Skip to content

Commit

Permalink
[FIX] *.files endpoints returning hidden files (#27617)
Browse files Browse the repository at this point in the history
  • Loading branch information
@sampaiodiego
sampaiodiego committed Jan 25, 2023
1 parent 623fcce commit aebe496
Show file tree
Hide file tree
Showing 5 changed files with 251 additions and 207 deletions.
18 changes: 15 additions & 3 deletions apps/meteor/server/models/raw/Uploads.ts
View file
@@ -1,7 +1,18 @@
// TODO: Lib imports should not exists inside the raw models
import type { IUpload, RocketChatRecordDeleted } from '@rocket.chat/core-typings';
import type { FindPaginated, IUploadsModel } from '@rocket.chat/model-typings';
import type { Collection, FindCursor, Db, DeleteResult, IndexDescription, InsertOneResult, UpdateResult, WithId, Filter } from 'mongodb';
import type {
Collection,
FindCursor,
Db,
DeleteResult,
IndexDescription,
InsertOneResult,
UpdateResult,
WithId,
Filter,
FindOptions,
} from 'mongodb';
import { escapeRegExp } from '@rocket.chat/string-helpers';

import { BaseRaw } from './BaseRaw';
Expand All @@ -20,7 +31,7 @@ export class UploadsRaw extends BaseRaw<IUpload> implements IUploadsModel {
}

protected modelIndexes(): IndexDescription[] {
return [{ key: { rid: 1 } }, { key: { uploadedAt: 1 } }, { key: { typeGroup: 1 } }];
return [{ key: { uploadedAt: -1 } }, { key: { rid: 1, _hidden: 1, typeGroup: 1 } }];
}

findNotHiddenFilesOfRoom(roomId: string, searchText: string, fileType: string, limit: number): FindCursor<IUpload> {
Expand Down Expand Up @@ -100,10 +111,11 @@ export class UploadsRaw extends BaseRaw<IUpload> implements IUploadsModel {
return this.deleteOne({ _id: fileId });
}

findPaginatedWithoutThumbs(query: Filter<IUpload> = {}, options?: any): FindPaginated<FindCursor<WithId<IUpload>>> {
findPaginatedWithoutThumbs(query: Filter<IUpload> = {}, options?: FindOptions<IUpload>): FindPaginated<FindCursor<WithId<IUpload>>> {
return this.findPaginated(
{
...query,
_hidden: { $ne: true },
typeGroup: { $ne: 'thumb' },
},
options,
Expand Down
224 changes: 224 additions & 0 deletions apps/meteor/tests/data/uploads.helper.ts
View file
@@ -0,0 +1,224 @@
import type { Response } from 'supertest';
import { expect } from 'chai';

import { api, request, credentials } from './api-data.js';
import { password } from './user.js';
import { createUser, login } from './users.helper';
import { imgURL } from './interactions.js';
import { updateSetting } from './permissions.helper';
import { createRoom } from './rooms.helper';
import { createVisitor } from './livechat/rooms';

export async function testFileUploads(filesEndpoint: 'channels.files' | 'groups.files' | 'im.files', room: { _id: string; name?: string; t: string;}, invalidRoomError = 'error-room-not-found') {
before(async function () {
await updateSetting('VoIP_Enabled', true);
await updateSetting('Message_KeepHistory', true);
});

after(async function () {
await updateSetting('VoIP_Enabled', false);
await updateSetting('Message_KeepHistory', false);
});

console.log('filesEndpoint', filesEndpoint, room);

const createVoipRoom = async function () {
const testUser = await createUser({ roles: ['user', 'livechat-agent'] });
const testUserCredentials = await login(testUser.username, password);
const visitor = await createVisitor();
const roomResponse = await createRoom({
token: visitor.token,
type: 'v',
agentId: testUser._id,
credentials: testUserCredentials,
name: null,
username: null,
members: null,
});
return roomResponse.body.room;
};

it('should fail if invalid channel', function (done) {
request
.get(api(filesEndpoint))
.set(credentials)
.query({
roomId: 'invalid',
})
.expect('Content-Type', 'application/json')
.expect(400)
.expect(function (res: Response) {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('errorType', invalidRoomError);
})
.end(done);
});

it('should fail for room type v', async function () {
const { _id } = await createVoipRoom();
request
.get(api(filesEndpoint))
.set(credentials)
.query({
roomId: _id,
})
.expect('Content-Type', 'application/json')
.expect(400)
.expect(function (res: Response) {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('errorType', 'error-room-not-found');
});
});

it('should succeed when searching by roomId', function (done) {
console.log('room._id ->', room._id);
request
.get(api(filesEndpoint))
.set(credentials)
.query({
roomId: room._id,
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect(function (res: Response) {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('files').and.to.be.an('array');
})
.end(done);
});

it('should succeed when searching by roomId even requested with count and offset params', function (done) {
request
.get(api(filesEndpoint))
.set(credentials)
.query({
roomId: room._id,
count: 5,
offset: 0,
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect(function (res: Response) {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('files').and.to.be.an('array');
})
.end(done);
});

it('should succeed when searching by roomName', function (done) {
if (!room.name) {
this.skip();
}
request
.get(api(filesEndpoint))
.set(credentials)
.query({
roomName: room.name,
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect(function (res: Response) {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('files').and.to.be.an('array');
})
.end(done);
});

it('should succeed when searching by roomName even requested with count and offset params', function (done) {
if (!room.name) {
this.skip();
}
request
.get(api(filesEndpoint))
.set(credentials)
.query({
roomName: room.name,
count: 5,
offset: 0,
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect(function (res: Response) {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('files').and.to.be.an('array');
})
.end(done);
});

it('should not return thumbnails', async function () {
await request
.post(api(`rooms.upload/${room._id}`))
.set(credentials)
.attach('file', imgURL)
.expect('Content-Type', 'application/json')
.expect(200)
.expect(function (res: Response) {
expect(res.body).to.have.property('success', true);
});

await request
.get(api(filesEndpoint))
.set(credentials)
.query({
roomId: room._id,
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect(function (res: Response) {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('files').and.to.be.an('array').with.lengthOf(1);

const { files } = res.body;

files.forEach(function (file: unknown) {
expect(file).to.not.have.property('originalFileId');
});
});
});

it('should not return hidden files', async function () {
let msgId;
let fileId: string;

await request
.post(api(`rooms.upload/${room._id}`))
.set(credentials)
.attach('file', imgURL)
.expect('Content-Type', 'application/json')
.expect(200)
.expect(function (res: Response) {
expect(res.body).to.have.property('success', true);

msgId = res.body.message._id;
fileId = res.body.message.file._id;
});

await request
.post(api('chat.delete'))
.set(credentials)
.send({
roomId: room._id,
msgId,
})
.expect('Content-Type', 'application/json')
.expect(200);

await request
.get(api(filesEndpoint))
.set(credentials)
.query({
roomId: room._id,
})
.expect('Content-Type', 'application/json')
.expect(200)
.expect(function (res: Response) {
expect(res.body).to.have.property('success', true);
expect(res.body).to.have.property('files').and.to.be.an('array').with.lengthOf(1);

const { files } = res.body;
files.forEach(function (file: unknown) {
expect(file).to.have.property('_id').to.not.be.equal(fileId);
});
});
});
}

0 comments on commit aebe496

Please sign in to comment.