Add tests to ensure that verification does/does't happen depending on…

… context
instructure · Jan 3, 2018 · b8d6f36 · b8d6f36
1 parent f11849a
commit b8d6f36
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/spec/controllers/files_controller_spec.rb b/spec/controllers/files_controller_spec.rb
@@ -53,6 +53,10 @@ def user_file
     @file = factory_with_protected_attributes(@user.attachments, :uploaded_data => io)
   end
 
+  def account_js_file
+    @file = factory_with_protected_attributes(@account.attachments, :uploaded_data => fixture_file_upload('test.js', 'text/javascript', false))
+  end
+
   def folder_file
     @file = @folder.active_file_attachments.build(:uploaded_data => io)
     @file.context = @course
@@ -652,6 +656,35 @@ def test_path(path)
         assert_unauthorized
       end
     end
+
+    context "account-context files" do
+      before :once do
+        @account = account_model
+      end
+
+      before :each do
+        allow(HostUrl).to receive(:file_host).and_return('files.test')
+        request.host = 'files.test'
+        user_session(@teacher)
+      end
+
+      it "should skip verification for an account-context file" do
+        account_js_file
+        verifier = Attachments::Verification.new(@file).verifier_for_user(nil)
+        ts, sf_verifier = @teacher.access_verifier
+        get 'show_relative', params: { :download => 1, :inline => 1, :sf_verifier => sf_verifier, :ts => ts, :user_id => @teacher.id, :verifier => verifier, :account_id => @account.id, :file_id => @file.id, :file_path => @file.full_path }
+        expect(response).to be_success
+      end
+
+      it "should enforce verification for contexts other than account" do
+        course_file
+        verifier = Attachments::Verification.new(@file).verifier_for_user(nil)
+        ts, sf_verifier = @teacher.access_verifier
+        get 'show_relative', params: { :download => 1, :inline => 1, :sf_verifier => sf_verifier, :ts => ts, :user_id => @teacher.id, :verifier => verifier, :account_id => @account.id, :file_id => @file.id, :file_path => @file.full_path }
+        assert_unauthorized
+      end
+
+    end
   end
 
   describe "POST 'create'" do

diff --git a/spec/fixtures/test.js b/spec/fixtures/test.js
@@ -0,0 +1 @@
+console.log('This is totally not a malicious JavaScript file.')