mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 12:05:37 +00:00
[ss-2016-002] Ensure Gridfield actions respect CSRF
This commit is contained in:
Damian Mooyman
parent
5d2fc0d7ca
commit
013524af50
@ -832,6 +832,18 @@ class GridField extends FormField {
|
||||
*/
|
||||
public function gridFieldAlterAction($data, $form, SS_HTTPRequest $request) {
|
||||
$data = $request->requestVars();
|
||||
|
||||
// Protection against CSRF attacks
|
||||
$token = $this
|
||||
->getForm()
|
||||
->getSecurityToken();
|
||||
if(!$token->checkRequest($request)) {
|
||||
$this->httpError(400, _t("Form.CSRF_FAILED_MESSAGE",
|
||||
"There seems to have been a technical problem. Please click the back button, ".
|
||||
"refresh your browser, and try again."
|
||||
));
|
||||
}
|
||||
|
||||
$name = $this->getName();
|
||||
|
||||
$fieldData = null;
|
||||
|
||||
@ -4,19 +4,19 @@ class GridFieldDeleteActionTest extends SapphireTest {
|
||||
|
||||
/** @var ArrayList */
|
||||
protected $list;
|
||||
|
||||
|
||||
/** @var GridField */
|
||||
protected $gridField;
|
||||
|
||||
|
||||
/** @var Form */
|
||||
protected $form;
|
||||
|
||||
|
||||
/** @var string */
|
||||
protected static $fixture_file = 'GridFieldActionTest.yml';
|
||||
|
||||
/** @var array */
|
||||
protected $extraDataObjects = array('GridFieldAction_Delete_Team', 'GridFieldAction_Edit_Team');
|
||||
|
||||
|
||||
public function setUp() {
|
||||
parent::setUp();
|
||||
$this->list = new DataList('GridFieldAction_Delete_Team');
|
||||
@ -24,7 +24,7 @@ class GridFieldDeleteActionTest extends SapphireTest {
|
||||
$this->gridField = new GridField('testfield', 'testfield', $this->list, $config);
|
||||
$this->form = new Form(new Controller(), 'mockform', new FieldList(array($this->gridField)), new FieldList());
|
||||
}
|
||||
|
||||
|
||||
public function testDontShowDeleteButtons() {
|
||||
if(Member::currentUser()) { Member::currentUser()->logOut(); }
|
||||
$content = new CSSContentParser($this->gridField->FieldHolder());
|
||||
@ -34,56 +34,126 @@ class GridFieldDeleteActionTest extends SapphireTest {
|
||||
$this->assertEquals(0, count($content->getBySelector('.gridfield-button-delete')),
|
||||
'Delete buttons should not show when not logged in.');
|
||||
}
|
||||
|
||||
|
||||
public function testShowDeleteButtonsWithAdminPermission() {
|
||||
$this->logInWithPermission('ADMIN');
|
||||
$content = new CSSContentParser($this->gridField->FieldHolder());
|
||||
$deleteButtons = $content->getBySelector('.gridfield-button-delete');
|
||||
$this->assertEquals(3, count($deleteButtons), 'Delete buttons should show when logged in.');
|
||||
}
|
||||
|
||||
|
||||
public function testActionsRequireCSRF() {
|
||||
$this->logInWithPermission('ADMIN');
|
||||
$this->setExpectedException(
|
||||
'SS_HTTPResponse_Exception',
|
||||
_t("Form.CSRF_FAILED_MESSAGE",
|
||||
"There seems to have been a technical problem. Please click the back button, ".
|
||||
"refresh your browser, and try again."
|
||||
),
|
||||
400
|
||||
);
|
||||
$stateID = 'testGridStateActionField';
|
||||
$request = new SS_HTTPRequest(
|
||||
'POST',
|
||||
'url',
|
||||
array(),
|
||||
array(
|
||||
'action_gridFieldAlterAction?StateID='.$stateID,
|
||||
'SecurityID' => null,
|
||||
)
|
||||
);
|
||||
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
|
||||
}
|
||||
|
||||
public function testDeleteActionWithoutCorrectPermission() {
|
||||
if(Member::currentUser()) { Member::currentUser()->logOut(); }
|
||||
$this->setExpectedException('ValidationException');
|
||||
|
||||
|
||||
$stateID = 'testGridStateActionField';
|
||||
Session::set($stateID, array('grid'=>'', 'actionName'=>'deleterecord',
|
||||
'args'=>array('RecordID'=>$this->idFromFixture('GridFieldAction_Delete_Team', 'team1'))));
|
||||
$request = new SS_HTTPRequest('POST', 'url', array(),
|
||||
array('action_gridFieldAlterAction?StateID='.$stateID=>true));
|
||||
Session::set(
|
||||
$stateID,
|
||||
array(
|
||||
'grid' => '',
|
||||
'actionName' => 'deleterecord',
|
||||
'args' => array(
|
||||
'RecordID' => $this->idFromFixture('GridFieldAction_Delete_Team', 'team1')
|
||||
)
|
||||
)
|
||||
);
|
||||
$token = SecurityToken::inst();
|
||||
$request = new SS_HTTPRequest(
|
||||
'POST',
|
||||
'url',
|
||||
array(),
|
||||
array(
|
||||
'action_gridFieldAlterAction?StateID='.$stateID => true,
|
||||
$token->getName() => $token->getValue(),
|
||||
)
|
||||
);
|
||||
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
|
||||
$this->assertEquals(3, $this->list->count(),
|
||||
'User should\'t be able to delete records without correct permissions.');
|
||||
}
|
||||
|
||||
|
||||
public function testDeleteActionWithAdminPermission() {
|
||||
$this->logInWithPermission('ADMIN');
|
||||
$stateID = 'testGridStateActionField';
|
||||
Session::set($stateID, array('grid'=>'', 'actionName'=>'deleterecord',
|
||||
'args'=>array('RecordID'=>$this->idFromFixture('GridFieldAction_Delete_Team', 'team1'))));
|
||||
$request = new SS_HTTPRequest('POST', 'url', array(),
|
||||
array('action_gridFieldAlterAction?StateID='.$stateID=>true));
|
||||
Session::set(
|
||||
$stateID,
|
||||
array(
|
||||
'grid'=>'',
|
||||
'actionName'=>'deleterecord',
|
||||
'args' => array(
|
||||
'RecordID' => $this->idFromFixture('GridFieldAction_Delete_Team', 'team1')
|
||||
)
|
||||
)
|
||||
);
|
||||
$token = SecurityToken::inst();
|
||||
$request = new SS_HTTPRequest(
|
||||
'POST',
|
||||
'url',
|
||||
array(),
|
||||
array(
|
||||
'action_gridFieldAlterAction?StateID='.$stateID=>true,
|
||||
$token->getName() => $token->getValue(),
|
||||
)
|
||||
);
|
||||
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
|
||||
$this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.');
|
||||
}
|
||||
|
||||
|
||||
public function testDeleteActionRemoveRelation() {
|
||||
$this->logInWithPermission('ADMIN');
|
||||
|
||||
|
||||
$config = GridFieldConfig::create()->addComponent(new GridFieldDeleteAction(true));
|
||||
|
||||
|
||||
$gridField = new GridField('testfield', 'testfield', $this->list, $config);
|
||||
$form = new Form(new Controller(), 'mockform', new FieldList(array($this->gridField)), new FieldList());
|
||||
|
||||
|
||||
$stateID = 'testGridStateActionField';
|
||||
Session::set($stateID, array('grid'=>'', 'actionName'=>'deleterecord',
|
||||
'args'=>array('RecordID'=>$this->idFromFixture('GridFieldAction_Delete_Team', 'team1'))));
|
||||
$request = new SS_HTTPRequest('POST', 'url', array(),
|
||||
array('action_gridFieldAlterAction?StateID='.$stateID=>true));
|
||||
|
||||
Session::set(
|
||||
$stateID,
|
||||
array(
|
||||
'grid'=>'',
|
||||
'actionName'=>'deleterecord',
|
||||
'args' => array(
|
||||
'RecordID' => $this->idFromFixture('GridFieldAction_Delete_Team', 'team1')
|
||||
)
|
||||
)
|
||||
);
|
||||
$token = SecurityToken::inst();
|
||||
$request = new SS_HTTPRequest(
|
||||
'POST',
|
||||
'url',
|
||||
array(),
|
||||
array(
|
||||
'action_gridFieldAlterAction?StateID='.$stateID=>true,
|
||||
$token->getName() => $token->getValue(),
|
||||
)
|
||||
);
|
||||
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
|
||||
$this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.');
|
||||
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@ -92,11 +162,11 @@ class GridFieldAction_Delete_Team extends DataObject implements TestOnly {
|
||||
'Name' => 'Varchar',
|
||||
'City' => 'Varchar'
|
||||
);
|
||||
|
||||
|
||||
public function canView($member = null) {
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
public function canDelete($member = null) {
|
||||
return parent::canDelete($member);
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user