coolify/tests/Unit/Policies/S3StoragePolicyTest.php

<?php

use App\Models\S3Storage;
use App\Models\User;
use App\Policies\S3StoragePolicy;

it('allows team member to view S3 storage from their team', function () {
    $teams = collect([
        (object) ['id' => 1, 'pivot' => (object) ['role' => 'member']],
    ]);

    $user = Mockery::mock(User::class)->makePartial();
    $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);

    $storage = Mockery::mock(S3Storage::class)->makePartial();
    $storage->shouldReceive('getAttribute')->with('team_id')->andReturn(1);
    $storage->team_id = 1;

    $policy = new S3StoragePolicy;
    expect($policy->view($user, $storage))->toBeTrue();
});

it('denies team member to view S3 storage from another team', function () {
    $teams = collect([
        (object) ['id' => 1, 'pivot' => (object) ['role' => 'owner']],
    ]);

    $user = Mockery::mock(User::class)->makePartial();
    $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);

    $storage = Mockery::mock(S3Storage::class)->makePartial();
    $storage->shouldReceive('getAttribute')->with('team_id')->andReturn(2);
    $storage->team_id = 2;

    $policy = new S3StoragePolicy;
    expect($policy->view($user, $storage))->toBeFalse();
});

it('allows team admin to update S3 storage from their team', function () {
    $teams = collect([
        (object) ['id' => 1, 'pivot' => (object) ['role' => 'admin']],
    ]);

    $user = Mockery::mock(User::class)->makePartial();
    $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);

    $storage = Mockery::mock(S3Storage::class)->makePartial();
    $storage->shouldReceive('getAttribute')->with('team_id')->andReturn(1);
    $storage->team_id = 1;

    $policy = new S3StoragePolicy;
    expect($policy->update($user, $storage))->toBeTrue();
});

it('denies team member to update S3 storage from another team', function () {
    $teams = collect([
        (object) ['id' => 1, 'pivot' => (object) ['role' => 'admin']],
    ]);

    $user = Mockery::mock(User::class)->makePartial();
    $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);

    $storage = Mockery::mock(S3Storage::class)->makePartial();
    $storage->shouldReceive('getAttribute')->with('team_id')->andReturn(2);
    $storage->team_id = 2;

    $policy = new S3StoragePolicy;
    expect($policy->update($user, $storage))->toBeFalse();
});

it('allows team member to delete S3 storage from their team', function () {
    $teams = collect([
        (object) ['id' => 1, 'pivot' => (object) ['role' => 'member']],
    ]);

    $user = Mockery::mock(User::class)->makePartial();
    $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);

    $storage = Mockery::mock(S3Storage::class)->makePartial();
    $storage->shouldReceive('getAttribute')->with('team_id')->andReturn(1);
    $storage->team_id = 1;

    $policy = new S3StoragePolicy;
    expect($policy->delete($user, $storage))->toBeTrue();
});

it('denies team member to delete S3 storage from another team', function () {
    $teams = collect([
        (object) ['id' => 1, 'pivot' => (object) ['role' => 'owner']],
    ]);

    $user = Mockery::mock(User::class)->makePartial();
    $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);

    $storage = Mockery::mock(S3Storage::class)->makePartial();
    $storage->shouldReceive('getAttribute')->with('team_id')->andReturn(2);
    $storage->team_id = 2;

    $policy = new S3StoragePolicy;
    expect($policy->delete($user, $storage))->toBeFalse();
});

it('allows admin to create S3 storage', function () {
    $user = Mockery::mock(User::class)->makePartial();
    $user->shouldReceive('isAdmin')->andReturn(true);

    $policy = new S3StoragePolicy;
    expect($policy->create($user))->toBeTrue();
});

it('denies non-admin to create S3 storage', function () {
    $user = Mockery::mock(User::class)->makePartial();
    $user->shouldReceive('isAdmin')->andReturn(false);

    $policy = new S3StoragePolicy;
    expect($policy->create($user))->toBeFalse();
});

it('allows team member to validate connection of S3 storage from their team', function () {
    $teams = collect([
        (object) ['id' => 1, 'pivot' => (object) ['role' => 'member']],
    ]);

    $user = Mockery::mock(User::class)->makePartial();
    $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);

    $storage = Mockery::mock(S3Storage::class)->makePartial();
    $storage->shouldReceive('getAttribute')->with('team_id')->andReturn(1);
    $storage->team_id = 1;

    $policy = new S3StoragePolicy;
    expect($policy->validateConnection($user, $storage))->toBeTrue();
});

it('denies team member to validate connection of S3 storage from another team', function () {
    $teams = collect([
        (object) ['id' => 1, 'pivot' => (object) ['role' => 'admin']],
    ]);

    $user = Mockery::mock(User::class)->makePartial();
    $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);

    $storage = Mockery::mock(S3Storage::class)->makePartial();
    $storage->shouldReceive('getAttribute')->with('team_id')->andReturn(2);
    $storage->team_id = 2;

    $policy = new S3StoragePolicy;
    expect($policy->validateConnection($user, $storage))->toBeFalse();
});
feat: streamline S3 restore with single-step flow and improved UI consistency Major architectural improvements: - Merged download and restore into single atomic operation - Eliminated separate S3DownloadFinished event (redundant) - Files now transfer directly: S3 → helper container → server → database container - Removed download progress tracking in favor of unified restore progress UI/UX improvements: - Unified restore method selection with visual cards - Consistent "File Information" display between local and S3 restore - Single slide-over for all restore operations (removed separate S3 download monitor) - Better visual feedback with loading states Security enhancements: - Added isSafeTmpPath() helper for path traversal protection - URL decode validation to catch encoded attacks - Canonical path resolution to prevent symlink attacks - Comprehensive path validation in all cleanup events Cleanup improvements: - S3RestoreJobFinished now handles all cleanup (helper container + all temp files) - RestoreJobFinished uses new isSafeTmpPath() validation - CoolifyTask dispatches cleanup events even on job failure - All cleanup uses non-throwing commands (2>/dev/null \|\| true) Other improvements: - S3 storage policy authorization on Show component - Storage Form properly syncs is_usable state after test - Removed debug code and improved error handling - Better command organization and documentation 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-17 09:05:18 +00:00			`<?php`

			`use App\Models\S3Storage;`
			`use App\Models\User;`
			`use App\Policies\S3StoragePolicy;`

			`it('allows team member to view S3 storage from their team', function () {`
			`$teams = collect([`
			`(object) ['id' => 1, 'pivot' => (object) ['role' => 'member']],`
			`]);`

			`$user = Mockery::mock(User::class)->makePartial();`
			`$user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);`

			`$storage = Mockery::mock(S3Storage::class)->makePartial();`
			`$storage->shouldReceive('getAttribute')->with('team_id')->andReturn(1);`
			`$storage->team_id = 1;`

			`$policy = new S3StoragePolicy;`
			`expect($policy->view($user, $storage))->toBeTrue();`
			`});`

			`it('denies team member to view S3 storage from another team', function () {`
			`$teams = collect([`
			`(object) ['id' => 1, 'pivot' => (object) ['role' => 'owner']],`
			`]);`

			`$user = Mockery::mock(User::class)->makePartial();`
			`$user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);`

			`$storage = Mockery::mock(S3Storage::class)->makePartial();`
			`$storage->shouldReceive('getAttribute')->with('team_id')->andReturn(2);`
			`$storage->team_id = 2;`

			`$policy = new S3StoragePolicy;`
			`expect($policy->view($user, $storage))->toBeFalse();`
			`});`

			`it('allows team admin to update S3 storage from their team', function () {`
			`$teams = collect([`
			`(object) ['id' => 1, 'pivot' => (object) ['role' => 'admin']],`
			`]);`

			`$user = Mockery::mock(User::class)->makePartial();`
			`$user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);`

			`$storage = Mockery::mock(S3Storage::class)->makePartial();`
			`$storage->shouldReceive('getAttribute')->with('team_id')->andReturn(1);`
			`$storage->team_id = 1;`

			`$policy = new S3StoragePolicy;`
			`expect($policy->update($user, $storage))->toBeTrue();`
			`});`

			`it('denies team member to update S3 storage from another team', function () {`
			`$teams = collect([`
			`(object) ['id' => 1, 'pivot' => (object) ['role' => 'admin']],`
			`]);`

			`$user = Mockery::mock(User::class)->makePartial();`
			`$user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);`

			`$storage = Mockery::mock(S3Storage::class)->makePartial();`
			`$storage->shouldReceive('getAttribute')->with('team_id')->andReturn(2);`
			`$storage->team_id = 2;`

			`$policy = new S3StoragePolicy;`
			`expect($policy->update($user, $storage))->toBeFalse();`
			`});`

			`it('allows team member to delete S3 storage from their team', function () {`
			`$teams = collect([`
			`(object) ['id' => 1, 'pivot' => (object) ['role' => 'member']],`
			`]);`

			`$user = Mockery::mock(User::class)->makePartial();`
			`$user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);`

			`$storage = Mockery::mock(S3Storage::class)->makePartial();`
			`$storage->shouldReceive('getAttribute')->with('team_id')->andReturn(1);`
			`$storage->team_id = 1;`

			`$policy = new S3StoragePolicy;`
			`expect($policy->delete($user, $storage))->toBeTrue();`
			`});`

			`it('denies team member to delete S3 storage from another team', function () {`
			`$teams = collect([`
			`(object) ['id' => 1, 'pivot' => (object) ['role' => 'owner']],`
			`]);`

			`$user = Mockery::mock(User::class)->makePartial();`
			`$user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);`

			`$storage = Mockery::mock(S3Storage::class)->makePartial();`
			`$storage->shouldReceive('getAttribute')->with('team_id')->andReturn(2);`
			`$storage->team_id = 2;`

			`$policy = new S3StoragePolicy;`
			`expect($policy->delete($user, $storage))->toBeFalse();`
			`});`

			`it('allows admin to create S3 storage', function () {`
			`$user = Mockery::mock(User::class)->makePartial();`
			`$user->shouldReceive('isAdmin')->andReturn(true);`

			`$policy = new S3StoragePolicy;`
			`expect($policy->create($user))->toBeTrue();`
			`});`

			`it('denies non-admin to create S3 storage', function () {`
			`$user = Mockery::mock(User::class)->makePartial();`
			`$user->shouldReceive('isAdmin')->andReturn(false);`

			`$policy = new S3StoragePolicy;`
			`expect($policy->create($user))->toBeFalse();`
			`});`

			`it('allows team member to validate connection of S3 storage from their team', function () {`
			`$teams = collect([`
			`(object) ['id' => 1, 'pivot' => (object) ['role' => 'member']],`
			`]);`

			`$user = Mockery::mock(User::class)->makePartial();`
			`$user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);`

			`$storage = Mockery::mock(S3Storage::class)->makePartial();`
			`$storage->shouldReceive('getAttribute')->with('team_id')->andReturn(1);`
			`$storage->team_id = 1;`

			`$policy = new S3StoragePolicy;`
			`expect($policy->validateConnection($user, $storage))->toBeTrue();`
			`});`

			`it('denies team member to validate connection of S3 storage from another team', function () {`
			`$teams = collect([`
			`(object) ['id' => 1, 'pivot' => (object) ['role' => 'admin']],`
			`]);`

			`$user = Mockery::mock(User::class)->makePartial();`
			`$user->shouldReceive('getAttribute')->with('teams')->andReturn($teams);`

			`$storage = Mockery::mock(S3Storage::class)->makePartial();`
			`$storage->shouldReceive('getAttribute')->with('team_id')->andReturn(2);`
			`$storage->team_id = 2;`

			`$policy = new S3StoragePolicy;`
			`expect($policy->validateConnection($user, $storage))->toBeFalse();`
			`});`