[ss-2016-002] Ensure Gridfield actions respect CSRF
This commit is contained in:
parent
15d4db3b4a
commit
e2c77c5a8f
@ -833,6 +833,18 @@ class GridField extends FormField {
|
|||||||
*/
|
*/
|
||||||
public function gridFieldAlterAction($data, $form, SS_HTTPRequest $request) {
|
public function gridFieldAlterAction($data, $form, SS_HTTPRequest $request) {
|
||||||
$data = $request->requestVars();
|
$data = $request->requestVars();
|
||||||
|
|
||||||
|
// Protection against CSRF attacks
|
||||||
|
$token = $this
|
||||||
|
->getForm()
|
||||||
|
->getSecurityToken();
|
||||||
|
if(!$token->checkRequest($request)) {
|
||||||
|
$this->httpError(400, _t("Form.CSRF_FAILED_MESSAGE",
|
||||||
|
"There seems to have been a technical problem. Please click the back button, ".
|
||||||
|
"refresh your browser, and try again."
|
||||||
|
));
|
||||||
|
}
|
||||||
|
|
||||||
$name = $this->getName();
|
$name = $this->getName();
|
||||||
|
|
||||||
$fieldData = null;
|
$fieldData = null;
|
||||||
|
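Review bot: The new guard resolves the token through `$this->getForm()` although the caller already hands the form in as `$form`, so a GridField whose form was never attached (FormField::getForm() appears to return the unset property, i.e. null) would die with a fatal "call on null" instead of the intended 400; `$token = $form->getSecurityToken();` keeps the check tied to the form actually submitting the action, or alternatively guard with `if(!$this->getForm()) $this->httpError(400);` before dereferencing. The `_t("Form.CSRF_FAILED_MESSAGE", ...)` fallback text is also repeated verbatim in the tests, so any later rewording would have to be done in several places; the test only needs the translation key. gridFieldAlterAction continues past the end of this hunk, so nothing after `$fieldData = null;` was reviewed here.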
@ -42,15 +42,54 @@ class GridFieldDeleteActionTest extends SapphireTest {
|
|||||||
$this->assertEquals(3, count($deleteButtons), 'Delete buttons should show when logged in.');
|
$this->assertEquals(3, count($deleteButtons), 'Delete buttons should show when logged in.');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testActionsRequireCSRF() {
|
||||||
|
$this->logInWithPermission('ADMIN');
|
||||||
|
$this->setExpectedException(
|
||||||
|
'SS_HTTPResponse_Exception',
|
||||||
|
_t("Form.CSRF_FAILED_MESSAGE",
|
||||||
|
"There seems to have been a technical problem. Please click the back button, ".
|
||||||
|
"refresh your browser, and try again."
|
||||||
|
),
|
||||||
|
400
|
||||||
|
);
|
||||||
|
$stateID = 'testGridStateActionField';
|
||||||
|
$request = new SS_HTTPRequest(
|
||||||
|
'POST',
|
||||||
|
'url',
|
||||||
|
array(),
|
||||||
|
array(
|
||||||
|
'action_gridFieldAlterAction?StateID='.$stateID,
|
||||||
|
'SecurityID' => null,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
|
||||||
|
}
|
||||||
|
|
||||||
public function testDeleteActionWithoutCorrectPermission() {
|
public function testDeleteActionWithoutCorrectPermission() {
|
||||||
if(Member::currentUser()) { Member::currentUser()->logOut(); }
|
if(Member::currentUser()) { Member::currentUser()->logOut(); }
|
||||||
$this->setExpectedException('ValidationException');
|
$this->setExpectedException('ValidationException');
|
||||||
|
|
||||||
$stateID = 'testGridStateActionField';
|
$stateID = 'testGridStateActionField';
|
||||||
Session::set($stateID, array('grid'=>'', 'actionName'=>'deleterecord',
|
Session::set(
|
||||||
'args'=>array('RecordID'=>$this->idFromFixture('GridFieldAction_Delete_Team', 'team1'))));
|
$stateID,
|
||||||
$request = new SS_HTTPRequest('POST', 'url', array(),
|
array(
|
||||||
array('action_gridFieldAlterAction?StateID='.$stateID=>true));
|
'grid' => '',
|
||||||
|
'actionName' => 'deleterecord',
|
||||||
|
'args' => array(
|
||||||
|
'RecordID' => $this->idFromFixture('GridFieldAction_Delete_Team', 'team1')
|
||||||
|
)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
$token = SecurityToken::inst();
|
||||||
|
$request = new SS_HTTPRequest(
|
||||||
|
'POST',
|
||||||
|
'url',
|
||||||
|
array(),
|
||||||
|
array(
|
||||||
|
'action_gridFieldAlterAction?StateID='.$stateID => true,
|
||||||
|
$token->getName() => $token->getValue(),
|
||||||
|
)
|
||||||
|
);
|
||||||
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
|
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
|
||||||
$this->assertEquals(3, $this->list->count(),
|
$this->assertEquals(3, $this->list->count(),
|
||||||
'User should\'t be able to delete records without correct permissions.');
|
'User should\'t be able to delete records without correct permissions.');
|
||||||
@ -59,10 +98,26 @@ class GridFieldDeleteActionTest extends SapphireTest {
|
|||||||
public function testDeleteActionWithAdminPermission() {
|
public function testDeleteActionWithAdminPermission() {
|
||||||
$this->logInWithPermission('ADMIN');
|
$this->logInWithPermission('ADMIN');
|
||||||
$stateID = 'testGridStateActionField';
|
$stateID = 'testGridStateActionField';
|
||||||
Session::set($stateID, array('grid'=>'', 'actionName'=>'deleterecord',
|
Session::set(
|
||||||
'args'=>array('RecordID'=>$this->idFromFixture('GridFieldAction_Delete_Team', 'team1'))));
|
$stateID,
|
||||||
$request = new SS_HTTPRequest('POST', 'url', array(),
|
array(
|
||||||
array('action_gridFieldAlterAction?StateID='.$stateID=>true));
|
'grid'=>'',
|
||||||
|
'actionName'=>'deleterecord',
|
||||||
|
'args' => array(
|
||||||
|
'RecordID' => $this->idFromFixture('GridFieldAction_Delete_Team', 'team1')
|
||||||
|
)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
$token = SecurityToken::inst();
|
||||||
|
$request = new SS_HTTPRequest(
|
||||||
|
'POST',
|
||||||
|
'url',
|
||||||
|
array(),
|
||||||
|
array(
|
||||||
|
'action_gridFieldAlterAction?StateID='.$stateID=>true,
|
||||||
|
$token->getName() => $token->getValue(),
|
||||||
|
)
|
||||||
|
);
|
||||||
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
|
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
|
||||||
$this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.');
|
$this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.');
|
||||||
}
|
}
|
||||||
@ -76,11 +131,26 @@ class GridFieldDeleteActionTest extends SapphireTest {
|
|||||||
$form = new Form(new Controller(), 'mockform', new FieldList(array($this->gridField)), new FieldList());
|
$form = new Form(new Controller(), 'mockform', new FieldList(array($this->gridField)), new FieldList());
|
||||||
|
|
||||||
$stateID = 'testGridStateActionField';
|
$stateID = 'testGridStateActionField';
|
||||||
Session::set($stateID, array('grid'=>'', 'actionName'=>'deleterecord',
|
Session::set(
|
||||||
'args'=>array('RecordID'=>$this->idFromFixture('GridFieldAction_Delete_Team', 'team1'))));
|
$stateID,
|
||||||
$request = new SS_HTTPRequest('POST', 'url', array(),
|
array(
|
||||||
array('action_gridFieldAlterAction?StateID='.$stateID=>true));
|
'grid'=>'',
|
||||||
|
'actionName'=>'deleterecord',
|
||||||
|
'args' => array(
|
||||||
|
'RecordID' => $this->idFromFixture('GridFieldAction_Delete_Team', 'team1')
|
||||||
|
)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
$token = SecurityToken::inst();
|
||||||
|
$request = new SS_HTTPRequest(
|
||||||
|
'POST',
|
||||||
|
'url',
|
||||||
|
array(),
|
||||||
|
array(
|
||||||
|
'action_gridFieldAlterAction?StateID='.$stateID=>true,
|
||||||
|
$token->getName() => $token->getValue(),
|
||||||
|
)
|
||||||
|
);
|
||||||
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
|
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
|
||||||
$this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.');
|
$this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.');
|
||||||
|
|
||||||
|
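Review bot: testActionsRequireCSRF (first hunk, L105–L189) never seeds `Session::set($stateID, ...)` the way the other tests do, so even with the CSRF guard removed the call would have no delete action to run, and because the expected exception ends the test there is no assertion that the list is untouched. Seeding the same `deleterecord` state and asserting `$this->list->count()` is still 3 after catching the exception turns it into a test that would actually fail on a regression; a second request with an incorrect `SecurityID` value (rather than a missing one) would cover the other failure mode `checkRequest` is meant to reject. A stricter check on the 400 status can be added if `SS_HTTPResponse_Exception` exposes its response, which I have not verified from this page.
```php
	public function testActionsRequireCSRF() {
		$this->logInWithPermission('ADMIN');
		$stateID = 'testGridStateActionField';
		// Seed the same delete action the other tests use, so a missing CSRF check would really delete a record
		Session::set(
			$stateID,
			array(
				'grid' => '',
				'actionName' => 'deleterecord',
				'args' => array(
					'RecordID' => $this->idFromFixture('GridFieldAction_Delete_Team', 'team1')
				)
			)
		);
		// … unchanged: $request construction with 'SecurityID' => null …
		try {
			$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
			$this->fail('A request without a SecurityID must be rejected before the action runs.');
		} catch (SS_HTTPResponse_Exception $e) {
			// expected: the CSRF check rejects the request
		}
		$this->assertEquals(3, $this->list->count(), 'No record may be deleted when the CSRF check fails.');
	}
```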