From 54a8e673a626eca0319b3413053678cb318ad4c2 Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Wed, 26 Feb 2014 13:24:59 +1300 Subject: [PATCH 1/2] Allow setting PHP session state --- README.md | 5 +++++ code/TestSessionController.php | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/README.md b/README.md index 82aed1e..18731c4 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,9 @@ ## Overview +*IMPORTANT: This module poses a security risk if used on production servers.* +*It is a testing module not intended for production use.* + This module starts a testing session in a browser, in order to test a SilverStripe application in a clean state. Usually the session is started on a fresh database with only default records loaded. @@ -39,6 +42,8 @@ Commands: * `dev/testsession/end`: Removes the test state, and resets to the original database. * `dev/testsession/loadfixture?fixture=`: Loads a fixture into an existing test state. * `dev/testsession/clear`: Empties the test state. + * `dev/testsession/browsersessionstate`: Set or unset browser session state (different from test session state). + Use query parameters to define states. While you can use the interface to set the test session state, it can be useful to set them programmatically through query parameters diff --git a/code/TestSessionController.php b/code/TestSessionController.php index 9ee4bf4..b7f6d23 100644 --- a/code/TestSessionController.php +++ b/code/TestSessionController.php @@ -10,6 +10,7 @@ class TestSessionController extends Controller { 'set', 'end', 'clear', + 'browsersessionstate', 'StartForm', 'ProgressForm', ); 
@@ -87,6 +88,29 @@ class TestSessionController extends Controller {
 return $this->renderWith('TestSession_inprogress');
 }
+ /**
+ * Set $_SESSION state for the current browser session.
+ */
+ public function browsersessionstate($request) {
+ if(!$this->environment->isRunningTests()) {
+ throw new LogicException("No test session in progress.");
+ }
+
+ $newSessionStates = array_diff_key($request->getVars(), array('url' => true));
+ if(!$newSessionStates) {
+ throw new LogicException('No query parameters detected');
+ }
+
+ $sessionStates = (array)Session::get('_TestSessionController.BrowserSessionState');
+
+ foreach($newSessionStates as $k => $v) {
+ Session::set($k, $v);
+ }
+
+ // Track which state we're setting so we can unset later in end()
+ Session::set('_TestSessionController.BrowserSessionState', array_merge($sessionStates, $newSessionStates));
+ }
+
 public function StartForm() {
 $databaseTemplates = $this->getDatabaseTemplates();
 $fields = new FieldList(
@@ -231,6 +255,15 @@ class TestSessionController extends Controller {
 $this->environment->endTestSession();
+ // Clear out all PHP session states which have been set previously
+ if($sessionStates = Session::get('_TestSessionController.BrowserSessionState')) {
+ foreach($sessionStates as $k => $v) {
+ Session::clear($k);
+ }
+ Session::clear('_TestSessionController');
+ }
+
+
 return $this->renderWith('TestSession_end');
 }
From 6b13c782c33b8edd13ecf48472e3a4ff75257278 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Thu, 27 Feb 2014 15:10:18 +1300
Subject: [PATCH 2/2] Clarified warning
--- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 18731c4..1519bf8 100644
--- a/README.md
+++ b/README.md
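Review bot: `Session::set($k, $v)` inside the foreach writes every query-string key straight into the PHP session, and the only gate is the `isRunningTests()` check at the top of `browsersessionstate()`, so any GET request that reaches a running test session can set an arbitrary session key to an arbitrary value. Nothing stops a request from naming the module's own bookkeeping key: a parameter called `_TestSessionController.BrowserSessionState` (or `_TestSessionController`, if `Session::set` treats dots as nesting the way `Session::get` is used here) would overwrite the tracking array that `end()` relies on, and whatever keys the framework uses for authentication state are equally reachable — the README warning in the second patch says as much. Rejecting reserved keys up front is cheap: `if(strpos($k, '_TestSessionController') === 0) throw new LogicException("Reserved session key: $k");` inside the loop, before the `Session::set` call. The endpoint is also a state-changing GET with no CSRF token or POST requirement, which is only acceptable if the test session is genuinely unreachable outside a development environment; that assumption should be written into the docblock, e.g. `@todo never expose this endpoint on a production host; it has no CSRF protection and the isRunningTests() check is the sole guard`.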
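Review bot: The cleanup added to `end()` runs after `$this->environment->endTestSession()` and is not in a try/finally, so if ending the test session throws, the session keys injected by `browsersessionstate()` survive into whatever the browser does next. The loop can also only `Session::clear($k)`, because the tracking array stores the values that were set rather than the values they replaced, so a key that already held something before the test is dropped rather than restored; that is probably fine for a throwaway test browser but should be stated above the loop, e.g. `// Keys are cleared, not restored: any pre-existing value under these names is lost`. Moving the clear loop ahead of the `endTestSession()` call (or wrapping both in a `try { … } finally { … }`) closes the first gap without changing what is cleared. `end()` begins before this hunk, so any early return earlier in the method would bypass this cleanup as well.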
@@ -2,8 +2,8 @@ ## Overview -*IMPORTANT: This module poses a security risk if used on production servers.* -*It is a testing module not intended for production use.* +*IMPORTANT: This module is intended for development and testing, it poses a security risk if used on production servers.* +*It's completely possible to allow any user to become an admin, or do other nefarious things, if this is installed on a live site* This module starts a testing session in a browser, in order to test a SilverStripe application in a clean state.