tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

[ss-2016-002] Ensure Gridfield actions respect CSRF

Browse Source
This commit is contained in:
Damian Mooyman 2016-02-17 15:09:21 +13:00
parent 15d4db3b4a
commit e2c77c5a8f
2 changed files with 95 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
forms/gridfield/GridField.php
View File

@ -833,6 +833,18 @@ class GridField extends FormField {
*/ */
public function gridFieldAlterAction($data, $form, SS_HTTPRequest $request) { public function gridFieldAlterAction($data, $form, SS_HTTPRequest $request) {
$data = $request->requestVars(); $data = $request->requestVars();
// Protection against CSRF attacks
$token = $this
->getForm()
->getSecurityToken();
if(!$token->checkRequest($request)) {
$this->httpError(400, _t("Form.CSRF_FAILED_MESSAGE",
"There seems to have been a technical problem. Please click the back button, ".
"refresh your browser, and try again."
));
}
$name = $this->getName(); $name = $this->getName();
$fieldData = null; $fieldData = null;

96
tests/forms/gridfield/GridFieldDeleteActionTest.php
View File

@ -42,15 +42,54 @@ class GridFieldDeleteActionTest extends SapphireTest {
$this->assertEquals(3, count($deleteButtons), 'Delete buttons should show when logged in.'); $this->assertEquals(3, count($deleteButtons), 'Delete buttons should show when logged in.');
} }
public function testActionsRequireCSRF() {
$this->logInWithPermission('ADMIN');
$this->setExpectedException(
'SS_HTTPResponse_Exception',
_t("Form.CSRF_FAILED_MESSAGE",
"There seems to have been a technical problem. Please click the back button, ".
"refresh your browser, and try again."
),
400
);
$stateID = 'testGridStateActionField';
$request = new SS_HTTPRequest(
'POST',
'url',
array(),
array(
'action_gridFieldAlterAction?StateID='.$stateID,
'SecurityID' => null,
)
);
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
}
public function testDeleteActionWithoutCorrectPermission() { public function testDeleteActionWithoutCorrectPermission() {
if(Member::currentUser()) { Member::currentUser()->logOut(); } if(Member::currentUser()) { Member::currentUser()->logOut(); }
$this->setExpectedException('ValidationException'); $this->setExpectedException('ValidationException');
$stateID = 'testGridStateActionField'; $stateID = 'testGridStateActionField';
Session::set($stateID, array('grid'=>'', 'actionName'=>'deleterecord', Session::set(
'args'=>array('RecordID'=>$this->idFromFixture('GridFieldAction_Delete_Team', 'team1')))); $stateID,
$request = new SS_HTTPRequest('POST', 'url', array(), array(
array('action_gridFieldAlterAction?StateID='.$stateID=>true)); 'grid' => '',
'actionName' => 'deleterecord',
'args' => array(
'RecordID' => $this->idFromFixture('GridFieldAction_Delete_Team', 'team1')
)
)
);
$token = SecurityToken::inst();
$request = new SS_HTTPRequest(
'POST',
'url',
array(),
array(
'action_gridFieldAlterAction?StateID='.$stateID => true,
$token->getName() => $token->getValue(),
)
);
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request); $this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
$this->assertEquals(3, $this->list->count(), $this->assertEquals(3, $this->list->count(),
'User should\'t be able to delete records without correct permissions.'); 'User should\'t be able to delete records without correct permissions.');
@ -59,10 +98,26 @@ class GridFieldDeleteActionTest extends SapphireTest {
public function testDeleteActionWithAdminPermission() { public function testDeleteActionWithAdminPermission() {
$this->logInWithPermission('ADMIN'); $this->logInWithPermission('ADMIN');
$stateID = 'testGridStateActionField'; $stateID = 'testGridStateActionField';
Session::set($stateID, array('grid'=>'', 'actionName'=>'deleterecord', Session::set(
'args'=>array('RecordID'=>$this->idFromFixture('GridFieldAction_Delete_Team', 'team1')))); $stateID,
$request = new SS_HTTPRequest('POST', 'url', array(), array(
array('action_gridFieldAlterAction?StateID='.$stateID=>true)); 'grid'=>'',
'actionName'=>'deleterecord',
'args' => array(
'RecordID' => $this->idFromFixture('GridFieldAction_Delete_Team', 'team1')
)
)
);
$token = SecurityToken::inst();
$request = new SS_HTTPRequest(
'POST',
'url',
array(),
array(
'action_gridFieldAlterAction?StateID='.$stateID=>true,
$token->getName() => $token->getValue(),
)
);
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request); $this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
$this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.'); $this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.');
} }
@ -76,11 +131,26 @@ class GridFieldDeleteActionTest extends SapphireTest {
$form = new Form(new Controller(), 'mockform', new FieldList(array($this->gridField)), new FieldList()); $form = new Form(new Controller(), 'mockform', new FieldList(array($this->gridField)), new FieldList());
$stateID = 'testGridStateActionField'; $stateID = 'testGridStateActionField';
Session::set($stateID, array('grid'=>'', 'actionName'=>'deleterecord', Session::set(
'args'=>array('RecordID'=>$this->idFromFixture('GridFieldAction_Delete_Team', 'team1')))); $stateID,
$request = new SS_HTTPRequest('POST', 'url', array(), array(
array('action_gridFieldAlterAction?StateID='.$stateID=>true)); 'grid'=>'',
'actionName'=>'deleterecord',
'args' => array(
'RecordID' => $this->idFromFixture('GridFieldAction_Delete_Team', 'team1')
)
)
);
$token = SecurityToken::inst();
$request = new SS_HTTPRequest(
'POST',
'url',
array(),
array(
'action_gridFieldAlterAction?StateID='.$stateID=>true,
$token->getName() => $token->getValue(),
)
);
$this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request); $this->gridField->gridFieldAlterAction(array('StateID'=>$stateID), $this->form, $request);
$this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.'); $this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.');