ddidderr/upl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: reject duplicate completed upload names

Browse Source 
A user could select another local file with the same name as one that already
exists in completed storage. The upload would be allowed to start and only hit
an existing-file conflict late in the flow, which made the UI look like the
file was uploadable.

Reject duplicate sanitized names during upload creation so no staging record or
chunk transfer starts for a file that cannot be completed. Keep the completion
path non-replacing as a second guard by promoting through a no-overwrite file
creation path, with a hard-link fast path and copy fallback for custom temp
locations.

The browser now treats the server's duplicate-name conflict as a terminal row:
it disables the action, marks the item visually, and tells the user to rename
the file if they want to upload that copy.

Test Plan:
- just check

Refs: none
This commit is contained in:
ddidderr
2026-05-30 18:42:55 +02:00
parent 1923ff2a6f
commit 60663a461c
7 changed files with 184 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
TESTS.md
+5 -1
View File
@@ -13,17 +13,21 @@ Keep this file as the reusable verification checklist while implementing
- `POST /api/uploads` creates `meta.json`, a temp upload file, and a
completion-marker directory.
- `POST /api/uploads` rejects an empty file name.
- `POST /api/uploads` rejects a name that already exists in completed
storage before staging begins.
- `PUT /api/uploads/:id/chunks/:index` writes validated chunks into the
temp upload file and records completion markers.
- `PUT /api/uploads/:id/chunks/:index` rejects wrong-size chunks.
- `PUT /api/uploads/:id/chunks/:index` rejects out-of-range indexes.
- `PUT /api/uploads/:id/chunks/:index` accepts duplicate chunks.
- `GET /api/uploads/:id` reports completed chunks from disk markers.
- `POST /api/uploads/:id/complete` renames the verified temp upload file
- `POST /api/uploads/:id/complete` promotes the verified temp upload file
and removes staging data.
- Parallel upload requests for separate files complete without crossing
bytes between temp upload files.
- `POST /api/uploads/:id/complete` rejects incomplete uploads.
- `POST /api/uploads/:id/complete` refuses to replace a completed file that
appears after the upload was created.
- `POST /api/uploads/:id/complete` rejects tampered temp upload files.
- `static/app.js` passes `node --check`.
- `just nginx-smoke`