1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
|
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Projects::DesignManagement::Designs::RawImagesController do
include DesignManagementTestHelpers
let_it_be(:project) { create(:project, :private) }
let_it_be(:issue) { create(:issue, project: project) }
let_it_be(:viewer) { issue.author }
let(:design_id) { design.id }
let(:sha) { design.versions.first.sha }
let(:filename) { design.filename }
before do
enable_design_management
end
describe 'GET #show' do
subject do
get(:show,
params: {
namespace_id: project.namespace,
project_id: project,
design_id: design_id,
sha: sha
})
end
before do
sign_in(viewer)
end
context 'when the design is not an LFS file' do
let_it_be(:design) { create(:design, :with_file, issue: issue, versions_count: 2) }
# For security, .svg images should only ever be served with Content-Disposition: attachment.
# If this specs ever fails we must assess whether we should be serving svg images.
# See https://gitlab.com/gitlab-org/gitlab/issues/12771
it 'serves files with `Content-Disposition` header set to attachment plus the filename' do
subject
expect(response.header['Content-Disposition']).to match "attachment; filename=\"#{design.filename}\""
expect(response).to have_gitlab_http_status(:ok)
end
context 'when the feature flag attachment_with_filename is disabled' do
it 'serves files with just `attachment` in the disposition header' do
stub_feature_flags(attachment_with_filename: false)
subject
expect(response.header['Content-Disposition']).to eq('attachment')
expect(response).to have_gitlab_http_status(:ok)
end
end
it 'serves files with Workhorse' do
subject
expect(response.header[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
expect(response.header[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with('git-blob:')
expect(response).to have_gitlab_http_status(:ok)
end
it_behaves_like 'project cache control headers'
context 'when the user does not have permission' do
let_it_be(:viewer) { create(:user) }
specify do
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when design does not exist' do
let(:design_id) { 'foo' }
specify do
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
describe 'sha param' do
let(:newest_version) { design.versions.ordered.first }
let(:oldest_version) { design.versions.ordered.last }
shared_examples 'a successful request for sha' do
it do
expect_next_instance_of(DesignManagement::Repository) do |repository|
expect(repository).to receive(:blob_at).with(expected_ref, design.full_path).and_call_original
end
subject
expect(response).to have_gitlab_http_status(:ok)
end
end
specify { expect(newest_version.sha).not_to eq(oldest_version.sha) }
context 'when sha is the newest version sha' do
let(:sha) { newest_version.sha }
let(:expected_ref) { sha }
it_behaves_like 'a successful request for sha'
end
context 'when sha is the oldest version sha' do
let(:sha) { oldest_version.sha }
let(:expected_ref) { sha }
it_behaves_like 'a successful request for sha'
end
context 'when sha is nil' do
let(:sha) { nil }
let(:expected_ref) { 'master' }
it_behaves_like 'a successful request for sha'
end
end
end
context 'when the design is an LFS file' do
let_it_be(:design) { create(:design, :with_lfs_file, issue: issue) }
# For security, .svg images should only ever be served with Content-Disposition: attachment.
# If this specs ever fails we must assess whether we should be serving svg images.
# See https://gitlab.com/gitlab-org/gitlab/issues/12771
it 'serves files with `Content-Disposition: attachment`' do
subject
expect(response.header['Content-Disposition']).to eq(%Q(attachment; filename=\"#{filename}\"; filename*=UTF-8''#{filename}))
end
it 'sets appropriate caching headers' do
subject
expect(response.header['ETag']).to be_present
expect(response.header['Cache-Control']).to eq("max-age=60, private")
end
end
# Pass `skip_lfs_disabled_tests: true` to this shared example to disable
# the test scenarios for when LFS is disabled globally.
#
# When LFS is disabled then the design management feature also becomes disabled.
# When the feature is disabled, the `authorize :read_design` check within the
# controller will never authorize the user. Therefore #show will return a 403 and
# we cannot test the data that it serves.
it_behaves_like 'a controller that can serve LFS files', skip_lfs_disabled_tests: true do
let(:file) { fixture_file_upload('spec/fixtures/dk.png', '`/png') }
let(:lfs_pointer) { Gitlab::Git::LfsPointerFile.new(file.read) }
let(:design) { create(:design, :with_lfs_file, file: lfs_pointer.pointer, issue: issue) }
let(:lfs_oid) { project.design_repository.blob_at('HEAD', design.full_path).lfs_oid }
let(:filepath) { design.full_path }
end
end
end
|