IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-12-01 21:19:41 -06:00
Code Issues Packages Projects Releases Wiki Activity
5b75b8c135
discourse/spec/requests/uploads_controller_spec.rb

574 lines
18 KiB
Ruby
Raw Normal View History

DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction
2019-04-29 19:27:42 -05:00
# frozen_string_literal: true
Prepare for separation of RSpec helper files Since rspec-rails 3, the default installation creates two helper files: * `spec_helper.rb` * `rails_helper.rb` `spec_helper.rb` is intended as a way of running specs that do not require Rails, whereas `rails_helper.rb` loads Rails (as Discourse's current `spec_helper.rb` does). For more information: https://www.relishapp.com/rspec/rspec-rails/docs/upgrade#default-helper-files In this commit, I've simply replaced all instances of `spec_helper` with `rails_helper`, and renamed the original `spec_helper.rb`. This brings the Discourse project closer to the standard usage of RSpec in a Rails app. At present, every spec relies on loading Rails, but there are likely many that don't need to. In a future pull request, I hope to introduce a separate, minimal `spec_helper.rb` which can be used in tests which don't rely on Rails.
2015-10-11 04:41:23 -05:00
require 'rails_helper'
add UploadsController specs
2013-04-02 18:17:17 -05:00
describe UploadsController do
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
fab!(:user) { Fabricate(:user) }
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
describe '#create' do
proper content-disposition header when downloading attachments
2013-09-06 12:18:42 -05:00
it 'requires you to be logged in' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json"
FIX: return 429 when admin api key is limited on admin route This also handles a general case where exceptions leak out prior to being handled by the application controller
2018-01-11 21:15:10 -06:00
expect(response.status).to eq(403)
add UploadsController specs
2013-04-02 18:17:17 -05:00
end
proper content-disposition header when downloading attachments
2013-09-06 12:18:42 -05:00
context 'logged in' do
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
before do
sign_in(user)
end
add UploadsController specs
2013-04-02 18:17:17 -05:00
remove useless upload topic direct association
2013-06-15 02:54:49 -05:00
let(:logo) do
Fix all the errors to get our tests green on Rails 5.1.
2017-08-30 23:06:56 -05:00
Rack::Test::UploadedFile.new(file_from_fixtures("logo.png"))
add UploadsController specs
2013-04-02 18:17:17 -05:00
end
SECURITY: ensure we never accept fake images
2015-12-21 09:08:14 -06:00
let(:fake_jpg) do
Fix all the errors to get our tests green on Rails 5.1.
2017-08-30 23:06:56 -05:00
Rack::Test::UploadedFile.new(file_from_fixtures("fake.jpg"))
SECURITY: ensure we never accept fake images
2015-12-21 09:08:14 -06:00
end
remove useless upload topic direct association
2013-06-15 02:54:49 -05:00
let(:text_file) do
Fix all the errors to get our tests green on Rails 5.1.
2017-08-30 23:06:56 -05:00
Rack::Test::UploadedFile.new(File.new("#{Rails.root}/LICENSE.txt"))
remove useless upload topic direct association
2013-06-15 02:54:49 -05:00
end
add UploadsController specs
2013-04-02 18:17:17 -05:00
replace the upload type whitelist with a sanitizer
2017-05-18 05:13:13 -05:00
it 'expects a type' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: { file: logo }
expect(response.status).to eq(400)
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation.
2017-08-22 15:40:01 -05:00
end
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-19 18:39:58 -05:00
it 'is successful with an image' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: { file: logo, type: "avatar" }
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-19 18:39:58 -05:00
expect(response.status).to eq 200
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
expect(JSON.parse(response.body)["id"]).to be_present
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(1)
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-19 18:39:58 -05:00
end
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive
2014-04-29 12:12:35 -05:00
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-19 18:39:58 -05:00
it 'is successful with an attachment' do
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-12 15:41:29 -05:00
SiteSetting.authorized_extensions = "*"
FEATURE: generate (avatar) thumbnails in a background task FIX: keep the "uploading..." indicator until the server replies via the MessageBus FIX: text was disapearing when uploading an avatar PERF: always use a region for S3 (defaults to 'us-east-1') FEATURE: ApplyCDN middleware when using S3 FIX: use the same pattern to store files on S3 and locally PERF: keep a local cache of uploads when generating thumbnails FEATURE: migrate_to_s3 rake task
2015-05-25 10:59:00 -05:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: { file: text_file, type: "composer" }
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-19 18:39:58 -05:00
expect(response.status).to eq 200
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-26 19:43:18 -06:00
id = JSON.parse(response.body)["id"]
expect(id).to be
FIX: Allow api to send uploads with :url
2015-06-21 06:52:52 -05:00
end
FIX: don't double request when downloading a file
2018-02-24 05:35:57 -06:00
it 'is successful with api' do
Support Ruby 2.4.
2017-04-14 23:11:02 -05:00
SiteSetting.authorized_extensions = "*"
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
api_key = Fabricate(:api_key, user: user).key
Use webmock to stub external web requests.
2017-05-26 02:19:09 -05:00
FIX: don't double request when downloading a file
2018-02-24 05:35:57 -06:00
url = "http://example.com/image.png"
png = File.read(Rails.root + "spec/fixtures/images/logo.png")
stub_request(:get, url).to_return(status: 200, body: png)
FIX: Allow api to send uploads with :url
2015-06-21 06:52:52 -05:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: { url: url, type: "avatar", api_key: api_key, api_username: user.username }
FIX: Allow api to send uploads with :url
2015-06-21 06:52:52 -05:00
json = ::JSON.parse(response.body)
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
expect(response.status).to eq(200)
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(1)
expect(json["id"]).to be_present
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation.
2017-08-22 15:40:01 -05:00
expect(json["short_url"]).to eq("upload://qUm0DGR49PAZshIi7HxMd3cAlzn.png")
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-19 18:39:58 -05:00
end
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive
2014-04-29 12:12:35 -05:00
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-19 18:39:58 -05:00
it 'correctly sets retain_hours for admins' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
sign_in(Fabricate(:admin))
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive
2014-04-29 12:12:35 -05:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: {
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-26 19:43:18 -06:00
file: logo,
retain_hours: 100,
type: "profile_background",
}
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive
2014-04-29 12:12:35 -05:00
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-26 19:43:18 -06:00
id = JSON.parse(response.body)["id"]
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-19 18:39:58 -05:00
expect(Upload.find(id).retain_hours).to eq(100)
remove useless upload topic direct association
2013-06-15 02:54:49 -05:00
end
add UploadsController specs
2013-04-02 18:17:17 -05:00
FIX: ensure a file is present when creating an upload
2015-08-18 04:39:51 -05:00
it 'requires a file' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: { type: "composer" }
FIX: ensure a file is present when creating an upload
2015-08-18 04:39:51 -05:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-26 19:43:18 -06:00
message = JSON.parse(response.body)
expect(response.status).to eq 422
expect(message["errors"]).to contain_exactly(I18n.t("upload.file_missing"))
FIX: ensure a file is present when creating an upload
2015-08-18 04:39:51 -05:00
end
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread
2015-05-19 18:39:58 -05:00
it 'properly returns errors' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
SiteSetting.authorized_extensions = "*"
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-12 15:41:29 -05:00
SiteSetting.max_attachment_size_kb = 1
add UploadsController specs
2013-04-02 18:17:17 -05:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: { file: text_file, type: "avatar" }
FEATURE: generate (avatar) thumbnails in a background task FIX: keep the "uploading..." indicator until the server replies via the MessageBus FIX: text was disapearing when uploading an avatar PERF: always use a region for S3 (defaults to 'us-east-1') FEATURE: ApplyCDN middleware when using S3 FIX: use the same pattern to store files on S3 and locally PERF: keep a local cache of uploads when generating thumbnails FEATURE: migrate_to_s3 rake task
2015-05-25 10:59:00 -05:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
expect(response.status).to eq(422)
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-26 19:43:18 -06:00
errors = JSON.parse(response.body)["errors"]
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
expect(errors.first).to eq(I18n.t("upload.attachments.too_large", max_size_kb: 1))
add UploadsController specs
2013-04-02 18:17:17 -05:00
end
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side
2015-11-12 03:26:45 -06:00
it 'ensures allow_uploaded_avatars is enabled when uploading an avatar' do
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-12 15:41:29 -05:00
SiteSetting.allow_uploaded_avatars = false
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: { file: logo, type: "avatar" }
expect(response.status).to eq(422)
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side
2015-11-12 03:26:45 -06:00
end
it 'ensures sso_overrides_avatar is not enabled when uploading an avatar' do
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-12 15:41:29 -05:00
SiteSetting.sso_overrides_avatar = true
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: { file: logo, type: "avatar" }
expect(response.status).to eq(422)
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side
2015-11-12 03:26:45 -06:00
end
FIX: Always allow admins upload selectable avatars.
2018-12-05 06:35:59 -06:00
it 'always allows admins to upload avatars' do
sign_in(Fabricate(:admin))
SiteSetting.allow_uploaded_avatars = false
post "/uploads.json", params: { file: logo, type: "avatar" }
expect(response.status).to eq(200)
end
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-12 15:41:29 -05:00
it 'allows staff to upload any file in PM' do
SiteSetting.authorized_extensions = "jpg"
SiteSetting.allow_staff_to_upload_any_file_in_pm = true
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
user.update_columns(moderator: true)
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-12 15:41:29 -05:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: {
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-26 19:43:18 -06:00
file: text_file,
type: "composer",
for_private_message: "true",
}
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-12 15:41:29 -05:00
DEV: Assert for 200 response code to avoid changing magic helper in the future.
2018-06-07 03:11:09 -05:00
expect(response.status).to eq(200)
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-26 19:43:18 -06:00
id = JSON.parse(response.body)["id"]
FEATURE: Upload Site Settings. (#6573)
2018-11-14 01:03:02 -06:00
expect(Upload.last.id).to eq(id)
end
it 'allows staff to upload supported images for site settings' do
SiteSetting.authorized_extensions = ''
user.update!(admin: true)
post "/uploads.json", params: {
file: logo,
type: "site_setting",
for_site_setting: "true",
}
expect(response.status).to eq(200)
id = JSON.parse(response.body)["id"]
upload = Upload.last
expect(upload.id).to eq(id)
expect(upload.original_filename).to eq('logo.png')
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-12 15:41:29 -05:00
end
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 03:44:24 -06:00
it 'respects `authorized_extensions_for_staff` setting when staff upload file' do
SiteSetting.authorized_extensions = ""
SiteSetting.authorized_extensions_for_staff = "*"
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
user.update_columns(moderator: true)
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 03:44:24 -06:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: {
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 03:44:24 -06:00
file: text_file,
type: "composer",
}
DEV: Assert for 200 response code to avoid changing magic helper in the future.
2018-06-07 03:11:09 -05:00
expect(response.status).to eq(200)
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 03:44:24 -06:00
data = JSON.parse(response.body)
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
expect(data["id"]).to be_present
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 03:44:24 -06:00
end
it 'ignores `authorized_extensions_for_staff` setting when non-staff upload file' do
SiteSetting.authorized_extensions = ""
SiteSetting.authorized_extensions_for_staff = "*"
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: {
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus
2018-02-19 03:44:24 -06:00
file: text_file,
type: "composer",
}
data = JSON.parse(response.body)
expect(data["errors"].first).to eq(I18n.t("upload.unauthorized", authorized_extensions: ''))
end
SECURITY: ensure we never accept fake images
2015-12-21 09:08:14 -06:00
it 'returns an error when it could not determine the dimensions of an image' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
post "/uploads.json", params: { file: fake_jpg, type: "composer" }
SECURITY: ensure we never accept fake images
2015-12-21 09:08:14 -06:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
expect(response.status).to eq(422)
expect(Jobs::CreateAvatarThumbnails.jobs.size).to eq(0)
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-26 19:43:18 -06:00
message = JSON.parse(response.body)["errors"]
expect(message).to contain_exactly(I18n.t("upload.images.size_not_found"))
SECURITY: ensure we never accept fake images
2015-12-21 09:08:14 -06:00
end
add UploadsController specs
2013-04-02 18:17:17 -05:00
end
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
def upload_file(file, folder = "images")
fake_logo = Rack::Test::UploadedFile.new(file_from_fixtures(file, folder))
SiteSetting.authorized_extensions = "*"
sign_in(user)
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
post "/uploads.json", params: {
file: fake_logo,
type: "composer",
}
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
expect(response.status).to eq(200)
DEV: Improve specs to use `upload_s3` fabricator.
2019-05-14 19:42:17 -05:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
url = JSON.parse(response.body)["url"]
upload = Upload.get_from_url(url)
upload
end
DEV: Improve specs to use `upload_s3` fabricator.
2019-05-14 19:42:17 -05:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
describe '#show' do
let(:site) { "default" }
let(:sha) { Digest::SHA1.hexdigest("discourse") }
FIX: consistent and future-proof upload storage pattern
2015-05-19 05:31:12 -05:00
FIX: return 404 only if upload url also not internal.
2019-05-14 15:36:54 -05:00
context "when using external storage" do
DEV: Improve specs to use `upload_s3` fabricator.
2019-05-14 19:42:17 -05:00
fab!(:upload) { upload_file("small.pdf", "pdf") }
FIX: return 404 only if upload url also not internal.
2019-05-14 15:36:54 -05:00
before do
SiteSetting.enable_s3_uploads = true
SiteSetting.s3_access_key_id = "fakeid7974664"
SiteSetting.s3_secret_access_key = "fakesecretid7974664"
end
FIX: consistent and future-proof upload storage pattern
2015-05-19 05:31:12 -05:00
DEV: Improve specs to use `upload_s3` fabricator.
2019-05-14 19:42:17 -05:00
it "returns 404 " do
upload = Fabricate(:upload_s3)
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
FIX: return 404 only if upload url also not internal.
2019-05-14 15:36:54 -05:00
expect(response.response_code).to eq(404)
end
it "returns upload if url not migrated" do
DEV: Improve specs to use `upload_s3` fabricator.
2019-05-14 19:42:17 -05:00
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
FIX: return 404 only if upload url also not internal.
2019-05-14 15:36:54 -05:00
expect(response.status).to eq(200)
end
proper content-disposition header when downloading attachments
2013-09-06 12:18:42 -05:00
end
add test case for handling uploads without extension
2016-12-19 12:39:04 -06:00
it "returns 404 when the upload doesn't exist" do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
get "/uploads/#{site}/#{sha}.pdf"
expect(response.status).to eq(404)
proper content-disposition header when downloading attachments
2013-09-06 12:18:42 -05:00
end
FIX: Better error handling if a file cannot be sent If for some reason `Discourse.store.path_for` returns `nil`, the forum would throw an error rather than returning 404. Why would it be `nil`? One cause could be changing the type of file store and having the `url` field no longer be relative.
2019-01-29 15:47:25 -06:00
it "returns 404 when the path is nil" do
upload = upload_file("logo.png")
upload.update_column(:url, "invalid-url")
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
expect(response.status).to eq(404)
end
proper content-disposition header when downloading attachments
2013-09-06 12:18:42 -05:00
it 'uses send_file' do
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
upload = upload_file("logo.png")
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
expect(response.status).to eq(200)
DEV: Add support for Rails 6 Minor fixes to add Rails 6 support to Discourse, we now will boot with RAILS_MASTER=1, all specs pass Only one tiny deprecation left Largest change was the way ActiveModel:Errors changed interface a bit but there is a simple backwards compat way of working it
2019-04-30 01:58:18 -05:00
FIX: Correctly encode non-ASCII filenames in HTTP header Backport of fix from Rails 6: https://github.com/rails/rails/commit/890485cfce4c361c03a41ec23b0ba187007818cc
2019-08-07 10:00:43 -05:00
expect(response.headers["Content-Disposition"])
.to eq(%Q|attachment; filename="logo.png"; filename*=UTF-8''logo.png|)
proper content-disposition header when downloading attachments
2013-09-06 12:18:42 -05:00
end
FIX: Allow themes to upload and serve js files (#8188) If you set `config.public_file_server.enabled = false` when you try to get uploaded js file you will get an error: `Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.` The reason is that content type is `application/javascript` and in Rails 5 guard looked like that: https://github.com/rails/rails/blob/5-2-stable/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L278-L280 However, in Rails 6 `application` was added to regex: https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L282-L284 This pull request is related to https://meta.discourse.org/t/uploaded-js-file-for-theme-causes-a-rejection/129753/8
2019-10-13 23:40:33 -05:00
it 'returns 200 when js file' do
Revert "FIX: public_file_server.enabled is false in test (#8192)" (#8196) This reverts commit 5a8fdd02fe209872b2e2452b9b83e227dfed1727.
2019-10-15 18:39:31 -05:00
ActionDispatch::FileHandler.any_instance.stubs(:match?).returns(false)
FIX: Allow themes to upload and serve js files (#8188) If you set `config.public_file_server.enabled = false` when you try to get uploaded js file you will get an error: `Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.` The reason is that content type is `application/javascript` and in Rails 5 guard looked like that: https://github.com/rails/rails/blob/5-2-stable/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L278-L280 However, in Rails 6 `application` was added to regex: https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L282-L284 This pull request is related to https://meta.discourse.org/t/uploaded-js-file-for-theme-causes-a-rejection/129753/8
2019-10-13 23:40:33 -05:00
upload = upload_file("test.js", "themes")
get upload.url
expect(response.status).to eq(200)
end
correct specs
2018-08-19 21:41:46 -05:00
it "handles image without extension" do
add test case for handling uploads without extension
2016-12-19 12:39:04 -06:00
SiteSetting.authorized_extensions = "*"
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
upload = upload_file("image_no_extension")
add test case for handling uploads without extension
2016-12-19 12:39:04 -06:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
get "/uploads/#{site}/#{upload.sha1}.json"
expect(response.status).to eq(200)
FIX: Correctly encode non-ASCII filenames in HTTP header Backport of fix from Rails 6: https://github.com/rails/rails/commit/890485cfce4c361c03a41ec23b0ba187007818cc
2019-08-07 10:00:43 -05:00
expect(response.headers["Content-Disposition"])
.to eq(%Q|attachment; filename="image_no_extension.png"; filename*=UTF-8''image_no_extension.png|)
correct specs
2018-08-19 21:41:46 -05:00
end
it "handles file without extension" do
SiteSetting.authorized_extensions = "*"
upload = upload_file("not_an_image")
get "/uploads/#{site}/#{upload.sha1}.json"
expect(response.status).to eq(200)
FIX: Correctly encode non-ASCII filenames in HTTP header Backport of fix from Rails 6: https://github.com/rails/rails/commit/890485cfce4c361c03a41ec23b0ba187007818cc
2019-08-07 10:00:43 -05:00
expect(response.headers["Content-Disposition"])
.to eq(%Q|attachment; filename="not_an_image"; filename*=UTF-8''not_an_image|)
add test case for handling uploads without extension
2016-12-19 12:39:04 -06:00
end
FEATURE: new 'prevent anons from download files' site setting
2014-09-09 11:40:11 -05:00
context "prevent anons from downloading files" do
it "returns 404 when an anonymous user tries to download a file" do
DEV: fix and skip upload_controller test This test of `prevent_anons_from_downloading_files` was testing an image instead of an attachment and it was testing the wrong upload URL. I fixed the test, but with `config.public_file_server.enabled = true` on the test environment, this will always fail, as preventing anonymous file downloads depends on nginx. So, I marked the test as skipped, for now.
2019-04-18 11:58:39 -05:00
upload = upload_file("small.pdf", "pdf")
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
delete "/session/#{user.username}.json"
FIX: consistent and future-proof upload storage pattern
2015-05-19 05:31:12 -05:00
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
SiteSetting.prevent_anons_from_downloading_files = true
FEATURE: Support private attachments when using S3 storage (#7677) * Support private uploads in S3 * Use localStore for local avatars * Add job to update private upload ACL on S3 * Test multisite paths * update ACL for private uploads in migrate_to_s3 task
2019-06-05 22:27:24 -05:00
get "/uploads/#{site}/#{upload.sha1}.#{upload.extension}"
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
expect(response.status).to eq(404)
FEATURE: new 'prevent anons from download files' site setting
2014-09-09 11:40:11 -05:00
end
end
proper content-disposition header when downloading attachments
2013-09-06 12:18:42 -05:00
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
describe "#show_short" do
SECURITY: Ensure only image uploads can be inlined This prevents malicious files (for example special crafted XMLs) to be used in XSS attacks.
2019-12-11 07:21:41 -06:00
it 'inlines only supported image files' do
upload = upload_file("smallest.png")
get upload.short_path, params: { inline: true }
expect(response.header['Content-Type']).to eq('image/png')
expect(response.header['Content-Disposition']).to include('inline;')
upload.update!(original_filename: "test.xml")
get upload.short_path, params: { inline: true }
expect(response.header['Content-Type']).to eq('application/xml')
expect(response.header['Content-Disposition']).to include('attachment;')
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
describe "local store" do
fab!(:image_upload) { upload_file("smallest.png") }
it "returns the right response" do
get image_upload.short_path
expect(response.status).to eq(200)
expect(response.headers["Content-Disposition"])
.to include("attachment; filename=\"#{image_upload.original_filename}\"")
end
it "returns the right response when `inline` param is given" do
get "#{image_upload.short_path}?inline=1"
expect(response.status).to eq(200)
expect(response.headers["Content-Disposition"])
.to include("inline; filename=\"#{image_upload.original_filename}\"")
end
it "returns the right response when base62 param is invalid " do
get "/uploads/short-url/12345.png"
expect(response.status).to eq(404)
end
FIX: allow underscore in file extension while downloading the uploads.
2020-01-02 22:39:07 -06:00
it "returns uploads with underscore in extension correctly" do
fake_upload = upload_file("fake.not_image")
get fake_upload.short_path
expect(response.status).to eq(200)
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
it "returns the right response when anon tries to download a file " \
"when prevent_anons_from_downloading_files is true" do
delete "/session/#{user.username}.json"
SiteSetting.prevent_anons_from_downloading_files = true
get image_upload.short_path
expect(response.status).to eq(404)
end
end
describe "s3 store" do
let(:upload) { Fabricate(:upload_s3) }
before do
SiteSetting.enable_s3_uploads = true
SiteSetting.s3_access_key_id = "fakeid7974664"
SiteSetting.s3_secret_access_key = "fakesecretid7974664"
end
it "should redirect to the s3 URL" do
get upload.short_path
expect(response).to redirect_to(upload.url)
end
end
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 19:25:42 -06:00
describe "#show_secure" do
describe "local store" do
fab!(:image_upload) { upload_file("smallest.png") }
it "does not return secure media when using local store" do
secure_url = image_upload.url.sub("/uploads", "/secure-media-uploads")
get secure_url
expect(response.status).to eq(404)
end
end
describe "s3 store" do
let(:upload) { Fabricate(:upload_s3) }
before do
SiteSetting.enable_s3_uploads = true
SiteSetting.s3_upload_bucket = "s3-upload-bucket"
SiteSetting.s3_access_key_id = "fakeid7974664"
SiteSetting.s3_secret_access_key = "fakesecretid7974664"
DEV: Bump aws-sdk-sns from 1.13.0 to 1.21.0 (#8490) Bumps [aws-sdk-sns](https://github.com/aws/aws-sdk-ruby) from 1.13.0 to 1.21.0. - [Release notes](https://github.com/aws/aws-sdk-ruby/releases) - [Changelog](https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-sns/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-ruby/compare/1.13.0...1.21.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2019-12-11 08:13:17 -06:00
SiteSetting.s3_region = "us-east-1"
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 19:25:42 -06:00
SiteSetting.secure_media = true
end
it "should return 404 for anonymous requests requests" do
secure_url = upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads")
get secure_url
expect(response.status).to eq(404)
end
it "should return signed url for legitimate request" do
secure_url = upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads")
sign_in(user)
FIX: Update S3 stubs for more aws-sdk API changes (#8534)
2019-12-11 13:26:52 -06:00
stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 19:25:42 -06:00
get secure_url
expect(response.status).to eq(302)
expect(response.redirect_url).to match("Amz-Expires")
end
it "should return secure media URL when looking up urls" do
upload.update_column(:secure, true)
sign_in(user)
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
expect(response.status).to eq(200)
result = JSON.parse(response.body)
expect(result[0]["url"]).to match("secure-media-uploads")
end
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-06 20:27:24 -06:00
context "when secure media is disabled" do
before do
SiteSetting.secure_media = false
end
Still redirect to signed URL for secure uploads if SiteSetting.secure_media is disabled we still want to redirect to the signed url for uploads that are marked as secure because their ACLs are probably still private
2020-01-06 22:02:17 -06:00
context "if the upload is secure false, meaning the ACL is probably public" do
before do
upload.update(secure: false)
end
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-06 20:27:24 -06:00
Still redirect to signed URL for secure uploads if SiteSetting.secure_media is disabled we still want to redirect to the signed url for uploads that are marked as secure because their ACLs are probably still private
2020-01-06 22:02:17 -06:00
it "should redirect to the regular show route" do
secure_url = upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads")
sign_in(user)
stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-06 20:27:24 -06:00
Still redirect to signed URL for secure uploads if SiteSetting.secure_media is disabled we still want to redirect to the signed url for uploads that are marked as secure because their ACLs are probably still private
2020-01-06 22:02:17 -06:00
get secure_url
expect(response.status).to eq(302)
expect(response.redirect_url).to eq(Discourse.store.cdn_url(upload.url))
end
end
context "if the upload is secure true, meaning the ACL is probably private" do
before do
upload.update(secure: true)
end
it "should redirect to the presigned URL still otherwise we will get a 403" do
secure_url = upload.url.sub(SiteSetting.Upload.absolute_base_url, "/secure-media-uploads")
sign_in(user)
stub_request(:head, "https://#{SiteSetting.s3_upload_bucket}.s3.amazonaws.com/")
get secure_url
expect(response.status).to eq(302)
expect(response.redirect_url).to match("Amz-Expires")
end
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-06 20:27:24 -06:00
end
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 19:25:42 -06:00
end
end
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
describe '#lookup_urls' do
it 'can look up long urls' do
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
sign_in(user)
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
upload = Fabricate(:upload)
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
expect(response.status).to eq(200)
result = JSON.parse(response.body)
expect(result[0]["url"]).to eq(upload.url)
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
expect(result[0]["short_path"]).to eq(upload.short_path)
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 19:25:42 -06:00
describe 'secure media' do
let(:upload) { Fabricate(:upload_s3, secure: true) }
before do
SiteSetting.authorized_extensions = "pdf|png"
SiteSetting.s3_upload_bucket = "s3-upload-bucket"
SiteSetting.s3_access_key_id = "s3-access-key-id"
SiteSetting.s3_secret_access_key = "s3-secret-access-key"
SiteSetting.enable_s3_uploads = true
SiteSetting.secure_media = true
end
it 'returns secure url for a secure media upload' do
sign_in(user)
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
expect(response.status).to eq(200)
result = JSON.parse(response.body)
expect(result[0]["url"]).to match("/secure-media-uploads")
expect(result[0]["short_path"]).to eq(upload.short_path)
end
it 'does not return secure urls for non-media uploads' do
upload.update!(original_filename: "not-an-image.pdf", extension: "pdf")
sign_in(user)
post "/uploads/lookup-urls.json", params: { short_urls: [upload.short_url] }
expect(response.status).to eq(200)
result = JSON.parse(response.body)
expect(result[0]["url"]).not_to match("/secure-media-uploads")
expect(result[0]["short_path"]).to eq(upload.short_path)
end
end
REFACTOR: uploads controller specs to requests (#5907)
2018-06-03 22:13:52 -05:00
end
UX: Lightbox support for image uploader. (#7034)
2019-02-20 20:13:37 -06:00
describe '#metadata' do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 22:12:20 -05:00
fab!(:upload) { Fabricate(:upload) }
UX: Lightbox support for image uploader. (#7034)
2019-02-20 20:13:37 -06:00
describe 'when url is missing' do
it 'should return the right response' do
post "/uploads/lookup-metadata.json"
expect(response.status).to eq(403)
end
end
describe 'when not signed in' do
it 'should return the right response' do
post "/uploads/lookup-metadata.json", params: { url: upload.url }
expect(response.status).to eq(403)
end
end
describe 'when signed in' do
before do
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 20:00:25 -05:00
sign_in(user)
UX: Lightbox support for image uploader. (#7034)
2019-02-20 20:13:37 -06:00
end
describe 'when url is invalid' do
it 'should return the right response' do
post "/uploads/lookup-metadata.json", params: { url: 'abc' }
expect(response.status).to eq(404)
end
end
it "should return the right response" do
post "/uploads/lookup-metadata.json", params: { url: upload.url }
expect(response.status).to eq(200)
result = JSON.parse(response.body)
expect(result["original_filename"]).to eq(upload.original_filename)
expect(result["width"]).to eq(upload.width)
expect(result["height"]).to eq(upload.height)
expect(result["human_filesize"]).to eq(upload.human_filesize)
end
end
end
add UploadsController specs
2013-04-02 18:17:17 -05:00
end
Reference in New Issue Copy Permalink