mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 12:05:37 +00:00
ENHANCEMENT Added SecurityToken to wrap CSRF protection via "SecurityID" request parameter (from r113272)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@113293 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
fd97e80224
commit
9fff91dc08
@ -72,9 +72,13 @@ class FunctionalTest extends SapphireTest {
|
|||||||
if($this->stat('use_draft_site')) {
|
if($this->stat('use_draft_site')) {
|
||||||
$this->useDraftSite();
|
$this->useDraftSite();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
SecurityToken::disable();
|
||||||
}
|
}
|
||||||
|
|
||||||
function tearDown() {
|
function tearDown() {
|
||||||
|
SecurityToken::enable();
|
||||||
|
|
||||||
parent::tearDown();
|
parent::tearDown();
|
||||||
unset($this->mainSession);
|
unset($this->mainSession);
|
||||||
|
|
||||||
|
@ -95,6 +95,11 @@ class Form extends RequestHandler {
|
|||||||
|
|
||||||
protected $security = true;
|
protected $security = true;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var SecurityToken
|
||||||
|
*/
|
||||||
|
protected $securityToken = null;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* HACK This is a temporary hack to allow multiple calls to includeJavascriptValidation on
|
* HACK This is a temporary hack to allow multiple calls to includeJavascriptValidation on
|
||||||
* the validator (if one is present).
|
* the validator (if one is present).
|
||||||
@ -132,7 +137,15 @@ class Form extends RequestHandler {
|
|||||||
// Form error controls
|
// Form error controls
|
||||||
$this->setupFormErrors();
|
$this->setupFormErrors();
|
||||||
|
|
||||||
$this->security = self::$default_security;
|
// Check if CSRF protection is enabled, either on the parent controller or from the default setting. Note that
|
||||||
|
// method_exists() is used as some controllers (e.g. GroupTest) do not always extend from Object.
|
||||||
|
if(method_exists($controller, 'securityTokenEnabled') || (method_exists($controller, 'hasMethod') && $controller->hasMethod('securityTokenEnabled'))) {
|
||||||
|
$securityEnabled = $controller->securityTokenEnabled();
|
||||||
|
} else {
|
||||||
|
$securityEnabled = SecurityToken::is_enabled();
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->securityToken = ($securityEnabled) ? new SecurityToken() : new NullSecurityToken();
|
||||||
}
|
}
|
||||||
|
|
||||||
static $url_handlers = array(
|
static $url_handlers = array(
|
||||||
@ -201,12 +214,9 @@ class Form extends RequestHandler {
|
|||||||
|
|
||||||
|
|
||||||
// Protection against CSRF attacks
|
// Protection against CSRF attacks
|
||||||
if($this->securityTokenEnabled()) {
|
$token = $this->getSecurityToken();
|
||||||
$securityID = Session::get('SecurityID');
|
if(!$token->checkRequest($request)) {
|
||||||
|
return $this->httpError(400, "Security token doesn't match, possible CSRF attack.");
|
||||||
if(!$securityID || !isset($vars['SecurityID']) || $securityID != $vars['SecurityID']) {
|
|
||||||
$this->httpError(400, "SecurityID doesn't match, possible CRSF attack.");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Determine the action button clicked
|
// Determine the action button clicked
|
||||||
@ -356,26 +366,17 @@ class Form extends RequestHandler {
|
|||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Generate extra special fields - namely the SecurityID field
|
* Generate extra special fields - namely the security token field (if required).
|
||||||
*
|
*
|
||||||
* @return FieldSet
|
* @return FieldSet
|
||||||
*/
|
*/
|
||||||
public function getExtraFields() {
|
public function getExtraFields() {
|
||||||
$extraFields = new FieldSet();
|
$extraFields = new FieldSet();
|
||||||
|
|
||||||
if(!$this->fields->fieldByName('SecurityID') && $this->securityTokenEnabled()) {
|
$token = $this->getSecurityToken();
|
||||||
if(Session::get('SecurityID')) {
|
$tokenField = $token->updateFieldSet($this->fields);
|
||||||
$securityID = Session::get('SecurityID');
|
if($tokenField) $tokenField->setForm($this);
|
||||||
} else {
|
|
||||||
$securityID = rand();
|
|
||||||
Session::set('SecurityID', $securityID);
|
|
||||||
}
|
|
||||||
|
|
||||||
$securityField = new HiddenField('SecurityID', '', $securityID);
|
|
||||||
$securityField->setForm($this);
|
|
||||||
$extraFields->push($securityField);
|
|
||||||
$this->securityTokenAdded = true;
|
$this->securityTokenAdded = true;
|
||||||
}
|
|
||||||
|
|
||||||
// add the "real" HTTP method if necessary (for PUT, DELETE and HEAD)
|
// add the "real" HTTP method if necessary (for PUT, DELETE and HEAD)
|
||||||
if($this->FormMethod() != $this->FormHttpMethod()) {
|
if($this->FormMethod() != $this->FormHttpMethod()) {
|
||||||
@ -742,7 +743,11 @@ class Form extends RequestHandler {
|
|||||||
* Processing that occurs before a form is executed.
|
* Processing that occurs before a form is executed.
|
||||||
* This includes form validation, if it fails, we redirect back
|
* This includes form validation, if it fails, we redirect back
|
||||||
* to the form with appropriate error messages.
|
* to the form with appropriate error messages.
|
||||||
* Triggered through {@link httpSubmission()} which is triggered
|
* Triggered through {@link httpSubmission()}.
|
||||||
|
* Note that CSRF protection takes place in {@link httpSubmission()},
|
||||||
|
* if it fails the form data will never reach this method.
|
||||||
|
*
|
||||||
|
* @return boolean
|
||||||
* @usedby Form->httpSubmission()
|
* @usedby Form->httpSubmission()
|
||||||
*
|
*
|
||||||
* @todo Replace hardcoded exclude fields like CreditCardNumber with hook to specify sensitive fields in model
|
* @todo Replace hardcoded exclude fields like CreditCardNumber with hook to specify sensitive fields in model
|
||||||
@ -1059,32 +1064,49 @@ class Form extends RequestHandler {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Disable the requirement of a SecurityID in the Form. This security protects
|
* Disable the requirement of a security token in the Form. This security protects
|
||||||
* against CSRF attacks, but you should disable this if you don't want to tie
|
* against CSRF attacks, but you should disable this if you don't want to tie
|
||||||
* a form to a session - eg a search form.
|
* a form to a session - eg a search form.
|
||||||
*/
|
*/
|
||||||
function disableSecurityToken() {
|
function disableSecurityToken() {
|
||||||
$this->security = false;
|
$this->securityToken = new NullSecurityToken();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
private static $default_security = true;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Disable security tokens for every form on this site.
|
* Disable security tokens for every form.
|
||||||
|
* Note that this doesn't apply to {@link SecurityToken}
|
||||||
|
* instances outside of the Form class, nor applies
|
||||||
|
* to existing form instances.
|
||||||
|
*
|
||||||
|
* See {@link enable_all_security_tokens()}.
|
||||||
|
*
|
||||||
|
* @deprecated 2.5 Use SecurityToken::disable()
|
||||||
*/
|
*/
|
||||||
static function disable_all_security_tokens() {
|
static function disable_all_security_tokens() {
|
||||||
self::$default_security = false;
|
SecurityToken::disable();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns true if security is enabled - that is if the SecurityID
|
* Returns true if security is enabled - that is if the security token
|
||||||
* should be included and checked on this form.
|
* should be included and checked on this form.
|
||||||
*
|
*
|
||||||
|
* @deprecated 2.5 Use Form->getSecurityToken()->isEnabled()
|
||||||
|
*
|
||||||
* @return bool
|
* @return bool
|
||||||
*/
|
*/
|
||||||
function securityTokenEnabled() {
|
function securityTokenEnabled() {
|
||||||
return $this->security;
|
return $this->securityToken->isEnabled();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the security token for this form (if any exists).
|
||||||
|
* Doesn't check for {@link securityTokenEnabled()}.
|
||||||
|
* Use {@link SecurityToken::inst()} to get a global token.
|
||||||
|
*
|
||||||
|
* @return SecurityToken|null
|
||||||
|
*/
|
||||||
|
function getSecurityToken() {
|
||||||
|
return $this->securityToken;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
273
security/SecurityToken.php
Normal file
273
security/SecurityToken.php
Normal file
@ -0,0 +1,273 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* @package sapphire
|
||||||
|
* @subpackage security
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Cross Site Request Forgery (CSRF) protection for the {@link Form} class and other GET links.
|
||||||
|
* Can be used globally (through {@link SecurityToken::inst()})
|
||||||
|
* or on a form-by-form basis {@link Form->getSecurityToken()}.
|
||||||
|
*
|
||||||
|
* <b>Usage in forms</b>
|
||||||
|
*
|
||||||
|
* This protective measure is automatically turned on for all new {@link Form} instances,
|
||||||
|
* and can be globally disabled through {@link disable()}.
|
||||||
|
*
|
||||||
|
* <b>Usage in custom controller actions</b>
|
||||||
|
*
|
||||||
|
* <code>
|
||||||
|
* class MyController extends Controller {
|
||||||
|
* function mygetaction($request) {
|
||||||
|
* if(!SecurityToken::inst()->checkRequest($request)) return $this->httpError(400);
|
||||||
|
*
|
||||||
|
* // valid action logic ...
|
||||||
|
* }
|
||||||
|
* }
|
||||||
|
* </code>
|
||||||
|
*
|
||||||
|
* @todo Make token name form specific for additional forgery protection.
|
||||||
|
*/
|
||||||
|
class SecurityToken extends Object {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var String
|
||||||
|
*/
|
||||||
|
protected static $default_name = 'SecurityID';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var SecurityToken
|
||||||
|
*/
|
||||||
|
protected static $inst = null;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var boolean
|
||||||
|
*/
|
||||||
|
protected static $enabled = true;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var String $name
|
||||||
|
*/
|
||||||
|
protected $name = null;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param $name
|
||||||
|
*/
|
||||||
|
function __construct($name = null) {
|
||||||
|
$this->name = ($name) ? $name : self::get_default_name();
|
||||||
|
// only regenerate if the token isn't already set in the session
|
||||||
|
if(!$this->getValue()) $this->setValue($this->generate());
|
||||||
|
|
||||||
|
parent::__construct();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets a global token (or creates one if it doesnt exist already).
|
||||||
|
*
|
||||||
|
* @return SecurityToken
|
||||||
|
*/
|
||||||
|
static function inst() {
|
||||||
|
if(!self::$inst) self::$inst = new SecurityToken();
|
||||||
|
|
||||||
|
return self::$inst;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Globally disable the token (override with {@link NullSecurityToken})
|
||||||
|
* implementation. Note: Does not apply for
|
||||||
|
*/
|
||||||
|
static function disable() {
|
||||||
|
self::$enabled = false;
|
||||||
|
self::$inst = new NullSecurityToken();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Globally enable tokens that have been previously disabled through {@link disable}.
|
||||||
|
*/
|
||||||
|
static function enable() {
|
||||||
|
self::$enabled = true;
|
||||||
|
self::$inst = new SecurityToken();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
static function is_enabled() {
|
||||||
|
return self::$enabled;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return String
|
||||||
|
*/
|
||||||
|
static function get_default_name() {
|
||||||
|
return self::$default_name;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return String
|
||||||
|
*/
|
||||||
|
function setName($name) {
|
||||||
|
$val = $this->getValue();
|
||||||
|
$this->name = $name;
|
||||||
|
$this->setValue($val);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return String
|
||||||
|
*/
|
||||||
|
function getName() {
|
||||||
|
return $this->name;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return String
|
||||||
|
*/
|
||||||
|
function getValue() {
|
||||||
|
return Session::get($this->getName());
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param String $val
|
||||||
|
*/
|
||||||
|
function setValue($val) {
|
||||||
|
Session::set($this->getName(), $val);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks for an existing CSRF token in the current users session.
|
||||||
|
* This check is automatically performed in {@link Form->httpSubmission()}
|
||||||
|
* if a form has security tokens enabled.
|
||||||
|
* This direct check is mainly used for URL actions on {@link FormField} that are not routed
|
||||||
|
* through {@link Form->httpSubmission()}.
|
||||||
|
*
|
||||||
|
* Typically you'll want to check {@link Form->securityTokenEnabled()} before calling this method.
|
||||||
|
*
|
||||||
|
* @param String $compare
|
||||||
|
* @return Boolean
|
||||||
|
*/
|
||||||
|
function check($compare) {
|
||||||
|
return ($compare && $this->getValue() && $compare == $this->getValue());
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* See {@link check()}.
|
||||||
|
*
|
||||||
|
* @param SS_HTTPRequest $request
|
||||||
|
* @return Boolean
|
||||||
|
*/
|
||||||
|
function checkRequest($request) {
|
||||||
|
return $this->check($request->requestVar($this->getName()));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Note: Doesn't call {@link FormField->setForm()}
|
||||||
|
* on the returned {@link HiddenField}, you'll need to take
|
||||||
|
* care of this yourself.
|
||||||
|
*
|
||||||
|
* @param FieldSet $fieldset
|
||||||
|
* @return HiddenField|false
|
||||||
|
*/
|
||||||
|
function updateFieldSet(&$fieldset) {
|
||||||
|
if(!$fieldset->fieldByName($this->getName())) {
|
||||||
|
$field = new HiddenField($this->getName(), null, $this->getValue());
|
||||||
|
$fieldset->push($field);
|
||||||
|
return $field;
|
||||||
|
} else {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param String $url
|
||||||
|
* @return String
|
||||||
|
*/
|
||||||
|
function addToUrl($url) {
|
||||||
|
return Controller::join_links($url, sprintf('?%s=%s', $this->getName(), $this->getValue()));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* You can't disable an existing instance, it will need to be overwritten like this:
|
||||||
|
* <code>
|
||||||
|
* $old = SecurityToken::inst(); // isEnabled() returns true
|
||||||
|
* SecurityToken::disable();
|
||||||
|
* $new = SecurityToken::inst(); // isEnabled() returns false
|
||||||
|
* </code>
|
||||||
|
*
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
function isEnabled() {
|
||||||
|
return !($this instanceof NullSecurityToken);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return String
|
||||||
|
*/
|
||||||
|
protected function generate() {
|
||||||
|
return rand();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Specialized subclass for disabled security tokens - always returns
|
||||||
|
* TRUE for token checks. Use through {@link SecurityToken::disable()}.
|
||||||
|
*/
|
||||||
|
class NullSecurityToken extends SecurityToken {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param String
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
function check($compare) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param SS_HTTPRequest $request
|
||||||
|
* @return Boolean
|
||||||
|
*/
|
||||||
|
function checkRequest($request) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param FieldSet $fieldset
|
||||||
|
* @return false
|
||||||
|
*/
|
||||||
|
function updateFieldSet(&$fieldset) {
|
||||||
|
// Remove, in case it was added beforehand
|
||||||
|
$fieldset->removeByName($this->getName());
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param String $url
|
||||||
|
* @return String
|
||||||
|
*/
|
||||||
|
function addToUrl($url) {
|
||||||
|
return $url;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return String
|
||||||
|
*/
|
||||||
|
function getValue() {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param String $val
|
||||||
|
*/
|
||||||
|
function setValue($val) {
|
||||||
|
// no-op
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return String
|
||||||
|
*/
|
||||||
|
function generate() {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -7,231 +7,297 @@ class FormTest extends FunctionalTest {
|
|||||||
|
|
||||||
static $fixture_file = 'sapphire/tests/forms/FormTest.yml';
|
static $fixture_file = 'sapphire/tests/forms/FormTest.yml';
|
||||||
|
|
||||||
public function testLoadDataFromRequest() {
|
// public function testLoadDataFromRequest() {
|
||||||
$form = new Form(
|
// $form = new Form(
|
||||||
new Controller(),
|
// new Controller(),
|
||||||
'Form',
|
// 'Form',
|
||||||
new FieldSet(
|
// new FieldSet(
|
||||||
new TextField('key1'),
|
// new TextField('key1'),
|
||||||
new TextField('namespace[key2]'),
|
// new TextField('namespace[key2]'),
|
||||||
new TextField('namespace[key3][key4]'),
|
// new TextField('namespace[key3][key4]'),
|
||||||
new TextField('othernamespace[key5][key6][key7]')
|
// new TextField('othernamespace[key5][key6][key7]')
|
||||||
),
|
// ),
|
||||||
new FieldSet()
|
// new FieldSet()
|
||||||
);
|
// );
|
||||||
|
//
|
||||||
|
// // url would be ?key1=val1&namespace[key2]=val2&namespace[key3][key4]=val4&othernamespace[key5][key6][key7]=val7
|
||||||
|
// $requestData = array(
|
||||||
|
// 'key1' => 'val1',
|
||||||
|
// 'namespace' => array(
|
||||||
|
// 'key2' => 'val2',
|
||||||
|
// 'key3' => array(
|
||||||
|
// 'key4' => 'val4',
|
||||||
|
// )
|
||||||
|
// ),
|
||||||
|
// 'othernamespace' => array(
|
||||||
|
// 'key5' => array(
|
||||||
|
// 'key6' =>array(
|
||||||
|
// 'key7' => 'val7'
|
||||||
|
// )
|
||||||
|
// )
|
||||||
|
// )
|
||||||
|
// );
|
||||||
|
//
|
||||||
|
// $form->loadDataFrom($requestData);
|
||||||
|
//
|
||||||
|
// $fields = $form->Fields();
|
||||||
|
// $this->assertEquals($fields->fieldByName('key1')->Value(), 'val1');
|
||||||
|
// $this->assertEquals($fields->fieldByName('namespace[key2]')->Value(), 'val2');
|
||||||
|
// $this->assertEquals($fields->fieldByName('namespace[key3][key4]')->Value(), 'val4');
|
||||||
|
// $this->assertEquals($fields->fieldByName('othernamespace[key5][key6][key7]')->Value(), 'val7');
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// public function testLoadDataFromUnchangedHandling() {
|
||||||
|
// $form = new Form(
|
||||||
|
// new Controller(),
|
||||||
|
// 'Form',
|
||||||
|
// new FieldSet(
|
||||||
|
// new TextField('key1'),
|
||||||
|
// new TextField('key2')
|
||||||
|
// ),
|
||||||
|
// new FieldSet()
|
||||||
|
// );
|
||||||
|
// $form->loadDataFrom(array(
|
||||||
|
// 'key1' => 'save',
|
||||||
|
// 'key2' => 'dontsave',
|
||||||
|
// 'key2_unchanged' => '1'
|
||||||
|
// ));
|
||||||
|
// $this->assertEquals(
|
||||||
|
// $form->getData(),
|
||||||
|
// array(
|
||||||
|
// 'key1' => 'save',
|
||||||
|
// 'key2' => null,
|
||||||
|
// ),
|
||||||
|
// 'loadDataFrom() doesnt save a field if a matching "<fieldname>_unchanged" flag is set'
|
||||||
|
// );
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// public function testLoadDataFromObject() {
|
||||||
|
// $form = new Form(
|
||||||
|
// new Controller(),
|
||||||
|
// 'Form',
|
||||||
|
// new FieldSet(
|
||||||
|
// new HeaderField('MyPlayerHeader','My Player'),
|
||||||
|
// new TextField('Name'), // appears in both Player and Team
|
||||||
|
// new TextareaField('Biography'),
|
||||||
|
// new DateField('Birthday'),
|
||||||
|
// new NumericField('BirthdayYear') // dynamic property
|
||||||
|
// ),
|
||||||
|
// new FieldSet()
|
||||||
|
// );
|
||||||
|
//
|
||||||
|
// $captainWithDetails = $this->objFromFixture('FormTest_Player', 'captainWithDetails');
|
||||||
|
// $form->loadDataFrom($captainWithDetails);
|
||||||
|
// $this->assertEquals(
|
||||||
|
// $form->getData(),
|
||||||
|
// array(
|
||||||
|
// 'Name' => 'Captain Details',
|
||||||
|
// 'Biography' => 'Bio 1',
|
||||||
|
// 'Birthday' => '1982-01-01',
|
||||||
|
// 'BirthdayYear' => '1982',
|
||||||
|
// ),
|
||||||
|
// 'LoadDataFrom() loads simple fields and dynamic getters'
|
||||||
|
// );
|
||||||
|
//
|
||||||
|
// $captainNoDetails = $this->objFromFixture('FormTest_Player', 'captainNoDetails');
|
||||||
|
// $form->loadDataFrom($captainNoDetails);
|
||||||
|
// $this->assertEquals(
|
||||||
|
// $form->getData(),
|
||||||
|
// array(
|
||||||
|
// 'Name' => 'Captain No Details',
|
||||||
|
// 'Biography' => null,
|
||||||
|
// 'Birthday' => null,
|
||||||
|
// 'BirthdayYear' => 0,
|
||||||
|
// ),
|
||||||
|
// 'LoadNonBlankDataFrom() loads only fields with values, and doesnt overwrite existing values'
|
||||||
|
// );
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// public function testLoadDataFromClearMissingFields() {
|
||||||
|
// $form = new Form(
|
||||||
|
// new Controller(),
|
||||||
|
// 'Form',
|
||||||
|
// new FieldSet(
|
||||||
|
// new HeaderField('MyPlayerHeader','My Player'),
|
||||||
|
// new TextField('Name'), // appears in both Player and Team
|
||||||
|
// new TextareaField('Biography'),
|
||||||
|
// new DateField('Birthday'),
|
||||||
|
// new NumericField('BirthdayYear'), // dynamic property
|
||||||
|
// $unrelatedField = new TextField('UnrelatedFormField')
|
||||||
|
// //new CheckboxSetField('Teams') // relation editing
|
||||||
|
// ),
|
||||||
|
// new FieldSet()
|
||||||
|
// );
|
||||||
|
// $unrelatedField->setValue("random value");
|
||||||
|
//
|
||||||
|
// $captainWithDetails = $this->objFromFixture('FormTest_Player', 'captainWithDetails');
|
||||||
|
// $captainNoDetails = $this->objFromFixture('FormTest_Player', 'captainNoDetails');
|
||||||
|
// $form->loadDataFrom($captainWithDetails);
|
||||||
|
// $this->assertEquals(
|
||||||
|
// $form->getData(),
|
||||||
|
// array(
|
||||||
|
// 'Name' => 'Captain Details',
|
||||||
|
// 'Biography' => 'Bio 1',
|
||||||
|
// 'Birthday' => '1982-01-01',
|
||||||
|
// 'BirthdayYear' => '1982',
|
||||||
|
// 'UnrelatedFormField' => 'random value',
|
||||||
|
// ),
|
||||||
|
// 'LoadDataFrom() doesnt overwrite fields not found in the object'
|
||||||
|
// );
|
||||||
|
//
|
||||||
|
// $captainWithDetails = $this->objFromFixture('FormTest_Player', 'captainNoDetails');
|
||||||
|
// $team2 = $this->objFromFixture('FormTest_Team', 'team2');
|
||||||
|
// $form->loadDataFrom($captainWithDetails);
|
||||||
|
// $form->loadDataFrom($team2, true);
|
||||||
|
// $this->assertEquals(
|
||||||
|
// $form->getData(),
|
||||||
|
// array(
|
||||||
|
// 'Name' => 'Team 2',
|
||||||
|
// 'Biography' => '',
|
||||||
|
// 'Birthday' => '',
|
||||||
|
// 'BirthdayYear' => 0,
|
||||||
|
// 'UnrelatedFormField' => null,
|
||||||
|
// ),
|
||||||
|
// 'LoadDataFrom() overwrites fields not found in the object with $clearMissingFields=true'
|
||||||
|
// );
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// public function testFormMethodOverride() {
|
||||||
|
// $form = $this->getStubForm();
|
||||||
|
// $form->setFormMethod('GET');
|
||||||
|
// $this->assertNull($form->dataFieldByName('_method'));
|
||||||
|
//
|
||||||
|
// $form = $this->getStubForm();
|
||||||
|
// $form->setFormMethod('PUT');
|
||||||
|
// $this->assertEquals($form->dataFieldByName('_method')->Value(), 'put',
|
||||||
|
// 'PUT override in forms has PUT in hiddenfield'
|
||||||
|
// );
|
||||||
|
// $this->assertEquals($form->FormMethod(), 'post',
|
||||||
|
// 'PUT override in forms has POST in <form> tag'
|
||||||
|
// );
|
||||||
|
//
|
||||||
|
// $form = $this->getStubForm();
|
||||||
|
// $form->setFormMethod('DELETE');
|
||||||
|
// $this->assertEquals($form->dataFieldByName('_method')->Value(), 'delete',
|
||||||
|
// 'PUT override in forms has PUT in hiddenfield'
|
||||||
|
// );
|
||||||
|
// $this->assertEquals($form->FormMethod(), 'post',
|
||||||
|
// 'PUT override in forms has POST in <form> tag'
|
||||||
|
// );
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// function testSessionValidationMessage() {
|
||||||
|
// $this->get('FormTest_Controller');
|
||||||
|
//
|
||||||
|
// $response = $this->submitForm(
|
||||||
|
// 'Form_Form',
|
||||||
|
// null,
|
||||||
|
// array(
|
||||||
|
// 'Email' => 'invalid',
|
||||||
|
// // leaving out "Required" field
|
||||||
|
// )
|
||||||
|
// );
|
||||||
|
// $this->assertPartialMatchBySelector(
|
||||||
|
// '#Email span.message',
|
||||||
|
// array(
|
||||||
|
// _t('EmailField.VALIDATION', "Please enter an email address.")
|
||||||
|
// ),
|
||||||
|
// 'Formfield validation shows note on field if invalid'
|
||||||
|
// );
|
||||||
|
// $this->assertPartialMatchBySelector(
|
||||||
|
// '#SomeRequiredField span.required',
|
||||||
|
// array(
|
||||||
|
// sprintf(_t('Form.FIELDISREQUIRED').'.','"SomeRequiredField"')
|
||||||
|
// ),
|
||||||
|
// 'Required fields show a notification on field when left blank'
|
||||||
|
// );
|
||||||
|
//
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// function testSessionSuccessMessage() {
|
||||||
|
// $this->get('FormTest_Controller');
|
||||||
|
//
|
||||||
|
// $response = $this->submitForm(
|
||||||
|
// 'Form_Form',
|
||||||
|
// null,
|
||||||
|
// array(
|
||||||
|
// 'Email' => 'test@test.com',
|
||||||
|
// 'SomeRequiredField' => 'test',
|
||||||
|
// )
|
||||||
|
// );
|
||||||
|
// $this->assertPartialMatchBySelector(
|
||||||
|
// '#Form_Form_error',
|
||||||
|
// array(
|
||||||
|
// 'Test save was successful'
|
||||||
|
// ),
|
||||||
|
// 'Form->sessionMessage() shows up after reloading the form'
|
||||||
|
// );
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// function testGloballyDisabledSecurityTokenInheritsToNewForm() {
|
||||||
|
// SecurityToken::enable();
|
||||||
|
//
|
||||||
|
// $form1 = $this->getStubForm();
|
||||||
|
// $this->assertType('SecurityToken', $form1->getSecurityToken());
|
||||||
|
//
|
||||||
|
// SecurityToken::disable();
|
||||||
|
//
|
||||||
|
// $form2 = $this->getStubForm();
|
||||||
|
// $this->assertType('NullSecurityToken', $form2->getSecurityToken());
|
||||||
|
//
|
||||||
|
// SecurityToken::enable();
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// function testDisableSecurityTokenDoesntAddTokenFormField() {
|
||||||
|
// SecurityToken::enable();
|
||||||
|
//
|
||||||
|
// $formWithToken = $this->getStubForm();
|
||||||
|
// $this->assertType(
|
||||||
|
// 'HiddenField',
|
||||||
|
// $formWithToken->Fields()->fieldByName(SecurityToken::get_default_name()),
|
||||||
|
// 'Token field added by default'
|
||||||
|
// );
|
||||||
|
//
|
||||||
|
// $formWithoutToken = $this->getStubForm();
|
||||||
|
// $formWithoutToken->disableSecurityToken();
|
||||||
|
// $this->assertNull(
|
||||||
|
// $formWithoutToken->Fields()->fieldByName(SecurityToken::get_default_name()),
|
||||||
|
// 'Token field not added if disableSecurityToken() is set'
|
||||||
|
// );
|
||||||
|
// }
|
||||||
|
|
||||||
// url would be ?key1=val1&namespace[key2]=val2&namespace[key3][key4]=val4&othernamespace[key5][key6][key7]=val7
|
function testDisableSecurityTokenAcceptsSubmissionWithoutToken() {
|
||||||
$requestData = array(
|
SecurityToken::enable();
|
||||||
'key1' => 'val1',
|
|
||||||
'namespace' => array(
|
$response = $this->get('FormTest_ControllerWithSecurityToken');
|
||||||
'key2' => 'val2',
|
// can't use submitForm() as it'll automatically insert SecurityID into the POST data
|
||||||
'key3' => array(
|
$response = $this->post(
|
||||||
'key4' => 'val4',
|
'FormTest_ControllerWithSecurityToken/Form',
|
||||||
)
|
array(
|
||||||
),
|
'Email' => 'test@test.com',
|
||||||
'othernamespace' => array(
|
'action_doSubmit' => 1
|
||||||
'key5' => array(
|
// leaving out security token
|
||||||
'key6' =>array(
|
|
||||||
'key7' => 'val7'
|
|
||||||
)
|
|
||||||
)
|
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
$this->assertEquals(400, $response->getStatusCode(), 'Submission fails without security token');
|
||||||
|
|
||||||
$form->loadDataFrom($requestData);
|
$response = $this->get('FormTest_ControllerWithSecurityToken');
|
||||||
|
$tokenEls = $this->cssParser()->getBySelector('#Form_Form_SecurityID');
|
||||||
$fields = $form->Fields();
|
|
||||||
$this->assertEquals($fields->fieldByName('key1')->Value(), 'val1');
|
|
||||||
$this->assertEquals($fields->fieldByName('namespace[key2]')->Value(), 'val2');
|
|
||||||
$this->assertEquals($fields->fieldByName('namespace[key3][key4]')->Value(), 'val4');
|
|
||||||
$this->assertEquals($fields->fieldByName('othernamespace[key5][key6][key7]')->Value(), 'val7');
|
|
||||||
}
|
|
||||||
|
|
||||||
public function testLoadDataFromUnchangedHandling() {
|
|
||||||
$form = new Form(
|
|
||||||
new Controller(),
|
|
||||||
'Form',
|
|
||||||
new FieldSet(
|
|
||||||
new TextField('key1'),
|
|
||||||
new TextField('key2')
|
|
||||||
),
|
|
||||||
new FieldSet()
|
|
||||||
);
|
|
||||||
$form->loadDataFrom(array(
|
|
||||||
'key1' => 'save',
|
|
||||||
'key2' => 'dontsave',
|
|
||||||
'key2_unchanged' => '1'
|
|
||||||
));
|
|
||||||
$this->assertEquals(
|
$this->assertEquals(
|
||||||
$form->getData(),
|
1,
|
||||||
array(
|
count($tokenEls),
|
||||||
'key1' => 'save',
|
'Token form field added for controller without disableSecurityToken()'
|
||||||
'key2' => null,
|
|
||||||
),
|
|
||||||
'loadDataFrom() doesnt save a field if a matching "<fieldname>_unchanged" flag is set'
|
|
||||||
);
|
);
|
||||||
}
|
$token = (string)$tokenEls[0];
|
||||||
|
|
||||||
public function testLoadDataFromObject() {
|
|
||||||
$form = new Form(
|
|
||||||
new Controller(),
|
|
||||||
'Form',
|
|
||||||
new FieldSet(
|
|
||||||
new HeaderField('MyPlayerHeader','My Player'),
|
|
||||||
new TextField('Name'), // appears in both Player and Team
|
|
||||||
new TextareaField('Biography'),
|
|
||||||
new DateField('Birthday'),
|
|
||||||
new NumericField('BirthdayYear') // dynamic property
|
|
||||||
),
|
|
||||||
new FieldSet()
|
|
||||||
);
|
|
||||||
|
|
||||||
$captainWithDetails = $this->objFromFixture('FormTest_Player', 'captainWithDetails');
|
|
||||||
$form->loadDataFrom($captainWithDetails);
|
|
||||||
$this->assertEquals(
|
|
||||||
$form->getData(),
|
|
||||||
array(
|
|
||||||
'Name' => 'Captain Details',
|
|
||||||
'Biography' => 'Bio 1',
|
|
||||||
'Birthday' => '1982-01-01',
|
|
||||||
'BirthdayYear' => '1982',
|
|
||||||
),
|
|
||||||
'LoadDataFrom() loads simple fields and dynamic getters'
|
|
||||||
);
|
|
||||||
|
|
||||||
$captainNoDetails = $this->objFromFixture('FormTest_Player', 'captainNoDetails');
|
|
||||||
$form->loadDataFrom($captainNoDetails);
|
|
||||||
$this->assertEquals(
|
|
||||||
$form->getData(),
|
|
||||||
array(
|
|
||||||
'Name' => 'Captain No Details',
|
|
||||||
'Biography' => null,
|
|
||||||
'Birthday' => null,
|
|
||||||
'BirthdayYear' => 0,
|
|
||||||
),
|
|
||||||
'LoadNonBlankDataFrom() loads only fields with values, and doesnt overwrite existing values'
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
public function testLoadDataFromClearMissingFields() {
|
|
||||||
$form = new Form(
|
|
||||||
new Controller(),
|
|
||||||
'Form',
|
|
||||||
new FieldSet(
|
|
||||||
new HeaderField('MyPlayerHeader','My Player'),
|
|
||||||
new TextField('Name'), // appears in both Player and Team
|
|
||||||
new TextareaField('Biography'),
|
|
||||||
new DateField('Birthday'),
|
|
||||||
new NumericField('BirthdayYear'), // dynamic property
|
|
||||||
$unrelatedField = new TextField('UnrelatedFormField')
|
|
||||||
//new CheckboxSetField('Teams') // relation editing
|
|
||||||
),
|
|
||||||
new FieldSet()
|
|
||||||
);
|
|
||||||
$unrelatedField->setValue("random value");
|
|
||||||
|
|
||||||
$captainWithDetails = $this->objFromFixture('FormTest_Player', 'captainWithDetails');
|
|
||||||
$captainNoDetails = $this->objFromFixture('FormTest_Player', 'captainNoDetails');
|
|
||||||
$form->loadDataFrom($captainWithDetails);
|
|
||||||
$this->assertEquals(
|
|
||||||
$form->getData(),
|
|
||||||
array(
|
|
||||||
'Name' => 'Captain Details',
|
|
||||||
'Biography' => 'Bio 1',
|
|
||||||
'Birthday' => '1982-01-01',
|
|
||||||
'BirthdayYear' => '1982',
|
|
||||||
'UnrelatedFormField' => 'random value',
|
|
||||||
),
|
|
||||||
'LoadDataFrom() doesnt overwrite fields not found in the object'
|
|
||||||
);
|
|
||||||
|
|
||||||
$captainWithDetails = $this->objFromFixture('FormTest_Player', 'captainNoDetails');
|
|
||||||
$team2 = $this->objFromFixture('FormTest_Team', 'team2');
|
|
||||||
$form->loadDataFrom($captainWithDetails);
|
|
||||||
$form->loadDataFrom($team2, true);
|
|
||||||
$this->assertEquals(
|
|
||||||
$form->getData(),
|
|
||||||
array(
|
|
||||||
'Name' => 'Team 2',
|
|
||||||
'Biography' => '',
|
|
||||||
'Birthday' => '',
|
|
||||||
'BirthdayYear' => 0,
|
|
||||||
'UnrelatedFormField' => null,
|
|
||||||
),
|
|
||||||
'LoadDataFrom() overwrites fields not found in the object with $clearMissingFields=true'
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
public function testFormMethodOverride() {
|
|
||||||
$form = $this->getStubForm();
|
|
||||||
$form->setFormMethod('GET');
|
|
||||||
$this->assertNull($form->dataFieldByName('_method'));
|
|
||||||
|
|
||||||
$form = $this->getStubForm();
|
|
||||||
$form->setFormMethod('PUT');
|
|
||||||
$this->assertEquals($form->dataFieldByName('_method')->Value(), 'put',
|
|
||||||
'PUT override in forms has PUT in hiddenfield'
|
|
||||||
);
|
|
||||||
$this->assertEquals($form->FormMethod(), 'post',
|
|
||||||
'PUT override in forms has POST in <form> tag'
|
|
||||||
);
|
|
||||||
|
|
||||||
$form = $this->getStubForm();
|
|
||||||
$form->setFormMethod('DELETE');
|
|
||||||
$this->assertEquals($form->dataFieldByName('_method')->Value(), 'delete',
|
|
||||||
'PUT override in forms has PUT in hiddenfield'
|
|
||||||
);
|
|
||||||
$this->assertEquals($form->FormMethod(), 'post',
|
|
||||||
'PUT override in forms has POST in <form> tag'
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
function testSessionValidationMessage() {
|
|
||||||
$this->get('FormTest_Controller');
|
|
||||||
|
|
||||||
$response = $this->submitForm(
|
|
||||||
'Form_Form',
|
|
||||||
null,
|
|
||||||
array(
|
|
||||||
'Email' => 'invalid',
|
|
||||||
// leaving out "Required" field
|
|
||||||
)
|
|
||||||
);
|
|
||||||
$this->assertPartialMatchBySelector(
|
|
||||||
'#Email span.message',
|
|
||||||
array(
|
|
||||||
_t('EmailField.VALIDATION', "Please enter an email address.")
|
|
||||||
),
|
|
||||||
'Formfield validation shows note on field if invalid'
|
|
||||||
);
|
|
||||||
$this->assertPartialMatchBySelector(
|
|
||||||
'#SomeRequiredField span.required',
|
|
||||||
array(
|
|
||||||
sprintf(_t('Form.FIELDISREQUIRED').'.','"SomeRequiredField"')
|
|
||||||
),
|
|
||||||
'Required fields show a notification on field when left blank'
|
|
||||||
);
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
function testSessionSuccessMessage() {
|
|
||||||
$this->get('FormTest_Controller');
|
|
||||||
|
|
||||||
$response = $this->submitForm(
|
$response = $this->submitForm(
|
||||||
'Form_Form',
|
'Form_Form',
|
||||||
null,
|
null,
|
||||||
array(
|
array(
|
||||||
'Email' => 'test@test.com',
|
'Email' => 'test@test.com',
|
||||||
'SomeRequiredField' => 'test',
|
'SecurityID' => $token
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
$this->assertPartialMatchBySelector(
|
$this->assertEquals(200, $response->getStatusCode(), 'Submission suceeds with security token');
|
||||||
'#Form_Form_error',
|
|
||||||
array(
|
|
||||||
'Test save was successful'
|
|
||||||
),
|
|
||||||
'Form->sessionMessage() shows up after reloading the form'
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function getStubForm() {
|
protected function getStubForm() {
|
||||||
@ -305,6 +371,57 @@ class FormTest_Controller extends Controller {
|
|||||||
'SomeRequiredField'
|
'SomeRequiredField'
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// Disable CSRF protection for easier form submission handling
|
||||||
|
$form->disableSecurityToken();
|
||||||
|
|
||||||
|
return $form;
|
||||||
|
}
|
||||||
|
|
||||||
|
function FormWithSecurityToken() {
|
||||||
|
$form = new Form(
|
||||||
|
$this,
|
||||||
|
'FormWithSecurityToken',
|
||||||
|
new FieldSet(
|
||||||
|
new EmailField('Email')
|
||||||
|
),
|
||||||
|
new FieldSet(
|
||||||
|
new FormAction('doSubmit')
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
return $form;
|
||||||
|
}
|
||||||
|
|
||||||
|
function doSubmit($data, $form, $request) {
|
||||||
|
$form->sessionMessage('Test save was successful', 'good');
|
||||||
|
return $this->redirectBack();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
class FormTest_ControllerWithSecurityToken extends Controller {
|
||||||
|
static $url_handlers = array(
|
||||||
|
'$Action//$ID/$OtherID' => "handleAction",
|
||||||
|
);
|
||||||
|
|
||||||
|
protected $template = 'BlankPage';
|
||||||
|
|
||||||
|
function Link($action = null) {
|
||||||
|
return Controller::join_links('FormTest_ControllerWithSecurityToken', $this->request->latestParam('Action'), $this->request->latestParam('ID'), $action);
|
||||||
|
}
|
||||||
|
|
||||||
|
function Form() {
|
||||||
|
$form = new Form(
|
||||||
|
$this,
|
||||||
|
'Form',
|
||||||
|
new FieldSet(
|
||||||
|
new EmailField('Email')
|
||||||
|
),
|
||||||
|
new FieldSet(
|
||||||
|
new FormAction('doSubmit')
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
return $form;
|
return $form;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
145
tests/security/SecurityTokenTest.php
Normal file
145
tests/security/SecurityTokenTest.php
Normal file
@ -0,0 +1,145 @@
|
|||||||
|
<?
|
||||||
|
/**
|
||||||
|
* @package sapphire
|
||||||
|
* @subpackage tests
|
||||||
|
*/
|
||||||
|
class SecurityTokenTest extends SapphireTest {
|
||||||
|
|
||||||
|
function testIsEnabled() {
|
||||||
|
$inst1 = SecurityToken::inst();
|
||||||
|
$this->assertTrue($inst1->isEnabled());
|
||||||
|
|
||||||
|
SecurityToken::disable();
|
||||||
|
$inst2 = SecurityToken::inst();
|
||||||
|
$this->assertFalse($inst2->isEnabled());
|
||||||
|
|
||||||
|
SecurityToken::enable();
|
||||||
|
}
|
||||||
|
|
||||||
|
function testEnableAndDisable() {
|
||||||
|
$inst = SecurityToken::inst();
|
||||||
|
$this->assertFalse($inst->check('randomvalue'));
|
||||||
|
|
||||||
|
SecurityToken::disable();
|
||||||
|
$inst = SecurityToken::inst();
|
||||||
|
$this->assertTrue($inst->check('randomvalue'));
|
||||||
|
|
||||||
|
SecurityToken::enable();
|
||||||
|
$inst = SecurityToken::inst();
|
||||||
|
$this->assertFalse($inst->check('randomvalue'));
|
||||||
|
}
|
||||||
|
|
||||||
|
function testIsEnabledStatic() {
|
||||||
|
$this->assertTrue(SecurityToken::is_enabled());
|
||||||
|
|
||||||
|
SecurityToken::disable();
|
||||||
|
$this->assertFalse(SecurityToken::is_enabled());
|
||||||
|
|
||||||
|
SecurityToken::enable();
|
||||||
|
$this->assertTrue(SecurityToken::is_enabled());
|
||||||
|
}
|
||||||
|
|
||||||
|
function testInst() {
|
||||||
|
$inst1 = SecurityToken::inst();
|
||||||
|
$this->assertType('SecurityToken', $inst1);
|
||||||
|
}
|
||||||
|
|
||||||
|
function testInstReturnsSingleton() {
|
||||||
|
$inst1 = SecurityToken::inst();
|
||||||
|
$inst2 = SecurityToken::inst();
|
||||||
|
$this->assertEquals($inst1, $inst2);
|
||||||
|
}
|
||||||
|
|
||||||
|
function testCheck() {
|
||||||
|
$t = new SecurityToken();
|
||||||
|
|
||||||
|
$t->setValue(null);
|
||||||
|
$this->assertFalse($t->check('invalidtoken'), 'Any token is invalid if no token is stored');
|
||||||
|
|
||||||
|
$t->setValue(null);
|
||||||
|
$this->assertFalse($t->check(null), 'NULL token is invalid if no token is stored');
|
||||||
|
|
||||||
|
$t->setValue('mytoken');
|
||||||
|
$this->assertFalse($t->check('invalidtoken'), 'Invalid token returns false');
|
||||||
|
|
||||||
|
$t->setValue('mytoken');
|
||||||
|
$this->assertTrue($t->check('mytoken'), 'Valid token returns true');
|
||||||
|
}
|
||||||
|
|
||||||
|
function testCheckRequest() {
|
||||||
|
$t = new SecurityToken();
|
||||||
|
$n = $t->getName();
|
||||||
|
|
||||||
|
$t->setValue(null);
|
||||||
|
$r = new SS_HTTPRequest('GET', 'dummy', array($n => 'invalidtoken'));
|
||||||
|
$this->assertFalse($t->checkRequest($r), 'Any token is invalid if no token is stored');
|
||||||
|
|
||||||
|
$t->setValue(null);
|
||||||
|
$r = new SS_HTTPRequest('GET', 'dummy', array($n => null));
|
||||||
|
$this->assertFalse($t->checkRequest($r), 'NULL token is invalid if no token is stored');
|
||||||
|
|
||||||
|
$t->setValue('mytoken');
|
||||||
|
$r = new SS_HTTPRequest('GET', 'dummy', array($n => 'invalidtoken'));
|
||||||
|
$this->assertFalse($t->checkRequest($r), 'Invalid token returns false');
|
||||||
|
|
||||||
|
$t->setValue('mytoken');
|
||||||
|
$r = new SS_HTTPRequest('GET', 'dummy', array($n => 'mytoken'));
|
||||||
|
$this->assertTrue($t->checkRequest($r), 'Valid token returns true');
|
||||||
|
}
|
||||||
|
|
||||||
|
function testAddToUrl() {
|
||||||
|
$t = new SecurityToken();
|
||||||
|
|
||||||
|
$url = 'http://absolute.tld/action/';
|
||||||
|
$this->assertEquals(
|
||||||
|
sprintf('%s?%s=%s', $url, $t->getName(), $t->getValue()),
|
||||||
|
$t->addToUrl($url),
|
||||||
|
'Urls without existing GET parameters'
|
||||||
|
);
|
||||||
|
|
||||||
|
$url = 'http://absolute.tld/?getparam=1';
|
||||||
|
$this->assertEquals(
|
||||||
|
sprintf('%s&%s=%s', $url, $t->getName(), $t->getValue()),
|
||||||
|
$t->addToUrl($url),
|
||||||
|
'Urls with existing GET parameters'
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
function testUpdateFieldSet() {
|
||||||
|
$fs = new FieldSet();
|
||||||
|
$t = new SecurityToken();
|
||||||
|
$t->updateFieldSet($fs);
|
||||||
|
$f = $fs->dataFieldByName($t->getName());
|
||||||
|
|
||||||
|
$this->assertType('HiddenField', $f);
|
||||||
|
$this->assertEquals($f->Name(), $t->getName(), 'Name matches');
|
||||||
|
$this->assertEquals($f->Value(), $t->getValue(), 'Value matches');
|
||||||
|
}
|
||||||
|
|
||||||
|
function testUpdateFieldSetDoesntAddTwice() {
|
||||||
|
$fs = new FieldSet();
|
||||||
|
$t = new SecurityToken();
|
||||||
|
$t->updateFieldSet($fs); // first
|
||||||
|
$t->updateFieldSet($fs); // second
|
||||||
|
$f = $fs->dataFieldByName($t->getName());
|
||||||
|
|
||||||
|
$this->assertType('HiddenField', $f);
|
||||||
|
$this->assertEquals(1, $fs->Count());
|
||||||
|
}
|
||||||
|
|
||||||
|
function testUnnamedTokensCarrySameValue() {
|
||||||
|
$t1 = new SecurityToken();
|
||||||
|
$t2 = new SecurityToken();
|
||||||
|
|
||||||
|
$this->assertEquals($t1->getName(), $t2->getName());
|
||||||
|
$this->assertEquals($t1->getValue(), $t2->getValue());
|
||||||
|
}
|
||||||
|
|
||||||
|
function testNamedTokensCarryDifferentValues() {
|
||||||
|
$t1 = new SecurityToken('one');
|
||||||
|
$t2 = new SecurityToken('two');
|
||||||
|
|
||||||
|
$this->assertNotEquals($t1->getName(), $t2->getName());
|
||||||
|
$this->assertNotEquals($t1->getValue(), $t2->getValue());
|
||||||
|
}
|
||||||
|
}
|
Loading…
x
Reference in New Issue
Block a user