XWIKI-20454: Client side mimetype restriction check does not take into account the right document

- Attachment restrictions are now lazily loaded when the editor document is not the current document

xwiki-platform-core/pom.xml

@@ -157,6 +157,22 @@
                 </item>
               </differences>
             </revapi.differences>
+            <revapi.differences>
+              <criticality>documented</criticality>
+              <justification>New methods on unstable code, allowing to get the mimetype configuration for a given document.</justification>
+              <differences>
+                <item>
+                  <ignore>true</ignore>
+                  <code>java.method.addedToInterface</code>
+                  <new>method java.util.List&lt;java.lang.String&gt; org.xwiki.attachment.validation.AttachmentValidationConfiguration::getAllowedMimetypes(org.xwiki.model.reference.DocumentReference)</new>
+                </item>
+                <item>
+                  <ignore>true</ignore>
+                  <code>java.method.addedToInterface</code>
+                  <new>method java.util.List&lt;java.lang.String&gt; org.xwiki.attachment.validation.AttachmentValidationConfiguration::getBlockerMimetypes(org.xwiki.model.reference.DocumentReference)</new>
+                </item>
+              </differences>
+            </revapi.differences>
           </analysisConfiguration>
         </configuration>
       </plugin>

xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-validation/xwiki-platform-attachment-validation-api/src/main/java/org/xwiki/attachment/validation/AttachmentValidationConfiguration.java

@@ -22,6 +22,7 @@
 import java.util.List;
 
 import org.xwiki.component.annotation.Role;
+import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.stability.Unstable;
 
 /**
@@ -35,14 +36,32 @@
 public interface AttachmentValidationConfiguration
 {
     /**
-     * @return the list of allowed attachment mimetypes. A joker (@code '*') can be used to match any media (e.g.,
-     *     "image/png", "text/*")
+     * @return the list of allowed attachment mimetypes of the current document. A joker (@code '*') can be used to
+     *     match any media (e.g., "image/png", "text/*")
      */
     List<String> getAllowedMimetypes();
 
     /**
-     * @return the list of blocker attachment mimetype. A joker (@code '*') can be used to match any media (e.g.,
-     *     "image/png", "text/*")
+     * @param documentReference the reference of a document
+     * @return the list of allowed attachment mimetypes of the provided document. A joker (@code '*') can be used to
+     *     match any media (e.g., * "image/png", "text/*")
+     * @since 14.10.2
+     * @since 15.0RC1
+     */
+    List<String> getAllowedMimetypes(DocumentReference documentReference);
+
+    /**
+     * @return the list of blocker attachment mimetype of the current document. A joker (@code '*') can be used to match
+     *     any media (e.g., "image/png", "text/*")
      */
     List<String> getBlockerMimetypes();
+
+    /**
+     * @param documentReference the reference of a document
+     * @return the list of blocker attachment mimetypes of the provided document. A joker (@code '*') can be used to
+     *     match any media (e.g., * "image/png", "text/*")
+     * @since 14.10.2
+     * @since 15.0RC1
+     */
+    List<String> getBlockerMimetypes(DocumentReference documentReference);
 }

xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-validation/xwiki-platform-attachment-validation-api/src/main/java/org/xwiki/attachment/validation/AttachmentValidationScriptService.java

@@ -31,6 +31,7 @@
 import org.xwiki.component.annotation.Component;
 import org.xwiki.component.manager.ComponentLookupException;
 import org.xwiki.component.manager.ComponentManager;
+import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.script.service.ScriptService;
 import org.xwiki.stability.Unstable;
 
@@ -54,8 +55,8 @@ public class AttachmentValidationScriptService implements ScriptService
     private Logger logger;
 
     /**
-     * @return the list of allowed attachment mimetypes. A joker (@code '*') can be used to match any media (e.g.,
-     *     "image/png", "text/*")
+     * @return the list of allowed attachment mimetypes of the current document. A joker (@code '*') can be used to
+     *     match any media (e.g., "image/png", "text/*")
      */
     public List<String> getAllowedMimetypes()
     {
@@ -65,8 +66,23 @@ public List<String> getAllowedMimetypes()
     }
 
     /**
-     * @return the list of blocker attachment mimetype. A joker (@code '*') can be used to match any media (e.g.,
-     *     "image/png", "text/*")
+     * @param documentReference the reference of a document
+     * @return the list of allowed attachment mimetypes of the provided document. A joker (@code '*') can be used to
+     *     match any media (e.g., "image/png", "text/*")
+     * @since 14.10.2
+     * @since 15.0RC1
+     */
+    public List<String> getAllowedMimetypes(DocumentReference documentReference)
+    {
+        return getAttachmentValidationConfiguration()
+            .map(attachmentValidationConfiguration -> attachmentValidationConfiguration.getAllowedMimetypes(
+                documentReference))
+            .orElse(List.of());
+    }
+
+    /**
+     * @return the list of blocker attachment mimetype of the current document. A joker (@code '*') can be used to match
+     *     any media (e.g., "image/png", "text/*")
      */
     public List<String> getBlockerMimetypes()
     {
@@ -75,6 +91,21 @@ public List<String> getBlockerMimetypes()
             .orElse(List.of());
     }
 
+    /**
+     * @param documentReference the reference of a document
+     * @return the list of blocker attachment mimetypes of the provided document. A joker (@code '*') can be used to
+     *     match any media (e.g., "image/png", "text/*")
+     * @since 14.10.2
+     * @since 15.0RC1
+     */
+    public List<String> getBlockerMimetypes(DocumentReference documentReference)
+    {
+        return getAttachmentValidationConfiguration()
+            .map(attachmentValidationConfiguration -> attachmentValidationConfiguration.getBlockerMimetypes(
+                documentReference))
+            .orElse(List.of());
+    }
+
     private Optional<AttachmentValidationConfiguration> getAttachmentValidationConfiguration()
     {
         try {

xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-validation/xwiki-platform-attachment-validation-default/src/main/java/org/xwiki/attachment/validation/internal/DefaultAttachmentValidationConfiguration.java

@@ -21,15 +21,24 @@
 
 import java.util.List;
 import java.util.Optional;
+import java.util.function.Supplier;
 
 import javax.inject.Inject;
 import javax.inject.Named;
+import javax.inject.Provider;
 import javax.inject.Singleton;
 
+import org.slf4j.Logger;
 import org.xwiki.attachment.validation.AttachmentValidationConfiguration;
 import org.xwiki.component.annotation.Component;
 import org.xwiki.configuration.ConfigurationSource;
+import org.xwiki.model.reference.DocumentReference;
 
+import com.xpn.xwiki.XWikiContext;
+import com.xpn.xwiki.XWikiException;
+import com.xpn.xwiki.doc.XWikiDocument;
+
+import static org.apache.commons.lang3.exception.ExceptionUtils.getRootCauseMessage;
 import static org.xwiki.attachment.validation.internal.AttachmentMimetypeRestrictionClassDocumentInitializer.ALLOWED_MIMETYPES_FIELD;
 import static org.xwiki.attachment.validation.internal.AttachmentMimetypeRestrictionClassDocumentInitializer.BLOCKED_MIMETYPES_FIELD;
 
@@ -64,18 +73,36 @@ public class DefaultAttachmentValidationConfiguration implements AttachmentValid
     @Named("xwikiproperties")
     private ConfigurationSource xWikiPropertiesConfigurationSource;
 
+    @Inject
+    private Provider<XWikiContext> contextProvider;
+
+    @Inject
+    private Logger logger;
+
     @Override
     public List<String> getAllowedMimetypes()
     {
         return getPropertyWithFallback(ALLOWED_MIMETYPES_FIELD, ATTACHMENT_MIMETYPE_ALLOW_LIST_PROPERTY);
     }
 
+    @Override
+    public List<String> getAllowedMimetypes(DocumentReference documentReference)
+    {
+        return wrapWithScope(documentReference, this::getAllowedMimetypes);
+    }
+
     @Override
     public List<String> getBlockerMimetypes()
     {
         return getPropertyWithFallback(BLOCKED_MIMETYPES_FIELD, ATTACHMENT_MIMETYPE_BLOCK_LIST_PROPERTY);
     }
 
+    @Override
+    public List<String> getBlockerMimetypes(DocumentReference documentReference)
+    {
+        return wrapWithScope(documentReference, this::getBlockerMimetypes);
+    }
+
     private List<String> getPropertyWithFallback(String attachmentXObjectProperty, String xWikiPropertiesProperty)
     {
         return get(this.attachmentConfigurationSource, attachmentXObjectProperty)
@@ -99,4 +126,19 @@ private Optional<List<String>> get(ConfigurationSource attachmentConfigurationSo
         }
         return result;
     }
+
+    private List<String> wrapWithScope(DocumentReference documentReference, Supplier<List<String>> supplier)
+    {
+        XWikiContext xWikiContext = this.contextProvider.get();
+        XWikiDocument oldDoc = xWikiContext.getDoc();
+        try {
+            xWikiContext.setDoc(xWikiContext.getWiki().getDocument(documentReference, xWikiContext));
+            return supplier.get();
+        } catch (XWikiException e) {
+            this.logger.warn("Failed to get document [{}]. Cause: [{}]", documentReference, getRootCauseMessage(e));
+            return List.of();
+        } finally {
+            xWikiContext.setDoc(oldDoc);
+        }
+    }
 }

xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-validation/xwiki-platform-attachment-validation-ui/src/main/resources/XWiki/Attachment/Validation/Code/FileSizeValidation.xml

@@ -36,7 +36,12 @@
   <minorEdit>false</minorEdit>
   <syntaxId>xwiki/2.1</syntaxId>
   <hidden>true</hidden>
-  <content/>
+  <content>{{velocity wiki='false'}}
+#set ($spaceReference = $services.model.resolveDocument($!request.documentReference).extractReference('SPACE'))
+$jsontool.serialize({
+    "maxFileSize": $xwiki.getSpacePreferenceFor('upload_maxsize', $spaceReference)
+})
+{{/velocity}}</content>
   <object>
     <name>XWiki.Attachment.Validation.Code.FileSizeValidation</name>
     <number>0</number>
@@ -146,9 +151,30 @@
     return `${parseFloat((bytes / Math.pow(k, i)).toFixed(2))}${sizes[i]}`
   }
 
+  const configCache = {};
+
   $(document).on('xwiki:actions:beforeUpload', (event, data) =&gt; {
-    const configElement = document.getElementById('attachment-validation-filesize-configuration');
-    const config = JSON.parse(configElement.textContent);
+    let jsonString;
+    if (data.documentReference) {
+      if (!configCache[data.documentReference]) {
+        $.ajax({
+          url: new XWiki.Document(XWiki.Model.resolve('XWiki.Attachment.Validation.Code.FileSizeValidation',
+            XWiki.EntityType.DOCUMENT)).getURL('get', $.param({
+            outputSyntax: 'plain',
+            documentReference: data.documentReference
+          })),
+          async: false,
+          method: 'GET',
+          success: function (getData) {
+            configCache[data.documentReference] = getData;
+          }
+        })
+      }
+      jsonString = configCache[data.documentReference];
+    } else {
+      jsonString = document.getElementById('attachment-validation-filesize-configuration').textContent;
+    }
+    const config = JSON.parse(jsonString);
     const maxFileSize = config.maxFileSize;
     const tooLarge = data.file.size &gt; maxFileSize;
     if (tooLarge) {

xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-validation/xwiki-platform-attachment-validation-ui/src/main/resources/XWiki/Attachment/Validation/Code/MimetypeValidation.xml

@@ -36,7 +36,12 @@
   <minorEdit>false</minorEdit>
   <syntaxId>xwiki/2.1</syntaxId>
   <hidden>true</hidden>
-  <content/>
+  <content>{{velocity wiki='false'}}
+$jsontool.serialize({
+  "allowedMimetypes": $services.attachmentValidation.getAllowedMimetypes($!request.documentReference),
+  "blockerMimetypes": $services.attachmentValidation.getBlockerMimetypes($!request.documentReference)
+})
+{{/velocity}}</content>
   <object>
     <name>XWiki.Attachment.Validation.Code.MimetypeValidation</name>
     <number>0</number>
@@ -147,9 +152,30 @@
     });
   }
 
+  const configCache = {};
+
   $(document).on('xwiki:actions:beforeUpload', function (event, data) {
-    const configElement = document.getElementById('attachment-validation-mimetypes-configuration');
-    const config = JSON.parse(configElement.textContent);
+    let jsonString;
+    if (data.documentReference) {
+      if (!configCache[data.documentReference]) {
+        $.ajax({
+          url: new XWiki.Document(XWiki.Model.resolve('XWiki.Attachment.Validation.Code.MimetypeValidation',
+            XWiki.EntityType.DOCUMENT)).getURL('get', $.param({
+            outputSyntax: 'plain',
+            documentReference: data.documentReference
+          })),
+          async: false,
+          method: 'GET',
+          success: function (getData) {
+            configCache[data.documentReference] = getData;
+          }
+        })
+      }
+      jsonString = configCache[data.documentReference];
+    } else {
+      jsonString = document.getElementById('attachment-validation-mimetypes-configuration').textContent;
+    }
+    const config = JSON.parse(jsonString);
     const mimeType = data.file.type.toLowerCase();
     const allowedMimetypes = config.allowedMimetypes;
     const blockerMimetypes = config.blockerMimetypes;

xwiki-platform-core/xwiki-platform-ckeditor/xwiki-platform-ckeditor-plugins/src/main/resources/xwiki-image/imageSelector.js

@@ -233,6 +233,9 @@ define('imageSelector', ['jquery', 'modal', 'resource', 'l10n!imageSelector'],
     return {
       open: createModal,
       updateSelectedImageReferences: updateSelectedImageReferences,
-      createLoader: createLoader
+      createLoader: createLoader,
+      getDocumentReference: function (element) {
+        return getDocumentReference(element.parents('.image-selector-modal').data('input'));
+      }
     };
   });

xwiki-platform-core/xwiki-platform-ckeditor/xwiki-platform-ckeditor-ui/src/main/resources/CKEditor/ImageSelectorServiceUIX/Upload.xml

@@ -145,7 +145,10 @@
         const uploadedFile = element.find("input[type='file']").prop('files')[0];
 
         const beforeUploadEvent = $.Event("xwiki:actions:beforeUpload");
-        $(document).trigger(beforeUploadEvent, {file: uploadedFile});
+        $(document).trigger(beforeUploadEvent, {
+          file: uploadedFile,
+          documentReference: imageSelector.getDocumentReference(element)
+        });
 
         if (!beforeUploadEvent.isDefaultPrevented()) {
           element.addClass('loading');