Using the Security helper, FormSignature calculates a hash of all fields in a form, so that
when the form is submitted, the fields may be validated to ensure that none were added or
removed, and that fields designated as _locked_ have not had their values altered.
To enable form signing in a view, simply call $this->security->sign() before generating your
form. In the controller, you may then validate the request by passing $this->request to the
check() method.
/**
* Tests that `FormSignature` correctly ignores other fields in the `'security'` array when
* generating signatures.
*/
public function testIgnoreSecurityFields()
{
$components = array('a%3A1%3A%7Bs%3A6%3A%22active%22%3Bs%3A4%3A%22true%22%3B%7D', 'a%3A0%3A%7B%7D', '$2a$10$NuNTOeXv4OHpPJtbdAmfReFiSmFw5hmc6sSy8qwns6/DWNSSOjR1y');
$signature = join('::', $components);
$request = new Request(array('data' => array('email' => 'foo@baz', 'pass' => 'whatever', 'active' => 'true', 'security' => compact('signature') + array('foo' => 'bar'))));
$this->assertTrue(FormSignature::check($request));
}
/**
* Tests that the `Security` helper correctly binds to the `Form` helper to collect field
* information and generate a signature.
*/
public function testFormSignatureGeneration()
{
$form = new Form(array('context' => $this->context));
$this->subject->sign($form);
ob_start();
$content = array($form->create(null, array('url' => 'http:///')), $form->text('email', array('value' => 'foo@bar')), $form->password('pass'), $form->hidden('active', array('value' => 'true')), $form->end());
$signature = ob_get_clean();
preg_match('/value="([^"]+)"/', $signature, $match);
list(, $signature) = $match;
$expected = array('a%3A1%3A%7Bs%3A6%3A%22active%22%3Bs%3A4%3A%22true%22%3B%7D', 'a%3A0%3A%7B%7D', '$2a$10$NuNTOeXv4OHpPJtbdAmfReFiSmFw5hmc6sSy8qwns6/DWNSSOjR1y');
$this->assertEqual(join('::', $expected), $signature);
$request = new Request(array('data' => array('email' => 'foo@baz', 'pass' => 'whatever', 'active' => 'true', 'security' => compact('signature'))));
$this->assertTrue(FormSignature::check($request));
}
public function testFormSignatureWithMethodPUT()
{
$form = new Form(array('context' => $this->context));
$this->subject->sign($form);
ob_start();
$content = array($form->create(null, array('url' => 'http:///', 'method' => 'PUT')), $form->text('email', array('value' => 'foo@bar')), $form->end());
$signature = ob_get_clean();
preg_match('/value="([^"]+)"/', $signature, $match);
list(, $signature) = $match;
$request = new Request(array('data' => array('_method' => 'PUT', 'email' => 'foo@baz', 'security' => compact('signature'))));
$this->assertTrue(FormSignature::check($request));
}
protected static function _parse($signature)
{
$result = parent::_parse($signature);
static::$parse[] = array('in' => compact('signature'), 'out' => $result);
return $result;
}
public function testFailsTamperedFieldsAndLockedWithManyAndFieldsChange()
{
for ($originalFields = array(), $i = 0; $i < 20; $i++) {
$originalFields['fooa' . $i] = 'bara' . $i;
}
for ($originalLocked = array(), $i = 0; $i < 20; $i++) {
$originalLocked['foob' . $i] = 'barb' . $i;
}
$signature0 = FormSignature::key(array('fields' => $originalFields, 'locked' => $originalLocked));
$changed = $originalFields;
$changed['foo10000'] = 'barAdded';
$signature1 = FormSignature::key(array('fields' => $changed, 'locked' => $originalLocked));
$this->assertNotIdentical($signature0, $signature1);
$changed = $originalFields;
unset($changed['fooa1']);
$signature1 = FormSignature::key(array('fields' => $changed, 'locked' => $originalLocked));
$this->assertNotIdentical($signature0, $signature1);
}
