Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/spec/system/s3_secure_uploads_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

125 lines
4.2 KiB
Ruby
Raw Normal View History

FEATURE: Secure uploads in PMs only (#23398) This adds a new secure_uploads_pm_only site setting. When secure_uploads is true with this setting, only uploads created in PMs will be marked secure; no uploads in secure categories will be marked as secure, and the login_required site setting has no bearing on upload security either. This is meant to be a stopgap solution to prevent secure uploads in a single place (private messages) for sensitive admin data exports. Ideally we would want a more comprehensive way of saying that certain upload types get secured which is a hybrid/mixed mode secure uploads, but for now this will do the trick.
2023-09-05 19:39:09 -04:00
# frozen_string_literal: true
describe "Uploading files in the composer to S3", type: :system do
fab!(:current_user) { Fabricate(:admin) }
fab!(:other_user) { Fabricate(:user, username: "otherguy") }
let(:modal) { PageObjects::Modals::Base.new }
let(:composer) { PageObjects::Components::Composer.new }
let(:topic_page) { PageObjects::Pages::Topic.new }
describe "secure uploads" do
def first_post_img(wait: Capybara.default_max_wait_time)
first_post = topic_page.post_by_number(1, wait: wait)
expect(first_post).to have_css("img[data-base62-sha1]")
first_post.find(".cooked").first("img")
end
def expect_first_post_to_have_secure_upload
img = first_post_img
expect(img["src"]).to include("/secure-uploads")
topic = topic_page.current_topic
expect(topic.first_post.uploads.first.secure).to eq(true)
end
it "marks uploads inside of private message posts as secure" do
skip_unless_s3_system_specs_enabled!
setup_s3_system_test(enable_secure_uploads: true)
sign_in(current_user)
topic_page.open_new_message
composer.fill_title("This is a test PM for secure uploads")
composer.select_pm_user("otherguy")
file_path = file_from_fixtures("logo.png", "images").path
attach_file(file_path) { composer.click_toolbar_button("upload") }
expect(page).to have_no_css("#file-uploading")
expect(composer.preview).to have_css(".image-wrapper")
composer.submit
expect_first_post_to_have_secure_upload
end
it "marks uploads inside of private category posts as secure" do
skip_unless_s3_system_specs_enabled!
private_category = Fabricate(:private_category, group: Fabricate(:group))
setup_s3_system_test(enable_secure_uploads: true)
sign_in(current_user)
topic_page.open_new_topic
composer.fill_title("This is a test PM for secure uploads")
composer.switch_category(private_category.name)
file_path = file_from_fixtures("logo.png", "images").path
attach_file(file_path) { composer.click_toolbar_button("upload") }
expect(page).to have_no_css("#file-uploading")
expect(composer.preview).to have_css(".image-wrapper")
composer.submit
expect_first_post_to_have_secure_upload
end
it "marks uploads for all posts as secure when login_required" do
skip_unless_s3_system_specs_enabled!
SiteSetting.login_required = true
setup_s3_system_test(enable_secure_uploads: true)
sign_in(current_user)
topic_page.open_new_topic
composer.fill_title("This is a test PM for secure uploads")
file_path = file_from_fixtures("logo.png", "images").path
attach_file(file_path) { composer.click_toolbar_button("upload") }
expect(page).to have_no_css("#file-uploading")
expect(composer.preview).to have_css(".image-wrapper")
composer.submit
expect_first_post_to_have_secure_upload
end
it "doesn't mark uploads for public posts as secure" do
skip_unless_s3_system_specs_enabled!
setup_s3_system_test(enable_secure_uploads: true)
sign_in(current_user)
topic_page.open_new_topic
composer.fill_title("This is a test PM for secure uploads")
file_path = file_from_fixtures("logo.png", "images").path
attach_file(file_path) { composer.click_toolbar_button("upload") }
expect(page).to have_no_css("#file-uploading")
expect(composer.preview).to have_css(".image-wrapper")
Jobs.run_immediately!
composer.submit
# Extra wait time is added because the job can slow down the processing of the request.
img = first_post_img(wait: 10)
DEV: Re-enable minio specs by pre-installing minio binary before test run (#24050) This fixes a similar issue to 8b3eca0 where an Errno::ETXTBSY error was raised because the minio_runner gem was trying to install the binary across multiple processes in rspec. If we just make sure the latest version is installed before the tests run, this shouldn't happen, since MinioRunner.start will not do any further attempts at installation if the latest version is installed.
2023-10-23 22:43:14 -04:00
# At first the image will be secure when created via the composer, usually the
# CookedPostProcessor job fixes this but running it immediately when creating the
# post doesn't work in the test, so we need to rebake here to get the correct result.
expect(page).to have_css("img[src*='secure-uploads']")
Post.last.rebake!
expect(page).not_to have_css("img[src*='secure-uploads']", wait: 5)
FEATURE: Secure uploads in PMs only (#23398) This adds a new secure_uploads_pm_only site setting. When secure_uploads is true with this setting, only uploads created in PMs will be marked secure; no uploads in secure categories will be marked as secure, and the login_required site setting has no bearing on upload security either. This is meant to be a stopgap solution to prevent secure uploads in a single place (private messages) for sensitive admin data exports. Ideally we would want a more comprehensive way of saying that certain upload types get secured which is a hybrid/mixed mode secure uploads, but for now this will do the trick.
2023-09-05 19:39:09 -04:00
topic = topic_page.current_topic
expect(topic.first_post.uploads.first.secure).to eq(false)
end
end
end