From fadd9514f6e71590aba781a7035e1de4150137b0 Mon Sep 17 00:00:00 2001 From: Joram Wilander Date: Wed, 4 Oct 2017 11:42:38 -0400 Subject: PLT-7718 Patch for files (#7564) * Patch for files * Fix merge * Fix tests * Fix another test --- api/file_test.go | 22 ++++++++++++++++++++-- api4/channel_test.go | 2 +- api4/file_test.go | 9 +++++++++ api4/webhook_test.go | 6 +----- app/authorization.go | 3 +++ app/file.go | 5 ++++- app/file_test.go | 14 ++++++++++++++ 7 files changed, 52 insertions(+), 9 deletions(-) diff --git a/api/file_test.go b/api/file_test.go index 6d6338395..405e3e7d1 100644 --- a/api/file_test.go +++ b/api/file_test.go @@ -24,7 +24,7 @@ import ( ) func TestUploadFile(t *testing.T) { - th := Setup().InitBasic() + th := Setup().InitBasic().InitSystemAdmin() defer th.TearDown() if *utils.Cfg.FileSettings.DriverName == "" { @@ -38,7 +38,9 @@ func TestUploadFile(t *testing.T) { channel := th.BasicChannel var uploadInfo *model.FileInfo - if data, err := readTestFile("test.png"); err != nil { + var data []byte + var err error + if data, err = readTestFile("test.png"); err != nil { t.Fatal(err) } else if resp, err := Client.UploadPostAttachment(data, channel.Id, "test.png"); err != nil { t.Fatal(err) 
@@ -103,6 +105,22 @@ func TestUploadFile(t *testing.T) { t.Fatalf("file preview should've been saved in %v", expectedPreviewPath) } + if _, err := Client.UploadPostAttachment(data, model.NewId(), "test.png"); err == nil || err.StatusCode != http.StatusForbidden { + t.Fatal("should have failed - bad channel id") + } + + if _, err := Client.UploadPostAttachment(data, "../../junk", "test.png"); err == nil || err.StatusCode != http.StatusForbidden { + t.Fatal("should have failed - bad channel id") + } + + if _, err := th.SystemAdminClient.UploadPostAttachment(data, model.NewId(), "test.png"); err == nil || err.StatusCode != http.StatusForbidden { + t.Fatal("should have failed - bad channel id") + } + + if _, err := th.SystemAdminClient.UploadPostAttachment(data, "../../junk", "test.png"); err == nil || err.StatusCode != http.StatusForbidden { + t.Fatal("should have failed - bad channel id") + } + enableFileAttachments := *utils.Cfg.FileSettings.EnableFileAttachments defer func() { *utils.Cfg.FileSettings.EnableFileAttachments = enableFileAttachments diff --git a/api4/channel_test.go b/api4/channel_test.go index cda3b5ced..44f3a4ad7 100644 --- a/api4/channel_test.go +++ b/api4/channel_test.go @@ -1475,7 +1475,7 @@ func TestGetChannelUnread(t *testing.T) { CheckNoError(t, resp) _, resp = th.SystemAdminClient.GetChannelUnread(model.NewId(), user.Id) - CheckNotFoundStatus(t, resp) + CheckForbiddenStatus(t, resp) _, resp = th.SystemAdminClient.GetChannelUnread(channel.Id, model.NewId()) CheckNotFoundStatus(t, resp) diff --git a/api4/file_test.go b/api4/file_test.go index 584625f70..615e601dc 100644 --- a/api4/file_test.go +++ b/api4/file_test.go 
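Review bot: In api/file_test.go, the four new negative cases in TestUploadFile all fail with the same message, `should have failed - bad channel id`, so a failure does not say which client or which channel id was accepted. The `../../junk` cases also test something different from the random `model.NewId()` cases, and the message should say so. I would use distinct messages, for example `t.Fatal("should have failed - channel id with path separators (system admin)")` for the last case. The test function starts and ends outside this hunk.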
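Review bot: In api4/channel_test.go, the expectation for a system admin asking about a non-existent channel changes from 404 to 403 with nothing in the test or the commit description explaining why. The hunk in api4/webhook_test.go changes in the same way, from an empty list with no error to 403. This appears to follow from the new not-found branch in SessionHasPermissionToChannel and is visible to API clients. A comment above the assertion would record the intent, for example `// a channel that does not exist is reported as 403: the permission check denies when the channel lookup returns not-found`. TestGetChannelUnread starts and ends outside this hunk.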
@@ -102,6 +102,15 @@ func TestUploadFile(t *testing.T) { _, resp := Client.UploadFile(data, model.NewId(), "test.png") CheckForbiddenStatus(t, resp) + _, resp = Client.UploadFile(data, "../../junk", "test.png") + CheckForbiddenStatus(t, resp) + + _, resp = th.SystemAdminClient.UploadFile(data, model.NewId(), "test.png") + CheckForbiddenStatus(t, resp) + + _, resp = th.SystemAdminClient.UploadFile(data, "../../junk", "test.png") + CheckForbiddenStatus(t, resp) + _, resp = th.SystemAdminClient.UploadFile(data, channel.Id, "test.png") CheckNoError(t, resp) diff --git a/api4/webhook_test.go b/api4/webhook_test.go index b09f4411e..f8d33e984 100644 --- a/api4/webhook_test.go +++ b/api4/webhook_test.go @@ -391,11 +391,7 @@ func TestGetOutgoingWebhooks(t *testing.T) { } hooks, resp = th.SystemAdminClient.GetOutgoingWebhooksForChannel(model.NewId(), 0, 1000, "") - CheckNoError(t, resp) - - if len(hooks) != 0 { - t.Fatal("no hooks should be returned") - } + CheckForbiddenStatus(t, resp) _, resp = Client.GetOutgoingWebhooks(0, 1000, "") CheckForbiddenStatus(t, resp) diff --git a/app/authorization.go b/app/authorization.go index ae5c7c3b3..01180e8d8 100644 --- a/app/authorization.go +++ b/app/authorization.go @@ -4,6 +4,7 @@ package app import ( + "net/http" "strings" l4g "github.com/alecthomas/log4go" @@ -50,6 +51,8 @@ func (a *App) SessionHasPermissionToChannel(session model.Session, channelId str channel, err := a.GetChannel(channelId) if err == nil && channel.TeamId != "" { return SessionHasPermissionToTeam(session, channel.TeamId, permission) + } else if err != nil && err.StatusCode == http.StatusNotFound { + return false } return SessionHasPermissionTo(session, permission) diff --git a/app/file.go b/app/file.go index 36a23e3d8..2beb7231a 100644 --- a/app/file.go +++ b/app/file.go 
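Review bot: In app/authorization.go, the new `else if` in SessionHasPermissionToChannel denies only when the channel lookup fails with http.StatusNotFound. Any other error from `a.GetChannel` still falls through to `return SessionHasPermissionTo(session, permission)`, so a role-wide grant decides access to a channel that was never resolved. Failing closed on every lookup error is safer: `} else if err != nil {` followed by `return false`, which keeps the fall-through only for `err == nil` with an empty `channel.TeamId`. Whether GetChannel can return a non-404 error for a malformed id is not visible here and should be confirmed. The function starts above this hunk, so anything it checks before the lookup is outside this view.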
@@ -291,8 +291,11 @@ func (a *App) UploadFiles(teamId string, channelId string, userId string, fileHe return resStruct, nil } -func (a *App) DoUploadFile(now time.Time, teamId string, channelId string, userId string, rawFilename string, data []byte) (*model.FileInfo, *model.AppError) { +func (a *App) DoUploadFile(now time.Time, rawTeamId string, rawChannelId string, rawUserId string, rawFilename string, data []byte) (*model.FileInfo, *model.AppError) { filename := filepath.Base(rawFilename) + teamId := filepath.Base(rawTeamId) + channelId := filepath.Base(rawChannelId) + userId := filepath.Base(rawUserId) info, err := model.GetInfoForBytes(filename, data) if err != nil { diff --git a/app/file_test.go b/app/file_test.go index 62511ceea..f3141fa18 100644 --- a/app/file_test.go +++ b/app/file_test.go @@ -85,4 +85,18 @@ func TestDoUploadFile(t *testing.T) { if info3.Path != fmt.Sprintf("20080305/teams/%v/channels/%v/users/%v/%v/%v", teamId, channelId, userId, info3.Id, filename) { t.Fatal("stored file at incorrect path", info3.Path) } + + info4, err := th.App.DoUploadFile(time.Date(2009, 3, 5, 1, 2, 3, 4, time.Local), "../../"+teamId, "../../"+channelId, "../../"+userId, "../../"+filename, data) + if err != nil { + t.Fatal(err) + } else { + defer func() { + <-th.App.Srv.Store.FileInfo().PermanentDelete(info3.Id) + utils.RemoveFile(info3.Path) + }() + } + + if info4.Path != fmt.Sprintf("20090305/teams/%v/channels/%v/users/%v/%v/%v", teamId, channelId, userId, info4.Id, filename) { + t.Fatal("stored file at incorrect path", info4.Path) + } } -- cgit v1.2.3-1-g7c22
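Review bot: In app/file.go, applying `filepath.Base` to rawTeamId, rawChannelId and rawUserId in DoUploadFile does not guarantee a safe path component, because it returns `..` unchanged and turns an empty string into `.`. These values appear to become directory names in the stored path (the test in app/file_test.go expects `teams/%v/channels/%v/users/%v`). I would reject the upload when a cleaned value is `.` or `..`, with a guard such as `if channelId == "." || channelId == ".." {` repeated for teamId and userId and returning an AppError, instead of relying on Base alone. A doc comment on DoUploadFile should also state that the caller must already have authorized the channel. The rest of the function body is outside this hunk.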
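Review bot: In app/file_test.go, the deferred cleanup added after the info4 upload in TestDoUploadFile deletes info3 a second time (`PermanentDelete(info3.Id)` and `utils.RemoveFile(info3.Path)`), so the info4 record and stored file are left behind after the test. The two lines should read `<-th.App.Srv.Store.FileInfo().PermanentDelete(info4.Id)` and `utils.RemoveFile(info4.Path)`. The test function starts outside this hunk.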