BookStack Code Mirror - bookstack/blobdiff - tests/Uploads/AttachmentTest.php

-<?php namespace Tests\Uploads;

+<?php

-use BookStack\Entities\Tools\TrashCan;

+namespace Tests\Uploads;

+

+use BookStack\Entities\Models\Page;

use BookStack\Entities\Repos\PageRepo;

+use BookStack\Entities\Tools\TrashCan;

use BookStack\Uploads\Attachment;

-use BookStack\Entities\Models\Page;

-use BookStack\Auth\Permissions\PermissionService;

-use BookStack\Uploads\AttachmentService;

-use Illuminate\Http\UploadedFile;

use Tests\TestCase;

-use Tests\TestResponse;

class AttachmentTest extends TestCase

{

class AttachmentTest extends TestCase

{

- /**

- * Get a test file that can be uploaded

- */

- protected function getTestFile(string $fileName): UploadedFile

- {

- return new UploadedFile(base_path('tests/test-data/test-file.txt'), $fileName, 'text/plain', 55, null, true);

- }

-

- /**

- * Uploads a file with the given name.

- */

- protected function uploadFile(string $name, int $uploadedTo = 0): \Illuminate\Foundation\Testing\TestResponse

- {

- $file = $this->getTestFile($name);

- return $this->call('POST', '/attachments/upload', ['uploaded_to' => $uploadedTo], [], ['file' => $file], []);

- }

-

- /**

- * Create a new attachment

- */

- protected function createAttachment(Page $page): Attachment

- {

- $this->post('attachments/link', [

- 'attachment_link_url' => 'https://example.com',

- 'attachment_link_name' => 'Example Attachment Link',

- 'attachment_link_uploaded_to' => $page->id,

- ]);

-

- return Attachment::query()->latest()->first();

- }

-

- /**

- * Delete all uploaded files.

- * To assist with cleanup.

- */

- protected function deleteUploads()

- {

- $fileService = $this->app->make(AttachmentService::class);

- foreach (Attachment::all() as $file) {

- $fileService->deleteFile($file);

- }

-

public function test_file_upload()

{

public function test_file_upload()

{

- $page = Page::first();

+ $page = $this->entities->page();

$this->asAdmin();

- $admin = $this->getAdmin();

+ $admin = $this->users->admin();

$fileName = 'upload_test_file.txt';

$expectedResp = [

$fileName = 'upload_test_file.txt';

$expectedResp = [

- 'name' => $fileName,

- 'uploaded_to'=> $page->id,

- 'extension' => 'txt',

- 'order' => 1,

+ 'name' => $fileName,

+ 'uploaded_to' => $page->id,

+ 'extension' => 'txt',

+ 'order' => 1,

'created_by' => $admin->id,

'updated_by' => $admin->id,

];

'created_by' => $admin->id,

'updated_by' => $admin->id,

];

- $upload = $this->uploadFile($fileName, $page->id);

+ $upload = $this->files->uploadAttachmentFile($this, $fileName, $page->id);

$upload->assertStatus(200);

$attachment = Attachment::query()->orderBy('id', 'desc')->first();

$upload->assertStatus(200);

$attachment = Attachment::query()->orderBy('id', 'desc')->first();

- $expectedResp['path'] = $attachment->path;

-

$upload->assertJson($expectedResp);

+

+ $expectedResp['path'] = $attachment->path;

$this->assertDatabaseHas('attachments', $expectedResp);

- $this->deleteUploads();

+ $this->files->deleteAllAttachmentFiles();

}

public function test_file_upload_does_not_use_filename()

{

}

public function test_file_upload_does_not_use_filename()

{

- $page = Page::first();

+ $page = $this->entities->page();

$fileName = 'upload_test_file.txt';

-

- $upload = $this->asAdmin()->uploadFile($fileName, $page->id);

+ $this->asAdmin();

+ $upload = $this->files->uploadAttachmentFile($this, $fileName, $page->id);

$upload->assertStatus(200);

$attachment = Attachment::query()->orderBy('id', 'desc')->first();

$this->assertStringNotContainsString($fileName, $attachment->path);

$upload->assertStatus(200);

$attachment = Attachment::query()->orderBy('id', 'desc')->first();

$this->assertStringNotContainsString($fileName, $attachment->path);

- $this->assertStringEndsWith('.txt', $attachment->path);

+ $this->assertStringEndsWith('-txt', $attachment->path);

+ $this->files->deleteAllAttachmentFiles();

}

public function test_file_display_and_access()

{

}

public function test_file_display_and_access()

{

- $page = Page::first();

+ $page = $this->entities->page();

$this->asAdmin();

$fileName = 'upload_test_file.txt';

$this->asAdmin();

$fileName = 'upload_test_file.txt';

- $upload = $this->uploadFile($fileName, $page->id);

+ $upload = $this->files->uploadAttachmentFile($this, $fileName, $page->id);

$upload->assertStatus(200);

$attachment = Attachment::orderBy('id', 'desc')->take(1)->first();

$upload->assertStatus(200);

$attachment = Attachment::orderBy('id', 'desc')->take(1)->first();

$pageGet->assertSee($attachment->getUrl());

$attachmentGet = $this->get($attachment->getUrl());

$pageGet->assertSee($attachment->getUrl());

$attachmentGet = $this->get($attachment->getUrl());

- $attachmentGet->assertSee('Hi, This is a test file for testing the upload process.');

+ $content = $attachmentGet->streamedContent();

+ $this->assertStringContainsString('Hi, This is a test file for testing the upload process.', $content);

- $this->deleteUploads();

+ $this->files->deleteAllAttachmentFiles();

}

public function test_attaching_link_to_page()

{

}

public function test_attaching_link_to_page()

{

- $page = Page::first();

- $admin = $this->getAdmin();

+ $page = $this->entities->page();

+ $admin = $this->users->admin();

$this->asAdmin();

$linkReq = $this->call('POST', 'attachments/link', [

$this->asAdmin();

$linkReq = $this->call('POST', 'attachments/link', [

- 'attachment_link_url' => 'https://example.com',

- 'attachment_link_name' => 'Example Attachment Link',

+ 'attachment_link_url' => 'https://example.com',

+ 'attachment_link_name' => 'Example Attachment Link',

'attachment_link_uploaded_to' => $page->id,

]);

$expectedData = [

'attachment_link_uploaded_to' => $page->id,

]);

$expectedData = [

- 'path' => 'https://example.com',

- 'name' => 'Example Attachment Link',

+ 'path' => 'https://example.com',

+ 'name' => 'Example Attachment Link',

'uploaded_to' => $page->id,

- 'created_by' => $admin->id,

- 'updated_by' => $admin->id,

- 'external' => true,

- 'order' => 1,

- 'extension' => ''

+ 'created_by' => $admin->id,

+ 'updated_by' => $admin->id,

+ 'external' => true,

+ 'order' => 1,

+ 'extension' => '',

];

$linkReq->assertStatus(200);

];

$linkReq->assertStatus(200);

$attachmentGet = $this->get($attachment->getUrl());

$attachmentGet->assertRedirect('https://example.com');

$attachmentGet = $this->get($attachment->getUrl());

$attachmentGet->assertRedirect('https://example.com');

- $this->deleteUploads();

+ $this->files->deleteAllAttachmentFiles();

+ }

+

+ public function test_attaching_long_links_to_a_page()

+ {

+ $page = $this->entities->page();

+

+ $link = 'https://example.com?query=' . str_repeat('catsIScool', 195);

+ $linkReq = $this->asAdmin()->post('attachments/link', [

+ 'attachment_link_url' => $link,

+ 'attachment_link_name' => 'Example Attachment Link',

+ 'attachment_link_uploaded_to' => $page->id,

+ ]);

+

+ $linkReq->assertStatus(200);

+ $this->assertDatabaseHas('attachments', [

+ 'uploaded_to' => $page->id,

+ 'path' => $link,

+ 'external' => true,

+ ]);

+

+ $attachment = $page->attachments()->where('external', '=', true)->first();

+ $resp = $this->get($attachment->getUrl());

+ $resp->assertRedirect($link);

}

public function test_attachment_updating()

{

}

public function test_attachment_updating()

{

- $page = Page::first();

+ $page = $this->entities->page();

$this->asAdmin();

- $attachment = $this->createAttachment($page);

+ $attachment = Attachment::factory()->create(['uploaded_to' => $page->id]);

$update = $this->call('PUT', 'attachments/' . $attachment->id, [

'attachment_edit_name' => 'My new attachment name',

$update = $this->call('PUT', 'attachments/' . $attachment->id, [

'attachment_edit_name' => 'My new attachment name',

- 'attachment_edit_url' => 'https://test.example.com'

+ 'attachment_edit_url' => 'https://test.example.com',

]);

$expectedData = [

]);

$expectedData = [

- 'id' => $attachment->id,

- 'path' => 'https://test.example.com',

- 'name' => 'My new attachment name',

- 'uploaded_to' => $page->id

+ 'id' => $attachment->id,

+ 'path' => 'https://test.example.com',

+ 'name' => 'My new attachment name',

+ 'uploaded_to' => $page->id,

];

$update->assertStatus(200);

$this->assertDatabaseHas('attachments', $expectedData);

];

$update->assertStatus(200);

$this->assertDatabaseHas('attachments', $expectedData);

- $this->deleteUploads();

+ $this->files->deleteAllAttachmentFiles();

}

public function test_file_deletion()

{

}

public function test_file_deletion()

{

- $page = Page::first();

+ $page = $this->entities->page();

$this->asAdmin();

$fileName = 'deletion_test.txt';

$this->asAdmin();

$fileName = 'deletion_test.txt';

- $this->uploadFile($fileName, $page->id);

+ $this->files->uploadAttachmentFile($this, $fileName, $page->id);

$attachment = Attachment::query()->orderBy('id', 'desc')->first();

$filePath = storage_path($attachment->path);

$attachment = Attachment::query()->orderBy('id', 'desc')->first();

$filePath = storage_path($attachment->path);

$this->delete($attachment->getUrl());

$this->assertDatabaseMissing('attachments', [

$this->delete($attachment->getUrl());

$this->assertDatabaseMissing('attachments', [

- 'name' => $fileName

+ 'name' => $fileName,

]);

$this->assertFalse(file_exists($filePath), 'File at path ' . $filePath . ' was not deleted as expected');

]);

$this->assertFalse(file_exists($filePath), 'File at path ' . $filePath . ' was not deleted as expected');

- $this->deleteUploads();

+ $this->files->deleteAllAttachmentFiles();

}

public function test_attachment_deletion_on_page_deletion()

{

}

public function test_attachment_deletion_on_page_deletion()

{

- $page = Page::first();

+ $page = $this->entities->page();

$this->asAdmin();

$fileName = 'deletion_test.txt';

$this->asAdmin();

$fileName = 'deletion_test.txt';

- $this->uploadFile($fileName, $page->id);

+ $this->files->uploadAttachmentFile($this, $fileName, $page->id);

$attachment = Attachment::query()->orderBy('id', 'desc')->first();

$filePath = storage_path($attachment->path);

$this->assertTrue(file_exists($filePath), 'File at path ' . $filePath . ' does not exist');

$this->assertDatabaseHas('attachments', [

$attachment = Attachment::query()->orderBy('id', 'desc')->first();

$filePath = storage_path($attachment->path);

$this->assertTrue(file_exists($filePath), 'File at path ' . $filePath . ' does not exist');

$this->assertDatabaseHas('attachments', [

- 'name' => $fileName

+ 'name' => $fileName,

]);

app(PageRepo::class)->destroy($page);

app(TrashCan::class)->empty();

$this->assertDatabaseMissing('attachments', [

]);

app(PageRepo::class)->destroy($page);

app(TrashCan::class)->empty();

$this->assertDatabaseMissing('attachments', [

- 'name' => $fileName

+ 'name' => $fileName,

]);

$this->assertFalse(file_exists($filePath), 'File at path ' . $filePath . ' was not deleted as expected');

]);

$this->assertFalse(file_exists($filePath), 'File at path ' . $filePath . ' was not deleted as expected');

- $this->deleteUploads();

+ $this->files->deleteAllAttachmentFiles();

}

public function test_attachment_access_without_permission_shows_404()

{

}

public function test_attachment_access_without_permission_shows_404()

{

- $admin = $this->getAdmin();

- $viewer = $this->getViewer();

- $page = Page::first(); /** @var Page $page */

-

+ $admin = $this->users->admin();

+ $viewer = $this->users->viewer();

+ $page = $this->entities->page(); /** @var Page $page */

$this->actingAs($admin);

$fileName = 'permission_test.txt';

$this->actingAs($admin);

$fileName = 'permission_test.txt';

- $this->uploadFile($fileName, $page->id);

+ $this->files->uploadAttachmentFile($this, $fileName, $page->id);

$attachment = Attachment::orderBy('id', 'desc')->take(1)->first();

- $page->restricted = true;

- $page->permissions()->delete();

- $page->save();

- $page->rebuildPermissions();

- $page->load('jointPermissions');

+ $this->permissions->setEntityPermissions($page, [], []);

$this->actingAs($viewer);

$attachmentGet = $this->get($attachment->getUrl());

$attachmentGet->assertStatus(404);

$this->actingAs($viewer);

$attachmentGet = $this->get($attachment->getUrl());

$attachmentGet->assertStatus(404);

- $attachmentGet->assertSee("Attachment not found");

+ $attachmentGet->assertSee('Attachment not found');

- $this->deleteUploads();

+ $this->files->deleteAllAttachmentFiles();

}

public function test_data_and_js_links_cannot_be_attached_to_a_page()

{

}

public function test_data_and_js_links_cannot_be_attached_to_a_page()

{

- $page = Page::first();

+ $page = $this->entities->page();

$this->asAdmin();

$badLinks = [

$this->asAdmin();

$badLinks = [

' javascript:alert("bunny")',

'JavaScript:alert("bunny")',

"\t\n\t\nJavaScript:alert(\"bunny\")",

' javascript:alert("bunny")',

'JavaScript:alert("bunny")',

"\t\n\t\nJavaScript:alert(\"bunny\")",

- "data:text/html;<a></a>",

- "Data:text/html;<a></a>",

+ 'data:text/html;<a></a>',

+ 'Data:text/html;<a></a>',

];

foreach ($badLinks as $badLink) {

$linkReq = $this->post('attachments/link', [

];

foreach ($badLinks as $badLink) {

$linkReq = $this->post('attachments/link', [

- 'attachment_link_url' => $badLink,

- 'attachment_link_name' => 'Example Attachment Link',

+ 'attachment_link_url' => $badLink,

+ 'attachment_link_name' => 'Example Attachment Link',

'attachment_link_uploaded_to' => $page->id,

]);

$linkReq->assertStatus(422);

'attachment_link_uploaded_to' => $page->id,

]);

$linkReq->assertStatus(422);

]);

}

]);

}

- $attachment = $this->createAttachment($page);

+ $attachment = Attachment::factory()->create(['uploaded_to' => $page->id]);

foreach ($badLinks as $badLink) {

$linkReq = $this->put('attachments/' . $attachment->id, [

foreach ($badLinks as $badLink) {

$linkReq = $this->put('attachments/' . $attachment->id, [

- 'attachment_edit_url' => $badLink,

+ 'attachment_edit_url' => $badLink,

'attachment_edit_name' => 'Example Attachment Link',

]);

$linkReq->assertStatus(422);

'attachment_edit_name' => 'Example Attachment Link',

]);

$linkReq->assertStatus(422);

]);

}

]);

}

+

+ public function test_file_access_with_open_query_param_provides_inline_response_with_correct_content_type()

+ {

+ $page = $this->entities->page();

+ $this->asAdmin();

+ $fileName = 'upload_test_file.txt';

+

+ $upload = $this->files->uploadAttachmentFile($this, $fileName, $page->id);

+ $upload->assertStatus(200);

+ $attachment = Attachment::query()->orderBy('id', 'desc')->take(1)->first();

+

+ $attachmentGet = $this->get($attachment->getUrl(true));

+ // http-foundation/Response does some 'fixing' of responses to add charsets to text responses.

+ $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');

+ $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="upload_test_file.txt"');

+ $attachmentGet->assertHeader('X-Content-Type-Options', 'nosniff');

+

+ $this->files->deleteAllAttachmentFiles();

+ }

+

+ public function test_html_file_access_with_open_forces_plain_content_type()

+ {

+ $page = $this->entities->page();

+ $this->asAdmin();

+

+ $attachment = $this->files->uploadAttachmentDataToPage($this, $page, 'test_file.html', '<html></html><p>testing</p>', 'text/html');

+

+ $attachmentGet = $this->get($attachment->getUrl(true));

+ // http-foundation/Response does some 'fixing' of responses to add charsets to text responses.

+ $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');

+ $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="test_file.html"');

+

+ $this->files->deleteAllAttachmentFiles();

+ }

+

+ public function test_file_upload_works_when_local_secure_restricted_is_in_use()

+ {

+ config()->set('filesystems.attachments', 'local_secure_restricted');

+

+ $page = $this->entities->page();

+ $fileName = 'upload_test_file.txt';

+

+ $this->asAdmin();

+ $upload = $this->files->uploadAttachmentFile($this, $fileName, $page->id);

+ $upload->assertStatus(200);

+

+ $attachment = Attachment::query()->orderBy('id', 'desc')->where('uploaded_to', '=', $page->id)->first();

+ $this->assertFileExists(storage_path($attachment->path));

+ $this->files->deleteAllAttachmentFiles();

+ }

}