svc-admin01/snipe-it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Chekc auth before assigning S3 temporary link

Browse Source
This commit is contained in:
snipe
2026-05-21 14:56:20 +01:00
parent 67fa473281
commit a383033ffa
2 changed files with 84 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Controllers/ActionlogController.php
+3 -2
View File
@@ -4,7 +4,6 @@ namespace App\Http\Controllers;
use App\Helpers\Helper;
use App\Models\Actionlog;
use App\Models\Asset;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Response;
use Illuminate\Support\Facades\Log;
@@ -17,6 +16,9 @@ class ActionlogController extends Controller
{
$filename = basename((string) $filename);
$actionlog = Actionlog::where('accept_signature', $filename)->with('item')->firstOrFail();
$this->authorize('view', $actionlog->item);
// PHP doesn't let you handle file not found errors well with
// file_get_contents, so we set the error reporting for just this class
error_reporting(0);
@@ -29,7 +31,6 @@ class ActionlogController extends Controller
return redirect()->away(Storage::disk($disk)->temporaryUrl($file, now()->addMinutes(5)));
default:
$this->authorize('view', Asset::class);
$file = config('app.private_uploads').'/signatures/'.$filename;
$filetype = Helper::checkUploadIsImage($file);
tests/Feature/ActionLogs/DisplaySigTest.php
+81
View File
@@ -0,0 +1,81 @@
<?php
namespace Tests\Feature\ActionLogs;
use App\Models\Actionlog;
use App\Models\Asset;
use App\Models\License;
use App\Models\User;
use Tests\TestCase;
class DisplaySigTest extends TestCase
{
public function test_requires_authentication(): void
{
$actionlog = Actionlog::factory()->acceptedSignature()->create();
$this->get(route('log.signature.view', ['filename' => $actionlog->accept_signature]))
->assertRedirect(route('login'));
}
public function test_nonexistent_filename_redirects_with_error(): void
{
$this->actingAs(User::factory()->superuser()->create())
->get(route('log.signature.view', ['filename' => 'does-not-exist.png']))
->assertRedirect(route('home'));
}
public function test_user_without_view_permission_cannot_view_asset_signature(): void
{
$actionlog = Actionlog::factory()->acceptedSignature()->create();
$this->actingAs(User::factory()->create())
->get(route('log.signature.view', ['filename' => $actionlog->accept_signature]))
->assertForbidden();
}
public function test_user_with_asset_view_permission_can_view_asset_signature(): void
{
$asset = Asset::factory()->create();
$actionlog = Actionlog::factory()->create([
'action_type' => 'accepted',
'item_id' => $asset->id,
'item_type' => Asset::class,
'accept_signature' => 'test-asset-sig-'.uniqid().'.png',
]);
$this->actingAs(User::factory()->viewAssets()->create())
->get(route('log.signature.view', ['filename' => $actionlog->accept_signature]))
->assertOk();
}
public function test_user_with_asset_view_permission_cannot_view_license_signature(): void
{
$license = License::factory()->create();
$actionlog = Actionlog::factory()->create([
'action_type' => 'accepted',
'item_id' => $license->id,
'item_type' => License::class,
'accept_signature' => 'test-license-sig-'.uniqid().'.png',
]);
$this->actingAs(User::factory()->viewAssets()->create())
->get(route('log.signature.view', ['filename' => $actionlog->accept_signature]))
->assertForbidden();
}
public function test_user_with_license_view_permission_can_view_license_signature(): void
{
$license = License::factory()->create();
$actionlog = Actionlog::factory()->create([
'action_type' => 'accepted',
'item_id' => $license->id,
'item_type' => License::class,
'accept_signature' => 'test-license-sig-'.uniqid().'.png',
]);
$this->actingAs(User::factory()->viewLicenses()->create())
->get(route('log.signature.view', ['filename' => $actionlog->accept_signature]))
->assertOk();
}
}