Images: Updated access to consider public secure_restricted

Had prevented public access for images when secure_restricted images was
enabled (and for just secure images) when app settings allowed public
access.

This considers the app public setting, and adds tests to cover extra
scenarios to prevent regression.
This commit is contained in:
Dan Brown
2025-11-21 12:09:25 +00:00
parent 47f12cc8f6
commit 73c6bf4f8d
3 changed files with 68 additions and 3 deletions

View File

@@ -264,7 +264,7 @@ class ImageService
return false;
}
if ($this->storage->usingSecureImages() && user()->isGuest()) {
if ($this->blockedBySecureImages()) {
return false;
}
@@ -280,13 +280,24 @@ class ImageService
return false;
}
if ($this->storage->usingSecureImages() && user()->isGuest()) {
if ($this->blockedBySecureImages()) {
return false;
}
return $this->imageFileExists($image->path, $image->type);
}
/**
* Check if the current user should be blocked from accessing images based on if secure images are enabled
* and if public access is enabled for the application.
*/
protected function blockedBySecureImages(): bool
{
$enforced = $this->storage->usingSecureImages() && !setting('app-public');
return $enforced && user()->isGuest();
}
/**
* Check if the given image path exists for the given image type and that it is likely an image file.
*/

View File

@@ -74,7 +74,7 @@ class ImageStorage
return 'local';
}
// Rename local_secure options to get our image specific storage driver which
// Rename local_secure options to get our image-specific storage driver, which
// is scoped to the relevant image directories.
if ($localSecureInUse) {
return 'local_secure_images';

View File

@@ -5,6 +5,8 @@ namespace Tests\Uploads;
use BookStack\Entities\Repos\PageRepo;
use BookStack\Uploads\Image;
use BookStack\Uploads\ImageService;
use BookStack\Uploads\UserAvatars;
use BookStack\Users\Models\Role;
use Illuminate\Support\Str;
use Tests\TestCase;
@@ -467,6 +469,26 @@ class ImageTest extends TestCase
}
}
public function test_avatar_images_visible_only_when_public_access_enabled_with_local_secure_restricted()
{
config()->set('filesystems.images', 'local_secure_restricted');
$user = $this->users->admin();
$avatars = $this->app->make(UserAvatars::class);
$avatars->assignToUserFromExistingData($user, $this->files->pngImageData(), 'png');
$avatarUrl = $user->getAvatar();
$resp = $this->get($avatarUrl);
$resp->assertRedirect('/login');
$this->permissions->makeAppPublic();
$resp = $this->get($avatarUrl);
$resp->assertOk();
$this->files->deleteAtRelativePath($user->avatar->path);
}
public function test_secure_restricted_images_inaccessible_without_relation_permission()
{
config()->set('filesystems.images', 'local_secure_restricted');
@@ -491,6 +513,38 @@ class ImageTest extends TestCase
}
}
public function test_secure_restricted_images_accessible_with_public_guest_access()
{
config()->set('filesystems.images', 'local_secure_restricted');
$this->permissions->makeAppPublic();
$this->asEditor();
$page = $this->entities->page();
$this->files->uploadGalleryImageToPage($this, $page);
$image = Image::query()->where('type', '=', 'gallery')
->where('uploaded_to', '=', $page->id)
->first();
$expectedUrl = url($image->path);
$expectedPath = storage_path($image->path);
auth()->logout();
$this->get($expectedUrl)->assertOk();
$this->permissions->setEntityPermissions($page, [], []);
$resp = $this->get($expectedUrl);
$resp->assertNotFound();
$this->permissions->setEntityPermissions($page, ['view'], [Role::getSystemRole('public')]);
$this->get($expectedUrl)->assertOk();
if (file_exists($expectedPath)) {
unlink($expectedPath);
}
}
public function test_thumbnail_path_handled_by_secure_restricted_images()
{
config()->set('filesystems.images', 'local_secure_restricted');