nexus/vuefilemanager
2
0
Fork 0
mirror of https://github.com/VueFileManager/vuefilemanager.git synced 2026-04-05 18:23:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

security of request upload item

Browse Source
This commit is contained in:
Čarodej
2022-02-19 12:49:56 +01:00
parent 1107bf66af
commit 171ee5fa04
15 changed files with 172 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
routes/upload-request.php
View File

@@ -1,7 +1,7 @@
<?php
use Domain\UploadRequest\Controllers\CreateUploadRequestController;
use Domain\UploadRequest\Controllers\GetUploadRequestController;
use Domain\UploadRequest\Controllers\CreateUploadRequestController;
use Domain\UploadRequest\Controllers\UploadFilesForUploadRequestController;
Route::get('/{uploadRequest}', GetUploadRequestController::class);

2
src/App/Users/Models/User.php
View File

@@ -15,8 +15,8 @@ use Illuminate\Support\Facades\Storage;
use Illuminate\Notifications\Notifiable;
use App\Users\Notifications\ResetPassword;
use Laravel\Fortify\TwoFactorAuthenticatable;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Domain\UploadRequest\Models\UploadRequest;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use App\Users\Restrictions\RestrictionsManager;
use Illuminate\Database\Eloquent\Relations\HasOne;
use Illuminate\Database\Eloquent\Relations\HasMany;

4
src/Domain/Files/Controllers/FileAccess/GetThumbnailController.php
View File

@@ -20,10 +20,8 @@ class GetThumbnailController extends Controller
Request $request,
string $filename,
): FileNotFoundException | StreamedResponse {
$originalFileName = substr($filename, 3);
$file = File::withTrashed()
->where('basename', $originalFileName)
->where('basename', substr($filename, 3))
->firstOrFail();
if (! Gate::any(['can-edit', 'can-view'], [$file, null])) {

4
src/Domain/Files/Controllers/FileAccess/VisitorGetThumbnailController.php
View File

@@ -30,11 +30,9 @@ class VisitorGetThumbnailController extends Controller
// Check ability to access protected share files
($this->protectShareRecord)($shared);
$originalFileName = substr($filename, 3);
// Get file record
$file = UserFile::where('user_id', $shared->user_id)
->where('basename', $originalFileName)
->where('basename', substr($filename, 3))
->firstOrFail();
// Check file access

1
src/Domain/Files/Models/File.php
View File

@@ -115,7 +115,6 @@ class File extends Model
// Generate thumbnail link for local storage
if ($this->type === 'image') {
foreach ($thumbnail_sizes as $item) {
$route = route('thumbnail', ['name' => $item['name'] . '-' . $this->basename]);

9
src/Domain/UploadRequest/Controllers/CreateUploadRequestController.php
View File

@@ -1,13 +1,12 @@
<?php
namespace Domain\UploadRequest\Controllers;
use App\Http\Controllers\Controller;
use Auth;
use Domain\UploadRequest\Notifications\UploadRequestNotification;
use Notification;
use App\Http\Controllers\Controller;
use Domain\UploadRequest\Requests\StoreUploadRequest;
use Domain\UploadRequest\Resources\UploadRequestResource;
use Notification;
use Domain\UploadRequest\Notifications\UploadRequestNotification;
class CreateUploadRequestController extends Controller
{
@@ -27,4 +26,4 @@ class CreateUploadRequestController extends Controller
return response(new UploadRequestResource($uploadRequest), 201);
}
}
}

21
src/Domain/UploadRequest/Controllers/FileAccess/GetFileFromUploadRequestController.php
View File

@@ -1,16 +1,13 @@
<?php
namespace Domain\UploadRequest\Controllers\FileAccess;
use Domain\Files\Actions\DownloadFileAction;
use Domain\Sharing\Actions\ProtectShareRecordAction;
use Domain\Sharing\Actions\VerifyAccessToItemWithinAction;
use Domain\Traffic\Actions\RecordDownloadAction;
use Domain\UploadRequest\Models\UploadRequest;
use Gate;
use Domain\Files\Models\File;
use Illuminate\Http\Response;
use Domain\Sharing\Models\Share;
use Domain\Files\Resources\FileResource;
use Domain\Files\Actions\DownloadFileAction;
use Domain\UploadRequest\Models\UploadRequest;
use Domain\Traffic\Actions\RecordDownloadAction;
use Illuminate\Contracts\Foundation\Application;
use Illuminate\Contracts\Routing\ResponseFactory;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
/**
@@ -27,10 +24,16 @@ class GetFileFromUploadRequestController
public function __invoke(
string $filename,
UploadRequest $uploadRequest
): BinaryFileResponse {
): Application|ResponseFactory|Response|BinaryFileResponse {
// Check if upload request is active
if ($uploadRequest->status !== 'active') {
return response('Gone', 410);
}
// Get file
$file = File::where('user_id', $uploadRequest->user_id)
->where('basename', $filename)
->where('parent_id', $uploadRequest->id)
->firstOrFail();
// Store user download size

21
src/Domain/UploadRequest/Controllers/FileAccess/GetThumbnailFromUploadRequestController.php
View File

@@ -1,11 +1,14 @@
<?php
namespace Domain\UploadRequest\Controllers\FileAccess;
use App\Http\Controllers\Controller;
use Domain\Files\Actions\DownloadThumbnailAction;
use Domain\Traffic\Actions\RecordDownloadAction;
use Domain\UploadRequest\Models\UploadRequest;
use Domain\Files\Models\File;
use Illuminate\Http\Response;
use App\Http\Controllers\Controller;
use Domain\UploadRequest\Models\UploadRequest;
use Domain\Traffic\Actions\RecordDownloadAction;
use Illuminate\Contracts\Foundation\Application;
use Domain\Files\Actions\DownloadThumbnailAction;
use Illuminate\Contracts\Routing\ResponseFactory;
use Symfony\Component\HttpFoundation\StreamedResponse;
/**
@@ -22,12 +25,16 @@ class GetThumbnailFromUploadRequestController extends Controller
public function __invoke(
string $filename,
UploadRequest $uploadRequest
): StreamedResponse {
$originalFileName = substr($filename, 3);
): Application|ResponseFactory|Response|StreamedResponse {
// Check if upload request is active
if ($uploadRequest->status !== 'active') {
return response('Gone', 410);
}
// Get file
$file = File::where('user_id', $uploadRequest->user_id)
->where('basename', $originalFileName)
->where('basename', substr($filename, 3))
->where('parent_id', $uploadRequest->id)
->firstOrFail();
// Store user download size

19
src/Domain/UploadRequest/Controllers/UploadFilesForUploadRequestController.php
View File

@@ -1,20 +1,20 @@
<?php
namespace Domain\UploadRequest\Controllers;
use App\Users\Exceptions\InvalidUserActionException;
use Domain\Files\Resources\FileResource;
use Domain\UploadRequest\Models\UploadRequest;
use Domain\Files\Actions\UploadFileAction;
use Domain\Folders\Models\Folder;
use Illuminate\Contracts\Filesystem\FileNotFoundException;
use DB;
use Domain\Folders\Models\Folder;
use Domain\Files\Resources\FileResource;
use Domain\Files\Actions\UploadFileAction;
use Domain\UploadRequest\Models\UploadRequest;
use App\Users\Exceptions\InvalidUserActionException;
use Illuminate\Contracts\Filesystem\FileNotFoundException;
class UploadFilesForUploadRequestController
{
public function __construct(
private UploadFileAction $uploadFile,
) {}
) {
}
/**
* @throws FileNotFoundException
@@ -48,7 +48,6 @@ class UploadFilesForUploadRequestController
// Return new uploaded file
return response(new FileResource($file), 201);
} catch (InvalidUserActionException $e) {
return response([
'type' => 'error',
@@ -71,4 +70,4 @@ class UploadFilesForUploadRequestController
'name' => "Upload Request from $timestampName",
]);
}
}
}

4
src/Domain/UploadRequest/Models/UploadRequest.php
View File

@@ -2,10 +2,10 @@
namespace Domain\UploadRequest\Models;
use App\Users\Models\User;
use Database\Factories\UploadRequestFactory;
use Domain\Folders\Models\Folder;
use Illuminate\Support\Str;
use Domain\Folders\Models\Folder;
use Illuminate\Database\Eloquent\Model;
use Database\Factories\UploadRequestFactory;
use Illuminate\Database\Eloquent\Relations\HasOne;
use Illuminate\Database\Eloquent\Factories\HasFactory;

11
src/Domain/UploadRequest/Notifications/UploadRequestNotification.php
View File

@@ -1,12 +1,11 @@
<?php
namespace Domain\UploadRequest\Notifications;
use Domain\UploadRequest\Models\UploadRequest;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Notifications\Messages\MailMessage;
use Illuminate\Notifications\Notification;
use Illuminate\Contracts\Queue\ShouldQueue;
use Domain\UploadRequest\Models\UploadRequest;
use Illuminate\Notifications\Messages\MailMessage;
class UploadRequestNotification extends Notification implements ShouldQueue
{
@@ -19,7 +18,8 @@ class UploadRequestNotification extends Notification implements ShouldQueue
*/
public function __construct(
public UploadRequest $uploadRequest
) {}
) {
}
/**
* Get the notification's delivery channels.
@@ -58,7 +58,6 @@ class UploadRequestNotification extends Notification implements ShouldQueue
public function toArray($notifiable)
{
return [
//
];
}
}

1
src/Domain/UploadRequest/Requests/StoreUploadRequest.php
View File

@@ -1,5 +1,4 @@
<?php
namespace Domain\UploadRequest\Requests;
use Illuminate\Foundation\Http\FormRequest;

1
src/Domain/UploadRequest/Resources/UploadRequestResource.php
View File

@@ -1,5 +1,4 @@
<?php
namespace Domain\UploadRequest\Resources;
use Domain\Folders\Resources\FolderResource;

112
tests/Domain/UploadRequest/UploadRequestAccessTest.php Normal file
View File

@@ -0,0 +1,112 @@
<?php
namespace Tests\Domain\UploadRequest;
use Storage;
use Tests\TestCase;
use App\Users\Models\User;
use Illuminate\Support\Str;
use Domain\Files\Models\File;
use Illuminate\Http\UploadedFile;
use Domain\UploadRequest\Models\UploadRequest;
class UploadRequestAccessTest extends TestCase
{
/**
* @test
*/
public function it_get_file_from_upload_request_folder()
{
$user = User::factory()
->hasSettings()
->create();
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'active',
'user_id' => $user->id,
'created_at' => now(),
]);
$file = UploadedFile::fake()
->create(Str::random() . '-fake-file.pdf', 1200, 'application/pdf');
Storage::putFileAs("files/$user->id", $file, $file->name);
File::factory()
->create([
'parent_id' => $uploadRequest->id,
'basename' => $file->name,
'user_id' => $user->id,
'name' => 'fake-file.pdf',
]);
$this
->get("/file/$file->name/upload-request/$uploadRequest->id")
->assertOk();
}
/**
* @test
*/
public function it_get_thumbnail_from_upload_request_folder()
{
$user = User::factory()
->hasSettings()
->create();
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'active',
'user_id' => $user->id,
'created_at' => now(),
]);
$thumbnail = UploadedFile::fake()
->image('fake-thumbnail.jpg');
Storage::putFileAs("files/$user->id", $thumbnail, $thumbnail->name);
File::factory()
->create([
'parent_id' => $uploadRequest->id,
'basename' => 'fake-thumbnail.jpg',
'user_id' => $user->id,
]);
$this
->get("/thumbnail/xs-$thumbnail->name/upload-request/$uploadRequest->id")
->assertOk();
}
/**
* @test
*/
public function it_try_get_file_from_expired_upload_request_folder()
{
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'expired',
'created_at' => now(),
]);
$this
->get("/file/fake-file.pdf/upload-request/$uploadRequest->id")
->assertStatus(410);
}
/**
* @test
*/
public function it_try_get_thumbnail_from_expired_upload_request_folder()
{
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'filled',
'created_at' => now(),
]);
$this
->get("/thumbnail/xs-fake-thumbnail.jpeg/upload-request/$uploadRequest->id")
->assertStatus(410);
}
}

89
tests/Domain/UploadRequest/UploadRequestTest.php
View File

@@ -1,16 +1,14 @@
<?php
namespace Tests\Domain\UploadRequest;
use Domain\Files\Models\File;
use Domain\UploadRequest\Notifications\UploadRequestNotification;
use Domain\UploadRequest\Models\UploadRequest;
use App\Users\Models\User;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Str;
use Storage;
use Tests\TestCase;
use Notification;
use Tests\TestCase;
use App\Users\Models\User;
use Domain\Files\Models\File;
use Illuminate\Http\UploadedFile;
use Domain\UploadRequest\Models\UploadRequest;
use Domain\UploadRequest\Notifications\UploadRequestNotification;
class UploadRequestTest extends TestCase
{
@@ -36,7 +34,7 @@ class UploadRequestTest extends TestCase
$this
->actingAs($user)
->postJson("/api/upload-request", [
->postJson('/api/upload-request', [
'folder_id' => '00cacdb9-1d09-4a32-8ad7-c0d45d66b758',
'email' => 'howdy@hi5ve.digital',
'notes' => 'Please send me your files...',
@@ -63,7 +61,7 @@ class UploadRequestTest extends TestCase
$this
->actingAs($user)
->postJson("/api/upload-request", [
->postJson('/api/upload-request', [
'folder_id' => '00cacdb9-1d09-4a32-8ad7-c0d45d66b758',
'notes' => 'Please send me your files...',
])
@@ -144,7 +142,7 @@ class UploadRequestTest extends TestCase
/**
* @test
*/
public function it_upload_file_into_non_active_upload_request()
public function it_try_upload_file_into_non_active_upload_request()
{
$user = User::factory()
->hasSettings()
@@ -169,71 +167,4 @@ class UploadRequestTest extends TestCase
'is_last' => 'true',
])->assertStatus(410);
}
/**
* @test
*/
public function it_get_file_from_upload_request_folder()
{
$user = User::factory()
->hasSettings()
->create();
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'active',
'user_id' => $user->id,
'created_at' => now(),
]);
$file = UploadedFile::fake()
->create(Str::random() . '-fake-file.pdf', 1200, 'application/pdf');
Storage::putFileAs("files/$user->id", $file, $file->name);
File::factory()
->create([
'parent_id' => $uploadRequest->id,
'basename' => $file->name,
'user_id' => $user->id,
'name' => 'fake-file.pdf',
]);
$this
->get("/file/$file->name/upload-request/$uploadRequest->id")
->assertOk();
}
/**
* @test
*/
public function it_get_thumbnail_from_upload_request_folder()
{
$user = User::factory()
->hasSettings()
->create();
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'active',
'user_id' => $user->id,
'created_at' => now(),
]);
$thumbnail = UploadedFile::fake()
->image('fake-thumbnail.jpg');
Storage::putFileAs("files/$user->id", $thumbnail, $thumbnail->name);
File::factory()
->create([
'parent_id' => $uploadRequest->id,
'basename' => 'fake-thumbnail.jpg',
'user_id' => $user->id,
]);
$this
->get("/thumbnail/xs-$thumbnail->name/upload-request/$uploadRequest->id")
->assertOk();
}
}
}