mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-05-14 23:24:46 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

feat: Add guest file uploads and add deletion for note owners

Browse source 
Signed-off-by: Yannick Bungers <git@innay.de>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
This commit is contained in:
Yannick Bungers 2023-03-25 17:47:46 +01:00 committed by Yannick Bungers
parent 0f464dedfe
commit 485f7cd338
8 changed files with 244 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

38
backend/src/api/private/media/media.controller.ts
View file

@ -23,10 +23,12 @@ import { MediaUploadDto } from '../../../media/media-upload.dto';
import { MediaService } from '../../../media/media.service'; import { MediaService } from '../../../media/media.service';
import { MulterFile } from '../../../media/multer-file.interface'; import { MulterFile } from '../../../media/multer-file.interface';
import { Note } from '../../../notes/note.entity'; import { Note } from '../../../notes/note.entity';
import { NotesService } from '../../../notes/notes.service'; import { Permission } from '../../../permissions/permissions.enum';
import { User } from '../../../users/user.entity'; import { User } from '../../../users/user.entity';
import { NoteHeaderInterceptor } from '../../utils/note-header.interceptor'; import { NoteHeaderInterceptor } from '../../utils/note-header.interceptor';
import { OpenApi } from '../../utils/openapi.decorator'; import { OpenApi } from '../../utils/openapi.decorator';
import { Permissions } from '../../utils/permissions.decorator';
import { PermissionsGuard } from '../../utils/permissions.guard';
import { RequestNote } from '../../utils/request-note.decorator'; import { RequestNote } from '../../utils/request-note.decorator';
import { RequestUser } from '../../utils/request-user.decorator'; import { RequestUser } from '../../utils/request-user.decorator';
@ -38,7 +40,6 @@ export class MediaController {
constructor( constructor(
private readonly logger: ConsoleLoggerService, private readonly logger: ConsoleLoggerService,
private mediaService: MediaService, private mediaService: MediaService,
private noteService: NotesService,
) { ) {
this.logger.setContext(MediaController.name); this.logger.setContext(MediaController.name);
} }
@ -60,8 +61,10 @@ export class MediaController {
name: 'HedgeDoc-Note', name: 'HedgeDoc-Note',
description: 'ID or alias of the parent note', description: 'ID or alias of the parent note',
}) })
@UseGuards(PermissionsGuard)
@UseInterceptors(FileInterceptor('file')) @UseInterceptors(FileInterceptor('file'))
@UseInterceptors(NoteHeaderInterceptor) @UseInterceptors(NoteHeaderInterceptor)
@Permissions(Permission.WRITE)
@OpenApi( @OpenApi(
{ {
code: 201, code: 201,
@ -76,15 +79,22 @@ export class MediaController {
async uploadMedia( async uploadMedia(
@UploadedFile() file: MulterFile | undefined, @UploadedFile() file: MulterFile | undefined,
@RequestNote() note: Note, @RequestNote() note: Note,
@RequestUser() user: User, @RequestUser({ guestsAllowed: true }) user: User | null,
): Promise<MediaUploadDto> { ): Promise<MediaUploadDto> {
if (file === undefined) { if (file === undefined) {
throw new BadRequestException('Request does not contain a file'); throw new BadRequestException('Request does not contain a file');
} }
if (user) {
this.logger.debug( this.logger.debug(
`Received filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`, `Received filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`,
'uploadMedia', 'uploadMedia',
); );
} else {
this.logger.debug(
`Received filename '${file.originalname}' for note '${note.id}' from not logged in user`,
'uploadMedia',
);
}
const upload = await this.mediaService.saveFile(file.buffer, user, note); const upload = await this.mediaService.saveFile(file.buffer, user, note);
return await this.mediaService.toMediaUploadDto(upload); return await this.mediaService.toMediaUploadDto(upload);
} }
@ -95,21 +105,29 @@ export class MediaController {
@RequestUser() user: User, @RequestUser() user: User,
@Param('filename') filename: string, @Param('filename') filename: string,
): Promise<void> { ): Promise<void> {
const username = user.username; const mediaUpload = await this.mediaService.findUploadByFilename(filename);
const mediaUploadOwner = await mediaUpload.user;
const mediaUploadNote = await mediaUpload.note;
const mediaUploadNoteOwner = await mediaUploadNote?.owner;
if (
mediaUploadOwner?.id === user.id ||
user.id === mediaUploadNoteOwner?.id
) {
this.logger.debug( this.logger.debug(
`Deleting '${filename}' for user '${username}'`, `Deleting '${filename}' for user '${user.username}'`,
'deleteMedia', 'deleteMedia',
); );
const mediaUpload = await this.mediaService.findUploadByFilename(filename); await this.mediaService.deleteFile(mediaUpload);
if ((await mediaUpload.user).username !== username) { } else {
this.logger.warn( this.logger.warn(
`${username} tried to delete '${filename}', but is not the owner`, `${user.username} tried to delete '${filename}', but is not the owner of upload or connected note`,
'deleteMedia', 'deleteMedia',
); );
throw new PermissionError( throw new PermissionError(
`File '${filename}' is not owned by '${username}'`, `Neither file '${filename}' nor note '${
mediaUploadNote?.id ?? 'unknown'
}'is not owned by '${user.username}'`,
); );
} }
await this.mediaService.deleteFile(mediaUpload);
} }
} }

42
backend/src/api/public/media/media.controller.ts
View file

@ -4,6 +4,7 @@
* SPDX-License-Identifier: AGPL-3.0-only * SPDX-License-Identifier: AGPL-3.0-only
*/ */
import { import {
BadRequestException,
Controller, Controller,
Delete, Delete,
Param, Param,
@ -28,10 +29,12 @@ import { MediaUploadDto } from '../../../media/media-upload.dto';
import { MediaService } from '../../../media/media.service'; import { MediaService } from '../../../media/media.service';
import { MulterFile } from '../../../media/multer-file.interface'; import { MulterFile } from '../../../media/multer-file.interface';
import { Note } from '../../../notes/note.entity'; import { Note } from '../../../notes/note.entity';
import { NotesService } from '../../../notes/notes.service'; import { Permission } from '../../../permissions/permissions.enum';
import { User } from '../../../users/user.entity'; import { User } from '../../../users/user.entity';
import { NoteHeaderInterceptor } from '../../utils/note-header.interceptor'; import { NoteHeaderInterceptor } from '../../utils/note-header.interceptor';
import { OpenApi } from '../../utils/openapi.decorator'; import { OpenApi } from '../../utils/openapi.decorator';
import { Permissions } from '../../utils/permissions.decorator';
import { PermissionsGuard } from '../../utils/permissions.guard';
import { RequestNote } from '../../utils/request-note.decorator'; import { RequestNote } from '../../utils/request-note.decorator';
import { RequestUser } from '../../utils/request-user.decorator'; import { RequestUser } from '../../utils/request-user.decorator';
@ -44,7 +47,6 @@ export class MediaController {
constructor( constructor(
private readonly logger: ConsoleLoggerService, private readonly logger: ConsoleLoggerService,
private mediaService: MediaService, private mediaService: MediaService,
private noteService: NotesService,
) { ) {
this.logger.setContext(MediaController.name); this.logger.setContext(MediaController.name);
} }
@ -77,17 +79,29 @@ export class MediaController {
404, 404,
500, 500,
) )
@UseGuards(PermissionsGuard)
@UseInterceptors(FileInterceptor('file')) @UseInterceptors(FileInterceptor('file'))
@UseInterceptors(NoteHeaderInterceptor) @UseInterceptors(NoteHeaderInterceptor)
@Permissions(Permission.WRITE)
async uploadMedia( async uploadMedia(
@RequestUser() user: User, @RequestUser() user: User,
@UploadedFile() file: MulterFile, @UploadedFile() file: MulterFile,
@RequestNote() note: Note, @RequestNote() note: Note,
): Promise<MediaUploadDto> { ): Promise<MediaUploadDto> {
if (file === undefined) {
throw new BadRequestException('Request does not contain a file');
}
if (user) {
this.logger.debug( this.logger.debug(
`Recieved filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`, `Received filename '${file.originalname}' for note '${note.publicId}' from user '${user.username}'`,
'uploadMedia', 'uploadMedia',
); );
} else {
this.logger.debug(
`Received filename '${file.originalname}' for note '${note.publicId}' from not logged in user`,
'uploadMedia',
);
}
const upload = await this.mediaService.saveFile(file.buffer, user, note); const upload = await this.mediaService.saveFile(file.buffer, user, note);
return await this.mediaService.toMediaUploadDto(upload); return await this.mediaService.toMediaUploadDto(upload);
} }
@ -98,21 +112,29 @@ export class MediaController {
@RequestUser() user: User, @RequestUser() user: User,
@Param('filename') filename: string, @Param('filename') filename: string,
): Promise<void> { ): Promise<void> {
const username = user.username; const mediaUpload = await this.mediaService.findUploadByFilename(filename);
const mediaUploadOwner = await mediaUpload.user;
const mediaUploadNote = await mediaUpload.note;
const mediaUploadNoteOwner = await mediaUploadNote?.owner;
if (
mediaUploadOwner?.id === user.id ||
user.id === mediaUploadNoteOwner?.id
) {
this.logger.debug( this.logger.debug(
`Deleting '${filename}' for user '${username}'`, `Deleting '${filename}' for user '${user.username}'`,
'deleteMedia', 'deleteMedia',
); );
const mediaUpload = await this.mediaService.findUploadByFilename(filename); await this.mediaService.deleteFile(mediaUpload);
if ((await mediaUpload.user).username !== username) { } else {
this.logger.warn( this.logger.warn(
`${username} tried to delete '${filename}', but is not the owner`, `${user.username} tried to delete '${filename}', but is not the owner of upload or connected note`,
'deleteMedia', 'deleteMedia',
); );
throw new PermissionError( throw new PermissionError(
`File '${filename}' is not owned by '${username}'`, `Neither file '${filename}' nor note '${
mediaUploadNote?.id ?? 'unknown'
}'is not owned by '${user.username}'`,
); );
} }
await this.mediaService.deleteFile(mediaUpload);
} }
} }

10
backend/src/api/utils/permissions.guard.ts
View file

@ -16,6 +16,8 @@ import { CompleteRequest } from './request.type';
/** /**
* This guards controller methods from access, if the user has not the appropriate permissions. * This guards controller methods from access, if the user has not the appropriate permissions.
* The permissions are set via the {@link Permissions} decorator in addition to this guard. * The permissions are set via the {@link Permissions} decorator in addition to this guard.
* If the check permission is not CREATE the method needs to extract the noteIdOrAlias from
* request.params['noteIdOrAlias'] or request.headers['hedgedoc-note'] to check if the user has the permission.
*/ */
@Injectable() @Injectable()
export class PermissionsGuard implements CanActivate { export class PermissionsGuard implements CanActivate {
@ -46,9 +48,11 @@ export class PermissionsGuard implements CanActivate {
if (permissions[0] === Permission.CREATE) { if (permissions[0] === Permission.CREATE) {
return this.permissionsService.mayCreate(user); return this.permissionsService.mayCreate(user);
} }
// Get the note from the parameter noteIdOrAlias // Get the note from the parameter noteIdOrAlias or the http header hedgedoc-note
// Attention: This gets the note an additional time if used in conjunction with GetNoteInterceptor // Attention: This gets the note an additional time if used in conjunction with GetNoteInterceptor or NoteHeaderInterceptor
const noteIdOrAlias = request.params['noteIdOrAlias']; let noteIdOrAlias = request.params['noteIdOrAlias'];
if (noteIdOrAlias === undefined)
noteIdOrAlias = request.headers['hedgedoc-note'] as string;
const note = await getNote(this.noteService, noteIdOrAlias); const note = await getNote(this.noteService, noteIdOrAlias);
switch (permissions[0]) { switch (permissions[0]) {
case Permission.READ: case Permission.READ:

2
backend/src/media/media-upload.dto.ts
View file

@ -42,5 +42,5 @@ export class MediaUploadDto extends BaseDto {
*/ */
@IsString() @IsString()
@ApiProperty() @ApiProperty()
username: string; username: string | null;
} }

6
backend/src/media/media-upload.entity.ts
View file

@ -28,9 +28,9 @@ export class MediaUpload {
note: Promise<Note | null>; note: Promise<Note | null>;
@ManyToOne((_) => User, (user) => user.mediaUploads, { @ManyToOne((_) => User, (user) => user.mediaUploads, {
nullable: false, nullable: true,
}) })
user: Promise<User>; user: Promise<User | null>;
@Column({ @Column({
nullable: false, nullable: false,
@ -65,7 +65,7 @@ export class MediaUpload {
public static create( public static create(
id: string, id: string,
note: Note, note: Note,
user: User, user: User | null,
extension: string, extension: string,
backendType: BackendType, backendType: BackendType,
fileUrl: string, fileUrl: string,

12
backend/src/media/media.service.ts
View file

@ -78,13 +78,20 @@ export class MediaService {
*/ */
async saveFile( async saveFile(
fileBuffer: Buffer, fileBuffer: Buffer,
user: User, user: User | null,
note: Note, note: Note,
): Promise<MediaUpload> { ): Promise<MediaUpload> {
if (user) {
this.logger.debug( this.logger.debug(
`Saving file for note '${note.id}' and user '${user.username}'`, `Saving file for note '${note.id}' and user '${user.username}'`,
'saveFile', 'saveFile',
); );
} else {
this.logger.debug(
`Saving file for note '${note.id}' and not logged in user`,
'saveFile',
);
}
const fileTypeResult = await FileType.fromBuffer(fileBuffer); const fileTypeResult = await FileType.fromBuffer(fileBuffer);
if (!fileTypeResult) { if (!fileTypeResult) {
throw new ClientError('Could not detect file type.'); throw new ClientError('Could not detect file type.');
@ -223,11 +230,12 @@ export class MediaService {
} }
async toMediaUploadDto(mediaUpload: MediaUpload): Promise<MediaUploadDto> { async toMediaUploadDto(mediaUpload: MediaUpload): Promise<MediaUploadDto> {
const user = await mediaUpload.user;
return { return {
url: mediaUpload.fileUrl, url: mediaUpload.fileUrl,
notePublicId: (await mediaUpload.note)?.publicId ?? null, notePublicId: (await mediaUpload.note)?.publicId ?? null,
createdAt: mediaUpload.createdAt, createdAt: mediaUpload.createdAt,
username: (await mediaUpload.user).username, username: user?.username ?? null,
}; };
} }
} }

49
backend/test/private-api/media.e2e-spec.ts
View file

@ -123,12 +123,13 @@ describe('Media', () => {
}); });
}); });
it('DELETE /media/{filename}', async () => { describe('DELETE /media/{filename}', () => {
it('deleting user is owner of file', async () => {
// upload a file with the default test user // upload a file with the default test user
const testNote = await testSetup.notesService.createNote( const testNote = await testSetup.notesService.createNote(
'test content', 'test content',
null, null,
'test_delete_media', 'test_delete_media_file',
); );
const testImage = await fs.readFile('test/private-api/fixtures/test.png'); const testImage = await fs.readFile('test/private-api/fixtures/test.png');
const upload = await testSetup.mediaService.saveFile( const upload = await testSetup.mediaService.saveFile(
@ -148,7 +149,51 @@ describe('Media', () => {
// try to delete upload with second user // try to delete upload with second user
await agent2.delete('/api/private/media/' + filename).expect(403); await agent2.delete('/api/private/media/' + filename).expect(403);
await agent.get('/uploads/' + filename).expect(200);
// delete upload for real // delete upload for real
await agent.delete('/api/private/media/' + filename).expect(204); await agent.delete('/api/private/media/' + filename).expect(204);
// Test if file is really deleted
await agent.get('/uploads/' + filename).expect(404);
});
it('deleting user is owner of note', async () => {
// upload a file with the default test user
const testNote = await testSetup.notesService.createNote(
'test content',
await testSetup.userService.getUserByUsername(username2),
'test_delete_media_note',
);
const testImage = await fs.readFile('test/private-api/fixtures/test.png');
const upload = await testSetup.mediaService.saveFile(
testImage,
null,
testNote,
);
const filename = upload.fileUrl.split('/').pop() || '';
// login with a different user;
const agent2 = request.agent(testSetup.app.getHttpServer());
await agent2
.post('/api/private/auth/local/login')
.send({ username: username2, password: password2 })
.expect(201);
const agentGuest = request.agent(testSetup.app.getHttpServer());
// try to delete upload with second user
await agent.delete('/api/private/media/' + filename).expect(403);
await agent.get('/uploads/' + filename).expect(200);
await agentGuest.delete('/api/private/media/' + filename).expect(401);
await agent.get('/uploads/' + filename).expect(200);
// delete upload for real
await agent2.delete('/api/private/media/' + filename).expect(204);
// Test if file is really deleted
await agent.get('/uploads/' + filename).expect(404);
});
}); });
}); });

79
backend/test/public-api/media.e2e-spec.ts
View file

@ -126,5 +126,84 @@ describe('Media', () => {
.set('Authorization', `Bearer ${testSetup.authTokens[1].secret}`) .set('Authorization', `Bearer ${testSetup.authTokens[1].secret}`)
.expect(403); .expect(403);
}); });
it('deleting user is owner of file', async () => {
// upload a file with the default test user
const testNote = await testSetup.notesService.createNote(
'test content',
null,
'test_delete_media_file',
);
const testImage = await fs.readFile('test/public-api/fixtures/test.png');
const upload = await testSetup.mediaService.saveFile(
testImage,
testSetup.users[0],
testNote,
);
const filename = upload.fileUrl.split('/').pop() || '';
const agent2 = request.agent(testSetup.app.getHttpServer());
// try to delete upload with second user
await agent2
.delete('/api/v2/media/' + filename)
.set('Authorization', `Bearer ${testSetup.authTokens[1].secret}`)
.expect(403);
await agent2
.get('/uploads/' + filename)
.set('Authorization', `Bearer ${testSetup.authTokens[1].secret}`)
.expect(200);
// delete upload for real
await agent2
.delete('/api/v2/media/' + filename)
.set('Authorization', `Bearer ${testSetup.authTokens[0].secret}`)
.expect(204);
// Test if file is really deleted
await agent2
.get('/uploads/' + filename)
.set('Authorization', `Bearer ${testSetup.authTokens[1].secret}`)
.expect(404);
});
it('deleting user is owner of note', async () => {
// upload a file with the default test user
const testNote = await testSetup.notesService.createNote(
'test content',
testSetup.users[2],
'test_delete_media_note',
);
const testImage = await fs.readFile('test/public-api/fixtures/test.png');
const upload = await testSetup.mediaService.saveFile(
testImage,
testSetup.users[0],
testNote,
);
const filename = upload.fileUrl.split('/').pop() || '';
const agent2 = request.agent(testSetup.app.getHttpServer());
// try to delete upload with second user
await agent2
.delete('/api/v2/media/' + filename)
.set('Authorization', `Bearer ${testSetup.authTokens[1].secret}`)
.expect(403);
await agent2
.get('/uploads/' + filename)
.set('Authorization', `Bearer ${testSetup.authTokens[1].secret}`)
.expect(200);
// delete upload for real
await agent2
.delete('/api/v2/media/' + filename)
.set('Authorization', `Bearer ${testSetup.authTokens[2].secret}`)
.expect(204);
// Test if file is really deleted
await agent2
.get('/uploads/' + filename)
.set('Authorization', `Bearer ${testSetup.authTokens[1].secret}`)
.expect(404);
});
}); });
}); });