diff --git a/security/Security.php b/security/Security.php
index 3db0fd967..b483ac082 100644
--- a/security/Security.php
+++ b/security/Security.php
@@ -93,9 +93,10 @@ class Security extends Controller {
 /**
 * Default message set used in permission failures.
 *
+ * @config
 * @var array|string
 */
- private static $default_message_set = '';
+ private static $default_message_set;
 /**
 * Random secure token, can be used as a crypto key internally.
@@ -176,9 +177,6 @@ class Security extends Controller {
 * If you pass an array, you can use the
 * following keys:
 * - default: The default message
- * - logInAgain: The message to show
- * if the user has just
- * logged out and the
 * - alreadyLoggedIn: The message to
 * show if the user
 * is already logged
@@ -209,8 +207,8 @@ class Security extends Controller {
 } else {
 // Prepare the messageSet provided
 if(!$messageSet) {
- if(self::$default_message_set) {
- $messageSet = self::$default_message_set;
+ if($configMessageSet = static::config()->get('default_message_set')) {
+ $messageSet = $configMessageSet;
 } else {
 $messageSet = array(
 'default' => _t(
@@ -224,11 +222,6 @@ class Security extends Controller {
 . "can access that page, you can log in again below.",
 "%s will be replaced with a link to log in."
- ),
- 'logInAgain' => _t(
- 'Security.LOGGEDOUT',
- "You have been logged out. If you would like to log in again, enter "
- . "your credentials below."
 )
 );
 }
diff --git a/tests/security/SecurityTest.php b/tests/security/SecurityTest.php
index 0f0fbc137..91e842f55 100644
--- a/tests/security/SecurityTest.php
+++ b/tests/security/SecurityTest.php
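Review bot: The docblock on `$default_message_set` in the first hunk now marks it `@config` but says nothing about the shapes it accepts or what happens when it is unset, and `@var array|string` no longer covers the uninitialised default (null). The third hunk falls back to the built-in `_t()` messages whenever the config value is falsy, and the method docblock in the second hunk lists the array keys `default` and `alreadyLoggedIn`, so I would add under the summary line: `* Either a plain string, or an array with 'default' and 'alreadyLoggedIn' keys (see permissionFailure()). Leave unset to use the built-in translated messages.` and change the type to `@var array|string|null`. Since the built-in text is a template whose `%s` is replaced with a log-in link, a configured value appears to be emitted as markup rather than plain text; if that is confirmed, the docblock should say so, because site config now controls that string.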
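Review bot: The assignment inside the `if` condition in the third hunk, `if($configMessageSet = static::config()->get('default_message_set'))`, reads like a mistyped `==` and hides the fact that any falsy config value (empty string, empty array, `'0'`) silently falls through to the built-in messages. Splitting it keeps the behaviour and makes the fallback visible: `$configMessageSet = static::config()->get('default_message_set');` followed by `if($configMessageSet) {`. The enclosing method starts and ends outside the hunk.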
@@ -73,6 +73,47 @@ class SecurityTest extends FunctionalTest {
 $this->autoFollowRedirection = true;
 }
+
+ public function testPermissionFailureSetsCorrectFormMessages() {
+ Config::nest();
+
+ // Controller that doesn't attempt redirections
+ $controller = new SecurityTest_NullController();
+ $controller->response = new SS_HTTPResponse();
+
+ Security::permissionFailure($controller, array('default' => 'Oops, not allowed'));
+ $this->assertEquals('Oops, not allowed', Session::get('Security.Message.message'));
+
+ // Test that config values are used correctly
+ Config::inst()->update('Security', 'default_message_set', 'stringvalue');
+ Security::permissionFailure($controller);
+ $this->assertEquals('stringvalue', Session::get('Security.Message.message'),
+ 'Default permission failure message value was not present');
+
+ Config::inst()->remove('Security', 'default_message_set');
+ Config::inst()->update('Security', 'default_message_set', array('default' => 'arrayvalue'));
+ Security::permissionFailure($controller);
+ $this->assertEquals('arrayvalue', Session::get('Security.Message.message'),
+ 'Default permission failure message value was not present');
+
+ // Test that non-default messages work. 
+ // NOTE: we inspect the response body here as the session message has already
+ // been fetched and output as part of it, so has been removed from the session
+ $this->logInWithPermission('EDITOR');
+
+ Config::inst()->update('Security', 'default_message_set',
+ array('default' => 'default', 'alreadyLoggedIn' => 'You are already logged in!'));
+ Security::permissionFailure($controller);
+ $this->assertContains('You are already logged in!', $controller->response->getBody(),
+ 'Custom permission failure message was ignored');
+
+ Security::permissionFailure($controller,
+ array('default' => 'default', 'alreadyLoggedIn' => 'One-off failure message'));
+ $this->assertContains('One-off failure message', $controller->response->getBody(),
+ "Message set passed to Security::permissionFailure() didn't override Config values");
+
+ Config::unnest();
+ }
 public function testLogInAsSomeoneElse() {
 $member = DataObject::get_one('Member');
@@ -501,3 +542,11 @@ class SecurityTest_SecuredController extends Controller implements TestOnly {
 return 'Success';
 }
 }
+
+class SecurityTest_NullController extends Controller implements TestOnly {
+
+ public function redirect($url, $code = 302) {
+ // NOOP
+ }
+
+}
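Review bot: `Config::unnest()` at the end of testPermissionFailureSetsCorrectFormMessages() is skipped whenever one of the assertions before it fails, so the nested config (including the `default_message_set` overrides) and the `logInWithPermission('EDITOR')` session state leak into later tests and turn one failure into several confusing ones. Unless the test base class already nests config in setUp()/tearDown() (in which case the explicit `Config::nest()`/`Config::unnest()` pair is redundant and should go), wrap the body from the first `Config::inst()->update(...)` onward in `try { ... } finally { Config::unnest(); }` and log the EDITOR member out in the same finally block. The `stringvalue` and `arrayvalue` cases read the message back from `Session`, while the later cases read it from the response body; a one-line comment before the first `assertEquals` stating that the unauthenticated path leaves the message in the session would make the switch less surprising.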
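Review bot: `SecurityTest_NullController` in the last hunk has no docblock, and the only explanation of why `redirect()` is a no-op is an inline comment inside the test that uses it. A class-level docblock keeps the intent next to the override: `/** Test-only controller whose redirect() does nothing, so Security::permissionFailure() does not issue a redirect and its output can be asserted on $controller->response. */`; the `// NOOP` comment inside the method can then be dropped.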