Folders.

tests/acceptance/dashboard_tests.rb

@@ -0,0 +1,26 @@
+require_relative './environment.rb'
+
+describe 'dashboard' do
+  describe 'create directory' do
+
+    describe 'logged in' do
+
+      include Capybara::DSL
+
+      before do
+        Capybara.reset_sessions!
+        @site = Fabricate :site
+        page.set_rack_session id: @site.id
+      end
+
+      it 'creates a base directory' do
+        visit '/dashboard'
+        click_link 'New Folder'
+        fill_in 'name', with: 'testimages'
+        click_button 'Create'
+        page.must_have_content /testimages/
+        File.directory?(@site.files_path('testimages')).must_equal true
+      end
+    end
+  end
+end

tests/acceptance/environment.rb

@@ -0,0 +1,7 @@
+require_relative '../environment'
+
+Capybara.app = Sinatra::Application
+
+def teardown
+  Capybara.reset_sessions!
+end

tests/acceptance/index_tests.rb

@@ -0,0 +1,11 @@
+require_relative './environment.rb'
+
+describe 'index' do
+  include Capybara::DSL
+  it 'goes to signup' do
+    Capybara.reset_sessions!
+    visit '/'
+    click_button 'Create My Website'
+    page.must_have_content('Create a New Website')
+  end
+end

tests/acceptance/settings_tests.rb

@@ -0,0 +1,44 @@
+require_relative './environment.rb'
+
+describe 'site/settings' do
+  describe 'change username' do
+    include Capybara::DSL
+
+    def visit_signup
+      visit '/'
+      click_button 'Create My Website'
+    end
+
+    def fill_in_valid
+      @site = Fabricate.attributes_for(:site)
+      fill_in 'username', with: @site[:username]
+      fill_in 'password', with: @site[:password]
+      fill_in 'email',    with: @site[:email]
+    end
+
+    before do
+      Capybara.reset_sessions!
+      visit_signup
+    end
+
+    it 'does not allow bad usernames' do
+      visit '/'
+      click_button 'Create My Website'
+      fill_in_valid
+      click_button 'Create Home Page'
+      visit '/settings'
+      fill_in 'name', with: ''
+      click_button 'Change Name'
+      fill_in 'name', with: '../hack'
+      click_button 'Change Name'
+      fill_in 'name', with: 'derp../hack'
+      click_button 'Change Name'
+      ## TODO fix this without screwing up legacy sites
+      #fill_in 'name', with: '-'
+      #click_button 'Change Name'
+      page.must_have_content /valid.+name.+required/i
+      Site[username: @site[:username]].wont_equal nil
+      Site[username: ''].must_equal nil
+    end
+  end
+end

tests/acceptance/signin_tests.rb

@@ -0,0 +1,53 @@
+require_relative './environment.rb'
+
+describe 'signin' do
+  include Capybara::DSL
+
+  def fill_in_valid
+    @site = Fabricate.attributes_for :site
+    fill_in 'username', with: @site[:username]
+    fill_in 'password', with: @site[:password]
+  end
+
+  def fill_in_valid_signup
+    fill_in_valid
+    fill_in 'email', with: @site[:email]
+  end
+
+  before do
+    Capybara.reset_sessions!
+  end
+
+  it 'fails for invalid login' do
+    visit '/'
+    click_link 'Sign In'
+    page.must_have_content 'Welcome Back'
+    fill_in_valid
+    click_button 'Sign In'
+    page.must_have_content 'Invalid login'
+  end
+
+  it 'fails for missing login' do
+    visit '/'
+    click_link 'Sign In'
+    auth = {username: SecureRandom.hex, password: Faker::Internet.password}
+    fill_in 'username', with: auth[:username]
+    fill_in 'password', with: auth[:password]
+    click_button 'Sign In'
+    page.must_have_content 'Invalid login'
+  end
+
+  it 'logs in with proper credentials' do
+    visit '/'
+    click_button 'Create My Website'
+    fill_in_valid_signup
+    click_button 'Create Home Page'
+    Capybara.reset_sessions!
+    visit '/'
+    click_link 'Sign In'
+    fill_in 'username', with: @site[:username]
+    fill_in 'password', with: @site[:password]
+    click_button 'Sign In'
+    page.must_have_content 'Your Feed'
+  end
+end

tests/acceptance/signup_tests.rb

@@ -1,61 +1,4 @@
-require_relative './environment'
-
-Capybara.app = Sinatra::Application
-
-def teardown
-  Capybara.reset_sessions!
-  Capybara.use_default_driver
-end
-
-describe 'index' do
-  include Capybara::DSL
-  it 'goes to signup' do
-    visit '/'
-    click_button 'Create My Website'
-    page.must_have_content('Create a New Website')
-  end
-end
-
-describe 'change username' do
-  include Capybara::DSL
-
-  def visit_signup
-    visit '/'
-    click_button 'Create My Website'
-  end
-
-  def fill_in_valid
-    @site = Fabricate.attributes_for(:site)
-    fill_in 'username', with: @site[:username]
-    fill_in 'password', with: @site[:password]
-    fill_in 'email',    with: @site[:email]
-  end
-
-  before do
-    Capybara.reset_sessions!
-    visit_signup
-  end
-
-  it 'does not allow bad usernames' do
-    visit '/'
-    click_button 'Create My Website'
-    fill_in_valid
-    click_button 'Create Home Page'
-    visit '/settings'
-    fill_in 'name', with: ''
-    click_button 'Change Name'
-    fill_in 'name', with: '../hack'
-    click_button 'Change Name'
-    fill_in 'name', with: 'derp../hack'
-    click_button 'Change Name'
-    ## TODO fix this without screwing up legacy sites
-    #fill_in 'name', with: '-'
-    #click_button 'Change Name'
-    page.must_have_content /valid.+name.+required/i
-    Site[username: @site[:username]].wont_equal nil
-    Site[username: ''].must_equal nil
-  end
-end
+require_relative './environment.rb'
 
 describe 'signup' do
   include Capybara::DSL
@@ -215,56 +158,4 @@ describe 'signup' do
     page.must_have_content 'Your Feed'
     Site.last.tags.collect {|t| t.name}.must_equal ['derpie', 'shoujo']
   end
-end
-
-describe 'signin' do
-  include Capybara::DSL
-
-  def fill_in_valid
-    @site = Fabricate.attributes_for :site
-    fill_in 'username', with: @site[:username]
-    fill_in 'password', with: @site[:password]
-  end
-
-  def fill_in_valid_signup
-    fill_in_valid
-    fill_in 'email', with: @site[:email]
-  end
-
-  before do
-    Capybara.reset_sessions!
-  end
-
-  it 'fails for invalid login' do
-    visit '/'
-    click_link 'Sign In'
-    page.must_have_content 'Welcome Back'
-    fill_in_valid
-    click_button 'Sign In'
-    page.must_have_content 'Invalid login'
-  end
-
-  it 'fails for missing login' do
-    visit '/'
-    click_link 'Sign In'
-    auth = {username: SecureRandom.hex, password: Faker::Internet.password}
-    fill_in 'username', with: auth[:username]
-    fill_in 'password', with: auth[:password]
-    click_button 'Sign In'
-    page.must_have_content 'Invalid login'
-  end
-
-  it 'logs in with proper credentials' do
-    visit '/'
-    click_button 'Create My Website'
-    fill_in_valid_signup
-    click_button 'Create Home Page'
-    Capybara.reset_sessions!
-    visit '/'
-    click_link 'Sign In'
-    fill_in 'username', with: @site[:username]
-    fill_in 'password', with: @site[:password]
-    click_button 'Sign In'
-    page.must_have_content 'Your Feed'
-  end
-end
+end

tests/api_tests.rb

@@ -84,17 +84,17 @@ describe 'api delete' do
     res[:error_type].must_equal 'cannot_delete_index'
   end
 
-  it 'fails with bad filename' do
+  it 'succeeds with weird filenames' do
     create_site
     basic_authorize @user, @pass
     @site.store_file 't$st.jpg', Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
     post '/api/delete', filenames: ['t$st.jpg']
-    res[:error_type].must_equal 'bad_filename'
+    res[:result].must_equal 'success'
 
     create_site
     basic_authorize @user, @pass
     post '/api/delete', filenames: ['./config.yml']
-    res[:error_type].must_equal 'bad_filename'
+    res[:error_type].must_equal 'missing_files'
   end
 
   it 'fails with missing files' do
@@ -137,13 +137,59 @@ describe 'api upload' do
     res[:error_type].must_equal 'missing_files'
   end
 
-  it 'fails for invalid filenames' do
+  it 'resists directory traversal attack' do
     create_site
     basic_authorize @user, @pass
     post '/api/upload', {
       '../lol.jpg' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
     }
-    res[:error_type].must_equal 'bad_filename'
+    res[:result].must_equal 'success'
+    File.exist?(File.join(Site::SITE_FILES_ROOT, @site.username, 'lol.jpg')).must_equal true
+  end
+
+  it 'scrubs root path slash' do
+    create_site
+    basic_authorize @user, @pass
+    post '/api/upload', {
+      '/lol.jpg' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
+    }
+    res[:result].must_equal 'success'
+    File.exist?(File.join(Site::SITE_FILES_ROOT, @site.username, 'lol.jpg')).must_equal true
+  end
+
+  it 'fails for missing file name' do
+    create_site
+    basic_authorize @user, @pass
+    post '/api/upload', {
+      '/' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
+    }
+    res[:error_type].must_equal 'invalid_file_type'
+
+    create_site
+    basic_authorize @user, @pass
+    post '/api/upload', {
+      '' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
+    }
+    res[:error_type].must_equal 'missing_files'
+  end
+
+  it 'fails for file with no extension' do
+    create_site
+    basic_authorize @user, @pass
+    post '/api/upload', {
+      'derpie' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
+    }
+    res[:error_type].must_equal 'invalid_file_type'
+  end
+
+  it 'creates path for file uploads' do
+    create_site
+    basic_authorize @user, @pass
+    post '/api/upload', {
+      'derpie/derpingtons/lol.jpg' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
+    }
+    res[:result].must_equal 'success'
+    File.exist?(@site.files_path('derpie/derpingtons/lol.jpg')).must_equal true
   end
 
   it 'fails for invalid files' do
@@ -180,7 +226,7 @@ describe 'api upload' do
 end
 
 def site_file_exists?(file)
-  File.exist?(@site.file_path('test.jpg'))
+  File.exist?(@site.files_path('test.jpg'))
 end
 
 def res

tests/environment.rb

@@ -9,18 +9,23 @@ end
 
 SimpleCov.command_name 'minitest'
 
+require 'rack_session_access'
 require './environment'
-require 'webmock'
-include WebMock::API
 require './app'
 
 Bundler.require :test
 
 #require 'minitest/pride'
 require 'minitest/autorun'
-
 require 'sidekiq/testing'
 
+Sinatra::Application.configure do |app|
+  app.use RackSessionAccess::Middleware
+end
+
+require 'capybara/poltergeist'
+require 'rack_session_access/capybara'
+
 Site.bcrypt_cost = BCrypt::Engine::MIN_COST
 
 MiniTest::Reporters.use! MiniTest::Reporters::SpecReporter.new

tests/site_file_tests.rb

@@ -0,0 +1,33 @@
+require_relative './environment.rb'
+require 'rack/test'
+
+include Rack::Test::Methods
+
+def app
+  Sinatra::Application
+end
+
+describe 'site_files' do
+  describe 'upload' do
+    it 'succeeds with valid file' do
+      site = Fabricate :site
+      post '/site_files/upload', {
+        'files[]' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg'),
+        'csrf_token' => 'abcd'
+      }, {'rack.session' => { 'id' => site.id, '_csrf_token' => 'abcd' }}
+      last_response.body.must_match /successfully uploaded/i
+      File.exists?(site.files_path('test.jpg')).must_equal true
+    end
+
+    it 'works with directory path' do
+      site = Fabricate :site
+      post '/site_files/upload', {
+        'dir' => 'derpie/derptest',
+        'files[]' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg'),
+        'csrf_token' => 'abcd'
+      }, {'rack.session' => { 'id' => site.id, '_csrf_token' => 'abcd' }}
+      last_response.body.must_match /successfully uploaded/i
+      File.exists?(site.files_path('derpie/derptest/test.jpg')).must_equal true
+    end
+  end
+end