#247095: Upload.module hard-codes 'view uploaded files' permission check has been fixed in D7 but we don't have a test for it, so opening this issue.
Steps to reproduce from the original issue which need to be converted into a patch:
To test this you'd need to:
- enable private file transfers
- grant one role 'view uploaded files' permissions
- upload files to a node
- determine the download URL of the uploaded file
- log in as the user with the 'view uploaded files' permissions and ensure that they're able to view the file
- log in as the user without the 'view uploaded files' permissions and ensure that they aren't able to view the file
Comment | File | Size | Author |
---|---|---|---|
#7 | upload_test.patch | 8.45 KB | andreiashu |
#5 | upload_test.patch | 4.95 KB | andreiashu |
Comments
Comment #1
Damien Tournoud CreditAttribution: Damien Tournoud commentedBroadening the scope.
Comment #2
andreiashu CreditAttribution: andreiashu commentedI'll try to take on this one.
I'll give you status in a few hours.
Edit: i need to enable upload module too :)
Edit2: i now saw that is is already enabled ('parent::setUp('upload');')
Comment #3
andreiashu CreditAttribution: andreiashu commentedI'm working on the test but i have a problem at "determine the download URL of the uploaded file". In our case the download URL of the uploaded file should be in the form of 'system/files/FILENAME' right ? Not something like file_directory_path() . '/FILENAME'.
Comment #4
Damien Tournoud CreditAttribution: Damien Tournoud commented@andreiashu: you can probably directly use
file_create_url()
.Comment #5
andreiashu CreditAttribution: andreiashu commentedIt needs some little more work. I'll review it in a couple of hours.
@Damien Tournoud: thanks, it your suggestion came at the right time.
Comment #6
Damien Tournoud CreditAttribution: Damien Tournoud commentedQuick review:
You don't need to specify items that you don't want to change (here you can drop 'file_directory_path' and 'file_downloads'). Also, please use the
FILE_DOWNLOADS_PRIVATE
constant instead of the '2').The assert messages have to go thru
t()
(even if they are not translated, yet). That will allow you to write them in the formt("Uploaded @file is accessible for user with the 'view uploaded files' permission.", array('@file' => $file_url))
. Also, please use"
when you need to have single-quotes in your strings. That's cleaner.Finally, you should extend
UploadTestCase
or integrate your test in that class. This way, you wouldn't have to redefineuploadFile()
andcheckUploadedFile()
.Comment #7
andreiashu CreditAttribution: andreiashu commentedRefactored.
Edit: reattached the correct patch this time.
Comment #8
lilou CreditAttribution: lilou commentedComment #9
chx CreditAttribution: chx commentedAs there is ongoing work already why did you move this to the testing party?
Comment #10
catchStill applies with some fuzz. A few code style issues - some functions missing documentaion, comments should start with a capital letter and end with a full stop etc. All minor stuff and otherwise it looks pretty good :)
Comment #11
catchFixing the critical / pending bugs queues to reflect things which are really bugs or release critical.