/**
 * The global SecurityToken::enable()/disable() switches must be observable
 * through SecurityToken::is_enabled(), in both directions, and re-enabling
 * after a disable must bring the state back to where it started.
 */
public function testIsEnabledStatic()
 {
     // Small helper so each step reads as "flip the switch, observe it".
     $assertEnabledIs = function ($expected) {
         if ($expected) {
             $this->assertTrue(SecurityToken::is_enabled());
         } else {
             $this->assertFalse(SecurityToken::is_enabled());
         }
     };

     // Baseline: checks are on before anything is toggled.
     $assertEnabledIs(true);

     // Disabling globally is reported by is_enabled() ...
     SecurityToken::disable();
     $assertEnabledIs(false);

     // ... and enabling again restores the protected state, leaving it as found.
     SecurityToken::enable();
     $assertEnabledIs(true);
 }
 /**
  * Pins down which gate applies on each route into a form action.
  *
  * Through the form's POST handler (.../Form) the CSRF token is the gate:
  * a form action that is *not* in $allowed_actions is still reachable once a
  * valid SecurityID is posted, whereas without the token the request is
  * rejected with 400. A controller method invoked through the handler must
  * additionally be in $allowed_actions (403 otherwise), even with a token.
  *
  * Through a direct POST to the action URL only $allowed_actions is consulted:
  * an action outside it is a 404, one inside it succeeds with or without a
  * SecurityID. The CSRF check does not apply on that route, so $allowed_actions
  * is the only thing standing between a cross-site POST and a directly exposed
  * form action.
  */
 public function testFormActionsCanBypassAllowedActions()
 {
     SecurityToken::enable();

     // Render the form once so a genuine SecurityID can be read from the markup.
     $response = $this->get('RequestHandlingTest_FormActionController');
     $this->assertEquals(200, $response->getStatusCode());
     $tokenEls = $this->cssParser()->getBySelector('#Form_Form_SecurityID');
     $securityId = (string) $tokenEls[0]['value'];

     $formHandler = 'RequestHandlingTest_FormActionController/Form';
     $directUrl = 'RequestHandlingTest_FormActionController/formactionInAllowedActions';

     // One row per request, executed in order:
     // array(url, post data, expected status, status assertion message, body assertion or null)
     // where a body assertion is array(expected body, message).
     $scenarios = array(
         // --- via the form handler: CSRF token decides for form actions ---
         array(
             $formHandler,
             array('action_formaction' => 1),
             400,
             'Should fail: Invocation through POST form handler, not contained in $allowed_actions, without CSRF token',
             null,
         ),
         array(
             $formHandler,
             array('action_disallowedcontrollermethod' => 1, 'SecurityID' => $securityId),
             403,
             'Should fail: Invocation through POST form handler, controller action instead of form action,'
                 . ' not contained in $allowed_actions, with CSRF token',
             null,
         ),
         array(
             $formHandler,
             array('action_formaction' => 1, 'SecurityID' => $securityId),
             200,
             '',
             array(
                 'formaction',
                 'Should pass: Invocation through POST form handler, not contained in $allowed_actions, with CSRF token',
             ),
         ),
         array(
             $formHandler,
             array('action_controlleraction' => 1, 'SecurityID' => $securityId),
             200,
             'Should pass: Invocation through POST form handler, controller action instead of form action, contained in'
                 . ' $allowed_actions, with CSRF token',
             null,
         ),
         array(
             $formHandler,
             array('action_formactionInAllowedActions' => 1),
             400,
             'Should fail: Invocation through POST form handler, contained in $allowed_actions, without CSRF token',
             null,
         ),
         array(
             $formHandler,
             array('action_formactionInAllowedActions' => 1, 'SecurityID' => $securityId),
             200,
             'Should pass: Invocation through POST form handler, contained in $allowed_actions, with CSRF token',
             null,
         ),
         // --- direct POST to the action URL: only $allowed_actions decides ---
         array(
             'RequestHandlingTest_FormActionController/formaction',
             array(),
             404,
             'Should fail: Invocation through POST URL, not contained in $allowed_actions, without CSRF token',
             null,
         ),
         array(
             $directUrl,
             array(),
             200,
             'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, without CSRF token',
             null,
         ),
         array(
             $directUrl,
             array('SecurityID' => $securityId),
             200,
             'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, with CSRF token',
             null,
         ),
         // CSRF protection doesn't kick in for direct requests. This repeats the
         // token-less direct POST above; both rows are kept so the sequence is unchanged.
         array(
             $directUrl,
             array(),
             200,
             'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, without CSRF token',
             null,
         ),
     );

     foreach ($scenarios as $scenario) {
         list($url, $data, $expectedStatus, $statusMessage, $bodyAssertion) = $scenario;
         $response = $this->post($url, $data);
         $this->assertEquals($expectedStatus, $response->getStatusCode(), $statusMessage);
         if ($bodyAssertion !== null) {
             list($expectedBody, $bodyMessage) = $bodyAssertion;
             $this->assertEquals($expectedBody, $response->getBody(), $bodyMessage);
         }
     }

     // Restore the suite default so the enabled token does not leak into later tests.
     SecurityToken::disable();
 }
 /**
  * Per-test fixture for functional tests: a fresh TestSession plus a request
  * environment in a known state (theme and draft-site mode per the subclass's
  * static switches, no site-wide BasicAuth, CSRF token checks disabled).
  *
  * Tests run on the assumption that protection is off; any test that enables
  * BasicAuth or SecurityToken is responsible for switching it back off, since
  * these are global switches rather than per-instance state.
  */
 public function setUp()
 {
     // This class carries no tests of its own; only subclasses are meant to run.
     $runningBaseClassDirectly = get_class($this) == __CLASS__;
     if ($runningBaseClassDirectly) {
         $this->markTestSkipped(sprintf('Skipping %s ', get_class($this)));
     }

     parent::setUp();
     $this->mainSession = new TestSession();

     // Theme rendering is opt-out per subclass via get_disable_themes().
     $themesDisabled = static::get_disable_themes();
     if ($themesDisabled) {
         SSViewer::config()->update('theme_enabled', false);
     }

     // Draft-site mode is opt-in per subclass via get_use_draft_site().
     $draftSiteWanted = static::get_use_draft_site();
     if ($draftSiteWanted) {
         $this->useDraftSite();
     }

     // Security baseline for the suite: site-wide BasicAuth off, CSRF token checks off.
     // Tests enable either on a case-by-case basis (and should disable it again).
     BasicAuth::protect_entire_site(false);
     SecurityToken::disable();
 }
 /**
  * Form::disableSecurityToken() must turn off the CSRF token on that form,
  * as reported by the token object the form hands back afterwards.
  */
 public function testDisableSecurityToken()
 {
     // Token checks are off by default in this suite, so enable them for the stub form.
     SecurityToken::enable();
     $form = $this->getStubForm();

     $tokenBefore = $form->getSecurityToken();
     $this->assertTrue($tokenBefore->isEnabled());

     $form->disableSecurityToken();

     // Re-query the token from the form rather than reusing $tokenBefore.
     $tokenAfter = $form->getSecurityToken();
     $this->assertFalse($tokenAfter->isEnabled());

     // Restore the suite default (disabled) so the global switch does not leak into later tests.
     SecurityToken::disable();
 }