2019-04-30 08:27:42 +08:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2015-10-11 17:41:23 +08:00
|
|
|
require 'rails_helper'
|
2013-04-03 07:17:17 +08:00
|
|
|
|
|
|
|
describe UploadsController do
|
2019-05-29 09:00:25 +08:00
|
|
|
fab!(:user) { Fabricate(:user) }
|
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
describe '#create' do
|
2013-09-07 01:18:42 +08:00
|
|
|
it 'requires you to be logged in' do
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json"
|
2018-01-12 11:15:10 +08:00
|
|
|
expect(response.status).to eq(403)
|
2013-04-03 07:17:17 +08:00
|
|
|
end
|
|
|
|
|
2013-09-07 01:18:42 +08:00
|
|
|
context 'logged in' do
|
2019-05-29 09:00:25 +08:00
|
|
|
before do
|
|
|
|
sign_in(user)
|
|
|
|
end
|
2013-04-03 07:17:17 +08:00
|
|
|
|
2020-05-19 07:09:36 +08:00
|
|
|
let(:logo_file) { file_from_fixtures("logo.png") }
|
2013-06-15 15:54:49 +08:00
|
|
|
let(:logo) do
|
2020-05-19 07:09:36 +08:00
|
|
|
Rack::Test::UploadedFile.new(logo_file)
|
2013-04-03 07:17:17 +08:00
|
|
|
end
|
2020-05-19 07:09:36 +08:00
|
|
|
let(:logo_filename) { File.basename(logo_file) }
|
2013-04-03 07:17:17 +08:00
|
|
|
|
2015-12-21 23:08:14 +08:00
|
|
|
let(:fake_jpg) do
|
2017-08-31 12:06:56 +08:00
|
|
|
Rack::Test::UploadedFile.new(file_from_fixtures("fake.jpg"))
|
2015-12-21 23:08:14 +08:00
|
|
|
end
|
|
|
|
|
2013-06-15 15:54:49 +08:00
|
|
|
let(:text_file) do
|
2017-08-31 12:06:56 +08:00
|
|
|
Rack::Test::UploadedFile.new(File.new("#{Rails.root}/LICENSE.txt"))
|
2013-06-15 15:54:49 +08:00
|
|
|
end
|
2013-04-03 07:17:17 +08:00
|
|
|
|
2017-05-18 18:13:13 +08:00
|
|
|
it 'expects a type' do
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: { file: logo }
|
|
|
|
expect(response.status).to eq(400)
|
2017-08-23 04:40:01 +08:00
|
|
|
end
|
|
|
|
|
2015-05-20 07:39:58 +08:00
|
|
|
it 'is successful with an image' do
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: { file: logo, type: "avatar" }
|
2015-05-20 07:39:58 +08:00
|
|
|
expect(response.status).to eq 200
|
2020-05-07 23:04:12 +08:00
|
|
|
expect(response.parsed_body["id"]).to be_present
|
2018-06-04 11:13:52 +08:00
|
|
|
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(1)
|
2015-05-20 07:39:58 +08:00
|
|
|
end
|
2014-04-30 01:12:35 +08:00
|
|
|
|
2020-07-03 19:23:10 +08:00
|
|
|
it 'returns "raw" url for site settings' do
|
|
|
|
set_cdn_url "https://awesome.com"
|
|
|
|
post "/uploads.json", params: { file: logo, type: "site_setting", for_site_setting: "true" }
|
|
|
|
expect(response.status).to eq 200
|
|
|
|
expect(response.parsed_body["url"]).to start_with("/uploads/default/")
|
|
|
|
end
|
|
|
|
|
2020-07-02 09:06:14 +08:00
|
|
|
it 'returns cdn url' do
|
|
|
|
set_cdn_url "https://awesome.com"
|
|
|
|
post "/uploads.json", params: { file: logo, type: "composer" }
|
|
|
|
expect(response.status).to eq 200
|
|
|
|
expect(response.parsed_body["url"]).to start_with("https://awesome.com/uploads/default/")
|
|
|
|
end
|
|
|
|
|
2015-05-20 07:39:58 +08:00
|
|
|
it 'is successful with an attachment' do
|
2017-06-13 04:41:29 +08:00
|
|
|
SiteSetting.authorized_extensions = "*"
|
2015-05-25 23:59:00 +08:00
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: { file: text_file, type: "composer" }
|
2015-05-20 07:39:58 +08:00
|
|
|
expect(response.status).to eq 200
|
2018-06-04 11:13:52 +08:00
|
|
|
|
|
|
|
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
|
2020-05-07 23:04:12 +08:00
|
|
|
id = response.parsed_body["id"]
|
2017-11-27 09:43:18 +08:00
|
|
|
expect(id).to be
|
2015-06-21 19:52:52 +08:00
|
|
|
end
|
|
|
|
|
2018-02-24 19:35:57 +08:00
|
|
|
it 'is successful with api' do
|
2017-04-15 12:11:02 +08:00
|
|
|
SiteSetting.authorized_extensions = "*"
|
2018-06-04 11:13:52 +08:00
|
|
|
api_key = Fabricate(:api_key, user: user).key
|
2017-05-26 15:19:09 +08:00
|
|
|
|
2018-02-24 19:35:57 +08:00
|
|
|
url = "http://example.com/image.png"
|
|
|
|
png = File.read(Rails.root + "spec/fixtures/images/logo.png")
|
|
|
|
|
|
|
|
stub_request(:get, url).to_return(status: 200, body: png)
|
2015-06-21 19:52:52 +08:00
|
|
|
|
2020-04-07 06:55:44 +08:00
|
|
|
post "/uploads.json", params: { url: url, type: "avatar" }, headers: {
|
|
|
|
HTTP_API_KEY: api_key,
|
|
|
|
HTTP_API_USERNAME: user.username.downcase
|
|
|
|
}
|
2015-06-21 19:52:52 +08:00
|
|
|
|
2020-05-07 23:04:12 +08:00
|
|
|
json = response.parsed_body
|
2015-06-21 19:52:52 +08:00
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
expect(response.status).to eq(200)
|
|
|
|
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(1)
|
|
|
|
expect(json["id"]).to be_present
|
2017-08-23 04:40:01 +08:00
|
|
|
expect(json["short_url"]).to eq("upload://qUm0DGR49PAZshIi7HxMd3cAlzn.png")
|
2015-05-20 07:39:58 +08:00
|
|
|
end
|
2014-04-30 01:12:35 +08:00
|
|
|
|
2015-05-20 07:39:58 +08:00
|
|
|
it 'correctly sets retain_hours for admins' do
|
2018-06-04 11:13:52 +08:00
|
|
|
sign_in(Fabricate(:admin))
|
2014-04-30 01:12:35 +08:00
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: {
|
2017-11-27 09:43:18 +08:00
|
|
|
file: logo,
|
|
|
|
retain_hours: 100,
|
|
|
|
type: "profile_background",
|
|
|
|
}
|
2014-04-30 01:12:35 +08:00
|
|
|
|
2020-05-07 23:04:12 +08:00
|
|
|
id = response.parsed_body["id"]
|
2018-06-04 11:13:52 +08:00
|
|
|
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
|
2015-05-20 07:39:58 +08:00
|
|
|
expect(Upload.find(id).retain_hours).to eq(100)
|
2013-06-15 15:54:49 +08:00
|
|
|
end
|
2013-04-03 07:17:17 +08:00
|
|
|
|
2015-08-18 17:39:51 +08:00
|
|
|
it 'requires a file' do
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: { type: "composer" }
|
2015-08-18 17:39:51 +08:00
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
|
2020-05-07 23:04:12 +08:00
|
|
|
message = response.parsed_body
|
2017-11-27 09:43:18 +08:00
|
|
|
expect(response.status).to eq 422
|
|
|
|
expect(message["errors"]).to contain_exactly(I18n.t("upload.file_missing"))
|
2015-08-18 17:39:51 +08:00
|
|
|
end
|
|
|
|
|
2015-05-20 07:39:58 +08:00
|
|
|
it 'properly returns errors' do
|
2018-06-04 11:13:52 +08:00
|
|
|
SiteSetting.authorized_extensions = "*"
|
2017-06-13 04:41:29 +08:00
|
|
|
SiteSetting.max_attachment_size_kb = 1
|
2013-04-03 07:17:17 +08:00
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: { file: text_file, type: "avatar" }
|
2015-05-25 23:59:00 +08:00
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
expect(response.status).to eq(422)
|
|
|
|
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
|
2020-05-07 23:04:12 +08:00
|
|
|
errors = response.parsed_body["errors"]
|
2018-06-04 11:13:52 +08:00
|
|
|
expect(errors.first).to eq(I18n.t("upload.attachments.too_large", max_size_kb: 1))
|
2013-04-03 07:17:17 +08:00
|
|
|
end
|
|
|
|
|
2015-11-12 17:26:45 +08:00
|
|
|
it 'ensures allow_uploaded_avatars is enabled when uploading an avatar' do
|
2017-06-13 04:41:29 +08:00
|
|
|
SiteSetting.allow_uploaded_avatars = false
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: { file: logo, type: "avatar" }
|
|
|
|
expect(response.status).to eq(422)
|
2015-11-12 17:26:45 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
it 'ensures sso_overrides_avatar is not enabled when uploading an avatar' do
|
2017-06-13 04:41:29 +08:00
|
|
|
SiteSetting.sso_overrides_avatar = true
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: { file: logo, type: "avatar" }
|
|
|
|
expect(response.status).to eq(422)
|
2015-11-12 17:26:45 +08:00
|
|
|
end
|
|
|
|
|
2018-12-05 20:35:59 +08:00
|
|
|
it 'always allows admins to upload avatars' do
|
|
|
|
sign_in(Fabricate(:admin))
|
|
|
|
SiteSetting.allow_uploaded_avatars = false
|
|
|
|
|
|
|
|
post "/uploads.json", params: { file: logo, type: "avatar" }
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
end
|
|
|
|
|
2017-06-13 04:41:29 +08:00
|
|
|
it 'allows staff to upload any file in PM' do
|
|
|
|
SiteSetting.authorized_extensions = "jpg"
|
|
|
|
SiteSetting.allow_staff_to_upload_any_file_in_pm = true
|
2018-06-04 11:13:52 +08:00
|
|
|
user.update_columns(moderator: true)
|
2017-06-13 04:41:29 +08:00
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: {
|
2017-11-27 09:43:18 +08:00
|
|
|
file: text_file,
|
|
|
|
type: "composer",
|
|
|
|
for_private_message: "true",
|
|
|
|
}
|
2017-06-13 04:41:29 +08:00
|
|
|
|
2018-06-07 16:11:09 +08:00
|
|
|
expect(response.status).to eq(200)
|
2020-05-07 23:04:12 +08:00
|
|
|
id = response.parsed_body["id"]
|
2018-11-14 15:03:02 +08:00
|
|
|
expect(Upload.last.id).to eq(id)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'allows staff to upload supported images for site settings' do
|
|
|
|
SiteSetting.authorized_extensions = ''
|
|
|
|
user.update!(admin: true)
|
|
|
|
|
|
|
|
post "/uploads.json", params: {
|
|
|
|
file: logo,
|
|
|
|
type: "site_setting",
|
|
|
|
for_site_setting: "true",
|
|
|
|
}
|
|
|
|
|
|
|
|
expect(response.status).to eq(200)
|
2020-05-07 23:04:12 +08:00
|
|
|
id = response.parsed_body["id"]
|
2018-11-14 15:03:02 +08:00
|
|
|
|
|
|
|
upload = Upload.last
|
|
|
|
|
|
|
|
expect(upload.id).to eq(id)
|
2020-05-19 07:09:36 +08:00
|
|
|
expect(upload.original_filename).to eq(logo_filename)
|
2017-06-13 04:41:29 +08:00
|
|
|
end
|
|
|
|
|
2018-02-19 17:44:24 +08:00
|
|
|
it 'respects `authorized_extensions_for_staff` setting when staff upload file' do
|
|
|
|
SiteSetting.authorized_extensions = ""
|
|
|
|
SiteSetting.authorized_extensions_for_staff = "*"
|
2018-06-04 11:13:52 +08:00
|
|
|
user.update_columns(moderator: true)
|
2018-02-19 17:44:24 +08:00
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: {
|
2018-02-19 17:44:24 +08:00
|
|
|
file: text_file,
|
|
|
|
type: "composer",
|
|
|
|
}
|
|
|
|
|
2018-06-07 16:11:09 +08:00
|
|
|
expect(response.status).to eq(200)
|
2020-05-07 23:04:12 +08:00
|
|
|
data = response.parsed_body
|
2018-06-04 11:13:52 +08:00
|
|
|
expect(data["id"]).to be_present
|
2018-02-19 17:44:24 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
it 'ignores `authorized_extensions_for_staff` setting when non-staff upload file' do
|
|
|
|
SiteSetting.authorized_extensions = ""
|
|
|
|
SiteSetting.authorized_extensions_for_staff = "*"
|
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: {
|
2018-02-19 17:44:24 +08:00
|
|
|
file: text_file,
|
|
|
|
type: "composer",
|
|
|
|
}
|
|
|
|
|
2020-05-07 23:04:12 +08:00
|
|
|
data = response.parsed_body
|
2018-02-19 17:44:24 +08:00
|
|
|
expect(data["errors"].first).to eq(I18n.t("upload.unauthorized", authorized_extensions: ''))
|
|
|
|
end
|
|
|
|
|
2015-12-21 23:08:14 +08:00
|
|
|
it 'returns an error when it could not determine the dimensions of an image' do
|
2018-06-04 11:13:52 +08:00
|
|
|
post "/uploads.json", params: { file: fake_jpg, type: "composer" }
|
2015-12-21 23:08:14 +08:00
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
expect(response.status).to eq(422)
|
|
|
|
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
|
2020-05-07 23:04:12 +08:00
|
|
|
message = response.parsed_body["errors"]
|
2017-11-27 09:43:18 +08:00
|
|
|
expect(message).to contain_exactly(I18n.t("upload.images.size_not_found"))
|
2015-12-21 23:08:14 +08:00
|
|
|
end
|
2013-04-03 07:17:17 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-05-29 09:00:25 +08:00
|
|
|
def upload_file(file, folder = "images")
|
|
|
|
fake_logo = Rack::Test::UploadedFile.new(file_from_fixtures(file, folder))
|
|
|
|
SiteSetting.authorized_extensions = "*"
|
|
|
|
sign_in(user)
|
2018-06-04 11:13:52 +08:00
|
|
|
|
2019-05-29 09:00:25 +08:00
|
|
|
post "/uploads.json", params: {
|
|
|
|
file: fake_logo,
|
|
|
|
type: "composer",
|
|
|
|
}
|
2018-06-04 11:13:52 +08:00
|
|
|
|
2019-05-29 09:00:25 +08:00
|
|
|
expect(response.status).to eq(200)
|
2019-05-15 08:42:17 +08:00
|
|
|
|
2020-05-07 23:04:12 +08:00
|
|
|
url = response.parsed_body["url"]
|
2019-05-29 09:00:25 +08:00
|
|
|
upload = Upload.get_from_url(url)
|
|
|
|
upload
|
|
|
|
end
|
2019-05-15 08:42:17 +08:00
|
|
|
|
2019-05-29 09:00:25 +08:00
|
|
|
describe '#show' do
|
|
|
|
let(:site) { "default" }
|
|
|
|
let(:sha) { Digest::SHA1.hexdigest("discourse") }
|
2015-05-19 18:31:12 +08:00
|
|
|
|
2019-05-15 04:36:54 +08:00
|
|
|
context "when using external storage" do
|
2019-05-15 08:42:17 +08:00
|
|
|
fab!(:upload) { upload_file("small.pdf", "pdf") }
|
|
|
|
|
2019-05-15 04:36:54 +08:00
|
|
|
before do
|
|
|
|
SiteSetting.enable_s3_uploads = true
|
|
|
|
SiteSetting.s3_access_key_id = "fakeid7974664"
|
|
|
|
SiteSetting.s3_secret_access_key = "fakesecretid7974664"
|
|
|
|
end
|
2015-05-19 18:31:12 +08:00
|
|
|
|
2019-05-15 08:42:17 +08:00
|
|
|
it "returns 404 " do
|
|
|
|
upload = Fabricate(:upload_s3)
|
|
|
|
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
|
|
|
|
|
2019-05-15 04:36:54 +08:00
|
|
|
expect(response.response_code).to eq(404)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "returns upload if url not migrated" do
|
2019-05-15 08:42:17 +08:00
|
|
|
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
|
|
|
|
|
2019-05-15 04:36:54 +08:00
|
|
|
expect(response.status).to eq(200)
|
|
|
|
end
|
2013-09-07 01:18:42 +08:00
|
|
|
end
|
|
|
|
|
2016-12-20 02:39:04 +08:00
|
|
|
it "returns 404 when the upload doesn't exist" do
|
2018-06-04 11:13:52 +08:00
|
|
|
get "/uploads/#{site}/#{sha}.pdf"
|
|
|
|
expect(response.status).to eq(404)
|
2013-09-07 01:18:42 +08:00
|
|
|
end
|
|
|
|
|
2019-01-30 05:47:25 +08:00
|
|
|
it "returns 404 when the path is nil" do
|
|
|
|
upload = upload_file("logo.png")
|
|
|
|
upload.update_column(:url, "invalid-url")
|
|
|
|
|
|
|
|
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
|
|
|
|
expect(response.status).to eq(404)
|
|
|
|
end
|
|
|
|
|
2013-09-07 01:18:42 +08:00
|
|
|
it 'uses send_file' do
|
2018-06-04 11:13:52 +08:00
|
|
|
upload = upload_file("logo.png")
|
|
|
|
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
|
|
|
|
expect(response.status).to eq(200)
|
2019-04-30 14:58:18 +08:00
|
|
|
|
2019-08-07 23:00:43 +08:00
|
|
|
expect(response.headers["Content-Disposition"])
|
2020-05-19 07:09:36 +08:00
|
|
|
.to eq(%Q|attachment; filename="#{upload.original_filename}"; filename*=UTF-8''#{upload.original_filename}|)
|
2013-09-07 01:18:42 +08:00
|
|
|
end
|
|
|
|
|
2019-10-14 12:40:33 +08:00
|
|
|
it 'returns 200 when js file' do
|
2019-10-16 07:39:31 +08:00
|
|
|
ActionDispatch::FileHandler.any_instance.stubs(:match?).returns(false)
|
2019-10-14 12:40:33 +08:00
|
|
|
upload = upload_file("test.js", "themes")
|
|
|
|
get upload.url
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
end
|
|
|
|
|
2018-08-20 10:41:46 +08:00
|
|
|
it "handles image without extension" do
|
2016-12-20 02:39:04 +08:00
|
|
|
SiteSetting.authorized_extensions = "*"
|
2018-06-04 11:13:52 +08:00
|
|
|
upload = upload_file("image_no_extension")
|
2016-12-20 02:39:04 +08:00
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
get "/uploads/#{site}/#{upload.sha1}.json"
|
|
|
|
expect(response.status).to eq(200)
|
2019-08-07 23:00:43 +08:00
|
|
|
expect(response.headers["Content-Disposition"])
|
2020-05-19 07:09:36 +08:00
|
|
|
.to eq(%Q|attachment; filename="#{upload.original_filename}"; filename*=UTF-8''#{upload.original_filename}|)
|
2018-08-20 10:41:46 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
it "handles file without extension" do
|
|
|
|
SiteSetting.authorized_extensions = "*"
|
|
|
|
upload = upload_file("not_an_image")
|
|
|
|
|
|
|
|
get "/uploads/#{site}/#{upload.sha1}.json"
|
|
|
|
expect(response.status).to eq(200)
|
2019-08-07 23:00:43 +08:00
|
|
|
expect(response.headers["Content-Disposition"])
|
2020-05-19 07:09:36 +08:00
|
|
|
.to eq(%Q|attachment; filename="#{upload.original_filename}"; filename*=UTF-8''#{upload.original_filename}|)
|
2016-12-20 02:39:04 +08:00
|
|
|
end
|
|
|
|
|
2014-09-10 00:40:11 +08:00
|
|
|
context "prevent anons from downloading files" do
|
|
|
|
it "returns 404 when an anonymous user tries to download a file" do
|
2019-04-19 00:58:39 +08:00
|
|
|
upload = upload_file("small.pdf", "pdf")
|
2019-05-29 09:00:25 +08:00
|
|
|
delete "/session/#{user.username}.json"
|
2015-05-19 18:31:12 +08:00
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
SiteSetting.prevent_anons_from_downloading_files = true
|
2019-06-06 11:27:24 +08:00
|
|
|
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
|
2018-06-04 11:13:52 +08:00
|
|
|
expect(response.status).to eq(404)
|
2014-09-10 00:40:11 +08:00
|
|
|
end
|
|
|
|
end
|
2013-09-07 01:18:42 +08:00
|
|
|
end
|
|
|
|
|
2019-05-29 09:00:25 +08:00
|
|
|
describe "#show_short" do
|
2019-12-11 21:21:41 +08:00
|
|
|
it 'inlines only supported image files' do
|
|
|
|
upload = upload_file("smallest.png")
|
|
|
|
get upload.short_path, params: { inline: true }
|
|
|
|
expect(response.header['Content-Type']).to eq('image/png')
|
|
|
|
expect(response.header['Content-Disposition']).to include('inline;')
|
|
|
|
|
|
|
|
upload.update!(original_filename: "test.xml")
|
|
|
|
get upload.short_path, params: { inline: true }
|
|
|
|
expect(response.header['Content-Type']).to eq('application/xml')
|
|
|
|
expect(response.header['Content-Disposition']).to include('attachment;')
|
|
|
|
end
|
|
|
|
|
2019-05-29 09:00:25 +08:00
|
|
|
describe "local store" do
|
|
|
|
fab!(:image_upload) { upload_file("smallest.png") }
|
|
|
|
|
|
|
|
it "returns the right response" do
|
|
|
|
get image_upload.short_path
|
|
|
|
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
|
|
|
|
expect(response.headers["Content-Disposition"])
|
|
|
|
.to include("attachment; filename=\"#{image_upload.original_filename}\"")
|
|
|
|
end
|
|
|
|
|
|
|
|
it "returns the right response when `inline` param is given" do
|
|
|
|
get "#{image_upload.short_path}?inline=1"
|
|
|
|
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
|
|
|
|
expect(response.headers["Content-Disposition"])
|
|
|
|
.to include("inline; filename=\"#{image_upload.original_filename}\"")
|
|
|
|
end
|
|
|
|
|
|
|
|
it "returns the right response when base62 param is invalid " do
|
|
|
|
get "/uploads/short-url/12345.png"
|
|
|
|
|
|
|
|
expect(response.status).to eq(404)
|
|
|
|
end
|
|
|
|
|
2020-01-03 12:39:07 +08:00
|
|
|
it "returns uploads with underscore in extension correctly" do
|
|
|
|
fake_upload = upload_file("fake.not_image")
|
|
|
|
get fake_upload.short_path
|
|
|
|
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
end
|
|
|
|
|
2019-05-29 09:00:25 +08:00
|
|
|
it "returns the right response when anon tries to download a file " \
|
2020-03-26 05:16:02 +08:00
|
|
|
"when prevent_anons_from_downloading_files is true" do
|
2019-05-29 09:00:25 +08:00
|
|
|
|
|
|
|
delete "/session/#{user.username}.json"
|
|
|
|
SiteSetting.prevent_anons_from_downloading_files = true
|
|
|
|
|
|
|
|
get image_upload.short_path
|
|
|
|
|
|
|
|
expect(response.status).to eq(404)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe "s3 store" do
|
|
|
|
let(:upload) { Fabricate(:upload_s3) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
SiteSetting.enable_s3_uploads = true
|
|
|
|
SiteSetting.s3_access_key_id = "fakeid7974664"
|
|
|
|
SiteSetting.s3_secret_access_key = "fakesecretid7974664"
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should redirect to the s3 URL" do
|
|
|
|
get upload.short_path
|
|
|
|
|
|
|
|
expect(response).to redirect_to(upload.url)
|
|
|
|
end
|
2020-01-16 11:50:27 +08:00
|
|
|
|
|
|
|
context "when upload is secure and secure media enabled" do
|
|
|
|
before do
|
|
|
|
SiteSetting.secure_media = true
|
|
|
|
upload.update(secure: true)
|
|
|
|
stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
|
|
|
|
end
|
|
|
|
|
|
|
|
it "redirects to the signed_url_for_path" do
|
2020-03-26 05:16:02 +08:00
|
|
|
sign_in(user)
|
2020-03-11 06:22:26 +08:00
|
|
|
freeze_time
|
2020-01-16 11:50:27 +08:00
|
|
|
get upload.short_path
|
|
|
|
|
|
|
|
expect(response).to redirect_to(Discourse.store.signed_url_for_path(Discourse.store.get_path_for_upload(upload)))
|
|
|
|
end
|
|
|
|
|
2020-05-18 22:00:41 +08:00
|
|
|
it "has the correct caching header" do
|
|
|
|
sign_in(user)
|
|
|
|
get upload.short_path
|
|
|
|
|
|
|
|
expected_max_age = S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS - UploadsController::SECURE_REDIRECT_GRACE_SECONDS
|
|
|
|
expect(expected_max_age).to be > 0 # Sanity check that the constants haven't been set to broken values
|
|
|
|
|
|
|
|
expect(response.headers["Cache-Control"]).to eq("max-age=#{expected_max_age}, private")
|
|
|
|
end
|
|
|
|
|
2020-01-16 11:50:27 +08:00
|
|
|
it "raises invalid access if the user cannot access the upload access control post" do
|
2020-03-26 05:16:02 +08:00
|
|
|
sign_in(user)
|
2020-01-16 11:50:27 +08:00
|
|
|
post = Fabricate(:post)
|
|
|
|
post.topic.change_category_to_id(Fabricate(:private_category, group: Fabricate(:group)).id)
|
|
|
|
upload.update(access_control_post: post)
|
|
|
|
|
|
|
|
get upload.short_path
|
|
|
|
expect(response.code).to eq("403")
|
|
|
|
end
|
|
|
|
end
|
2019-05-29 09:00:25 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-11-18 09:25:42 +08:00
|
|
|
describe "#show_secure" do
|
|
|
|
describe "local store" do
|
|
|
|
fab!(:image_upload) { upload_file("smallest.png") }
|
|
|
|
|
|
|
|
it "does not return secure media when using local store" do
|
|
|
|
secure_url = image_upload.url.sub("/uploads", "/secure-media-uploads")
|
|
|
|
get secure_url
|
|
|
|
|
|
|
|
expect(response.status).to eq(404)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe "s3 store" do
|
|
|
|
let(:upload) { Fabricate(:upload_s3) }
|
2020-01-16 11:50:27 +08:00
|
|
|
let(:secure_url) { upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads") }
|
|
|
|
|
|
|
|
def sign_in_and_stub_head
|
|
|
|
sign_in(user)
|
2020-03-26 05:16:02 +08:00
|
|
|
stub_head
|
|
|
|
end
|
|
|
|
|
|
|
|
def stub_head
|
2020-01-16 11:50:27 +08:00
|
|
|
stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
|
|
|
|
end
|
2019-11-18 09:25:42 +08:00
|
|
|
|
|
|
|
before do
|
2020-03-26 05:16:02 +08:00
|
|
|
SiteSetting.authorized_extensions = "*"
|
2019-11-18 09:25:42 +08:00
|
|
|
SiteSetting.enable_s3_uploads = true
|
|
|
|
SiteSetting.s3_upload_bucket = "s3-upload-bucket"
|
|
|
|
SiteSetting.s3_access_key_id = "fakeid7974664"
|
|
|
|
SiteSetting.s3_secret_access_key = "fakesecretid7974664"
|
2019-12-11 22:13:17 +08:00
|
|
|
SiteSetting.s3_region = "us-east-1"
|
2019-11-18 09:25:42 +08:00
|
|
|
SiteSetting.secure_media = true
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should return 404 for anonymous requests requests" do
|
|
|
|
get secure_url
|
|
|
|
expect(response.status).to eq(404)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should return signed url for legitimate request" do
|
2020-01-16 11:50:27 +08:00
|
|
|
sign_in_and_stub_head
|
2019-11-18 09:25:42 +08:00
|
|
|
|
|
|
|
get secure_url
|
|
|
|
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(response.redirect_url).to match("Amz-Expires")
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should return secure media URL when looking up urls" do
|
|
|
|
upload.update_column(:secure, true)
|
|
|
|
sign_in(user)
|
|
|
|
|
|
|
|
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
|
2020-05-07 23:04:12 +08:00
|
|
|
result = response.parsed_body
|
2019-11-18 09:25:42 +08:00
|
|
|
expect(result[0]["url"]).to match("secure-media-uploads")
|
|
|
|
end
|
2020-01-07 10:27:24 +08:00
|
|
|
|
2020-01-16 11:50:27 +08:00
|
|
|
context "when the upload cannot be found from the URL" do
|
|
|
|
it "returns a 404" do
|
|
|
|
sign_in_and_stub_head
|
|
|
|
upload.update(sha1: 'test')
|
|
|
|
|
|
|
|
get secure_url
|
|
|
|
expect(response.status).to eq(404)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when the access_control_post_id has been set for the upload" do
|
|
|
|
let(:post) { Fabricate(:post) }
|
|
|
|
let!(:private_category) { Fabricate(:private_category, group: Fabricate(:group)) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
sign_in_and_stub_head
|
|
|
|
upload.update(access_control_post_id: post.id)
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when the user has access to the post via guardian" do
|
|
|
|
it "should return signed url for legitimate request" do
|
|
|
|
sign_in_and_stub_head
|
|
|
|
get secure_url
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(response.redirect_url).to match("Amz-Expires")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when the user does not have access to the post via guardian" do
|
|
|
|
before do
|
|
|
|
post.topic.change_category_to_id(private_category.id)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "returns a 403" do
|
|
|
|
sign_in_and_stub_head
|
|
|
|
get secure_url
|
|
|
|
expect(response.status).to eq(403)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-03-26 05:16:02 +08:00
|
|
|
context "when the upload is an attachment file" do
|
|
|
|
before do
|
|
|
|
upload.update(original_filename: 'test.pdf')
|
|
|
|
end
|
|
|
|
it "redirects to the signed_url_for_path" do
|
|
|
|
sign_in_and_stub_head
|
|
|
|
get secure_url
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(response.redirect_url).to match("Amz-Expires")
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when the user does not have access to the access control post via guardian" do
|
|
|
|
let(:post) { Fabricate(:post) }
|
|
|
|
let!(:private_category) { Fabricate(:private_category, group: Fabricate(:group)) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
post.topic.change_category_to_id(private_category.id)
|
|
|
|
upload.update(access_control_post_id: post.id)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "returns a 403" do
|
|
|
|
sign_in_and_stub_head
|
|
|
|
get secure_url
|
|
|
|
expect(response.status).to eq(403)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when the prevent_anons_from_downloading_files setting is enabled and the user is anon" do
|
|
|
|
before do
|
|
|
|
SiteSetting.prevent_anons_from_downloading_files = true
|
|
|
|
end
|
|
|
|
it "returns a 404" do
|
|
|
|
stub_head
|
|
|
|
delete "/session/#{user.username}.json"
|
|
|
|
get secure_url
|
|
|
|
expect(response.status).to eq(404)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-01-07 10:27:24 +08:00
|
|
|
context "when secure media is disabled" do
|
|
|
|
before do
|
|
|
|
SiteSetting.secure_media = false
|
|
|
|
end
|
|
|
|
|
2020-01-07 12:02:17 +08:00
|
|
|
context "if the upload is secure false, meaning the ACL is probably public" do
|
|
|
|
before do
|
|
|
|
upload.update(secure: false)
|
|
|
|
end
|
2020-01-07 10:27:24 +08:00
|
|
|
|
2020-01-07 12:02:17 +08:00
|
|
|
it "should redirect to the regular show route" do
|
|
|
|
secure_url = upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads")
|
|
|
|
sign_in(user)
|
|
|
|
stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
|
2020-01-07 10:27:24 +08:00
|
|
|
|
2020-01-07 12:02:17 +08:00
|
|
|
get secure_url
|
|
|
|
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(response.redirect_url).to eq(Discourse.store.cdn_url(upload.url))
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "if the upload is secure true, meaning the ACL is probably private" do
|
|
|
|
before do
|
|
|
|
upload.update(secure: true)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should redirect to the presigned URL still otherwise we will get a 403" do
|
|
|
|
secure_url = upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads")
|
|
|
|
sign_in(user)
|
|
|
|
stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
|
|
|
|
|
|
|
|
get secure_url
|
|
|
|
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(response.redirect_url).to match("Amz-Expires")
|
|
|
|
end
|
2020-01-07 10:27:24 +08:00
|
|
|
end
|
|
|
|
end
|
2019-11-18 09:25:42 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-06-04 11:13:52 +08:00
|
|
|
describe '#lookup_urls' do
|
|
|
|
it 'can look up long urls' do
|
2019-05-29 09:00:25 +08:00
|
|
|
sign_in(user)
|
2018-06-04 11:13:52 +08:00
|
|
|
upload = Fabricate(:upload)
|
|
|
|
|
|
|
|
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
|
2020-05-07 23:04:12 +08:00
|
|
|
result = response.parsed_body
|
2018-06-04 11:13:52 +08:00
|
|
|
expect(result[0]["url"]).to eq(upload.url)
|
2019-05-29 09:00:25 +08:00
|
|
|
expect(result[0]["short_path"]).to eq(upload.short_path)
|
2018-06-04 11:13:52 +08:00
|
|
|
end
|
2019-11-18 09:25:42 +08:00
|
|
|
|
|
|
|
describe 'secure media' do
|
|
|
|
let(:upload) { Fabricate(:upload_s3, secure: true) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
SiteSetting.authorized_extensions = "pdf|png"
|
|
|
|
SiteSetting.s3_upload_bucket = "s3-upload-bucket"
|
|
|
|
SiteSetting.s3_access_key_id = "s3-access-key-id"
|
|
|
|
SiteSetting.s3_secret_access_key = "s3-secret-access-key"
|
|
|
|
SiteSetting.enable_s3_uploads = true
|
|
|
|
SiteSetting.secure_media = true
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns secure url for a secure media upload' do
|
|
|
|
sign_in(user)
|
|
|
|
|
|
|
|
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
|
2020-05-07 23:04:12 +08:00
|
|
|
result = response.parsed_body
|
2019-11-18 09:25:42 +08:00
|
|
|
expect(result[0]["url"]).to match("/secure-media-uploads")
|
|
|
|
expect(result[0]["short_path"]).to eq(upload.short_path)
|
|
|
|
end
|
|
|
|
|
2020-03-04 07:11:08 +08:00
|
|
|
it 'returns secure urls for non-media uploads' do
|
2019-11-18 09:25:42 +08:00
|
|
|
upload.update!(original_filename: "not-an-image.pdf", extension: "pdf")
|
|
|
|
sign_in(user)
|
|
|
|
|
|
|
|
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
|
2020-05-07 23:04:12 +08:00
|
|
|
result = response.parsed_body
|
2020-03-04 07:11:08 +08:00
|
|
|
expect(result[0]["url"]).to match("/secure-media-uploads")
|
2019-11-18 09:25:42 +08:00
|
|
|
expect(result[0]["short_path"]).to eq(upload.short_path)
|
|
|
|
end
|
|
|
|
end
|
2018-06-04 11:13:52 +08:00
|
|
|
end
|
2019-02-21 10:13:37 +08:00
|
|
|
|
|
|
|
describe '#metadata' do
|
2019-05-07 11:12:20 +08:00
|
|
|
fab!(:upload) { Fabricate(:upload) }
|
2019-02-21 10:13:37 +08:00
|
|
|
|
|
|
|
describe 'when url is missing' do
|
|
|
|
it 'should return the right response' do
|
|
|
|
post "/uploads/lookup-metadata.json"
|
|
|
|
|
|
|
|
expect(response.status).to eq(403)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'when not signed in' do
|
|
|
|
it 'should return the right response' do
|
|
|
|
post "/uploads/lookup-metadata.json", params: { url: upload.url }
|
|
|
|
|
|
|
|
expect(response.status).to eq(403)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'when signed in' do
|
|
|
|
before do
|
2019-05-29 09:00:25 +08:00
|
|
|
sign_in(user)
|
2019-02-21 10:13:37 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
describe 'when url is invalid' do
|
|
|
|
it 'should return the right response' do
|
|
|
|
post "/uploads/lookup-metadata.json", params: { url: 'abc' }
|
|
|
|
|
|
|
|
expect(response.status).to eq(404)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should return the right response" do
|
|
|
|
post "/uploads/lookup-metadata.json", params: { url: upload.url }
|
|
|
|
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
|
2020-05-07 23:04:12 +08:00
|
|
|
result = response.parsed_body
|
2019-02-21 10:13:37 +08:00
|
|
|
|
|
|
|
expect(result["original_filename"]).to eq(upload.original_filename)
|
|
|
|
expect(result["width"]).to eq(upload.width)
|
|
|
|
expect(result["height"]).to eq(upload.height)
|
|
|
|
expect(result["human_filesize"]).to eq(upload.human_filesize)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2013-04-03 07:17:17 +08:00
|
|
|
end
|