Merge branch '6.0' into 6.1
github-actions[bot] committed Sep 17, 2023
2 parents 16c3c51 + ca449db commit b1274c9
Showing 3 changed files with 51 additions and 23 deletions.
39 changes: 27 additions & 12 deletions code/Model/Submission/SubmittedFileField.php
Expand Up @@ -6,6 +6,8 @@
use SilverStripe\Control\Director;
use SilverStripe\ORM\FieldType\DBField;
use SilverStripe\Versioned\Versioned;
use SilverStripe\Security\Member;
use SilverStripe\Security\Security;

/**
* A file uploaded on a {@link UserDefinedForm} and attached to a single
Expand Down Expand Up @@ -41,27 +43,40 @@ public function getFormattedValue()
{
$name = $this->getFileName();
$link = $this->getLink(false);
$title = _t(__CLASS__ . '.DOWNLOADFILE', 'Download File');
$message = _t(__CLASS__ . '.INSUFFICIENTRIGHTS', 'You don\'t have the right permissions to download this file');
$file = $this->getUploadedFileFromDraft();

if ($link) {
if ($file->canView()) {
$title = _t(__CLASS__ . '.DOWNLOADFILE', 'Download File');
$file = $this->getUploadedFileFromDraft();
if (!$file->canView()) {
if (Security::getCurrentUser()) {
// Logged in CMS user without permissions to view file in the CMS
$default = 'You don\'t have the right permissions to download this file';
$message = _t(__CLASS__ . '..INSUFFICIENTRIGHTS', $default);
return DBField::create_field('HTMLText', sprintf(
'<i class="icon font-icon-lock"></i> %s - <em>%s</em>',
htmlspecialchars($name, ENT_QUOTES),
htmlspecialchars($message, ENT_QUOTES)
));
} else {
// Userforms submission filled in by non-logged in user being emailed to recipient
$message = _t(__CLASS__ . '.YOUMUSTBELOGGEDIN', 'You must be logged in to view this file');
return DBField::create_field('HTMLText', sprintf(
'%s - <a href="%s" target="_blank">%s</a> - <em>%s</em>',
htmlspecialchars($name, ENT_QUOTES),
htmlspecialchars($link, ENT_QUOTES),
htmlspecialchars($title, ENT_QUOTES),
htmlspecialchars($message, ENT_QUOTES)
));
}
} else {
// Logged in CMS user with permissions to view file in the CMS
return DBField::create_field('HTMLText', sprintf(
'%s - <a href="%s" target="_blank">%s</a>',
htmlspecialchars($name, ENT_QUOTES),
htmlspecialchars($link, ENT_QUOTES),
htmlspecialchars($title, ENT_QUOTES)
));
} else {
return DBField::create_field('HTMLText', sprintf(
'<i class="icon font-icon-lock"></i> %s - <em>%s</em>',
htmlspecialchars($name, ENT_QUOTES),
htmlspecialchars($message, ENT_QUOTES)
));
}
}

return false;
}

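Review bot: The translation key on the permissions-message line is built as `__CLASS__ . '..INSUFFICIENTRIGHTS'` with a doubled dot, so it no longer matches the `.INSUFFICIENTRIGHTS` key the old code used (and presumably the one in lang/en.yml); `_t()` will fall back to `$default` in every locale, which the test cannot catch because the default equals the English string. The line should read `$message = _t(__CLASS__ . '.INSUFFICIENTRIGHTS', $default);`. The added `use SilverStripe\Security\Member;` is not referenced anywhere in this hunk; if nothing outside the hunk uses it, drop it. Note also that the anonymous branch now renders the download link for a file whose `canView()` is false, so the method is relying on the asset store to enforce access when the link is followed rather than on its own check — that assumption is worth stating in the comment on that `else` branch, e.g. `// Link is emitted for the recipient; the asset store enforces canView when it is requested`.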
1 change: 1 addition & 0 deletions lang/en.yml
Expand Up @@ -328,6 +328,7 @@ en:
one: 'A Submitted File Field'
other: '{count} Submitted File Fields'
SINGULARNAME: 'Submitted File Field'
YOUMUSTBELOGGEDIN: 'You must be logged in to view this file'
has_one_UploadedFile: 'Uploaded file'
SilverStripe\UserForms\Model\Submission\SubmittedForm:
PLURALNAME: 'Submitted Forms'
34 changes: 23 additions & 11 deletions tests/php/Model/SubmittedFileFieldTest.php
Expand Up @@ -74,35 +74,47 @@ public function testGetFormattedValue()
// Set an explicit base URL so we get a reliable value for the test
Director::config()->set('alternate_base_url', 'http://mysite.com');
$fileName = $this->submittedFile->getFileName();
$message = "You don&#039;t have the right permissions to download this file";
$link = 'http://mysite.com/assets/3c01bdbb26/test-SubmittedFileFieldTest.txt';

$this->file->CanViewType = 'OnlyTheseUsers';
$this->file->write();

$this->loginWithPermission('ADMIN');
// Userforms submission filled in by non-logged in user being emailed to recipient
$this->logOut();
$this->assertEquals(
sprintf(
'%s - <a href="http://mysite.com/assets/3c01bdbb26/test-SubmittedFileFieldTest.txt" target="_blank">Download File</a>',
$fileName
'%s - <a href="%s" target="_blank">%s</a> - <em>%s</em>',
$fileName,
$link,
'Download File',
'You must be logged in to view this file'
),
$this->submittedFile->getFormattedValue()->value
);

$this->logOut();
$this->loginWithPermission('CMS_ACCESS_CMSMain');

// Logged in CMS user without permissions to view file in the CMS
$this->logInWithPermission('CMS_ACCESS_CMSMain');
$this->assertEquals(
sprintf(
'<i class="icon font-icon-lock"></i> %s - <em>%s</em>',
$fileName,
$message
'You don&#039;t have the right permissions to download this file'
),
$this->submittedFile->getFormattedValue()->value
);
$this->logOut();

$store = Injector::inst()->get(AssetStore::class);
$this->assertFalse(
$store->canView($fileName, $this->file->getHash()),
'Users without canView rights on the file should not have been session granted access to it'
// Logged in CMS user with permissions to view file in the CMS
$this->loginWithPermission('ADMIN');
$this->assertEquals(
sprintf(
'%s - <a href="%s" target="_blank">%s</a>',
$fileName,
$link,
'Download File'
),
$this->submittedFile->getFormattedValue()->value
);
}
}
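Review bot: The assertion that the asset store has not session-granted access to the protected file (`$store->canView($fileName, $this->file->getHash())` being false after `getFormattedValue()`) is removed in this hunk and not replaced, even though the new anonymous branch still calls `getUploadedFileFromDraft()` on a file whose `canView()` is false. That check was the regression guard against `getFormattedValue()` quietly widening access, so it should be re-added right after the logged-out assertion; the `Injector` and `AssetStore` imports are outside the hunk and are presumably still present. Separately, the hunk mixes `logInWithPermission` and `loginWithPermission`; if both are aliases on the test base class, use one spelling consistently.
```php
// … unchanged: logged-out assertEquals on the rendered link + message …
$store = Injector::inst()->get(AssetStore::class);
$this->assertFalse(
    $store->canView($fileName, $this->file->getHash()),
    'Users without canView rights on the file should not have been session granted access to it'
);
// … unchanged: CMS_ACCESS_CMSMain and ADMIN cases …
```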
