BUG Don't auto grant session access when resampling images

silverstripe · Feb 17, 2022 · 78987e9 · 78987e9
1 parent 0f28fdd
commit 78987e9
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 4 deletions.
diff --git a/src/ImageManipulation.php b/src/ImageManipulation.php
@@ -303,11 +303,10 @@ public function updateURL(&$url)
 
         // Only update if resampled file is a smaller file size
         if ($resampled->getAbsoluteSize() < $this->getAbsoluteSize()) {
-            $url = $resampled->getURL();
+            $url = $resampled->getURL(false);
         }
     }
 
-
     /**
      * Generate a resized copy of this image with the given width & height.
      * This can be used in templates with $ResizedImage but should be avoided,
@@ -705,7 +704,7 @@ public function ThumbnailURL($width, $height)
     {
         $thumbnail = $this->Thumbnail($width, $height);
         if ($thumbnail) {
-            return $thumbnail->getURL();
+            return $thumbnail->getURL(false);
         }
         return $this->getIcon();
     }
@@ -1130,7 +1129,7 @@ protected function getDefaultAttributes(): array
                 'width' => $this->getWidth(),
                 'height' => $this->getHeight(),
                 'alt' => $this->getTitle(),
-                'src' => $this->getURL()
+                'src' => $this->getURL(false)
             ];
 
             if ($this->IsLazyLoaded()) {

diff --git a/tests/php/ImageManipulationTest.php b/tests/php/ImageManipulationTest.php
@@ -427,4 +427,28 @@ public function testRender(string $template, string $expected)
             trim($image->renderWith(SSViewer::fromString($template)))
         );
     }
+
+    public function testThumbnailURL()
+    {
+        $img = $this->objFromFixture(Image::class, 'imageWithTitle');
+
+        // File needs to be in draft and users need to be anonymous to test the access
+        $this->logOut();
+        $img->doUnpublish();
+
+        $fileUrl = 'folder/444065542b/test-image__FillWzEwLDEwXQ.png';
+
+        $this->assertEquals(
+            '/assets/' . $fileUrl,
+            $img->ThumbnailURL(10, 10),
+            'Thumbnail URL is correct'
+        );
+
+        /** @var AssetStore assetStore */
+        $assetStore = Injector::inst()->get(AssetStore::class);
+        $this->assertFalse(
+            $assetStore->isGranted($fileUrl),
+            'Current user should not automatically be granted access to view thumbnail'
+        );
+    }
 }
diff --git a/tests/php/ImageTest.php b/tests/php/ImageTest.php
@@ -231,6 +231,32 @@ public function testForceResample()
         $this->assertNotEquals($imageHQ->getURL(), $imageHQR->getSourceURL(), 'Path to the original image file was returned by getURL()');
     }
 
+    /**
+     * Tests that a URL to a resampled image is provided when force_resample is
+     * set to true, if the resampled file is smaller than the original.
+     */
+    public function testUpdateURL()
+    {
+        // Test resampled file is served when force_resample = true
+        Config::modify()->set(Image::class, 'force_resample', true);
+
+        $imageHQ = $this->objFromFixture(Image::class, 'highQualityJPEG');
+
+        // File needs to be in draft and users need to be anonymous to test the access
+        $this->logOut();
+        $imageHQ->doUnpublish();
+
+        $url = '';
+        $imageHQ->updateURL($url);
+
+        /** @var AssetStore assetStore */
+        $assetStore = Injector::inst()->get(AssetStore::class);
+        $this->assertFalse(
+            $assetStore->isGranted('folder/a870de278b/test-image-high-quality__Resampled.jpg'),
+            'Current user should not automatically be granted access to resampled image'
+        );
+    }
+
     public function testImageResize()
     {
         $image = $this->objFromFixture(Image::class, 'imageWithoutTitle');