// Excerpt: checks each submitted file ID before it is accepted as the value of
// a managed-file form element. The enclosing function and the closing braces
// of the blocks opened below are outside this excerpt.
if(!empty($input['fids'])){
  $fids = [];
  foreach($input['fids']as$fid){
    // IDs that do not load to a File entity are skipped; they are never added
    // to $fids.
    if($file = File::load($fid)){
      $fids[] = $file->id();
      // A file that fails the 'download' access check sets $force_default and
      // ends the loop, so later IDs in the submission are not examined.
      // NOTE(review): how $force_default is consumed is not visible here;
      // presumably the submitted value is discarded -- confirm in the caller.
      if(!$file->access('download')){
        $force_default = TRUE;
        break;
      }
      // Temporary files that belong to other users should never be
      // allowed.
      if($file->isTemporary()){
        // NOTE(review): `!=` is a loose comparison; presumably deliberate
        // because the two IDs may differ in type (string vs. int) -- confirm
        // before tightening it.
        if($file->getOwnerId() != \Drupal::currentUser()->id()){
          $force_default = TRUE;
          break;
        }
        // Since file ownership can't be determined for anonymous users,
        // they are not allowed to reuse temporary files at all. But
        // they do need to be able to reuse their own files from earlier
        // submissions of the same form, so to allow that, check for the
        // token added by $this->processManagedFile().
        elseif(\Drupal::currentUser()->isAnonymous()){
          // Reads the per-file 'fid_token' value from the raw user input at
          // the element's #parents path. This value is client-supplied; the
          // comparison against the expected token is outside this excerpt.
          $token = NestedArray::getValue($form_state->getUserInput(), array_merge($element['#parents'], ['file_' . $file->id(), 'fid_token']));
// Excerpt from a media library upload test: the file starts out temporary and
// the add form enforces its required fields before the media item is saved.
// The '[data-input]' attribute is absent from the add form before the upload
// and present once a file has been added.
$assert_session->elementNotExists('css', '.js-media-library-add-form[data-input]');
$this->addMediaFileToField('Add files', $this->container->get('file_system')->realpath($png_image->uri));
$this->assertMediaAdded();
$assert_session->elementExists('css', '.js-media-library-add-form[data-input]');
// We do not have pre-selected items, so the container should not be added
// to the form.
$assert_session->pageTextNotContains('Additional selected media');
// Files are temporary until the form is saved.
// The last file returned by loadMultiple() is inspected; presumably that is
// the file uploaded above -- confirm against the test fixture.
$files = $file_storage->loadMultiple();
$file = array_pop($files);
$this->assertSame('public://type-three-dir', $file_system->dirname($file->getFileUri()));
$this->assertTrue($file->isTemporary());
// Assert the revision_log_message field is not shown.
$upload_form = $assert_session->elementExists('css', '.js-media-library-add-form');
$assert_session->fieldNotExists('Revision log message', $upload_form);
// Assert the name field contains the filename and the alt text is required.
$assert_session->fieldValueEquals('Name', $png_image->filename);
// The first save attempt is expected to surface the required-field error;
// the second, after the alternative text is filled in, is expected to pass.
$this->pressSaveButton(TRUE);
$this->waitForText('Alternative text field is required');
$page->fillField('Alternative text', $this->randomString());
$this->pressSaveButton();
$this->assertJsCondition('jQuery("input[name=\'media_library_select_form[0]\']").is(":focus")');
// The file should be permanent now.
// Step 2: create the Media entity using the File, which makes the File entity
// permanent.
parent::testPost();
// Reload the file from storage and check that its status moved from temporary
// to permanent.
// NOTE(review): the file ID 3 is hard-coded; presumably it is the file created
// in an earlier step outside this excerpt -- confirm.
$file = $file_storage->loadUnchanged(3);
$this->assertFalse($file->isTemporary());
$this->assertTrue($file->isPermanent());
}
/**
* Tests the 'file_upload' REST resource plugin.
*
* This test duplicates some of the 'file_upload' REST resource plugin test
* coverage.
*
* @see \Drupal\Tests\rest\Functional\FileUploadResourceTestBase
*/
// Ensure the first and replaced second files are untouched.
// NOTE(review): only the first file is checked in this excerpt.
$file = File::load($first_fid);
$this->assertTrue($file->isPermanent(), 'First file still exists and is permanent.');
// Ensure the file status of the third file is now temporary.
$file = File::load($third_fid);
$this->assertTrue($file->isTemporary());
// Delete all translations.
$this->drupalGet('node/' . $default_language_node->id() . '/delete');
$this->submitForm([], 'Delete all translations');
// Ensure the status of all files is now temporary, i.e. the file is no longer
// marked permanent once the delete form has been submitted.
// NOTE(review): only the first file is re-checked in this excerpt.
$file = File::load($first_fid);
$this->assertTrue($file->isTemporary(), 'First file still exists and is temporary.');
// Test the file again but using 'filename' in the Content-Disposition
// header with no 'file' prefix.
// The upload is expected to succeed (201) and the entity is expected to carry
// the name 'example_0.txt' rather than the client-supplied 'example.txt'.
// NOTE(review): presumably the suffix comes from de-duplication against an
// earlier upload of the same name outside this excerpt -- confirm.
$response = $this->fileRequest($uri, $this->testFileData, ['Content-Disposition' => 'filename="example.txt"']);
$this->assertSame(201, $response->getStatusCode());
$expected = $this->getExpectedNormalizedEntity(2, 'example_0.txt');
$this->assertResponseData($expected, $response);
// Verify that we can create an entity that references the uploaded file.
// Builds the POST URL for the entity_test REST resource in the format under
// test, then merges the authentication options for a POST request into the
// request options.
$entity_test_post_url = Url::fromRoute('rest.entity.entity_test.POST')
  ->setOption('query', ['_format' => static::$format]);
$request_options = [];
$request_options[RequestOptions::HEADERS]['Content-Type'] = static::$mimeType;
$request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions('POST'));
// Call file_cron() to clean up the file. Make sure the changed timestamp
// of the file is older than the system.file.temporary_maximum_age
// configuration value. We use an UPDATE statement because using the API
// would set the timestamp.
// The row in 'file_managed' is written directly: 'changed' is set one second
// further back than the configured maximum age. The remainder of this
// statement and the cron call itself are outside this excerpt.
Database::getConnection()->update('file_managed')
  ->fields([
    'changed' => REQUEST_TIME - ($this->config('system.file')->get('temporary_maximum_age') + 1),
  ])
  ->condition('fid', $file->id())
// Excerpt from a test of cross-user temporary file handling: one account owns
// an unsaved (temporary) upload and a second account submits its own upload.
// The assertions about what the second account can reference are outside this
// excerpt.
$test_file = $this->getTestFile('text');
$type = 'no-js';
// Create a temporary file owned by the victim user. This will be as if
// they had uploaded the file, but not saved the node they were editing
// or creating.
$victim_tmp_file = $this->createTemporaryFile('some text', $victim_user);
// Reload the entity by ID before asserting on its status, ID and owner.
$victim_tmp_file = File::load($victim_tmp_file->id());
$this->assertTrue($victim_tmp_file->isTemporary(), 'New file saved to disk is temporary.');
$this->assertNotEmpty($victim_tmp_file->id(), 'New file has an fid.');
$this->assertEquals($victim_user->id(), $victim_tmp_file->getOwnerId(), 'New file belongs to the victim.');
// Have attacker create a new node with a different uploaded file and
// ensure it got uploaded successfully.
$edit = [
  'title[0][value]' => $type . '-title',
];
// Attach a file to a node.
// The form key is built from $field_name, which is defined outside this
// excerpt; the value is the real filesystem path of the test file.
$edit['files[' . $field_name . '_0]'] = $this->container->get('file_system')->realpath($test_file->getFileUri());
// Ensure the first and replaced second files are untouched.
// NOTE(review): only the first file is checked in this excerpt.
$file = File::load($first_fid);
$this->assertTrue($file->isPermanent(), 'First file still exists and is permanent.');
// Ensure the file status of the third file is now temporary.
$file = File::load($third_fid);
$this->assertTrue($file->isTemporary());
// Delete all translations.
$this->drupalGet('node/' . $default_language_node->id() . '/delete');
$this->submitForm([], 'Delete all translations');
// Ensure the status of all files is now temporary, i.e. the file is no longer
// marked permanent once the delete form has been submitted.
// NOTE(review): only the first file is re-checked in this excerpt.
$file = File::load($first_fid);
$this->assertTrue($file->isTemporary(), 'First file still exists and is temporary.');
// Test the file again but using 'filename' in the Content-Disposition
// header with no 'file' prefix.
// The upload is expected to succeed (201) and the document is expected to
// carry the name 'example_0.txt' rather than the client-supplied
// 'example.txt'.
// NOTE(review): presumably the suffix comes from de-duplication against an
// earlier upload of the same name outside this excerpt -- confirm.
$response = $this->fileRequest($uri, $this->testFileData, ['Content-Disposition' => 'filename="example.txt"']);
$this->assertSame(201, $response->getStatusCode());
$expected = $this->getExpectedDocument(2, 'example_0.txt');
$this->assertResponseData($expected, $response);
// Verify that we can create an entity that references the uploaded file.
// Builds the JSON:API collection POST URL for entity_test, sets the JSON:API
// media type as Content-Type, and merges the test's authentication options
// into the request options.
$entity_test_post_url = Url::fromRoute('jsonapi.entity_test--entity_test.collection.post');
$request_options = [];
$request_options[RequestOptions::HEADERS]['Content-Type'] = 'application/vnd.api+json';
$request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions());