CodeMirror/appwrite
1
0
Fork 0
mirror of synced 2024-06-29 11:40:45 +12:00
Code Issues Projects Releases Wiki Activity

Allow guest write scope for document, file and execution

Browse source
This commit is contained in:
Jake Barnby 2022-08-29 17:53:37 +12:00
parent 6dade9e758
commit ccfd104545
No known key found for this signature in database
GPG key ID: C437A8CC85B96E9C
5 changed files with 274 additions and 54 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
app/config/roles.php
View file

@ -59,9 +59,12 @@ return [
'home',
'console',
'documents.read',
'documents.write',
'files.read',
'files.write',
'locale.read',
'avatars.read',
'execution.write',
],
],
Auth::USER_ROLE_USERS => [

9
app/controllers/api/storage.php
View file

@ -1359,9 +1359,12 @@ App::delete('/v1/storage/buckets/:bucketId/files/:fileId')
->setResource('file/' . $fileId)
;
// Don't need to check valid here because we already ensured validity
if ($fileSecurity) {
$deleted = $dbForProject->deleteDocument('bucket_' . $bucket->getInternalId(), $fileId);
if ($fileSecurity && !$valid) {
try {
$deleted = $dbForProject->deleteDocument('bucket_' . $bucket->getInternalId(), $fileId);
} catch (AuthorizationException) {
throw new Exception(Exception::USER_UNAUTHORIZED);
}
} else {
$deleted = Authorization::skip(fn() => $dbForProject->deleteDocument('bucket_' . $bucket->getInternalId(), $fileId));
}

151
tests/e2e/Services/Databases/DatabasesPermissionsGuestTest.php
View file

@ -31,7 +31,7 @@ class DatabasesPermissionsGuestTest extends Scope
$this->assertEquals('InvalidDocumentDatabase', $database['body']['name']);
$databaseId = $database['body']['$id'];
$movies = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections', $this->getServerHeader(), [
$publicMovies = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections', $this->getServerHeader(), [
'collectionId' => ID::unique(),
'name' => 'Movies',
'permissions' => [
@ -40,12 +40,23 @@ class DatabasesPermissionsGuestTest extends Scope
Permission::update(Role::any()),
Permission::delete(Role::any()),
],
]);
$privateMovies = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections', $this->getServerHeader(), [
'collectionId' => ID::unique(),
'name' => 'Movies',
'permissions' => [],
'documentSecurity' => true,
]);
$collection = ['id' => $movies['body']['$id']];
$publicCollection = ['id' => $publicMovies['body']['$id']];
$privateCollection = ['id' => $privateMovies['body']['$id']];
$this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $collection['id'] . '/attributes/string', $this->getServerHeader(), [
$this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $publicCollection['id'] . '/attributes/string', $this->getServerHeader(), [
'key' => 'title',
'size' => 256,
'required' => true,
]);
$this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $privateCollection['id'] . '/attributes/string', $this->getServerHeader(), [
'key' => 'title',
'size' => 256,
'required' => true,
@ -53,13 +64,14 @@ class DatabasesPermissionsGuestTest extends Scope
sleep(2);
return ['collectionId' => $collection['id'], 'databaseId' => $databaseId];
return [
'databaseId' => $databaseId,
'publicCollectionId' => $publicCollection['id'],
'privateCollectionId' => $privateCollection['id'],
];
}
/**
* [string[] $permissions]
*/
public function readDocumentsProvider()
public function permissionsProvider(): array
{
return [
[[Permission::read(Role::any())]],
@ -72,14 +84,23 @@ class DatabasesPermissionsGuestTest extends Scope
}
/**
* @dataProvider readDocumentsProvider
* @dataProvider permissionsProvider
*/
public function testReadDocuments($permissions)
{
$data = $this->createCollection();
$collectionId = $data['collectionId'];
$publicCollectionId = $data['publicCollectionId'];
$privateCollectionId = $data['privateCollectionId'];
$databaseId = $data['databaseId'];
$response = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $collectionId . '/documents', $this->getServerHeader(), [
$publicResponse = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $publicCollectionId . '/documents', $this->getServerHeader(), [
'documentId' => ID::unique(),
'data' => [
'title' => 'Lorem',
],
'permissions' => $permissions,
]);
$privateResponse = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $privateCollectionId . '/documents', $this->getServerHeader(), [
'documentId' => ID::unique(),
'data' => [
'title' => 'Lorem',
@ -87,18 +108,118 @@ class DatabasesPermissionsGuestTest extends Scope
'permissions' => $permissions,
]);
$this->assertEquals(201, $response['headers']['status-code']);
$this->assertEquals(201, $publicResponse['headers']['status-code']);
$this->assertEquals(201, $privateResponse['headers']['status-code']);
$roles = Authorization::getRoles();
Authorization::cleanRoles();
$documents = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $collectionId . '/documents', [
$publicDocuments = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $publicCollectionId . '/documents', [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
]);
$privateDocuments = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $privateCollectionId . '/documents', [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
]);
$this->assertEquals(1, $documents['body']['total']);
$this->assertEquals($permissions, $documents['body']['documents'][0]['$permissions']);
$this->assertEquals(1, $publicDocuments['body']['total']);
$this->assertEquals($permissions, $publicDocuments['body']['documents'][0]['$permissions']);
if (\in_array(Permission::read(Role::any()), $permissions)) {
$this->assertEquals(1, $privateDocuments['body']['total']);
$this->assertEquals($permissions, $privateDocuments['body']['documents'][0]['$permissions']);
} else {
$this->assertEquals(0, $privateDocuments['body']['total']);
}
foreach ($roles as $role) {
Authorization::setRole($role);
}
}
public function testWriteDocument()
{
$data = $this->createCollection();
$publicCollectionId = $data['publicCollectionId'];
$privateCollectionId = $data['privateCollectionId'];
$databaseId = $data['databaseId'];
$roles = Authorization::getRoles();
Authorization::cleanRoles();
$publicResponse = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $publicCollectionId . '/documents', [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], [
'documentId' => ID::unique(),
'data' => [
'title' => 'Lorem',
]
]);
$publicDocumentId = $publicResponse['body']['$id'];
$this->assertEquals(201, $publicResponse['headers']['status-code']);
$privateResponse = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $privateCollectionId . '/documents', [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], [
'documentId' => ID::unique(),
'data' => [
'title' => 'Lorem',
],
]);
$this->assertEquals(401, $privateResponse['headers']['status-code']);
// Create a document in private collection with API key so we can test that update and delete are also not allowed
$privateResponse = $this->client->call(Client::METHOD_POST, '/databases/' . $databaseId . '/collections/' . $privateCollectionId . '/documents', $this->getServerHeader(), [
'documentId' => ID::unique(),
'data' => [
'title' => 'Lorem',
],
]);
$this->assertEquals(201, $privateResponse['headers']['status-code']);
$privateDocumentId = $privateResponse['body']['$id'];
$publicDocument = $this->client->call(Client::METHOD_PATCH, '/databases/' . $databaseId . '/collections/' . $publicCollectionId . '/documents/' . $publicDocumentId, [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], [
'data' => [
'title' => 'Thor: Ragnarok',
],
]);
$this->assertEquals(200, $publicDocument['headers']['status-code']);
$this->assertEquals('Thor: Ragnarok', $publicDocument['body']['title']);
$privateDocument = $this->client->call(Client::METHOD_PATCH, '/databases/' . $databaseId . '/collections/' . $privateCollectionId . '/documents/' . $privateDocumentId, [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], [
'data' => [
'title' => 'Thor: Ragnarok',
],
]);
$this->assertEquals(401, $privateDocument['headers']['status-code']);
$publicDocument = $this->client->call(Client::METHOD_DELETE, '/databases/' . $databaseId . '/collections/' . $publicCollectionId . '/documents/' . $publicDocumentId, [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
]);
$this->assertEquals(204, $publicDocument['headers']['status-code']);
$privateDocument = $this->client->call(Client::METHOD_DELETE, '/databases/' . $databaseId . '/collections/' . $privateCollectionId . '/documents/' . $privateDocumentId, [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
]);
$this->assertEquals(401, $privateDocument['headers']['status-code']);
foreach ($roles as $role) {
Authorization::setRole($role);

72
tests/e2e/Services/Functions/FunctionsCustomClientTest.php
View file

@ -231,7 +231,75 @@ class FunctionsCustomClientTest extends Scope
];
}
public function testCreateExecutionUnauthorized(): array
public function testCreateCustomExecutionGuest()
{
/**
* Test for SUCCESS
*/
$projectId = $this->getProject()['$id'];
$apikey = $this->getProject()['apiKey'];
$function = $this->client->call(Client::METHOD_POST, '/functions', [
'content-type' => 'application/json',
'x-appwrite-project' => $projectId,
'x-appwrite-key' => $apikey,
], [
'functionId' => ID::unique(),
'name' => 'Test',
'execute' => [Role::any()->toString()],
'runtime' => 'php-8.0',
'vars' => [
'funcKey1' => 'funcValue1',
'funcKey2' => 'funcValue2',
'funcKey3' => 'funcValue3',
],
'timeout' => 10,
]);
$functionId = $function['body']['$id'] ?? '';
$this->assertEquals(201, $function['headers']['status-code']);
$folder = 'php-fn';
$code = realpath(__DIR__ . '/../../../resources/functions') . "/$folder/code.tar.gz";
$this->packageCode($folder);
$deployment = $this->client->call(Client::METHOD_POST, '/functions/' . $functionId . '/deployments', [
'content-type' => 'multipart/form-data',
'x-appwrite-project' => $projectId,
'x-appwrite-key' => $apikey,
], [
'entrypoint' => 'index.php',
'code' => new CURLFile($code, 'application/x-gzip', \basename($code)), //different tarball names intentional
]);
$deploymentId = $deployment['body']['$id'] ?? '';
// Wait for deployment to be built.
sleep(10);
$this->assertEquals(202, $deployment['headers']['status-code']);
// Why do we have to do this?
$function = $this->client->call(Client::METHOD_PATCH, '/functions/' . $functionId . '/deployments/' . $deploymentId, [
'content-type' => 'application/json',
'x-appwrite-project' => $projectId,
'x-appwrite-key' => $apikey,
], []);
$this->assertEquals(200, $function['headers']['status-code']);
$execution = $this->client->call(Client::METHOD_POST, '/functions/' . $functionId . '/executions', [
'content-type' => 'application/json',
'x-appwrite-project' => $projectId,
], [
'data' => 'foobar',
]);
$this->assertEquals(202, $execution['headers']['status-code']);
}
public function testCreateExecutionNoDeployment(): array
{
$function = $this->client->call(Client::METHOD_POST, '/functions', [
'content-type' => 'application/json',
@ -252,7 +320,7 @@ class FunctionsCustomClientTest extends Scope
'async' => true,
]);
$this->assertEquals(401, $execution['headers']['status-code']);
$this->assertEquals(404, $execution['headers']['status-code']);
return [];
}

93
tests/e2e/Services/Storage/StorageCustomClientTest.php
View file

@ -49,13 +49,10 @@ class StorageCustomClientTest extends Scope
$this->assertEquals(201, $bucket['headers']['status-code']);
$this->assertNotEmpty($bucketId);
$roles = Authorization::getRoles();
Authorization::cleanRoles();
$file = $this->client->call(Client::METHOD_POST, '/storage/buckets/' . $bucketId . '/files', array_merge([
$file = $this->client->call(Client::METHOD_POST, '/storage/buckets/' . $bucketId . '/files', [
'content-type' => 'multipart/form-data',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()), [
], [
'fileId' => ID::unique(),
'file' => new CURLFile(realpath(__DIR__ . '/../../../resources/logo.png'), 'image/png', 'permissions.png'),
]);
@ -68,38 +65,47 @@ class StorageCustomClientTest extends Scope
$this->assertEquals('image/png', $file['body']['mimeType']);
$this->assertEquals(47218, $file['body']['sizeOriginal']);
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId, array_merge([
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()));
]);
$this->assertEquals(200, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/preview', array_merge([
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/preview', [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()));
]);
$this->assertEquals(200, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/download', array_merge([
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/download', [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()));
]);
$this->assertEquals(200, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/view', array_merge([
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/view', [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()));
]);
$this->assertEquals(200, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_DELETE, '/storage/buckets/' . $bucketId . '/files/' . $fileId, array_merge([
$file = $this->client->call(Client::METHOD_PUT, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()));
], [
'name' => 'permissions.png',
]);
$this->assertEquals(200, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_DELETE, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
]);
$this->assertEquals(204, $file['headers']['status-code']);
$this->assertEmpty($file['body']);
@ -173,6 +179,15 @@ class StorageCustomClientTest extends Scope
$this->assertEquals(200, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_PUT, '/storage/buckets/' . $bucketId . '/files/' . $fileId, array_merge([
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()), [
'name' => 'permissions.png',
]);
$this->assertEquals(200, $file['headers']['status-code']);
/**
* Test for FAILURE
*/
@ -289,6 +304,15 @@ class StorageCustomClientTest extends Scope
$this->assertEquals(200, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_PUT, '/storage/buckets/' . $bucketId . '/files/' . $fileId, array_merge([
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()), [
'name' => 'permissions.png',
]);
$this->assertEquals(200, $file['headers']['status-code']);
/**
* Test for FAILURE
*/
@ -297,7 +321,7 @@ class StorageCustomClientTest extends Scope
'x-appwrite-project' => $this->getProject()['$id'],
]);
$this->assertEquals($file['headers']['status-code'], 401);
$this->assertEquals(401, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_POST, '/storage/buckets/' . $bucketId . '/files', [
'content-type' => 'multipart/form-data',
@ -307,6 +331,15 @@ class StorageCustomClientTest extends Scope
'file' => new CURLFile(realpath(__DIR__ . '/../../../resources/logo.png'), 'image/png', 'permissions.png'),
]);
$this->client->call(CLient::METHOD_PUT, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], [
'name' => 'permissions.png',
]);
$this->assertEquals(401, $file['headers']['status-code']);
$this->assertEquals($file['headers']['status-code'], 401);
$file = $this->client->call(Client::METHOD_DELETE, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [
@ -583,35 +616,31 @@ class StorageCustomClientTest extends Scope
$this->assertEquals('image/png', $file1['body']['mimeType']);
$this->assertEquals(47218, $file1['body']['sizeOriginal']);
$roles = Authorization::getRoles();
Authorization::cleanRoles();
Authorization::setRole(Role::any()->toString());
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId, array_merge([
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()));
]);
$this->assertEquals(200, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/preview', array_merge([
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/preview', [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()));
]);
$this->assertEquals(200, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/download', array_merge([
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/download', [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()));
]);
$this->assertEquals(200, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/view', array_merge([
$file = $this->client->call(Client::METHOD_GET, '/storage/buckets/' . $bucketId . '/files/' . $fileId . '/view', [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()));
]);
$this->assertEquals(200, $file['headers']['status-code']);
@ -628,16 +657,12 @@ class StorageCustomClientTest extends Scope
$this->assertEquals(401, $file['headers']['status-code']);
$file = $this->client->call(Client::METHOD_DELETE, '/storage/buckets/' . $bucketId . '/files/' . $fileId, array_merge([
$file = $this->client->call(Client::METHOD_DELETE, '/storage/buckets/' . $bucketId . '/files/' . $fileId, [
'content-type' => 'application/json',
'x-appwrite-project' => $this->getProject()['$id'],
], $this->getHeaders()));
]);
$this->assertEquals(401, $file['headers']['status-code']);
foreach ($roles as $role) {
Authorization::setRole($role);
}
}
public function testFileUsersPermissions(): void