PLT-7718 Patch for files (#7564)

* Patch for files * Fix merge * Fix tests * Fix another test
2025-02-25 18:55:24 -06:00 · 2017-10-04 11:42:38 -04:00
parent fa80cb10a8
commit fadd9514f6
7 changed files with 52 additions and 9 deletions
--- a/api/file_test.go
+++ b/api/file_test.go
@@ -24,7 +24,7 @@ import (
 )

 func TestUploadFile(t *testing.T) {
-	th := Setup().InitBasic()
+	th := Setup().InitBasic().InitSystemAdmin()
 	defer th.TearDown()

 	if *utils.Cfg.FileSettings.DriverName == "" {
@@ -38,7 +38,9 @@ func TestUploadFile(t *testing.T) {
 	channel := th.BasicChannel

 	var uploadInfo *model.FileInfo
-	if data, err := readTestFile("test.png"); err != nil {
+	var data []byte
+	var err error
+	if data, err = readTestFile("test.png"); err != nil {
 		t.Fatal(err)
 	} else if resp, err := Client.UploadPostAttachment(data, channel.Id, "test.png"); err != nil {
 		t.Fatal(err)
@@ -103,6 +105,22 @@ func TestUploadFile(t *testing.T) {
 		t.Fatalf("file preview should've been saved in %v", expectedPreviewPath)
 	}

+	if _, err := Client.UploadPostAttachment(data, model.NewId(), "test.png"); err == nil || err.StatusCode != http.StatusForbidden {
+		t.Fatal("should have failed - bad channel id")
+	}
+
+	if _, err := Client.UploadPostAttachment(data, "../../junk", "test.png"); err == nil || err.StatusCode != http.StatusForbidden {
+		t.Fatal("should have failed - bad channel id")
+	}
+
+	if _, err := th.SystemAdminClient.UploadPostAttachment(data, model.NewId(), "test.png"); err == nil || err.StatusCode != http.StatusForbidden {
+		t.Fatal("should have failed - bad channel id")
+	}
+
+	if _, err := th.SystemAdminClient.UploadPostAttachment(data, "../../junk", "test.png"); err == nil || err.StatusCode != http.StatusForbidden {
+		t.Fatal("should have failed - bad channel id")
+	}
+
 	enableFileAttachments := *utils.Cfg.FileSettings.EnableFileAttachments
 	defer func() {
 		*utils.Cfg.FileSettings.EnableFileAttachments = enableFileAttachments
--- a/api4/channel_test.go
+++ b/api4/channel_test.go
@@ -1475,7 +1475,7 @@ func TestGetChannelUnread(t *testing.T) {
 	CheckNoError(t, resp)

 	_, resp = th.SystemAdminClient.GetChannelUnread(model.NewId(), user.Id)
-	CheckNotFoundStatus(t, resp)
+	CheckForbiddenStatus(t, resp)

 	_, resp = th.SystemAdminClient.GetChannelUnread(channel.Id, model.NewId())
 	CheckNotFoundStatus(t, resp)
--- a/api4/file_test.go
+++ b/api4/file_test.go
@@ -102,6 +102,15 @@ func TestUploadFile(t *testing.T) {
 	_, resp := Client.UploadFile(data, model.NewId(), "test.png")
 	CheckForbiddenStatus(t, resp)

+	_, resp = Client.UploadFile(data, "../../junk", "test.png")
+	CheckForbiddenStatus(t, resp)
+
+	_, resp = th.SystemAdminClient.UploadFile(data, model.NewId(), "test.png")
+	CheckForbiddenStatus(t, resp)
+
+	_, resp = th.SystemAdminClient.UploadFile(data, "../../junk", "test.png")
+	CheckForbiddenStatus(t, resp)
+
 	_, resp = th.SystemAdminClient.UploadFile(data, channel.Id, "test.png")
 	CheckNoError(t, resp)

--- a/api4/webhook_test.go
+++ b/api4/webhook_test.go
@@ -391,11 +391,7 @@ func TestGetOutgoingWebhooks(t *testing.T) {
 	}

 	hooks, resp = th.SystemAdminClient.GetOutgoingWebhooksForChannel(model.NewId(), 0, 1000, "")
-	CheckNoError(t, resp)
-
-	if len(hooks) != 0 {
-		t.Fatal("no hooks should be returned")
-	}
+	CheckForbiddenStatus(t, resp)

 	_, resp = Client.GetOutgoingWebhooks(0, 1000, "")
 	CheckForbiddenStatus(t, resp)
--- a/app/authorization.go
+++ b/app/authorization.go
@@ -4,6 +4,7 @@
 package app

 import (
+	"net/http"
 	"strings"

 	l4g "github.com/alecthomas/log4go"
@@ -50,6 +51,8 @@ func (a *App) SessionHasPermissionToChannel(session model.Session, channelId str
 	channel, err := a.GetChannel(channelId)
 	if err == nil && channel.TeamId != "" {
 		return SessionHasPermissionToTeam(session, channel.TeamId, permission)
+	} else if err != nil && err.StatusCode == http.StatusNotFound {
+		return false
 	}

 	return SessionHasPermissionTo(session, permission)
--- a/app/file.go
+++ b/app/file.go
@@ -291,8 +291,11 @@ func (a *App) UploadFiles(teamId string, channelId string, userId string, fileHe
 	return resStruct, nil
 }

-func (a *App) DoUploadFile(now time.Time, teamId string, channelId string, userId string, rawFilename string, data []byte) (*model.FileInfo, *model.AppError) {
+func (a *App) DoUploadFile(now time.Time, rawTeamId string, rawChannelId string, rawUserId string, rawFilename string, data []byte) (*model.FileInfo, *model.AppError) {
 	filename := filepath.Base(rawFilename)
+	teamId := filepath.Base(rawTeamId)
+	channelId := filepath.Base(rawChannelId)
+	userId := filepath.Base(rawUserId)

 	info, err := model.GetInfoForBytes(filename, data)
 	if err != nil {
--- a/app/file_test.go
+++ b/app/file_test.go
@@ -85,4 +85,18 @@ func TestDoUploadFile(t *testing.T) {
 	if info3.Path != fmt.Sprintf("20080305/teams/%v/channels/%v/users/%v/%v/%v", teamId, channelId, userId, info3.Id, filename) {
 		t.Fatal("stored file at incorrect path", info3.Path)
 	}
+
+	info4, err := th.App.DoUploadFile(time.Date(2009, 3, 5, 1, 2, 3, 4, time.Local), "../../"+teamId, "../../"+channelId, "../../"+userId, "../../"+filename, data)
+	if err != nil {
+		t.Fatal(err)
+	} else {
+		defer func() {
+			<-th.App.Srv.Store.FileInfo().PermanentDelete(info3.Id)
+			utils.RemoveFile(info3.Path)
+		}()
+	}
+
+	if info4.Path != fmt.Sprintf("20090305/teams/%v/channels/%v/users/%v/%v/%v", teamId, channelId, userId, info4.Id, filename) {
+		t.Fatal("stored file at incorrect path", info4.Path)
+	}
 }