debian-mirror-gitlab/spec/controllers/uploads_controller_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

787 lines
25 KiB
Ruby
Raw Normal View History

2019-07-31 22:56:46 +05:30
# frozen_string_literal: true
2015-04-26 12:48:37 +05:30
require 'spec_helper'
2020-06-23 00:09:42 +05:30
RSpec.shared_examples 'content 5 min private cached with revalidation' do
2017-08-17 22:00:37 +05:30
it 'ensures content will not be cached without revalidation' do
2019-12-21 20:55:43 +05:30
expect(subject['Cache-Control']).to eq('max-age=300, private, must-revalidate')
2017-08-17 22:00:37 +05:30
end
end
2015-04-26 12:48:37 +05:30
2020-06-23 00:09:42 +05:30
RSpec.shared_examples 'content not cached' do
2018-11-18 11:00:15 +05:30
it 'ensures content will not be cached without revalidation' do
2019-12-21 20:55:43 +05:30
expect(subject['Cache-Control']).to eq('max-age=0, private, must-revalidate')
2018-11-18 11:00:15 +05:30
end
end
2020-06-23 00:09:42 +05:30
RSpec.shared_examples 'content publicly cached' do
2019-03-02 22:35:43 +05:30
it 'ensures content is publicly cached' do
expect(subject['Cache-Control']).to eq('max-age=300, public')
end
end
2020-06-23 00:09:42 +05:30
RSpec.describe UploadsController do
2019-09-04 21:01:54 +05:30
include WorkhorseHelpers
2018-11-08 19:23:39 +05:30
let!(:user) { create(:user, avatar: fixture_file_upload("spec/fixtures/dk.png", "image/png")) }
2015-04-26 12:48:37 +05:30
2019-09-04 21:01:54 +05:30
describe 'POST #authorize' do
it_behaves_like 'handle uploads authorize' do
let(:uploader_class) { PersonalFileUploader }
let(:model) { create(:personal_snippet, :public) }
let(:params) do
{ model: 'personal_snippet', id: model.id }
end
end
end
2017-08-17 22:00:37 +05:30
describe 'POST create' do
2018-11-08 19:23:39 +05:30
let(:jpg) { fixture_file_upload('spec/fixtures/rails_sample.jpg', 'image/jpg') }
let(:txt) { fixture_file_upload('spec/fixtures/doc_sample.txt', 'text/plain') }
2017-08-17 22:00:37 +05:30
2019-07-07 11:18:12 +05:30
context 'snippet uploads' do
let(:model) { 'personal_snippet' }
let(:snippet) { create(:personal_snippet, :public) }
2017-08-17 22:00:37 +05:30
2019-07-07 11:18:12 +05:30
context 'when a user does not have permissions to upload a file' do
it "returns 401 when the user is not logged in" do
post :create, params: { model: model, id: snippet.id }, format: :json
2017-08-17 22:00:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
2019-07-07 11:18:12 +05:30
end
2017-08-17 22:00:37 +05:30
2019-07-07 11:18:12 +05:30
it "returns 404 when user can't comment on a snippet" do
private_snippet = create(:personal_snippet, :private)
2017-08-17 22:00:37 +05:30
2019-07-07 11:18:12 +05:30
sign_in(user)
post :create, params: { model: model, id: private_snippet.id }, format: :json
2017-08-17 22:00:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2019-07-07 11:18:12 +05:30
end
2017-08-17 22:00:37 +05:30
end
2019-07-07 11:18:12 +05:30
context 'when a user is logged in' do
before do
sign_in(user)
end
2017-08-17 22:00:37 +05:30
2019-07-07 11:18:12 +05:30
it "returns an error without file" do
post :create, params: { model: model, id: snippet.id }, format: :json
2017-08-17 22:00:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:unprocessable_entity)
2019-07-07 11:18:12 +05:30
end
2017-08-17 22:00:37 +05:30
2019-07-07 11:18:12 +05:30
it "returns an error with invalid model" do
expect { post :create, params: { model: 'invalid', id: snippet.id }, format: :json }
.to raise_error(ActionController::UrlGenerationError)
end
2017-08-17 22:00:37 +05:30
2019-07-07 11:18:12 +05:30
it "returns 404 status when object not found" do
2020-04-22 19:07:51 +05:30
post :create, params: { model: model, id: non_existing_record_id }, format: :json
2017-08-17 22:00:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2017-08-17 22:00:37 +05:30
end
2019-07-07 11:18:12 +05:30
context 'with valid image' do
before do
post :create, params: { model: 'personal_snippet', id: snippet.id, file: jpg }, format: :json
end
it 'returns a content with original filename, new link, and correct type.' do
expect(response.body).to match '\"alt\":\"rails_sample\"'
expect(response.body).to match "\"url\":\"/uploads"
end
it 'creates a corresponding Upload record' do
upload = Upload.last
aggregate_failures do
expect(upload).to exist
expect(upload.model).to eq snippet
end
end
2017-08-17 22:00:37 +05:30
end
2019-07-07 11:18:12 +05:30
context 'with valid non-image file' do
before do
post :create, params: { model: 'personal_snippet', id: snippet.id, file: txt }, format: :json
end
2017-08-17 22:00:37 +05:30
2019-07-07 11:18:12 +05:30
it 'returns a content with original filename, new link, and correct type.' do
expect(response.body).to match '\"alt\":\"doc_sample.txt\"'
expect(response.body).to match "\"url\":\"/uploads"
end
it 'creates a corresponding Upload record' do
upload = Upload.last
aggregate_failures do
expect(upload).to exist
expect(upload.model).to eq snippet
end
2017-08-17 22:00:37 +05:30
end
end
end
2019-07-07 11:18:12 +05:30
end
context 'user uploads' do
let(:model) { 'user' }
it 'returns 401 when the user has no access' do
post :create, params: { model: 'user', id: user.id }, format: :json
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
2019-07-07 11:18:12 +05:30
end
2017-08-17 22:00:37 +05:30
2019-07-07 11:18:12 +05:30
context 'when user is logged in' do
2017-08-17 22:00:37 +05:30
before do
2019-07-07 11:18:12 +05:30
sign_in(user)
end
subject do
post :create, params: { model: model, id: user.id, file: jpg }, format: :json
2017-08-17 22:00:37 +05:30
end
it 'returns a content with original filename, new link, and correct type.' do
2019-07-07 11:18:12 +05:30
subject
expect(response.body).to match '\"alt\":\"rails_sample\"'
expect(response.body).to match "\"url\":\"/uploads/-/system/user/#{user.id}/"
2017-08-17 22:00:37 +05:30
end
it 'creates a corresponding Upload record' do
2019-07-07 11:18:12 +05:30
expect { subject }.to change { Upload.count }
2017-08-17 22:00:37 +05:30
upload = Upload.last
aggregate_failures do
expect(upload).to exist
2019-07-07 11:18:12 +05:30
expect(upload.model).to eq user
2017-08-17 22:00:37 +05:30
end
end
2017-09-10 17:25:29 +05:30
2019-07-07 11:18:12 +05:30
context 'with valid non-image file' do
subject do
post :create, params: { model: model, id: user.id, file: txt }, format: :json
end
2017-09-10 17:25:29 +05:30
2019-07-07 11:18:12 +05:30
it 'returns a content with original filename, new link, and correct type.' do
subject
2017-09-10 17:25:29 +05:30
2019-07-07 11:18:12 +05:30
expect(response.body).to match '\"alt\":\"doc_sample.txt\"'
expect(response.body).to match "\"url\":\"/uploads/-/system/user/#{user.id}/"
end
2017-09-10 17:25:29 +05:30
2019-07-07 11:18:12 +05:30
it 'creates a corresponding Upload record' do
expect { subject }.to change { Upload.count }
2017-09-10 17:25:29 +05:30
2019-07-07 11:18:12 +05:30
upload = Upload.last
aggregate_failures do
expect(upload).to exist
expect(upload.model).to eq user
end
end
2017-09-10 17:25:29 +05:30
end
2019-07-07 11:18:12 +05:30
it 'returns 404 when given user is not the logged in one' do
another_user = create(:user)
2017-09-10 17:25:29 +05:30
2019-07-07 11:18:12 +05:30
post :create, params: { model: model, id: another_user.id, file: txt }, format: :json
2017-09-10 17:25:29 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2017-09-10 17:25:29 +05:30
end
end
2017-08-17 22:00:37 +05:30
end
end
2015-04-26 12:48:37 +05:30
describe "GET show" do
2017-08-17 22:00:37 +05:30
context 'Content-Disposition security measures' do
2020-01-01 13:55:28 +05:30
let(:expected_disposition) { 'inline;' }
2017-09-10 17:25:29 +05:30
let(:project) { create(:project, :public) }
2017-08-17 22:00:37 +05:30
2020-01-01 13:55:28 +05:30
shared_examples_for 'uploaded file with disposition' do
it 'returns correct Content-Disposition' do
get :show, params: { model: 'note', mounted_as: 'attachment', id: note.id, filename: filename }
2017-08-17 22:00:37 +05:30
2020-01-01 13:55:28 +05:30
expect(response['Content-Disposition']).to start_with(expected_disposition)
2017-08-17 22:00:37 +05:30
end
end
2020-01-01 13:55:28 +05:30
context 'for PNG files' do
let(:filename) { 'dk.png' }
let(:expected_disposition) { 'inline;' }
let(:note) { create(:note, :with_attachment, project: project) }
it_behaves_like 'uploaded file with disposition'
end
context 'for PDF files' do
2022-11-25 23:54:43 +05:30
let(:filename) { 'sample.pdf' }
2020-01-01 13:55:28 +05:30
let(:expected_disposition) { 'inline;' }
let(:note) { create(:note, :with_pdf_attachment, project: project) }
it_behaves_like 'uploaded file with disposition'
end
2017-08-17 22:00:37 +05:30
context 'for SVG files' do
2020-01-01 13:55:28 +05:30
let(:filename) { 'unsanitized.svg' }
let(:expected_disposition) { 'attachment;' }
let(:note) { create(:note, :with_svg_attachment, project: project) }
2017-08-17 22:00:37 +05:30
2020-01-01 13:55:28 +05:30
it_behaves_like 'uploaded file with disposition'
2017-08-17 22:00:37 +05:30
end
end
2015-04-26 12:48:37 +05:30
context "when viewing a user avatar" do
context "when signed in" do
before do
sign_in(user)
end
context "when the user is blocked" do
before do
user.block
end
2020-01-01 13:55:28 +05:30
it "responds with status 401" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
2015-04-26 12:48:37 +05:30
end
end
context "when the user isn't blocked" do
it "responds with status 200" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
2019-03-02 22:35:43 +05:30
it_behaves_like 'content publicly cached' do
2017-08-17 22:00:37 +05:30
subject do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'user', mounted_as: 'avatar', id: user.id, filename: 'dk.png' }
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
response
end
end
2015-04-26 12:48:37 +05:30
end
end
2016-06-02 11:05:42 +05:30
2015-04-26 12:48:37 +05:30
context "when not signed in" do
2023-01-10 11:22:00 +05:30
context "when restricted visibility level is not set to public" do
before do
stub_application_setting(restricted_visibility_levels: [])
end
it "responds with status 200" do
get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
expect(response).to have_gitlab_http_status(:ok)
end
it_behaves_like 'content publicly cached' do
subject do
get :show, params: { model: 'user', mounted_as: 'avatar', id: user.id, filename: 'dk.png' }
2015-04-26 12:48:37 +05:30
2023-01-10 11:22:00 +05:30
response
end
end
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
2023-01-10 11:22:00 +05:30
context "when restricted visibility level is set to public" do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
2018-03-17 18:26:18 +05:30
2023-01-10 11:22:00 +05:30
it "responds with status 401" do
get :show, params: { model: "user", mounted_as: "avatar", id: user.id, filename: "dk.png" }
expect(response).to have_gitlab_http_status(:unauthorized)
2017-08-17 22:00:37 +05:30
end
end
2015-04-26 12:48:37 +05:30
end
end
context "when viewing a project avatar" do
2018-11-08 19:23:39 +05:30
let!(:project) { create(:project, avatar: fixture_file_upload("spec/fixtures/dk.png", "image/png")) }
2015-04-26 12:48:37 +05:30
context "when the project is public" do
before do
project.update_attribute(:visibility_level, Project::PUBLIC)
end
context "when not signed in" do
it "responds with status 200" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "project", mounted_as: "avatar", id: project.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
2019-12-21 20:55:43 +05:30
it_behaves_like 'content 5 min private cached with revalidation' do
2017-08-17 22:00:37 +05:30
subject do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'project', mounted_as: 'avatar', id: project.id, filename: 'dk.png' }
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
response
end
end
2015-04-26 12:48:37 +05:30
end
context "when signed in" do
before do
sign_in(user)
end
it "responds with status 200" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "project", mounted_as: "avatar", id: project.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
2019-12-21 20:55:43 +05:30
it_behaves_like 'content 5 min private cached with revalidation' do
2017-08-17 22:00:37 +05:30
subject do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'project', mounted_as: 'avatar', id: project.id, filename: 'dk.png' }
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
response
end
end
2015-04-26 12:48:37 +05:30
end
end
context "when the project is private" do
before do
project.update_attribute(:visibility_level, Project::PRIVATE)
end
context "when not signed in" do
2020-01-01 13:55:28 +05:30
it "responds with status 401" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "project", mounted_as: "avatar", id: project.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
2015-04-26 12:48:37 +05:30
end
end
context "when signed in" do
before do
sign_in(user)
end
context "when the user has access to the project" do
before do
2018-11-18 11:00:15 +05:30
project.add_maintainer(user)
2015-04-26 12:48:37 +05:30
end
context "when the user is blocked" do
before do
user.block
2018-11-18 11:00:15 +05:30
project.add_maintainer(user)
2015-04-26 12:48:37 +05:30
end
2020-01-01 13:55:28 +05:30
it "responds with status 401" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "project", mounted_as: "avatar", id: project.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
2015-04-26 12:48:37 +05:30
end
end
context "when the user isn't blocked" do
it "responds with status 200" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "project", mounted_as: "avatar", id: project.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
2019-12-21 20:55:43 +05:30
it_behaves_like 'content 5 min private cached with revalidation' do
2017-08-17 22:00:37 +05:30
subject do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'project', mounted_as: 'avatar', id: project.id, filename: 'dk.png' }
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
response
end
end
2015-04-26 12:48:37 +05:30
end
end
context "when the user doesn't have access to the project" do
it "responds with status 404" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "project", mounted_as: "avatar", id: project.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2015-04-26 12:48:37 +05:30
end
end
end
end
end
context "when viewing a group avatar" do
2019-03-02 22:35:43 +05:30
let!(:group) { create(:group, avatar: fixture_file_upload("spec/fixtures/dk.png", "image/png")) }
2015-04-26 12:48:37 +05:30
2016-06-02 11:05:42 +05:30
context "when the group is public" do
2015-04-26 12:48:37 +05:30
context "when not signed in" do
it "responds with status 200" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "group", mounted_as: "avatar", id: group.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
2019-12-21 20:55:43 +05:30
it_behaves_like 'content 5 min private cached with revalidation' do
2017-08-17 22:00:37 +05:30
subject do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'group', mounted_as: 'avatar', id: group.id, filename: 'dk.png' }
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
response
end
end
2015-04-26 12:48:37 +05:30
end
context "when signed in" do
before do
sign_in(user)
end
it "responds with status 200" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "group", mounted_as: "avatar", id: group.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
2019-12-21 20:55:43 +05:30
it_behaves_like 'content 5 min private cached with revalidation' do
2017-08-17 22:00:37 +05:30
subject do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'group', mounted_as: 'avatar', id: group.id, filename: 'dk.png' }
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
response
end
end
2015-04-26 12:48:37 +05:30
end
end
2016-06-02 11:05:42 +05:30
context "when the group is private" do
before do
group.update_attribute(:visibility_level, Gitlab::VisibilityLevel::PRIVATE)
end
2015-04-26 12:48:37 +05:30
context "when signed in" do
before do
sign_in(user)
end
context "when the user has access to the project" do
before do
2016-06-02 11:05:42 +05:30
group.add_developer(user)
2015-04-26 12:48:37 +05:30
end
context "when the user is blocked" do
before do
user.block
end
2020-01-01 13:55:28 +05:30
it "responds with status 401" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "group", mounted_as: "avatar", id: group.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
2015-04-26 12:48:37 +05:30
end
end
context "when the user isn't blocked" do
it "responds with status 200" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "group", mounted_as: "avatar", id: group.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
2019-12-21 20:55:43 +05:30
it_behaves_like 'content 5 min private cached with revalidation' do
2017-08-17 22:00:37 +05:30
subject do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'group', mounted_as: 'avatar', id: group.id, filename: 'dk.png' }
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
response
end
end
2015-04-26 12:48:37 +05:30
end
end
context "when the user doesn't have access to the project" do
it "responds with status 404" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "group", mounted_as: "avatar", id: group.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2015-04-26 12:48:37 +05:30
end
end
end
end
end
context "when viewing a note attachment" do
let!(:note) { create(:note, :with_attachment) }
let(:project) { note.project }
context "when the project is public" do
before do
project.update_attribute(:visibility_level, Project::PUBLIC)
end
context "when not signed in" do
it "responds with status 200" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "note", mounted_as: "attachment", id: note.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
2019-12-21 20:55:43 +05:30
it_behaves_like 'content not cached' do
2017-08-17 22:00:37 +05:30
subject do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'note', mounted_as: 'attachment', id: note.id, filename: 'dk.png' }
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
response
end
end
2015-04-26 12:48:37 +05:30
end
context "when signed in" do
before do
sign_in(user)
end
it "responds with status 200" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "note", mounted_as: "attachment", id: note.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
2019-12-21 20:55:43 +05:30
it_behaves_like 'content not cached' do
2017-08-17 22:00:37 +05:30
subject do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'note', mounted_as: 'attachment', id: note.id, filename: 'dk.png' }
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
response
end
end
2015-04-26 12:48:37 +05:30
end
end
context "when the project is private" do
before do
project.update_attribute(:visibility_level, Project::PRIVATE)
end
context "when not signed in" do
2020-01-01 13:55:28 +05:30
it "responds with status 401" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "note", mounted_as: "attachment", id: note.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
2015-04-26 12:48:37 +05:30
end
end
context "when signed in" do
before do
sign_in(user)
end
context "when the user has access to the project" do
before do
2018-11-18 11:00:15 +05:30
project.add_maintainer(user)
2015-04-26 12:48:37 +05:30
end
context "when the user is blocked" do
before do
user.block
2018-11-18 11:00:15 +05:30
project.add_maintainer(user)
2015-04-26 12:48:37 +05:30
end
2020-01-01 13:55:28 +05:30
it "responds with status 401" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "note", mounted_as: "attachment", id: note.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
2015-04-26 12:48:37 +05:30
end
end
context "when the user isn't blocked" do
it "responds with status 200" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "note", mounted_as: "attachment", id: note.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
2015-04-26 12:48:37 +05:30
end
2017-08-17 22:00:37 +05:30
2019-12-21 20:55:43 +05:30
it_behaves_like 'content not cached' do
2017-08-17 22:00:37 +05:30
subject do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'note', mounted_as: 'attachment', id: note.id, filename: 'dk.png' }
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
response
end
end
2015-04-26 12:48:37 +05:30
end
end
context "when the user doesn't have access to the project" do
it "responds with status 404" do
2019-02-15 15:39:39 +05:30
get :show, params: { model: "note", mounted_as: "attachment", id: note.id, filename: "dk.png" }
2015-04-26 12:48:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2015-04-26 12:48:37 +05:30
end
end
end
end
end
2017-08-17 22:00:37 +05:30
2021-11-18 22:05:49 +05:30
context "when viewing a topic avatar" do
let!(:topic) { create(:topic, avatar: fixture_file_upload("spec/fixtures/dk.png", "image/png")) }
context "when signed in" do
before do
sign_in(user)
end
it "responds with status 200" do
get :show, params: { model: "projects/topic", mounted_as: "avatar", id: topic.id, filename: "dk.png" }
expect(response).to have_gitlab_http_status(:ok)
end
it_behaves_like 'content publicly cached' do
subject do
get :show, params: { model: "projects/topic", mounted_as: "avatar", id: topic.id, filename: "dk.png" }
response
end
end
end
context "when not signed in" do
it "responds with status 200" do
get :show, params: { model: "projects/topic", mounted_as: "avatar", id: topic.id, filename: "dk.png" }
expect(response).to have_gitlab_http_status(:ok)
end
it_behaves_like 'content publicly cached' do
subject do
get :show, params: { model: "projects/topic", mounted_as: "avatar", id: topic.id, filename: "dk.png" }
response
end
end
end
end
2017-08-17 22:00:37 +05:30
context 'Appearance' do
2023-03-17 16:20:25 +05:30
shared_examples 'view custom logo' do |mounted_as|
2017-08-17 22:00:37 +05:30
context 'when not signed in' do
it 'responds with status 200' do
2023-03-17 16:20:25 +05:30
get :show, params: { model: 'appearance', mounted_as: mounted_as, id: appearance.id, filename: 'dk.png' }
2017-08-17 22:00:37 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
2017-08-17 22:00:37 +05:30
end
2019-03-02 22:35:43 +05:30
it_behaves_like 'content publicly cached' do
2017-08-17 22:00:37 +05:30
subject do
2023-03-17 16:20:25 +05:30
get :show, params: { model: 'appearance', mounted_as: mounted_as, id: appearance.id, filename: 'dk.png' }
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
response
end
end
end
end
2023-03-17 16:20:25 +05:30
context 'when viewing a custom pwa icon' do
let!(:appearance) { create :appearance, pwa_icon: fixture_file_upload('spec/fixtures/dk.png', 'image/png') }
2017-08-17 22:00:37 +05:30
2023-03-17 16:20:25 +05:30
it_behaves_like 'view custom logo', 'pwa_icon'
end
2017-08-17 22:00:37 +05:30
2023-03-17 16:20:25 +05:30
context 'when viewing a custom header logo' do
let!(:appearance) { create :appearance, header_logo: fixture_file_upload('spec/fixtures/dk.png', 'image/png') }
2017-08-17 22:00:37 +05:30
2023-03-17 16:20:25 +05:30
it_behaves_like 'view custom logo', 'header_logo'
end
2018-03-17 18:26:18 +05:30
2023-03-17 16:20:25 +05:30
context 'when viewing a custom logo' do
let!(:appearance) { create :appearance, logo: fixture_file_upload('spec/fixtures/dk.png', 'image/png') }
it_behaves_like 'view custom logo', 'logo'
2017-08-17 22:00:37 +05:30
end
end
2018-11-08 19:23:39 +05:30
context 'original filename or a version filename must match' do
let!(:appearance) { create :appearance, favicon: fixture_file_upload('spec/fixtures/dk.png', 'image/png') }
context 'has a valid filename on the original file' do
it 'successfully returns the file' do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'appearance', mounted_as: 'favicon', id: appearance.id, filename: 'dk.png' }
2018-11-08 19:23:39 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:ok)
expect(response.header['Content-Disposition']).to include('filename="dk.png"')
2018-11-08 19:23:39 +05:30
end
end
context 'has an invalid filename on the original file' do
it 'returns a 404' do
2019-02-15 15:39:39 +05:30
get :show, params: { model: 'appearance', mounted_as: 'favicon', id: appearance.id, filename: 'bogus.png' }
2018-11-08 19:23:39 +05:30
2020-03-13 15:44:24 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2018-11-08 19:23:39 +05:30
end
end
end
2022-06-21 17:19:12 +05:30
context 'when viewing alert metric images' do
2022-07-16 23:28:13 +05:30
let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project) }
let_it_be(:alert) { create(:alert_management_alert, project: project) }
let_it_be(:metric_image) { create(:alert_metric_image, alert: alert) }
2022-06-21 17:19:12 +05:30
2022-07-16 23:28:13 +05:30
before_all do
2022-06-21 17:19:12 +05:30
project.add_developer(user)
2022-07-16 23:28:13 +05:30
end
before do
2022-06-21 17:19:12 +05:30
sign_in(user)
end
it "responds with status 200" do
get :show, params: { model: "alert_management_metric_image", mounted_as: 'file', id: metric_image.id, filename: metric_image.filename }
expect(response).to have_gitlab_http_status(:ok)
end
end
2023-03-17 16:20:25 +05:30
context "when viewing an achievement" do
let!(:achievement) { create(:achievement, avatar: fixture_file_upload("spec/fixtures/dk.png", "image/png")) }
context "when signed in" do
before do
sign_in(user)
end
it "responds with status 200" do
get :show, params: { model: "achievements/achievement", mounted_as: "avatar", id: achievement.id, filename: "dk.png" }
expect(response).to have_gitlab_http_status(:ok)
end
it_behaves_like 'content publicly cached' do
subject do
get :show, params: { model: "achievements/achievement", mounted_as: "avatar", id: achievement.id, filename: "dk.png" }
response
end
end
end
context "when not signed in" do
it "responds with status 200" do
get :show, params: { model: "achievements/achievement", mounted_as: "avatar", id: achievement.id, filename: "dk.png" }
expect(response).to have_gitlab_http_status(:ok)
end
it_behaves_like 'content publicly cached' do
subject do
get :show, params: { model: "achievements/achievement", mounted_as: "avatar", id: achievement.id, filename: "dk.png" }
response
end
end
end
end
2015-04-26 12:48:37 +05:30
end
2019-09-04 21:01:54 +05:30
def post_authorize(verified: true)
request.headers.merge!(workhorse_internal_api_request_header) if verified
2021-09-30 23:02:18 +05:30
post :authorize, params: params, format: :json
2019-09-04 21:01:54 +05:30
end
2015-04-26 12:48:37 +05:30
end