MAGETWO-95551: Adding restriction for controller

Author: ameysar

app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFiles.php

@@ -79,7 +79,7 @@ public function execute()
                 $filesystem = $this->_objectManager->get(\Magento\Framework\Filesystem::class);
                 $dir = $filesystem->getDirectoryRead(DirectoryList::MEDIA);
                 $filePath = $path . '/' . \Magento\Framework\File\Uploader::getCorrectFileName($file);
-                if ($dir->isFile($dir->getRelativePath($filePath)) && !preg_match('#^\.htaccess$#', $file)) {
+                if ($dir->isFile($dir->getRelativePath($filePath)) && !preg_match('/^\.htaccess$/', $file)) {
                     $this->getStorage()->deleteFile($filePath);
                 }
             }

dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFilesTest.php

@@ -60,10 +60,6 @@ protected function setUp()
         $this->mediaDirectory = $this->filesystem->getDirectoryWrite(DirectoryList::MEDIA);
         $this->model = $this->objectManager->get(\Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::class);
         $this->fullDirectoryPath = $this->imagesHelper->getStorageRoot() . '/directory1';
-        $path = $this->fullDirectoryPath . '/.htaccess';
-        if (!$this->mediaDirectory->isFile($path)) {
-            $this->mediaDirectory->writeFile($path, "Order deny,allow\nDeny from all");
-        }
     }
 
     /**
@@ -74,20 +70,15 @@ protected function setUp()
      */
     public function testExecute()
     {
-        $directoryName = 'directory1';
-        $fullDirectoryPath = $this->imagesHelper->getStorageRoot() . '/' . $directoryName;
-        $this->mediaDirectory->create($this->mediaDirectory->getRelativePath($fullDirectoryPath));
-        $filePath =  $fullDirectoryPath . DIRECTORY_SEPARATOR . $this->fileName;
+        $this->mediaDirectory->create($this->mediaDirectory->getRelativePath($this->fullDirectoryPath));
+        $filePath =  $this->fullDirectoryPath . DIRECTORY_SEPARATOR . $this->fileName;
         $fixtureDir = realpath(__DIR__ . '/../../../../../Catalog/_files');
         copy($fixtureDir . '/' . $this->fileName, $filePath);
 
-        $this->model->getRequest()->setMethod('POST')
-            ->setPostValue('files', [$this->imagesHelper->idEncode($this->fileName)]);
-        $this->model->getStorage()->getSession()->setCurrentPath($fullDirectoryPath);
-        $this->model->execute();
+        $this->executeFileDelete($this->fullDirectoryPath, $this->fileName);
         $this->assertFalse(
             $this->mediaDirectory->isExist(
-                $this->mediaDirectory->getRelativePath($fullDirectoryPath . '/' . $this->fileName)
+                $this->mediaDirectory->getRelativePath($this->fullDirectoryPath . '/' . $this->fileName)
             )
         );
     }
@@ -109,10 +100,7 @@ public function testExecuteWithLinkedMedia()
         copy($fixtureDir . '/' . $this->fileName, $filePath);
 
         $wysiwygDir = $this->mediaDirectory->getAbsolutePath() . '/wysiwyg';
-        $this->model->getRequest()->setMethod('POST')
-            ->setPostValue('files', [$this->imagesHelper->idEncode($this->fileName)]);
-        $this->model->getStorage()->getSession()->setCurrentPath($wysiwygDir);
-        $this->model->execute();
+        $this->executeFileDelete($wysiwygDir, $this->fileName);
         $this->assertFalse(is_file($fullDirectoryPath . DIRECTORY_SEPARATOR . $this->fileName));
     }
 
@@ -124,18 +112,64 @@ public function testExecuteWithLinkedMedia()
      */
     public function testDeleteHtaccess()
     {
-        $this->model->getRequest()->setMethod('POST')
-            ->setPostValue('files', [$this->imagesHelper->idEncode('.htaccess')]);
-        $this->model->getStorage()->getSession()->setCurrentPath($this->fullDirectoryPath);
-        $this->model->execute();
+        $this->createFile($this->fullDirectoryPath, '.htaccess');
+        $this->executeFileDelete($this->fullDirectoryPath, '.htaccess');
 
         $this->assertTrue(
             $this->mediaDirectory->isExist(
-                $this->mediaDirectory->getRelativePath($this->fullDirectoryPath . '/' . '.htaccess')
+                $this->mediaDirectory->getRelativePath($this->fullDirectoryPath . '/.htaccess')
+            )
+        );
+    }
+
+    /**
+     * Check that random file could be removed via
+     * \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::execute method
+     *
+     * @return void
+     */
+    public function testDeleteAnyFile()
+    {
+        $this->createFile($this->fullDirectoryPath, 'ahtaccess');
+        $this->executeFileDelete($this->fullDirectoryPath, 'ahtaccess');
+
+        $this->assertFalse(
+            $this->mediaDirectory->isExist(
+                $this->mediaDirectory->getRelativePath($this->fullDirectoryPath . '/ahtaccess')
             )
         );
     }
 
+    /**
+     * Create file.
+     *
+     * @param string $path
+     * @param string $fileName
+     * @return void
+     */
+    private function createFile(string $path, string $fileName)
+    {
+        $file = $path . '/' . $fileName;
+        if (!$this->mediaDirectory->isFile($file)) {
+            $this->mediaDirectory->writeFile($file, 'Content');
+        }
+    }
+
+    /**
+     * Execute file delete operation.
+     *
+     * @param string $path
+     * @param string $fileName
+     * @return void
+     */
+    private function executeFileDelete(string $path, string $fileName)
+    {
+        $this->model->getRequest()->setMethod('POST')
+            ->setPostValue('files', [$this->imagesHelper->idEncode($fileName)]);
+        $this->model->getStorage()->getSession()->setCurrentPath($path);
+        $this->model->execute();
+    }
+
     /**
      * @inheritdoc
      */