Merge pull request #4006 from kinglozzer/patch-1
FIX: Security::$default_message_set Config value unusable
This commit is contained in:
commit
de2aa47250
@ -93,9 +93,10 @@ class Security extends Controller {
|
||||
/**
|
||||
* Default message set used in permission failures.
|
||||
*
|
||||
* @config
|
||||
* @var array|string
|
||||
*/
|
||||
private static $default_message_set = '';
|
||||
private static $default_message_set;
|
||||
|
||||
/**
|
||||
* Random secure token, can be used as a crypto key internally.
|
||||
@ -176,9 +177,6 @@ class Security extends Controller {
|
||||
* If you pass an array, you can use the
|
||||
* following keys:
|
||||
* - default: The default message
|
||||
* - logInAgain: The message to show
|
||||
* if the user has just
|
||||
* logged out and the
|
||||
* - alreadyLoggedIn: The message to
|
||||
* show if the user
|
||||
* is already logged
|
||||
@ -209,8 +207,8 @@ class Security extends Controller {
|
||||
} else {
|
||||
// Prepare the messageSet provided
|
||||
if(!$messageSet) {
|
||||
if(self::$default_message_set) {
|
||||
$messageSet = self::$default_message_set;
|
||||
if($configMessageSet = static::config()->get('default_message_set')) {
|
||||
$messageSet = $configMessageSet;
|
||||
} else {
|
||||
$messageSet = array(
|
||||
'default' => _t(
|
||||
@ -224,11 +222,6 @@ class Security extends Controller {
|
||||
. "can access that page, you can log in again below.",
|
||||
|
||||
"%s will be replaced with a link to log in."
|
||||
),
|
||||
'logInAgain' => _t(
|
||||
'Security.LOGGEDOUT',
|
||||
"You have been logged out. If you would like to log in again, enter "
|
||||
. "your credentials below."
|
||||
)
|
||||
);
|
||||
}
|
||||
|
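Review bot: The new config lookup in the `@ -209,8 +207,8 @@` hunk, `if($configMessageSet = static::config()->get('default_message_set'))`, tests the config value for truthiness, so a legitimately configured message of `'0'`, `''`, `0` or an empty array is silently discarded and the built-in default set is used instead; the docblock in the first hunk advertises `array|string`, and with the initialiser removed the unset case now reads as `null` rather than `''`. A check that distinguishes "not configured" from "falsy value" is safer: `$configMessageSet = static::config()->get('default_message_set'); if ($configMessageSet !== null && $configMessageSet !== '') {` followed by the existing assignment. Separating the assignment from the condition also removes the assignment-in-`if` that is easy to misread as a comparison. The enclosing `permissionFailure()` body starts before and continues after this hunk, so I have not seen how a `null` message set would be handled further down; presumably the `else` branch still covers it, but worth confirming. The `@var` in the first hunk should probably become `@var array|string|null` now that the property has no initialiser.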
@ -74,6 +74,47 @@ class SecurityTest extends FunctionalTest {
|
||||
$this->autoFollowRedirection = true;
|
||||
}
|
||||
|
||||
public function testPermissionFailureSetsCorrectFormMessages() {
|
||||
Config::nest();
|
||||
|
||||
// Controller that doesn't attempt redirections
|
||||
$controller = new SecurityTest_NullController();
|
||||
$controller->response = new SS_HTTPResponse();
|
||||
|
||||
Security::permissionFailure($controller, array('default' => 'Oops, not allowed'));
|
||||
$this->assertEquals('Oops, not allowed', Session::get('Security.Message.message'));
|
||||
|
||||
// Test that config values are used correctly
|
||||
Config::inst()->update('Security', 'default_message_set', 'stringvalue');
|
||||
Security::permissionFailure($controller);
|
||||
$this->assertEquals('stringvalue', Session::get('Security.Message.message'),
|
||||
'Default permission failure message value was not present');
|
||||
|
||||
Config::inst()->remove('Security', 'default_message_set');
|
||||
Config::inst()->update('Security', 'default_message_set', array('default' => 'arrayvalue'));
|
||||
Security::permissionFailure($controller);
|
||||
$this->assertEquals('arrayvalue', Session::get('Security.Message.message'),
|
||||
'Default permission failure message value was not present');
|
||||
|
||||
// Test that non-default messages work.
|
||||
// NOTE: we inspect the response body here as the session message has already
|
||||
// been fetched and output as part of it, so has been removed from the session
|
||||
$this->logInWithPermission('EDITOR');
|
||||
|
||||
Config::inst()->update('Security', 'default_message_set',
|
||||
array('default' => 'default', 'alreadyLoggedIn' => 'You are already logged in!'));
|
||||
Security::permissionFailure($controller);
|
||||
$this->assertContains('You are already logged in!', $controller->response->getBody(),
|
||||
'Custom permission failure message was ignored');
|
||||
|
||||
Security::permissionFailure($controller,
|
||||
array('default' => 'default', 'alreadyLoggedIn' => 'One-off failure message'));
|
||||
$this->assertContains('One-off failure message', $controller->response->getBody(),
|
||||
"Message set passed to Security::permissionFailure() didn't override Config values");
|
||||
|
||||
Config::unnest();
|
||||
}
|
||||
|
||||
public function testLogInAsSomeoneElse() {
|
||||
$member = DataObject::get_one('Member');
|
||||
|
||||
@ -501,3 +542,11 @@ class SecurityTest_SecuredController extends Controller implements TestOnly {
|
||||
return 'Success';
|
||||
}
|
||||
}
|
||||
|
||||
class SecurityTest_NullController extends Controller implements TestOnly {
|
||||
|
||||
public function redirect($url, $code = 302) {
|
||||
// NOOP
|
||||
}
|
||||
|
||||
}
|
||||
|
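Review bot: `testPermissionFailureSetsCorrectFormMessages()` calls `Config::nest()` at its start and `Config::unnest()` only on its last line, so any failing assertion in between leaves the nested config (with `default_message_set` overridden and, after `logInWithPermission('EDITOR')`, a logged-in session) in place for whatever runs next, which can turn one failure into a cascade of unrelated ones. If the test base class does not already nest and unnest config around each test, the body should be wrapped so the cleanup always runs, e.g. `try { … } finally { Config::unnest(); }`; if it does, the manual `Config::nest()`/`Config::unnest()` pair is redundant and can be dropped. The new `SecurityTest_NullController` at the end of the file would also benefit from a class docblock explaining its purpose, which is only stated by the inline comment at the call site: `/** Stub controller whose redirect() is a no-op, so permissionFailure() writes its message into the response body instead of redirecting. */`. I would also add `// NOOP: swallow the redirect so the test can inspect the response body` on the empty `redirect()` method to make the unused `$url`/`$code` parameters intentional.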