discourse/spec/requests/svg_sprite_controller_spec.rb
Alan Guo Xiang Tan 5878535606
FIX: Searching for svg sprite icons connecting to default database (#21605)
What is the problem?

In `SvgSpriteController#search` and `SvgSpriteController#icon_picker_search`, the controller actions
was using the `RailsMultisite::ConnectionManagement.with_hostname` API
but `params[:hostname]` was always `nil` because the routes does not
have a `:hostname` param component and the client does not ever pass the
`:hostname` param when making the request. When `RailsMultisite::ConnectionManagement.with_hostname` is
used with a `nil` argument, it ends up connecting to the default
multisite database. Usually this would be bad because we're allowing a
site in a multisite setup to connect to another site but thankfully no
private data is being leaked here.

What is the fix?

Since `SvgSpriteController#search` and `SvgSpriteController#icon_picker_search` are login required route,
there is no need for us to switch database connections. The fix here is
to simply remove the use of `RailsMultisite::ConnectionManagement.with_hostname`.
2023-05-17 14:25:06 +08:00

161 lines
5.0 KiB
Ruby

# frozen_string_literal: true
RSpec.describe SvgSpriteController do
describe "#show" do
before { SvgSprite.expire_cache }
it "should return bundle when version is current" do
get "/svg-sprite/#{Discourse.current_hostname}/svg--#{SvgSprite.version}.js"
expect(response.status).to eq(200)
theme = Fabricate(:theme)
theme.set_field(target: :settings, name: :yaml, value: "custom_icon: dragon")
theme.save!
get "/svg-sprite/#{Discourse.current_hostname}/svg-#{theme.id}-#{SvgSprite.version(theme.id)}.js"
expect(response.status).to eq(200)
end
it "should redirect to current version" do
random_hash = Digest::SHA1.hexdigest("somerandomstring")
get "/svg-sprite/#{Discourse.current_hostname}/svg--#{random_hash}.js"
expect(response).to redirect_to("/svg-sprite/test.localhost/svg--#{SvgSprite.version}.js")
set_cdn_url "//some-cdn.com/site"
get "/svg-sprite/#{Discourse.current_hostname}/svg--#{random_hash}.js"
expect(response).to redirect_to(
"https://some-cdn.com/site/svg-sprite/test.localhost/svg--#{SvgSprite.version}.js",
)
end
end
describe "#search" do
it "should not work for anons" do
get "/svg-sprite/search/fa-bolt"
expect(response.status).to eq(404)
end
it "should return symbol for FA icon search" do
user = sign_in(Fabricate(:user))
get "/svg-sprite/search/fa-bolt"
expect(response.status).to eq(200)
expect(response.body).to include("bolt")
end
it "should return 404 when looking for non-existent FA icon" do
user = sign_in(Fabricate(:user))
get "/svg-sprite/search/fa-not-a-valid-icon"
expect(response.status).to eq(404)
end
it "should find a custom icon in default theme" do
theme = Fabricate(:theme)
fname = "custom-theme-icon-sprite.svg"
upload = UploadCreator.new(file_from_fixtures(fname), fname, for_theme: true).create_for(-1)
theme.set_field(
target: :common,
name: SvgSprite.theme_sprite_variable_name,
upload_id: upload.id,
type: :theme_upload_var,
)
theme.save!
SiteSetting.default_theme_id = theme.id
user = sign_in(Fabricate(:user))
get "/svg-sprite/search/fa-my-custom-theme-icon"
expect(response.status).to eq(200)
expect(response.body).to include("my-custom-theme-icon")
end
end
describe "#icon_picker_search" do
it "should return 403 for anonymous users" do
get "/svg-sprite/picker-search"
expect(response.status).to eq(403)
end
it "should work with no filter and max out at 200 results" do
user = sign_in(Fabricate(:user))
get "/svg-sprite/picker-search"
expect(response.status).to eq(200)
data = response.parsed_body
expect(data.length).to eq(200)
expect(data[0]["id"]).to eq("ad")
end
it "should filter" do
user = sign_in(Fabricate(:user))
get "/svg-sprite/picker-search", params: { filter: "500px" }
expect(response.status).to eq(200)
data = response.parsed_body
expect(data.length).to eq(1)
expect(data[0]["id"]).to eq("fab-500px")
end
it "should display only available" do
sign_in(Fabricate(:user))
get "/svg-sprite/picker-search"
data = response.parsed_body
beer_icon = response.parsed_body.find { |i| i["id"] == "beer" }
expect(beer_icon).to be_present
get "/svg-sprite/picker-search", params: { only_available: "true" }
data = response.parsed_body
beer_icon = response.parsed_body.find { |i| i["id"] == "beer" }
expect(beer_icon).to be nil
expect(data.length).to eq(200)
end
end
describe "#svg_icon" do
it "requires .svg extension" do
get "/svg-sprite/#{Discourse.current_hostname}/icon/bolt"
expect(response.status).to eq(404)
end
it "returns SVG given an icon name" do
get "/svg-sprite/#{Discourse.current_hostname}/icon/bolt.svg"
expect(response.status).to eq(200)
expect(response.body).to include("bolt")
end
it "returns SVG given an icon name and a color" do
get "/svg-sprite/#{Discourse.current_hostname}/icon/CC0000/fab-github.svg"
expect(response.status).to eq(200)
expect(response.body).to include("fab-github")
expect(response.body).to include('fill="#CC0000"')
expect(response.headers["Cache-Control"]).to eq("max-age=86400, public, immutable")
end
it "returns SVG given an icon name and a 3-character HEX color" do
get "/svg-sprite/#{Discourse.current_hostname}/icon/C00/fab-github.svg"
expect(response.status).to eq(200)
expect(response.body).to include("fab-github")
expect(response.body).to include('fill="#CC0000"')
expect(response.headers["Cache-Control"]).to eq("max-age=86400, public, immutable")
end
it "ignores non-HEX colors" do
get "/svg-sprite/#{Discourse.current_hostname}/icon/orange/fab-github.svg"
expect(response.status).to eq(404)
end
end
end