From 920edf88e7b29fe25345d060cea8ef19f1291194 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Fri, 12 Jul 2013 13:16:25 +0200
Subject: [PATCH] Test allowedExtensions in UploadField, return correct HTTP status
---
 forms/UploadField.php | 2 ++
 tests/forms/uploadfield/UploadFieldTest.php | 33 ++++++++++++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/forms/UploadField.php b/forms/UploadField.php
index 2766b028fcb..cf02fe67614 100644
--- a/forms/UploadField.php
+++ b/forms/UploadField.php
@@ -525,6 +525,7 @@ public function upload(SS_HTTPRequest $request) {
 }
 // Get the uploaded file into a new file object.
+ // The loadIntoFile() method also validates constraints like allowed extensions
 try {
 $this->upload->loadIntoFile($tmpfile, $fileObject, $this->folderName);
 } catch (Exception $e) {
@@ -559,6 +560,7 @@ public function upload(SS_HTTPRequest $request) {
 }
 $response = new SS_HTTPResponse(Convert::raw2json(array($return)));
 $response->addHeader('Content-Type', 'text/plain');
+ if($return['error']) $response->setStatusCode(403);
 return $response;
 }
diff --git a/tests/forms/uploadfield/UploadFieldTest.php b/tests/forms/uploadfield/UploadFieldTest.php
index 9543414ab35..6da1d3844b0 100644
--- a/tests/forms/uploadfield/UploadFieldTest.php
+++ b/tests/forms/uploadfield/UploadFieldTest.php
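Review bot: The added `if($return['error']) $response->setStatusCode(403);` in `upload()` of forms/UploadField.php answers every failure that reaches this point with 403, so a file rejected by the validator (the extension check the new comment mentions) looks the same in access logs and to the client as a real permission denial. If that is intended, state it in a comment such as `// Any upload error is reported as 403 so the client never treats the JSON body as success`; otherwise keep 403 for the permission checks and use a validation status for rejected files. The condition also indexes `$return['error']` directly, and the code that builds `$return` is outside this hunk; if any path can leave the key unset, `if(!empty($return['error'])) $response->setStatusCode(403);` avoids an undefined-index notice. `upload()` starts outside the hunk.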
@@ -123,6 +123,33 @@ public function testUploadManyManyRelation() {
 $this->assertEquals($record->ManyManyFiles()->Last()->Name, $tmpFileName);
 }
+ /**
+ * Partially covered by {@link UploadTest->testUploadAcceptsAllowedExtension()},
+ * but this test additionally verifies that those constraints are actually enforced
+ * in this controller method.
+ */
+ public function testAllowedExtensions() {
+ $this->loginWithPermission('ADMIN');
+
+ $invalidFile = 'invalid.php';
+ $_FILES = array('AllowedExtensionsField' => $this->getUploadFile($invalidFile));
+ $response = $this->post(
+ 'UploadFieldTest_Controller/Form/field/AllowedExtensionsField/upload',
+ array('AllowedExtensionsField' => $this->getUploadFile($invalidFile))
+ );
+ $this->assertTrue($response->isError());
+ $this->assertContains('Extension is not allowed', $response->getBody());
+
+ $validFile = 'valid.jpg';
+ $_FILES = array('AllowedExtensionsField' => $this->getUploadFile($validFile));
+ $response = $this->post(
+ 'UploadFieldTest_Controller/Form/field/AllowedExtensionsField/upload',
+ array('AllowedExtensionsField' => $this->getUploadFile($validFile))
+ );
+ $this->assertFalse($response->isError());
+ $this->assertNotContains('Extension is not allowed', $response->getBody());
+ }
+
 public function testAllowedMaxFileNumberWithHasOne() {
 $this->loginWithPermission('ADMIN');
@@ -831,6 +858,9 @@ public function Form() {
 $fieldCanAttachExisting->setConfig('canAttachExisting', false);
 $fieldCanAttachExisting->setRecord($record);
+ $fieldAllowedExtensions = new UploadField('AllowedExtensionsField');
+ $fieldAllowedExtensions->getValidator()->setAllowedExtensions(array('jpg'));
+
 $form = new Form(
 $this,
 'Form',
@@ -847,7 +877,8 @@ public function Form() {
 $fieldDisabled,
 $fieldSubfolder,
 $fieldCanUploadFalse,
- $fieldCanAttachExisting
+ $fieldCanAttachExisting,
+ $fieldAllowedExtensions
 ),
 new FieldList(
 new FormAction('submit')
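Review bot: The rejection half of `testAllowedExtensions()` asserts only `isError()` and the message text, so it neither pins the 403 this commit introduces nor proves that `invalid.php` was kept off disk. Add `$this->assertEquals(403, $response->getStatusCode());` after the first `post()`, and an assertion that no file with that name exists in the field's upload folder once the request returns. The test also overwrites `$_FILES` and never restores it, which can leak the fixture into later tests unless the base class resets it (not visible here). Only a lowercase, single-extension name is exercised; a mixed-case name would pin how the allow-list compares extensions.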