From 1f615c54af9ea802da086bbaba1a454595972ed0 Mon Sep 17 00:00:00 2001 From: Peter Papp Date: Sun, 7 Mar 2021 10:46:51 +0100 Subject: [PATCH] added it_get_private_user_file, guest_try_to_get_private_user_file, logged_user_try_to_get_another_private_user_file test --- app/Http/Controllers/FileAccessController.php | 41 ++++----- app/Models/File.php | 2 +- routes/web.php | 3 +- tests/Feature/FileAccessTest.php | 85 +++++++++++++++++++ 4 files changed, 109 insertions(+), 22 deletions(-) diff --git a/app/Http/Controllers/FileAccessController.php b/app/Http/Controllers/FileAccessController.php index 61577b8f..45023b36 100644 --- a/app/Http/Controllers/FileAccessController.php +++ b/app/Http/Controllers/FileAccessController.php @@ -6,7 +6,6 @@ use App\Models\Folder; use App\Http\Tools\Editor; use App\Http\Tools\Guardian; use App\Models\Share; -use App\Models\User; use App\Models\Zip; use Illuminate\Support\Arr; use Illuminate\Support\Facades\Auth; @@ -70,29 +69,29 @@ class FileAccessController extends Controller */ public function get_file(Request $request, $filename) { - // Get user id - $user_id = Auth::id(); - // Get file record - $file = File::withTrashed() - ->where('user_id', $user_id) + $file = UserFile::withTrashed() + ->where('user_id', Auth::id()) ->where('basename', $filename) ->firstOrFail(); // Check user permission - if (!$request->user()->tokenCan('master')) { + /*if (!$request->user()->tokenCan('master')) { // Get shared token $shared = get_shared($request->cookie('shared_token')); // Check access to file $this->check_file_access($shared, $file); - } + }*/ + // Store user download size - $request->user()->record_download((int)$file->getRawOriginal('filesize')); + $request->user()->record_download( + (int) $file->getRawOriginal('filesize') + ); - return $this->download_file($file); + return $this->download_file($file, Auth::id()); } /** 
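Review bot: The permission check in get_file is commented out rather than removed, so the shared-token path (`get_shared` / `check_file_access`) is now dead code with no replacement and the method authorizes solely through `->where('user_id', Auth::id())`. If shared links still reach this route, a viewer who is not the owner gets a 404 and, unless route middleware redirects first, an unauthenticated request reaches `$request->user()->record_download(...)` with a null user; none of this is mentioned in the commit message. Either delete the `/* ... */` block outright or restore it against the `UserFile` lookup, since a commented-out authorization check invites someone to re-enable it untested. Worth confirming that `UserFile` is imported in this file: the first hunk only drops `use App\Models\User;` and no `use App\Models\UserFile;` is visible in the diff.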
@@ -254,28 +253,32 @@ class FileAccessController extends Controller * Call and download file * * @param $file + * @param $user_id * @return mixed - * @throws \Illuminate\Contracts\Filesystem\FileNotFoundException */ - private function download_file($file) + private function download_file($file, $user_id) { - $file_pretty_name = get_pretty_name($file->basename, $file->name, $file->mimetype); - // Get file path - $path = '/file-manager/' . $file->basename; + $path = "files/$user_id/$file->basename"; // Check if file exist - if (!Storage::exists($path)) abort(404); + if (!Storage::exists($path)) { + abort(404); + } + + // Get pretty name + $pretty_name = get_pretty_name($file->basename, $file->name, $file->mimetype); $headers = [ "Accept-Ranges" => "bytes", "Content-Type" => Storage::mimeType($path), "Content-Length" => Storage::size($path), "Content-Range" => "bytes 0-600/" . Storage::size($path), - "Content-Disposition" => "attachment; filename=" . $file_pretty_name, + "Content-Disposition" => "attachment; filename=$pretty_name", ]; - return response()->download(config('filesystems.disks.local.root') . '/file-manager/' . $file->basename, $file_pretty_name, $headers); + return response() + ->download(Storage::path($path), $pretty_name, $headers); } /** @@ -286,7 +289,7 @@ class FileAccessController extends Controller private function thumbnail_file($file) { // Get file path - $path = '/file-manager/' . $file->getRawOriginal('thumbnail'); + $path = '/files/' . $file->getRawOriginal('thumbnail'); // Check if file exist if (!Storage::exists($path)) abort(404); diff --git a/app/Models/File.php b/app/Models/File.php index db89efbd..56ba806b 100644 --- a/app/Models/File.php +++ b/app/Models/File.php 
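Review bot: The hand-built `"Content-Disposition" => "attachment; filename=$pretty_name"` entry in download_file interpolates the name unquoted, so a name containing spaces, `;` or `"` produces a malformed header; as far as I recall `response()->download()` already derives an escaped disposition from its `$name` argument, so the custom entry can simply be dropped from `$headers`. The unchanged `"Content-Range" => "bytes 0-600/" . Storage::size($path)` line is also suspect, since it advertises a fixed partial range on a full 200 response and some clients honour it. The new parameter should carry a type and a docblock line, e.g. `private function download_file($file, int $user_id)` with `@param int $user_id` described as the owner whose `files/{id}/` directory holds the object.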
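Review bot: thumbnail_file resolves `'/files/' . $file->getRawOriginal('thumbnail')` with no user segment, while download_file in the hunk above now reads from `files/$user_id/...`; the same flat `'files/' . basename` layout is kept in the app/Models/File.php temporaryUrl hunk. If uploads are stored per user, as the tests' `Storage::putFileAs("files/$user->id", ...)` suggests, both of these lookups will 404 on newly uploaded files. Consider threading the owner id through the same way, e.g. `$path = "files/$user_id/" . $file->getRawOriginal('thumbnail');`, or document in a comment why thumbnails and temporary URLs stay un-namespaced. thumbnail_file's body continues outside the hunk.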
@@ -137,7 +137,7 @@ class File extends Model 'ResponseContentDisposition' => 'attachment; filename=' . $file_pretty_name, ]; - return Storage::temporaryUrl('file-manager/' . $this->attributes['basename'], now()->addDay(), $header); + return Storage::temporaryUrl('files/' . $this->attributes['basename'], now()->addDay(), $header); } // Get thumbnail from local storage diff --git a/routes/web.php b/routes/web.php index d9869d23..58c48814 100644 --- a/routes/web.php +++ b/routes/web.php @@ -10,8 +10,7 @@ use App\Http\Controllers\WebhookController; Route::post('/stripe/webhook', [WebhookController::class, 'handleWebhook']); Route::post('/admin-setup', [SetupWizardController::class, 'create_admin_account']); -// App public files -// TODO: testy +// Get avatars and system images Route::get('/avatars/{avatar}', [FileAccessController::class, 'get_avatar'])->name('avatar'); Route::get('/system/{image}', [FileAccessController::class, 'get_system_image']); diff --git a/tests/Feature/FileAccessTest.php b/tests/Feature/FileAccessTest.php index 26c77db1..b5552b5b 100644 --- a/tests/Feature/FileAccessTest.php +++ b/tests/Feature/FileAccessTest.php @@ -2,10 +2,12 @@ namespace Tests\Feature; +use App\Models\File; use App\Models\User; use Illuminate\Foundation\Testing\DatabaseMigrations; use App\Services\SetupService; use Illuminate\Http\UploadedFile; +use Illuminate\Support\Str; use Laravel\Sanctum\Sanctum; use Storage; use Tests\TestCase; 
@@ -59,4 +61,87 @@ class FileAccessTest extends TestCase Storage::assertExists('system/fake-logo.jpg'); } + + /** + * @test + */ + public function it_get_private_user_file() + { + Storage::fake('local'); + + $this->setup->create_directories(); + + $file = UploadedFile::fake() + ->create(Str::random() . '-fake-file.pdf', 1200, 'application/pdf'); + + $user = User::factory(User::class) + ->create(); + + Sanctum::actingAs($user); + + $this->postJson('/api/upload', [ + 'file' => $file, + 'folder_id' => null, + 'is_last' => true, + ])->assertStatus(201); + + $this->get("file/$file->name") + ->assertOk(); + } + + /** + * @test + */ + public function guest_try_to_get_private_user_file() + { + Storage::fake('local'); + + $this->setup->create_directories(); + + $user = User::factory(User::class) + ->create(); + + $file = UploadedFile::fake() + ->create(Str::random() . '-fake-file.pdf', 1200, 'application/pdf'); + + Storage::putFileAs("files/$user->id", $file, $file->name); + + File::factory(File::class) + ->create([ + 'basename' => $file->name, + 'name' => 'fake-file.pdf', + ]); + + $this->get("file/$file->name") + ->assertStatus(302); + } + + /** + * @test + */ + public function logged_user_try_to_get_another_private_user_file() + { + Storage::fake('local'); + + $this->setup->create_directories(); + + $user = User::factory(User::class) + ->create(); + + $file = UploadedFile::fake() + ->create(Str::random() . '-fake-file.pdf', 1200, 'application/pdf'); + + Storage::putFileAs("files/$user->id", $file, $file->name); + + File::factory(File::class) + ->create([ + 'basename' => $file->name, + 'name' => 'fake-file.pdf', + ]); + + Sanctum::actingAs($user); + + $this->get("file/$file->name") + ->assertNotFound(); + } }
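Review bot: logged_user_try_to_get_another_private_user_file never creates a second user or sets `user_id` on the File record, so whether the record belongs to "another" user depends entirely on the factory's default for `user_id`; make the ownership explicit with `$owner = User::factory()->create();` and `'user_id' => $owner->id` in the `File::factory(...)->create([...])` array (the same applies to guest_try_to_get_private_user_file). `assertStatus(302)` in the guest test only proves that some redirect happened; if the login route is named, `assertRedirect(route('login'))` pins where an unauthenticated request ends up. Note also that the controller looks the record up through `UserFile` while the tests seed `File`, which is fine if both map to the same table but deserves a one-line comment in the test so the coupling is visible.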