diff --git a/app/console b/app/console index d7491462f..49eec28b8 160000 --- a/app/console +++ b/app/console @@ -1 +1 @@ -Subproject commit d7491462f2ac1605fad0547d7bb6e2e4bbbc2233 +Subproject commit 49eec28b88f1c9f2c3cd29330f4bcd599f8a851c diff --git a/app/controllers/api/avatars.php b/app/controllers/api/avatars.php index 8047adfdd..fbc77d69f 100644 --- a/app/controllers/api/avatars.php +++ b/app/controllers/api/avatars.php @@ -342,7 +342,6 @@ App::get('/v1/avatars/initials') ->desc('Get User Initials') ->groups(['api', 'avatars']) ->label('scope', 'avatars.read') - ->label('cache', true) ->label('cache.resource', 'avatar/initials') ->label('sdk.auth', [APP_AUTH_TYPE_SESSION, APP_AUTH_TYPE_KEY, APP_AUTH_TYPE_JWT]) ->label('sdk.namespace', 'avatars') diff --git a/app/controllers/api/storage.php b/app/controllers/api/storage.php index 657cdd5b7..3c8ffc564 100644 --- a/app/controllers/api/storage.php +++ b/app/controllers/api/storage.php @@ -783,6 +783,7 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview') ->groups(['api', 'storage']) ->label('scope', 'files.read') ->label('cache', true) + ->label('cache.resourceType', 'bucket/{request.bucketId}') ->label('cache.resource', 'file/{request.fileId}') ->label('usage.metric', 'files.{scope}.requests.read') ->label('usage.params', ['bucketId:{request.bucketId}']) @@ -840,9 +841,6 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview') $outputs = Config::getParam('storage-outputs'); $fileLogos = Config::getParam('storage-logos'); - $date = \date('D, d M Y H:i:s', \time() + (60 * 60 * 24 * 45)) . ' GMT'; // 45 days cache - $key = \md5($fileId . $width . $height . $gravity . $quality . $borderWidth . $borderColor . $borderRadius . $opacity . $rotation . $background . $output); - if ($fileSecurity && !$valid) { $file = $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId); } else { diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php index 261f709d4..6a7502522 100644 --- a/app/controllers/shared/api.php +++ b/app/controllers/shared/api.php @@ -208,19 +208,52 @@ App::init() $useCache = $route->getLabel('cache', false); if ($useCache) { - $key = md5($request->getURI() . implode('*', $request->getParams())); + $key = md5($request->getURI() . implode('*', $request->getParams())) . '*' . APP_CACHE_BUSTER; $cache = new Cache( new Filesystem(APP_STORAGE_CACHE . DIRECTORY_SEPARATOR . 'app-' . $project->getId()) ); $timestamp = 60 * 60 * 24 * 30; $data = $cache->load($key, $timestamp); + if (!empty($data)) { $data = json_decode($data, true); + $parts = explode('/', $data['resourceType']); + $type = $parts[0] ?? null; + + if ($type === 'bucket') { + $bucketId = $parts[1] ?? null; + + $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId)); + + if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && $mode !== APP_MODE_ADMIN)) { + throw new Exception(Exception::STORAGE_BUCKET_NOT_FOUND); + } + + $fileSecurity = $bucket->getAttribute('fileSecurity', false); + $validator = new Authorization(Database::PERMISSION_READ); + $valid = $validator->isValid($bucket->getRead()); + if (!$fileSecurity && !$valid) { + throw new Exception(Exception::USER_UNAUTHORIZED); + } + + $parts = explode('/', $data['resource']); + $fileId = $parts[1] ?? null; + + if ($fileSecurity && !$valid) { + $file = $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId); + } else { + $file = Authorization::skip(fn() => $dbForProject->getDocument('bucket_' . $bucket->getInternalId(), $fileId)); + } + + if ($file->isEmpty()) { + throw new Exception(Exception::STORAGE_FILE_NOT_FOUND); + } + } $response ->addHeader('Expires', \date('D, d M Y H:i:s', \time() + $timestamp) . ' GMT') ->addHeader('X-Appwrite-Cache', 'hit') - ->setContentType($data['content-type']) + ->setContentType($data['contentType']) ->send(base64_decode($data['payload'])) ; @@ -408,7 +441,7 @@ App::shutdown() */ $useCache = $route->getLabel('cache', false); if ($useCache) { - $resource = null; + $resource = $resourceType = null; $data = $response->getPayload(); if (!empty($data['payload'])) { @@ -417,9 +450,16 @@ App::shutdown() $resource = $parseLabel($pattern, $responsePayload, $requestParams, $user); } - $key = md5($request->getURI() . implode('*', $request->getParams())); + $pattern = $route->getLabel('cache.resourceType', null); + if (!empty($pattern)) { + $resourceType = $parseLabel($pattern, $responsePayload, $requestParams, $user); + } + + $key = md5($request->getURI() . implode('*', $request->getParams())) . '*' . APP_CACHE_BUSTER; $data = json_encode([ - 'content-type' => $response->getContentType(), + 'resourceType' => $resourceType, + 'resource' => $resource, + 'contentType' => $response->getContentType(), 'payload' => base64_encode($data['payload']), ]) ; diff --git a/tests/e2e/Services/Storage/StorageCustomClientTest.php b/tests/e2e/Services/Storage/StorageCustomClientTest.php index b63de5648..fdb158ae5 100644 --- a/tests/e2e/Services/Storage/StorageCustomClientTest.php +++ b/tests/e2e/Services/Storage/StorageCustomClientTest.php @@ -25,10 +25,16 @@ class StorageCustomClientTest extends Scope use SideClient; use StoragePermissionsScope; - public function testBucketAnyPermissions(): void + public function testCachedFilePreview(): void { /** - * Test for SUCCESS + Create a bucket with File Level Security with no permissions. + Add a file with no permissions. + Login as UserA from SDK + Call File Preview from SDK all good userA can't see preview. + Add read permission to UserA, all good userA can now see preview. + Remove read permission for UserA. + Call File Preview from SDK and now userA can't see the preview. */ $bucket = $this->client->call(Client::METHOD_POST, '/storage/buckets', [ 'content-type' => 'application/json', @@ -37,22 +43,19 @@ class StorageCustomClientTest extends Scope ], [ 'bucketId' => ID::unique(), 'name' => 'Test Bucket', - 'permissions' => [ - Permission::read(Role::any()), - Permission::create(Role::any()), - Permission::update(Role::any()), - Permission::delete(Role::any()), - ], + 'fileSecurity' => true, + 'permissions' => [], ]); $bucketId = $bucket['body']['$id']; $this->assertEquals(201, $bucket['headers']['status-code']); $this->assertNotEmpty($bucketId); - $file = $this->client->call(Client::METHOD_POST, '/storage/buckets/' . $bucketId . '/files', [ + $file = $this->client->call(Client::METHOD_POST, '/storage/buckets/' . $bucketId . '/files', array_merge([ 'content-type' => 'multipart/form-data', 'x-appwrite-project' => $this->getProject()['$id'], - ], [ + 'x-appwrite-key' => $this->getProject()['apiKey'] + ]), [ 'fileId' => ID::unique(), 'file' => new CURLFile(realpath(__DIR__ . '/../../../resources/logo.png'), 'image/png', 'permissions.png'), ]); @@ -65,46 +68,142 @@ class StorageCustomClientTest extends Scope $this->assertEquals('image/png', $file['body']['mimeType']); $this->assertEquals(47218, $file['body']['sizeOriginal']); - $file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [ + $file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/preview', array_merge([ 'content-type' => 'application/json', 'x-appwrite-project' => $this->getProject()['$id'], + ], $this->getHeaders())); + + $this->assertEquals(404, $file['headers']['status-code']); + + $file = $this->client->call(Client::METHOD_PUT, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + 'x-appwrite-key' => $this->getProject()['apiKey'], + ], [ + 'name' => 'permissions.png', + 'permissions' => [ + Permission::read(Role::user($this->getUser()['$id'])), + ], ]); $this->assertEquals(200, $file['headers']['status-code']); - $file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/preview', [ + $file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/preview', array_merge([ 'content-type' => 'application/json', 'x-appwrite-project' => $this->getProject()['$id'], - ]); - - $this->assertEquals(200, $file['headers']['status-code']); - - $file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/download', [ - 'content-type' => 'application/json', - 'x-appwrite-project' => $this->getProject()['$id'], - ]); - - $this->assertEquals(200, $file['headers']['status-code']); - - $file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/view', [ - 'content-type' => 'application/json', - 'x-appwrite-project' => $this->getProject()['$id'], - ]); + ], $this->getHeaders())); $this->assertEquals(200, $file['headers']['status-code']); $file = $this->client->call(Client::METHOD_PUT, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [ 'content-type' => 'application/json', 'x-appwrite-project' => $this->getProject()['$id'], + 'x-appwrite-key' => $this->getProject()['apiKey'], ], [ 'name' => 'permissions.png', + 'permissions' => [], + ]); + + $this->assertEquals(200, $file['headers']['status-code']); + + $file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/preview', array_merge([ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ], $this->getHeaders())); + + $this->assertEquals(404, $file['headers']['status-code']); + + $file = $this->client->call(Client::METHOD_DELETE, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + 'x-appwrite-key' => $this->getProject()['apiKey'], + ]); + + $this->assertEquals(204, $file['headers']['status-code']); + $this->assertEmpty($file['body']); + } + + public function testBucketAnyPermissions(): void + { + + /** + * Test for SUCCESS + */ + $bucket = $this->client->call(Client::METHOD_POST, '/storage/buckets', [ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + 'x-appwrite-key' => $this->getProject()['apiKey'], + ], [ + 'bucketId' => ID::unique(), + 'name' => 'Test Bucket', + 'permissions' => [ + Permission::read(Role::any()), + Permission::create(Role::any()), + Permission::update(Role::any()), + Permission::delete(Role::any()), + ], + ]); + + $bucketId = $bucket['body']['$id']; + $this->assertEquals(201, $bucket['headers']['status-code']); + $this->assertNotEmpty($bucketId); + + $file = $this->client->call(Client::METHOD_POST, '/storage/buckets/' . $bucketId . '/files', [ + 'content-type' => 'multipart/form-data', + 'x-appwrite-project' => $this->getProject()['$id'], + ], [ + 'fileId' => ID::unique(), + 'file' => new CURLFile(realpath(__DIR__ . '/../../../resources/logo.png'), 'image/png', 'permissions.png'), + ]); + + $fileId = $file['body']['$id']; + $this->assertEquals($file['headers']['status-code'], 201); + $this->assertNotEmpty($fileId); + $this->assertEquals(true, DateTime::isValid($file['body']['$createdAt'])); + $this->assertEquals('permissions.png', $file['body']['name']); + $this->assertEquals('image/png', $file['body']['mimeType']); + $this->assertEquals(47218, $file['body']['sizeOriginal']); + + $file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ]); + + $this->assertEquals(200, $file['headers']['status-code']); + + $file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/preview', [ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ]); + + $this->assertEquals(200, $file['headers']['status-code']); + + $file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/download', [ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ]); + + $this->assertEquals(200, $file['headers']['status-code']); + + $file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/view', [ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ]); + + $this->assertEquals(200, $file['headers']['status-code']); + + $file = $this->client->call(Client::METHOD_PUT, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + ], [ + 'name' => 'permissions.png', ]); $this->assertEquals(200, $file['headers']['status-code']); $file = $this->client->call(Client::METHOD_DELETE, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [ - 'content-type' => 'application/json', - 'x-appwrite-project' => $this->getProject()['$id'], + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], ]); $this->assertEquals(204, $file['headers']['status-code']);