FOUR-21235 | Enforce File Upload Limit When Using Chunked File Upload Component #7838

Open
wants to merge 14 commits into
base: release-2024-fall

@mcraeteisha mcraeteisha commented Dec 17, 2024

Issue

Ticket: FOUR-21235

This PR implements FileSizeCheck middleware to enforce file upload limits for chunked uploads processed by vue-simple-uploader and laravel-chunk-upload. The middleware compares the file size against user-specific limits set in php-memory-limits.ini (local) and 99-processmaker.ini (server).

Solution

  • Implement FileCheckMiddleware in processmaker
  • Handle global implementation of middleware in ProcessMakerServiceProvider.php

How to Test

  1. Go to branch task/FOUR-21235 in processmaker.
  2. Open your local php-memory-limits.ini file and note the value of upload_max_filesize. If testing on the server, the upload_max_filesize value is 24M.
  3. Attempt to hit any of the following routes with a file size that exceeds your upload_max_filesize:
    • Create a Screen with a File Upload component → Add the Screen to a Process Task → Run the Process → Upload a File
      • https://processmaker.test/api/1.0/requests/{request}/files
    • Import a Process
      • https://processmaker.test/api/1.0/processes/import/validation
    • Import a Project
      • https://processmaker.test/api/1.0/projects/import/validation
    • Import a PM Block
      • https://processmaker.test/api/1.0/pm-blocks/import/validation
    • Import a Collection
      • https://processmaker.test/collections/import-chunked
    • Import a Screen
      • https://processmaker.test/api/1.0/screens/import
    • Import a Decision Table
      • https://processmaker.test/designer/decision-tables/import-chunked
    • Go to Admin → File Manager → Public Files → Upload a Public File
      • https://processmaker.test/api/1.0/file-manager
  • If you don't have a file that exceeds the upload_max_filesize, such as a really large Collection or Screen, you can test to ensure that no errors are thrown when hitting these endpoints. But for the File Upload control in a Screen and the Public File upload, you should be able to upload any type of large file to test the functionality of the middleware.

ci:package-collections:task/FOUR-21235

Code Review Checklist

  • I have pulled this code locally and tested it on my instance, along with any associated packages.
  • This code adheres to ProcessMaker Coding Guidelines.
  • This code includes a unit test or an E2E test that tests its functionality, or is covered by an existing test.
  • This solution fixes the bug reported in the original ticket.
  • This solution does not alter the expected output of a component in a way that would break existing Processes.
  • This solution does not implement any breaking changes that would invalidate documentation or cause existing Processes to fail.
  • This solution has been tested with enterprise packages that rely on its functionality and does not introduce bugs in those packages.
  • This code does not duplicate functionality that already exists in the framework or in ProcessMaker.
  • This ticket conforms to the PRD associated with this part of ProcessMaker.
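PHP applies upload_max_filesize to each request, so every chunk of a chunked upload can pass that check even when the assembled file is over the limit. The sketch below is an added example, not the PR's FileSizeCheck code: it shows one way to enforce the limit across chunks. The function names are hypothetical, `totalSize` is assumed to be the field the uploader sends (the simple-uploader.js default), and `$bytesStored` is assumed to come from the server's own record of the partial upload.

```php
<?php
declare(strict_types=1);

// Convert PHP ini shorthand ("24M", "512K", "2G", "1048576") to bytes.
function iniSizeToBytes(string $value): int
{
    if (!preg_match('/^\s*(\d+)\s*([KMG]?)\s*$/i', $value, $m)) {
        throw new InvalidArgumentException("Unparseable ini size: {$value}");
    }
    $shift = ['' => 0, 'K' => 10, 'M' => 20, 'G' => 30][strtoupper($m[2])];
    return (int) $m[1] << $shift;
}

/**
 * Decide whether one chunk may be accepted. Returns null or a rejection reason.
 * $fields      form fields sent with the chunk (client-controlled, untrusted)
 * $bytesStored bytes already saved for this upload, measured on the server
 * $chunkBytes  size of the chunk PHP actually received in this request
 */
function checkChunk(array $fields, int $bytesStored, int $chunkBytes, string $iniLimit): ?string
{
    $limit = iniSizeToBytes($iniLimit);
    $declared = (string) ($fields['totalSize'] ?? '');
    if (!ctype_digit($declared)) {
        return 'missing or non-numeric totalSize';
    }
    // Whole-file size declared by the client: lets an oversized upload be
    // refused on its first chunk instead of after everything was stored.
    if ((int) $declared > $limit) {
        return "declared total {$declared} exceeds limit {$limit}";
    }
    // Server-side count: catches a client that under-reports totalSize.
    if ($bytesStored + $chunkBytes > $limit) {
        return "stored bytes would exceed limit {$limit}";
    }
    return null;
}

// Constructed sample requests, checked against the 24M server value.
$mib = 1 << 20;
$cases = [
    'small file'     => [['totalSize' => 5 * $mib], 0, $mib],
    'large declared' => [['totalSize' => 30 * $mib], 0, $mib],
    'under-reported' => [['totalSize' => 5 * $mib], 24 * $mib, $mib],
    'no totalSize'   => [[], 0, $mib],
];
foreach ($cases as $name => [$fields, $stored, $bytes]) {
    echo $name, ': ', checkChunk($fields, $stored, $bytes, '24M') ?? 'allowed', PHP_EOL;
}
```

Only the first case prints `allowed`; the other three are rejected for the declared size, the server-side byte count, and the missing field respectively.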

eiresendez

This comment was marked as resolved.

@eiresendez eiresendez self-requested a review December 18, 2024 16:34
@eiresendez
Contributor

Hi @mcraeteisha, using Route::pushMiddlewareToGroup('api', FileSizeCheck::class) in the ProcessMaker/Providers/ProcessMakerServiceProvider.php@boot method simplifies middleware management across the app. That will add the middleware to the api group globally, and we can eliminate the need to explicitly include it in route definitions within packages.

Example:

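use Illuminate\Support\Facades\Route;
use ProcessMaker\Http\Middleware\FileSizeCheck;

class ProcessMakerServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        parent::boot();
        // Append FileSizeCheck to the 'api' middleware group so it runs for every route in that group.
        Route::pushMiddlewareToGroup('api', FileSizeCheck::class);
        // ... rest of boot() unchanged
    }
}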

Do you think that would be useful? Or would it be better to apply it only to the selected packages?

Let’s keep the current approach! Applying the middleware manually only where it’s needed and in the specific packages that require it. No global changes needed 👍

mcraeteisha and others added 8 commits December 18, 2024 15:39
- Registered middleware globally in App\Http\Kernel.
…olve unused parameter warnings

- Updated FileSizeCheck middleware to use the `terminate` method for global header addition.
- Ensured compatibility with Response, JsonResponse, and StreamedResponse.
- Removed unused `$request` parameter from the `terminate` method to resolve SonarLint/Intelephense warnings.
- Mocked getMaxFileSize method in FileSizeCheck middleware for dynamic size limits.
- Ensured middleware mock is correctly registered in the application container.
- Updated tests to validate dynamic file size limits without relying on ini_set.
- Added assertions to handle different configurations in local and deploy environments.
- Updated `isTemporaryTestFile` method to skip validation only for files in `/private/var/folders/` that are not of type `Illuminate\Http\Testing\File`.
- Added a safeguard to ensure the check runs only in the `testing` environment.

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube
