feat: protect feedback screenshots

2026-04-30 13:15:19 -04:00
parent cb6948aa14
commit 4873f39192
24 changed files with 1900 additions and 0 deletions
--- a/backend/tests/Socialize.Tests/Feedback/FeedbackRulesTests.cs
+++ b/backend/tests/Socialize.Tests/Feedback/FeedbackRulesTests.cs
@@ -105,6 +105,79 @@ public class FeedbackRulesTests
        Assert.False(otherUserAllowed);
    }

+    [Fact]
+    public void CanAccessScreenshot_allows_report_owner()
+    {
+        Guid reporterUserId = Guid.NewGuid();
+        FeedbackReport report = new() { ReporterUserId = reporterUserId };
+
+        bool allowed = FeedbackAccessRules.CanAccessScreenshot(report, reporterUserId, isDeveloper: false);
+
+        Assert.True(allowed);
+    }
+
+    [Fact]
+    public void CanAccessScreenshot_allows_developer()
+    {
+        FeedbackReport report = new() { ReporterUserId = Guid.NewGuid() };
+
+        bool allowed = FeedbackAccessRules.CanAccessScreenshot(report, Guid.NewGuid(), isDeveloper: true);
+
+        Assert.True(allowed);
+    }
+
+    [Fact]
+    public void CanAccessScreenshot_rejects_unrelated_non_developer()
+    {
+        FeedbackReport report = new() { ReporterUserId = Guid.NewGuid() };
+
+        bool allowed = FeedbackAccessRules.CanAccessScreenshot(report, Guid.NewGuid(), isDeveloper: false);
+
+        Assert.False(allowed);
+    }
+
+    [Theory]
+    [InlineData("image/png")]
+    [InlineData("image/jpeg")]
+    [InlineData("image/jpg")]
+    public void Screenshot_content_type_allows_png_and_jpeg(string contentType)
+    {
+        bool allowed = FeedbackScreenshotRules.IsAllowedContentType(contentType);
+
+        Assert.True(allowed);
+    }
+
+    [Theory]
+    [InlineData("text/html")]
+    [InlineData("application/pdf")]
+    [InlineData("")]
+    public void Screenshot_content_type_rejects_non_images(string contentType)
+    {
+        bool allowed = FeedbackScreenshotRules.IsAllowedContentType(contentType);
+
+        Assert.False(allowed);
+    }
+
+    [Theory]
+    [InlineData(1)]
+    [InlineData(FeedbackScreenshotRules.MaxScreenshotBytes)]
+    public void Screenshot_size_allows_non_empty_files_up_to_limit(long sizeBytes)
+    {
+        bool allowed = FeedbackScreenshotRules.IsAllowedSize(sizeBytes);
+
+        Assert.True(allowed);
+    }
+
+    [Theory]
+    [InlineData(0)]
+    [InlineData(FeedbackScreenshotRules.MaxScreenshotBytes + 1)]
+    public void Screenshot_size_rejects_empty_and_oversized_files(long sizeBytes)
+    {
+        bool allowed = FeedbackScreenshotRules.IsAllowedSize(sizeBytes);
+
+        Assert.False(allowed);
+    }
+
    [Fact]
    public void NormalizeTags_trims_deduplicates_and_orders()
    {