]> BookStack Code Mirror - bookstack/blob - tests/Uploads/AttachmentTest.php
projects / bookstack / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Started work on details/summary blocks
[bookstack] / tests / Uploads / AttachmentTest.php
1 <?php
2
3 namespace Tests\Uploads;
4
5 use BookStack\Entities\Models\Page;
6 use BookStack\Entities\Repos\PageRepo;
7 use BookStack\Entities\Tools\TrashCan;
8 use BookStack\Uploads\Attachment;
9 use BookStack\Uploads\AttachmentService;
10 use Illuminate\Http\UploadedFile;
11 use Tests\TestCase;
12
13 class AttachmentTest extends TestCase
14 {
15     /**
16      * Get a test file that can be uploaded.
17      */
18     protected function getTestFile(string $fileName): UploadedFile
19     {
20         return new UploadedFile(base_path('tests/test-data/test-file.txt'), $fileName, 'text/plain', null, true);
21     }
22
23     /**
24      * Uploads a file with the given name.
25      */
26     protected function uploadFile(string $name, int $uploadedTo = 0): \Illuminate\Testing\TestResponse
27     {
28         $file = $this->getTestFile($name);
29
30         return $this->call('POST', '/attachments/upload', ['uploaded_to' => $uploadedTo], [], ['file' => $file], []);
31     }
32
33     /**
34      * Create a new attachment.
35      */
36     protected function createAttachment(Page $page): Attachment
37     {
38         $this->post('attachments/link', [
39             'attachment_link_url'         => 'https://example.com',
40             'attachment_link_name'        => 'Example Attachment Link',
41             'attachment_link_uploaded_to' => $page->id,
42         ]);
43
44         return Attachment::query()->latest()->first();
45     }
46
47     /**
48      * Create a new upload attachment from the given data.
49      */
50     protected function createUploadAttachment(Page $page, string $filename, string $content, string $mimeType): Attachment
51     {
52         $file = tmpfile();
53         $filePath = stream_get_meta_data($file)['uri'];
54         file_put_contents($filePath, $content);
55         $upload = new UploadedFile($filePath, $filename, $mimeType, null, true);
56
57         $this->call('POST', '/attachments/upload', ['uploaded_to' => $page->id], [], ['file' => $upload], []);
58
59         return $page->attachments()->latest()->firstOrFail();
60     }
61
62     /**
63      * Delete all uploaded files.
64      * To assist with cleanup.
65      */
66     protected function deleteUploads()
67     {
68         $fileService = $this->app->make(AttachmentService::class);
69         foreach (Attachment::all() as $file) {
70             $fileService->deleteFile($file);
71         }
72     }
73
74     public function test_file_upload()
75     {
76         $page = Page::query()->first();
77         $this->asAdmin();
78         $admin = $this->getAdmin();
79         $fileName = 'upload_test_file.txt';
80
81         $expectedResp = [
82             'name'       => $fileName,
83             'uploaded_to'=> $page->id,
84             'extension'  => 'txt',
85             'order'      => 1,
86             'created_by' => $admin->id,
87             'updated_by' => $admin->id,
88         ];
89
90         $upload = $this->uploadFile($fileName, $page->id);
91         $upload->assertStatus(200);
92
93         $attachment = Attachment::query()->orderBy('id', 'desc')->first();
94         $upload->assertJson($expectedResp);
95
96         $expectedResp['path'] = $attachment->path;
97         $this->assertDatabaseHas('attachments', $expectedResp);
98
99         $this->deleteUploads();
100     }
101
102     public function test_file_upload_does_not_use_filename()
103     {
104         $page = Page::query()->first();
105         $fileName = 'upload_test_file.txt';
106
107         $upload = $this->asAdmin()->uploadFile($fileName, $page->id);
108         $upload->assertStatus(200);
109
110         $attachment = Attachment::query()->orderBy('id', 'desc')->first();
111         $this->assertStringNotContainsString($fileName, $attachment->path);
112         $this->assertStringEndsWith('-txt', $attachment->path);
113         $this->deleteUploads();
114     }
115
116     public function test_file_display_and_access()
117     {
118         $page = Page::query()->first();
119         $this->asAdmin();
120         $fileName = 'upload_test_file.txt';
121
122         $upload = $this->uploadFile($fileName, $page->id);
123         $upload->assertStatus(200);
124         $attachment = Attachment::orderBy('id', 'desc')->take(1)->first();
125
126         $pageGet = $this->get($page->getUrl());
127         $pageGet->assertSeeText($fileName);
128         $pageGet->assertSee($attachment->getUrl());
129
130         $attachmentGet = $this->get($attachment->getUrl());
131         $attachmentGet->assertSee('Hi, This is a test file for testing the upload process.');
132
133         $this->deleteUploads();
134     }
135
136     public function test_attaching_link_to_page()
137     {
138         $page = Page::query()->first();
139         $admin = $this->getAdmin();
140         $this->asAdmin();
141
142         $linkReq = $this->call('POST', 'attachments/link', [
143             'attachment_link_url'         => 'https://example.com',
144             'attachment_link_name'        => 'Example Attachment Link',
145             'attachment_link_uploaded_to' => $page->id,
146         ]);
147
148         $expectedData = [
149             'path'        => 'https://example.com',
150             'name'        => 'Example Attachment Link',
151             'uploaded_to' => $page->id,
152             'created_by'  => $admin->id,
153             'updated_by'  => $admin->id,
154             'external'    => true,
155             'order'       => 1,
156             'extension'   => '',
157         ];
158
159         $linkReq->assertStatus(200);
160         $this->assertDatabaseHas('attachments', $expectedData);
161         $attachment = Attachment::orderBy('id', 'desc')->take(1)->first();
162
163         $pageGet = $this->get($page->getUrl());
164         $pageGet->assertSeeText('Example Attachment Link');
165         $pageGet->assertSee($attachment->getUrl());
166
167         $attachmentGet = $this->get($attachment->getUrl());
168         $attachmentGet->assertRedirect('https://example.com');
169
170         $this->deleteUploads();
171     }
172
173     public function test_attachment_updating()
174     {
175         $page = Page::query()->first();
176         $this->asAdmin();
177
178         $attachment = $this->createAttachment($page);
179         $update = $this->call('PUT', 'attachments/' . $attachment->id, [
180             'attachment_edit_name' => 'My new attachment name',
181             'attachment_edit_url'  => 'https://test.example.com',
182         ]);
183
184         $expectedData = [
185             'id'          => $attachment->id,
186             'path'        => 'https://test.example.com',
187             'name'        => 'My new attachment name',
188             'uploaded_to' => $page->id,
189         ];
190
191         $update->assertStatus(200);
192         $this->assertDatabaseHas('attachments', $expectedData);
193
194         $this->deleteUploads();
195     }
196
197     public function test_file_deletion()
198     {
199         $page = Page::query()->first();
200         $this->asAdmin();
201         $fileName = 'deletion_test.txt';
202         $this->uploadFile($fileName, $page->id);
203
204         $attachment = Attachment::query()->orderBy('id', 'desc')->first();
205         $filePath = storage_path($attachment->path);
206         $this->assertTrue(file_exists($filePath), 'File at path ' . $filePath . ' does not exist');
207
208         $attachment = Attachment::first();
209         $this->delete($attachment->getUrl());
210
211         $this->assertDatabaseMissing('attachments', [
212             'name' => $fileName,
213         ]);
214         $this->assertFalse(file_exists($filePath), 'File at path ' . $filePath . ' was not deleted as expected');
215
216         $this->deleteUploads();
217     }
218
219     public function test_attachment_deletion_on_page_deletion()
220     {
221         $page = Page::query()->first();
222         $this->asAdmin();
223         $fileName = 'deletion_test.txt';
224         $this->uploadFile($fileName, $page->id);
225
226         $attachment = Attachment::query()->orderBy('id', 'desc')->first();
227         $filePath = storage_path($attachment->path);
228
229         $this->assertTrue(file_exists($filePath), 'File at path ' . $filePath . ' does not exist');
230         $this->assertDatabaseHas('attachments', [
231             'name' => $fileName,
232         ]);
233
234         app(PageRepo::class)->destroy($page);
235         app(TrashCan::class)->empty();
236
237         $this->assertDatabaseMissing('attachments', [
238             'name' => $fileName,
239         ]);
240         $this->assertFalse(file_exists($filePath), 'File at path ' . $filePath . ' was not deleted as expected');
241
242         $this->deleteUploads();
243     }
244
245     public function test_attachment_access_without_permission_shows_404()
246     {
247         $admin = $this->getAdmin();
248         $viewer = $this->getViewer();
249         $page = Page::query()->first(); /** @var Page $page */
250         $this->actingAs($admin);
251         $fileName = 'permission_test.txt';
252         $this->uploadFile($fileName, $page->id);
253         $attachment = Attachment::orderBy('id', 'desc')->take(1)->first();
254
255         $page->restricted = true;
256         $page->permissions()->delete();
257         $page->save();
258         $page->rebuildPermissions();
259         $page->load('jointPermissions');
260
261         $this->actingAs($viewer);
262         $attachmentGet = $this->get($attachment->getUrl());
263         $attachmentGet->assertStatus(404);
264         $attachmentGet->assertSee('Attachment not found');
265
266         $this->deleteUploads();
267     }
268
269     public function test_data_and_js_links_cannot_be_attached_to_a_page()
270     {
271         $page = Page::query()->first();
272         $this->asAdmin();
273
274         $badLinks = [
275             'javascript:alert("bunny")',
276             ' javascript:alert("bunny")',
277             'JavaScript:alert("bunny")',
278             "\t\n\t\nJavaScript:alert(\"bunny\")",
279             'data:text/html;<a></a>',
280             'Data:text/html;<a></a>',
281             'Data:text/html;<a></a>',
282         ];
283
284         foreach ($badLinks as $badLink) {
285             $linkReq = $this->post('attachments/link', [
286                 'attachment_link_url'         => $badLink,
287                 'attachment_link_name'        => 'Example Attachment Link',
288                 'attachment_link_uploaded_to' => $page->id,
289             ]);
290             $linkReq->assertStatus(422);
291             $this->assertDatabaseMissing('attachments', [
292                 'path' => $badLink,
293             ]);
294         }
295
296         $attachment = $this->createAttachment($page);
297
298         foreach ($badLinks as $badLink) {
299             $linkReq = $this->put('attachments/' . $attachment->id, [
300                 'attachment_edit_url'  => $badLink,
301                 'attachment_edit_name' => 'Example Attachment Link',
302             ]);
303             $linkReq->assertStatus(422);
304             $this->assertDatabaseMissing('attachments', [
305                 'path' => $badLink,
306             ]);
307         }
308     }
309
310     public function test_file_access_with_open_query_param_provides_inline_response_with_correct_content_type()
311     {
312         $page = Page::query()->first();
313         $this->asAdmin();
314         $fileName = 'upload_test_file.txt';
315
316         $upload = $this->uploadFile($fileName, $page->id);
317         $upload->assertStatus(200);
318         $attachment = Attachment::query()->orderBy('id', 'desc')->take(1)->first();
319
320         $attachmentGet = $this->get($attachment->getUrl(true));
321         // http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
322         $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
323         $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="upload_test_file.txt"');
324         $attachmentGet->assertHeader('X-Content-Type-Options', 'nosniff');
325
326         $this->deleteUploads();
327     }
328
329     public function test_html_file_access_with_open_forces_plain_content_type()
330     {
331         $page = Page::query()->first();
332         $this->asAdmin();
333
334         $attachment = $this->createUploadAttachment($page, 'test_file.html', '<html></html><p>testing</p>', 'text/html');
335
336         $attachmentGet = $this->get($attachment->getUrl(true));
337         // http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
338         $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
339         $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="test_file.html"');
340
341         $this->deleteUploads();
342     }
343 }
The core source code for the BookStack project.