Restrict StreamFileProvider paths to only used directories #6183

Merged
VelikovPetar merged 1 commit into develop from
feature/AND-1091_restrict_stream_filepaths
Feb 24, 2026


@VelikovPetar VelikovPetar commented Feb 24, 2026

Goal

stream_filepaths.xml registered 6 path entries for StreamFileProvider, but only 2 were actually used by the SDK. The unused entries unnecessarily expanded the FileProvider's URI surface area, including <external-path> which mapped to the raw external storage root (Environment.getExternalStorageDirectory()) — the broadest possible grant.

Implementation

  • Removed 4 unused entries: <files-path>, <external-path>, <external-cache-path>, <external-media-path>
  • Tightened <external-files-path> from path="." (entire app-specific external dir) to two scoped entries — Pictures/ and Movies/ — which are the only subdirectories StreamFileManager actually writes to for camera capture

The two remaining entries:

  • <cache-path path="."> — used by audio recording, bitmap sharing, attachment downloads, and the camera fallback path
  • <external-files-path path="Pictures/"> and <external-files-path path="Movies/"> — used exclusively by camera capture (StreamFileManager.createPhotoInExternalDir / createVideoInExternalDir)

🎨 UI Changes

No UI changes.

Testing

Camera photo and video capture should continue to work. All other file sharing (attachments, audio recordings, bitmaps) should be unaffected as they all use cacheDir.

Summary by CodeRabbit

  • Refactor
    • Streamlined file storage path handling to optimize access to pictures and movies directories.
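
The tightening described in this PR can be checked mechanically. The following is an added example, not code from the PR or the SDK: a small audit of a FileProvider `<paths>` resource that flags storage-root and whole-directory grants. The two XML samples are constructed from the PR description; entry names other than `external_files`, `external_pictures` and `external_movies`, and the `path` values of the removed entries, are assumptions.

```python
import xml.etree.ElementTree as ET

# Element types that map to shared storage roots rather than app-specific dirs.
BROAD_TAGS = {"root-path", "external-path"}

def audit_paths(xml_text):
    """Return (severity, tag, name) for each entry that grants more than a subdirectory."""
    findings = []
    for el in ET.fromstring(xml_text):
        path = (el.get("path") or "").strip()
        if el.tag in BROAD_TAGS:
            findings.append(("high", el.tag, el.get("name")))
        elif path in ("", ".", "./", "/"):
            findings.append(("review", el.tag, el.get("name")))
    return findings

def removed_surface(before_xml, after_xml):
    """(tag, path) grants present before the change and absent after it."""
    def grants(xml_text):
        return {(el.tag, el.get("path")) for el in ET.fromstring(xml_text)}
    return sorted(grants(before_xml) - grants(after_xml))

# Constructed samples modelled on the PR description (names/paths partly assumed).
BEFORE = """<paths>
  <files-path name="files" path="." />
  <cache-path name="cache" path="." />
  <external-path name="external" path="." />
  <external-files-path name="external_files" path="." />
  <external-cache-path name="external_cache" path="." />
  <external-media-path name="external_media" path="." />
</paths>"""

AFTER = """<paths>
  <cache-path name="cache" path="." />
  <external-files-path name="external_pictures" path="Pictures/" />
  <external-files-path name="external_movies" path="Movies/" />
</paths>"""

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        for finding in audit_paths(doc):
            print(label, *finding)
    print("removed:", removed_surface(BEFORE, AFTER))
```

On the "after" sample the only remaining finding is the `<cache-path path=".">` entry, which the description keeps deliberately because several features share `cacheDir`.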

@VelikovPetar VelikovPetar added the pr:internal Internal changes / housekeeping label Feb 24, 2026

github-actions bot commented Feb 24, 2026

PR checklist ✅

All required conditions are satisfied:

  • Title length is OK (or ignored by label).
  • At least one pr: label exists.
  • Sections ### Goal, ### Implementation, and ### Testing are filled.

🎉 Great job! This PR is ready for review.

@VelikovPetar VelikovPetar added pr:improvement Improvement and removed pr:internal Internal changes / housekeeping labels Feb 24, 2026
@VelikovPetar VelikovPetar marked this pull request as ready for review February 24, 2026 09:16
@VelikovPetar VelikovPetar requested a review from a team as a code owner February 24, 2026 09:16
coderabbitai bot commented Feb 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ab79e25 and 5ed2241.

📒 Files selected for processing (1)
  • stream-chat-android-ui-common/src/main/res/xml/stream_filepaths.xml

Walkthrough

The changes restructure file provider paths in the Android manifest by removing broad external access declarations and replacing them with specific directories. The generic external_files path is renamed to external_pictures targeting the Pictures directory, and a new external_movies path for the Movies directory is added.

Changes

| Cohort / File(s) | Summary |
|---|---|
| File Provider Configuration: stream-chat-android-ui-common/src/main/res/xml/stream_filepaths.xml | Removed broad path access declarations (<files-path>, <external-path>, <external-cache-path>, <external-media-path>). Renamed external_files to external_pictures with path "Pictures/". Added new external_movies path entry pointing to "Movies/" directory. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Our paths grow clearer, more defined,
No broad strokes now, just pictures fine,
And movies tucked where they belong,
The file provider hops along! 🎬📸

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: restricting FileProvider paths to only those actually used by the SDK. |
| Description check | ✅ Passed | The description includes Goal and Implementation sections with clear technical details, but lacks Testing details, UI Changes confirmation, and Contributor/Reviewer Checklists from the template. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@github-actions

SDK Size Comparison 📏

| SDK | Before | After | Difference | Status |
|---|---|---|---|---|
| stream-chat-android-client | 5.26 MB | 5.26 MB | 0.00 MB | 🟢 |
| stream-chat-android-offline | 5.48 MB | 5.48 MB | 0.00 MB | 🟢 |
| stream-chat-android-ui-components | 10.63 MB | 10.63 MB | 0.00 MB | 🟢 |
| stream-chat-android-compose | 12.85 MB | 12.85 MB | 0.00 MB | 🟢 |

@VelikovPetar VelikovPetar merged commit 3b6345c into develop Feb 24, 2026
17 of 19 checks passed
@VelikovPetar VelikovPetar deleted the feature/AND-1091_restrict_stream_filepaths branch February 24, 2026 12:46
@stream-public-bot stream-public-bot added the released Included in a release label Feb 24, 2026
@stream-public-bot

🚀 Available in v6.32.4
