8e2b19dc7a
* save images as private and serve via signed url from images.info api * download private images to directory on export * fix lint errors * private s3 default, AWS.s3 module level scope, default s3 url expiry * combine regex to one, and only replace when there are matches * fix lint * code not needed anymore, remove * updates after pulling master * revert the uploadToS3FromUrl url return * use model gettr to compact code, rename to attachments api * basic checking of document read permission to allow attachment viewing * fix: Continue to upload avatars as public fix: Allow redirect for non-private attachments * add support for publicly shared documents * catch errors which crash the app during zip export and user creation * add tests * enable AWS signature v4 for s3 * switch to use factories to build models for testing * add isDocker flag for local serving of attachment redirect url * fix redirect tests Co-authored-by: Tom Moor <tom.moor@gmail.com>
87 lines
2.4 KiB
JavaScript
87 lines
2.4 KiB
JavaScript
/* eslint-disable flowtype/require-valid-file-annotation */
|
|
import TestServer from 'fetch-test-server';
|
|
import app from '../app';
|
|
import { flushdb } from '../test/support';
|
|
import {
|
|
buildUser,
|
|
buildCollection,
|
|
buildAttachment,
|
|
buildDocument,
|
|
} from '../test/factories';
|
|
|
|
const server = new TestServer(app.callback());
|
|
|
|
beforeEach(flushdb);
|
|
afterAll(server.close);
|
|
|
|
describe('#attachments.redirect', async () => {
|
|
it('should require authentication', async () => {
|
|
const res = await server.post('/api/attachments.redirect');
|
|
expect(res.status).toEqual(401);
|
|
});
|
|
|
|
it('should return a redirect for an attachment belonging to a document user has access to', async () => {
|
|
const user = await buildUser();
|
|
const attachment = await buildAttachment({
|
|
teamId: user.teamId,
|
|
userId: user.id,
|
|
});
|
|
const res = await server.post('/api/attachments.redirect', {
|
|
body: { token: user.getJwtToken(), id: attachment.id },
|
|
redirect: 'manual',
|
|
});
|
|
|
|
expect(res.status).toEqual(302);
|
|
});
|
|
|
|
it('should always return a redirect for a public attachment', async () => {
|
|
const user = await buildUser();
|
|
const collection = await buildCollection({
|
|
teamId: user.teamId,
|
|
userId: user.id,
|
|
private: true,
|
|
});
|
|
const document = await buildDocument({
|
|
teamId: user.teamId,
|
|
userId: user.id,
|
|
collectionId: collection.id,
|
|
});
|
|
const attachment = await buildAttachment({
|
|
teamId: user.teamId,
|
|
userId: user.id,
|
|
documentId: document.id,
|
|
});
|
|
|
|
const res = await server.post('/api/attachments.redirect', {
|
|
body: { token: user.getJwtToken(), id: attachment.id },
|
|
redirect: 'manual',
|
|
});
|
|
|
|
expect(res.status).toEqual(302);
|
|
});
|
|
|
|
it('should not return a redirect for a private attachment belonging to a document user does not have access to', async () => {
|
|
const user = await buildUser();
|
|
const collection = await buildCollection({
|
|
private: true,
|
|
});
|
|
const document = await buildDocument({
|
|
teamId: collection.teamId,
|
|
userId: collection.userId,
|
|
collectionId: collection.id,
|
|
});
|
|
const attachment = await buildAttachment({
|
|
teamId: document.teamId,
|
|
userId: document.userId,
|
|
documentId: document.id,
|
|
acl: 'private',
|
|
});
|
|
|
|
const res = await server.post('/api/attachments.redirect', {
|
|
body: { token: user.getJwtToken(), id: attachment.id },
|
|
});
|
|
|
|
expect(res.status).toEqual(403);
|
|
});
|
|
});
|