Attachments: Moved perm checks before validation

Avoids providing responses with potential sensitive attachment info
before permission checks.
Added tests to cover.

Thanks to Rafael Castilho for reporting.
This commit is contained in:
Dan Brown
2026-06-07 10:22:52 +01:00
parent 81f77a95de
commit b7325fdf0e
2 changed files with 39 additions and 9 deletions

View File

@@ -159,6 +159,38 @@ class AttachmentTest extends TestCase
$this->files->deleteAllAttachmentFiles();
}
public function test_attachment_update_without_permission()
{
$page = $this->entities->page();
$attachment = Attachment::factory()->create(['uploaded_to' => $page->id]);
$this->permissions->disableEntityInheritedPermissions($page);
$resp = $this->asViewer()->put("attachments/{$attachment->id}", [
'attachment_edit_name' => 'My new attachment name',
'attachment_edit_url' => 'https://test.example.com',
]);
$this->assertPermissionError($resp);
}
public function test_attachment_update_without_permission_with_validation_errors()
{
$page = $this->entities->page();
/** @var Attachment $attachment */
$attachment = Attachment::factory()->create(['uploaded_to' => $page->id]);
$this->permissions->disableEntityInheritedPermissions($page);
$resp = $this->asViewer()->put("attachments/{$attachment->id}", [
'attachment_edit_name' => '',
'attachment_edit_url' => 'https://test.example.com',
]);
$this->assertPermissionError($resp);
$resp->assertDontSee($attachment->path);
}
public function test_file_deletion()
{
$page = $this->entities->page();