_file, type: "avatar" }
FEATURE: generate (avatar) thumbnails in a background task FIX: keep the "uploading..." indicator until the server replies via the MessageBus FIX: text was disapearing when uploading an avatar PERF: always use a region for S3 (defaults to 'us-east-1') FEATURE: ApplyCDN middleware when using S3 FIX: use the same pattern to store files on S3 and locally PERF: keep a local cache of uploads when generating thumbnails FEATURE: migrate_to_s3 rake task
2015-05-25 23:59:00 +08:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
expect(response.status).to eq(422)
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
errors = response.parsed_body["errors"]
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
expect(errors.first).to eq(I18n.t("upload.attachments.too_large", max_size_kb: 1))
add UploadsController specs
2013-04-03 07:17:17 +08:00
end
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side
2015-11-12 17:26:45 +08:00
it 'ensures allow_uploaded_avatars is enabled when uploading an avatar' do
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-13 04:41:29 +08:00
SiteSetting.allow_uploaded_avatars = false
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: { file: logo, type: "avatar" }
expect(response.status).to eq(422)
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side
2015-11-12 17:26:45 +08:00
end
it 'ensures sso_overrides_avatar is not enabled when uploading an avatar' do
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-13 04:41:29 +08:00
SiteSetting.sso_overrides_avatar = true
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: { file: logo, type: "avatar" }
expect(response.status).to eq(422)
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side
2015-11-12 17:26:45 +08:00
end
FIX: Always allow admins upload selectable avatars.
2018-12-05 20:35:59 +08:00
it 'always allows admins to upload avatars' do
sign_in(Fabricate(:admin))
SiteSetting.allow_uploaded_avatars = false
post "/uploads.json", params: { file: logo, type: "avatar" }
expect(response.status).to eq(200)
end
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-13 04:41:29 +08:00
it 'allows staff to upload any file in PM' do
SiteSetting.authorized_extensions = "jpg"
SiteSetting.allow_staff_to_upload_any_file_in_pm = true
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
user.update_columns(moderator: true)
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-13 04:41:29 +08:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: {
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-27 09:43:18 +08:00
file: text_file,
type: "composer",
for_private_message: "true",
}
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-13 04:41:29 +08:00
DEV: Assert for 200 response code to avoid changing magic helper in the future.
2018-06-07 16:11:09 +08:00
expect(response.status).to eq(200)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
id = response.parsed_body["id"]
FEATURE: Upload Site Settings. (#6573)
2018-11-14 15:03:02 +08:00
expect(Upload.last.id).to eq(id)
end
it 'allows staff to upload supported images for site settings' do
SiteSetting.authorized_extensions = ''
user.update!(admin: true)
post "/uploads.json", params: {
file: logo,
type: "site_setting",
for_site_setting: "true",
}
expect(response.status).to eq(200)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
id = response.parsed_body["id"]
FEATURE: Upload Site Settings. (#6573)
2018-11-14 15:03:02 +08:00
upload = Upload.last
expect(upload.id).to eq(id)
expect(upload.original_filename).to eq('logo.png')
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-13 04:41:29 +08:00
end
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 17:44:24 +08:00
it 'respects `authorized_extensions_for_staff` setting when staff upload file' do
SiteSetting.authorized_extensions = ""
SiteSetting.authorized_extensions_for_staff = "*"
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
user.update_columns(moderator: true)
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 17:44:24 +08:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: {
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 17:44:24 +08:00
file: text_file,
type: "composer",
}
DEV: Assert for 200 response code to avoid changing magic helper in the future.
2018-06-07 16:11:09 +08:00
expect(response.status).to eq(200)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
data = response.parsed_body
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
expect(data["id"]).to be_present
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 17:44:24 +08:00
end
it 'ignores `authorized_extensions_for_staff` setting when non-staff upload file' do
SiteSetting.authorized_extensions = ""
SiteSetting.authorized_extensions_for_staff = "*"
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: {
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 17:44:24 +08:00
file: text_file,
type: "composer",
}
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
data = response.parsed_body
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 17:44:24 +08:00
expect(data["errors"].first).to eq(I18n.t("upload.unauthorized", authorized_extensions: ''))
end
SECURITY: ensure we never accept fake images
2015-12-21 23:08:14 +08:00
it 'returns an error when it could not determine the dimensions of an image' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
post "/uploads.json", params: { file: fake_jpg, type: "composer" }
SECURITY: ensure we never accept fake images
2015-12-21 23:08:14 +08:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
expect(response.status).to eq(422)
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
message = response.parsed_body["errors"]
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-27 09:43:18 +08:00
expect(message).to contain_exactly(I18n.t("upload.images.size_not_found"))
SECURITY: ensure we never accept fake images
2015-12-21 23:08:14 +08:00
end
add UploadsController specs
2013-04-03 07:17:17 +08:00
end
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
def upload_file(file, folder = "images")
fake_logo = Rack::Test::UploadedFile.new(file_from_fixtures(file, folder))
SiteSetting.authorized_extensions = "*"
sign_in(user)
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
post "/uploads.json", params: {
file: fake_logo,
type: "composer",
}
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
expect(response.status).to eq(200)
DEV: Improve specs to use `upload_s3` fabricator.
2019-05-15 08:42:17 +08:00
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
url = response.parsed_body["url"]
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
upload = Upload.get_from_url(url)
upload
end
DEV: Improve specs to use `upload_s3` fabricator.
2019-05-15 08:42:17 +08:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
describe '#show' do
let(:site) { "default" }
let(:sha) { Digest::SHA1.hexdigest("discourse") }
FIX: consistent and future-proof upload storage pattern
2015-05-19 18:31:12 +08:00
FIX: return 404 only if upload url also not internal.
2019-05-15 04:36:54 +08:00
context "when using external storage" do
DEV: Improve specs to use `upload_s3` fabricator.
2019-05-15 08:42:17 +08:00
fab!(:upload) { upload_file("small.pdf", "pdf") }
FIX: return 404 only if upload url also not internal.
2019-05-15 04:36:54 +08:00
before do
SiteSetting.enable_s3_uploads = true
SiteSetting.s3_access_key_id = "fakeid7974664"
SiteSetting.s3_secret_access_key = "fakesecretid7974664"
end
FIX: consistent and future-proof upload storage pattern
2015-05-19 18:31:12 +08:00
DEV: Improve specs to use `upload_s3` fabricator.
2019-05-15 08:42:17 +08:00
it "returns 404 " do
upload = Fabricate(:upload_s3)
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
FIX: return 404 only if upload url also not internal.
2019-05-15 04:36:54 +08:00
expect(response.response_code).to eq(404)
end
it "returns upload if url not migrated" do
DEV: Improve specs to use `upload_s3` fabricator.
2019-05-15 08:42:17 +08:00
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
FIX: return 404 only if upload url also not internal.
2019-05-15 04:36:54 +08:00
expect(response.status).to eq(200)
end
proper content-disposition header when downloading attachments
2013-09-07 01:18:42 +08:00
end
add test case for handling uploads without extension
2016-12-20 02:39:04 +08:00
it "returns 404 when the upload doesn't exist" do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
get "/uploads/#{site}/#{sha}.pdf"
expect(response.status).to eq(404)
proper content-disposition header when downloading attachments
2013-09-07 01:18:42 +08:00
end
FIX: Better error handling if a file cannot be sent If for some reason `Discourse.store.path_for` returns `nil`, the forum would throw an error rather than returning 404. Why would it be `nil`? One cause could be changing the type of file store and having the `url` field no longer be relative.
2019-01-30 05:47:25 +08:00
it "returns 404 when the path is nil" do
upload = upload_file("logo.png")
upload.update_column(:url, "invalid-url")
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
expect(response.status).to eq(404)
end
proper content-disposition header when downloading attachments
2013-09-07 01:18:42 +08:00
it 'uses send_file' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
upload = upload_file("logo.png")
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
expect(response.status).to eq(200)
DEV: Add support for Rails 6 Minor fixes to add Rails 6 support to Discourse, we now will boot with RAILS_MASTER=1, all specs pass Only one tiny deprecation left Largest change was the way ActiveModel:Errors changed interface a bit but there is a simple backwards compat way of working it
2019-04-30 14:58:18 +08:00
FIX: Correctly encode non-ASCII filenames in HTTP header Backport of fix from Rails 6: https://github.com/rails/rails/commit/890485cfce4c361c03a41ec23b0ba187007818cc
2019-08-07 23:00:43 +08:00
expect(response.headers["Content-Disposition"])
.to eq(%Q|attachment; filename="logo.png"; filename*=UTF-8''logo.png|)
proper content-disposition header when downloading attachments
2013-09-07 01:18:42 +08:00
end
FIX: Allow themes to upload and serve js files (#8188) If you set `config.public_file_server.enabled = false` when you try to get uploaded js file you will get an error: `Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.` The reason is that content type is `application/javascript` and in Rails 5 guard looked like that: https://github.com/rails/rails/blob/5-2-stable/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L278-L280 However, in Rails 6 `application` was added to regex: https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L282-L284 This pull request is related to https://meta.discourse.org/t/uploaded-js-file-for-theme-causes-a-rejection/129753/8
2019-10-14 12:40:33 +08:00
it 'returns 200 when js file' do
Revert "FIX: public_file_server.enabled is false in test (#8192)" (#8196) This reverts commit 5a8fdd02fe209872b2e2452b9b83e227dfed1727.
2019-10-16 07:39:31 +08:00
ActionDispatch::FileHandler.any_instance.stubs(:match?).returns(false)
FIX: Allow themes to upload and serve js files (#8188) If you set `config.public_file_server.enabled = false` when you try to get uploaded js file you will get an error: `Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.` The reason is that content type is `application/javascript` and in Rails 5 guard looked like that: https://github.com/rails/rails/blob/5-2-stable/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L278-L280 However, in Rails 6 `application` was added to regex: https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L282-L284 This pull request is related to https://meta.discourse.org/t/uploaded-js-file-for-theme-causes-a-rejection/129753/8
2019-10-14 12:40:33 +08:00
upload = upload_file("test.js", "themes")
get upload.url
expect(response.status).to eq(200)
end
correct specs
2018-08-20 10:41:46 +08:00
it "handles image without extension" do
add test case for handling uploads without extension
2016-12-20 02:39:04 +08:00
SiteSetting.authorized_extensions = "*"
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
upload = upload_file("image_no_extension")
add test case for handling uploads without extension
2016-12-20 02:39:04 +08:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
get "/uploads/#{site}/#{upload.sha1}.json"
expect(response.status).to eq(200)
FIX: Correctly encode non-ASCII filenames in HTTP header Backport of fix from Rails 6: https://github.com/rails/rails/commit/890485cfce4c361c03a41ec23b0ba187007818cc
2019-08-07 23:00:43 +08:00
expect(response.headers["Content-Disposition"])
.to eq(%Q|attachment; filename="image_no_extension.png"; filename*=UTF-8''image_no_extension.png|)
correct specs
2018-08-20 10:41:46 +08:00
end
it "handles file without extension" do
SiteSetting.authorized_extensions = "*"
upload = upload_file("not_an_image")
get "/uploads/#{site}/#{upload.sha1}.json"
expect(response.status).to eq(200)
FIX: Correctly encode non-ASCII filenames in HTTP header Backport of fix from Rails 6: https://github.com/rails/rails/commit/890485cfce4c361c03a41ec23b0ba187007818cc
2019-08-07 23:00:43 +08:00
expect(response.headers["Content-Disposition"])
.to eq(%Q|attachment; filename="not_an_image"; filename*=UTF-8''not_an_image|)
add test case for handling uploads without extension
2016-12-20 02:39:04 +08:00
end
FEATURE: new 'prevent anons from download files' site setting
2014-09-10 00:40:11 +08:00
context "prevent anons from downloading files" do
it "returns 404 when an anonymous user tries to download a file" do
DEV: fix and skip upload_controller test This test of `prevent_anons_from_downloading_files` was testing an image instead of an attachment and it was testing the wrong upload URL. I fixed the test, but with `config.public_file_server.enabled = true` on the test environment, this will always fail, as preventing anonymous file downloads depends on nginx. So, I marked the test as skipped, for now.
2019-04-19 00:58:39 +08:00
upload = upload_file("small.pdf", "pdf")
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
delete "/session/#{user.username}.json"
FIX: consistent and future-proof upload storage pattern
2015-05-19 18:31:12 +08:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
SiteSetting.prevent_anons_from_downloading_files = true
FEATURE: Support private attachments when using S3 storage (#7677) * Support private uploads in S3 * Use localStore for local avatars * Add job to update private upload ACL on S3 * Test multisite paths * update ACL for private uploads in migrate_to_s3 task
2019-06-06 11:27:24 +08:00
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
expect(response.status).to eq(404)
FEATURE: new 'prevent anons from download files' site setting
2014-09-10 00:40:11 +08:00
end
end
proper content-disposition header when downloading attachments
2013-09-07 01:18:42 +08:00
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
describe "#show_short" do
SECURITY: Ensure only image uploads can be inlined This prevents malicious files (for example special crafted XMLs) to be used in XSS attacks.
2019-12-11 21:21:41 +08:00
it 'inlines only supported image files' do
upload = upload_file("smallest.png")
get upload.short_path, params: { inline: true }
expect(response.header['Content-Type']).to eq('image/png')
expect(response.header['Content-Disposition']).to include('inline;')
upload.update!(original_filename: "test.xml")
get upload.short_path, params: { inline: true }
expect(response.header['Content-Type']).to eq('application/xml')
expect(response.header['Content-Disposition']).to include('attachment;')
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
describe "local store" do
fab!(:image_upload) { upload_file("smallest.png") }
it "returns the right response" do
get image_upload.short_path
expect(response.status).to eq(200)
expect(response.headers["Content-Disposition"])
.to include("attachment; filename=\"#{image_upload.original_filename}\"")
end
it "returns the right response when `inline` param is given" do
get "#{image_upload.short_path}?inline=1"
expect(response.status).to eq(200)
expect(response.headers["Content-Disposition"])
.to include("inline; filename=\"#{image_upload.original_filename}\"")
end
it "returns the right response when base62 param is invalid " do
get "/uploads/short-url/12345.png"
expect(response.status).to eq(404)
end
FIX: allow underscore in file extension while downloading the uploads.
2020-01-03 12:39:07 +08:00
it "returns uploads with underscore in extension correctly" do
fake_upload = upload_file("fake.not_image")
get fake_upload.short_path
expect(response.status).to eq(200)
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
it "returns the right response when anon tries to download a file " \
FIX: Change secure media to encompass attachments as well (#9271) If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-26 05:16:02 +08:00
"when prevent_anons_from_downloading_files is true" do
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
delete "/session/#{user.username}.json"
SiteSetting.prevent_anons_from_downloading_files = true
get image_upload.short_path
expect(response.status).to eq(404)
end
end
describe "s3 store" do
let(:upload) { Fabricate(:upload_s3) }
before do
SiteSetting.enable_s3_uploads = true
SiteSetting.s3_access_key_id = "fakeid7974664"
SiteSetting.s3_secret_access_key = "fakesecretid7974664"
end
it "should redirect to the s3 URL" do
get upload.short_path
expect(response).to redirect_to(upload.url)
end
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 11:50:27 +08:00
context "when upload is secure and secure media enabled" do
before do
SiteSetting.secure_media = true
upload.update(secure: true)
stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
end
it "redirects to the signed_url_for_path" do
FIX: Change secure media to encompass attachments as well (#9271) If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-26 05:16:02 +08:00
sign_in(user)
DEV: Fix flaky `signed_url_for_path` spec AWS gem uses internally `Time.now` to generate the presigned URLs, so often two consecutive calls with the same params would give different results.
2020-03-11 06:22:26 +08:00
freeze_time
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 11:50:27 +08:00
get upload.short_path
expect(response).to redirect_to(Discourse.store.signed_url_for_path(Discourse.store.get_path_for_upload(upload)))
end
UX: Allow secure media URLs to be cached for a short period of time Signed S3 URLs are valid for 15 seconds, so we can safely allow the browser to cache them for 10 seconds. This should help with large numbers of requests when composing a post with many images.
2020-05-18 22:00:41 +08:00
it "has the correct caching header" do
sign_in(user)
get upload.short_path
expected_max_age = S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS - UploadsController::SECURE_REDIRECT_GRACE_SECONDS
expect(expected_max_age).to be > 0 # Sanity check that the constants haven't been set to broken values
expect(response.headers["Cache-Control"]).to eq("max-age=#{expected_max_age}, private")
end
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 11:50:27 +08:00
it "raises invalid access if the user cannot access the upload access control post" do
FIX: Change secure media to encompass attachments as well (#9271) If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-26 05:16:02 +08:00
sign_in(user)
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 11:50:27 +08:00
post = Fabricate(:post)
post.topic.change_category_to_id(Fabricate(:private_category, group: Fabricate(:group)).id)
upload.update(access_control_post: post)
get upload.short_path
expect(response.code).to eq("403")
end
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
end
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
describe "#show_secure" do
describe "local store" do
fab!(:image_upload) { upload_file("smallest.png") }
it "does not return secure media when using local store" do
secure_url = image_upload.url.sub("/uploads", "/secure-media-uploads")
get secure_url
expect(response.status).to eq(404)
end
end
describe "s3 store" do
let(:upload) { Fabricate(:upload_s3) }
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 11:50:27 +08:00
let(:secure_url) { upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads") }
def sign_in_and_stub_head
sign_in(user)
FIX: Change secure media to encompass attachments as well (#9271) If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-26 05:16:02 +08:00
stub_head
end
def stub_head
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 11:50:27 +08:00
stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
before do
FIX: Change secure media to encompass attachments as well (#9271) If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-26 05:16:02 +08:00
SiteSetting.authorized_extensions = "*"
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
SiteSetting.enable_s3_uploads = true
SiteSetting.s3_upload_bucket = "s3-upload-bucket"
SiteSetting.s3_access_key_id = "fakeid7974664"
SiteSetting.s3_secret_access_key = "fakesecretid7974664"
DEV: Bump aws-sdk-sns from 1.13.0 to 1.21.0 (#8490) Bumps [aws-sdk-sns](https://github.com/aws/aws-sdk-ruby) from 1.13.0 to 1.21.0. - [Release notes](https://github.com/aws/aws-sdk-ruby/releases) - [Changelog](https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-sns/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-ruby/compare/1.13.0...1.21.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-12-11 22:13:17 +08:00
SiteSetting.s3_region = "us-east-1"
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
SiteSetting.secure_media = true
end
it "should return 404 for anonymous requests requests" do
get secure_url
expect(response.status).to eq(404)
end
it "should return signed url for legitimate request" do
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 11:50:27 +08:00
sign_in_and_stub_head
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
get secure_url
expect(response.status).to eq(302)
expect(response.redirect_url).to match("Amz-Expires")
end
it "should return secure media URL when looking up urls" do
upload.update_column(:secure, true)
sign_in(user)
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
expect(response.status).to eq(200)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
result = response.parsed_body
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
expect(result[0]["url"]).to match("secure-media-uploads")
end
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-07 10:27:24 +08:00
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 11:50:27 +08:00
context "when the upload cannot be found from the URL" do
it "returns a 404" do
sign_in_and_stub_head
upload.update(sha1: 'test')
get secure_url
expect(response.status).to eq(404)
end
end
context "when the access_control_post_id has been set for the upload" do
let(:post) { Fabricate(:post) }
let!(:private_category) { Fabricate(:private_category, group: Fabricate(:group)) }
before do
sign_in_and_stub_head
upload.update(access_control_post_id: post.id)
end
context "when the user has access to the post via guardian" do
it "should return signed url for legitimate request" do
sign_in_and_stub_head
get secure_url
expect(response.status).to eq(302)
expect(response.redirect_url).to match("Amz-Expires")
end
end
context "when the user does not have access to the post via guardian" do
before do
post.topic.change_category_to_id(private_category.id)
end
it "returns a 403" do
sign_in_and_stub_head
get secure_url
expect(response.status).to eq(403)
end
end
end
FIX: Change secure media to encompass attachments as well (#9271) If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-26 05:16:02 +08:00
context "when the upload is an attachment file" do
before do
upload.update(original_filename: 'test.pdf')
end
it "redirects to the signed_url_for_path" do
sign_in_and_stub_head
get secure_url
expect(response.status).to eq(302)
expect(response.redirect_url).to match("Amz-Expires")
end
context "when the user does not have access to the access control post via guardian" do
let(:post) { Fabricate(:post) }
let!(:private_category) { Fabricate(:private_category, group: Fabricate(:group)) }
before do
post.topic.change_category_to_id(private_category.id)
upload.update(access_control_post_id: post.id)
end
it "returns a 403" do
sign_in_and_stub_head
get secure_url
expect(response.status).to eq(403)
end
end
context "when the prevent_anons_from_downloading_files setting is enabled and the user is anon" do
before do
SiteSetting.prevent_anons_from_downloading_files = true
end
it "returns a 404" do
stub_head
delete "/session/#{user.username}.json"
get secure_url
expect(response.status).to eq(404)
end
end
end
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-07 10:27:24 +08:00
context "when secure media is disabled" do
before do
SiteSetting.secure_media = false
end
Still redirect to signed URL for secure uploads if SiteSetting.secure_media is disabled we still want to redirect to the signed url for uploads that are marked as secure because their ACLs are probably still private
2020-01-07 12:02:17 +08:00
context "if the upload is secure false, meaning the ACL is probably public" do
before do
upload.update(secure: false)
end
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-07 10:27:24 +08:00
Still redirect to signed URL for secure uploads if SiteSetting.secure_media is disabled we still want to redirect to the signed url for uploads that are marked as secure because their ACLs are probably still private
2020-01-07 12:02:17 +08:00
it "should redirect to the regular show route" do
secure_url = upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads")
sign_in(user)
stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-07 10:27:24 +08:00
Still redirect to signed URL for secure uploads if SiteSetting.secure_media is disabled we still want to redirect to the signed url for uploads that are marked as secure because their ACLs are probably still private
2020-01-07 12:02:17 +08:00
get secure_url
expect(response.status).to eq(302)
expect(response.redirect_url).to eq(Discourse.store.cdn_url(upload.url))
end
end
context "if the upload is secure true, meaning the ACL is probably private" do
before do
upload.update(secure: true)
end
it "should redirect to the presigned URL still otherwise we will get a 403" do
secure_url = upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads")
sign_in(user)
stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
get secure_url
expect(response.status).to eq(302)
expect(response.redirect_url).to match("Amz-Expires")
end
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-07 10:27:24 +08:00
end
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
end
end
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
describe '#lookup_urls' do
it 'can look up long urls' do
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
sign_in(user)
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
upload = Fabricate(:upload)
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
expect(response.status).to eq(200)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
result = response.parsed_body
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
expect(result[0]["url"]).to eq(upload.url)
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
expect(result[0]["short_path"]).to eq(upload.short_path)
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
describe 'secure media' do
let(:upload) { Fabricate(:upload_s3, secure: true) }
before do
SiteSetting.authorized_extensions = "pdf|png"
SiteSetting.s3_upload_bucket = "s3-upload-bucket"
SiteSetting.s3_access_key_id = "s3-access-key-id"
SiteSetting.s3_secret_access_key = "s3-secret-access-key"
SiteSetting.enable_s3_uploads = true
SiteSetting.secure_media = true
end
it 'returns secure url for a secure media upload' do
sign_in(user)
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
expect(response.status).to eq(200)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
result = response.parsed_body
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
expect(result[0]["url"]).to match("/secure-media-uploads")
expect(result[0]["short_path"]).to eq(upload.short_path)
end
FIX: Use full URL for secure attachments when secure media enabled (#9037) When secure media is enabled and an attachment is marked as secure we want to use the full url instead of the short-url so we get the same access control post protections as secure media uploads.
2020-03-04 07:11:08 +08:00
it 'returns secure urls for non-media uploads' do
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
upload.update!(original_filename: "not-an-image.pdf", extension: "pdf")
sign_in(user)
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
expect(response.status).to eq(200)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
result = response.parsed_body
FIX: Use full URL for secure attachments when secure media enabled (#9037) When secure media is enabled and an attachment is marked as secure we want to use the full url instead of the short-url so we get the same access control post protections as secure media uploads.
2020-03-04 07:11:08 +08:00
expect(result[0]["url"]).to match("/secure-media-uploads")
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
expect(result[0]["short_path"]).to eq(upload.short_path)
end
end
REFACTOR: uploads controller specs to requests (#5907)
2018-06-04 11:13:52 +08:00
end
UX: Lightbox support for image uploader. (#7034)
2019-02-21 10:13:37 +08:00
describe '#metadata' do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-07 11:12:20 +08:00
fab!(:upload) { Fabricate(:upload) }
UX: Lightbox support for image uploader. (#7034)
2019-02-21 10:13:37 +08:00
describe 'when url is missing' do
it 'should return the right response' do
post "/uploads/lookup-metadata.json"
expect(response.status).to eq(403)
end
end
describe 'when not signed in' do
it 'should return the right response' do
post "/uploads/lookup-metadata.json", params: { url: upload.url }
expect(response.status).to eq(403)
end
end
describe 'when signed in' do
before do
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
sign_in(user)
UX: Lightbox support for image uploader. (#7034)
2019-02-21 10:13:37 +08:00
end
describe 'when url is invalid' do
it 'should return the right response' do
post "/uploads/lookup-metadata.json", params: { url: 'abc' }
expect(response.status).to eq(404)
end
end
it "should return the right response" do
post "/uploads/lookup-metadata.json", params: { url: upload.url }
expect(response.status).to eq(200)
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 23:04:12 +08:00
result = response.parsed_body
UX: Lightbox support for image uploader. (#7034)
2019-02-21 10:13:37 +08:00
expect(result["original_filename"]).to eq(upload.original_filename)
expect(result["width"]).to eq(upload.width)
expect(result["height"]).to eq(upload.height)
expect(result["human_filesize"]).to eq(upload.human_filesize)
end
end
end
add UploadsController specs
2013-04-03 07:17:17 +08:00
end
Reference in New Issue Copy Permalink