nexus/vuefilemanager
2
0
Fork 0
mirror of https://github.com/VueFileManager/vuefilemanager.git synced 2026-04-18 16:22:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

security of request upload item

Browse Source
This commit is contained in:
Čarodej
2022-02-19 12:49:56 +01:00
parent 1107bf66af
commit 171ee5fa04
15 changed files with 172 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
routes/upload-request.php
View File

@@ -1,7 +1,7 @@
<?php <?php
use Domain\UploadRequest\Controllers\CreateUploadRequestController;
use Domain\UploadRequest\Controllers\GetUploadRequestController; use Domain\UploadRequest\Controllers\GetUploadRequestController;
use Domain\UploadRequest\Controllers\CreateUploadRequestController;
use Domain\UploadRequest\Controllers\UploadFilesForUploadRequestController; use Domain\UploadRequest\Controllers\UploadFilesForUploadRequestController;
Route::get('/{uploadRequest}', GetUploadRequestController::class); Route::get('/{uploadRequest}', GetUploadRequestController::class);

2
src/App/Users/Models/User.php
View File

@@ -15,8 +15,8 @@ use Illuminate\Support\Facades\Storage;
use Illuminate\Notifications\Notifiable; use Illuminate\Notifications\Notifiable;
use App\Users\Notifications\ResetPassword; use App\Users\Notifications\ResetPassword;
use Laravel\Fortify\TwoFactorAuthenticatable; use Laravel\Fortify\TwoFactorAuthenticatable;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Domain\UploadRequest\Models\UploadRequest; use Domain\UploadRequest\Models\UploadRequest;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use App\Users\Restrictions\RestrictionsManager; use App\Users\Restrictions\RestrictionsManager;
use Illuminate\Database\Eloquent\Relations\HasOne; use Illuminate\Database\Eloquent\Relations\HasOne;
use Illuminate\Database\Eloquent\Relations\HasMany; use Illuminate\Database\Eloquent\Relations\HasMany;

4
src/Domain/Files/Controllers/FileAccess/GetThumbnailController.php
View File

@@ -20,10 +20,8 @@ class GetThumbnailController extends Controller
Request $request, Request $request,
string $filename, string $filename,
): FileNotFoundException | StreamedResponse { ): FileNotFoundException | StreamedResponse {
$originalFileName = substr($filename, 3);
$file = File::withTrashed() $file = File::withTrashed()
->where('basename', $originalFileName) ->where('basename', substr($filename, 3))
->firstOrFail(); ->firstOrFail();
if (! Gate::any(['can-edit', 'can-view'], [$file, null])) { if (! Gate::any(['can-edit', 'can-view'], [$file, null])) {

4
src/Domain/Files/Controllers/FileAccess/VisitorGetThumbnailController.php
View File

@@ -30,11 +30,9 @@ class VisitorGetThumbnailController extends Controller
// Check ability to access protected share files // Check ability to access protected share files
($this->protectShareRecord)($shared); ($this->protectShareRecord)($shared);
$originalFileName = substr($filename, 3);
// Get file record // Get file record
$file = UserFile::where('user_id', $shared->user_id) $file = UserFile::where('user_id', $shared->user_id)
->where('basename', $originalFileName) ->where('basename', substr($filename, 3))
->firstOrFail(); ->firstOrFail();
// Check file access // Check file access

1
src/Domain/Files/Models/File.php
View File

@@ -115,7 +115,6 @@ class File extends Model
// Generate thumbnail link for local storage // Generate thumbnail link for local storage
if ($this->type === 'image') { if ($this->type === 'image') {
foreach ($thumbnail_sizes as $item) { foreach ($thumbnail_sizes as $item) {
$route = route('thumbnail', ['name' => $item['name'] . '-' . $this->basename]); $route = route('thumbnail', ['name' => $item['name'] . '-' . $this->basename]);

9
src/Domain/UploadRequest/Controllers/CreateUploadRequestController.php
View File

@@ -1,13 +1,12 @@
<?php <?php
namespace Domain\UploadRequest\Controllers; namespace Domain\UploadRequest\Controllers;
use App\Http\Controllers\Controller;
use Auth; use Auth;
use Domain\UploadRequest\Notifications\UploadRequestNotification; use Notification;
use App\Http\Controllers\Controller;
use Domain\UploadRequest\Requests\StoreUploadRequest; use Domain\UploadRequest\Requests\StoreUploadRequest;
use Domain\UploadRequest\Resources\UploadRequestResource; use Domain\UploadRequest\Resources\UploadRequestResource;
use Notification; use Domain\UploadRequest\Notifications\UploadRequestNotification;
class CreateUploadRequestController extends Controller class CreateUploadRequestController extends Controller
{ {
@@ -27,4 +26,4 @@ class CreateUploadRequestController extends Controller
return response(new UploadRequestResource($uploadRequest), 201); return response(new UploadRequestResource($uploadRequest), 201);
} }
} }

21
src/Domain/UploadRequest/Controllers/FileAccess/GetFileFromUploadRequestController.php
View File

@@ -1,16 +1,13 @@
<?php <?php
namespace Domain\UploadRequest\Controllers\FileAccess; namespace Domain\UploadRequest\Controllers\FileAccess;
use Domain\Files\Actions\DownloadFileAction;
use Domain\Sharing\Actions\ProtectShareRecordAction;
use Domain\Sharing\Actions\VerifyAccessToItemWithinAction;
use Domain\Traffic\Actions\RecordDownloadAction;
use Domain\UploadRequest\Models\UploadRequest;
use Gate;
use Domain\Files\Models\File; use Domain\Files\Models\File;
use Illuminate\Http\Response; use Illuminate\Http\Response;
use Domain\Sharing\Models\Share; use Domain\Files\Actions\DownloadFileAction;
use Domain\Files\Resources\FileResource; use Domain\UploadRequest\Models\UploadRequest;
use Domain\Traffic\Actions\RecordDownloadAction;
use Illuminate\Contracts\Foundation\Application;
use Illuminate\Contracts\Routing\ResponseFactory;
use Symfony\Component\HttpFoundation\BinaryFileResponse; use Symfony\Component\HttpFoundation\BinaryFileResponse;
/** /**
@@ -27,10 +24,16 @@ class GetFileFromUploadRequestController
public function __invoke( public function __invoke(
string $filename, string $filename,
UploadRequest $uploadRequest UploadRequest $uploadRequest
): BinaryFileResponse { ): Application|ResponseFactory|Response|BinaryFileResponse {
// Check if upload request is active
if ($uploadRequest->status !== 'active') {
return response('Gone', 410);
}
// Get file // Get file
$file = File::where('user_id', $uploadRequest->user_id) $file = File::where('user_id', $uploadRequest->user_id)
->where('basename', $filename) ->where('basename', $filename)
->where('parent_id', $uploadRequest->id)
->firstOrFail(); ->firstOrFail();
// Store user download size // Store user download size

21
src/Domain/UploadRequest/Controllers/FileAccess/GetThumbnailFromUploadRequestController.php
View File

@@ -1,11 +1,14 @@
<?php <?php
namespace Domain\UploadRequest\Controllers\FileAccess; namespace Domain\UploadRequest\Controllers\FileAccess;
use App\Http\Controllers\Controller;
use Domain\Files\Actions\DownloadThumbnailAction;
use Domain\Traffic\Actions\RecordDownloadAction;
use Domain\UploadRequest\Models\UploadRequest;
use Domain\Files\Models\File; use Domain\Files\Models\File;
use Illuminate\Http\Response;
use App\Http\Controllers\Controller;
use Domain\UploadRequest\Models\UploadRequest;
use Domain\Traffic\Actions\RecordDownloadAction;
use Illuminate\Contracts\Foundation\Application;
use Domain\Files\Actions\DownloadThumbnailAction;
use Illuminate\Contracts\Routing\ResponseFactory;
use Symfony\Component\HttpFoundation\StreamedResponse; use Symfony\Component\HttpFoundation\StreamedResponse;
/** /**
@@ -22,12 +25,16 @@ class GetThumbnailFromUploadRequestController extends Controller
public function __invoke( public function __invoke(
string $filename, string $filename,
UploadRequest $uploadRequest UploadRequest $uploadRequest
): StreamedResponse { ): Application|ResponseFactory|Response|StreamedResponse {
$originalFileName = substr($filename, 3); // Check if upload request is active
if ($uploadRequest->status !== 'active') {
return response('Gone', 410);
}
// Get file // Get file
$file = File::where('user_id', $uploadRequest->user_id) $file = File::where('user_id', $uploadRequest->user_id)
->where('basename', $originalFileName) ->where('basename', substr($filename, 3))
->where('parent_id', $uploadRequest->id)
->firstOrFail(); ->firstOrFail();
// Store user download size // Store user download size

19
src/Domain/UploadRequest/Controllers/UploadFilesForUploadRequestController.php
View File

@@ -1,20 +1,20 @@
<?php <?php
namespace Domain\UploadRequest\Controllers; namespace Domain\UploadRequest\Controllers;
use App\Users\Exceptions\InvalidUserActionException;
use Domain\Files\Resources\FileResource;
use Domain\UploadRequest\Models\UploadRequest;
use Domain\Files\Actions\UploadFileAction;
use Domain\Folders\Models\Folder;
use Illuminate\Contracts\Filesystem\FileNotFoundException;
use DB; use DB;
use Domain\Folders\Models\Folder;
use Domain\Files\Resources\FileResource;
use Domain\Files\Actions\UploadFileAction;
use Domain\UploadRequest\Models\UploadRequest;
use App\Users\Exceptions\InvalidUserActionException;
use Illuminate\Contracts\Filesystem\FileNotFoundException;
class UploadFilesForUploadRequestController class UploadFilesForUploadRequestController
{ {
public function __construct( public function __construct(
private UploadFileAction $uploadFile, private UploadFileAction $uploadFile,
) {} ) {
}
/** /**
* @throws FileNotFoundException * @throws FileNotFoundException
@@ -48,7 +48,6 @@ class UploadFilesForUploadRequestController
// Return new uploaded file // Return new uploaded file
return response(new FileResource($file), 201); return response(new FileResource($file), 201);
} catch (InvalidUserActionException $e) { } catch (InvalidUserActionException $e) {
return response([ return response([
'type' => 'error', 'type' => 'error',
@@ -71,4 +70,4 @@ class UploadFilesForUploadRequestController
'name' => "Upload Request from $timestampName", 'name' => "Upload Request from $timestampName",
]); ]);
} }
} }

4
src/Domain/UploadRequest/Models/UploadRequest.php
View File

@@ -2,10 +2,10 @@
namespace Domain\UploadRequest\Models; namespace Domain\UploadRequest\Models;
use App\Users\Models\User; use App\Users\Models\User;
use Database\Factories\UploadRequestFactory;
use Domain\Folders\Models\Folder;
use Illuminate\Support\Str; use Illuminate\Support\Str;
use Domain\Folders\Models\Folder;
use Illuminate\Database\Eloquent\Model; use Illuminate\Database\Eloquent\Model;
use Database\Factories\UploadRequestFactory;
use Illuminate\Database\Eloquent\Relations\HasOne; use Illuminate\Database\Eloquent\Relations\HasOne;
use Illuminate\Database\Eloquent\Factories\HasFactory; use Illuminate\Database\Eloquent\Factories\HasFactory;

11
src/Domain/UploadRequest/Notifications/UploadRequestNotification.php
View File

@@ -1,12 +1,11 @@
<?php <?php
namespace Domain\UploadRequest\Notifications; namespace Domain\UploadRequest\Notifications;
use Domain\UploadRequest\Models\UploadRequest;
use Illuminate\Bus\Queueable; use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Notifications\Messages\MailMessage;
use Illuminate\Notifications\Notification; use Illuminate\Notifications\Notification;
use Illuminate\Contracts\Queue\ShouldQueue;
use Domain\UploadRequest\Models\UploadRequest;
use Illuminate\Notifications\Messages\MailMessage;
class UploadRequestNotification extends Notification implements ShouldQueue class UploadRequestNotification extends Notification implements ShouldQueue
{ {
@@ -19,7 +18,8 @@ class UploadRequestNotification extends Notification implements ShouldQueue
*/ */
public function __construct( public function __construct(
public UploadRequest $uploadRequest public UploadRequest $uploadRequest
) {} ) {
}
/** /**
* Get the notification's delivery channels. * Get the notification's delivery channels.
@@ -58,7 +58,6 @@ class UploadRequestNotification extends Notification implements ShouldQueue
public function toArray($notifiable) public function toArray($notifiable)
{ {
return [ return [
//
]; ];
} }
} }

1
src/Domain/UploadRequest/Requests/StoreUploadRequest.php
View File

@@ -1,5 +1,4 @@
<?php <?php
namespace Domain\UploadRequest\Requests; namespace Domain\UploadRequest\Requests;
use Illuminate\Foundation\Http\FormRequest; use Illuminate\Foundation\Http\FormRequest;

1
src/Domain/UploadRequest/Resources/UploadRequestResource.php
View File

@@ -1,5 +1,4 @@
<?php <?php
namespace Domain\UploadRequest\Resources; namespace Domain\UploadRequest\Resources;
use Domain\Folders\Resources\FolderResource; use Domain\Folders\Resources\FolderResource;

112
tests/Domain/UploadRequest/UploadRequestAccessTest.php Normal file
View File

@@ -0,0 +1,112 @@
<?php
namespace Tests\Domain\UploadRequest;
use Storage;
use Tests\TestCase;
use App\Users\Models\User;
use Illuminate\Support\Str;
use Domain\Files\Models\File;
use Illuminate\Http\UploadedFile;
use Domain\UploadRequest\Models\UploadRequest;
class UploadRequestAccessTest extends TestCase
{
/**
* @test
*/
public function it_get_file_from_upload_request_folder()
{
$user = User::factory()
->hasSettings()
->create();
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'active',
'user_id' => $user->id,
'created_at' => now(),
]);
$file = UploadedFile::fake()
->create(Str::random() . '-fake-file.pdf', 1200, 'application/pdf');
Storage::putFileAs("files/$user->id", $file, $file->name);
File::factory()
->create([
'parent_id' => $uploadRequest->id,
'basename' => $file->name,
'user_id' => $user->id,
'name' => 'fake-file.pdf',
]);
$this
->get("/file/$file->name/upload-request/$uploadRequest->id")
->assertOk();
}
/**
* @test
*/
public function it_get_thumbnail_from_upload_request_folder()
{
$user = User::factory()
->hasSettings()
->create();
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'active',
'user_id' => $user->id,
'created_at' => now(),
]);
$thumbnail = UploadedFile::fake()
->image('fake-thumbnail.jpg');
Storage::putFileAs("files/$user->id", $thumbnail, $thumbnail->name);
File::factory()
->create([
'parent_id' => $uploadRequest->id,
'basename' => 'fake-thumbnail.jpg',
'user_id' => $user->id,
]);
$this
->get("/thumbnail/xs-$thumbnail->name/upload-request/$uploadRequest->id")
->assertOk();
}
/**
* @test
*/
public function it_try_get_file_from_expired_upload_request_folder()
{
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'expired',
'created_at' => now(),
]);
$this
->get("/file/fake-file.pdf/upload-request/$uploadRequest->id")
->assertStatus(410);
}
/**
* @test
*/
public function it_try_get_thumbnail_from_expired_upload_request_folder()
{
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'filled',
'created_at' => now(),
]);
$this
->get("/thumbnail/xs-fake-thumbnail.jpeg/upload-request/$uploadRequest->id")
->assertStatus(410);
}
}

89
tests/Domain/UploadRequest/UploadRequestTest.php
View File

@@ -1,16 +1,14 @@
<?php <?php
namespace Tests\Domain\UploadRequest; namespace Tests\Domain\UploadRequest;
use Domain\Files\Models\File;
use Domain\UploadRequest\Notifications\UploadRequestNotification;
use Domain\UploadRequest\Models\UploadRequest;
use App\Users\Models\User;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Str;
use Storage; use Storage;
use Tests\TestCase;
use Notification; use Notification;
use Tests\TestCase;
use App\Users\Models\User;
use Domain\Files\Models\File;
use Illuminate\Http\UploadedFile;
use Domain\UploadRequest\Models\UploadRequest;
use Domain\UploadRequest\Notifications\UploadRequestNotification;
class UploadRequestTest extends TestCase class UploadRequestTest extends TestCase
{ {
@@ -36,7 +34,7 @@ class UploadRequestTest extends TestCase
$this $this
->actingAs($user) ->actingAs($user)
->postJson("/api/upload-request", [ ->postJson('/api/upload-request', [
'folder_id' => '00cacdb9-1d09-4a32-8ad7-c0d45d66b758', 'folder_id' => '00cacdb9-1d09-4a32-8ad7-c0d45d66b758',
'email' => 'howdy@hi5ve.digital', 'email' => 'howdy@hi5ve.digital',
'notes' => 'Please send me your files...', 'notes' => 'Please send me your files...',
@@ -63,7 +61,7 @@ class UploadRequestTest extends TestCase
$this $this
->actingAs($user) ->actingAs($user)
->postJson("/api/upload-request", [ ->postJson('/api/upload-request', [
'folder_id' => '00cacdb9-1d09-4a32-8ad7-c0d45d66b758', 'folder_id' => '00cacdb9-1d09-4a32-8ad7-c0d45d66b758',
'notes' => 'Please send me your files...', 'notes' => 'Please send me your files...',
]) ])
@@ -144,7 +142,7 @@ class UploadRequestTest extends TestCase
/** /**
* @test * @test
*/ */
public function it_upload_file_into_non_active_upload_request() public function it_try_upload_file_into_non_active_upload_request()
{ {
$user = User::factory() $user = User::factory()
->hasSettings() ->hasSettings()
@@ -169,71 +167,4 @@ class UploadRequestTest extends TestCase
'is_last' => 'true', 'is_last' => 'true',
])->assertStatus(410); ])->assertStatus(410);
} }
}
/**
* @test
*/
public function it_get_file_from_upload_request_folder()
{
$user = User::factory()
->hasSettings()
->create();
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'active',
'user_id' => $user->id,
'created_at' => now(),
]);
$file = UploadedFile::fake()
->create(Str::random() . '-fake-file.pdf', 1200, 'application/pdf');
Storage::putFileAs("files/$user->id", $file, $file->name);
File::factory()
->create([
'parent_id' => $uploadRequest->id,
'basename' => $file->name,
'user_id' => $user->id,
'name' => 'fake-file.pdf',
]);
$this
->get("/file/$file->name/upload-request/$uploadRequest->id")
->assertOk();
}
/**
* @test
*/
public function it_get_thumbnail_from_upload_request_folder()
{
$user = User::factory()
->hasSettings()
->create();
$uploadRequest = UploadRequest::factory()
->create([
'status' => 'active',
'user_id' => $user->id,
'created_at' => now(),
]);
$thumbnail = UploadedFile::fake()
->image('fake-thumbnail.jpg');
Storage::putFileAs("files/$user->id", $thumbnail, $thumbnail->name);
File::factory()
->create([
'parent_id' => $uploadRequest->id,
'basename' => 'fake-thumbnail.jpg',
'user_id' => $user->id,
]);
$this
->get("/thumbnail/xs-$thumbnail->name/upload-request/$uploadRequest->id")
->assertOk();
}
}