diff options
Diffstat (limited to 'spec/controllers/projects/design_management/designs/raw_images_controller_spec.rb')
-rw-r--r-- | spec/controllers/projects/design_management/designs/raw_images_controller_spec.rb | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/spec/controllers/projects/design_management/designs/raw_images_controller_spec.rb b/spec/controllers/projects/design_management/designs/raw_images_controller_spec.rb new file mode 100644 index 00000000000..30d2b79a92f --- /dev/null +++ b/spec/controllers/projects/design_management/designs/raw_images_controller_spec.rb @@ -0,0 +1,153 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe Projects::DesignManagement::Designs::RawImagesController do + include DesignManagementTestHelpers + + let_it_be(:project) { create(:project, :private) } + let_it_be(:issue) { create(:issue, project: project) } + let_it_be(:viewer) { issue.author } + let(:design_id) { design.id } + let(:sha) { design.versions.first.sha } + let(:filename) { design.filename } + + before do + enable_design_management + end + + describe 'GET #show' do + subject do + get(:show, + params: { + namespace_id: project.namespace, + project_id: project, + design_id: design_id, + sha: sha + }) + end + + before do + sign_in(viewer) + end + + context 'when the design is not an LFS file' do + let_it_be(:design) { create(:design, :with_file, issue: issue, versions_count: 2) } + + # For security, .svg images should only ever be served with Content-Disposition: attachment. + # If this specs ever fails we must assess whether we should be serving svg images. + # See https://gitlab.com/gitlab-org/gitlab/issues/12771 + it 'serves files with `Content-Disposition: attachment`' do + subject + + expect(response.header['Content-Disposition']).to eq('attachment') + expect(response).to have_gitlab_http_status(:ok) + end + + it 'serves files with Workhorse' do + subject + + expect(response.header[Gitlab::Workhorse::DETECT_HEADER]).to eq "true" + expect(response.header[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with('git-blob:') + expect(response).to have_gitlab_http_status(:ok) + end + + it_behaves_like 'project cache control headers' + + context 'when the user does not have permission' do + let_it_be(:viewer) { create(:user) } + + specify do + subject + + expect(response).to have_gitlab_http_status(:not_found) + end + end + + context 'when design does not exist' do + let(:design_id) { 'foo' } + + specify do + subject + + expect(response).to have_gitlab_http_status(:not_found) + end + end + + describe 'sha param' do + let(:newest_version) { design.versions.ordered.first } + let(:oldest_version) { design.versions.ordered.last } + + shared_examples 'a successful request for sha' do + it do + expect_next_instance_of(DesignManagement::Repository) do |repository| + expect(repository).to receive(:blob_at).with(expected_ref, design.full_path).and_call_original + end + + subject + + expect(response).to have_gitlab_http_status(:ok) + end + end + + specify { expect(newest_version.sha).not_to eq(oldest_version.sha) } + + context 'when sha is the newest version sha' do + let(:sha) { newest_version.sha } + let(:expected_ref) { sha } + + it_behaves_like 'a successful request for sha' + end + + context 'when sha is the oldest version sha' do + let(:sha) { oldest_version.sha } + let(:expected_ref) { sha } + + it_behaves_like 'a successful request for sha' + end + + context 'when sha is nil' do + let(:sha) { nil } + let(:expected_ref) { 'master' } + + it_behaves_like 'a successful request for sha' + end + end + end + + context 'when the design is an LFS file' do + let_it_be(:design) { create(:design, :with_lfs_file, issue: issue) } + + # For security, .svg images should only ever be served with Content-Disposition: attachment. + # If this specs ever fails we must assess whether we should be serving svg images. + # See https://gitlab.com/gitlab-org/gitlab/issues/12771 + it 'serves files with `Content-Disposition: attachment`' do + subject + + expect(response.header['Content-Disposition']).to eq(%Q(attachment; filename=\"#{filename}\"; filename*=UTF-8''#{filename})) + end + + it 'sets appropriate caching headers' do + subject + + expect(response.header['ETag']).to be_present + expect(response.header['Cache-Control']).to eq("max-age=60, private") + end + end + + # Pass `skip_lfs_disabled_tests: true` to this shared example to disable + # the test scenarios for when LFS is disabled globally. + # + # When LFS is disabled then the design management feature also becomes disabled. + # When the feature is disabled, the `authorize :read_design` check within the + # controller will never authorize the user. Therefore #show will return a 403 and + # we cannot test the data that it serves. + it_behaves_like 'a controller that can serve LFS files', skip_lfs_disabled_tests: true do + let(:file) { fixture_file_upload('spec/fixtures/dk.png', '`/png') } + let(:lfs_pointer) { Gitlab::Git::LfsPointerFile.new(file.read) } + let(:design) { create(:design, :with_lfs_file, file: lfs_pointer.pointer, issue: issue) } + let(:lfs_oid) { project.design_repository.blob_at('HEAD', design.full_path).lfs_oid } + let(:filepath) { design.full_path } + end + end +end |