Merge pull request #814 from nextcloud/bugfix/780/secure-view-compatibility

nickvergessen · web-flow · commit 2fe7b02e59ba · 2025-11-11T19:57:22.000+01:00
test: Add an integration test with richdocuments
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -26,6 +26,7 @@ jobs:
         php-versions: ['8.4']
         databases: ['sqlite', 'mysql', 'pgsql']
         server-versions: ['master']
+        richdocuments-versions: ['main']
         primary-storage: ['local', 'minio']
 
     name: php${{ matrix.php-versions }}-${{ matrix.databases }}-${{ matrix.server-versions }}-${{ matrix.primary-storage}}
@@ -70,6 +71,14 @@ jobs:
           persist-credentials: false
           path: apps/${{ env.APP_NAME }}
 
+      - name: Checkout app (richdocuments)
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          path: apps/richdocuments
+          repository: nextcloud/richdocuments
+          ref: ${{ matrix.richdocuments-versions }}
+
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
         with:
@@ -91,6 +100,10 @@ jobs:
         working-directory: apps/${{ env.APP_NAME }}/tests/Integration
         run: composer i
 
+      - name: Set up dependencies (richdocuments)
+        working-directory: apps/richdocuments
+        run: composer i --no-dev
+
       - name: Set up Nextcloud for S3 primary storage
         if: matrix.primary-storage == 'minio'
         run: |
diff --git a/.github/workflows/phpunit-mariadb.yml b/.github/workflows/phpunit-mariadb.yml
@@ -71,6 +71,7 @@ jobs:
         php-versions: ${{ fromJson(needs.matrix.outputs.php-version) }}
         server-versions: ${{ fromJson(needs.matrix.outputs.server-max) }}
         mariadb-versions: ['10.6', '11.4']
+        richdocuments-versions: ['main']
 
     name: MariaDB ${{ matrix.mariadb-versions }} PHP ${{ matrix.php-versions }} Nextcloud ${{ matrix.server-versions }}
 
@@ -104,6 +105,14 @@ jobs:
           persist-credentials: false
           path: apps/${{ env.APP_NAME }}
 
+      - name: Checkout app (richdocuments)
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          path: apps/richdocuments
+          repository: nextcloud/richdocuments
+          ref: ${{ matrix.richdocuments-versions }}
+
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2.34.1
         with:
@@ -136,6 +145,10 @@ jobs:
           composer remove nextcloud/ocp --dev --no-scripts
           composer i
 
+      - name: Set up dependencies (richdocuments)
+        working-directory: apps/richdocuments
+        run: composer i --no-dev
+
       - name: Set up Nextcloud
         env:
           DB_PORT: 4444
diff --git a/.github/workflows/phpunit-mysql.yml b/.github/workflows/phpunit-mysql.yml
@@ -32,7 +32,7 @@ jobs:
         id: versions
         uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.3.1
         with:
-          matrix: '{"mysql-versions": ["8.4"]}'
+          matrix: '{"mysql-versions": ["8.4"], "richdocuments-versions": ["main"]}'
 
   changes:
     runs-on: ubuntu-latest-low
@@ -102,6 +102,14 @@ jobs:
           persist-credentials: false
           path: apps/${{ env.APP_NAME }}
 
+      - name: Checkout app (richdocuments)
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          path: apps/richdocuments
+          repository: nextcloud/richdocuments
+          ref: ${{ matrix.richdocuments-versions }}
+
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2.34.1
         with:
@@ -134,6 +142,10 @@ jobs:
           composer remove nextcloud/ocp --dev --no-scripts
           composer i
 
+      - name: Set up dependencies (richdocuments)
+        working-directory: apps/richdocuments
+        run: composer i --no-dev
+
       - name: Set up Nextcloud
         env:
           DB_PORT: 4444
diff --git a/.github/workflows/phpunit-oci.yml b/.github/workflows/phpunit-oci.yml
@@ -70,6 +70,7 @@ jobs:
       matrix:
         php-versions: ${{ fromJson(needs.matrix.outputs.php-version) }}
         server-versions: ${{ fromJson(needs.matrix.outputs.server-max) }}
+        richdocuments-versions: ['main']
 
     name: OCI PHP ${{ matrix.php-versions }} Nextcloud ${{ matrix.server-versions }}
 
@@ -115,6 +116,14 @@ jobs:
           persist-credentials: false
           path: apps/${{ env.APP_NAME }}
 
+      - name: Checkout app (richdocuments)
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          path: apps/richdocuments
+          repository: nextcloud/richdocuments
+          ref: ${{ matrix.richdocuments-versions }}
+
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2.34.1
         with:
@@ -142,6 +151,10 @@ jobs:
           composer remove nextcloud/ocp --dev --no-scripts
           composer i
 
+      - name: Set up dependencies (richdocuments)
+        working-directory: apps/richdocuments
+        run: composer i --no-dev
+
       - name: Set up Nextcloud
         env:
           DB_PORT: 1521
diff --git a/.github/workflows/phpunit-pgsql.yml b/.github/workflows/phpunit-pgsql.yml
@@ -70,6 +70,7 @@ jobs:
       matrix:
         php-versions: ${{ fromJson(needs.matrix.outputs.php-version) }}
         server-versions: ${{ fromJson(needs.matrix.outputs.server-max) }}
+        richdocuments-versions: ['main']
 
     name: PostgreSQL PHP ${{ matrix.php-versions }} Nextcloud ${{ matrix.server-versions }}
 
@@ -105,6 +106,14 @@ jobs:
           persist-credentials: false
           path: apps/${{ env.APP_NAME }}
 
+      - name: Checkout app (richdocuments)
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          path: apps/richdocuments
+          repository: nextcloud/richdocuments
+          ref: ${{ matrix.richdocuments-versions }}
+
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2.34.1
         with:
@@ -132,6 +141,10 @@ jobs:
           composer remove nextcloud/ocp --dev --no-scripts
           composer i
 
+      - name: Set up dependencies (richdocuments)
+        working-directory: apps/richdocuments
+        run: composer i --no-dev
+
       - name: Set up Nextcloud
         env:
           DB_PORT: 4444
diff --git a/.github/workflows/phpunit-sqlite.yml b/.github/workflows/phpunit-sqlite.yml
@@ -70,6 +70,7 @@ jobs:
       matrix:
         php-versions: ${{ fromJson(needs.matrix.outputs.php-version) }}
         server-versions: ${{ fromJson(needs.matrix.outputs.server-max) }}
+        richdocuments-versions: ['main']
 
     name: SQLite PHP ${{ matrix.php-versions }} Nextcloud ${{ matrix.server-versions }}
 
@@ -94,6 +95,14 @@ jobs:
           persist-credentials: false
           path: apps/${{ env.APP_NAME }}
 
+      - name: Checkout app (richdocuments)
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          path: apps/richdocuments
+          repository: nextcloud/richdocuments
+          ref: ${{ matrix.richdocuments-versions }}
+
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@0f7f1d08e3e32076e51cae65eb0b0c871405b16e # v2.34.1
         with:
@@ -121,6 +130,10 @@ jobs:
           composer remove nextcloud/ocp --dev --no-scripts
           composer i
 
+      - name: Set up dependencies (richdocuments)
+        working-directory: apps/richdocuments
+        run: composer i --no-dev
+
       - name: Set up Nextcloud
         env:
           DB_PORT: 4444
diff --git a/tests/Integration/features/bootstrap/FeatureContext.php b/tests/Integration/features/bootstrap/FeatureContext.php
@@ -45,6 +45,8 @@ class FeatureContext implements Context {
 	protected string $tagId = '';
 	protected array $createdUsers = [];
 
+	protected array $changedConfigs = [];
+
 	/**
 	 * FeatureContext constructor.
 	 */
@@ -61,6 +63,12 @@ public function cleanUpBetweenTests() {
 		$this->setCurrentUser('admin');
 		$this->sendingTo('DELETE', '/apps/files_accesscontrol_testing');
 		$this->assertStatusCode($this->response, 200);
+
+		foreach ($this->changedConfigs as $appId => $configs) {
+			foreach ($configs as $config) {
+				$this->sendingTo('DELETE', '/apps/provisioning_api/api/v1/config/apps/' . $appId . '/' . $config);
+			}
+		}
 	}
 
 	/**
@@ -133,6 +141,20 @@ public function userSharesFile(string $sharer, string $file, string $sharee): vo
 		]);
 	}
 
+	/**
+	 * @Given /^user "([^"]*)" shares file "([^"]*)" publicly$/
+	 */
+	public function userSharesFilePublicly(string $sharer, string $file): void {
+		$this->setCurrentUser($sharer);
+		$this->sendingToWith('POST', '/apps/files_sharing/api/v1/shares', [
+			'path' => $file,
+			'permissions' => 19,
+			'shareType' => 3,
+		]);
+		$responseBody = json_decode($this->response->getBody()->getContents(), true, flags: JSON_THROW_ON_ERROR);
+		$this->lastShareData = $responseBody['ocs']['data'];
+	}
+
 	// ChecksumsContext
 	/**
 	 * @Then The webdav response should have a status code :statusCode
@@ -150,6 +172,18 @@ public function theWebdavResponseShouldHaveAStatusCode($statusCode) {
 		}
 	}
 
+
+	#[\Behat\Step\Given('the following :appId app config is set')]
+	public function setAppConfig(string $appId, TableNode $formData): void {
+		$this->setCurrentUser('admin');
+		foreach ($formData->getRows() as $row) {
+			$this->sendingToWith('POST', '/apps/provisioning_api/api/v1/config/apps/' . $appId . '/' . $row[0], [
+				'value' => $row[1],
+			]);
+			$this->changedConfigs[$appId][] = $row[0];
+		}
+	}
+
 	/**
 	 * User management
 	 */
diff --git a/tests/Integration/features/bootstrap/WebDav.php b/tests/Integration/features/bootstrap/WebDav.php
@@ -20,6 +20,7 @@ trait WebDav {
 	/** @var int */
 	private $storedFileID = null;
 	private array $trashedFiles = [];
+	protected array $lastShareData = [];
 
 	/**
 	 * @Given /^using dav path "([^"]*)"$/
@@ -141,7 +142,7 @@ public function downloadFileWithRange($fileSource, $range) {
 	 * @param string $range
 	 */
 	public function downloadPublicFileWithRange($range) {
-		$token = $this->lastShareData->data->token;
+		$token = $this->lastShareData['token'];
 		$fullUrl = $this->baseUrl . 'public.php/webdav';
 
 		$client = new GClient();
@@ -151,15 +152,19 @@ public function downloadPublicFileWithRange($range) {
 			'Range' => $range
 		];
 
-		$this->response = $client->request('GET', $fullUrl, $options);
+		try {
+			$this->response = $client->request('GET', $fullUrl, $options);
+		} catch (\GuzzleHttp\Exception\ClientException $e) {
+			$this->response = $e->getResponse();
+		}
 	}
 
 	/**
 	 * @When /^Downloading last public shared file inside a folder "([^"]*)" with range "([^"]*)"$/
 	 * @param string $range
 	 */
 	public function downloadPublicFileInsideAFolderWithRange($path, $range) {
-		$token = $this->lastShareData->data->token;
+		$token = $this->lastShareData['token'];
 		$fullUrl = $this->baseUrl . 'public.php/webdav' . "$path";
 
 		$client = new GClient();
@@ -170,7 +175,11 @@ public function downloadPublicFileInsideAFolderWithRange($path, $range) {
 		];
 		$options['auth'] = [$token, ''];
 
-		$this->response = $client->request('GET', $fullUrl, $options);
+		try {
+			$this->response = $client->request('GET', $fullUrl, $options);
+		} catch (\GuzzleHttp\Exception\ClientException $e) {
+			$this->response = $e->getResponse();
+		}
 	}
 
 	/**
@@ -190,8 +199,13 @@ public function downloadedContentShouldBe($content) {
 	 */
 	public function checkPropForFile($file, $prefix, $prop, $value) {
 		$elementList = $this->propfindFile($this->currentUser, $file, "<$prefix:$prop/>");
-		$property = $elementList['/' . $this->getDavFilesPath($this->currentUser) . $file][200]["{DAV:}$prop"];
-		Assert::assertEquals($property, $value);
+		if ($prefix === 'oc') {
+			$prefix = '{http://owncloud.org/ns}';
+		} else {
+			$prefix = '{DAV:}';
+		}
+		$property = $elementList['/' . $this->getDavFilesPath($this->currentUser) . $file][200]["$prefix$prop"];
+		Assert::assertEquals($value, $property);
 	}
 
 	/**
diff --git a/tests/Integration/features/mimetypes.feature b/tests/Integration/features/mimetypes.feature
@@ -5,7 +5,7 @@
     Given as user "test1"
     And using new dav path
 
-   Scenario: Can properly block path detected mimetypes for application/javscript
+   Scenario: Can properly block path detected mimetypes for application/javascript
     And user "admin" creates global flow with 200
     | name      | Admin flow                       |
     | class     | OCA\FilesAccessControl\Operation |
diff --git a/tests/Integration/features/sharing-user.feature b/tests/Integration/features/sharing-user.feature
@@ -172,3 +172,35 @@ Feature: Sharing user
     And The webdav response should have a status code "404"
     And user "test2" should see following elements
       | /nextcloud2.txt |
+
+  Scenario: Downloading is still blocked when Secure View is enabled
+    Given the following files app config is set
+      | watermark_enabled | yes |
+    Given User "test1" uploads file "data/textfile.txt" to "/foobar.txt"
+    And The webdav response should have a status code "201"
+    And user "test1" shares file "/foobar.txt" with user "test2"
+    And as user "test2"
+    When File "/foobar.txt" should have prop "oc:permissions" equal to "SRGDNVW"
+    When Downloading file "/foobar.txt"
+    Then The webdav response should have a status code "200"
+    When Downloading file "/foobar.txt" with range "1-4"
+    Then The webdav response should have a status code "200"
+    And user "test1" shares file "/foobar.txt" publicly
+    And as user "test2"
+    When Downloading last public shared file with range "1-4"
+    Then The webdav response should have a status code "200"
+    And user "admin" creates global flow with 200
+      | name      | Admin flow                       |
+      | class     | OCA\FilesAccessControl\Operation |
+      | entity    | OCA\WorkflowEngine\Entity\File   |
+      | events    | []                               |
+      | operation | deny                             |
+      | checks-0  | {"class":"OCA\\\\WorkflowEngine\\\\Check\\\\FileMimeType", "operator": "is", "value": "text/plain"} |
+    And as user "test2"
+    When File "/foobar.txt" should have prop "oc:permissions" equal to "SRD"
+    When Downloading file "/foobar.txt"
+    Then The webdav response should have a status code "404"
+    When Downloading file "/foobar.txt" with range "1-4"
+    Then The webdav response should have a status code "404"
+    When Downloading last public shared file with range "1-4"
+    Then The webdav response should have a status code "404"
diff --git a/tests/Integration/run.sh b/tests/Integration/run.sh
@@ -16,6 +16,7 @@ composer install
 cp -R ./app "../../../${APP_NAME}_testing"
 ${ROOT_DIR}/occ app:enable $APP_NAME
 ${ROOT_DIR}/occ app:enable --force "${APP_NAME}_testing"
+${ROOT_DIR}/occ app:enable --force richdocuments
 ${ROOT_DIR}/occ app:list | grep $APP_NAME
 
 export TEST_SERVER_URL="http://localhost:8080/"
