gitlab-org--gitlab-foss/spec/controllers/uploads_controller_spec.rb

require 'spec_helper'

describe UploadsController do
  let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }

  describe "GET show" do
    context 'Content-Disposition security measures' do
      let(:project) { create(:empty_project, :public) }

      context 'for PNG files' do
        it 'returns Content-Disposition: inline' do
          note = create(:note, :with_attachment, project: project)
          get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'

          expect(response['Content-Disposition']).to start_with('inline;')
        end
      end

      context 'for SVG files' do
        it 'returns Content-Disposition: attachment' do
          note = create(:note, :with_svg_attachment, project: project)
          get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg'

          expect(response['Content-Disposition']).to start_with('attachment;')
        end
      end
    end

    context "when viewing a user avatar" do
      context "when signed in" do
        before do
          sign_in(user)
        end

        context "when the user is blocked" do
          before do
            user.block
          end

          it "redirects to the sign in page" do
            get :show, model: "user", mounted_as: "avatar", id: user.id, filename: "image.png"

            expect(response).to redirect_to(new_user_session_path)
          end
        end

        context "when the user isn't blocked" do
          it "responds with status 200" do
            get :show, model: "user", mounted_as: "avatar", id: user.id, filename: "image.png"

            expect(response).to have_http_status(200)
          end
        end
      end

      context "when not signed in" do
        it "responds with status 200" do
          get :show, model: "user", mounted_as: "avatar", id: user.id, filename: "image.png"

          expect(response).to have_http_status(200)
        end
      end
    end

    context "when viewing a project avatar" do
      let!(:project) { create(:empty_project, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }

      context "when the project is public" do
        before do
          project.update_attribute(:visibility_level, Project::PUBLIC)
        end

        context "when not signed in" do
          it "responds with status 200" do
            get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"

            expect(response).to have_http_status(200)
          end
        end

        context "when signed in" do
          before do
            sign_in(user)
          end

          it "responds with status 200" do
            get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"

            expect(response).to have_http_status(200)
          end
        end
      end

      context "when the project is private" do
        before do
          project.update_attribute(:visibility_level, Project::PRIVATE)
        end

        context "when not signed in" do
          it "redirects to the sign in page" do
            get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"

            expect(response).to redirect_to(new_user_session_path)
          end
        end

        context "when signed in" do
          before do
            sign_in(user)
          end

          context "when the user has access to the project" do
            before do
              project.team << [user, :master]
            end

            context "when the user is blocked" do
              before do
                user.block
                project.team << [user, :master]
              end

              it "redirects to the sign in page" do
                get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"

                expect(response).to redirect_to(new_user_session_path)
              end
            end

            context "when the user isn't blocked" do
              it "responds with status 200" do
                get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"

                expect(response).to have_http_status(200)
              end
            end
          end

          context "when the user doesn't have access to the project" do
            it "responds with status 404" do
              get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"

              expect(response).to have_http_status(404)
            end
          end
        end
      end
    end

    context "when viewing a group avatar" do
      let!(:group)   { create(:group, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }

      context "when the group is public" do
        context "when not signed in" do
          it "responds with status 200" do
            get :show, model: "group", mounted_as: "avatar", id: group.id, filename: "image.png"

            expect(response).to have_http_status(200)
          end
        end

        context "when signed in" do
          before do
            sign_in(user)
          end

          it "responds with status 200" do
            get :show, model: "group", mounted_as: "avatar", id: group.id, filename: "image.png"

            expect(response).to have_http_status(200)
          end
        end
      end

      context "when the group is private" do
        before do
          group.update_attribute(:visibility_level, Gitlab::VisibilityLevel::PRIVATE)
        end

        context "when signed in" do
          before do
            sign_in(user)
          end

          context "when the user has access to the project" do
            before do
              group.add_developer(user)
            end

            context "when the user is blocked" do
              before do
                user.block
              end

              it "redirects to the sign in page" do
                get :show, model: "group", mounted_as: "avatar", id: group.id, filename: "image.png"

                expect(response).to redirect_to(new_user_session_path)
              end
            end

            context "when the user isn't blocked" do
              it "responds with status 200" do
                get :show, model: "group", mounted_as: "avatar", id: group.id, filename: "image.png"

                expect(response).to have_http_status(200)
              end
            end
          end

          context "when the user doesn't have access to the project" do
            it "responds with status 404" do
              get :show, model: "group", mounted_as: "avatar", id: group.id, filename: "image.png"

              expect(response).to have_http_status(404)
            end
          end
        end
      end
    end

    context "when viewing a note attachment" do
      let!(:note) { create(:note, :with_attachment) }
      let(:project) { note.project }

      context "when the project is public" do
        before do
          project.update_attribute(:visibility_level, Project::PUBLIC)
        end

        context "when not signed in" do
          it "responds with status 200" do
            get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"

            expect(response).to have_http_status(200)
          end
        end

        context "when signed in" do
          before do
            sign_in(user)
          end

          it "responds with status 200" do
            get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"

            expect(response).to have_http_status(200)
          end
        end
      end

      context "when the project is private" do
        before do
          project.update_attribute(:visibility_level, Project::PRIVATE)
        end

        context "when not signed in" do
          it "redirects to the sign in page" do
            get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"

            expect(response).to redirect_to(new_user_session_path)
          end
        end

        context "when signed in" do
          before do
            sign_in(user)
          end

          context "when the user has access to the project" do
            before do
              project.team << [user, :master]
            end

            context "when the user is blocked" do
              before do
                user.block
                project.team << [user, :master]
              end

              it "redirects to the sign in page" do
                get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"

                expect(response).to redirect_to(new_user_session_path)
              end
            end

            context "when the user isn't blocked" do
              it "responds with status 200" do
                get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"

                expect(response).to have_http_status(200)
              end
            end
          end

          context "when the user doesn't have access to the project" do
            it "responds with status 404" do
              get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"

              expect(response).to have_http_status(404)
            end
          end
        end
      end
    end
  end
end
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`require 'spec_helper'`

			`describe UploadsController do`
Revert "Merge branch 'avatar-cropping' into 'master' " This reverts commit 01160fc06182de89c400af174861f6545ad6ceb8, reversing changes made to 4bff9daf8b6d85e9c78565e21cfaa3f6d36f0282. 2016-03-15 12:20:54 +00:00			`let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00
			`describe "GET show" do`
Merge branch 'svg-xss-fix' into 'security' Fix for XSS vulnerability in SVG attachments See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2059 2017-02-13 22:42:46 +00:00			`context 'Content-Disposition security measures' do`
			`let(:project) { create(:empty_project, :public) }`

			`context 'for PNG files' do`
			`it 'returns Content-Disposition: inline' do`
			`note = create(:note, :with_attachment, project: project)`
			`get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'`

			`expect(response['Content-Disposition']).to start_with('inline;')`
			`end`
			`end`

			`context 'for SVG files' do`
			`it 'returns Content-Disposition: attachment' do`
			`note = create(:note, :with_svg_attachment, project: project)`
			`get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg'`

			`expect(response['Content-Disposition']).to start_with('attachment;')`
			`end`
			`end`
			`end`

Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`context "when viewing a user avatar" do`
			`context "when signed in" do`
			`before do`
			`sign_in(user)`
			`end`

			`context "when the user is blocked" do`
			`before do`
			`user.block`
			`end`

			`it "redirects to the sign in page" do`
			`get :show, model: "user", mounted_as: "avatar", id: user.id, filename: "image.png"`

			`expect(response).to redirect_to(new_user_session_path)`
			`end`
			`end`

			`context "when the user isn't blocked" do`
			`it "responds with status 200" do`
			`get :show, model: "user", mounted_as: "avatar", id: user.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`
			`end`
Fix specs 2016-03-19 00:04:53 +00:00
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`context "when not signed in" do`
			`it "responds with status 200" do`
			`get :show, model: "user", mounted_as: "avatar", id: user.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`
			`end`

			`context "when viewing a project avatar" do`
Use `empty_project` where possible in controller specs 2017-01-25 21:44:33 +00:00			`let!(:project) { create(:empty_project, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00
			`context "when the project is public" do`
			`before do`
			`project.update_attribute(:visibility_level, Project::PUBLIC)`
			`end`

			`context "when not signed in" do`
			`it "responds with status 200" do`
			`get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`

			`context "when signed in" do`
			`before do`
			`sign_in(user)`
			`end`

			`it "responds with status 200" do`
			`get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`
			`end`

			`context "when the project is private" do`
			`before do`
			`project.update_attribute(:visibility_level, Project::PRIVATE)`
			`end`

			`context "when not signed in" do`
			`it "redirects to the sign in page" do`
			`get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"`

			`expect(response).to redirect_to(new_user_session_path)`
			`end`
			`end`

			`context "when signed in" do`
			`before do`
			`sign_in(user)`
			`end`

			`context "when the user has access to the project" do`
			`before do`
			`project.team << [user, :master]`
			`end`

			`context "when the user is blocked" do`
			`before do`
			`user.block`
			`project.team << [user, :master]`
			`end`

			`it "redirects to the sign in page" do`
			`get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"`

			`expect(response).to redirect_to(new_user_session_path)`
			`end`
			`end`

			`context "when the user isn't blocked" do`
			`it "responds with status 200" do`
			`get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`
			`end`

			`context "when the user doesn't have access to the project" do`
			`it "responds with status 404" do`
			`get :show, model: "project", mounted_as: "avatar", id: project.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(404)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`
			`end`
			`end`
			`end`

			`context "when viewing a group avatar" do`
Fix specs 2016-03-19 00:04:53 +00:00			`let!(:group) { create(:group, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00
Tweaks, refactoring, and specs 2016-03-20 20:03:53 +00:00			`context "when the group is public" do`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`context "when not signed in" do`
			`it "responds with status 200" do`
			`get :show, model: "group", mounted_as: "avatar", id: group.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`

			`context "when signed in" do`
			`before do`
			`sign_in(user)`
			`end`

			`it "responds with status 200" do`
			`get :show, model: "group", mounted_as: "avatar", id: group.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`
			`end`

Tweaks, refactoring, and specs 2016-03-20 20:03:53 +00:00			`context "when the group is private" do`
Fix more specs 2016-03-20 22:09:33 +00:00			`before do`
			`group.update_attribute(:visibility_level, Gitlab::VisibilityLevel::PRIVATE)`
			`end`

Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`context "when signed in" do`
			`before do`
			`sign_in(user)`
			`end`

			`context "when the user has access to the project" do`
			`before do`
Fix more specs 2016-03-20 22:09:33 +00:00			`group.add_developer(user)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`

			`context "when the user is blocked" do`
			`before do`
			`user.block`
			`end`

			`it "redirects to the sign in page" do`
			`get :show, model: "group", mounted_as: "avatar", id: group.id, filename: "image.png"`

			`expect(response).to redirect_to(new_user_session_path)`
			`end`
			`end`

			`context "when the user isn't blocked" do`
			`it "responds with status 200" do`
			`get :show, model: "group", mounted_as: "avatar", id: group.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`
			`end`

			`context "when the user doesn't have access to the project" do`
			`it "responds with status 404" do`
			`get :show, model: "group", mounted_as: "avatar", id: group.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(404)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`
			`end`
			`end`
			`end`

			`context "when viewing a note attachment" do`
			`let!(:note) { create(:note, :with_attachment) }`
			`let(:project) { note.project }`

			`context "when the project is public" do`
			`before do`
			`project.update_attribute(:visibility_level, Project::PUBLIC)`
			`end`

			`context "when not signed in" do`
			`it "responds with status 200" do`
			`get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`

			`context "when signed in" do`
			`before do`
			`sign_in(user)`
			`end`

			`it "responds with status 200" do`
			`get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`
			`end`

			`context "when the project is private" do`
			`before do`
			`project.update_attribute(:visibility_level, Project::PRIVATE)`
			`end`

			`context "when not signed in" do`
			`it "redirects to the sign in page" do`
			`get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"`

			`expect(response).to redirect_to(new_user_session_path)`
			`end`
			`end`

			`context "when signed in" do`
			`before do`
			`sign_in(user)`
			`end`

			`context "when the user has access to the project" do`
			`before do`
			`project.team << [user, :master]`
			`end`

			`context "when the user is blocked" do`
			`before do`
			`user.block`
			`project.team << [user, :master]`
			`end`

			`it "redirects to the sign in page" do`
			`get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"`

			`expect(response).to redirect_to(new_user_session_path)`
			`end`
			`end`

			`context "when the user isn't blocked" do`
			`it "responds with status 200" do`
			`get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(200)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`
			`end`

			`context "when the user doesn't have access to the project" do`
			`it "responds with status 404" do`
			`get :show, model: "note", mounted_as: "attachment", id: note.id, filename: "image.png"`

Use HTTP matchers if possible 2016-06-27 18:10:42 +00:00			`expect(response).to have_http_status(404)`
Reject access to group/project avatar if the user doesn't have access. 2015-03-10 13:50:42 +00:00			`end`
			`end`
			`end`
			`end`
			`end`
			`end`
			`end`