mirror of
https://github.com/NodeBB/NodeBB.git
synced 2025-10-31 19:15:58 +01:00
d20b07cfea
* feat: webpack 5 part 1 * fix: gruntfile fixes * fix: fix taskbar warning add app.importScript copy public/src/modules to build folder * refactor: remove commented old code * feat: reenable admin * fix: acp settings pages, fix sortable on manage categories embedded require in html not allowed * fix: bundle serialize/deserizeli so plugins dont break * test: fixe util tests * test: fix require path * test: more test fixes * test: require correct utils module * test: require correct utils * test: log stack * test: fix db require blowing up tests * test: move and disable bundle test * refactor: add aliases * test: disable testing route * fix: move webpack modules necessary for build, into `dependencies` * test: fix one more test remove 500-embed.tpl * fix: restore use of assets/nodebb.min.js, at least for now * fix: remove unnecessary line break * fix: point to proper ACP bundle * test: maybe fix build test * test: composer * refactor: dont need dist * refactor: more cleanup use everything from build/public folder * get rid of conditional import in app.js * fix: ace * refactor: cropper alias * test: lint and test fixes * lint: fix * refactor: rename function to app.require * refactor: go back to using app.require * chore: use github branch * chore: use webpack branch * feat: webpack webinstaller * feat: add chunkFile name with contenthash * refactor: move hooks to top * refactor: get rid of template500Function * fix(deps): use webpack5 branch of 2factor plugin * chore: tagging v2.0.0-beta.0 pre-release version 💥 :shipit: 🎉 🚀 * refactor: disable cache on templates loadTemplate is called once by benchpress and the result is cache internally * refactor: add server side helpers.js * feat: deprecate /plugins shorthand route, closes #10343 * refactor: use build/public for webpack * test: fix filename * fix: more specific selector * lint: ignore * refactor: fix comments * test: add debug for random failing test * refactor: cleanup remove test page, remove dupe functions in utils.common * lint: use relative path for now * chore: bump prerelease version * feat: add translateKeys * fix: optional params * fix: get rid of extra timeago files * refactor: cleanup, require timeago locale earlier remove translator.prepareDOM, it is in header.tpl html tag * refactor: privileges system to use a Map in the backend instead of separate objects for keys and labels (#10378) * refactor: privileges system to use a Map in the backend instead of separate objects for keys and labels - Existing hooks are preserved (to be deprecated at a later date, possibly) - New init hooks are called on NodeBB start, and provide a one-stop shop to add new privileges, instead of having to add to four different hooks * docs: fix typo in comment * test: spec changes * refactor: privileges system to use a Map in the backend instead of separate objects for keys and labels (#10378) * refactor: privileges system to use a Map in the backend instead of separate objects for keys and labels - Existing hooks are preserved (to be deprecated at a later date, possibly) - New init hooks are called on NodeBB start, and provide a one-stop shop to add new privileges, instead of having to add to four different hooks * docs: fix typo in comment * test: spec changes * feat: allow app.require('bootbox'/'benchpressjs') * refactor: require server side utils * test: jquery ready * change istaller to use build/public * test: use document.addEventListener * refactor: closes #10301 * refactor: generateTopicClass * fix: column counts for other privileges * fix: #10443, regression where sorted-list items did not render into the DOM in the predicted order [breaking] * fix: typo in hook name * refactor: introduce a generic autocomplete.init() method that can be called to add nodebb-style autocompletion but using different data sources (e.g. not user/groups/tags) * fix: crash if `delay` not passed in (as it cannot be destructured) * refactor: replace substr * feat: set --panel-offset style in html element based on stored value in localStorage * refactor: addDropupHandler() logic to be less naive - Take into account height of the menu - Don't apply dropUp logic if there's nothing in the dropdown - Remove 'hidden' class (added by default in Persona for post tools) when menu items are added closes #10423 * refactor: simplify utils.params [breaking] Retrospective analysis of the usage of this method suggests that the options passed in are superfluous, and that only `url` is required. Using a browser built-in makes more sense to accomplish what this method sets out to do. * feat: add support for returning full URLSearchParams for utils.params * fix: utils.params() fallback handling * fix: default empty obj for params() * fix: remove \'loggedin\' and \'register\' qs parameters once they have been used, delay invocation of messages until ajaxify.end * fix: utils.params() not allowing relative paths to be passed in * refactor(DRY): new assertPasswordValidity utils method * fix: incorrect error message returned on insufficient privilege on flag edit * fix: read/update/delete access to flags API should be limited for moderators to only post flags in categories they moderate - added failing tests and patched up middleware.assert.flags to fix * refactor: flag api v3 tests to create new post and flags on every round * fix: missing error:no-flag language key * refactor: flags.canView to check flag existence, simplify middleware.assert.flag * feat: flag deletion API endpoint, #10426 * feat: UI for flag deletion, closes #10426 * chore: update plugin versions * chore: up emoji * chore: update markdown * chore: up emoji-android * fix: regression caused by utils.params() refactor, supports arrays and pipes all values through utils.toType, adjusts tests to type check Co-authored-by: Julian Lam <julian@nodebb.org>
167 lines
5.1 KiB
JavaScript
167 lines
5.1 KiB
JavaScript
'use strict';
|
|
|
|
const assert = require('assert');
|
|
const path = require('path');
|
|
const fs = require('fs');
|
|
const crypto = require('crypto');
|
|
|
|
const nconf = require('nconf');
|
|
const db = require('../mocks/databasemock');
|
|
|
|
const user = require('../../src/user');
|
|
const topics = require('../../src/topics');
|
|
const categories = require('../../src/categories');
|
|
const file = require('../../src/file');
|
|
const utils = require('../../src/utils');
|
|
|
|
const md5 = filename => crypto.createHash('md5').update(filename).digest('hex');
|
|
|
|
describe('uploads.js', () => {
|
|
describe('.associateUpload()', () => {
|
|
let uid;
|
|
let relativePath;
|
|
|
|
beforeEach(async () => {
|
|
uid = await user.create({
|
|
username: utils.generateUUID(),
|
|
password: utils.generateUUID(),
|
|
gdpr_consent: 1,
|
|
});
|
|
relativePath = `files/${utils.generateUUID()}`;
|
|
|
|
fs.closeSync(fs.openSync(path.join(nconf.get('upload_path'), relativePath), 'w'));
|
|
});
|
|
|
|
it('should associate an uploaded file to a user', async () => {
|
|
await user.associateUpload(uid, relativePath);
|
|
const uploads = await db.getSortedSetMembers(`uid:${uid}:uploads`);
|
|
const uploadObj = await db.getObject(`upload:${md5(relativePath)}`);
|
|
|
|
assert.strictEqual(uploads.length, 1);
|
|
assert.deepStrictEqual(uploads, [relativePath]);
|
|
assert.strictEqual(parseInt(uploadObj.uid, 10), uid);
|
|
});
|
|
|
|
it('should throw an error if the path is invalid', async () => {
|
|
try {
|
|
await user.associateUpload(uid, `${relativePath}suffix`);
|
|
} catch (e) {
|
|
assert(e);
|
|
assert.strictEqual(e.message, '[[error:invalid-path]]');
|
|
}
|
|
|
|
const uploads = await db.getSortedSetMembers(`uid:${uid}:uploads`);
|
|
|
|
assert.strictEqual(uploads.length, 0);
|
|
assert.deepStrictEqual(uploads, []);
|
|
});
|
|
|
|
it('should guard against path traversal', async () => {
|
|
try {
|
|
await user.associateUpload(uid, `../../config.json`);
|
|
} catch (e) {
|
|
assert(e);
|
|
assert.strictEqual(e.message, '[[error:invalid-path]]');
|
|
}
|
|
|
|
const uploads = await db.getSortedSetMembers(`uid:${uid}:uploads`);
|
|
|
|
assert.strictEqual(uploads.length, 0);
|
|
assert.deepStrictEqual(uploads, []);
|
|
});
|
|
});
|
|
|
|
describe('.deleteUpload', () => {
|
|
let uid;
|
|
let relativePath;
|
|
|
|
beforeEach(async () => {
|
|
uid = await user.create({
|
|
username: utils.generateUUID(),
|
|
password: utils.generateUUID(),
|
|
gdpr_consent: 1,
|
|
});
|
|
relativePath = `files/${utils.generateUUID()}`;
|
|
|
|
fs.closeSync(fs.openSync(path.join(nconf.get('upload_path'), relativePath), 'w'));
|
|
await user.associateUpload(uid, relativePath);
|
|
});
|
|
|
|
it('should remove the upload from the user\'s uploads zset', async () => {
|
|
await user.deleteUpload(uid, uid, relativePath);
|
|
|
|
const uploads = await db.getSortedSetMembers(`uid:${uid}:uploads`);
|
|
assert.deepStrictEqual(uploads, []);
|
|
});
|
|
|
|
it('should delete the file from disk', async () => {
|
|
let exists = await file.exists(`${nconf.get('upload_path')}/${relativePath}`);
|
|
assert.strictEqual(exists, true);
|
|
|
|
await user.deleteUpload(uid, uid, relativePath);
|
|
|
|
exists = await file.exists(`${nconf.get('upload_path')}/${relativePath}`);
|
|
assert.strictEqual(exists, false);
|
|
});
|
|
|
|
it('should clean up references to it from the database', async () => {
|
|
const hash = md5(relativePath);
|
|
let exists = await db.exists(`upload:${hash}`);
|
|
assert.strictEqual(exists, true);
|
|
|
|
await user.deleteUpload(uid, uid, relativePath);
|
|
exists = await db.exists(`upload:${hash}`);
|
|
assert.strictEqual(exists, false);
|
|
});
|
|
|
|
it('should accept multiple paths', async () => {
|
|
const secondPath = `files/${utils.generateUUID()}`;
|
|
fs.closeSync(fs.openSync(path.join(nconf.get('upload_path'), secondPath), 'w'));
|
|
await user.associateUpload(uid, secondPath);
|
|
|
|
assert.strictEqual(await db.sortedSetCard(`uid:${uid}:uploads`), 2);
|
|
|
|
await user.deleteUpload(uid, uid, [relativePath, secondPath]);
|
|
|
|
assert.strictEqual(await db.sortedSetCard(`uid:${uid}:uploads`), 0);
|
|
assert.deepStrictEqual(await db.getSortedSetMembers(`uid:${uid}:uploads`), []);
|
|
});
|
|
|
|
it('should throw an error on a non-existant file', async () => {
|
|
try {
|
|
await user.deleteUpload(uid, uid, `${relativePath}asdbkas`);
|
|
} catch (e) {
|
|
assert(e);
|
|
assert.strictEqual(e.message, '[[error:invalid-path]]');
|
|
}
|
|
});
|
|
|
|
it('should guard against path traversal', async () => {
|
|
assert.strictEqual(await file.exists(path.resolve(nconf.get('upload_path'), '../../config.json')), true);
|
|
|
|
try {
|
|
await user.deleteUpload(uid, uid, `../../config.json`);
|
|
} catch (e) {
|
|
assert(e);
|
|
assert.strictEqual(e.message, '[[error:invalid-path]]');
|
|
}
|
|
});
|
|
|
|
it('should remove the post association as well, if present', async () => {
|
|
const { cid } = await categories.create({ name: utils.generateUUID() });
|
|
const { postData } = await topics.post({
|
|
uid,
|
|
cid,
|
|
title: utils.generateUUID(),
|
|
content: `[an upload](/assets/uploads/${relativePath})`,
|
|
});
|
|
|
|
assert.deepStrictEqual(await db.getSortedSetMembers(`upload:${md5(relativePath)}:pids`), [postData.pid.toString()]);
|
|
|
|
await user.deleteUpload(uid, uid, relativePath);
|
|
|
|
assert.strictEqual(await db.exists(`upload:${md5(relativePath)}:pids`), false);
|
|
});
|
|
});
|
|
});
|