Uploaded files in published webs should be accessible

File retrieval (but not file uploads) should be allowed on
a published web (this includes BlahTeX/PNG support).
(Reported by Ari Stern).

CHANGELOG

@@ -15,6 +15,7 @@ Bugs Fixed:
 * Add a flash message for redirection to "new" page
   when the target of "show" action is not found.
 * Flash[:info] messages use Web's colour scheme.
+* Uploaded files in published webs should be accessible
 
 ------------------------------------------------------------------------------
 * 0.16.6

app/controllers/application_controller.rb

@@ -222,15 +222,14 @@ class ApplicationController < ActionController::Base
   end
   
   def authorization_needed?
-    not %w( login authenticate feeds published atom_with_headlines atom_with_content).include?(action_name)
+    not %w(login authenticate feeds published atom_with_headlines atom_with_content s5 file blahtex_png).include?(action_name)
   end
 
   def authorized?
     @web.nil? or
     @web.password.nil? or
     cookies[CGI.escape(@web_name)] == @web.password or
-    password_check(params['password']) or
-    (@web.published? and action_name == 's5')
+    password_check(params['password'])
   end
 
 end

app/controllers/file_controller.rb

@@ -28,7 +28,7 @@ class FileController < ApplicationController
       # no form supplied, this is a request to download the file
       file = @web.files_path + '/' + @file_name
       if File.exists?(file)
-        send_file(file)
+        send_file(file) if check_authorized
       else
         return unless check_allow_uploads
         @file = WikiFile.new(:file_name => @file_name)
@@ -86,10 +86,20 @@ class FileController < ApplicationController
   end
 
   protected
+  
+  def check_authorized
+    if authorized? or @web.published?
+      return true
+    else
+      @hide_navigation  = true
+      render(:status => 403, :text => 'This web is private', :layout => true)
+      return false
+    end    
+  end
 
   def check_allow_uploads
     render(:status => 404, :text => "Web #{params['web'].inspect} not found", :layout => 'error') and return false unless @web
-    if @web.allow_uploads?
+    if @web.allow_uploads? and authorized?
       return true
     else
       @hide_navigation  = true

test/functional/file_controller_test.rb

@@ -80,7 +80,32 @@ class FileControllerTest < ActionController::TestCase
     assert_equal pic, r.body
     assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
   end
+
+  def test_pic_download_gif_published_web
+    @web.update_attribute(:published, true)
+    @web.update_attribute(:password, 'pswd')
+    pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
+    @web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
+    
+    r = get :file, :web => 'wiki1', :id => 'rails.gif'
+    
+    assert_response(:success, bypass_body_parsing = true)
+    assert_equal 'image/gif', r.headers['Content-Type']
+    assert_equal pic.size, r.body.size
+    assert_equal pic, r.body
+    assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
+  end
   
+  def test_pic_download_gif_unpublished_web
+    @web.update_attribute(:published, false)
+    @web.update_attribute(:password, 'pswd')
+    pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
+    @web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
+    r = get :file, :web => 'wiki1', :id => 'rails.gif'
+
+    assert_response(:forbidden)
+  end
+
   def test_pic_x_sendfile
     pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
     @web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
@@ -94,6 +119,33 @@ class FileControllerTest < ActionController::TestCase
     assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
   end
   
+  def test_pic_x_sendfile_published_web
+    @web.update_attribute(:published, true)
+    @web.update_attribute(:password, 'pswd')
+    pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
+    @web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
+    @request.env.update({ 'HTTP_X_SENDFILE_TYPE' => 'foo' })
+    @request.remote_addr = '127.0.0.1'
+    r = get :file, :web => 'wiki1', :id => 'rails.gif'
+    
+    assert_response(:success, bypass_body_parsing = true)
+    assert_match  '/rails.gif', r.headers['X-Sendfile']
+    assert_equal 'image/gif', r.headers['Content-Type']
+    assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
+  end
+
+  def test_pic_x_sendfile_unpublished_web
+    @web.update_attribute(:published, false)
+    @web.update_attribute(:password, 'pswd')
+    pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
+    @web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
+    @request.env.update({ 'HTTP_X_SENDFILE_TYPE' => 'foo' })
+    @request.remote_addr = '127.0.0.1'
+    r = get :file, :web => 'wiki1', :id => 'rails.gif'
+    
+    assert_response(:forbidden)
+  end
+
   def test_pic_x_sendfile_type_nonlocal
     pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
     @web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
@@ -114,6 +166,40 @@ class FileControllerTest < ActionController::TestCase
     assert_template 'file/file'
   end
 
+  def test_pic_upload_published_web
+    @web.update_attribute(:published, true)
+    @web.update_attribute(:password, 'pswd')
+    @web.update_attribute(:allow_uploads, true)
+    # edit and re-render a page so that it has an "unknown file" link to 'rails-e2e.gif'
+    PageRenderer.setup_url_generator(StubUrlGenerator.new)
+    renderer = PageRenderer.new
+    @wiki.revise_page('wiki1', 'Oak', 'Oak', '[[rails-e2e.gif:pic]]', 
+        Time.now, 'AnonymousBrave', renderer)
+    assert_equal "<p><span class='newWikiWord'>rails-e2e.gif</span></p>",
+        renderer.display_published
+  
+    # rails-e2e.gif is unknown to the system, so pic action goes to the file [upload] form
+    r = get :file, :web => 'wiki1', :id => 'rails-e2e.gif'
+    assert_response(:forbidden)
+  end
+
+  def test_pic_upload_unpublished_web
+    @web.update_attribute(:published, false)
+    @web.update_attribute(:password, 'pswd')
+    @web.update_attribute(:allow_uploads, true)
+    # edit and re-render a page so that it has an "unknown file" link to 'rails-e2e.gif'
+    PageRenderer.setup_url_generator(StubUrlGenerator.new)
+    renderer = PageRenderer.new
+    @wiki.revise_page('wiki1', 'Oak', 'Oak', '[[rails-e2e.gif:pic]]', 
+        Time.now, 'AnonymousBrave', renderer)
+    assert_equal "<p><span class='newWikiWord'>rails-e2e.gif</span></p>",
+        renderer.display_published
+  
+    # rails-e2e.gif is unknown to the system, so pic action goes to the file [upload] form
+    r = get :file, :web => 'wiki1', :id => 'rails-e2e.gif'
+    assert_response(:forbidden)
+  end
+
   def test_pic_upload_end_to_end
     # edit and re-render a page so that it has an "unknown file" link to 'rails-e2e.gif'
     PageRenderer.setup_url_generator(StubUrlGenerator.new)