Merge pull request #4006 from kinglozzer/patch-1

FIX: Security::$default_message_set Config value unusable
This commit is contained in:
Daniel Hensby 2015-03-17 17:05:01 +00:00
commit de2aa47250
2 changed files with 53 additions and 11 deletions


@ -93,9 +93,10 @@ class Security extends Controller {
/** /**
* Default message set used in permission failures. * Default message set used in permission failures.
* *
* @config
* @var array|string * @var array|string
*/ */
private static $default_message_set = ''; private static $default_message_set;
/** /**
* Random secure token, can be used as a crypto key internally. * Random secure token, can be used as a crypto key internally.
@ -176,9 +177,6 @@ class Security extends Controller {
* If you pass an array, you can use the * If you pass an array, you can use the
* following keys: * following keys:
* - default: The default message * - default: The default message
* - logInAgain: The message to show
* if the user has just
* logged out and the
* - alreadyLoggedIn: The message to * - alreadyLoggedIn: The message to
* show if the user * show if the user
* is already logged * is already logged
@ -209,8 +207,8 @@ class Security extends Controller {
} else { } else {
// Prepare the messageSet provided // Prepare the messageSet provided
if(!$messageSet) { if(!$messageSet) {
if(self::$default_message_set) { if($configMessageSet = static::config()->get('default_message_set')) {
$messageSet = self::$default_message_set; $messageSet = $configMessageSet;
} else { } else {
$messageSet = array( $messageSet = array(
'default' => _t( 'default' => _t(
@ -224,11 +222,6 @@ class Security extends Controller {
. "can access that page, you can log in again below.", . "can access that page, you can log in again below.",
"%s will be replaced with a link to log in." "%s will be replaced with a link to log in."
),
'logInAgain' => _t(
'Security.LOGGEDOUT',
"You have been logged out. If you would like to log in again, enter "
. "your credentials below."
) )
); );
} }
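Review bot: The fallback at `if($configMessageSet = static::config()->get('default_message_set'))` relies on truthiness, so a configured value of `''`, `'0'` or an empty array silently falls through to the built-in English messages rather than being reported, and the property docblock the commit touches (`@config` / `@var array|string`) says nothing about the accepted shape or about that behaviour. I would extend the docblock with a sentence such as `Either a single message string, or an array with a 'default' key and optionally 'alreadyLoggedIn' (see permissionFailure()); falsy values are ignored and the built-in messages are used.` Since this commit removes `logInAgain` from both the documented keys and the default array, the comment must not mention that key. The new test on this page shows these strings reaching the response body verbatim, but whether they are HTML-escaped on output is not visible in this hunk, so the docblock should also state whether markup is permitted once that is confirmed. permissionFailure() starts and ends outside the hunk.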


@ -73,6 +73,47 @@ class SecurityTest extends FunctionalTest {
$this->autoFollowRedirection = true; $this->autoFollowRedirection = true;
} }
public function testPermissionFailureSetsCorrectFormMessages() {
Config::nest();
// Controller that doesn't attempt redirections
$controller = new SecurityTest_NullController();
$controller->response = new SS_HTTPResponse();
Security::permissionFailure($controller, array('default' => 'Oops, not allowed'));
$this->assertEquals('Oops, not allowed', Session::get('Security.Message.message'));
// Test that config values are used correctly
Config::inst()->update('Security', 'default_message_set', 'stringvalue');
Security::permissionFailure($controller);
$this->assertEquals('stringvalue', Session::get('Security.Message.message'),
'Default permission failure message value was not present');
Config::inst()->remove('Security', 'default_message_set');
Config::inst()->update('Security', 'default_message_set', array('default' => 'arrayvalue'));
Security::permissionFailure($controller);
$this->assertEquals('arrayvalue', Session::get('Security.Message.message'),
'Default permission failure message value was not present');
// Test that non-default messages work.
// NOTE: we inspect the response body here as the session message has already
// been fetched and output as part of it, so has been removed from the session
$this->logInWithPermission('EDITOR');
Config::inst()->update('Security', 'default_message_set',
array('default' => 'default', 'alreadyLoggedIn' => 'You are already logged in!'));
Security::permissionFailure($controller);
$this->assertContains('You are already logged in!', $controller->response->getBody(),
'Custom permission failure message was ignored');
Security::permissionFailure($controller,
array('default' => 'default', 'alreadyLoggedIn' => 'One-off failure message'));
$this->assertContains('One-off failure message', $controller->response->getBody(),
"Message set passed to Security::permissionFailure() didn't override Config values");
Config::unnest();
}
public function testLogInAsSomeoneElse() { public function testLogInAsSomeoneElse() {
$member = DataObject::get_one('Member'); $member = DataObject::get_one('Member');
@ -501,3 +542,11 @@ class SecurityTest_SecuredController extends Controller implements TestOnly {
return 'Success'; return 'Success';
} }
} }
class SecurityTest_NullController extends Controller implements TestOnly {
public function redirect($url, $code = 302) {
// NOOP
}
}
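Review bot: The test pins that a configured message reaches `Session::get('Security.Message.message')` and, for the logged-in case, `$controller->response->getBody()`, but never checks how it gets there: one extra case with markup in the value (e.g. `array('default' => 'default', 'alreadyLoggedIn' => '<b>x</b>')`) would fix whether config strings are escaped or emitted as HTML, and neither outcome is asserted. Config is operator-controlled so this is not an injection hole, but the contract should be pinned before anyone starts putting links into these messages. A second gap is that `Config::nest()` at the top and `Config::unnest()` at the bottom are not wrapped in try/finally, so a failing assertion in between leaves the modified `default_message_set` in place for whatever runs next, unless the test base class restores config per test, which is not visible here. Finally, `SecurityTest_NullController::redirect()` returns nothing; if the real `Controller::redirect()` hands back the response object, `return $this->response;` would keep the stub closer to what callers expect.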