public function testIsEnabledStatic()
 {
     // The static switch is process-wide: disable() must be reflected by
     // is_enabled() straight away, and enable() must bring it back.
     $steps = array(
         array(null, true),       // initial state: enabled
         array('disable', false),
         array('enable', true),
     );
     foreach ($steps as $step) {
         list($toggle, $shouldBeEnabled) = $step;
         if ($toggle !== null) {
             SecurityToken::$toggle();
         }
         if ($shouldBeEnabled) {
             $this->assertTrue(SecurityToken::is_enabled());
         } else {
             $this->assertFalse(SecurityToken::is_enabled());
         }
     }
 }
 /**
  * Regression test: generating the remove link for an order item whose
  * ProductID is 0 used to raise an error. It must yield an empty string.
  *
  * The global CSRF switch is turned off so no SecurityID is appended to the
  * link; presumably a tearDown restores it for the following tests.
  */
 public function testCorruptedOrderItemLinks()
 {
     SecurityToken::disable();
     $orphanedItem = $this->socks->Item();
     // Simulate the corrupted state: the item no longer points at a product.
     $orphanedItem->ProductID = 0;
     $this->assertEquals('', $orphanedItem->removeLink());
 }
 public function tearDown()
 {
     parent::tearDown();
     // Put the global CSRF switch back to the state this test case was
     // configured with ($this->useToken). A test that disabled the token
     // must not leak that state into the next test run.
     $this->useToken ? SecurityToken::enable() : SecurityToken::disable();
 }
 /**
  * Every cart link generated for an order item must follow the
  * shoppingcart/<action>/Product/<ID> pattern. The global CSRF switch is
  * off for the test, so no SecurityID query string is expected.
  */
 public function testLinks()
 {
     SecurityToken::disable();
     $product = $this->socks;
     $item = $product->Item();
     // link method => URL action segment it must produce
     $linkActions = array(
         'addLink' => 'add',
         'removeLink' => 'remove',
         'removeallLink' => 'removeall',
         'setquantityLink' => 'setquantity',
     );
     foreach ($linkActions as $method => $action) {
         $this->assertEquals("shoppingcart/{$action}/Product/{$product->ID}", $item->$method());
     }
 }
 public function tearDown()
 {
     // Restore the global CSRF switch to what setUp found, then pop the
     // nested Injector/Config layers before handing over to the parent.
     $this->securityWasEnabled ? SecurityToken::enable() : SecurityToken::disable();
     Injector::unnest();
     Config::unnest();
     parent::tearDown();
 }
 public function setUp()
 {
     parent::setUp();
     // Scratch folder under the assets dir with one physical file on disk
     // and a matching File record, so versioning tests have something real
     // to work on.
     $fileName = 'test-file.txt';
     $this->folder = Folder::find_or_make(ASSETS_DIR . '/versionedfiles-test');
     file_put_contents($this->folder->getFullPath() . $fileName, 'first-version');
     $this->file = new File();
     $this->file->ParentID = $this->folder->ID;
     $this->file->Filename = $this->folder->getFilename() . $fileName;
     $this->file->write();
     // Global CSRF switch off so form posts in these tests need no SecurityID.
     SecurityToken::disable();
 }
 function setUp()
 {
     parent::setUp();
     $this->mainSession = new TestSession();
     $themeOff = $this->stat('disable_themes');
     $draftSite = $this->stat('use_draft_site');
     // Optional per-test-class switches (statics on the test class).
     if ($themeOff) {
         SSViewer::set_theme(null);
     }
     if ($draftSite) {
         $this->useDraftSite();
     }
     // Baseline for functional tests: no site-wide BasicAuth and no CSRF
     // token, so requests go through unless a test opts back in. Note this
     // is the global SecurityToken switch, affecting every form built during
     // the test, not just those of the class under test.
     BasicAuth::protect_entire_site(false);
     SecurityToken::disable();
 }
 /**
  * Posting a top-level comment and a reply through the commenting
  * controller must redirect (302) back to the commented item and persist
  * the submitted fields. The global CSRF switch is off so the POSTs carry
  * no SecurityID.
  */
 public function testCommentsForm()
 {
     SecurityToken::disable();
     $this->autoFollowRedirection = false;
     $parent = $this->objFromFixture('CommentableItem', 'first');
     $target = array('ParentID' => $parent->ID, 'BaseClass' => 'CommentableItem');
     $submit = array('action_doPostComment' => 'Post');
     // Top-level comment via the base CommentsForm
     $topLevel = array('Name' => 'Poster', 'Email' => '*****@*****.**', 'Comment' => 'My Comment') + $target;
     $response = $this->post('CommentingController/CommentsForm', $topLevel + $submit);
     $this->assertEquals(302, $response->getStatusCode());
     $this->assertStringStartsWith('CommentableItem_Controller#comment-', $response->getHeader('Location'));
     $this->assertDOSEquals(array($topLevel), Comment::get()->filter('Email', '*****@*****.**'));
     // Reply to an existing comment via the reply/<ID> action
     $parentComment = $this->objFromFixture('Comment', 'firstComA');
     $this->assertEquals(0, $parentComment->ChildComments()->count());
     $reply = array('Name' => 'Test Author', 'Email' => '*****@*****.**', 'Comment' => 'Making a reply to firstComA') + $target + array('ParentCommentID' => $parentComment->ID);
     $response = $this->post('CommentingController/reply/' . $parentComment->ID, $reply + $submit);
     $this->assertEquals(302, $response->getStatusCode());
     $this->assertStringStartsWith('CommentableItem_Controller#comment-', $response->getHeader('Location'));
     $this->assertDOSEquals(array($reply), $parentComment->ChildComments());
 }
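 /**
  * Builds the add/remove wish-list form for the decorated page.
  *
  * If the current member already has this page in their wish list the form
  * offers a "remove" action, otherwise an "add" action; a hidden PageID
  * field carries the page in both cases.
  *
  * NOTE(security): the original called SecurityToken::disable(), which
  * switches CSRF protection off process-wide for every form built later in
  * the same request. The token is now disabled on this form instance only
  * (Form::disableSecurityToken()), so unrelated forms keep their SecurityID
  * check. This form itself still has no CSRF protection — a forged
  * cross-site POST can add or remove wish-list entries for a logged-in
  * member — which is the trade-off the original accepted ("once logged in
  * the form still works"); re-enabling the token here remains a TODO.
  *
  * @return Form
  */
 public function AddToWishListForm()
 {
     // Cast once: the ID is both embedded in a filter string and rendered.
     $pageID = (int) $this->owner->ID;
     $alreadyListed = false;
     $member = Member::currentUser();
     if ($member) {
         $wishlistitems = $member->WishListItems("PageID = " . $pageID);
         $alreadyListed = $wishlistitems && $wishlistitems->exists();
     }
     if ($alreadyListed) {
         $action = new FormAction('removeFromWishList', 'Remove from wish list');
     } else {
         $action = new FormAction('addToWishList', 'Add to wish list');
     }
     $fields = new FieldSet(new HiddenField('PageID', '', $pageID));
     $actions = new FieldSet($action);
     $form = new Form($this->owner, 'AddToWishListForm', $fields, $actions, new RequiredFields());
     // Per-form, not global — see the NOTE(security) in the docblock.
     $form->disableSecurityToken();
     return $form;
 }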
 public function setUp()
 {
     // The base class itself is not a runnable test.
     if (get_class($this) === "FunctionalTest") {
         $this->skipTest = true;
     }
     parent::setUp();
     $this->mainSession = new TestSession();
     $themeOff = static::get_disable_themes();
     $draftSite = static::get_use_draft_site();
     // Optional per-test-class switches.
     if ($themeOff) {
         Config::inst()->update('SSViewer', 'theme', null);
     }
     if ($draftSite) {
         $this->useDraftSite();
     }
     // Baseline for functional tests: no site-wide BasicAuth and no CSRF
     // token, so requests go through unless a test opts back in. This flips
     // the global SecurityToken switch for every form built during the test.
     BasicAuth::protect_entire_site(false);
     SecurityToken::disable();
 }
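 /**
  * Form::disableSecurityToken() must switch the token off for that form
  * instance while the global switch is on.
  *
  * The original ended with an unconditional SecurityToken::disable() labelled
  * "restore original", which hard-coded the restored state instead of
  * restoring it; the initial state is now captured and put back.
  */
 public function testDisableSecurityToken()
 {
     $wasEnabled = SecurityToken::is_enabled();
     SecurityToken::enable();
     $form = $this->getStubForm();
     $this->assertTrue($form->getSecurityToken()->isEnabled());
     $form->disableSecurityToken();
     $this->assertFalse($form->getSecurityToken()->isEnabled());
     // Restore the global switch to what it was before this test.
     if (!$wasEnabled) {
         SecurityToken::disable();
     }
 }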
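 /**
  * The add-to-cart link must carry a SecurityID while the global token is
  * on, must not carry one when either the global switch or the controller's
  * disable_security_token config turns it off, and a token-less link must
  * be refused (400) once the token is switched back on.
  *
  * The global switch is restored to its initial state at the end; the
  * controller config is reset to false (assumed to be its default).
  * assertEquals() calls now pass the expected value first so failure
  * messages read correctly.
  */
 public function testSecurityToken()
 {
     $enabled = SecurityToken::is_enabled();
     SecurityToken::enable();
     $productId = $this->mp3player->ID;
     $plainLink = 'shoppingcart/add/Product/' . $productId;
     // Token on: link carries a hex SecurityID and the add redirects back.
     $link = ShoppingCart_Controller::add_item_link($this->mp3player);
     $this->assertRegExp('{^shoppingcart/add/Product/' . $productId . '\\?SecurityID=[a-f0-9]+$}', $link);
     $response = $this->get($link);
     $this->assertEquals(302, $response->getStatusCode());
     // Controller-level opt-out: no token in the link, request still accepted.
     Config::inst()->update('ShoppingCart_Controller', 'disable_security_token', true);
     $link = ShoppingCart_Controller::add_item_link($this->mp3player);
     $this->assertEquals($plainLink, $link);
     $response = $this->get($link);
     $this->assertEquals(302, $response->getStatusCode());
     // Global opt-out with the controller opt-out reverted: same outcome.
     SecurityToken::disable();
     Config::inst()->update('ShoppingCart_Controller', 'disable_security_token', false);
     $link = ShoppingCart_Controller::add_item_link($this->mp3player);
     $this->assertEquals($plainLink, $link);
     $response = $this->get($link);
     $this->assertEquals(302, $response->getStatusCode());
     // Token back on: the token-less link must now be refused.
     SecurityToken::enable();
     $response = $this->get($link);
     $this->assertEquals(400, $response->getStatusCode());
     // Restore the global switch to what it was before this test.
     if (!$enabled) {
         SecurityToken::disable();
     }
 }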
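 /**
  * Form actions invoked through the form's POST handler are gated by the
  * CSRF token rather than by $allowed_actions, whereas invoking them as a
  * controller URL is gated by $allowed_actions alone (no token required).
  *
  * Each case row is [url, data, add token?, expected status, message, body],
  * with the SecurityID read from the rendered form merged in where the
  * "add token" flag is set. The original repeated the "POST URL, in
  * $allowed_actions, without CSRF token" case twice; the duplicate is dropped.
  */
 function testFormActionsCanBypassAllowedActions()
 {
     SecurityToken::enable();
     $response = $this->get('RequestHandlingTest_FormActionController');
     $this->assertEquals(200, $response->getStatusCode());
     $tokenEls = $this->cssParser()->getBySelector('#Form_Form_SecurityID');
     $securityId = (string) $tokenEls[0]['value'];
     $formUrl = 'RequestHandlingTest_FormActionController/Form';
     $cases = array(
         array($formUrl, array('action_formaction' => 1), false, 400,
             'Should fail: Invocation through POST form handler, not contained in $allowed_actions, without CSRF token', null),
         array($formUrl, array('action_disallowedcontrollermethod' => 1), true, 403,
             'Should fail: Invocation through POST form handler, controller action instead of form action, not contained in $allowed_actions, with CSRF token', null),
         array($formUrl, array('action_formaction' => 1), true, 200,
             'Should pass: Invocation through POST form handler, not contained in $allowed_actions, with CSRF token', 'formaction'),
         array($formUrl, array('action_controlleraction' => 1), true, 200,
             'Should pass: Invocation through POST form handler, controller action instead of form action, contained in $allowed_actions, with CSRF token', null),
         array($formUrl, array('action_formactionInAllowedActions' => 1), false, 400,
             'Should fail: Invocation through POST form handler, contained in $allowed_actions, without CSRF token', null),
         array($formUrl, array('action_formactionInAllowedActions' => 1), true, 200,
             'Should pass: Invocation through POST form handler, contained in $allowed_actions, with CSRF token', null),
         array('RequestHandlingTest_FormActionController/formaction', array(), false, 404,
             'Should fail: Invocation through POST URL, not contained in $allowed_actions, without CSRF token', null),
         // CSRF protection does not kick in for direct controller requests.
         array('RequestHandlingTest_FormActionController/formactionInAllowedActions', array(), false, 200,
             'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, without CSRF token', null),
         array('RequestHandlingTest_FormActionController/formactionInAllowedActions', array(), true, 200,
             'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, with CSRF token', null),
     );
     foreach ($cases as $case) {
         list($url, $data, $withToken, $expectedStatus, $message, $expectedBody) = $case;
         if ($withToken) {
             $data['SecurityID'] = $securityId;
         }
         $response = $this->post($url, $data);
         $this->assertEquals($expectedStatus, $response->getStatusCode(), $message);
         if ($expectedBody !== null) {
             $this->assertEquals($expectedBody, $response->getBody(), $message);
         }
     }
     SecurityToken::disable();
 }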
	/**
	 * Turn security tokens off for every form created from now on.
	 *
	 * Forms that already exist, and {@link SecurityToken} instances created
	 * outside the Form class, are not affected. Counterpart of
	 * {@link enable_all_security_tokens()}.
	 *
	 * @deprecated 2.5 Use SecurityToken::disable()
	 */
	public static function disable_all_security_tokens() {
		$deprecatedSince = '2.5';
		Deprecation::notice($deprecatedSince, 'Use SecurityToken::disable() instead.');
		SecurityToken::disable();
	}
 /**
  * creates a form object with a free configurable markup
  *
  * Construction runs in two phases: everything needed to pick the form name
  * and the CSRF setting happens before the parent Form constructor, and the
  * field/action objects, group structure, form action and JS validator
  * snippets are wired up afterwards.
  *
  * NOTE(review): the securityTokenEnabled flag is applied through
  * SecurityToken::enable()/disable(), i.e. the process-wide switch, not a
  * per-form setting — a form with the flag off also removes the CSRF check
  * from every form constructed later in the same request. Confirm this is
  * intended before relying on it.
  *
  * @param ContentController $controller  the calling controller instance
  * @param array             $params      optional parameters
  * @param array             $preferences optional preferences
  * @param bool              $barebone    defines if a form should only be instanciated or be used too
  *
  * @return CustomHtmlForm
  *
  * @author Sebastian Diel <*****@*****.**>,
  *         Sascha Koehler <*****@*****.**>
  * @since 13.01.2015
  */
 public function __construct($controller, $params = null, $preferences = null, $barebone = false)
 {
     $this->extend('onBeforeConstruct', $controller, $params, $preferences, $barebone);
     // $project is read again at the end to register the default module dir.
     global $project;
     $this->barebone = $barebone;
     $this->controller = $controller;
     if (is_array($params)) {
         $this->customParameters = $params;
     }
     // Hook for setting preferences via a method call
     $this->preferences();
     // Explicit preferences passed in override whatever preferences() set.
     if (is_array($preferences)) {
         foreach ($preferences as $title => $setting) {
             if (!empty($title)) {
                 $this->basePreferences[$title] = $setting;
             }
         }
     }
     $name = $this->getSubmitAction();
     if (!$barebone) {
         $this->getFormFields();
     }
     // Global CSRF switch, see the NOTE(review) in the docblock.
     if ($this->securityTokenEnabled) {
         SecurityToken::enable();
     } else {
         SecurityToken::disable();
     }
     // Fields and actions are attached below, so empty lists are passed here.
     parent::__construct($this->getFormController($controller, $preferences), $name, new FieldList(), new FieldList());
     if (!$barebone) {
         $this->getFormFields();
         $this->fillInFieldValues();
     }
     // Hook for setting preferences via a method call; we need to do this
     // a second time so that the standard Silverstripe mechanism can take
     // influence, too (i.e. _config.php files, init methods, etc).
     $this->preferences();
     if (is_array($preferences)) {
         foreach ($preferences as $title => $setting) {
             if (!empty($title)) {
                 $this->basePreferences[$title] = $setting;
             }
         }
     }
     // Counter for the form class, init or increment. It is part of the
     // form name below, so several instances of one class on a page get
     // distinct names; barebone instances do not consume a number.
     if (!isset(self::$classInstanceCounter[$this->class])) {
         self::$classInstanceCounter[$this->class] = 0;
     }
     if (!$barebone) {
         self::$classInstanceCounter[$this->class]++;
     }
     // new assignment required, because the controller will be overwritten in the form class
     $this->controller = $controller;
     // create group structure
     if (isset($this->formFields)) {
         $this->fieldGroups['formFields'] = $this->getFormFields();
     } else {
         $this->fieldGroups['formFields'] = array();
     }
     // Slashes are stripped so the name is usable as a URL segment / HTML id.
     $this->name = str_replace('/', '', $this->class . '_' . $name . '_' . self::$classInstanceCounter[$this->class]);
     $this->jsName = $this->name;
     $this->SSformFields = $this->getForm();
     $this->SSformFields['fields']->setForm($this);
     $this->SSformFields['actions']->setForm($this);
     parent::setFields($this->SSformFields['fields']);
     parent::setActions($this->SSformFields['actions']);
     // define form action
     $this->setFormAction($this->buildFormAction());
     $this->setHTMLID($this->getName());
     /*
      * load and init JS validators
      * form integration via FormAttributes()
      */
     if (!$barebone) {
         $javascriptSnippets = $this->getJavascriptValidatorInitialisation();
         if (!$this->getLoadShoppingCartModules()) {
             SilvercartShoppingCart::setLoadShoppingCartModules(false);
         }
         if ($this->getCreateShoppingCartForms() && class_exists('SilvercartShoppingCart')) {
             SilvercartShoppingCart::setCreateShoppingCartForms(false);
         }
         $this->controller->addJavascriptSnippet($javascriptSnippets['javascriptSnippets']);
         $this->controller->addJavascriptOnloadSnippet($javascriptSnippets['javascriptOnloadSnippets']);
         $this->controller->addJavascriptOnloadSnippet($this->getJavascriptFieldInitialisations());
     }
     // Register the default module directory from mysite/_config.php
     self::registerModule($project);
     $this->extend('onAfterConstruct', $controller, $params, $preferences, $barebone);
 }
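 /**
  * Serve $url from the page cache, or run the request and cache its output.
  *
  * The cache key is derived from the URL plus, for Internet Explorer
  * visitors, an "IE<version>" suffix so that IE-specific combined files are
  * not served to other browsers from a cache entry an IE visitor populated.
  *
  * Security caveat: SecurityToken::disable() switches CSRF protection off
  * for the whole request — every form rendered by this request loses its
  * SecurityID check, including on URLs that enabled()/updateEnabled then
  * decide not to cache, because the call precedes that check. It is kept in
  * that position so behaviour is unchanged; moving it after the skip path
  * is worth evaluating (TODO).
  *
  * Changes from the original: HTTP_USER_AGENT is read only when set (no
  * notice on UA-less requests), and the "MSIE" lookup uses `!== false`
  * rather than truthiness, so a match at offset 0 is no longer missed.
  *
  * @param string $url
  */
 public function run($url)
 {
     // Get cache and cache details
     $responseHeader = self::config()->responseHeader;
     $cache = $this->getCache();
     // Debugging aid: put these two tags in Page.ss to see the key in use:
     //   <meta name="gen-date" content="{$Now.Nice}" />
     //   <meta name="dyn-cache" content="{$UsedDynamicCacheKey}" />
     $sCacheKeySeed = $url;
     $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
     $iPosIE = strpos($userAgent, 'MSIE');
     if ($iPosIE !== false) {
         // Up to three characters following "MSIE " (e.g. "9.0", "10.").
         $iVersion = substr($userAgent, $iPosIE + 5, 3);
         $sCacheKeySeed .= 'IE' . $iVersion;
     }
     $cacheKey = $this->getCacheKey($sCacheKeySeed);
     DynamicCache::$sUsedCacheKey = $sCacheKeySeed;
     // Clear cache if flush = cache or all
     $this->checkCacheCommands($cache);
     // Disable CSRF - a cached page would hand one session's SecurityID to
     // every visitor, so the token cannot work on cached output. Global
     // side effect: see the docblock.
     SecurityToken::disable();
     // Check if caching should be short circuted
     $enabled = $this->enabled($url);
     $this->extend('updateEnabled', $enabled);
     if (!$enabled) {
         if ($responseHeader) {
             header("{$responseHeader}: skipped");
         }
         $this->yieldControl();
         return;
     }
     // Check if cached value can be returned
     $cachedValue = $cache->load($cacheKey);
     if ($this->presentCachedResult($cachedValue)) {
         return;
     }
     // Run this page, caching output and capturing data
     if ($responseHeader) {
         header("{$responseHeader}: miss at " . @date('r'));
     }
     ob_start();
     $this->yieldControl();
     $headers = headers_list();
     $result = ob_get_flush();
     // Skip blank copy
     if (empty($result)) {
         return;
     }
     // Check if any headers match the specified rules forbidding caching
     if (!$this->headersAllowCaching($headers)) {
         return;
     }
     // Include any "X-Header" sent with this request. This is necessary to
     // ensure that additional CSS, JS, and other files are retained
     $saveHeaders = $this->getCacheableHeaders($headers);
     // Save data along with sent headers
     $this->cacheResult($cache, $result, $saveHeaders, $cacheKey);
 }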
 /**
  * Turn security tokens off for every form created from now on.
  *
  * Forms that already exist, and {@link SecurityToken} instances created
  * outside the Form class, are not affected. Counterpart of
  * {@link enable_all_security_tokens()}.
  *
  * @deprecated 2.5 Use SecurityToken::disable()
  */
 static function disable_all_security_tokens()
 {
     $tokenClass = 'SecurityToken';
     $tokenClass::disable();
 }
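 /**
  * With Forum::$notify_moderators on, creating a thread, replying to it and
  * editing a post must each send a notification to the configured
  * admin_email. The flag is restored afterwards. The global CSRF switch is
  * turned off so the plain POSTs (no SecurityID) are accepted.
  *
  * The original also built an unused Forum_Controller instance; it is gone.
  */
 function testNotifyModerators()
 {
     SecurityToken::disable();
     $notifyModerators = Forum::$notify_moderators;
     Forum::$notify_moderators = true;
     $forum = $this->objFromFixture('Forum', 'general');
     $user = $this->objFromFixture('Member', 'test1');
     $this->session()->inst_set('loggedInAs', $user->ID);
     $adminEmail = Config::inst()->get('Email', 'admin_email');
     $postUrl = $forum->RelativeLink('PostMessageForm');
     // New thread
     $this->post($postUrl, array('Title' => 'New thread', 'Content' => 'Meticulously crafted content', 'action_doPostMessageForm' => 1));
     $this->assertEmailSent('*****@*****.**', $adminEmail, "New thread \"New thread\" in forum [General Discussion]");
     $this->clearEmails();
     // New response to the thread just created
     $thread = DataObject::get_one('ForumThread', "\"ForumThread\".\"Title\"='New thread'");
     $this->post($postUrl, array('Title' => 'Re: New thread', 'Content' => 'Rough response', 'ThreadID' => $thread->ID, 'action_doPostMessageForm' => 1));
     $this->assertEmailSent('*****@*****.**', $adminEmail, "New post \"Re: New thread\" in forum [General Discussion]");
     $this->clearEmails();
     // Edit of the last post (same subject line as a new post)
     $post = $thread->Posts()->Last();
     $this->post($postUrl, array('Title' => 'Re: New thread', 'Content' => 'Pleasant response', 'ThreadID' => $thread->ID, 'ID' => $post->ID, 'action_doPostMessageForm' => 1));
     $this->assertEmailSent('*****@*****.**', $adminEmail, "New post \"Re: New thread\" in forum [General Discussion]");
     $this->clearEmails();
     Forum::$notify_moderators = $notifyModerators;
 }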