Merge pull request #180 from silverstripe-rebelalliance/issue69

BUG: Fixes #69 by adding a check to see if the form has been processed
Will Rossiter 2014-01-05 19:13:46 -08:00
commit 44ab7a507b
2 changed files with 36 additions and 0 deletions


@ -1046,6 +1046,12 @@ JS
$referrer = (isset($data['Referrer'])) ? '?referrer=' . urlencode($data['Referrer']) : ""; $referrer = (isset($data['Referrer'])) ? '?referrer=' . urlencode($data['Referrer']) : "";
// set a session variable from the security ID to stop people accessing the finished method directly
if (isset($data['SecurityID'])) {
Session::set('FormProcessed',$data['SecurityID']);
}
return $this->redirect($this->Link() . 'finished' . $referrer); return $this->redirect($this->Link() . 'finished' . $referrer);
} }
@ -1058,6 +1064,19 @@ JS
public function finished() { public function finished() {
$referrer = isset($_GET['referrer']) ? urldecode($_GET['referrer']) : null; $referrer = isset($_GET['referrer']) ? urldecode($_GET['referrer']) : null;
$formProcessed = Session::get('FormProcessed');
if (!isset($formProcessed)) {
return $this->redirect($this->Link() . $referrer);
} else {
$securityID = Session::get('SecurityID');
// make sure the session matches the SecurityID and is not left over from another form
if ($formProcessed != $securityID) {
return $this->redirect($this->Link() . $referrer);
}
}
// remove the session variable as we do not want it to be re-used
Session::clear('FormProcessed');
return $this->customise(array( return $this->customise(array(
'Content' => $this->customise( 'Content' => $this->customise(
array( array(
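Review bot: The new gate in finished() compares the two session values with `!=`, so a check that is effectively a token comparison relies on PHP's loose comparison rules; `if ((string) $formProcessed !== (string) $securityID) {` (or `hash_equals()` on the string forms) removes the type-juggling ambiguity. Both failure branches redirect to `$this->Link() . $referrer`, where `$referrer` comes from the query string and is urldecode()'d a second time on the context line above; the host is fixed by the `Link()` prefix, but the path and query part are caller-controlled, so the value would be safer validated as a relative path before it is appended. Note also that the value written to `FormProcessed` in the previous hunk is the submitted `$data['SecurityID']`, not the server-side token, so this check is only as strong as the SecurityToken validation performed earlier in process(), which lies outside the hunk. `Session::clear('FormProcessed')` runs only on the success path, which looks intentional but deserves a comment such as `// leave the marker in place on mismatch so a legitimate completion of the other form can still consume it`.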


@ -59,11 +59,28 @@ class UserDefinedFormControllerTest extends FunctionalTest {
function testFinished() { function testFinished() {
$form = $this->setupFormFrontend(); $form = $this->setupFormFrontend();
// set formProcessed and SecurityID to replicate the form being filled out
$this->session()->inst_set('SecurityID', 1);
$this->session()->inst_set('FormProcessed', 1);
$response = $this->get($form->URLSegment.'/finished'); $response = $this->get($form->URLSegment.'/finished');
$this->assertContains($form->OnCompleteMessage ,$response->getBody()); $this->assertContains($form->OnCompleteMessage ,$response->getBody());
} }
function testAppendingFinished() {
$form = $this->setupFormFrontend();
// replicate finished being added to the end of the form URL without the form being filled out
$this->session()->inst_set('SecurityID', 1);
$this->session()->inst_set('FormProcessed', null);
$response = $this->get($form->URLSegment.'/finished');
$this->assertNotContains($form->OnCompleteMessage ,$response->getBody());
}
function testForm() { function testForm() {
$form = $this->objFromFixture('UserDefinedForm', 'basic-form-page'); $form = $this->objFromFixture('UserDefinedForm', 'basic-form-page');