Uploaded files in published webs should be accessible
File retrieval (but not file uploads) should be allowed on a published web (this includes BlahTeX/PNG support). (Reported by Ari Stern).
This commit is contained in:
parent
591c60de09
commit
155dc88891
@ -15,6 +15,7 @@ Bugs Fixed:
* Add a flash message for redirection to "new" page
* Add a flash message for redirection to "new" page
when the target of "show" action is not found.
when the target of "show" action is not found.
* Flash[:info] messages use Web's colour scheme.
* Flash[:info] messages use Web's colour scheme.
* Uploaded files in published webs should be accessible
------------------------------------------------------------------------------
------------------------------------------------------------------------------
* 0.16.6
* 0.16.6
@ -222,15 +222,14 @@ class ApplicationController < ActionController::Base
end
end
def authorization_needed?
def authorization_needed?
not %w( login authenticate feeds published atom_with_headlines atom_with_content).include?(action_name)
not %w(login authenticate feeds published atom_with_headlines atom_with_content s5 file blahtex_png).include?(action_name)
end
end
def authorized?
def authorized?
@web.nil? or
@web.nil? or
@web.password.nil? or
@web.password.nil? or
cookies[CGI.escape(@web_name)] == @web.password or
cookies[CGI.escape(@web_name)] == @web.password or
password_check(params['password']) or
password_check(params['password'])
(@web.published? and action_name == 's5')
end
end
end
end
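Review bot: The rewritten `authorization_needed?` now exempts `s5`, `file` and `blahtex_png` from the filter outright, whereas the clause removed from `authorized?` only let `s5` through when `@web.published?` was true; unless the s5 and blahtex_png actions (not in this diff) enforce `@web.published?` themselves, they become reachable on private webs after this commit. The `file` action gets its own `check_authorized` in FileController, but the other two are worth verifying before merge. The exemption list also deserves a comment, e.g. `# Actions listed here skip the authorization filter; each must perform its own access check.` above the `not %w(...)` line. Style-wise, `authorized?` chains with `or`, which binds looser than `||`; `||` is the conventional choice, though the result is the same in this bare expression.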
@ -28,7 +28,7 @@ class FileController < ApplicationController
# no form supplied, this is a request to download the file
# no form supplied, this is a request to download the file
file = @web.files_path + '/' + @file_name
file = @web.files_path + '/' + @file_name
if File.exists?(file)
if File.exists?(file)
send_file(file)
send_file(file) if check_authorized
else
else
return unless check_allow_uploads
return unless check_allow_uploads
@file = WikiFile.new(:file_name => @file_name)
@file = WikiFile.new(:file_name => @file_name)
@ -87,9 +87,19 @@ class FileController < ApplicationController
protected
protected
def check_authorized
if authorized? or @web.published?
return true
else
@hide_navigation = true
render(:status => 403, :text => 'This web is private', :layout => true)
return false
end
end
def check_allow_uploads
def check_allow_uploads
render(:status => 404, :text => "Web #{params['web'].inspect} not found", :layout => 'error') and return false unless @web
render(:status => 404, :text => "Web #{params['web'].inspect} not found", :layout => 'error') and return false unless @web
if @web.allow_uploads?
if @web.allow_uploads? and authorized?
return true
return true
else
else
@hide_navigation = true
@hide_navigation = true
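Review bot: The new `check_authorized` in the second hunk carries no comment explaining why it exists: with this commit the `file` action no longer passes through the ApplicationController filter, so this method and `check_allow_uploads` are the only access checks on the action, and any branch that forgets to call one of them serves content unchecked. Suggest a comment above `def check_authorized`: `# Replaces the ApplicationController authorization filter for the 'file' action: downloads are allowed on published webs or to authorized callers; every branch of the action must call this or check_allow_uploads before rendering.` The form-supplied upload branch of the action lies above the first hunk, so I cannot confirm it reaches `check_allow_uploads`; worth verifying, since keeping uploads private on published webs is the stated intent. Also, the 403 here renders with `:layout => true` while the 404 in `check_allow_uploads` uses `:layout => 'error'`; the method could read as a guard clause, `return true if authorized? or @web.published?`, followed by the error rendering.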
@ -81,6 +81,31 @@ class FileControllerTest < ActionController::TestCase
assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
end
end
def test_pic_download_gif_published_web
@web.update_attribute(:published, true)
@web.update_attribute(:password, 'pswd')
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
r = get :file, :web => 'wiki1', :id => 'rails.gif'
assert_response(:success, bypass_body_parsing = true)
assert_equal 'image/gif', r.headers['Content-Type']
assert_equal pic.size, r.body.size
assert_equal pic, r.body
assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
end
def test_pic_download_gif_unpublished_web
@web.update_attribute(:published, false)
@web.update_attribute(:password, 'pswd')
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
r = get :file, :web => 'wiki1', :id => 'rails.gif'
assert_response(:forbidden)
end
def test_pic_x_sendfile
def test_pic_x_sendfile
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
@ -94,6 +119,33 @@ class FileControllerTest < ActionController::TestCase
assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
end
end
def test_pic_x_sendfile_published_web
@web.update_attribute(:published, true)
@web.update_attribute(:password, 'pswd')
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
@request.env.update({ 'HTTP_X_SENDFILE_TYPE' => 'foo' })
@request.remote_addr = '127.0.0.1'
r = get :file, :web => 'wiki1', :id => 'rails.gif'
assert_response(:success, bypass_body_parsing = true)
assert_match '/rails.gif', r.headers['X-Sendfile']
assert_equal 'image/gif', r.headers['Content-Type']
assert_equal 'inline; filename="rails.gif"', r.headers['Content-Disposition']
end
def test_pic_x_sendfile_unpublished_web
@web.update_attribute(:published, false)
@web.update_attribute(:password, 'pswd')
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
@request.env.update({ 'HTTP_X_SENDFILE_TYPE' => 'foo' })
@request.remote_addr = '127.0.0.1'
r = get :file, :web => 'wiki1', :id => 'rails.gif'
assert_response(:forbidden)
end
def test_pic_x_sendfile_type_nonlocal
def test_pic_x_sendfile_type_nonlocal
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
pic = File.open("#{RAILS_ROOT}/test/fixtures/rails.gif", 'rb') { |f| f.read }
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
@web.wiki_files.create(:file_name => 'rails.gif', :description => 'An image', :content => pic)
@ -114,6 +166,40 @@ class FileControllerTest < ActionController::TestCase
assert_template 'file/file'
assert_template 'file/file'
end
end
def test_pic_upload_published_web
@web.update_attribute(:published, true)
@web.update_attribute(:password, 'pswd')
@web.update_attribute(:allow_uploads, true)
# edit and re-render a page so that it has an "unknown file" link to 'rails-e2e.gif'
PageRenderer.setup_url_generator(StubUrlGenerator.new)
renderer = PageRenderer.new
@wiki.revise_page('wiki1', 'Oak', 'Oak', '[[rails-e2e.gif:pic]]',
Time.now, 'AnonymousBrave', renderer)
assert_equal "<p><span class='newWikiWord'>rails-e2e.gif</span></p>",
renderer.display_published
# rails-e2e.gif is unknown to the system, so pic action goes to the file [upload] form
r = get :file, :web => 'wiki1', :id => 'rails-e2e.gif'
assert_response(:forbidden)
end
def test_pic_upload_unpublished_web
@web.update_attribute(:published, false)
@web.update_attribute(:password, 'pswd')
@web.update_attribute(:allow_uploads, true)
# edit and re-render a page so that it has an "unknown file" link to 'rails-e2e.gif'
PageRenderer.setup_url_generator(StubUrlGenerator.new)
renderer = PageRenderer.new
@wiki.revise_page('wiki1', 'Oak', 'Oak', '[[rails-e2e.gif:pic]]',
Time.now, 'AnonymousBrave', renderer)
assert_equal "<p><span class='newWikiWord'>rails-e2e.gif</span></p>",
renderer.display_published
# rails-e2e.gif is unknown to the system, so pic action goes to the file [upload] form
r = get :file, :web => 'wiki1', :id => 'rails-e2e.gif'
assert_response(:forbidden)
end
def test_pic_upload_end_to_end
def test_pic_upload_end_to_end
# edit and re-render a page so that it has an "unknown file" link to 'rails-e2e.gif'
# edit and re-render a page so that it has an "unknown file" link to 'rails-e2e.gif'
PageRenderer.setup_url_generator(StubUrlGenerator.new)
PageRenderer.setup_url_generator(StubUrlGenerator.new)