require "test_helper"
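# Integration tests for the authorization layer in front of Active Storage.
#
# Transaction attachments are reachable two ways:
#   1. through the app's own controller (transaction_attachment_path), which
#      redirects to Active Storage's blob controller; and
#   2. directly through Active Storage's blob / representation controllers,
#      which anyone holding the signed blob id can hit.
#
# Path 2 is the one that matters: a signed id is not tied to a user, so the
# app patches the Active Storage controllers to check family ownership before
# serving. These tests request the Active Storage URLs directly so that a
# regression in that patch is caught even while the app controller still
# behaves.
class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest
  # With the Disk service (test/local), a blob that is allowed through ends in
  # a redirect to a signed disk URL; its presence is the "served" signal, its
  # absence the "blocked" signal.
  DISK_URL = /rails\/active_storage\/disk/

  setup do
    @user_a = users(:family_admin) # In dylan_family
    @user_b = users(:empty)        # In empty family

    # NOTE(review): relies on transactions(:one) belonging to dylan_family
    # (via its entry/account). If that fixture ever moves families, the
    # positive test fails and the negative tests stop proving anything.
    @transaction_a = transactions(:one)
    @transaction_a.attachments.attach(
      io: StringIO.new("Family A Secret Receipt"),
      filename: "receipt.pdf",
      content_type: "application/pdf"
    )
    @attachment_a = @transaction_a.attachments.first
  end

  test "user can access attachments within their own family" do
    sign_in @user_a

    # The app controller never serves bytes itself; it hands off to
    # ActiveStorage::Blobs::RedirectController.
    get transaction_attachment_path(@transaction_a, @attachment_a)
    assert_response :redirect

    follow_redirect!

    # The blob controller redirects once more, to the disk URL: that second
    # hop is the proof the ownership check let the request through.
    assert_response :redirect
    assert_match(DISK_URL, response.header["Location"])
  end

  test "user cannot access attachments from a different family" do
    sign_in @user_b

    # Skip the app controller and go straight to the blob URL. A signed
    # global id can leak (logs, shared links, browser history) and must not
    # be sufficient on its own — this exercises the patched blob controller.
    get rails_blob_path(@attachment_a)

    # The patch raises ActiveRecord::RecordNotFound, which Rails renders as
    # 404 — indistinguishable from a blob that does not exist.
    assert_response :not_found
  end

  test "unauthenticated request cannot access attachments" do
    # No sign_in at all: the ownership check must not be reachable only by
    # logged-in users of the wrong family.
    get rails_blob_path(@attachment_a)

    # Whether the auth layer answers 404 or bounces to sign-in is its own
    # business; what must never happen is a 2xx or a hop to the disk URL.
    assert_not response.successful?
    assert_no_match(DISK_URL, response.header["Location"].to_s)
  end

  test "user cannot access variants from a different family" do
    # Variants go through a different controller than blobs, so they need
    # their own negative test. Block form closes the fixture handle.
    File.open(Rails.root.join("test/fixtures/files/square-placeholder.png")) do |file|
      @transaction_a.attachments.attach(io: file, filename: "test.png", content_type: "image/png")
    end
    attachment = @transaction_a.attachments.last

    # Process eagerly so the request below fails on authorization, not on a
    # missing transformation.
    variant = attachment.variant(resize_to_limit: [ 100, 100 ]).processed

    sign_in @user_b

    # Straight to the representation URL, bypassing the app controller.
    get rails_representation_path(variant)

    assert_response :not_found
  end
end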