public function testIsEnabledStatic()
{
    // The static switch must be reported back by is_enabled() right after each toggle.
    $this->assertTrue(SecurityToken::is_enabled());

    SecurityToken::disable();
    $this->assertFalse(SecurityToken::is_enabled());

    SecurityToken::enable();
    $this->assertTrue(SecurityToken::is_enabled());
}
/**
 * Coverage for a bug where there's an error generating the link when ProductID = 0
 */
public function testCorruptedOrderItemLinks()
{
    SecurityToken::disable();

    // An order item whose product reference has been zeroed out must
    // produce an empty link rather than an error.
    $orderItem = $this->socks->Item();
    $orderItem->ProductID = 0;
    $this->assertEquals('', $orderItem->removeLink());
}
public function tearDown()
{
    parent::tearDown();
    // Put the process-wide token switch back into the state held in $this->useToken
    // so the next test does not inherit this one's setting.
    $this->useToken ? SecurityToken::enable() : SecurityToken::disable();
}
/**
 * Check the links are accurate
 */
public function testLinks()
{
    SecurityToken::disable();
    $product = $this->socks;
    $orderItem = $product->Item();

    // Each link helper maps onto a shoppingcart action keyed by the product's ID.
    $expectedByMethod = array(
        'addLink'         => "shoppingcart/add/Product/{$product->ID}",
        'removeLink'      => "shoppingcart/remove/Product/{$product->ID}",
        'removeallLink'   => "shoppingcart/removeall/Product/{$product->ID}",
        'setquantityLink' => "shoppingcart/setquantity/Product/{$product->ID}",
    );
    foreach ($expectedByMethod as $method => $expectedLink) {
        $this->assertEquals($expectedLink, $orderItem->$method());
    }
}
public function tearDown()
{
    // Reinstate whatever CSRF-token state the test found before it ran.
    if (!$this->securityWasEnabled) {
        SecurityToken::disable();
    } else {
        SecurityToken::enable();
    }
    Injector::unnest();
    Config::unnest();
    parent::tearDown();
}
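public function setUp()
{
    parent::setUp();

    // Work inside a dedicated assets folder so the fixture file cannot collide with real assets.
    $this->folder = Folder::find_or_make(ASSETS_DIR . '/versionedfiles-test');
    $path = $this->folder->getFullPath() . 'test-file.txt';

    // Fail fast with a clear message instead of letting later assertions trip over a missing file.
    if (file_put_contents($path, 'first-version') === false) {
        throw new RuntimeException("Unable to write fixture file: {$path}");
    }

    $this->file = new File();
    $this->file->ParentID = $this->folder->ID;
    $this->file->Filename = $this->folder->getFilename() . 'test-file.txt';
    $this->file->write();

    // Tests post forms without a CSRF token. This is process-global state,
    // so tearDown should restore the previous setting.
    SecurityToken::disable();
}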
function setUp()
{
    parent::setUp();
    $this->mainSession = new TestSession();

    // Theme and draft-site handling are opt-in via the test class's statics.
    if ($this->stat('disable_themes')) {
        SSViewer::set_theme(null);
    }
    if ($this->stat('use_draft_site')) {
        $this->useDraftSite();
    }

    // Tests assume an unprotected site and no CSRF checks; individual tests
    // switch either back on when they need to exercise it.
    BasicAuth::protect_entire_site(false);
    SecurityToken::disable();
}
public function testCommentsForm()
{
    SecurityToken::disable();
    $this->autoFollowRedirection = false;
    $parent = $this->objFromFixture('CommentableItem', 'first');

    // Post a top-level comment against the fixture item; the stored
    // comment must carry exactly the submitted fields.
    $topLevelFields = array(
        'Name' => 'Poster',
        'Email' => '*****@*****.**',
        'Comment' => 'My Comment',
        'ParentID' => $parent->ID,
        'BaseClass' => 'CommentableItem',
    );
    $response = $this->post(
        'CommentingController/CommentsForm',
        $topLevelFields + array('action_doPostComment' => 'Post')
    );
    $this->assertEquals(302, $response->getStatusCode());
    $this->assertStringStartsWith('CommentableItem_Controller#comment-', $response->getHeader('Location'));
    $this->assertDOSEquals(array($topLevelFields), Comment::get()->filter('Email', '*****@*****.**'));

    // Reply to an existing comment; the reply must appear among its children.
    $parentComment = $this->objFromFixture('Comment', 'firstComA');
    $this->assertEquals(0, $parentComment->ChildComments()->count());
    $replyFields = array(
        'Name' => 'Test Author',
        'Email' => '*****@*****.**',
        'Comment' => 'Making a reply to firstComA',
        'ParentID' => $parent->ID,
        'BaseClass' => 'CommentableItem',
        'ParentCommentID' => $parentComment->ID,
    );
    $response = $this->post(
        'CommentingController/reply/' . $parentComment->ID,
        $replyFields + array('action_doPostComment' => 'Post')
    );
    $this->assertEquals(302, $response->getStatusCode());
    $this->assertStringStartsWith('CommentableItem_Controller#comment-', $response->getHeader('Location'));
    $this->assertDOSEquals(array($replyFields), $parentComment->ChildComments());
}
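/**
 * Build the add/remove wish-list form for the current page.
 *
 * Offers "remove" when the logged-in member already has the page on their
 * wish list, and "add" otherwise. Both variants share the same fields,
 * validator and form name; only the action differs.
 *
 * @return Form
 */
public function AddToWishListForm()
{
    // Cast once so the value placed in the filter clause is always numeric.
    $pageId = (int) $this->owner->ID;

    $member = Member::currentUser();
    $onWishList = false;
    if ($member) {
        $wishListItems = $member->WishListItems("PageID = " . $pageId);
        $onWishList = $wishListItems && $wishListItems->exists();
    }

    $fields = new FieldSet(new HiddenField('PageID', '', $this->owner->ID));
    $actions = new FieldSet(
        $onWishList
            ? new FormAction('removeFromWishList', 'Remove from wish list')
            : new FormAction('addToWishList', 'Add to wish list')
    );
    $validator = new RequiredFields();

    // have to do this so once logged in the form still works :{
    // NOTE(review): this is the process-wide switch, so it turns CSRF checking off for
    // every form rendered in the same request, not only this one. Disabling the token
    // on this Form instance instead would keep the exposure local to this form.
    SecurityToken::disable();

    return new Form($this->owner, 'AddToWishListForm', $fields, $actions, $validator);
}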
public function setUp()
{
    // FunctionalTest itself is a base class, not a test case to be run.
    if (get_class($this) === "FunctionalTest") {
        $this->skipTest = true;
    }

    parent::setUp();
    $this->mainSession = new TestSession();

    // Both switches are opt-in on the concrete test class.
    if (static::get_disable_themes()) {
        Config::inst()->update('SSViewer', 'theme', null);
    }
    if (static::get_use_draft_site()) {
        $this->useDraftSite();
    }

    // Tests assume no site-wide auth and no CSRF checks; individual tests
    // re-enable either when they need to exercise it.
    BasicAuth::protect_entire_site(false);
    SecurityToken::disable();
}
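public function testDisableSecurityToken()
{
    // Record the global state so the test leaves it exactly as it found it,
    // instead of unconditionally disabling at the end.
    $wasEnabled = SecurityToken::is_enabled();
    SecurityToken::enable();

    $form = $this->getStubForm();
    $this->assertTrue($form->getSecurityToken()->isEnabled());

    // The per-form switch takes effect while the global token stays enabled.
    $form->disableSecurityToken();
    $this->assertFalse($form->getSecurityToken()->isEnabled());

    // restore original
    if ($wasEnabled) {
        SecurityToken::enable();
    } else {
        SecurityToken::disable();
    }
}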
public function testSecurityToken()
{
    $wasEnabled = SecurityToken::is_enabled();
    $productId = $this->mp3player->ID;
    $plainLink = 'shoppingcart/add/Product/' . $productId;

    // With tokens on, the add link must carry a SecurityID and still redirect back to the shop.
    SecurityToken::enable();
    $link = ShoppingCart_Controller::add_item_link($this->mp3player);
    $this->assertRegExp('{^shoppingcart/add/Product/' . $productId . '\\?SecurityID=[a-f0-9]+$}', $link);
    $this->assertEquals($this->get($link)->getStatusCode(), 302);

    // The controller-level opt-out strips the token from cart links while tokens stay on globally.
    Config::inst()->update('ShoppingCart_Controller', 'disable_security_token', true);
    $link = ShoppingCart_Controller::add_item_link($this->mp3player);
    $this->assertEquals($plainLink, $link);
    $this->assertEquals($this->get($link)->getStatusCode(), 302);

    // Tokens off globally and opt-out off again: plain link, still accepted.
    SecurityToken::disable();
    Config::inst()->update('ShoppingCart_Controller', 'disable_security_token', false);
    $link = ShoppingCart_Controller::add_item_link($this->mp3player);
    $this->assertEquals($plainLink, $link);
    $this->assertEquals($this->get($link)->getStatusCode(), 302);

    // Turning tokens back on makes the token-less link fail validation with a 400.
    SecurityToken::enable();
    $this->assertEquals($this->get($link)->getStatusCode(), 400);

    // restore previous setting
    if (!$wasEnabled) {
        SecurityToken::disable();
    }
}
function testFormActionsCanBypassAllowedActions()
{
    SecurityToken::enable();
    $formUrl = 'RequestHandlingTest_FormActionController/Form';

    // Pull a valid token out of the rendered form so the "with CSRF token" cases can reuse it.
    $response = $this->get('RequestHandlingTest_FormActionController');
    $this->assertEquals(200, $response->getStatusCode());
    $tokenEls = $this->cssParser()->getBySelector('#Form_Form_SecurityID');
    $securityId = (string) $tokenEls[0]['value'];
    $withToken = array('SecurityID' => $securityId);

    // --- Submissions routed through the form handler ---

    $status = $this->post($formUrl, array('action_formaction' => 1))->getStatusCode();
    $this->assertEquals(400, $status, 'Should fail: Invocation through POST form handler, not contained in $allowed_actions, without CSRF token');

    $status = $this->post($formUrl, array('action_disallowedcontrollermethod' => 1) + $withToken)->getStatusCode();
    $this->assertEquals(403, $status, 'Should fail: Invocation through POST form handler, controller action instead of form action, not contained in $allowed_actions, with CSRF token');

    $response = $this->post($formUrl, array('action_formaction' => 1) + $withToken);
    $this->assertEquals(200, $response->getStatusCode());
    $this->assertEquals('formaction', $response->getBody(), 'Should pass: Invocation through POST form handler, not contained in $allowed_actions, with CSRF token');

    $status = $this->post($formUrl, array('action_controlleraction' => 1) + $withToken)->getStatusCode();
    $this->assertEquals(200, $status, 'Should pass: Invocation through POST form handler, controller action instead of form action, contained in $allowed_actions, with CSRF token');

    $status = $this->post($formUrl, array('action_formactionInAllowedActions' => 1))->getStatusCode();
    $this->assertEquals(400, $status, 'Should fail: Invocation through POST form handler, contained in $allowed_actions, without CSRF token');

    $status = $this->post($formUrl, array('action_formactionInAllowedActions' => 1) + $withToken)->getStatusCode();
    $this->assertEquals(200, $status, 'Should pass: Invocation through POST form handler, contained in $allowed_actions, with CSRF token');

    // --- Direct POSTs to the action URL ---

    $status = $this->post('RequestHandlingTest_FormActionController/formaction', array())->getStatusCode();
    $this->assertEquals(404, $status, 'Should fail: Invocation through POST URL, not contained in $allowed_actions, without CSRF token');

    $status = $this->post('RequestHandlingTest_FormActionController/formactionInAllowedActions', array())->getStatusCode();
    $this->assertEquals(200, $status, 'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, without CSRF token');

    $status = $this->post('RequestHandlingTest_FormActionController/formactionInAllowedActions', $withToken)->getStatusCode();
    $this->assertEquals(200, $status, 'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, with CSRF token');

    // CSRF protection doesnt kick in for direct requests
    $status = $this->post('RequestHandlingTest_FormActionController/formactionInAllowedActions', array())->getStatusCode();
    $this->assertEquals(200, $status, 'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, without CSRF token');

    SecurityToken::disable();
}
/**
 * Disable security tokens for every form.
 * Note that this doesn't apply to {@link SecurityToken}
 * instances outside of the Form class, nor applies
 * to existing form instances.
 *
 * See {@link enable_all_security_tokens()}.
 *
 * @deprecated 2.5 Use SecurityToken::disable()
 */
public static function disable_all_security_tokens()
{
    // Flag the deprecation, then hand over to the replacement static switch.
    Deprecation::notice('2.5', 'Use SecurityToken::disable() instead.');
    SecurityToken::disable();
}
/**
 * creates a form object with a free configurable markup
 *
 * @param ContentController $controller the calling controller instance
 * @param array $params optional parameters
 * @param array $preferences optional preferences
 * @param bool $barebone defines if a form should only be instanciated or be used too
 *
 * @return CustomHtmlForm
 *
 * @author Sebastian Diel <*****@*****.**>,
 * Sascha Koehler <*****@*****.**>
 * @since 13.01.2015
 */
public function __construct($controller, $params = null, $preferences = null, $barebone = false) {
    $this->extend('onBeforeConstruct', $controller, $params, $preferences, $barebone);
    // NOTE(review): relies on a global defined elsewhere (mysite/_config.php per the comment below);
    // it is passed to registerModule() at the end of the constructor.
    global $project;
    $this->barebone = $barebone;
    $this->controller = $controller;
    if (is_array($params)) {
        $this->customParameters = $params;
    }
    // Hook for setting preferences via a method call
    $this->preferences();
    if (is_array($preferences)) {
        foreach ($preferences as $title => $setting) {
            if (!empty($title)) {
                $this->basePreferences[$title] = $setting;
            }
        }
    }
    $name = $this->getSubmitAction();
    if (!$barebone) {
        $this->getFormFields();
    }
    // NOTE(review): SecurityToken::enable()/disable() are static, process-wide switches. Deriving
    // them from this form's $securityTokenEnabled flag therefore also changes CSRF checking for
    // every other form built in the same request; the last form constructed wins.
    if ($this->securityTokenEnabled) {
        SecurityToken::enable();
    } else {
        SecurityToken::disable();
    }
    parent::__construct($this->getFormController($controller, $preferences), $name, new FieldList(), new FieldList());
    if (!$barebone) {
        $this->getFormFields();
        $this->fillInFieldValues();
    }
    // Hook for setting preferences via a method call; we need to do this
    // a second time so that the standard Silverstripe mechanism can take
    // influence, too (i.e. _config.php files, init methods, etc).
    $this->preferences();
    if (is_array($preferences)) {
        foreach ($preferences as $title => $setting) {
            if (!empty($title)) {
                $this->basePreferences[$title] = $setting;
            }
        }
    }
    // Counter for the form class, init or increment
    // (only non-barebone instances count; the counter is part of the generated form name below)
    if (!isset(self::$classInstanceCounter[$this->class])) {
        self::$classInstanceCounter[$this->class] = 0;
    }
    if (!$barebone) {
        self::$classInstanceCounter[$this->class]++;
    }
    // new assignment required, because the controller will be overwritten in the form class
    $this->controller = $controller;
    // create group structure
    if (isset($this->formFields)) {
        $this->fieldGroups['formFields'] = $this->getFormFields();
    } else {
        $this->fieldGroups['formFields'] = array();
    }
    // Slashes are stripped so the name is usable as an HTML id / URL segment.
    $this->name = str_replace('/', '', $this->class . '_' . $name . '_' . self::$classInstanceCounter[$this->class]);
    $this->jsName = $this->name;
    $this->SSformFields = $this->getForm();
    $this->SSformFields['fields']->setForm($this);
    $this->SSformFields['actions']->setForm($this);
    parent::setFields($this->SSformFields['fields']);
    parent::setActions($this->SSformFields['actions']);
    // define form action
    $this->setFormAction($this->buildFormAction());
    $this->setHTMLID($this->getName());
    /*
     * load and init JS validators
     * form integration via FormAttributes()
     */
    if (!$barebone) {
        $javascriptSnippets = $this->getJavascriptValidatorInitialisation();
        // NOTE(review): only the second call below is guarded by class_exists('SilvercartShoppingCart');
        // the first will fatal if that class is absent and getLoadShoppingCartModules() returns false.
        if (!$this->getLoadShoppingCartModules()) {
            SilvercartShoppingCart::setLoadShoppingCartModules(false);
        }
        if ($this->getCreateShoppingCartForms() && class_exists('SilvercartShoppingCart')) {
            SilvercartShoppingCart::setCreateShoppingCartForms(false);
        }
        $this->controller->addJavascriptSnippet($javascriptSnippets['javascriptSnippets']);
        $this->controller->addJavascriptOnloadSnippet($javascriptSnippets['javascriptOnloadSnippets']);
        $this->controller->addJavascriptOnloadSnippet($this->getJavascriptFieldInitialisations());
    }
    // Register the default module directory from mysite/_config.php
    self::registerModule($project);
    $this->extend('onAfterConstruct', $controller, $params, $preferences, $barebone);
}
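/**
 * Activate caching on a given url
 *
 * Serves the cached copy when one exists for the computed key; otherwise runs the
 * page, captures its output and headers, and stores them if the headers allow it.
 *
 * @param string $url
 */
public function run($url) {
    // Get cache and cache details
    $responseHeader = self::config()->responseHeader;
    $cache = $this->getCache();

    // Start hamaka custom - give IE its own cache files, otherwise the combined files built for IE
    // are served to Chrome whenever an IE visitor was the one that populated the cache.
    // These two lines can be added to Page.ss to debug DynamicCache:
    // <meta name="gen-date" content="{$Now.Nice}" />
    // <meta name="dyn-cache" content="{$UsedDynamicCacheKey}" />
    $sCacheKeySeed = $url;
    // The User-Agent header is absent on CLI runs and behind some proxies; treat that as
    // "not IE" rather than raising a notice. strpos() is compared against false so a
    // match at offset 0 is not discarded.
    $sUserAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $iPosIE = strpos($sUserAgent, 'MSIE');
    if ($iPosIE !== false) {
        // "MSIE " is five characters; the following three hold the version (e.g. "9.0").
        $iVersion = substr($sUserAgent, $iPosIE + 5, 3);
        $sCacheKeySeed .= 'IE' . $iVersion;
    }
    $cacheKey = $this->getCacheKey($sCacheKeySeed);
    DynamicCache::$sUsedCacheKey = $sCacheKeySeed;
    // End hamaka custom

    // Clear cache if flush = cache or all
    $this->checkCacheCommands($cache);

    // Disable CSRF - It doesn't work with cached security tokens shared across sessions
    // Consequence: any form on a page served through this path has no CSRF protection, so
    // state-changing forms should be kept out of the cache via enabled() / headersAllowCaching().
    SecurityToken::disable();

    // Check if caching should be short circuted
    $enabled = $this->enabled($url);
    $this->extend('updateEnabled', $enabled);
    if (!$enabled) {
        if ($responseHeader) {
            header("{$responseHeader}: skipped");
        }
        $this->yieldControl();
        return;
    }

    // Check if cached value can be returned
    $cachedValue = $cache->load($cacheKey);
    if ($this->presentCachedResult($cachedValue)) {
        return;
    }

    // Run this page, caching output and capturing data
    if ($responseHeader) {
        header("{$responseHeader}: miss at " . @date('r'));
    }
    ob_start();
    $this->yieldControl();
    $headers = headers_list();
    $result = ob_get_flush();

    // Skip blank copy
    if (empty($result)) {
        return;
    }

    // Check if any headers match the specified rules forbidding caching
    if (!$this->headersAllowCaching($headers)) {
        return;
    }

    // Include any "X-Header" sent with this request. This is necessary to
    // ensure that additional CSS, JS, and other files are retained
    $saveHeaders = $this->getCacheableHeaders($headers);

    // Save data along with sent headers
    $this->cacheResult($cache, $result, $saveHeaders, $cacheKey);
}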
/**
 * Disable security tokens for every form.
 * Note that this doesn't apply to {@link SecurityToken}
 * instances outside of the Form class, nor applies
 * to existing form instances.
 *
 * See {@link enable_all_security_tokens()}.
 *
 * @deprecated 2.5 Use SecurityToken::disable()
 */
static function disable_all_security_tokens()
{
    // Kept for backwards compatibility; the static SecurityToken switch is the replacement.
    SecurityToken::disable();
}
function testNotifyModerators()
{
    SecurityToken::disable();

    // Force moderator notifications on for this test and put the old value back at the end.
    $previousNotify = Forum::$notify_moderators;
    Forum::$notify_moderators = true;

    $forum = $this->objFromFixture('Forum', 'general');
    $controller = new Forum_Controller($forum);
    $user = $this->objFromFixture('Member', 'test1');
    $this->session()->inst_set('loggedInAs', $user->ID);
    $postFormUrl = $forum->RelativeLink('PostMessageForm');

    // New thread
    $this->post($postFormUrl, array(
        'Title' => 'New thread',
        'Content' => 'Meticulously crafted content',
        'action_doPostMessageForm' => 1,
    ));
    $adminEmail = Config::inst()->get('Email', 'admin_email');
    $this->assertEmailSent('*****@*****.**', $adminEmail, "New thread \"New thread\" in forum [General Discussion]");
    $this->clearEmails();

    // New response
    $thread = DataObject::get_one('ForumThread', "\"ForumThread\".\"Title\"='New thread'");
    $this->post($postFormUrl, array(
        'Title' => 'Re: New thread',
        'Content' => 'Rough response',
        'ThreadID' => $thread->ID,
        'action_doPostMessageForm' => 1,
    ));
    $this->assertEmailSent('*****@*****.**', $adminEmail, "New post \"Re: New thread\" in forum [General Discussion]");
    $this->clearEmails();

    // Edit
    $lastPost = $thread->Posts()->Last();
    $this->post($postFormUrl, array(
        'Title' => 'Re: New thread',
        'Content' => 'Pleasant response',
        'ThreadID' => $thread->ID,
        'ID' => $lastPost->ID,
        'action_doPostMessageForm' => 1,
    ));
    $this->assertEmailSent('*****@*****.**', $adminEmail, "New post \"Re: New thread\" in forum [General Discussion]");
    $this->clearEmails();

    Forum::$notify_moderators = $previousNotify;
}