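/**
 * Sensitive configuration values (password-like settings) must never be
 * disclosed through the REST API, neither by a direct read of the item nor
 * by a search, while an ordinary non-empty setting is still returned.
 *
 * @depends testInitSessionCredentials
 *
 * @param string $session_token API session token produced by testInitSessionCredentials
 */
public function testProtectedConfigSettings($session_token) {
    $sensitiveSettings = ['proxy_passwd', 'smtp_passwd'];

    // Give every sensitive setting a non-empty value first, so that an empty
    // value in the API responses below proves redaction rather than an unset key.
    foreach ($sensitiveSettings as $name) {
        Config::setConfigurationValues('core', [$name => 'not_empty_password']);
        $stored = Config::getConfigurationValues('core', [$name]);
        $this->assertArrayHasKey($name, $stored);
        $this->assertNotEmpty($stored[$name]);
    }

    $where = "'" . implode("', '", $sensitiveSettings) . "'";
    $config = new Config();
    $rows = $config->find("`context`='core' AND `name` IN ({$where})");
    $this->assertEquals(count($sensitiveSettings), count($rows));

    // Direct read: the value of each sensitive setting must come back empty.
    foreach ($rows as $row) {
        $res = $this->doHttpRequest('GET', "Config/" . $row['id'], ['headers' => ['Session-Token' => $session_token]]);
        $this->assertEquals(200, $res->getStatusCode());
        $data = json_decode($res->getBody(), true);
        $this->assertArrayHasKey('value', $data);
        $this->assertEquals('', $data['value']);
    }

    // Control case: a non-sensitive setting with a non-empty value is disclosed.
    $config = new Config();
    $config->getFromDBByQuery("WHERE `context`='core' AND `name`='admin_email'");
    $res = $this->doHttpRequest('GET', "Config/" . $config->getID(), ['headers' => ['Session-Token' => $session_token]]);
    $this->assertEquals(200, $res->getStatusCode());
    $data = json_decode($res->getBody(), true);
    $this->assertArrayHasKey('value', $data);
    $this->assertNotEquals('', $data['value']);

    // Search: one "or" criterion per sensitive setting. The fragments are
    // collected and joined (the original assignment in the loop kept only the
    // last setting, so earlier ones were never searched).
    $criteria = [];
    foreach ($rows as $row) {
        $criteria[] = 'criteria[][link]=or'
            . '&criteria[][field]=1'
            . '&criteria[][searchtype]=equals'
            . '&criteria[][value]=' . rawurlencode($row['name']);
    }
    $queryString = implode('&', $criteria);
    $res = $this->doHttpRequest('GET', "search/Config?{$queryString}", ['headers' => ['Session-Token' => $session_token], 'query' => []]);
    $this->assertEquals(200, $res->getStatusCode());
    $data = json_decode($res->getBody(), true);
    $this->assertArrayHasKey('data', $data);
    // NOTE(review): an empty result set makes the loop below pass vacuously;
    // if the search endpoint is confirmed to return the matching rows, also
    // assert that $data['data'] is not empty.
    foreach ($data['data'] as $resultRow) {
        foreach ($resultRow as $col) {
            $this->assertNotEquals('not_empty_password', $col);
        }
    }
}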