Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-02-01 12:41:37 +01:00
Code Issues Releases Wiki Activity

Fixed error when accessing non-authed attachment

Browse Source 
Also updated attachment tests to use standard test-case.
Fixes #681
This commit is contained in:
Dan Brown 2018-02-11 12:37:02 +00:00
parent 2d41a4f064
commit 548dcd4db1
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
4 changed files with 91 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/Http/Controllers/AttachmentController.php
View File

@ -2,6 +2,7 @@
use BookStack\Exceptions\FileUploadException; use BookStack\Exceptions\FileUploadException;
use BookStack\Attachment; use BookStack\Attachment;
use BookStack\Exceptions\NotFoundException;
use BookStack\Repos\EntityRepo; use BookStack\Repos\EntityRepo;
use BookStack\Services\AttachmentService; use BookStack\Services\AttachmentService;
use Illuminate\Http\Request; use Illuminate\Http\Request;
@ -182,11 +183,16 @@ class AttachmentController extends Controller
* Get an attachment from storage. * Get an attachment from storage.
* @param $attachmentId * @param $attachmentId
* @return \Illuminate\Contracts\Routing\ResponseFactory|\Illuminate\Http\RedirectResponse|\Illuminate\Routing\Redirector|\Symfony\Component\HttpFoundation\Response * @return \Illuminate\Contracts\Routing\ResponseFactory|\Illuminate\Http\RedirectResponse|\Illuminate\Routing\Redirector|\Symfony\Component\HttpFoundation\Response
* @throws \Illuminate\Contracts\Filesystem\FileNotFoundException
*/ */
public function get($attachmentId) public function get($attachmentId)
{ {
$attachment = $this->attachment->findOrFail($attachmentId); $attachment = $this->attachment->findOrFail($attachmentId);
$page = $this->entityRepo->getById('page', $attachment->uploaded_to); $page = $this->entityRepo->getById('page', $attachment->uploaded_to);
if ($page === null) {
throw new NotFoundException(trans('errors.attachment_not_found'));
}
$this->checkOwnablePermission('page-view', $page); $this->checkOwnablePermission('page-view', $page);
if ($attachment->external) { if ($attachment->external) {
@ -204,6 +210,7 @@ class AttachmentController extends Controller
* Delete a specific attachment in the system. * Delete a specific attachment in the system.
* @param $attachmentId * @param $attachmentId
* @return mixed * @return mixed
* @throws \Exception
*/ */
public function delete($attachmentId) public function delete($attachmentId)
{ {

1
resources/lang/en/errors.php
View File

@ -40,6 +40,7 @@ return [
// Attachments // Attachments
'attachment_page_mismatch' => 'Page mismatch during attachment update', 'attachment_page_mismatch' => 'Page mismatch during attachment update',
'attachment_not_found' => 'Attachment not found',
// Pages // Pages
'page_draft_autosave_fail' => 'Failed to save draft. Ensure you have internet connection before saving this page', 'page_draft_autosave_fail' => 'Failed to save draft. Ensure you have internet connection before saving this page',

105
tests/AttachmentTest.php
View File

@ -1,6 +1,10 @@
<?php namespace Tests; <?php namespace Tests;
class AttachmentTest extends BrowserKitTest use BookStack\Attachment;
use BookStack\Page;
use BookStack\Services\PermissionService;
class AttachmentTest extends TestCase
{ {
/** /**
* Get a test file that can be uploaded * Get a test file that can be uploaded
@ -16,7 +20,7 @@ class AttachmentTest extends BrowserKitTest
* Uploads a file with the given name. * Uploads a file with the given name.
* @param $name * @param $name
* @param int $uploadedTo * @param int $uploadedTo
* @return string * @return \Illuminate\Foundation\Testing\TestResponse
*/ */
protected function uploadFile($name, $uploadedTo = 0) protected function uploadFile($name, $uploadedTo = 0)
{ {
@ -48,7 +52,7 @@ class AttachmentTest extends BrowserKitTest
public function test_file_upload() public function test_file_upload()
{ {
$page = \BookStack\Page::first(); $page = Page::first();
$this->asAdmin(); $this->asAdmin();
$admin = $this->getAdmin(); $admin = $this->getAdmin();
$fileName = 'upload_test_file.txt'; $fileName = 'upload_test_file.txt';
@ -63,37 +67,41 @@ class AttachmentTest extends BrowserKitTest
'path' => $this->getUploadPath($fileName) 'path' => $this->getUploadPath($fileName)
]; ];
$this->uploadFile($fileName, $page->id); $upload = $this->uploadFile($fileName, $page->id);
$this->assertResponseOk(); $upload->assertStatus(200);
$this->seeJsonContains($expectedResp); $upload->assertJson($expectedResp);
$this->seeInDatabase('attachments', $expectedResp); $this->assertDatabaseHas('attachments', $expectedResp);
$this->deleteUploads(); $this->deleteUploads();
} }
public function test_file_display_and_access() public function test_file_display_and_access()
{ {
$page = \BookStack\Page::first(); $page = Page::first();
$this->asAdmin(); $this->asAdmin();
$fileName = 'upload_test_file.txt'; $fileName = 'upload_test_file.txt';
$this->uploadFile($fileName, $page->id); $upload = $this->uploadFile($fileName, $page->id);
$this->assertResponseOk(); $upload->assertStatus(200);
$this->visit($page->getUrl()) $attachment = Attachment::orderBy('id', 'desc')->take(1)->first();
->seeLink($fileName)
->click($fileName) $pageGet = $this->get($page->getUrl());
->see('Hi, This is a test file for testing the upload process.'); $pageGet->assertSeeText($fileName);
$pageGet->assertSee($attachment->getUrl());
$attachmentGet = $this->get($attachment->getUrl());
$attachmentGet->assertSee('Hi, This is a test file for testing the upload process.');
$this->deleteUploads(); $this->deleteUploads();
} }
public function test_attaching_link_to_page() public function test_attaching_link_to_page()
{ {
$page = \BookStack\Page::first(); $page = Page::first();
$admin = $this->getAdmin(); $admin = $this->getAdmin();
$this->asAdmin(); $this->asAdmin();
$this->call('POST', 'attachments/link', [ $linkReq = $this->call('POST', 'attachments/link', [
'link' => 'https://example.com', 'link' => 'https://example.com',
'name' => 'Example Attachment Link', 'name' => 'Example Attachment Link',
'uploaded_to' => $page->id, 'uploaded_to' => $page->id,
@ -110,19 +118,24 @@ class AttachmentTest extends BrowserKitTest
'extension' => '' 'extension' => ''
]; ];
$this->assertResponseOk(); $linkReq->assertStatus(200);
$this->seeJsonContains($expectedResp); $linkReq->assertJson($expectedResp);
$this->seeInDatabase('attachments', $expectedResp); $this->assertDatabaseHas('attachments', $expectedResp);
$attachment = Attachment::orderBy('id', 'desc')->take(1)->first();
$this->visit($page->getUrl())->seeLink('Example Attachment Link') $pageGet = $this->get($page->getUrl());
->click('Example Attachment Link')->seePageIs('https://example.com'); $pageGet->assertSeeText('Example Attachment Link');
$pageGet->assertSee($attachment->getUrl());
$attachmentGet = $this->get($attachment->getUrl());
$attachmentGet->assertRedirect('https://example.com');
$this->deleteUploads(); $this->deleteUploads();
} }
public function test_attachment_updating() public function test_attachment_updating()
{ {
$page = \BookStack\Page::first(); $page = Page::first();
$this->asAdmin(); $this->asAdmin();
$this->call('POST', 'attachments/link', [ $this->call('POST', 'attachments/link', [
@ -133,7 +146,7 @@ class AttachmentTest extends BrowserKitTest
$attachmentId = \BookStack\Attachment::first()->id; $attachmentId = \BookStack\Attachment::first()->id;
$this->call('PUT', 'attachments/' . $attachmentId, [ $update = $this->call('PUT', 'attachments/' . $attachmentId, [
'uploaded_to' => $page->id, 'uploaded_to' => $page->id,
'name' => 'My new attachment name', 'name' => 'My new attachment name',
'link' => 'https://test.example.com' 'link' => 'https://test.example.com'
@ -145,28 +158,27 @@ class AttachmentTest extends BrowserKitTest
'uploaded_to' => $page->id 'uploaded_to' => $page->id
]; ];
$this->assertResponseOk(); $update->assertStatus(200);
$this->seeJsonContains($expectedResp); $update->assertJson($expectedResp);
$this->seeInDatabase('attachments', $expectedResp); $this->assertDatabaseHas('attachments', $expectedResp);
$this->deleteUploads(); $this->deleteUploads();
} }
public function test_file_deletion() public function test_file_deletion()
{ {
$page = \BookStack\Page::first(); $page = Page::first();
$this->asAdmin(); $this->asAdmin();
$fileName = 'deletion_test.txt'; $fileName = 'deletion_test.txt';
$this->uploadFile($fileName, $page->id); $this->uploadFile($fileName, $page->id);
$filePath = base_path('storage/' . $this->getUploadPath($fileName)); $filePath = base_path('storage/' . $this->getUploadPath($fileName));
$this->assertTrue(file_exists($filePath), 'File at path ' . $filePath . ' does not exist'); $this->assertTrue(file_exists($filePath), 'File at path ' . $filePath . ' does not exist');
$attachmentId = \BookStack\Attachment::first()->id; $attachment = \BookStack\Attachment::first();
$this->call('DELETE', 'attachments/' . $attachmentId); $this->delete($attachment->getUrl());
$this->dontSeeInDatabase('attachments', [ $this->assertDatabaseMissing('attachments', [
'name' => $fileName 'name' => $fileName
]); ]);
$this->assertFalse(file_exists($filePath), 'File at path ' . $filePath . ' was not deleted as expected'); $this->assertFalse(file_exists($filePath), 'File at path ' . $filePath . ' was not deleted as expected');
@ -176,7 +188,7 @@ class AttachmentTest extends BrowserKitTest
public function test_attachment_deletion_on_page_deletion() public function test_attachment_deletion_on_page_deletion()
{ {
$page = \BookStack\Page::first(); $page = Page::first();
$this->asAdmin(); $this->asAdmin();
$fileName = 'deletion_test.txt'; $fileName = 'deletion_test.txt';
$this->uploadFile($fileName, $page->id); $this->uploadFile($fileName, $page->id);
@ -184,17 +196,42 @@ class AttachmentTest extends BrowserKitTest
$filePath = base_path('storage/' . $this->getUploadPath($fileName)); $filePath = base_path('storage/' . $this->getUploadPath($fileName));
$this->assertTrue(file_exists($filePath), 'File at path ' . $filePath . ' does not exist'); $this->assertTrue(file_exists($filePath), 'File at path ' . $filePath . ' does not exist');
$this->seeInDatabase('attachments', [ $this->assertDatabaseHas('attachments', [
'name' => $fileName 'name' => $fileName
]); ]);
$this->call('DELETE', $page->getUrl()); $this->call('DELETE', $page->getUrl());
$this->dontSeeInDatabase('attachments', [ $this->assertDatabaseMissing('attachments', [
'name' => $fileName 'name' => $fileName
]); ]);
$this->assertFalse(file_exists($filePath), 'File at path ' . $filePath . ' was not deleted as expected'); $this->assertFalse(file_exists($filePath), 'File at path ' . $filePath . ' was not deleted as expected');
$this->deleteUploads(); $this->deleteUploads();
} }
public function test_attachment_access_without_permission_shows_404()
{
$admin = $this->getAdmin();
$viewer = $this->getViewer();
$page = Page::first();
$this->actingAs($admin);
$fileName = 'permission_test.txt';
$this->uploadFile($fileName, $page->id);
$attachment = Attachment::orderBy('id', 'desc')->take(1)->first();
$page->restricted = true;
$page->permissions()->delete();
$page->save();
$this->app[PermissionService::class]->buildJointPermissionsForEntity($page);
$page->load('jointPermissions');
$this->actingAs($viewer);
$attachmentGet = $this->get($attachment->getUrl());
$attachmentGet->assertStatus(404);
$attachmentGet->assertSee("Attachment not found");
$this->deleteUploads();
}
} }

12
tests/TestCase.php
View File

@ -65,6 +65,18 @@ abstract class TestCase extends BaseTestCase
return $this->editor; return $this->editor;
} }
/**
* Get an instance of a user with 'viewer' permissions
* @param $attributes
* @return mixed
*/
protected function getViewer($attributes = [])
{
$user = \BookStack\Role::getRole('viewer')->users()->first();
if (!empty($attributes)) $user->forceFill($attributes)->save();
return $user;
}
/** /**
* Create and return a new book. * Create and return a new book.
* @param array $input * @param array $input