Uploaded files in published webs should be accessible
File retrieval (but not file uploads) should be allowed on a published web (this includes BlahTeX/PNG support). (Reported by Ari Stern).
This commit is contained in:
parent
591c60de09
commit
155dc88891
4 changed files with 101 additions and 5 deletions
|
@ -15,6 +15,7 @@ Bugs Fixed:
|
|||
* Add a flash message for redirection to "new" page
|
||||
when the target of "show" action is not found.
|
||||
* Flash[:info] messages use Web's colour scheme.
|
||||
* Uploaded files in published webs should be accessible
|
||||
|
||||
------------------------------------------------------------------------------
|
||||
* 0.16.6
|
||||
|
|
|
@ -222,15 +222,14 @@ class ApplicationController < ActionController::Base
|
|||
end
|
||||
|
||||
def authorization_needed?
|
||||
not %w( login authenticate feeds published atom_with_headlines atom_with_content).include?(action_name)
|
||||
not %w(login authenticate feeds published atom_with_headlines atom_with_content s5 file blahtex_png).include?(action_name)
|
||||
end
|
||||
|
||||
def authorized?
|
||||
@web.nil? or
|
||||
@web.password.nil? or
|
||||
cookies[CGI.escape(@web_name)] == @web.password or
|
||||
password_check(params['password']) or
|
||||
(@web.published? and action_name == 's5')
|
||||
password_check(params['password'])
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -28,7 +28,7 @@ class FileController < ApplicationController
|
|||
# no form supplied, this is a request to download the file
|
||||
file = @web.files_path + '/' + @file_name
|
||||
if File.exists?(file)
|
||||
send_file(file)
|
||||
send_file(file) if check_authorized
|
||||
else
|
||||
return unless check_allow_uploads
|
||||
@file = WikiFile.new(:file_name => @file_name)
|
||||
|
@ -86,10 +86,20 @@ class FileController < ApplicationController
|
|||
end
|
||||
|
||||
protected
|
||||
|
||||
def check_authorized
|
||||
if authorized? or @web.published?
|
||||
return true
|
||||
else
|
||||
@hide_navigation = true
|
||||
render(:status => 403, :text => 'This web is private', :layout => true)
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
def check_allow_uploads
|
||||
render(:status => 404, :text => "Web #{params['web'].inspect} not found", :layout => 'error') and return false unless @web
|
||||
if @web.allow_uploads?
|
||||
if @web.allow_uploads? and authorized?
|
||||
return true
|
||||
else
|
||||
@hide_navigation = true
|
||||
|
|
|
@ -80,7 +80,32 @@ class FileControllerTest < ActionController::TestCase
|
|||
assert_equal pic, r.body
|
||||
assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
|
||||
end
|
||||
|
||||
def test_pic_download_gif_published_web
|
||||
@web.update_attribute(:published, true)
|
||||
@web.update_attribute(:password, 'pswd')
|
||||
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
|
||||
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
|
||||
|
||||
r = get :file, :web => 'wiki1', :id => 'rails.gif'
|
||||
|
||||
assert_response(:success, bypass_body_parsing = true)
|
||||
assert_equal 'image/gif', r.headers['Content-Type']
|
||||
assert_equal pic.size, r.body.size
|
||||
assert_equal pic, r.body
|
||||
assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
|
||||
end
|
||||
|
||||
def test_pic_download_gif_unpublished_web
|
||||
@web.update_attribute(:published, false)
|
||||
@web.update_attribute(:password, 'pswd')
|
||||
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
|
||||
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
|
||||
r = get :file, :web => 'wiki1', :id => 'rails.gif'
|
||||
|
||||
assert_response(:forbidden)
|
||||
end
|
||||
|
||||
def test_pic_x_sendfile
|
||||
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
|
||||
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
|
||||
|
@ -94,6 +119,33 @@ class FileControllerTest < ActionController::TestCase
|
|||
assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
|
||||
end
|
||||
|
||||
def test_pic_x_sendfile_published_web
|
||||
@web.update_attribute(:published, true)
|
||||
@web.update_attribute(:password, 'pswd')
|
||||
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
|
||||
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
|
||||
@request.env.update({ 'HTTP_X_SENDFILE_TYPE' => 'foo' })
|
||||
@request.remote_addr = '127.0.0.1'
|
||||
r = get :file, :web => 'wiki1', :id => 'rails.gif'
|
||||
|
||||
assert_response(:success, bypass_body_parsing = true)
|
||||
assert_match '/rails.gif', r.headers['X-Sendfile']
|
||||
assert_equal 'image/gif', r.headers['Content-Type']
|
||||
assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
|
||||
end
|
||||
|
||||
def test_pic_x_sendfile_unpublished_web
|
||||
@web.update_attribute(:published, false)
|
||||
@web.update_attribute(:password, 'pswd')
|
||||
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
|
||||
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
|
||||
@request.env.update({ 'HTTP_X_SENDFILE_TYPE' => 'foo' })
|
||||
@request.remote_addr = '127.0.0.1'
|
||||
r = get :file, :web => 'wiki1', :id => 'rails.gif'
|
||||
|
||||
assert_response(:forbidden)
|
||||
end
|
||||
|
||||
def test_pic_x_sendfile_type_nonlocal
|
||||
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
|
||||
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
|
||||
|
@ -114,6 +166,40 @@ class FileControllerTest < ActionController::TestCase
|
|||
assert_template 'file/file'
|
||||
end
|
||||
|
||||
def test_pic_upload_published_web
|
||||
@web.update_attribute(:published, true)
|
||||
@web.update_attribute(:password, 'pswd')
|
||||
@web.update_attribute(:allow_uploads, true)
|
||||
# edit and re-render a page so that it has an "unknown file" link to 'rails-e2e.gif'
|
||||
PageRenderer.setup_url_generator(StubUrlGenerator.new)
|
||||
renderer = PageRenderer.new
|
||||
@wiki.revise_page('wiki1', 'Oak', 'Oak', '[[rails-e2e.gif:pic]]',
|
||||
Time.now, 'AnonymousBrave', renderer)
|
||||
assert_equal "<p><span class='newWikiWord'>rails-e2e.gif</span></p>",
|
||||
renderer.display_published
|
||||
|
||||
# rails-e2e.gif is unknown to the system, so pic action goes to the file [upload] form
|
||||
r = get :file, :web => 'wiki1', :id => 'rails-e2e.gif'
|
||||
assert_response(:forbidden)
|
||||
end
|
||||
|
||||
def test_pic_upload_unpublished_web
|
||||
@web.update_attribute(:published, false)
|
||||
@web.update_attribute(:password, 'pswd')
|
||||
@web.update_attribute(:allow_uploads, true)
|
||||
# edit and re-render a page so that it has an "unknown file" link to 'rails-e2e.gif'
|
||||
PageRenderer.setup_url_generator(StubUrlGenerator.new)
|
||||
renderer = PageRenderer.new
|
||||
@wiki.revise_page('wiki1', 'Oak', 'Oak', '[[rails-e2e.gif:pic]]',
|
||||
Time.now, 'AnonymousBrave', renderer)
|
||||
assert_equal "<p><span class='newWikiWord'>rails-e2e.gif</span></p>",
|
||||
renderer.display_published
|
||||
|
||||
# rails-e2e.gif is unknown to the system, so pic action goes to the file [upload] form
|
||||
r = get :file, :web => 'wiki1', :id => 'rails-e2e.gif'
|
||||
assert_response(:forbidden)
|
||||
end
|
||||
|
||||
def test_pic_upload_end_to_end
|
||||
# edit and re-render a page so that it has an "unknown file" link to 'rails-e2e.gif'
|
||||
PageRenderer.setup_url_generator(StubUrlGenerator.new)
|
||||
|
|
Loading…
Reference in a new issue