MAGETWO-95550: Adding restriction for controller

Author: SeruyV

app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFiles.php

@@ -82,7 +82,7 @@ public function execute()
                 $filesystem = $this->_objectManager->get(\Magento\Framework\Filesystem::class);
                 $dir = $filesystem->getDirectoryRead(DirectoryList::MEDIA);
                 $filePath = $path . '/' . \Magento\Framework\File\Uploader::getCorrectFileName($file);
-                if ($dir->isFile($dir->getRelativePath($filePath)) && !preg_match('#.htaccess#', $file)) {
+                if ($dir->isFile($dir->getRelativePath($filePath)) && !preg_match('/^\\.htaccess$/', $file)) {
                     $this->getStorage()->deleteFile($filePath);
                 }
             }

dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFilesTest.php

@@ -54,10 +54,6 @@ protected function setUp()
         $filePath =  $this->fullDirectoryPath . DIRECTORY_SEPARATOR . $this->fileName;
         $fixtureDir = realpath(__DIR__ . '/../../../../../Catalog/_files');
         copy($fixtureDir . '/' . $this->fileName, $filePath);
-        $path = '/.htaccess';
-        if (!$this->mediaDirectory->isFile($path)) {
-            $this->mediaDirectory->writeFile($path, "Order deny,allow\nDeny from all");
-        }
         $this->model = $objectManager->get(\Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::class);
     }
 
@@ -95,21 +91,54 @@ public static function tearDownAfterClass()
     }
 
     /**
-     * Check that htaccess file couldn't be removed via
+     * Creates file and tried to delete it via
      * \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::execute method
      *
+     * @param  string $fileName
      * @return void
      */
-    public function testDeleteHtaccess()
+    private function createFileAndExecuteDelete($fileName)
     {
+        $path = '/' . $fileName;
+        if (!$this->mediaDirectory->isFile($path)) {
+            $this->mediaDirectory->writeFile($path, "Order deny,allow\nDeny from all");
+        }
         $this->model->getRequest()->setMethod('POST')
-            ->setPostValue('files', [$this->imagesHelper->idEncode('.htaccess')]);
-        $this->model->getStorage()->getSession()->setCurrentPath($this->fullDirectoryPath);
+            ->setPostValue('files', [$this->imagesHelper->idEncode($fileName)]);
+        $this->model->getStorage()->getSession()->setCurrentPath($this->mediaDirectory->getAbsolutePath());
         $this->model->execute();
+    }
 
+    /**
+     * Check that htaccess file couldn't be removed via
+     * \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::execute method
+     *
+     * @return void
+     */
+    public function testCouldNotDeleteHtaccess()
+    {
+        $fileName = '.htaccess';
+        $this->createFileAndExecuteDelete($fileName);
         $this->assertTrue(
             $this->mediaDirectory->isExist(
-                $this->mediaDirectory->getRelativePath('/' . '.htaccess')
+                $this->mediaDirectory->getRelativePath('/' . $fileName)
+            )
+        );
+    }
+
+    /**
+     * Check that random file could be removed via
+     * \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::execute method
+     *
+     * @return void
+     */
+    public function testDeleteAnyFile()
+    {
+        $fileName = 'thtaccess';
+        $this->createFileAndExecuteDelete($fileName);
+        $this->assertFalse(
+            $this->mediaDirectory->isExist(
+                $this->mediaDirectory->getRelativePath('/' . $fileName)
             )
         );
     }