-<?php namespace Tests;
+<?php namespace Tests\Uploads;
+use BookStack\Entities\Tools\TrashCan;
+use BookStack\Entities\Repos\PageRepo;
use BookStack\Uploads\Attachment;
-use BookStack\Entities\Page;
+use BookStack\Entities\Models\Page;
use BookStack\Auth\Permissions\PermissionService;
+use BookStack\Uploads\AttachmentService;
+use Illuminate\Http\UploadedFile;
+use Tests\TestCase;
+use Tests\TestResponse;
class AttachmentTest extends TestCase
{
/**
* Get a test file that can be uploaded
- * @param $fileName
- * @return \Illuminate\Http\UploadedFile
*/
- protected function getTestFile($fileName)
+ protected function getTestFile(string $fileName): UploadedFile
{
- return new \Illuminate\Http\UploadedFile(base_path('tests/test-data/test-file.txt'), $fileName, 'text/plain', 55, null, true);
+ return new UploadedFile(base_path('tests/test-data/test-file.txt'), $fileName, 'text/plain', 55, null, true);
}
/**
* Uploads a file with the given name.
- * @param $name
- * @param int $uploadedTo
- * @return \Illuminate\Foundation\Testing\TestResponse
*/
- protected function uploadFile($name, $uploadedTo = 0)
+ protected function uploadFile(string $name, int $uploadedTo = 0): \Illuminate\Foundation\Testing\TestResponse
{
$file = $this->getTestFile($name);
return $this->call('POST', '/attachments/upload', ['uploaded_to' => $uploadedTo], [], ['file' => $file], []);
}
/**
- * Get the expected upload path for a file.
- * @param $fileName
- * @return string
+ * Create a new attachment
*/
- protected function getUploadPath($fileName)
+ protected function createAttachment(Page $page): Attachment
{
- return 'uploads/files/' . Date('Y-m-M') . '/' . $fileName;
+ $this->post('attachments/link', [
+ 'attachment_link_url' => 'https://example.com',
+ 'attachment_link_name' => 'Example Attachment Link',
+ 'attachment_link_uploaded_to' => $page->id,
+ ]);
+
+ return Attachment::query()->latest()->first();
}
/**
*/
protected function deleteUploads()
{
- $fileService = $this->app->make(\BookStack\Uploads\AttachmentService::class);
- foreach (\BookStack\Uploads\Attachment::all() as $file) {
+ $fileService = $this->app->make(AttachmentService::class);
+ foreach (Attachment::all() as $file) {
$fileService->deleteFile($file);
}
}
'order' => 1,
'created_by' => $admin->id,
'updated_by' => $admin->id,
- 'path' => $this->getUploadPath($fileName)
];
$upload = $this->uploadFile($fileName, $page->id);
$upload->assertStatus(200);
+
+ $attachment = Attachment::query()->orderBy('id', 'desc')->first();
+ $expectedResp['path'] = $attachment->path;
+
$upload->assertJson($expectedResp);
$this->assertDatabaseHas('attachments', $expectedResp);
$this->deleteUploads();
}
+ public function test_file_upload_does_not_use_filename()
+ {
+ $page = Page::first();
+ $fileName = 'upload_test_file.txt';
+
+
+ $upload = $this->asAdmin()->uploadFile($fileName, $page->id);
+ $upload->assertStatus(200);
+
+ $attachment = Attachment::query()->orderBy('id', 'desc')->first();
+ $this->assertStringNotContainsString($fileName, $attachment->path);
+ $this->assertStringEndsWith('.txt', $attachment->path);
+ }
+
public function test_file_display_and_access()
{
$page = Page::first();
$this->asAdmin();
$linkReq = $this->call('POST', 'attachments/link', [
- 'link' => 'https://example.com',
- 'name' => 'Example Attachment Link',
- 'uploaded_to' => $page->id,
+ 'attachment_link_url' => 'https://example.com',
+ 'attachment_link_name' => 'Example Attachment Link',
+ 'attachment_link_uploaded_to' => $page->id,
]);
- $expectedResp = [
+ $expectedData = [
'path' => 'https://example.com',
'name' => 'Example Attachment Link',
'uploaded_to' => $page->id,
];
$linkReq->assertStatus(200);
- $linkReq->assertJson($expectedResp);
- $this->assertDatabaseHas('attachments', $expectedResp);
+ $this->assertDatabaseHas('attachments', $expectedData);
$attachment = Attachment::orderBy('id', 'desc')->take(1)->first();
$pageGet = $this->get($page->getUrl());
$page = Page::first();
$this->asAdmin();
- $this->call('POST', 'attachments/link', [
- 'link' => 'https://example.com',
- 'name' => 'Example Attachment Link',
- 'uploaded_to' => $page->id,
- ]);
-
- $attachmentId = \BookStack\Uploads\Attachment::first()->id;
-
- $update = $this->call('PUT', 'attachments/' . $attachmentId, [
- 'uploaded_to' => $page->id,
- 'name' => 'My new attachment name',
- 'link' => 'https://test.example.com'
+ $attachment = $this->createAttachment($page);
+ $update = $this->call('PUT', 'attachments/' . $attachment->id, [
+ 'attachment_edit_name' => 'My new attachment name',
+ 'attachment_edit_url' => 'https://test.example.com'
]);
- $expectedResp = [
+ $expectedData = [
+ 'id' => $attachment->id,
'path' => 'https://test.example.com',
'name' => 'My new attachment name',
'uploaded_to' => $page->id
];
$update->assertStatus(200);
- $update->assertJson($expectedResp);
- $this->assertDatabaseHas('attachments', $expectedResp);
+ $this->assertDatabaseHas('attachments', $expectedData);
$this->deleteUploads();
}
$fileName = 'deletion_test.txt';
$this->uploadFile($fileName, $page->id);
- $filePath = base_path('storage/' . $this->getUploadPath($fileName));
+ $attachment = Attachment::query()->orderBy('id', 'desc')->first();
+ $filePath = storage_path($attachment->path);
$this->assertTrue(file_exists($filePath), 'File at path ' . $filePath . ' does not exist');
- $attachment = \BookStack\Uploads\Attachment::first();
+ $attachment = Attachment::first();
$this->delete($attachment->getUrl());
$this->assertDatabaseMissing('attachments', [
$fileName = 'deletion_test.txt';
$this->uploadFile($fileName, $page->id);
- $filePath = base_path('storage/' . $this->getUploadPath($fileName));
+ $attachment = Attachment::query()->orderBy('id', 'desc')->first();
+ $filePath = storage_path($attachment->path);
$this->assertTrue(file_exists($filePath), 'File at path ' . $filePath . ' does not exist');
$this->assertDatabaseHas('attachments', [
'name' => $fileName
]);
- $this->call('DELETE', $page->getUrl());
+ app(PageRepo::class)->destroy($page);
+ app(TrashCan::class)->empty();
$this->assertDatabaseMissing('attachments', [
'name' => $fileName
{
$admin = $this->getAdmin();
$viewer = $this->getViewer();
- $page = Page::first();
+ $page = Page::first(); /** @var Page $page */
$this->actingAs($admin);
$fileName = 'permission_test.txt';
$page->restricted = true;
$page->permissions()->delete();
$page->save();
- $this->app[PermissionService::class]->buildJointPermissionsForEntity($page);
+ $page->rebuildPermissions();
$page->load('jointPermissions');
$this->actingAs($viewer);
$this->deleteUploads();
}
+
+ public function test_data_and_js_links_cannot_be_attached_to_a_page()
+ {
+ $page = Page::first();
+ $this->asAdmin();
+
+ $badLinks = [
+ 'javascript:alert("bunny")',
+ ' javascript:alert("bunny")',
+ 'JavaScript:alert("bunny")',
+ "\t\n\t\nJavaScript:alert(\"bunny\")",
+ "data:text/html;<a></a>",
+ "Data:text/html;<a></a>",
+ "Data:text/html;<a></a>",
+ ];
+
+ foreach ($badLinks as $badLink) {
+ $linkReq = $this->post('attachments/link', [
+ 'attachment_link_url' => $badLink,
+ 'attachment_link_name' => 'Example Attachment Link',
+ 'attachment_link_uploaded_to' => $page->id,
+ ]);
+ $linkReq->assertStatus(422);
+ $this->assertDatabaseMissing('attachments', [
+ 'path' => $badLink,
+ ]);
+ }
+
+ $attachment = $this->createAttachment($page);
+
+ foreach ($badLinks as $badLink) {
+ $linkReq = $this->put('attachments/' . $attachment->id, [
+ 'attachment_edit_url' => $badLink,
+ 'attachment_edit_name' => 'Example Attachment Link',
+ ]);
+ $linkReq->assertStatus(422);
+ $this->assertDatabaseMissing('attachments', [
+ 'path' => $badLink,
+ ]);
+ }
+ }
}
projects / bookstack / blobdiff