discourse/spec/system/s3_secure_uploads_spec.rb
Martin Brennan c532f6eb3d
FEATURE: Secure uploads in PMs only (#23398)
This adds a new secure_uploads_pm_only site setting. When both secure_uploads
and this setting are enabled, only uploads created in PMs are marked secure:
uploads in secure (private) categories are not marked secure, and the
login_required site setting no longer has any bearing on upload security.

This is meant as a stopgap so that secure uploads can be confined to a single
place (private messages), which is where sensitive admin data exports are sent.
Ideally we would want a more comprehensive way of declaring which upload
types get secured (a hybrid/mixed-mode secure uploads), but for now this will
do the trick.
2023-09-06 09:39:09 +10:00


# frozen_string_literal: true
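# System spec for the secure-uploads path when uploads are stored on S3.
#
# Every example enables secure uploads through `setup_s3_system_test`, creates
# a post through the composer with an image attached, and then checks both what
# the rendered page serves (a `/secure-uploads` URL or a plain one) and what the
# database records on the upload row (`Upload#secure`).
#
# The examples are skipped unless S3 system specs are enabled for the run
# (`skip_unless_s3_system_specs_enabled!`), so they are no-ops in a default
# test environment.
describe "Uploading files in the composer to S3", type: :system do
  fab!(:current_user) { Fabricate(:admin) }
  fab!(:other_user) { Fabricate(:user, username: "otherguy") }

  let(:modal) { PageObjects::Modals::Base.new }
  let(:composer) { PageObjects::Components::Composer.new }
  let(:topic_page) { PageObjects::Pages::Topic.new }

  describe "secure uploads" do
    # Returns the first <img> in the cooked body of post #1, after confirming
    # that the post rendered an upload image (the `data-base62-sha1` attribute).
    #
    # @param wait [Numeric] how long Capybara waits for post #1 to appear
    # @return [Capybara::Node::Element] the first image in the cooked post
    def first_post_img(wait: Capybara.default_max_wait_time)
      first_post = topic_page.post_by_number(1, wait: wait)
      expect(first_post).to have_css("img[data-base62-sha1]")
      first_post.find(".cooked").first("img")
    end

    # Asserts that the first post's image is served through `/secure-uploads`
    # and that the upload row itself is flagged secure.
    #
    # NOTE(review): only the public-post example below runs jobs inline, and its
    # wait comment says a job is involved in processing the post. If the secure
    # flag is finalized by that job, the positive examples calling this helper
    # observe the pre-job state; confirm whether they should also call
    # `Jobs.run_immediately!` so a wrong job outcome cannot slip past them.
    #
    # @return [Topic] the current topic, so callers can additionally assert on
    #   the context the post landed in (archetype, category)
    def expect_first_post_to_have_secure_upload
      img = first_post_img
      expect(img["src"]).to include("/secure-uploads")
      topic = topic_page.current_topic
      expect(topic.first_post.uploads.first.secure).to eq(true)
      topic
    end

    # Attaches the logo.png fixture through the composer's upload toolbar button
    # and waits until the upload has finished and the preview shows the image.
    # Shared by every example so the upload steps are identical across cases.
    def upload_fixture_image_in_composer
      file_path = file_from_fixtures("logo.png", "images").path
      attach_file(file_path) { composer.click_toolbar_button("upload") }
      expect(page).to have_no_css("#file-uploading")
      expect(composer.preview).to have_css(".image-wrapper")
    end

    it "marks uploads inside of private message posts as secure" do
      skip_unless_s3_system_specs_enabled!
      setup_s3_system_test(enable_secure_uploads: true)
      sign_in(current_user)

      topic_page.open_new_message
      composer.fill_title("This is a test PM for secure uploads")
      composer.select_pm_user("otherguy")
      upload_fixture_image_in_composer
      composer.submit

      topic = expect_first_post_to_have_secure_upload
      # The example is only meaningful if the post really is a PM; check the
      # archetype explicitly instead of relying on the upload check alone.
      expect(topic.private_message?).to eq(true)
    end

    it "marks uploads inside of private category posts as secure" do
      skip_unless_s3_system_specs_enabled!
      private_category = Fabricate(:private_category, group: Fabricate(:group))
      setup_s3_system_test(enable_secure_uploads: true)
      # current_user is an admin, so the private category is visible in the
      # composer's category chooser.
      sign_in(current_user)

      topic_page.open_new_topic
      composer.fill_title("This is a test PM for secure uploads")
      composer.switch_category(private_category.name)
      upload_fixture_image_in_composer
      composer.submit

      topic = expect_first_post_to_have_secure_upload
      # Make sure the category switch actually took effect; otherwise the topic
      # would be in the default category and the example would not be testing
      # the private-category rule at all.
      expect(topic.category).to eq(private_category)
    end

    it "marks uploads for all posts as secure when login_required" do
      skip_unless_s3_system_specs_enabled!
      # Set before the S3 setup so the site is already login-required when the
      # secure-uploads configuration is applied.
      SiteSetting.login_required = true
      setup_s3_system_test(enable_secure_uploads: true)
      sign_in(current_user)

      topic_page.open_new_topic
      composer.fill_title("This is a test PM for secure uploads")
      upload_fixture_image_in_composer
      composer.submit

      expect_first_post_to_have_secure_upload
    end

    it "doesn't mark uploads for public posts as secure" do
      skip_unless_s3_system_specs_enabled!
      setup_s3_system_test(enable_secure_uploads: true)
      sign_in(current_user)

      topic_page.open_new_topic
      composer.fill_title("This is a test PM for secure uploads")
      upload_fixture_image_in_composer

      # Run jobs inline so the post-processing that decides the final security
      # status has happened by the time the assertions below read the upload.
      Jobs.run_immediately!
      composer.submit

      # Extra wait time is added because the job can slow down the processing of the request.
      img = first_post_img(wait: 10)
      expect(img["src"]).not_to include("/secure-uploads")
      topic = topic_page.current_topic
      expect(topic.first_post.uploads.first.secure).to eq(false)
    end
  end
end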