
Add allowed file type definition to all locations with file upload option for students


    Details

    • Testing Instructions:

      1) Setup config to allow only certain files

      php admin/cli/cfg.php --name='allowedfiletypes' --set='png, pdf'
      

      • Download the attached zip file MDL-54716_Testing, and extract it, for use with testing this tracker.

      Test uploading files with drag and drop

      2) Visit /user/files.php

      • Verify that there is text underneath the drag and drop box stating 'Accepted file types:'
      • Verify that the only allowed types are 'Image (PNG)' and 'PDF Document'
      • Attempt to drag and drop the blank.txt document from the extracted zip download.
      • Verify that a popup states 'Text file filetype cannot be accepted'
      • Close the window, and verify that the file is not inside of the draft area
      • Drag in the test.pdf file.
      • Verify that the file uploads to the draft area.
      • Click 'Save Changes' and submit the page.
      • Verify that the file just uploaded is still in the files area.
      • Attempt to drag and drop the emptyextension file.
      • Verify that there is an error message 'File filetype cannot be accepted.'.
      • Verify that the pdf is still the only file in the testing area.
      • This shows that empty files are correctly handled by being denied.

      Test uploading files with filepicker

      3) Visit /user/files.php

      • Click the 'Add' button in the top of the files window.
      • Click on 'Upload a file'
      • Browse to the blank.txt document from step 2
      • Click 'Upload this file'
      • Verify that you get the same error message as in Step 2 'Text file filetype cannot be accepted'
      • Close the filepicker
      • Verify that the blank.txt file is not in the files area

      Test uploading from editor

      4) Visit /user/editadvanced.php?id=2 to edit the Admin profile

      • Go to the editor window for 'Description'
      • Click 'Image' in the editor bar, then click 'Browse repositories'
      • Click Upload a file, and browse to the test.png file, and attempt to upload the file.
      • Tick 'Description not necessary', then click 'Save image', and verify that the image is now embedded in the description.
      • Click again on image, and attempt to upload the test.jpg file.
      • Verify that you receive an error message, stating 'Image (JPEG) filetype cannot be accepted'
      • This shows that the restrictions are being applied on top of the 'web_image' type restrictions that already existed, which allows both PNG and JPG

      5) Remain in the Description editor of the profile page

      • Click 'Insert H5P' inside the editor bar.
      • Click Browse repositories
      • Verify that no repositories are listed.
      • Verify there is a message stating 'Sorry, none of your current repositories can return files in the required format.'
      • Close this message
      • In a terminal, set the config to allow .h5p items.
      • php admin/cli/cfg.php --name='allowedfiletypes' --set='png, pdf, h5p'

      • Reload the profile page
      • Attempt to add a H5P to the editor again.
      • Verify that repositories now appear.
      • Click on upload a file
      • Attempt to upload a .png file.
      • Verify there is an error message stating 'Image (PNG) filetype cannot be accepted.'
      • This shows that the restriction on the filetype still doesn't allow non-h5p files.
      • Attempt to upload the blank.h5p file.
      • Verify that you are able to upload and save the H5P, and a placeholder H5P element is embedded in the description.
      • This means the file passed the file extension check.
      • Delete the H5P placeholder element.

      6) Remain in the Description editor of the profile page

      • Click on Manage Files
      • Verify that the file manager states all the filetypes that can be accepted, H5P, PNG and PDF.

      Test filemanager with restrictions already applied

      7) Go to the User Picture section of the profile

      • Verify that the file manager has text underneath that states accepted types is only (PNG).
      • This shows that the previous restriction, 'all web images' is now being further restricted, but PDFs still aren't allowed.
      • Attempt to drag and drop the test.jpg file to the file area.
      • Verify you receive an error 'Image (JPEG) filetype cannot be accepted'.
      • Drop in a test.png file.
      • Verify it uploads correctly.
      • Click 'Update Profile' and revisit the page.
      • Verify the User picture is now the uploaded test.png.

      Test assignment upload with restrictions in place.

      8) Visit the Assignment File submission settings page /admin/settings.php?section=assignsubmission_file#

      • Set the 'filetypes' control to 'image, video, pdf'.
      • Click save changes, and verify that underneath the control there is now a list of all image file extensions, video file extensions, and PDF documents.
      • Visit /course/edit.php?category=0
      • Fill in the course creation form with dummy data.
      • Visit the course just created.
      • Turn on editing mode.
      • Click on 'Add an activity or resource' inside any section.
      • Add a new assignment mod
      • Fill in the assignment with dummy data
      • Create a test user, and enrol them in the test course just created.
      • Login as the test user, and attempt to make a submission for the assignment just created.
      • Verify that the file types accepted are 'Image (PNG)' and 'PDF Document'.
      • Now edit the assignment settings again, and set the allowed filetypes control to empty.
      • Log back in as the test user, and attempt to make a submission for the assignment.
      • Verify that the file types accepted are 'Image (PNG)', 'PDF Document' and .H5P
      • This shows that the file restrictions work with both broad types (image) and specific types (pdf) and union with other restrictions.

      Test uploading archive and unzipping banned filetypes

      9) Add .zip to the list of allowed file types and remove .png (the command below makes .zip the only allowed type):

      php admin/cli/cfg.php --name='allowedfiletypes' --set='zip'

      • Log back in as the admin user (or whichever account was in use before).
      • Go to /user/files.php
      • Delete any files present from earlier steps.
      • Upload the provided test.zip file.
      • Click on the zip file in the draft area, then click unzip in the popup.
      • Verify that a PNG has been extracted into the draft area.
      • Click 'Save changes' at the bottom of the page.
      • Verify that there is validation text underneath the file area 'Some files (test.png) cannot be uploaded. Only file types of .zip are allowed'

      Test that filelib will drop files after validation

      10) As a defence against any missed attack vectors, filelib will drop any illegal files when attempting to save them.

      • With the .zip still extracted and inside the file area, edit the file /lib/form/filemanager.php
      • In the function validateSubmitValue, immediately return:

            public function validateSubmitValue($value) {
                return;

                if (empty($value)) {
            ...

      • Click 'Save changes' on the files page.
      • Verify validation now passed.
      • Verify that the extracted PNG file was not saved, and that the only file in the draft area is the test.zip file.
      • Verify that there is an error notification on the page, stating 'A file was unable to be saved due to a forbidden file type.'
      • Remove the added return line in lib/form/filemanager.php, restoring:

            public function validateSubmitValue($value) {

                if (empty($value)) {
            ...
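      The checks that steps 2, 4, 7, 8, 9 and 10 exercise (rejecting files with no extension, intersecting the site-wide restriction with a form's own filetypes, and re-validating archive members and dropping forbidden files at save time) can be modelled in a few functions. The following Python is an added example, not Moodle's code: the type-group table, the human-readable type names and every function name are constructed approximations of what the steps above describe, and the sample zip is built inline rather than taken from the attachment.

```python
"""Model of layered allowed-file-type checks, written to illustrate the test
plan above. Constructed example: this is not Moodle's code, and the type-group
table, descriptions and helper names are assumptions that only approximate
Moodle's own."""
import io
import zipfile

# Constructed subset of a file-type group table (Moodle's real table is larger).
TYPE_GROUPS = {
    "image": {"png", "jpg", "jpeg", "gif", "svg"},
    "web_image": {"png", "jpg", "jpeg", "gif", "svg"},
    "video": {"mp4", "webm"},
}

# Human-readable names used in the error messages the test plan expects.
DESCRIPTIONS = {
    "png": "Image (PNG)",
    "jpg": "Image (JPEG)",
    "pdf": "PDF Document",
    "txt": "Text file",
}


def parse_allowed(spec):
    """Expand a comma-separated spec such as 'png, pdf' or 'image, video, pdf'
    into a set of lowercase extensions. An empty spec or '*' means no
    restriction and is returned as None."""
    tokens = [t.strip().lower().lstrip(".") for t in spec.split(",") if t.strip()]
    if not tokens or tokens == ["*"]:
        return None
    allowed = set()
    for token in tokens:
        allowed |= TYPE_GROUPS.get(token, {token})
    return allowed


def effective_allowed(*specs):
    """Intersect every restriction layer (site-wide setting, form-level
    filetypes, element-level restriction). A file must satisfy all of them,
    so a looser layer never widens what a stricter one allows."""
    result = None
    for spec in specs:
        layer = parse_allowed(spec)
        if layer is None:
            continue
        result = layer if result is None else result & layer
    return result


def extension_of(filename):
    """Extension after the last dot, lowercased; '' when there is none."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name or name.endswith("."):
        return ""
    return name.rsplit(".", 1)[1].lower()


def check_file(filename, allowed):
    """Return (accepted, message). A file with no extension is rejected
    unless there is no restriction at all."""
    if allowed is None:
        return True, ""
    ext = extension_of(filename)
    if ext in allowed:
        return True, ""
    label = DESCRIPTIONS.get(ext, "." + ext.upper()) if ext else "File"
    return False, f"{label} filetype cannot be accepted."


def drop_forbidden(filenames, allowed):
    """Save-time fallback: keep only files that pass the check and report the
    ones dropped, so a bypass of form validation still cannot persist a
    forbidden type."""
    kept, dropped = [], []
    for name in filenames:
        (kept if check_file(name, allowed)[0] else dropped).append(name)
    return kept, dropped


def make_sample_zip():
    """Constructed stand-in for the test.zip attachment: one PNG inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("test.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


def unzip_then_validate(zip_bytes, allowed):
    """Treat extracted members like fresh uploads: they must pass the same
    check the archive itself passed, which is what step 9 verifies."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
    return drop_forbidden(members, allowed)


if __name__ == "__main__":
    site = "png, pdf, h5p"
    print(sorted(effective_allowed(site, "image, video, pdf")))  # ['pdf', 'png']
    print(check_file("blank.txt", parse_allowed("png, pdf")))
    print(check_file("emptyextension", parse_allowed("png, pdf")))
    print(unzip_then_validate(make_sample_zip(), parse_allowed("zip")))
```

      The point the model makes explicit is that the layers are intersected, not unioned: with the site set to 'png, pdf, h5p' and an assignment set to 'image, video, pdf', only PNG and PDF survive, and a form element whose own restriction is 'web_image' narrows a site-wide 'png, pdf' to PNG alone. Archive members are passed through the same check as the archive itself, and drop_forbidden stands in for the filelib fallback of step 10.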

      Test that filegroup restrictions work

      11) Visit the Site Security Settings at /admin/settings.php?section=sitepolicies

      • Go to 'Allowed upload file types'
      • Click 'Choose'
      • Untick .zip, and tick 'Image files used on the web'
      • Click save changes on the chooser, then save changes on the settings page.
      • Visit /user/files.php
      • Verify that the accepted filetypes now list 'Image (GIF), (JPEG), (PNG), (SVG+XML)'
      • Attempt to drag and drop the blank.txt file onto the file area.
      • Verify the error message 'Text file filetype cannot be accepted.'
      • This shows that file categories are also functional inside the admin settings.

      Test that drag and drop inside courses is restricted

      12) Visit the test course you created earlier /course/view.php

      • Enter editing mode from the cog menu.
      • Attempt to drag and drop the test.png file onto the header section of the course, where 'Add file(s) here' appears.
      • Verify the file correctly is embedded inside the course.
      • Click on the file.
      • Verify you are sent to mod/resource/view.php for the file you just uploaded.
      • Go back in your browser, to the course page.
      • Attempt to drag and drop the blank.txt document onto the header section.
      • Verify that the add section now reads 'The file could not be uploaded, filetype is not accepted. Please try a different file.'
      • Verify that the blank.txt is not present on the page.
      • Attempt to drag and drop the test.png file onto the page again.
      • Verify that the error message disappears and is replaced with the 'Add files' text again.
      • Drop the png onto the page again.
      • Verify the upload is successful as before.
    • Difficulty:
      Moderate
    • Affected Branches:
      MOODLE_32_STABLE, MOODLE_36_STABLE
      Description

      With 3.1 it's possible to define which file types are allowed when students upload files in the workshop activity. This feature should be added to all activity types with a file upload option for students. Generally, similar features should work in a similar way with the same functionality everywhere.
      If the mustache concept is used, it should be simple to add this to the activities.

              People

              Assignee:
              peterburnett Peter Burnett
              Reporter:
              ralfh Ralf Hilgenstock
              Peer reviewer:
              Brendan Heywood
              Participants:
              Component watchers:
              Matteo Scaramuccia, Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias