mirror of
https://github.com/discourse/discourse.git
synced 2024-11-24 14:19:49 +08:00
8ebd5edd1e
This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
222 lines
7.4 KiB
Ruby
222 lines
7.4 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
RSpec.describe "tasks/uploads" do
|
|
before do
|
|
Rake::Task.clear
|
|
Discourse::Application.load_tasks
|
|
SiteSetting.authorized_extensions += "|pdf"
|
|
end
|
|
|
|
describe "uploads:secure_upload_analyse_and_update" do
|
|
let!(:uploads) do
|
|
[
|
|
multi_post_upload1,
|
|
upload1,
|
|
upload2,
|
|
upload3
|
|
]
|
|
end
|
|
let(:multi_post_upload1) { Fabricate(:upload_s3) }
|
|
let(:upload1) { Fabricate(:upload_s3) }
|
|
let(:upload2) { Fabricate(:upload_s3) }
|
|
let(:upload3) { Fabricate(:upload_s3, original_filename: 'test.pdf', extension: 'pdf') }
|
|
|
|
let!(:post1) { Fabricate(:post) }
|
|
let!(:post2) { Fabricate(:post) }
|
|
let!(:post3) { Fabricate(:post) }
|
|
|
|
before do
|
|
UploadReference.create(target: post1, upload: multi_post_upload1)
|
|
UploadReference.create(target: post2, upload: multi_post_upload1)
|
|
UploadReference.create(target: post2, upload: upload1)
|
|
UploadReference.create(target: post3, upload: upload2)
|
|
UploadReference.create(target: post3, upload: upload3)
|
|
end
|
|
|
|
def invoke_task
|
|
capture_stdout do
|
|
Rake::Task['uploads:secure_upload_analyse_and_update'].invoke
|
|
end
|
|
end
|
|
|
|
context "when the store is internal" do
|
|
it "does nothing; this is for external store only" do
|
|
Upload.expects(:transaction).never
|
|
expect { invoke_task }.to raise_error(SystemExit)
|
|
end
|
|
end
|
|
|
|
context "when store is external" do
|
|
before do
|
|
setup_s3
|
|
uploads.each { |upload| stub_upload(upload) }
|
|
end
|
|
|
|
context "when secure upload is enabled" do
|
|
before do
|
|
SiteSetting.secure_uploads = true
|
|
end
|
|
|
|
it "sets an access_control_post for each post upload, using the first linked post in the case of multiple links" do
|
|
invoke_task
|
|
expect(multi_post_upload1.reload.access_control_post).to eq(post1)
|
|
expect(upload1.reload.access_control_post).to eq(post2)
|
|
expect(upload2.reload.access_control_post).to eq(post3)
|
|
expect(upload3.reload.access_control_post).to eq(post3)
|
|
end
|
|
|
|
it "sets everything attached to a post as secure and rebakes all those posts if login is required" do
|
|
SiteSetting.login_required = true
|
|
freeze_time
|
|
|
|
post1.update_columns(baked_at: 1.week.ago)
|
|
post2.update_columns(baked_at: 1.week.ago)
|
|
post3.update_columns(baked_at: 1.week.ago)
|
|
|
|
invoke_task
|
|
|
|
expect(post1.reload.baked_at).not_to eq_time(1.week.ago)
|
|
expect(post2.reload.baked_at).not_to eq_time(1.week.ago)
|
|
expect(post3.reload.baked_at).not_to eq_time(1.week.ago)
|
|
expect(upload2.reload.secure).to eq(true)
|
|
expect(upload1.reload.secure).to eq(true)
|
|
expect(upload3.reload.secure).to eq(true)
|
|
end
|
|
|
|
it "sets the uploads that are media and attachments in the read restricted topic category to secure" do
|
|
post3.topic.update(category: Fabricate(:private_category, group: Fabricate(:group)))
|
|
invoke_task
|
|
expect(upload2.reload.secure).to eq(true)
|
|
expect(upload1.reload.secure).to eq(false)
|
|
expect(upload3.reload.secure).to eq(true)
|
|
end
|
|
|
|
it "sets the upload in the PM topic to secure" do
|
|
post3.topic.update(archetype: 'private_message', category: nil)
|
|
invoke_task
|
|
expect(upload2.reload.secure).to eq(true)
|
|
expect(upload1.reload.secure).to eq(false)
|
|
end
|
|
|
|
it "rebakes the posts attached for uploads that change secure status" do
|
|
post3.topic.update(category: Fabricate(:private_category, group: Fabricate(:group)))
|
|
freeze_time
|
|
|
|
post1.update_columns(baked_at: 1.week.ago)
|
|
post2.update_columns(baked_at: 1.week.ago)
|
|
post3.update_columns(baked_at: 1.week.ago)
|
|
|
|
invoke_task
|
|
|
|
expect(post1.reload.baked_at).to eq_time(1.week.ago)
|
|
expect(post2.reload.baked_at).to eq_time(1.week.ago)
|
|
expect(post3.reload.baked_at).not_to eq_time(1.week.ago)
|
|
end
|
|
|
|
context "for an upload that is already secure and does not need to change" do
|
|
before do
|
|
post3.topic.update(archetype: 'private_message', category: nil)
|
|
upload2.update(access_control_post: post3)
|
|
upload2.update_secure_status
|
|
upload3.update(access_control_post: post3)
|
|
upload3.update_secure_status
|
|
end
|
|
|
|
it "does not rebake the associated post" do
|
|
freeze_time
|
|
|
|
post3.update_columns(baked_at: 1.week.ago)
|
|
invoke_task
|
|
|
|
expect(post3.reload.baked_at).to eq_time(1.week.ago)
|
|
end
|
|
|
|
it "does not attempt to update the acl" do
|
|
Discourse.store.expects(:update_upload_ACL).with(upload2).never
|
|
invoke_task
|
|
end
|
|
end
|
|
|
|
context "for an upload that is already secure and is changing to not secure" do
|
|
it "changes the upload to not secure and updates the ACL" do
|
|
upload_to_mark_not_secure = Fabricate(:upload_s3, secure: true)
|
|
post_for_upload = Fabricate(:post)
|
|
UploadReference.create(target: post_for_upload, upload: upload_to_mark_not_secure)
|
|
|
|
setup_s3
|
|
uploads.each { |upload| stub_upload(upload) }
|
|
stub_upload(upload_to_mark_not_secure)
|
|
|
|
invoke_task
|
|
expect(upload_to_mark_not_secure.reload.secure).to eq(false)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe "uploads:disable_secure_uploads" do
|
|
def invoke_task
|
|
capture_stdout do
|
|
Rake::Task['uploads:disable_secure_uploads'].invoke
|
|
end
|
|
end
|
|
|
|
before do
|
|
setup_s3
|
|
uploads.each { |upload| stub_upload(upload) }
|
|
|
|
SiteSetting.secure_uploads = true
|
|
UploadReference.create(target: post1, upload: upload1)
|
|
UploadReference.create(target: post1, upload: upload2)
|
|
UploadReference.create(target: post2, upload: upload3)
|
|
UploadReference.create(target: post2, upload: upload4)
|
|
end
|
|
|
|
let!(:uploads) do
|
|
[
|
|
upload1, upload2, upload3, upload4, upload5
|
|
]
|
|
end
|
|
let(:post1) { Fabricate(:post) }
|
|
let(:post2) { Fabricate(:post) }
|
|
let(:upload1) { Fabricate(:upload_s3, secure: true, access_control_post: post1) }
|
|
let(:upload2) { Fabricate(:upload_s3, secure: true, access_control_post: post1) }
|
|
let(:upload3) { Fabricate(:upload_s3, secure: true, access_control_post: post2) }
|
|
let(:upload4) { Fabricate(:upload_s3, secure: true, access_control_post: post2) }
|
|
let(:upload5) { Fabricate(:upload_s3, secure: false) }
|
|
|
|
it "disables the secure upload setting" do
|
|
invoke_task
|
|
expect(SiteSetting.secure_uploads).to eq(false)
|
|
end
|
|
|
|
it "updates all secure uploads to secure: false" do
|
|
invoke_task
|
|
[upload1, upload2, upload3, upload4].each do |upl|
|
|
expect(upl.reload.secure).to eq(false)
|
|
end
|
|
end
|
|
|
|
it "rebakes the associated posts" do
|
|
freeze_time
|
|
|
|
post1.update_columns(baked_at: 1.week.ago)
|
|
post2.update_columns(baked_at: 1.week.ago)
|
|
invoke_task
|
|
|
|
expect(post1.reload.baked_at).not_to eq_time(1.week.ago)
|
|
expect(post2.reload.baked_at).not_to eq_time(1.week.ago)
|
|
end
|
|
|
|
it "updates the affected ACLs" do
|
|
expect_enqueued_with(
|
|
job: :sync_acls_for_uploads,
|
|
args: { upload_ids: [upload1.id, upload2.id, upload3.id, upload4.id] },
|
|
) do
|
|
invoke_task
|
|
end
|
|
end
|
|
end
|
|
end
|