Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/spec/models/upload_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

733 lines
25 KiB
Ruby
Raw Normal View History

DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction
2019-04-29 20:27:42 -04:00
# frozen_string_literal: true
Add RSpec 4 compatibility (#17652) * Remove outdated option https://github.com/rspec/rspec-core/commit/04078317ba6577699d06cf4dccf014254dcde7a6 * Use the non-globally exposed RSpec syntax https://github.com/rspec/rspec-core/pull/2803 * Use the non-globally exposed RSpec syntax, cont https://github.com/rspec/rspec-core/pull/2803 * Comply to strict predicate matchers See: - https://github.com/rspec/rspec-expectations/pull/1195 - https://github.com/rspec/rspec-expectations/pull/1196 - https://github.com/rspec/rspec-expectations/pull/1277
2022-07-27 22:27:38 -04:00
RSpec.describe Upload do
FIX: create an upload when FastImage throws an exception FastImage might throw an exception when it isn't able to recognize a file as being an image (ie. happens when users changes the extension manually) Also improved upload specs a lot
2013-07-13 17:42:19 -04:00
let(:upload) { build(:upload) }
let(:user_id) { 1 }
added some tests for uploads
2013-04-07 11:52:46 -04:00
FIX: don't mess with fixtures when running the specs
2014-07-14 11:34:23 -04:00
let(:image_filename) { "logo.png" }
FEATURE: consider SVG as an image when authorized
2014-11-03 13:54:10 -05:00
let(:image) { file_from_fixtures(image_filename) }
FIX: create an upload when FastImage throws an exception FastImage might throw an exception when it isn't able to recognize a file as being an image (ie. happens when users changes the extension manually) Also improved upload specs a lot
2013-07-13 17:42:19 -04:00
FEATURE: consider SVG as an image when authorized
2014-11-03 13:54:10 -05:00
let(:image_svg_filename) { "image.svg" }
let(:image_svg) { file_from_fixtures(image_svg_filename) }
FEATURE: new 'max_image_megapixels' site setting
2017-01-11 17:37:12 -05:00
let(:huge_image_filename) { "huge.jpg" }
let(:huge_image) { file_from_fixtures(huge_image_filename) }
FEATURE: support email attachments
2014-04-14 16:55:57 -04:00
let(:attachment_path) { __FILE__ }
let(:attachment) { File.new(attachment_path) }
add server-side filesize check on uploads
2013-07-23 18:54:18 -04:00
DEV: Improve `script/downsize_uploads.rb` (#13508) * Only shrink images that are used in Posts and no other models * Don't save the upload if the size is the same
2021-06-23 18:09:40 -04:00
describe ".with_no_non_post_relations" do
it "does not find non-post related uploads" do
post_upload = Fabricate(:upload)
post = Fabricate(:post, raw: "<img src='#{post_upload.url}'>")
post.link_post_uploads
badge_upload = Fabricate(:upload)
Fabricate(:badge, image_upload: badge_upload)
avatar_upload = Fabricate(:upload)
Fabricate(:user, uploaded_avatar: avatar_upload)
site_setting_upload = Fabricate(:upload)
SiteSetting.create!(
name: "logo",
data_type: SiteSettings::TypeSupervisor.types[:upload],
value: site_setting_upload.id,
)
upload_ids = Upload.by_users.with_no_non_post_relations.pluck(:id)
expect(upload_ids).to eq([post_upload.id])
end
end
FIX: create an upload when FastImage throws an exception FastImage might throw an exception when it isn't able to recognize a file as being an image (ie. happens when users changes the extension manually) Also improved upload specs a lot
2013-07-13 17:42:19 -04:00
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe ".create_thumbnail!" do
FIX: create an upload when FastImage throws an exception FastImage might throw an exception when it isn't able to recognize a file as being an image (ie. happens when users changes the extension manually) Also improved upload specs a lot
2013-07-13 17:42:19 -04:00
it "does not create a thumbnail when disabled" do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 02:09:14 -04:00
SiteSetting.create_thumbnails = false
enable thumbnailing on S3 - added url to optimized image model - refactored s3_store & local_store
2013-07-31 17:26:34 -04:00
OptimizedImage.expects(:create_for).never
allow users to specify thumbnail size
2013-09-27 04:55:50 -04:00
upload.create_thumbnail!(100, 100)
FIX: create an upload when FastImage throws an exception FastImage might throw an exception when it isn't able to recognize a file as being an image (ie. happens when users changes the extension manually) Also improved upload specs a lot
2013-07-13 17:42:19 -04:00
end
it "creates a thumbnail" do
upload = Fabricate(:upload)
thumbnail = Fabricate(:optimized_image, upload: upload)
SiteSetting.expects(:create_thumbnails?).returns(true)
OptimizedImage.expects(:create_for).returns(thumbnail)
allow users to specify thumbnail size
2013-09-27 04:55:50 -04:00
upload.create_thumbnail!(100, 100)
FIX: create an upload when FastImage throws an exception FastImage might throw an exception when it isn't able to recognize a file as being an image (ie. happens when users changes the extension manually) Also improved upload specs a lot
2013-07-13 17:42:19 -04:00
upload.reload
Update rspec syntax to v3 update rspec syntax to v3 change syntax to rspec v3 oops. fix typo mailers classes with rspec3 syntax helpers with rspec3 syntax jobs with rspec3 syntax serializers with rspec3 syntax views with rspec3 syntax support to rspec3 syntax category spec with rspec3 syntax
2014-12-31 09:55:03 -05:00
expect(upload.optimized_images.count).to eq(1)
FIX: create an upload when FastImage throws an exception FastImage might throw an exception when it isn't able to recognize a file as being an image (ie. happens when users changes the extension manually) Also improved upload specs a lot
2013-07-13 17:42:19 -04:00
end
end
FIX: add support for style element in SVGs
2019-02-07 06:09:06 -05:00
it "supports <style> element in SVG" do
SiteSetting.authorized_extensions = "svg"
upload = UploadCreator.new(image_svg, image_svg_filename).create_for(user_id)
expect(upload.valid?).to eq(true)
path = Discourse.store.path_for(upload)
expect(File.read(path)).to match(/<style>/)
end
FEATURE: correctly store width and height on uploads Previously we used width and height for thumbnails, new code ensures 1. We auto correct width and height 2. We added extra columns for thumbnail_width and height, this is determined by actual upload and no longer passed in as a side effect 3. Optimized Image now stores filesize which can be used for analysis, decisions Also - fixes Android image manifest as a side effect - fixes issue where a thumbnail generated that is smaller than the upload is no longer used
2018-08-27 22:48:43 -04:00
it "can reconstruct dimensions on demand" do
upload = UploadCreator.new(huge_image, "image.png").create_for(user_id)
upload.update_columns(width: nil, height: nil, thumbnail_width: nil, thumbnail_height: nil)
upload = Upload.find(upload.id)
SECURITY: return error on oversized images
2020-09-13 20:10:55 -04:00
expect(upload.width).to eq(8900)
expect(upload.height).to eq(8900)
FEATURE: correctly store width and height on uploads Previously we used width and height for thumbnails, new code ensures 1. We auto correct width and height 2. We added extra columns for thumbnail_width and height, this is determined by actual upload and no longer passed in as a side effect 3. Optimized Image now stores filesize which can be used for analysis, decisions Also - fixes Android image manifest as a side effect - fixes issue where a thumbnail generated that is smaller than the upload is no longer used
2018-08-27 22:48:43 -04:00
PERF: automatic upload size calculation not persisted Previously if upload had missing width and height we would calculate on first use BUT we (me) forgot to save this to the database This was particularly bad on home page cause category images (when old) miss dimensions.
2018-12-26 10:17:08 -05:00
upload.reload
SECURITY: return error on oversized images
2020-09-13 20:10:55 -04:00
expect(upload.read_attribute(:width)).to eq(8900)
PERF: automatic upload size calculation not persisted Previously if upload had missing width and height we would calculate on first use BUT we (me) forgot to save this to the database This was particularly bad on home page cause category images (when old) miss dimensions.
2018-12-26 10:17:08 -05:00
FEATURE: correctly store width and height on uploads Previously we used width and height for thumbnails, new code ensures 1. We auto correct width and height 2. We added extra columns for thumbnail_width and height, this is determined by actual upload and no longer passed in as a side effect 3. Optimized Image now stores filesize which can be used for analysis, decisions Also - fixes Android image manifest as a side effect - fixes issue where a thumbnail generated that is smaller than the upload is no longer used
2018-08-27 22:48:43 -04:00
upload.update_columns(width: nil, height: nil, thumbnail_width: nil, thumbnail_height: nil)
expect(upload.thumbnail_width).to eq(500)
expect(upload.thumbnail_height).to eq(500)
end
FIX: raise exception when getting dimensions of missing image - follow-up on 0eacd45ab15cbd20ed9f444fd447886a7fc6dccb
2018-12-03 10:19:49 -05:00
it "dimension calculation returns nil on missing image" do
upload = UploadCreator.new(huge_image, "image.png").create_for(user_id)
upload.update_columns(width: nil, height: nil, thumbnail_width: nil, thumbnail_height: nil)
missing_url = "wrong_folder#{upload.url}"
upload.update_columns(url: missing_url)
expect(upload.thumbnail_height).to eq(nil)
expect(upload.thumbnail_width).to eq(nil)
end
FIX: spec for oversized images security fix Spec to cover solution presented here - https://github.com/discourse/discourse/commit/333ddd40118bc5324c797d93f369669f6fd8e480
2020-09-14 19:22:57 -04:00
it "returns error when image resolution is to big" do
FIX: improvements after code review
2020-09-14 22:39:46 -04:00
SiteSetting.max_image_megapixels = 10
upload = UploadCreator.new(huge_image, "image.png").create_for(user_id)
expect(upload.persisted?).to eq(false)
expect(upload.errors.messages[:base].first).to eq(
I18n.t("upload.images.larger_than_x_megapixels", max_image_megapixels: 20),
)
FIX: spec for oversized images security fix Spec to cover solution presented here - https://github.com/discourse/discourse/commit/333ddd40118bc5324c797d93f369669f6fd8e480
2020-09-14 19:22:57 -04:00
end
Fix backend code for searching by a filetype as a combination of uploads and topic links. Add rspec test for extracting file extension in upload.
2017-07-04 11:50:08 -04:00
it "extracts file extension" do
created_upload = UploadCreator.new(image, image_filename).create_for(user_id)
expect(created_upload.extension).to eq("png")
end
FIX: empty uploads and blank filenames caused errors during validation
2017-12-13 15:51:09 -05:00
it "should create an invalid upload when the filename is blank" do
SiteSetting.authorized_extensions = "*"
correct specs
2018-08-19 22:41:46 -04:00
created_upload = UploadCreator.new(attachment, nil).create_for(user_id)
FIX: empty uploads and blank filenames caused errors during validation
2017-12-13 15:51:09 -05:00
expect(created_upload.valid?).to eq(false)
end
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe ".extract_url" do
FIX: use new changed method name and remove whitespaces
2019-04-08 16:55:26 -04:00
let(:url) { "https://example.com/uploads/default/original/1X/d1c2d40ab994e8410c.png" }
it "should return the right part of url" do
expect(Upload.extract_url(url).to_s).to eq("/original/1X/d1c2d40ab994e8410c.png")
end
end
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe ".get_from_url" do
PERF: Add fast path to find uploads before resorting to `LIKE` query. For a normal upload url Before ``` Warming up -------------------------------------- 264.000 i/100ms Calculating ------------------------------------- 2.754k (± 8.4%) i/s - 13.728k in 5.022066s ``` After ``` Warming up -------------------------------------- 341.000 i/100ms Calculating ------------------------------------- 3.435k (±11.6%) i/s - 17.050k in 5.045676s ```
2018-09-06 02:29:45 -04:00
let(:sha1) { "10f73034616a796dfd70177dc54b6def44c4ba6f" }
DEV: Test against real `Upload#url` format.
2018-09-14 01:42:59 -04:00
let(:upload) { Fabricate(:upload, sha1: sha1) }
FIX: create an upload when FastImage throws an exception FastImage might throw an exception when it isn't able to recognize a file as being an image (ie. happens when users changes the extension manually) Also improved upload specs a lot
2013-07-13 17:42:19 -04:00
FIX: thumbnailing wasn't working with CDN enabled
2013-07-21 18:37:23 -04:00
it "works when the file has been uploaded" do
FIX: Videos and audio files were not associated to the post.
2016-10-18 03:58:45 -04:00
expect(Upload.get_from_url(upload.url)).to eq(upload)
FIX: thumbnailing wasn't working with CDN enabled
2013-07-21 18:37:23 -04:00
end
Add extra protection in `Upload#get_from_url`. In case the extension goes missing from the URL.
2018-09-12 03:12:14 -04:00
describe "for an extensionless url" do
DEV: Test against real `Upload#url` format.
2018-09-14 01:42:59 -04:00
before do
upload.update!(url: upload.url.sub(".png", ""))
upload.reload
end
Add extra protection in `Upload#get_from_url`. In case the extension goes missing from the URL.
2018-09-12 03:12:14 -04:00
it "should return the right upload" do
expect(Upload.get_from_url(upload.url)).to eq(upload)
end
end
FIX: Old `Upload#url` scheme support for `Upload.get_from_url`. This is for backwards compatibility purposes. Even if `Upload#url` has a format that we don't recognize, we should still return the upload object as long as the upload record is present.
2019-04-23 22:15:47 -04:00
it "should return the right upload as long as the upload's URL matches" do
upload.update!(url: "/uploads/default/12345/971308e535305c51.png")
expect(Upload.get_from_url(upload.url)).to eq(upload)
DEV: Improve `Upload.get_from_url` test case. Follow up to a8baa6d9e711cd962f9a99232f3df76c7657397c.
2019-04-23 22:20:42 -04:00
expect(Upload.get_from_url("/uploads/default/123131/971308e535305c51.png")).to eq(nil)
FIX: Old `Upload#url` scheme support for `Upload.get_from_url`. This is for backwards compatibility purposes. Even if `Upload#url` has a format that we don't recognize, we should still return the upload object as long as the upload record is present.
2019-04-23 22:15:47 -04:00
end
DEV: Test against real `Upload#url` format.
2018-09-14 01:42:59 -04:00
describe "for a url a tree" do
before do
upload.update!(
url:
Discourse.store.get_path_for("original", 16_001, upload.sha1, ".#{upload.extension}"),
)
end
FIX: Uploads not being linked correctly to posts. Regression due to https://github.com/discourse/discourse/commit/1f636c445bcbc66b1765bcc3966887adcb14bdbf.
2018-09-12 02:48:25 -04:00
it "should return the right upload" do
expect(Upload.get_from_url(upload.url)).to eq(upload)
end
end
FIX: thumbnailing wasn't working with CDN enabled
2013-07-21 18:37:23 -04:00
it "works when using a cdn" do
Remove stubs from tests.
2016-10-18 01:39:16 -04:00
begin
original_asset_host = Rails.configuration.action_controller.asset_host
Rails.configuration.action_controller.asset_host = "http://my.cdn.com"
FIX: Videos and audio files were not associated to the post.
2016-10-18 03:58:45 -04:00
expect(Upload.get_from_url(URI.join("http://my.cdn.com", upload.url).to_s)).to eq(upload)
Remove stubs from tests.
2016-10-18 01:39:16 -04:00
ensure
Rails.configuration.action_controller.asset_host = original_asset_host
end
FIX: thumbnailing wasn't working with CDN enabled
2013-07-21 18:37:23 -04:00
end
FIX: Videos and audio files were not associated to the post.
2016-10-18 03:58:45 -04:00
it "should return the right upload when using the full URL" do
expect(
Upload.get_from_url(URI.join("http://discourse.some.com:3000/", upload.url).to_s),
).to eq(upload)
end
FIX: don't :boom: with an invalid URI
2016-10-20 06:34:42 -04:00
it "doesn't blow up with an invalid URI" do
expect { Upload.get_from_url("http://ip:port/index.html") }.not_to raise_error
FIX: handle encoded mailto links when looking for upload record
2018-05-17 03:13:30 -04:00
expect { Upload.get_from_url("mailto:admin%40example.com") }.not_to raise_error
FIX: handle invalid mailto links
2018-05-18 08:31:36 -04:00
expect { Upload.get_from_url("mailto:example") }.not_to raise_error
FIX: don't :boom: with an invalid URI
2016-10-20 06:34:42 -04:00
end
FIX: Videos and audio files were not associated to the post.
2016-10-18 03:58:45 -04:00
describe "s3 store" do
DEV: Test against real `Upload#url` format.
2018-09-14 01:42:59 -04:00
let(:upload) { Fabricate(:upload_s3) }
let(:path) { upload.url.sub(SiteSetting.Upload.s3_base_url, "") }
FIX: Videos and audio files were not associated to the post.
2016-10-18 03:58:45 -04:00
DEV: Clean up S3 specs, stubs, and helpers Extracted commonly used spec helpers into spec/support/uploads_helpers.rb, removed unused stubs and let definitions. Makes it easier to write new S3-related specs without copy and pasting setup steps from other specs.
2020-09-14 07:32:25 -04:00
before { setup_s3 }
FIX: Videos and audio files were not associated to the post.
2016-10-18 03:58:45 -04:00
FEATURE: allow for local theme js assets (#16374) Due to default CSP web workers instantiated from CDN based assets are still treated as "same-origin" meaning that we had no way of safely instansiating a web worker from a theme. This limits the theme system and adds the arbitrary restriction that WASM based components can not be safely used. To resolve this limitation all js assets in about.json are also cached on local domain. { "name": "Header Icons", "assets" : { "worker" : "assets/worker.js" } } This can then be referenced in JS via: settings.theme_uploads_local.worker local_js_assets are unconditionally served from the site directly and bypass the entire CDN, using the pre-existing JavascriptCache Previous to this change this code was completely dormant on sites which used s3 based uploads, this reuses the very well tested and cached asset system on s3 based sites. Note, when creating local_js_assets it is highly recommended to keep the assets lean and keep all the heavy working in CDN based assets. For example wasm files can still live on the CDN but the lean worker that loads it can live on local. This change unlocks wasm in theme components, so wasm is now also allowed in `theme_authorized_extensions` * more usages of upload.content * add a specific test for upload.content * Adjust logic to ensure that after upgrades we still get a cached local js on save
2022-04-06 17:58:10 -04:00
it "can download an s3 upload" do
stub_request(:get, upload.url).to_return(status: 200, body: "hello", headers: {})
expect(upload.content).to eq("hello")
end
fix get from url for external uploads without CDN
2018-06-05 09:19:06 -04:00
it "should return the right upload when using base url (not CDN) for s3" do
upload
DEV: Test against real `Upload#url` format.
2018-09-14 01:42:59 -04:00
expect(Upload.get_from_url(upload.url)).to eq(upload)
fix get from url for external uploads without CDN
2018-06-05 09:19:06 -04:00
end
FIX: `Upload.get_from_url` not respective subfolder in s3 bucket names.
2018-07-05 23:36:29 -04:00
describe "when using a cdn" do
let(:s3_cdn_url) { "https://mycdn.slowly.net" }
before { SiteSetting.s3_cdn_url = s3_cdn_url }
FIX: Videos and audio files were not associated to the post.
2016-10-18 03:58:45 -04:00
FIX: `Upload.get_from_url` not respective subfolder in s3 bucket names.
2018-07-05 23:36:29 -04:00
it "should return the right upload" do
upload
expect(Upload.get_from_url(URI.join(s3_cdn_url, path).to_s)).to eq(upload)
end
describe "when upload bucket contains subfolder" do
before { SiteSetting.s3_upload_bucket = "s3-upload-bucket/path/path2" }
it "should return the right upload" do
upload
expect(Upload.get_from_url(URI.join(s3_cdn_url, path).to_s)).to eq(upload)
end
end
FIX: Videos and audio files were not associated to the post.
2016-10-18 03:58:45 -04:00
end
FIX: Allow shared CDN for s3 and assets
2018-01-11 22:08:15 -05:00
it "should return the right upload when using one CDN for both s3 and assets" do
begin
original_asset_host = Rails.configuration.action_controller.asset_host
cdn_url = "http://my.cdn.com"
Rails.configuration.action_controller.asset_host = cdn_url
SiteSetting.s3_cdn_url = cdn_url
upload
expect(Upload.get_from_url(URI.join(cdn_url, path).to_s)).to eq(upload)
ensure
Rails.configuration.action_controller.asset_host = original_asset_host
end
end
FIX: Videos and audio files were not associated to the post.
2016-10-18 03:58:45 -04:00
end
FIX: create an upload when FastImage throws an exception FastImage might throw an exception when it isn't able to recognize a file as being an image (ie. happens when users changes the extension manually) Also improved upload specs a lot
2013-07-13 17:42:19 -04:00
end
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe ".get_from_urls" do
DEV: Make site setting type uploaded_image_list use upload IDs (#10401) It used to be a list of concatenated upload URLs which was prone to break.
2020-10-13 09:17:06 -04:00
let(:upload) { Fabricate(:upload, sha1: "10f73034616a796dfd70177dc54b6def44c4ba6f") }
let(:upload2) { Fabricate(:upload, sha1: "2a7081e615f9075befd87a9a6d273935c0262cd5") }
it "works with multiple uploads" do
expect(Upload.get_from_urls([upload.url, upload2.url])).to contain_exactly(upload, upload2)
end
it "works for an extensionless URL" do
url = upload.url.sub(".png", "")
upload.update!(url: url)
expect(Upload.get_from_urls([url])).to contain_exactly(upload)
end
it "works with uploads with mismatched URLs" do
upload.update!(url: "/uploads/default/12345/971308e535305c51.png")
expect(Upload.get_from_urls([upload.url])).to contain_exactly(upload)
expect(Upload.get_from_urls(["/uploads/default/123131/971308e535305c51.png"])).to be_empty
end
it "works with an upload with a URL containing a deep tree" do
upload.update!(
url: Discourse.store.get_path_for("original", 16_001, upload.sha1, ".#{upload.extension}"),
)
expect(Upload.get_from_urls([upload.url])).to contain_exactly(upload)
end
it "works when using a CDN" do
begin
original_asset_host = Rails.configuration.action_controller.asset_host
Rails.configuration.action_controller.asset_host = "http://my.cdn.com"
expect(
Upload.get_from_urls([URI.join("http://my.cdn.com", upload.url).to_s]),
).to contain_exactly(upload)
ensure
Rails.configuration.action_controller.asset_host = original_asset_host
end
end
it "works with full URLs" do
expect(
Upload.get_from_urls([URI.join("http://discourse.some.com:3000/", upload.url).to_s]),
).to contain_exactly(upload)
end
it "handles invalid URIs" do
urls = %w[http://ip:port/index.html mailto:admin%40example.com mailto:example]
expect { Upload.get_from_urls(urls) }.not_to raise_error
end
end
FIX: Make clean up upload script a safer task to run.
2016-09-02 02:50:13 -04:00
describe ".generate_digest" do
it "should return the right digest" do
expect(Upload.generate_digest(image.path)).to eq("bc975735dfc6409c1c2aa5ebf2239949bcbdbd65")
end
end
FEATURE: server side support for upload:// markdown This allows uploads to be specified using short sha1 hash instead of full URL Client side change is pending
2017-08-22 11:46:15 -04:00
describe ".short_url" do
it "should generate a correct short url" do
upload = Upload.new(sha1: "bda2c513e1da04f7b4e99230851ea2aafeb8cc4e", extension: "png")
expect(upload.short_url).to eq("upload://r3AYqESanERjladb4vBB7VsMBm6.png")
FIX: `Upload#short_url` generates incorrect URL when extension is `nil`.
2019-06-18 21:10:50 -04:00
upload.extension = nil
expect(upload.short_url).to eq("upload://r3AYqESanERjladb4vBB7VsMBm6")
FEATURE: server side support for upload:// markdown This allows uploads to be specified using short sha1 hash instead of full URL Client side change is pending
2017-08-22 11:46:15 -04:00
end
end
describe ".sha1_from_short_url" do
it "should be able to look up sha1" do
sha1 = "bda2c513e1da04f7b4e99230851ea2aafeb8cc4e"
expect(Upload.sha1_from_short_url("upload://r3AYqESanERjladb4vBB7VsMBm6.png")).to eq(sha1)
expect(Upload.sha1_from_short_url("upload://r3AYqESanERjladb4vBB7VsMBm6")).to eq(sha1)
expect(Upload.sha1_from_short_url("r3AYqESanERjladb4vBB7VsMBm6")).to eq(sha1)
end
Correct short url decoding for sha1s leading with zero This was picked up cause we had a flaky test!
2017-08-23 11:08:18 -04:00
it "should be able to look up sha1 even with leading zeros" do
sha1 = "0000c513e1da04f7b4e99230851ea2aafeb8cc4e"
expect(Upload.sha1_from_short_url("upload://1Eg9p8rrCURq4T3a6iJUk0ri6.png")).to eq(sha1)
end
FEATURE: server side support for upload:// markdown This allows uploads to be specified using short sha1 hash instead of full URL Client side change is pending
2017-08-22 11:46:15 -04:00
end
DEV: Fix broken `Upload#base62_sha1`.
2019-06-04 02:10:46 -04:00
describe "#base62_sha1" do
it "should return the right value" do
upload.update!(sha1: "0000c513e1da04f7b4e99230851ea2aafeb8cc4e")
expect(upload.base62_sha1).to eq("1Eg9p8rrCURq4T3a6iJUk0ri6")
end
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-28 21:00:25 -04:00
describe ".sha1_from_short_path" do
it "should be able to lookup sha1" do
path = "/uploads/short-url/3UjQ4jHoyeoQndk5y3qHzm3QVTQ.png"
sha1 = "1b6453892473a467d07372d45eb05abc2031647a"
expect(Upload.sha1_from_short_path(path)).to eq(sha1)
expect(Upload.sha1_from_short_path(path.sub(".png", ""))).to eq(sha1)
end
end
FEATURE: Upload Site Settings. (#6573)
2018-11-14 02:03:02 -05:00
describe "#to_s" do
it "should return the right value" do
expect(upload.to_s).to eq(upload.url)
end
end
FIX: `Upload#migrate_to_new_scheme` should not migrate system uploads.
2019-03-14 00:38:16 -04:00
describe ".migrate_to_new_scheme" do
it "should not migrate system uploads" do
SiteSetting.migrate_to_new_scheme = true
expect { Upload.migrate_to_new_scheme }.to_not change { Upload.pluck(:url) }
end
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
describe ".update_secure_status" do
DEV: Add security_last_changed_at and security_last_changed_reason to uploads (#11860) This PR adds security_last_changed_at and security_last_changed_reason to uploads. This has been done to make it easier to track down why an upload's secure column has changed and when. This necessitated a refactor of the UploadSecurity class to provide reasons why the upload security would have changed. As well as this, a source is now provided from the location which called for the upload's security status to be updated as they are several (e.g. post creator, topic security updater, rake tasks, manual change).
2021-01-28 18:03:44 -05:00
it "respects the override parameter if provided" do
FIX: Mark secure media upload insecure automatically if used for theme component (#8413) When uploading a file to a theme component, and that file is existing and has already been marked as secure, we now automatically mark the file as secure: false, change the ACL, and log the action as the user (also rebake the posts for the upload)
2019-11-27 16:32:17 -05:00
upload.update!(secure: true)
DEV: Add security_last_changed_at and security_last_changed_reason to uploads (#11860) This PR adds security_last_changed_at and security_last_changed_reason to uploads. This has been done to make it easier to track down why an upload's secure column has changed and when. This necessitated a refactor of the UploadSecurity class to provide reasons why the upload security would have changed. As well as this, a source is now provided from the location which called for the upload's security status to be updated as they are several (e.g. post creator, topic security updater, rake tasks, manual change).
2021-01-28 18:03:44 -05:00
upload.update_secure_status(override: true)
FIX: Mark secure media upload insecure automatically if used for theme component (#8413) When uploading a file to a theme component, and that file is existing and has already been marked as secure, we now automatically mark the file as secure: false, change the ACL, and log the action as the user (also rebake the posts for the upload)
2019-11-27 16:32:17 -05:00
expect(upload.secure).to eq(true)
DEV: Add security_last_changed_at and security_last_changed_reason to uploads (#11860) This PR adds security_last_changed_at and security_last_changed_reason to uploads. This has been done to make it easier to track down why an upload's secure column has changed and when. This necessitated a refactor of the UploadSecurity class to provide reasons why the upload security would have changed. As well as this, a source is now provided from the location which called for the upload's security status to be updated as they are several (e.g. post creator, topic security updater, rake tasks, manual change).
2021-01-28 18:03:44 -05:00
upload.update_secure_status(override: false)
FIX: Mark secure media upload insecure automatically if used for theme component (#8413) When uploading a file to a theme component, and that file is existing and has already been marked as secure, we now automatically mark the file as secure: false, change the ACL, and log the action as the user (also rebake the posts for the upload)
2019-11-27 16:32:17 -05:00
expect(upload.secure).to eq(false)
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
it "marks a local upload as not secure with default settings" do
upload.update!(secure: true)
expect { upload.update_secure_status }.to change { upload.secure }
expect(upload.secure).to eq(false)
end
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "with local attachment" do
FEATURE: Use path from existing URL of uploads and optimized images (#13177) Discourse shouldn't dynamically calculate the path of uploads and optimized images after a file has been stored on disk or S3. Otherwise it might calculate the wrong path if the SHA1 or extension stored in the database doesn't match the actual file path.
2021-05-27 11:42:25 -04:00
before { SiteSetting.authorized_extensions = "pdf" }
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
FEATURE: Use path from existing URL of uploads and optimized images (#13177) Discourse shouldn't dynamically calculate the path of uploads and optimized images after a file has been stored on disk or S3. Otherwise it might calculate the wrong path if the SHA1 or extension stored in the database doesn't match the actual file path.
2021-05-27 11:42:25 -04:00
let(:upload) do
Fabricate(:upload, original_filename: "small.pdf", extension: "pdf", secure: true)
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
it "marks a local attachment as secure if secure uploads enabled" do
FEATURE: Use path from existing URL of uploads and optimized images (#13177) Discourse shouldn't dynamically calculate the path of uploads and optimized images after a file has been stored on disk or S3. Otherwise it might calculate the wrong path if the SHA1 or extension stored in the database doesn't match the actual file path.
2021-05-27 11:42:25 -04:00
upload.update!(secure: false, access_control_post: Fabricate(:private_message_post))
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
enable_secure_uploads
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
FEATURE: Use path from existing URL of uploads and optimized images (#13177) Discourse shouldn't dynamically calculate the path of uploads and optimized images after a file has been stored on disk or S3. Otherwise it might calculate the wrong path if the SHA1 or extension stored in the database doesn't match the actual file path.
2021-05-27 11:42:25 -04:00
expect { upload.update_secure_status }.to change { upload.secure }
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
FEATURE: Use path from existing URL of uploads and optimized images (#13177) Discourse shouldn't dynamically calculate the path of uploads and optimized images after a file has been stored on disk or S3. Otherwise it might calculate the wrong path if the SHA1 or extension stored in the database doesn't match the actual file path.
2021-05-27 11:42:25 -04:00
expect(upload.secure).to eq(true)
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
it "marks a local attachment as not secure if secure uploads enabled" do
FEATURE: Use path from existing URL of uploads and optimized images (#13177) Discourse shouldn't dynamically calculate the path of uploads and optimized images after a file has been stored on disk or S3. Otherwise it might calculate the wrong path if the SHA1 or extension stored in the database doesn't match the actual file path.
2021-05-27 11:42:25 -04:00
expect { upload.update_secure_status }.to change { upload.secure }
expect(upload.secure).to eq(false)
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
end
FIX: Change secure media to encompass attachments as well (#9271) If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-25 17:16:02 -04:00
it "does not change secure status of a non-attachment when prevent_anons_from_downloading_files is enabled by itself" do
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
SiteSetting.prevent_anons_from_downloading_files = true
SiteSetting.authorized_extensions = "mp4"
upload.update!(original_filename: "small.mp4", extension: "mp4")
expect { upload.update_secure_status }.not_to change { upload.secure }
expect(upload.secure).to eq(false)
end
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
context "with secure uploads enabled" do
before { enable_secure_uploads }
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
it "does not mark an image upload as not secure when there is no access control post id, to avoid unintentional exposure" do
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
upload.update!(secure: true)
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-15 22:50:27 -05:00
upload.update_secure_status
expect(upload.secure).to eq(true)
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
it "marks the upload as not secure if its access control post is a public post" do
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-15 22:50:27 -05:00
upload.update!(secure: true, access_control_post: Fabricate(:post))
upload.update_secure_status
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
expect(upload.secure).to eq(false)
end
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
it "leaves the upload as secure if its access control post is a PM post" do
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-15 22:50:27 -05:00
upload.update!(secure: true, access_control_post: Fabricate(:private_message_post))
upload.update_secure_status
expect(upload.secure).to eq(true)
end
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
it "marks an image upload as secure if login_required is enabled" do
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
SiteSetting.login_required = true
upload.update!(secure: false)
expect { upload.update_secure_status }.to change { upload.secure }
FIX: Never allow custom emoji to be marked secure (#8965) * Because custom emoji count as post "uploads" we were marking them as secure when updating the secure status for post uploads. * We were also giving them an access control post id, which meant broken image previews from 403 errors in the admin custom emoji list. * We now check if an upload is used as a custom emoji and do not assign the access control post + never mark as secure.
2020-02-13 20:17:09 -05:00
expect(upload.reload.secure).to eq(true)
end
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
it "does not mark an upload used for a custom emoji as secure" do
FIX: Never allow custom emoji to be marked secure (#8965) * Because custom emoji count as post "uploads" we were marking them as secure when updating the secure status for post uploads. * We were also giving them an access control post id, which meant broken image previews from 403 errors in the admin custom emoji list. * We now check if an upload is used as a custom emoji and do not assign the access control post + never mark as secure.
2020-02-13 20:17:09 -05:00
SiteSetting.login_required = true
upload.update!(secure: false)
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
CustomEmoji.create(name: "meme", upload: upload)
Try fix upload_spec flakys and remove logging from tasks/uploads_spec
2020-02-18 00:08:58 -05:00
upload.update_secure_status
FIX: Never allow custom emoji to be marked secure (#8965) * Because custom emoji count as post "uploads" we were marking them as secure when updating the secure status for post uploads. * We were also giving them an access control post id, which meant broken image previews from 403 errors in the admin custom emoji list. * We now check if an upload is used as a custom emoji and do not assign the access control post + never mark as secure.
2020-02-13 20:17:09 -05:00
expect(upload.reload.secure).to eq(false)
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
end
FIX: Never mark uploads based on regular emoji secure (#8973) Sometimes PullHotlinkedImages pulls down a site emoji and creates a new upload record for it. In the cases where these happen the upload is not created via the normal path that custom emoji follows, so we need to check in UploadSecurity whether the origin of the upload is based on a regular site emoji. If it is we never want to mark it as secure (we don't want emoji not accessible from other posts because of secure media). This only became apparent because the uploads:ensure_correct_acl rake task uses UploadSecurity to check whether an upload should be secure, which would have marked a whole bunch of regular-old-emojis as secure.
2020-02-16 21:30:47 -05:00
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
it "does not mark an upload whose origin matches a regular emoji as secure (sometimes emojis are downloaded in pull_hotlinked_images)" do
FIX: Never mark uploads based on regular emoji secure (#8973) Sometimes PullHotlinkedImages pulls down a site emoji and creates a new upload record for it. In the cases where these happen the upload is not created via the normal path that custom emoji follows, so we need to check in UploadSecurity whether the origin of the upload is based on a regular site emoji. If it is we never want to mark it as secure (we don't want emoji not accessible from other posts because of secure media). This only became apparent because the uploads:ensure_correct_acl rake task uses UploadSecurity to check whether an upload should be secure, which would have marked a whole bunch of regular-old-emojis as secure.
2020-02-16 21:30:47 -05:00
SiteSetting.login_required = true
FIX: manually adds frowning_face_with_open_mouth for apple (#13528)
2021-07-21 17:27:20 -04:00
falafel =
Emoji.all.find do |e|
e.url == "/images/emoji/twitter/falafel.png?v=#{Emoji::EMOJI_VERSION}"
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
end
Try fix upload_spec flakys and remove logging from tasks/uploads_spec
2020-02-18 00:08:58 -05:00
upload.update!(secure: false, origin: "http://localhost:3000#{falafel.url}")
upload.update_secure_status
FIX: Tweak upload security emoji check (#8981) Further on from my earlier PR #8973 also reject upload as secure if its origin URL contains images/emoji. We still check Emoji.all first to try and be canonical. This may be a little heavy handed (e.g. if an external URL followed this same path it would be a false positive), but there are a lot of emoji aliases where the actual Emoji url is something, but you can have another image that should not be secure that that thing is an alias for. For example slight_smile.png does not show up in Emoji.all BUT slightly_smiling_face does, and it aliases slight_smile e.g. /images/emoji/twitter/slight_smile.png?v=9 and /images/emoji/twitter/slightly_smiling_face.png?v=9 are equivalent.
2020-02-17 00:11:15 -05:00
expect(upload.reload.secure).to eq(false)
end
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
it "does not mark any upload with origin containing images/emoji in the URL" do
FIX: Tweak upload security emoji check (#8981) Further on from my earlier PR #8973 also reject upload as secure if its origin URL contains images/emoji. We still check Emoji.all first to try and be canonical. This may be a little heavy handed (e.g. if an external URL followed this same path it would be a false positive), but there are a lot of emoji aliases where the actual Emoji url is something, but you can have another image that should not be secure that that thing is an alias for. For example slight_smile.png does not show up in Emoji.all BUT slightly_smiling_face does, and it aliases slight_smile e.g. /images/emoji/twitter/slight_smile.png?v=9 and /images/emoji/twitter/slightly_smiling_face.png?v=9 are equivalent.
2020-02-17 00:11:15 -05:00
SiteSetting.login_required = true
upload.update!(secure: false, origin: "http://localhost:3000/images/emoji/test.png")
Try fix upload_spec flakys and remove logging from tasks/uploads_spec
2020-02-18 00:08:58 -05:00
upload.update_secure_status
FIX: Tweak upload security emoji check (#8981) Further on from my earlier PR #8973 also reject upload as secure if its origin URL contains images/emoji. We still check Emoji.all first to try and be canonical. This may be a little heavy handed (e.g. if an external URL followed this same path it would be a false positive), but there are a lot of emoji aliases where the actual Emoji url is something, but you can have another image that should not be secure that that thing is an alias for. For example slight_smile.png does not show up in Emoji.all BUT slightly_smiling_face does, and it aliases slight_smile e.g. /images/emoji/twitter/slight_smile.png?v=9 and /images/emoji/twitter/slightly_smiling_face.png?v=9 are equivalent.
2020-02-17 00:11:15 -05:00
expect(upload.reload.secure).to eq(false)
FIX: Never mark uploads based on regular emoji secure (#8973) Sometimes PullHotlinkedImages pulls down a site emoji and creates a new upload record for it. In the cases where these happen the upload is not created via the normal path that custom emoji follows, so we need to check in UploadSecurity whether the origin of the upload is based on a regular site emoji. If it is we never want to mark it as secure (we don't want emoji not accessible from other posts because of secure media). This only became apparent because the uploads:ensure_correct_acl rake task uses UploadSecurity to check whether an upload should be secure, which would have marked a whole bunch of regular-old-emojis as secure.
2020-02-16 21:30:47 -05:00
end
FIX: Handle storage providers not implementing ACLs (#13675) When secure media is enabled or when upload secure status is updated, we also try and update the upload ACL. However if the object storage provider does not implement this we get an Aws::S3::Errors::NotImplemented error. This PR handles this error so the update_secure_status method does not error out and still returns whether the secure status changed.
2021-07-08 21:31:44 -04:00
it "does not throw an error if the object storage provider does not support ACLs" do
FileStore::S3Store
.any_instance
.stubs(:update_upload_ACL)
.raises(
Aws::S3::Errors::NotImplemented.new(
"A header you provided implies functionality that is not implemented",
"",
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
),
FIX: Handle storage providers not implementing ACLs (#13675) When secure media is enabled or when upload secure status is updated, we also try and update the upload ACL. However if the object storage provider does not implement this we get an Aws::S3::Errors::NotImplemented error. This PR handles this error so the update_secure_status method does not error out and still returns whether the secure status changed.
2021-07-08 21:31:44 -04:00
)
upload.update!(secure: true, access_control_post: Fabricate(:private_message_post))
expect { upload.update_secure_status }.not_to raise_error
end
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
it "succeeds even if the extension of the upload is not authorized" do
upload.update!(secure: false, access_control_post: Fabricate(:private_message_post))
SiteSetting.login_required = true
SiteSetting.authorized_extensions = ""
upload.update_secure_status
upload.reload
expect(upload.secure).to eq(true)
end
it "respects the authorized extensions when creating a new upload, no matter its secure status" do
SiteSetting.login_required = true
SiteSetting.authorized_extensions = ""
expect do
upl =
Fabricate(
:upload,
access_control_post: Fabricate(:private_message_post),
security_last_changed_at: Time.zone.now,
security_last_changed_reason: "test",
secure: true,
)
end.to raise_error(ActiveRecord::RecordInvalid)
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-17 20:25:42 -05:00
end
end
FEATURE: Create upload_references table (#16146) This table holds associations between uploads and other models. This can be used to prevent removing uploads that are still in use. * DEV: Create upload_references * DEV: Use UploadReference instead of PostUpload * DEV: Use UploadReference for SiteSetting * DEV: Use UploadReference for Badge * DEV: Use UploadReference for Category * DEV: Use UploadReference for CustomEmoji * DEV: Use UploadReference for Group * DEV: Use UploadReference for ThemeField * DEV: Use UploadReference for ThemeSetting * DEV: Use UploadReference for User * DEV: Use UploadReference for UserAvatar * DEV: Use UploadReference for UserExport * DEV: Use UploadReference for UserProfile * DEV: Add method to extract uploads from raw text * DEV: Use UploadReference for Draft * DEV: Use UploadReference for ReviewableQueuedPost * DEV: Use UploadReference for UserProfile's bio_raw * DEV: Do not copy user uploads to upload references * DEV: Copy post uploads again after deploy * DEV: Use created_at and updated_at from uploads table * FIX: Check if upload site setting is empty * DEV: Copy user uploads to upload references * DEV: Make upload extraction less strict
2022-06-08 19:24:30 -04:00
describe ".extract_upload_ids" do
let(:upload) { Fabricate(:upload) }
FIX: Ensure that extract_upload_ids works with all short URLs (#17070) We do not zero-pad our base62 short URLs, so there is no guarantee that the length is 27. Instead, let's greedily match all consecutive base62 characters and look for a matching upload. This reverts bd3265615712fb60063958e8d87475c845f058bb and 36f5d5eada78ca11f08ad579b6320c0c10292ae1.
2022-06-13 12:01:27 -04:00
it "works with short URLs" do
FEATURE: Create upload_references table (#16146) This table holds associations between uploads and other models. This can be used to prevent removing uploads that are still in use. * DEV: Create upload_references * DEV: Use UploadReference instead of PostUpload * DEV: Use UploadReference for SiteSetting * DEV: Use UploadReference for Badge * DEV: Use UploadReference for Category * DEV: Use UploadReference for CustomEmoji * DEV: Use UploadReference for Group * DEV: Use UploadReference for ThemeField * DEV: Use UploadReference for ThemeSetting * DEV: Use UploadReference for User * DEV: Use UploadReference for UserAvatar * DEV: Use UploadReference for UserExport * DEV: Use UploadReference for UserProfile * DEV: Add method to extract uploads from raw text * DEV: Use UploadReference for Draft * DEV: Use UploadReference for ReviewableQueuedPost * DEV: Use UploadReference for UserProfile's bio_raw * DEV: Do not copy user uploads to upload references * DEV: Copy post uploads again after deploy * DEV: Use created_at and updated_at from uploads table * FIX: Check if upload site setting is empty * DEV: Copy user uploads to upload references * DEV: Make upload extraction less strict
2022-06-08 19:24:30 -04:00
ids = Upload.extract_upload_ids("This URL #{upload.short_url} is an upload")
expect(ids).to contain_exactly(upload.id)
end
it "works with SHA1s" do
ids = Upload.extract_upload_ids("This URL /#{upload.sha1} is an upload")
expect(ids).to contain_exactly(upload.id)
end
FIX: Ensure that extract_upload_ids works with all short URLs (#17070) We do not zero-pad our base62 short URLs, so there is no guarantee that the length is 27. Instead, let's greedily match all consecutive base62 characters and look for a matching upload. This reverts bd3265615712fb60063958e8d87475c845f058bb and 36f5d5eada78ca11f08ad579b6320c0c10292ae1.
2022-06-13 12:01:27 -04:00
it "works with Base62 hashes" do
FEATURE: Create upload_references table (#16146) This table holds associations between uploads and other models. This can be used to prevent removing uploads that are still in use. * DEV: Create upload_references * DEV: Use UploadReference instead of PostUpload * DEV: Use UploadReference for SiteSetting * DEV: Use UploadReference for Badge * DEV: Use UploadReference for Category * DEV: Use UploadReference for CustomEmoji * DEV: Use UploadReference for Group * DEV: Use UploadReference for ThemeField * DEV: Use UploadReference for ThemeSetting * DEV: Use UploadReference for User * DEV: Use UploadReference for UserAvatar * DEV: Use UploadReference for UserExport * DEV: Use UploadReference for UserProfile * DEV: Add method to extract uploads from raw text * DEV: Use UploadReference for Draft * DEV: Use UploadReference for ReviewableQueuedPost * DEV: Use UploadReference for UserProfile's bio_raw * DEV: Do not copy user uploads to upload references * DEV: Copy post uploads again after deploy * DEV: Use created_at and updated_at from uploads table * FIX: Check if upload site setting is empty * DEV: Copy user uploads to upload references * DEV: Make upload extraction less strict
2022-06-08 19:24:30 -04:00
ids = Upload.extract_upload_ids("This URL /#{Upload.base62_sha1(upload.sha1)} is an upload")
expect(ids).to contain_exactly(upload.id)
end
FIX: Ensure that extract_upload_ids works with all short URLs (#17070) We do not zero-pad our base62 short URLs, so there is no guarantee that the length is 27. Instead, let's greedily match all consecutive base62 characters and look for a matching upload. This reverts bd3265615712fb60063958e8d87475c845f058bb and 36f5d5eada78ca11f08ad579b6320c0c10292ae1.
2022-06-13 12:01:27 -04:00
it "works with shorter base62 hashes (when sha1 has leading 0s)" do
upload.update(sha1: "0000c513e1da04f7b4e99230851ea2aafeb8cc4e")
base62 = Upload.base62_sha1(upload.sha1).delete_prefix("0")
ids = Upload.extract_upload_ids("This URL /#{base62} is an upload")
expect(ids).to contain_exactly(upload.id)
end
FEATURE: Create upload_references table (#16146) This table holds associations between uploads and other models. This can be used to prevent removing uploads that are still in use. * DEV: Create upload_references * DEV: Use UploadReference instead of PostUpload * DEV: Use UploadReference for SiteSetting * DEV: Use UploadReference for Badge * DEV: Use UploadReference for Category * DEV: Use UploadReference for CustomEmoji * DEV: Use UploadReference for Group * DEV: Use UploadReference for ThemeField * DEV: Use UploadReference for ThemeSetting * DEV: Use UploadReference for User * DEV: Use UploadReference for UserAvatar * DEV: Use UploadReference for UserExport * DEV: Use UploadReference for UserProfile * DEV: Add method to extract uploads from raw text * DEV: Use UploadReference for Draft * DEV: Use UploadReference for ReviewableQueuedPost * DEV: Use UploadReference for UserProfile's bio_raw * DEV: Do not copy user uploads to upload references * DEV: Copy post uploads again after deploy * DEV: Use created_at and updated_at from uploads table * FIX: Check if upload site setting is empty * DEV: Copy user uploads to upload references * DEV: Make upload extraction less strict
2022-06-08 19:24:30 -04:00
end
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
def enable_secure_uploads
DEV: Clean up S3 specs, stubs, and helpers Extracted commonly used spec helpers into spec/support/uploads_helpers.rb, removed unused stubs and let definitions. Makes it easier to write new S3-related specs without copy and pasting setup steps from other specs.
2020-09-14 07:32:25 -04:00
setup_s3
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
SiteSetting.secure_uploads = true
DEV: Clean up S3 specs, stubs, and helpers Extracted commonly used spec helpers into spec/support/uploads_helpers.rb, removed unused stubs and let definitions. Makes it easier to write new S3-related specs without copy and pasting setup steps from other specs.
2020-09-14 07:32:25 -04:00
stub_upload(upload)
FIX: Mitigate issue where legacy pre-secure hotlinked media would not be redownloaded (#8802) Basically, say you had already downloaded a certain image from a certain URL using pull_hotlinked_images and the onebox. The upload would be stored by its sha as an upload record. Whenever you linked to the same URL again in a post (e.g. in our case an og:image on review.discourse) we would would reuse the original upload record because of the sha1. However when you turned on secure media this could cause problems as the first post that uses that upload after secure media is enabled will set the access control post for the upload to the new post. Then if the post is deleted every single onebox/link to that same image URL will fail forever with 403 as the secure-media-uploads URL fails if the access control post has been deleted. To fix this when cooking posts and pulling hotlinked images, we only allow using an original upload by URL if its access control post matches the current post, and if the original_sha1 is filled in, meaning it was uploaded AFTER secure media was enabled. otherwise we just redownload the media again to be safe, as the URL will always be new then.
2020-01-28 19:11:38 -05:00
end
FIX: when destroying uploads clear card and profile background There is an fk to user_profile that can make destroying uploads fail if they happen to be set as user profile. This ensures we clear this information when destroying uploads. There are more relationships, but this makes some more progress.
2020-08-17 20:55:16 -04:00
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe ".destroy" do
FIX: when destroying uploads clear card and profile background There is an fk to user_profile that can make destroying uploads fail if they happen to be set as user profile. This ensures we clear this information when destroying uploads. There are more relationships, but this makes some more progress.
2020-08-17 20:55:16 -04:00
it "can correctly clear information when destroying an upload" do
upload = Fabricate(:upload)
user = Fabricate(:user)
user.user_profile.update!(
card_background_upload_id: upload.id,
profile_background_upload_id: upload.id,
)
upload.destroy
user.user_profile.reload
expect(user.user_profile.card_background_upload_id).to eq(nil)
expect(user.user_profile.profile_background_upload_id).to eq(nil)
end
DEV: Replace SECURE_MEDIA_ROUTE const with other methods (#10545) This is so if the route changes this const won't be around to bite us, use the Rails route methods instead.
2020-08-27 21:28:11 -04:00
end
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
describe ".secure_uploads_url_from_upload_url" do
DEV: Replace SECURE_MEDIA_ROUTE const with other methods (#10545) This is so if the route changes this const won't be around to bite us, use the Rails route methods instead.
2020-08-27 21:28:11 -04:00
before do
# must be done so signed_url_for_path exists
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
enable_secure_uploads
DEV: Replace SECURE_MEDIA_ROUTE const with other methods (#10545) This is so if the route changes this const won't be around to bite us, use the Rails route methods instead.
2020-08-27 21:28:11 -04:00
end
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
it "gets the secure uploads url from an S3 upload url" do
DEV: Replace SECURE_MEDIA_ROUTE const with other methods (#10545) This is so if the route changes this const won't be around to bite us, use the Rails route methods instead.
2020-08-27 21:28:11 -04:00
upload = Fabricate(:upload_s3, secure: true)
url = upload.url
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
secure_url = Upload.secure_uploads_url_from_upload_url(url)
DEV: Replace SECURE_MEDIA_ROUTE const with other methods (#10545) This is so if the route changes this const won't be around to bite us, use the Rails route methods instead.
2020-08-27 21:28:11 -04:00
expect(secure_url).not_to include(SiteSetting.Upload.absolute_base_url)
end
end
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
describe ".secure_uploads_url?" do
it "works for a secure uploads url with or without schema + host" do
url =
"//localhost:3000/secure-uploads/original/2X/f/f62055931bb702c7fd8f552fb901f977e0289a18.png"
expect(Upload.secure_uploads_url?(url)).to eq(true)
url = "/secure-uploads/original/2X/f/f62055931bb702c7fd8f552fb901f977e0289a18.png"
expect(Upload.secure_uploads_url?(url)).to eq(true)
url =
"http://localhost:3000/secure-uploads/original/2X/f/f62055931bb702c7fd8f552fb901f977e0289a18.png"
expect(Upload.secure_uploads_url?(url)).to eq(true)
DEV: Replace SECURE_MEDIA_ROUTE const with other methods (#10545) This is so if the route changes this const won't be around to bite us, use the Rails route methods instead.
2020-08-27 21:28:11 -04:00
end
FIX: when destroying uploads clear card and profile background There is an fk to user_profile that can make destroying uploads fail if they happen to be set as user profile. This ensures we clear this information when destroying uploads. There are more relationships, but this makes some more progress.
2020-08-17 20:55:16 -04:00
DEV: Replace SECURE_MEDIA_ROUTE const with other methods (#10545) This is so if the route changes this const won't be around to bite us, use the Rails route methods instead.
2020-08-27 21:28:11 -04:00
it "does not get false positives on a topic url" do
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
url = "/t/secure-uploads-are-cool/42839"
expect(Upload.secure_uploads_url?(url)).to eq(false)
DEV: Replace SECURE_MEDIA_ROUTE const with other methods (#10545) This is so if the route changes this const won't be around to bite us, use the Rails route methods instead.
2020-08-27 21:28:11 -04:00
end
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
it "returns true only for secure uploads URL for actual media (images/video/audio)" do
url = "/secure-uploads/original/2X/f/f62055931bb702c7fd8f552fb901f977e0289a18.mp4"
expect(Upload.secure_uploads_url?(url)).to eq(true)
url = "/secure-uploads/original/2X/f/f62055931bb702c7fd8f552fb901f977e0289a18.png"
expect(Upload.secure_uploads_url?(url)).to eq(true)
url = "/secure-uploads/original/2X/f/f62055931bb702c7fd8f552fb901f977e0289a18.mp3"
expect(Upload.secure_uploads_url?(url)).to eq(true)
url = "/secure-uploads/original/2X/f/f62055931bb702c7fd8f552fb901f977e0289a18.pdf"
expect(Upload.secure_uploads_url?(url)).to eq(false)
DEV: Replace SECURE_MEDIA_ROUTE const with other methods (#10545) This is so if the route changes this const won't be around to bite us, use the Rails route methods instead.
2020-08-27 21:28:11 -04:00
end
it "does not work for regular upload urls" do
url = "/uploads/default/test_0/original/1X/e1864389d8252958586c76d747b069e9f68827e3.png"
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
expect(Upload.secure_uploads_url?(url)).to eq(false)
DEV: Replace SECURE_MEDIA_ROUTE const with other methods (#10545) This is so if the route changes this const won't be around to bite us, use the Rails route methods instead.
2020-08-27 21:28:11 -04:00
end
FIX: Invalid URLs could raise exceptions when calling UrlHelper.rails_route_from_url (#10782) Upload.secure_media_url? raised an exceptions when the URL was invalid, which was a issue in some situations where secure media URLs must be removed. For example, sending digests used PrettyText.strip_secure_media, which used Upload.secure_media_url? to replace secure media with placeholders. If the URL was invalid, then an exception would be raised and left unhandled. Now instead in UrlHelper.rails_route_from_url we return nil if there is something wrong with the URL. Co-authored-by: Bianca Nenciu <nenciu.bianca@gmail.com>
2020-09-30 01:20:00 -04:00
it "does not raise for invalid URLs" do
url = "http://URL:%20https://google.com"
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-28 19:24:33 -04:00
expect(Upload.secure_uploads_url?(url)).to eq(false)
FIX: Invalid URLs could raise exceptions when calling UrlHelper.rails_route_from_url (#10782) Upload.secure_media_url? raised an exceptions when the URL was invalid, which was a issue in some situations where secure media URLs must be removed. For example, sending digests used PrettyText.strip_secure_media, which used Upload.secure_media_url? to replace secure media with placeholders. If the URL was invalid, then an exception would be raised and left unhandled. Now instead in UrlHelper.rails_route_from_url we return nil if there is something wrong with the URL. Co-authored-by: Bianca Nenciu <nenciu.bianca@gmail.com>
2020-09-30 01:20:00 -04:00
end
FIX: when destroying uploads clear card and profile background There is an fk to user_profile that can make destroying uploads fail if they happen to be set as user profile. This ensures we clear this information when destroying uploads. There are more relationships, but this makes some more progress.
2020-08-17 20:55:16 -04:00
end
UX: Use dominant color as image loading placeholder (#18248) We previously had a system which would generate a 10x10px preview of images and add their URLs in a data-small-upload attribute. The client would then use that as the background-image of the `<img>` element. This works reasonably well on fast connections, but on slower connections it can take a few seconds for the placeholders to appear. The act of loading the placeholders can also break or delay the loading of the 'real' images. This commit replaces the placeholder logic with a new approach. Instead of a 10x10px preview, we use imagemagick to calculate the average color of an image and store it in the database. The hex color value then added as a `data-dominant-color` attribute on the `<img>` element, and the client can use this as a `background-color` on the element while the real image is loading. That means no extra HTTP request is required, and so the placeholder color can appear instantly. Dominant color will be calculated: 1. When a new upload is created 2. During a post rebake, if the dominant color is missing from an upload, it will be calculated and stored 3. Every 15 minutes, 25 old upload records are fetched and their dominant color calculated and stored. (part of the existing PeriodicalUpdates job) Existing posts will continue to use the old 10x10px placeholder system until they are next rebaked
2022-09-20 05:28:17 -04:00
describe "#dominant_color" do
let(:white_image) { Fabricate(:image_upload, color: "white") }
let(:red_image) { Fabricate(:image_upload, color: "red") }
let(:not_an_image) do
upload = Fabricate(:upload)
file = Tempfile.new(%w[invalid .txt])
file << "Not really an image"
file.rewind
upload.update(url: Discourse.store.store_upload(file, upload), extension: "txt")
upload
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
end
UX: Use dominant color as image loading placeholder (#18248) We previously had a system which would generate a 10x10px preview of images and add their URLs in a data-small-upload attribute. The client would then use that as the background-image of the `<img>` element. This works reasonably well on fast connections, but on slower connections it can take a few seconds for the placeholders to appear. The act of loading the placeholders can also break or delay the loading of the 'real' images. This commit replaces the placeholder logic with a new approach. Instead of a 10x10px preview, we use imagemagick to calculate the average color of an image and store it in the database. The hex color value then added as a `data-dominant-color` attribute on the `<img>` element, and the client can use this as a `background-color` on the element while the real image is loading. That means no extra HTTP request is required, and so the placeholder color can appear instantly. Dominant color will be calculated: 1. When a new upload is created 2. During a post rebake, if the dominant color is missing from an upload, it will be calculated and stored 3. Every 15 minutes, 25 old upload records are fetched and their dominant color calculated and stored. (part of the existing PeriodicalUpdates job) Existing posts will continue to use the old 10x10px placeholder system until they are next rebaked
2022-09-20 05:28:17 -04:00
let(:invalid_image) do
upload = Fabricate(:upload)
file = Tempfile.new(%w[invalid .png])
file << "Not really an image"
file.rewind
upload.update(url: Discourse.store.store_upload(file, upload))
upload
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
end
UX: Use dominant color as image loading placeholder (#18248) We previously had a system which would generate a 10x10px preview of images and add their URLs in a data-small-upload attribute. The client would then use that as the background-image of the `<img>` element. This works reasonably well on fast connections, but on slower connections it can take a few seconds for the placeholders to appear. The act of loading the placeholders can also break or delay the loading of the 'real' images. This commit replaces the placeholder logic with a new approach. Instead of a 10x10px preview, we use imagemagick to calculate the average color of an image and store it in the database. The hex color value then added as a `data-dominant-color` attribute on the `<img>` element, and the client can use this as a `background-color` on the element while the real image is loading. That means no extra HTTP request is required, and so the placeholder color can appear instantly. Dominant color will be calculated: 1. When a new upload is created 2. During a post rebake, if the dominant color is missing from an upload, it will be calculated and stored 3. Every 15 minutes, 25 old upload records are fetched and their dominant color calculated and stored. (part of the existing PeriodicalUpdates job) Existing posts will continue to use the old 10x10px placeholder system until they are next rebaked
2022-09-20 05:28:17 -04:00
it "correctly identifies and stores an image's dominant color" do
expect(white_image.dominant_color).to eq(nil)
expect(white_image.dominant_color(calculate_if_missing: true)).to eq("FFFFFF")
expect(white_image.dominant_color).to eq("FFFFFF")
expect(red_image.dominant_color).to eq(nil)
expect(red_image.dominant_color(calculate_if_missing: true)).to eq("FF0000")
expect(red_image.dominant_color).to eq("FF0000")
end
it "can be backfilled" do
expect(white_image.dominant_color).to eq(nil)
expect(red_image.dominant_color).to eq(nil)
Upload.backfill_dominant_colors!(5)
white_image.reload
red_image.reload
expect(white_image.dominant_color).to eq("FFFFFF")
expect(red_image.dominant_color).to eq("FF0000")
end
PERF: Move dominant color calculation to separate job (#18501) This will ensure that any potential problems with this process do not affect the performance or reliability of the PeriodicalUpdates job.
2022-10-06 08:26:08 -04:00
it "is backfilled by the job" do
expect(white_image.dominant_color).to eq(nil)
expect(red_image.dominant_color).to eq(nil)
Jobs::BackfillDominantColors.new.execute({})
white_image.reload
red_image.reload
expect(white_image.dominant_color).to eq("FFFFFF")
expect(red_image.dominant_color).to eq("FF0000")
end
UX: Use dominant color as image loading placeholder (#18248) We previously had a system which would generate a 10x10px preview of images and add their URLs in a data-small-upload attribute. The client would then use that as the background-image of the `<img>` element. This works reasonably well on fast connections, but on slower connections it can take a few seconds for the placeholders to appear. The act of loading the placeholders can also break or delay the loading of the 'real' images. This commit replaces the placeholder logic with a new approach. Instead of a 10x10px preview, we use imagemagick to calculate the average color of an image and store it in the database. The hex color value then added as a `data-dominant-color` attribute on the `<img>` element, and the client can use this as a `background-color` on the element while the real image is loading. That means no extra HTTP request is required, and so the placeholder color can appear instantly. Dominant color will be calculated: 1. When a new upload is created 2. During a post rebake, if the dominant color is missing from an upload, it will be calculated and stored 3. Every 15 minutes, 25 old upload records are fetched and their dominant color calculated and stored. (part of the existing PeriodicalUpdates job) Existing posts will continue to use the old 10x10px placeholder system until they are next rebaked
2022-09-20 05:28:17 -04:00
it "stores an empty string for non-image uploads" do
expect(not_an_image.dominant_color).to eq(nil)
expect(not_an_image.dominant_color(calculate_if_missing: true)).to eq("")
expect(not_an_image.dominant_color).to eq("")
end
it "correctly handles invalid image files" do
expect(invalid_image.dominant_color).to eq(nil)
expect(invalid_image.dominant_color(calculate_if_missing: true)).to eq("")
expect(invalid_image.dominant_color).to eq("")
end
it "correctly handles unparsable ImageMagick output" do
Discourse::Utils.stubs(:execute_command).returns("someinvalidoutput")
expect(invalid_image.dominant_color).to eq(nil)
expect { invalid_image.dominant_color(calculate_if_missing: true) }.to raise_error(
/Calculated dominant color but unable to parse output/,
)
expect(invalid_image.dominant_color).to eq(nil)
end
DEV: Enforce dominant_color length in validation (#18309) The `add_column` `limit` parameter has no effect on a postgres `text` column. Instead we can perform the check in ActiveRecord. We never expect this condition to be hit - users cannot control this value. It's just a safety net.
2022-09-21 06:01:21 -04:00
FIX: Improve error handling for `calculate_dominant_color!` (#18503) These errors tend to indicate that the upload is missing on the remote store. This is bad, but we don't want it to block the dominant-color calculation process. This commit catches errors when there is an HTTP error, and fixes the `base_store.rb` implementation when `FileHelper.download` returns nil.
2022-10-06 08:44:53 -04:00
it "correctly handles error when file is too large to download" do
FIX: Correctly handle HTTP errors during dominant color calculation (#18565) The previous fix in e83d35d6 was incorrect, and the stub in the test was never actually hit. This commit moves the error handling to the right place and updates the specs to ensure the stub is always used.
2022-10-12 10:50:44 -04:00
white_image.stubs(:local?).returns(false)
FileStore::LocalStore.any_instance.stubs(:download).returns(nil).once
FIX: Handle failed download when calculating image dominant color (#18342) This can happen when the upload size exceeds the maximum upload size, or there is a network issue during download
2022-09-23 07:42:07 -04:00
FIX: Correctly handle HTTP errors during dominant color calculation (#18565) The previous fix in e83d35d6 was incorrect, and the stub in the test was never actually hit. This commit moves the error handling to the right place and updates the specs to ensure the stub is always used.
2022-10-12 10:50:44 -04:00
expect(white_image.dominant_color).to eq(nil)
expect(white_image.dominant_color(calculate_if_missing: true)).to eq("")
expect(white_image.dominant_color).to eq("")
FIX: Handle failed download when calculating image dominant color (#18342) This can happen when the upload size exceeds the maximum upload size, or there is a network issue during download
2022-09-23 07:42:07 -04:00
end
FIX: Improve error handling for `calculate_dominant_color!` (#18503) These errors tend to indicate that the upload is missing on the remote store. This is bad, but we don't want it to block the dominant-color calculation process. This commit catches errors when there is an HTTP error, and fixes the `base_store.rb` implementation when `FileHelper.download` returns nil.
2022-10-06 08:44:53 -04:00
it "correctly handles error when file has HTTP error" do
FIX: Correctly handle HTTP errors during dominant color calculation (#18565) The previous fix in e83d35d6 was incorrect, and the stub in the test was never actually hit. This commit moves the error handling to the right place and updates the specs to ensure the stub is always used.
2022-10-12 10:50:44 -04:00
white_image.stubs(:local?).returns(false)
FileStore::LocalStore
.any_instance
.stubs(:download)
.raises(OpenURI::HTTPError.new("Error", nil))
.once
FIX: Improve error handling for `calculate_dominant_color!` (#18503) These errors tend to indicate that the upload is missing on the remote store. This is bad, but we don't want it to block the dominant-color calculation process. This commit catches errors when there is an HTTP error, and fixes the `base_store.rb` implementation when `FileHelper.download` returns nil.
2022-10-06 08:44:53 -04:00
FIX: Correctly handle HTTP errors during dominant color calculation (#18565) The previous fix in e83d35d6 was incorrect, and the stub in the test was never actually hit. This commit moves the error handling to the right place and updates the specs to ensure the stub is always used.
2022-10-12 10:50:44 -04:00
expect(white_image.dominant_color).to eq(nil)
expect(white_image.dominant_color(calculate_if_missing: true)).to eq("")
expect(white_image.dominant_color).to eq("")
FIX: Improve error handling for `calculate_dominant_color!` (#18503) These errors tend to indicate that the upload is missing on the remote store. This is bad, but we don't want it to block the dominant-color calculation process. This commit catches errors when there is an HTTP error, and fixes the `base_store.rb` implementation when `FileHelper.download` returns nil.
2022-10-06 08:44:53 -04:00
end
DEV: Enforce dominant_color length in validation (#18309) The `add_column` `limit` parameter has no effect on a postgres `text` column. Instead we can perform the check in ActiveRecord. We never expect this condition to be hit - users cannot control this value. It's just a safety net.
2022-09-21 06:01:21 -04:00
it "is validated for length" do
u = Fabricate(:upload)
# Acceptable values
u.update!(dominant_color: nil)
u.update!(dominant_color: "")
u.update!(dominant_color: "abcdef")
expect { u.update!(dominant_color: "toomanycharacters") }.to raise_error(
ActiveRecord::RecordInvalid,
)
expect { u.update!(dominant_color: "abcd") }.to raise_error(ActiveRecord::RecordInvalid)
end
UX: Use dominant color as image loading placeholder (#18248) We previously had a system which would generate a 10x10px preview of images and add their URLs in a data-small-upload attribute. The client would then use that as the background-image of the `<img>` element. This works reasonably well on fast connections, but on slower connections it can take a few seconds for the placeholders to appear. The act of loading the placeholders can also break or delay the loading of the 'real' images. This commit replaces the placeholder logic with a new approach. Instead of a 10x10px preview, we use imagemagick to calculate the average color of an image and store it in the database. The hex color value then added as a `data-dominant-color` attribute on the `<img>` element, and the client can use this as a `background-color` on the element while the real image is loading. That means no extra HTTP request is required, and so the placeholder color can appear instantly. Dominant color will be calculated: 1. When a new upload is created 2. During a post rebake, if the dominant color is missing from an upload, it will be calculated and stored 3. Every 15 minutes, 25 old upload records are fetched and their dominant color calculated and stored. (part of the existing PeriodicalUpdates job) Existing posts will continue to use the old 10x10px placeholder system until they are next rebaked
2022-09-20 05:28:17 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end