X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/b9a58859a4ef14b7971ca7d07318e1ac6f276b40..refs/pull/3698/head:/tests/Api/AttachmentsApiTest.php diff --git a/tests/Api/AttachmentsApiTest.php b/tests/Api/AttachmentsApiTest.php index ceab5d49a..6077868b2 100644 --- a/tests/Api/AttachmentsApiTest.php +++ b/tests/Api/AttachmentsApiTest.php @@ -5,6 +5,7 @@ namespace Tests\Api; use BookStack\Entities\Models\Page; use BookStack\Uploads\Attachment; use Illuminate\Http\UploadedFile; +use Illuminate\Testing\AssertableJsonString; use Tests\TestCase; class AttachmentsApiTest extends TestCase @@ -102,6 +103,30 @@ class AttachmentsApiTest extends TestCase unlink(storage_path($newItem->path)); } + public function test_upload_limit_restricts_attachment_uploads() + { + $this->actingAsApiAdmin(); + /** @var Page $page */ + $page = Page::query()->first(); + + config()->set('app.upload_limit', 1); + + $file = tmpfile(); + $filePath = stream_get_meta_data($file)['uri']; + fwrite($file, str_repeat('a', 1200000)); + $file = new UploadedFile($filePath, 'test.txt', 'text/plain', null, true); + + $details = [ + 'name' => 'My attachment', + 'uploaded_to' => $page->id, + ]; + $resp = $this->call('POST', $this->baseEndpoint, $details, [], ['file' => $file]); + $resp->assertStatus(422); + $resp->assertJson($this->validationResponse([ + 'file' => ['The file may not be greater than 1000 kilobytes.'], + ])); + } + public function test_name_needed_to_create() { $this->actingAsApiAdmin(); @@ -115,15 +140,7 @@ class AttachmentsApiTest extends TestCase $resp = $this->postJson($this->baseEndpoint, $details); $resp->assertStatus(422); - $resp->assertJson([ - 'error' => [ - 'message' => 'The given data was invalid.', - 'validation' => [ - 'name' => ['The name field is required.'], - ], - 'code' => 422, - ], - ]); + $resp->assertJson($this->validationResponse(['name' => ['The name field is required.']])); } public function test_link_or_file_needed_to_create() 
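Review bot: test_upload_limit_restricts_attachment_uploads asserts only the 422 status and message, so it would still pass if the oversized upload were rejected in the response but an attachment record had already been written. After the `$resp->assertJson(...)` call, add `$this->assertFalse(Attachment::query()->where('name', '=', $details['name'])->exists());`, assuming no seeded attachment already uses that name. The same gap applies to test_message_shown_if_file_is_not_a_valid_file in the `@@ -139,16 +156,27 @@` hunk. The 1,200,000-byte payload is also well past the 1000 kilobyte limit, so a second case just under the limit that expects success would pin the boundary.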
@@ -139,16 +156,27 @@ class AttachmentsApiTest extends TestCase $resp = $this->postJson($this->baseEndpoint, $details); $resp->assertStatus(422); - $resp->assertJson([ - 'error' => [ - 'message' => 'The given data was invalid.', - 'validation' => [ - 'file' => ['The file field is required when link is not present.'], - 'link' => ['The link field is required when file is not present.'], - ], - 'code' => 422, - ], - ]); + $resp->assertJson($this->validationResponse([ + 'file' => ['The file field is required when link is not present.'], + 'link' => ['The link field is required when file is not present.'], + ])); + } + + public function test_message_shown_if_file_is_not_a_valid_file() + { + $this->actingAsApiAdmin(); + /** @var Page $page */ + $page = Page::query()->first(); + + $details = [ + 'name' => 'my attachment', + 'uploaded_to' => $page->id, + 'file' => 'cat', + ]; + + $resp = $this->postJson($this->baseEndpoint, $details); + $resp->assertStatus(422); + $resp->assertJson($this->validationResponse(['file' => ['The file must be provided as a valid file.']])); } public function test_read_endpoint_for_link_attachment() @@ -201,9 +229,11 @@ class AttachmentsApiTest extends TestCase $attachment = Attachment::query()->orderByDesc('id')->where('name', '=', $details['name'])->firstOrFail(); $resp = $this->getJson("{$this->baseEndpoint}/{$attachment->id}"); - $resp->assertStatus(200); - $resp->assertJson([ + $resp->assertHeader('Content-Type', 'application/json'); + + $json = new AssertableJsonString($resp->streamedContent()); + $json->assertSubset([ 'id' => $attachment->id, 'content' => base64_encode(file_get_contents(storage_path($attachment->path))), 'external' => false, 
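Review bot: In the `@@ -201,9 +229,11 @@` hunk the switch from `$resp->assertJson([...])` to `new AssertableJsonString($resp->streamedContent())` has no comment explaining why. Presumably the file-attachment read response is now streamed, so the test must collect the body before parsing it. A line above the `$json = ...` assignment such as `// File attachment reads are streamed; collect the body before asserting on the JSON` would stop a later cleanup from reverting to `assertJson`. The enclosing test method starts and ends outside this hunk, so the remaining assertions on `$json` are not visible here.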
@@ -224,6 +254,29 @@ class AttachmentsApiTest extends TestCase unlink(storage_path($attachment->path)); } + public function test_attachment_not_visible_on_other_users_draft() + { + $this->actingAsApiAdmin(); + $editor = $this->getEditor(); + + /** @var Page $page */ + $page = Page::query()->first(); + $page->draft = true; + $page->owned_by = $editor->id; + $page->save(); + $this->regenEntityPermissions($page); + + $attachment = $this->createAttachmentForPage($page, [ + 'name' => 'my attachment', + 'path' => 'https://example.com', + 'order' => 1, + ]); + + $resp = $this->getJson("{$this->baseEndpoint}/{$attachment->id}"); + + $resp->assertStatus(404); + } + public function test_update_endpoint() { $this->actingAsApiAdmin();
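Review bot: test_attachment_not_visible_on_other_users_draft exercises only the GET-by-id route, so the draft restriction stays unpinned for the update route (test_update_endpoint follows this hunk) and for any delete route on the same endpoint. If those routes resolve the attachment through the same visibility check, which is inferred and not shown in this diff, add `$this->putJson("{$this->baseEndpoint}/{$attachment->id}", ['name' => 'changed'])->assertStatus(404);` and `$this->deleteJson("{$this->baseEndpoint}/{$attachment->id}")->assertStatus(404);` after the existing assertion. A comment such as `// 404 rather than 403, so the draft's attachment is not disclosed to other users` would record why that status is expected.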