function testUpdatePassword()
{
clearDB();
$u1 = newUser('*****@*****.**', 'a', 'mysecretpass');
$u2 = newUser('*****@*****.**', 'b', 'sumthingsecret');
$u1->updatePassword('newpass');
$rows = DB\selectAllRows('users');
assertNotEqual($rows[0]['password'], $rows[1]['password']);
}
/**
* Here we aim to assert we're not vulnerable to "CSRF" attacks. We do this simply by
* asserting a "raw" POST request will not be accepted for widget editing, as this should
* indicate the server is requiring some sort of "nonce" or "token" for accepting any
* form submission. More on CSRF here:
* https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
*/
function testResilienceToCrossSiteRequestForgeryAttack()
{
$w = getWidget($this->user);
$this->get("/widget-wiz/step-one?w={$w->id}");
try {
$this->post("/widget-wiz/step-one", array('title' => 'Hijacked', 'goal' => '1000', 'currency' => 'USD', 'ending' => "12/15/2020", 'bitcoinAddress' => '1E3FqrQTZSvTUdw7qZ4NnZppqiqnqqNcUN'));
} catch (UnexpectedHttpResponseCode $_) {
/* That will do... */
}
try {
$this->post("/widget-wiz/step-two", array('about' => 'Show me the money!', 'color' => Widgets\defaultColor(), 'size' => (string) Widgets\defaultSize()));
} catch (UnexpectedHttpResponseCode $_) {
/* That's good... */
}
$widgetNow = Widget::getByID($w->id);
assertNotEqual('Hijacked', $widgetNow->title);
assertNotEqual('1E3FqrQTZSvTUdw7qZ4NnZppqiqnqqNcUN', $widgetNow->bitcoinAddress);
assertNotEqual('Show me the money!', $widgetNow->about);
}
