public function test_image_upload()
{
- $page = Page::query()->first();
+ $page = $this->entities->page();
$admin = $this->getAdmin();
$this->actingAs($admin);
public function test_image_display_thumbnail_generation_does_not_increase_image_size()
{
- $page = Page::query()->first();
+ $page = $this->entities->page();
$admin = $this->getAdmin();
$this->actingAs($admin);
public function test_image_display_thumbnail_generation_for_apng_images_uses_original_file()
{
- $page = Page::query()->first();
+ $page = $this->entities->page();
$admin = $this->getAdmin();
$this->actingAs($admin);
public function test_image_usage()
{
- $page = Page::query()->first();
+ $page = $this->entities->page();
$editor = $this->getEditor();
$this->actingAs($editor);
public function test_php_files_cannot_be_uploaded()
{
- $page = Page::query()->first();
+ $page = $this->entities->page();
$admin = $this->getAdmin();
$this->actingAs($admin);
public function test_php_like_files_cannot_be_uploaded()
{
- $page = Page::query()->first();
+ $page = $this->entities->page();
$admin = $this->getAdmin();
$this->actingAs($admin);
public function test_files_with_double_extensions_will_get_sanitized()
{
- $page = Page::query()->first();
+ $page = $this->entities->page();
$admin = $this->getAdmin();
$this->actingAs($admin);
];
foreach ($badNames as $name) {
$galleryFile = $this->getTestImage($name);
- $page = Page::query()->first();
+ $page = $this->entities->page();
$badPath = $this->getTestImagePath('gallery', $name);
$this->deleteImage($badPath);
config()->set('filesystems.images', 'local_secure');
$this->asEditor();
$galleryFile = $this->getTestImage('my-secure-test-upload.png');
- $page = Page::query()->first();
+ $page = $this->entities->page();
$expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-test-upload.png');
$upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
config()->set('filesystems.images', 'local_secure');
$this->asEditor();
$galleryFile = $this->getTestImage('my-secure-test-upload.png');
- $page = Page::query()->first();
+ $page = $this->entities->page();
$expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-test-upload.png');
$upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
}
}
+ public function test_secure_restricted_images_inaccessible_without_relation_permission()
+ {
+ config()->set('filesystems.images', 'local_secure_restricted');
+ $this->asEditor();
+ $galleryFile = $this->getTestImage('my-secure-restricted-test-upload.png');
+ $page = $this->entities->page();
+
+ $upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
+ $upload->assertStatus(200);
+ $expectedUrl = url('uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-test-upload.png');
+ $expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-test-upload.png');
+
+ $this->get($expectedUrl)->assertOk();
+
+ $this->entities->setPermissions($page, [], []);
+
+ $resp = $this->get($expectedUrl);
+ $resp->assertNotFound();
+
+ if (file_exists($expectedPath)) {
+ unlink($expectedPath);
+ }
+ }
+
+ public function test_thumbnail_path_handled_by_secure_restricted_images()
+ {
+ config()->set('filesystems.images', 'local_secure_restricted');
+ $this->asEditor();
+ $galleryFile = $this->getTestImage('my-secure-restricted-thumb-test-test.png');
+ $page = $this->entities->page();
+
+ $upload = $this->call('POST', '/images/gallery', ['uploaded_to' => $page->id], [], ['file' => $galleryFile], []);
+ $upload->assertStatus(200);
+ $expectedUrl = url('uploads/images/gallery/' . date('Y-m') . '/thumbs-150-150/my-secure-restricted-thumb-test-test.png');
+ $expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-thumb-test-test.png');
+
+ $this->get($expectedUrl)->assertOk();
+
+ $this->entities->setPermissions($page, [], []);
+
+ $resp = $this->get($expectedUrl);
+ $resp->assertNotFound();
+
+ if (file_exists($expectedPath)) {
+ unlink($expectedPath);
+ }
+ }
+
+ public function test_secure_restricted_image_access_controlled_in_exports()
+ {
+ config()->set('filesystems.images', 'local_secure_restricted');
+ $this->asEditor();
+ $galleryFile = $this->getTestImage('my-secure-restricted-export-test.png');
+
+ /** @var Page $pageA */
+ /** @var Page $pageB */
+ $pageA = Page::query()->first();
+ $pageB = Page::query()->where('id', '!=', $pageA->id)->first();
+ $expectedPath = storage_path('uploads/images/gallery/' . date('Y-m') . '/my-secure-restricted-export-test.png');
+
+ $upload = $this->asEditor()->call('POST', '/images/gallery', ['uploaded_to' => $pageA->id], [], ['file' => $galleryFile], []);
+ $upload->assertOk();
+
+ $imageUrl = json_decode($upload->getContent(), true)['url'];
+ $pageB->html .= "<img src=\"{$imageUrl}\">";
+ $pageB->save();
+
+ $encodedImageContent = base64_encode(file_get_contents($expectedPath));
+ $export = $this->get($pageB->getUrl('/export/html'));
+ $this->assertStringContainsString($encodedImageContent, $export->getContent());
+
+ $this->entities->setPermissions($pageA, [], []);
+
+ $export = $this->get($pageB->getUrl('/export/html'));
+ $this->assertStringNotContainsString($encodedImageContent, $export->getContent());
+
+ if (file_exists($expectedPath)) {
+ unlink($expectedPath);
+ }
+ }
+
public function test_image_delete()
{
- $page = Page::query()->first();
+ $page = $this->entities->page();
$this->asAdmin();
$imageName = 'first-image.png';
$relPath = $this->getTestImagePath('gallery', $imageName);
public function test_image_delete_does_not_delete_similar_images()
{
- $page = Page::query()->first();
+ $page = $this->entities->page();
$this->asAdmin();
$imageName = 'first-image.png';
$this->assertFalse(file_exists(public_path($relPath)), 'Uploaded image has not been deleted as expected');
}
+ public function test_image_manager_delete_button_only_shows_with_permission()
+ {
+ $page = $this->entities->page();
+ $this->asAdmin();
+ $imageName = 'first-image.png';
+ $relPath = $this->getTestImagePath('gallery', $imageName);
+ $this->deleteImage($relPath);
+ $viewer = $this->getViewer();
+
+ $this->uploadImage($imageName, $page->id);
+ $image = Image::first();
+
+ $resp = $this->get("/images/edit/{$image->id}");
+ $this->withHtml($resp)->assertElementExists('button#image-manager-delete[title="Delete"]');
+
+ $resp = $this->actingAs($viewer)->get("/images/edit/{$image->id}");
+ $this->withHtml($resp)->assertElementNotExists('button#image-manager-delete[title="Delete"]');
+
+ $this->giveUserPermissions($viewer, ['image-delete-all']);
+
+ $resp = $this->actingAs($viewer)->get("/images/edit/{$image->id}");
+ $this->withHtml($resp)->assertElementExists('button#image-manager-delete[title="Delete"]');
+
+ $this->deleteImage($relPath);
+ }
+
protected function getTestProfileImage()
{
$imageName = 'profile.png';
public function test_deleted_unused_images()
{
- $page = Page::query()->first();
+ $page = $this->entities->page();
$admin = $this->getAdmin();
$this->actingAs($admin);
projects / bookstack / blobdiff