MAGETWO-95550: Adding restriction for controller

SeruyV · SeruyV · commit b8daea7bc7f9 · 2018-10-23T17:12:55.000+03:00
diff --git a/app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFiles.php b/app/code/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFiles.php
@@ -82,7 +82,7 @@ public function execute()
                 $filesystem = $this->_objectManager->get(\Magento\Framework\Filesystem::class);
                 $dir = $filesystem->getDirectoryRead(DirectoryList::MEDIA);
                 $filePath = $path . '/' . \Magento\Framework\File\Uploader::getCorrectFileName($file);
-                if ($dir->isFile($dir->getRelativePath($filePath))) {
+                if ($dir->isFile($dir->getRelativePath($filePath)) && !preg_match('#.htaccess#', $file)) {
                     $this->getStorage()->deleteFile($filePath);
                 }
             }
diff --git a/dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFilesTest.php b/dev/tests/integration/testsuite/Magento/Cms/Controller/Adminhtml/Wysiwyg/Images/DeleteFilesTest.php
@@ -54,6 +54,10 @@ protected function setUp()
         $filePath =  $this->fullDirectoryPath . DIRECTORY_SEPARATOR . $this->fileName;
         $fixtureDir = realpath(__DIR__ . '/../../../../../Catalog/_files');
         copy($fixtureDir . '/' . $this->fileName, $filePath);
+        $path = '/.htaccess';
+        if (!$this->mediaDirectory->isFile($path)) {
+            $this->mediaDirectory->writeFile($path, "Order deny,allow\nDeny from all");
+        }
         $this->model = $objectManager->get(\Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::class);
     }
 
@@ -89,4 +93,24 @@ public static function tearDownAfterClass()
             $directory->delete('wysiwyg');
         }
     }
+
+    /**
+     * Check that htaccess file couldn't be removed via
+     * \Magento\Cms\Controller\Adminhtml\Wysiwyg\Images\DeleteFiles::execute method
+     *
+     * @return void
+     */
+    public function testDeleteHtaccess()
+    {
+        $this->model->getRequest()->setMethod('POST')
+            ->setPostValue('files', [$this->imagesHelper->idEncode('.htaccess')]);
+        $this->model->getStorage()->getSession()->setCurrentPath($this->fullDirectoryPath);
+        $this->model->execute();
+
+        $this->assertTrue(
+            $this->mediaDirectory->isExist(
+                $this->mediaDirectory->getRelativePath('/' . '.htaccess')
+            )
+        );
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ public function execute()`
`82`	`82`	`$filesystem = $this->_objectManager->get(\Magento\Framework\Filesystem::class);`
`83`	`83`	`$dir = $filesystem->getDirectoryRead(DirectoryList::MEDIA);`
`84`	`84`	`$filePath = $path . '/' . \Magento\Framework\File\Uploader::getCorrectFileName($file);`
`85`		`- if ($dir->isFile($dir->getRelativePath($filePath))) {`
	`85`	`+ if ($dir->isFile($dir->getRelativePath($filePath)) && !preg_match('#.htaccess#', $file)) {`
`86`	`86`	`$this->getStorage()->deleteFile($filePath);`
`87`	`87`	`}`
`88`	`88`	`}`