X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/c429cf78187e80deb63982a282a1c6889f30291a..refs/pull/3918/head:/tests/Uploads/AttachmentTest.php diff --git a/tests/Uploads/AttachmentTest.php b/tests/Uploads/AttachmentTest.php index 2248bc2c5..b6fcb8f69 100644 --- a/tests/Uploads/AttachmentTest.php +++ b/tests/Uploads/AttachmentTest.php @@ -17,13 +17,13 @@ class AttachmentTest extends TestCase */ protected function getTestFile(string $fileName): UploadedFile { - return new UploadedFile(base_path('tests/test-data/test-file.txt'), $fileName, 'text/plain', 55, null, true); + return new UploadedFile(base_path('tests/test-data/test-file.txt'), $fileName, 'text/plain', null, true); } /** * Uploads a file with the given name. */ - protected function uploadFile(string $name, int $uploadedTo = 0): \Illuminate\Foundation\Testing\TestResponse + protected function uploadFile(string $name, int $uploadedTo = 0): \Illuminate\Testing\TestResponse { $file = $this->getTestFile($name); @@ -44,6 +44,21 @@ class AttachmentTest extends TestCase return Attachment::query()->latest()->first(); } + /** + * Create a new upload attachment from the given data. + */ + protected function createUploadAttachment(Page $page, string $filename, string $content, string $mimeType): Attachment + { + $file = tmpfile(); + $filePath = stream_get_meta_data($file)['uri']; + file_put_contents($filePath, $content); + $upload = new UploadedFile($filePath, $filename, $mimeType, null, true); + + $this->call('POST', '/attachments/upload', ['uploaded_to' => $page->id], [], ['file' => $upload], []); + + return $page->attachments()->latest()->firstOrFail(); + } + /** * Delete all uploaded files. * To assist with cleanup. @@ -58,14 +73,14 @@ class AttachmentTest extends TestCase public function test_file_upload() { - $page = Page::query()->first(); + $page = $this->entities->page(); $this->asAdmin(); $admin = $this->getAdmin(); $fileName = 'upload_test_file.txt'; $expectedResp = [ 'name' => $fileName, - 'uploaded_to'=> $page->id, + 'uploaded_to' => $page->id, 'extension' => 'txt', 'order' => 1, 'created_by' => $admin->id, @@ -76,9 +91,9 @@ class AttachmentTest extends TestCase $upload->assertStatus(200); $attachment = Attachment::query()->orderBy('id', 'desc')->first(); - $expectedResp['path'] = $attachment->path; - $upload->assertJson($expectedResp); + + $expectedResp['path'] = $attachment->path; $this->assertDatabaseHas('attachments', $expectedResp); $this->deleteUploads(); @@ -86,7 +101,7 @@ class AttachmentTest extends TestCase public function test_file_upload_does_not_use_filename() { - $page = Page::query()->first(); + $page = $this->entities->page(); $fileName = 'upload_test_file.txt'; $upload = $this->asAdmin()->uploadFile($fileName, $page->id); @@ -94,12 +109,13 @@ class AttachmentTest extends TestCase $attachment = Attachment::query()->orderBy('id', 'desc')->first(); $this->assertStringNotContainsString($fileName, $attachment->path); - $this->assertStringEndsWith('.txt', $attachment->path); + $this->assertStringEndsWith('-txt', $attachment->path); + $this->deleteUploads(); } public function test_file_display_and_access() { - $page = Page::query()->first(); + $page = $this->entities->page(); $this->asAdmin(); $fileName = 'upload_test_file.txt'; @@ -112,14 +128,15 @@ class AttachmentTest extends TestCase $pageGet->assertSee($attachment->getUrl()); $attachmentGet = $this->get($attachment->getUrl()); - $attachmentGet->assertSee('Hi, This is a test file for testing the upload process.'); + $content = $attachmentGet->streamedContent(); + $this->assertStringContainsString('Hi, This is a test file for testing the upload process.', $content); $this->deleteUploads(); } public function test_attaching_link_to_page() { - $page = Page::query()->first(); + $page = $this->entities->page(); $admin = $this->getAdmin(); $this->asAdmin(); @@ -156,7 +173,7 @@ class AttachmentTest extends TestCase public function test_attachment_updating() { - $page = Page::query()->first(); + $page = $this->entities->page(); $this->asAdmin(); $attachment = $this->createAttachment($page); @@ -180,7 +197,7 @@ class AttachmentTest extends TestCase public function test_file_deletion() { - $page = Page::query()->first(); + $page = $this->entities->page(); $this->asAdmin(); $fileName = 'deletion_test.txt'; $this->uploadFile($fileName, $page->id); @@ -202,7 +219,7 @@ class AttachmentTest extends TestCase public function test_attachment_deletion_on_page_deletion() { - $page = Page::query()->first(); + $page = $this->entities->page(); $this->asAdmin(); $fileName = 'deletion_test.txt'; $this->uploadFile($fileName, $page->id); @@ -230,17 +247,13 @@ class AttachmentTest extends TestCase { $admin = $this->getAdmin(); $viewer = $this->getViewer(); - $page = Page::query()->first(); /** @var Page $page */ + $page = $this->entities->page(); /** @var Page $page */ $this->actingAs($admin); $fileName = 'permission_test.txt'; $this->uploadFile($fileName, $page->id); $attachment = Attachment::orderBy('id', 'desc')->take(1)->first(); - $page->restricted = true; - $page->permissions()->delete(); - $page->save(); - $page->rebuildPermissions(); - $page->load('jointPermissions'); + $this->entities->setPermissions($page, [], []); $this->actingAs($viewer); $attachmentGet = $this->get($attachment->getUrl()); @@ -252,7 +265,7 @@ class AttachmentTest extends TestCase public function test_data_and_js_links_cannot_be_attached_to_a_page() { - $page = Page::query()->first(); + $page = $this->entities->page(); $this->asAdmin(); $badLinks = [ @@ -293,7 +306,7 @@ class AttachmentTest extends TestCase public function test_file_access_with_open_query_param_provides_inline_response_with_correct_content_type() { - $page = Page::query()->first(); + $page = $this->entities->page(); $this->asAdmin(); $fileName = 'upload_test_file.txt'; @@ -305,7 +318,38 @@ class AttachmentTest extends TestCase // http-foundation/Response does some 'fixing' of responses to add charsets to text responses. $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8'); $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="upload_test_file.txt"'); + $attachmentGet->assertHeader('X-Content-Type-Options', 'nosniff'); + + $this->deleteUploads(); + } + + public function test_html_file_access_with_open_forces_plain_content_type() + { + $page = $this->entities->page(); + $this->asAdmin(); + + $attachment = $this->createUploadAttachment($page, 'test_file.html', '

testing

', 'text/html'); + + $attachmentGet = $this->get($attachment->getUrl(true)); + // http-foundation/Response does some 'fixing' of responses to add charsets to text responses. + $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8'); + $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="test_file.html"'); + + $this->deleteUploads(); + } + + public function test_file_upload_works_when_local_secure_restricted_is_in_use() + { + config()->set('filesystems.attachments', 'local_secure_restricted'); + + $page = $this->entities->page(); + $fileName = 'upload_test_file.txt'; + + $upload = $this->asAdmin()->uploadFile($fileName, $page->id); + $upload->assertStatus(200); + $attachment = Attachment::query()->orderBy('id', 'desc')->where('uploaded_to', '=', $page->id)->first(); + $this->assertFileExists(storage_path($attachment->path)); $this->deleteUploads(); } }