Only serve attachments when linked to issue/release and if accessible by user (#9340)
* test: add current attachement responses * refactor: check if attachement is linked and accessible by user * chore: clean TODO * fix: typo attachement -> attachment * revert un-needed go.sum change * refactor: move models logic to models * fix TestCreateIssueAttachment which was wrongly successful * fix unit tests with unittype added * fix unit tests with changes * use a valid uuid format for pgsql int. test * test: add unit test TestLinkedRepository * refactor: allow uploader to access unlinked attachement * add missing blank line * refactor: move to a separate function repo.GetAttachment * typo * test: remove err test return * refactor: use repo perm for access checking generally + 404 for all rejectlunny/display_deleted_branch2
parent
6a5a2f493a
commit
8b24073713
@ -1,88 +0,0 @@
|
|||||||
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a MIT-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package integrations
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"image"
|
|
||||||
"image/png"
|
|
||||||
"io"
|
|
||||||
"mime/multipart"
|
|
||||||
"net/http"
|
|
||||||
"testing"
|
|
||||||
|
|
||||||
"code.gitea.io/gitea/modules/test"
|
|
||||||
"github.com/stretchr/testify/assert"
|
|
||||||
)
|
|
||||||
|
|
||||||
func generateImg() bytes.Buffer {
|
|
||||||
// Generate image
|
|
||||||
myImage := image.NewRGBA(image.Rect(0, 0, 32, 32))
|
|
||||||
var buff bytes.Buffer
|
|
||||||
png.Encode(&buff, myImage)
|
|
||||||
return buff
|
|
||||||
}
|
|
||||||
|
|
||||||
func createAttachment(t *testing.T, session *TestSession, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string {
|
|
||||||
body := &bytes.Buffer{}
|
|
||||||
|
|
||||||
//Setup multi-part
|
|
||||||
writer := multipart.NewWriter(body)
|
|
||||||
part, err := writer.CreateFormFile("file", filename)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
_, err = io.Copy(part, &buff)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
err = writer.Close()
|
|
||||||
assert.NoError(t, err)
|
|
||||||
|
|
||||||
csrf := GetCSRF(t, session, repoURL)
|
|
||||||
|
|
||||||
req := NewRequestWithBody(t, "POST", "/attachments", body)
|
|
||||||
req.Header.Add("X-Csrf-Token", csrf)
|
|
||||||
req.Header.Add("Content-Type", writer.FormDataContentType())
|
|
||||||
resp := session.MakeRequest(t, req, expectedStatus)
|
|
||||||
|
|
||||||
if expectedStatus != http.StatusOK {
|
|
||||||
return ""
|
|
||||||
}
|
|
||||||
var obj map[string]string
|
|
||||||
DecodeJSON(t, resp, &obj)
|
|
||||||
return obj["uuid"]
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestCreateAnonymousAttachment(t *testing.T) {
|
|
||||||
prepareTestEnv(t)
|
|
||||||
session := emptyTestSession(t)
|
|
||||||
createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusFound)
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestCreateIssueAttachement(t *testing.T) {
|
|
||||||
prepareTestEnv(t)
|
|
||||||
const repoURL = "user2/repo1"
|
|
||||||
session := loginUser(t, "user2")
|
|
||||||
uuid := createAttachment(t, session, repoURL, "image.png", generateImg(), http.StatusOK)
|
|
||||||
|
|
||||||
req := NewRequest(t, "GET", repoURL+"/issues/new")
|
|
||||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
|
||||||
htmlDoc := NewHTMLParser(t, resp.Body)
|
|
||||||
|
|
||||||
link, exists := htmlDoc.doc.Find("form").Attr("action")
|
|
||||||
assert.True(t, exists, "The template has changed")
|
|
||||||
|
|
||||||
postData := map[string]string{
|
|
||||||
"_csrf": htmlDoc.GetCSRF(),
|
|
||||||
"title": "New Issue With Attachement",
|
|
||||||
"content": "some content",
|
|
||||||
"files[0]": uuid,
|
|
||||||
}
|
|
||||||
|
|
||||||
req = NewRequestWithValues(t, "POST", link, postData)
|
|
||||||
resp = session.MakeRequest(t, req, http.StatusFound)
|
|
||||||
test.RedirectURL(resp) // check that redirect URL exists
|
|
||||||
|
|
||||||
//Validate that attachement is available
|
|
||||||
req = NewRequest(t, "GET", "/attachments/"+uuid)
|
|
||||||
session.MakeRequest(t, req, http.StatusOK)
|
|
||||||
}
|
|
@ -0,0 +1,137 @@
|
|||||||
|
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a MIT-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package integrations
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"image"
|
||||||
|
"image/png"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
"mime/multipart"
|
||||||
|
"net/http"
|
||||||
|
"os"
|
||||||
|
"path"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"code.gitea.io/gitea/models"
|
||||||
|
"code.gitea.io/gitea/modules/test"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
func generateImg() bytes.Buffer {
|
||||||
|
// Generate image
|
||||||
|
myImage := image.NewRGBA(image.Rect(0, 0, 32, 32))
|
||||||
|
var buff bytes.Buffer
|
||||||
|
png.Encode(&buff, myImage)
|
||||||
|
return buff
|
||||||
|
}
|
||||||
|
|
||||||
|
func createAttachment(t *testing.T, session *TestSession, repoURL, filename string, buff bytes.Buffer, expectedStatus int) string {
|
||||||
|
body := &bytes.Buffer{}
|
||||||
|
|
||||||
|
//Setup multi-part
|
||||||
|
writer := multipart.NewWriter(body)
|
||||||
|
part, err := writer.CreateFormFile("file", filename)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
_, err = io.Copy(part, &buff)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
err = writer.Close()
|
||||||
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
csrf := GetCSRF(t, session, repoURL)
|
||||||
|
|
||||||
|
req := NewRequestWithBody(t, "POST", "/attachments", body)
|
||||||
|
req.Header.Add("X-Csrf-Token", csrf)
|
||||||
|
req.Header.Add("Content-Type", writer.FormDataContentType())
|
||||||
|
resp := session.MakeRequest(t, req, expectedStatus)
|
||||||
|
|
||||||
|
if expectedStatus != http.StatusOK {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
var obj map[string]string
|
||||||
|
DecodeJSON(t, resp, &obj)
|
||||||
|
return obj["uuid"]
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestCreateAnonymousAttachment(t *testing.T) {
|
||||||
|
prepareTestEnv(t)
|
||||||
|
session := emptyTestSession(t)
|
||||||
|
createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusFound)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestCreateIssueAttachment(t *testing.T) {
|
||||||
|
prepareTestEnv(t)
|
||||||
|
const repoURL = "user2/repo1"
|
||||||
|
session := loginUser(t, "user2")
|
||||||
|
uuid := createAttachment(t, session, repoURL, "image.png", generateImg(), http.StatusOK)
|
||||||
|
|
||||||
|
req := NewRequest(t, "GET", repoURL+"/issues/new")
|
||||||
|
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||||
|
htmlDoc := NewHTMLParser(t, resp.Body)
|
||||||
|
|
||||||
|
link, exists := htmlDoc.doc.Find("form").Attr("action")
|
||||||
|
assert.True(t, exists, "The template has changed")
|
||||||
|
|
||||||
|
postData := map[string]string{
|
||||||
|
"_csrf": htmlDoc.GetCSRF(),
|
||||||
|
"title": "New Issue With Attachment",
|
||||||
|
"content": "some content",
|
||||||
|
"files": uuid,
|
||||||
|
}
|
||||||
|
|
||||||
|
req = NewRequestWithValues(t, "POST", link, postData)
|
||||||
|
resp = session.MakeRequest(t, req, http.StatusFound)
|
||||||
|
test.RedirectURL(resp) // check that redirect URL exists
|
||||||
|
|
||||||
|
//Validate that attachment is available
|
||||||
|
req = NewRequest(t, "GET", "/attachments/"+uuid)
|
||||||
|
session.MakeRequest(t, req, http.StatusOK)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestGetAttachment(t *testing.T) {
|
||||||
|
prepareTestEnv(t)
|
||||||
|
adminSession := loginUser(t, "user1")
|
||||||
|
user2Session := loginUser(t, "user2")
|
||||||
|
user8Session := loginUser(t, "user8")
|
||||||
|
emptySession := emptyTestSession(t)
|
||||||
|
testCases := []struct {
|
||||||
|
name string
|
||||||
|
uuid string
|
||||||
|
createFile bool
|
||||||
|
session *TestSession
|
||||||
|
want int
|
||||||
|
}{
|
||||||
|
{"LinkedIssueUUID", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11", true, user2Session, http.StatusOK},
|
||||||
|
{"LinkedCommentUUID", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a17", true, user2Session, http.StatusOK},
|
||||||
|
{"linked_release_uuid", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a19", true, user2Session, http.StatusOK},
|
||||||
|
{"NotExistingUUID", "b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18", false, user2Session, http.StatusNotFound},
|
||||||
|
{"FileMissing", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a18", false, user2Session, http.StatusInternalServerError},
|
||||||
|
{"NotLinked", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20", true, user2Session, http.StatusNotFound},
|
||||||
|
{"NotLinkedAccessibleByUploader", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a20", true, user8Session, http.StatusOK},
|
||||||
|
{"PublicByNonLogged", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11", true, emptySession, http.StatusOK},
|
||||||
|
{"PrivateByNonLogged", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, emptySession, http.StatusNotFound},
|
||||||
|
{"PrivateAccessibleByAdmin", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, adminSession, http.StatusOK},
|
||||||
|
{"PrivateAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, user2Session, http.StatusOK},
|
||||||
|
{"RepoNotAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12", true, user8Session, http.StatusNotFound},
|
||||||
|
{"OrgNotAccessibleByUser", "a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a21", true, user8Session, http.StatusNotFound},
|
||||||
|
}
|
||||||
|
for _, tc := range testCases {
|
||||||
|
t.Run(tc.name, func(t *testing.T) {
|
||||||
|
//Write empty file to be available for response
|
||||||
|
if tc.createFile {
|
||||||
|
localPath := models.AttachmentLocalPath(tc.uuid)
|
||||||
|
err := os.MkdirAll(path.Dir(localPath), os.ModePerm)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
err = ioutil.WriteFile(localPath, []byte("hello world"), 0644)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
}
|
||||||
|
//Actual test
|
||||||
|
req := NewRequest(t, "GET", "/attachments/"+tc.uuid)
|
||||||
|
tc.session.MakeRequest(t, req, tc.want)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in new issue