discourse/spec/controllers/uploads_controller_spec.rb

require 'rails_helper'

describe UploadsController do

  context '.create' do

    it 'requires you to be logged in' do
      post :create, format: :json
      expect(response.status).to eq(403)
    end

    context 'logged in' do

      before { @user = log_in :user }

      let(:logo) do
        Rack::Test::UploadedFile.new(file_from_fixtures("logo.png"))
      end

      let(:fake_jpg) do
        Rack::Test::UploadedFile.new(file_from_fixtures("fake.jpg"))
      end

      let(:text_file) do
        Rack::Test::UploadedFile.new(File.new("#{Rails.root}/LICENSE.txt"))
      end

      it 'expects a type' do
        expect do
          post :create, params: { format: :json, file: logo }
        end.to raise_error(ActionController::ParameterMissing)
      end

      it 'can look up long urls' do
        upload = Fabricate(:upload)
        post :lookup_urls, params: { short_urls: [upload.short_url], format: :json }
        result = JSON.parse(response.body)
        expect(result[0]["url"]).to eq(upload.url)
      end

      it 'is successful with an image' do
        Jobs.expects(:enqueue).with(:create_avatar_thumbnails, anything)

        post :create, params: { file: logo, type: "avatar", format: :json }

        expect(response.status).to eq 200
        expect(JSON.parse(response.body)["id"]).to be
      end

      it 'is successful with an attachment' do
        SiteSetting.authorized_extensions = "*"

        Jobs.expects(:enqueue).never

        post :create, params: { file: text_file, type: "composer", format: :json }

        expect(response.status).to eq 200
        id = JSON.parse(response.body)["id"]
        expect(id).to be
      end

      it 'is successful with api' do
        SiteSetting.authorized_extensions = "*"
        controller.stubs(:is_api?).returns(true)

        FinalDestination.stubs(:lookup_ip).returns("1.2.3.4")

        Jobs.expects(:enqueue).with(:create_avatar_thumbnails, anything)

        url = "http://example.com/image.png"
        png = File.read(Rails.root + "spec/fixtures/images/logo.png")

        stub_request(:get, url).to_return(status: 200, body: png)

        post :create, params: { url: url, type: "avatar", format: :json }

        json = ::JSON.parse(response.body)

        expect(response.status).to eq 200
        expect(json["id"]).to be
        expect(json["short_url"]).to eq("upload://qUm0DGR49PAZshIi7HxMd3cAlzn.png")
      end

      it 'correctly sets retain_hours for admins' do
        log_in :admin
        Jobs.expects(:enqueue).with(:create_avatar_thumbnails, anything).never

        post :create, params: {
          file: logo,
          retain_hours: 100,
          type: "profile_background",
          format: :json
        }

        id = JSON.parse(response.body)["id"]
        expect(Upload.find(id).retain_hours).to eq(100)
      end

      it 'requires a file' do
        Jobs.expects(:enqueue).never

        post :create, params: { type: "composer", format: :json }

        message = JSON.parse(response.body)
        expect(response.status).to eq 422
        expect(message["errors"]).to contain_exactly(I18n.t("upload.file_missing"))
      end

      it 'properly returns errors' do
        SiteSetting.max_attachment_size_kb = 1

        Jobs.expects(:enqueue).never

        post :create, params: { file: text_file, type: "avatar", format: :json }

        expect(response.status).to eq 422
        errors = JSON.parse(response.body)["errors"]
        expect(errors).to be
      end

      it 'ensures allow_uploaded_avatars is enabled when uploading an avatar' do
        SiteSetting.allow_uploaded_avatars = false
        post :create, params: { file: logo, type: "avatar", format: :json }
        expect(response).to_not be_success
      end

      it 'ensures sso_overrides_avatar is not enabled when uploading an avatar' do
        SiteSetting.sso_overrides_avatar = true
        post :create, params: { file: logo, type: "avatar", format: :json }
        expect(response).to_not be_success
      end

      it 'allows staff to upload any file in PM' do
        SiteSetting.authorized_extensions = "jpg"
        SiteSetting.allow_staff_to_upload_any_file_in_pm = true
        @user.update_columns(moderator: true)

        post :create, params: {
          file: text_file,
          type: "composer",
          for_private_message: "true",
          format: :json
        }

        expect(response).to be_success
        id = JSON.parse(response.body)["id"]
        expect(id).to be
      end

      it 'respects `authorized_extensions_for_staff` setting when staff upload file' do
        SiteSetting.authorized_extensions = ""
        SiteSetting.authorized_extensions_for_staff = "*"
        @user.update_columns(moderator: true)

        post :create, params: {
          file: text_file,
          type: "composer",
          format: :json
        }

        expect(response).to be_success
        data = JSON.parse(response.body)
        expect(data["id"]).to be
      end

      it 'ignores `authorized_extensions_for_staff` setting when non-staff upload file' do
        SiteSetting.authorized_extensions = ""
        SiteSetting.authorized_extensions_for_staff = "*"

        post :create, params: {
          file: text_file,
          type: "composer",
          format: :json
        }

        data = JSON.parse(response.body)
        expect(data["errors"].first).to eq(I18n.t("upload.unauthorized", authorized_extensions: ''))
      end

      it 'returns an error when it could not determine the dimensions of an image' do
        Jobs.expects(:enqueue).with(:create_avatar_thumbnails, anything).never

        post :create, params: { file: fake_jpg, type: "composer", format: :json }

        expect(response.status).to eq 422
        message = JSON.parse(response.body)["errors"]
        expect(message).to contain_exactly(I18n.t("upload.images.size_not_found"))
      end

    end

  end

  context '.show' do

    let(:site) { "default" }
    let(:sha) { Digest::SHA1.hexdigest("discourse") }

    it "returns 404 when using external storage" do
      store = stub(internal?: false)
      Discourse.stubs(:store).returns(store)
      Upload.expects(:find_by).never

      get :show, params: { site: site, sha: sha, extension: "pdf" }
      expect(response.response_code).to eq(404)
    end

    it "returns 404 when the upload doesn't exist" do
      Upload.stubs(:find_by).returns(nil)

      get :show, params: { site: site, sha: sha, extension: "pdf" }
      expect(response.response_code).to eq(404)
    end

    it 'uses send_file' do
      upload = build(:upload)
      Upload.expects(:find_by).with(sha1: sha).returns(upload)

      controller.stubs(:render)
      controller.expects(:send_file)

      get :show, params: { site: site, sha: sha, extension: "zip" }
    end

    it "handles file without extension" do
      SiteSetting.authorized_extensions = "*"
      Fabricate(:upload, original_filename: "image_file", sha1: sha)
      controller.stubs(:render)
      controller.expects(:send_file)

      get :show, params: { site: site, sha: sha, format: :json }
      expect(response).to be_success
    end

    context "prevent anons from downloading files" do

      before { SiteSetting.prevent_anons_from_downloading_files = true }

      it "returns 404 when an anonymous user tries to download a file" do
        Upload.expects(:find_by).never

        get :show, params: { site: site, sha: sha, extension: "pdf", format: :json }
        expect(response.response_code).to eq(404)
      end

    end

  end

end