/**
 * Re-arms CSRF protection and removes the folder this test created.
 *
 * SecurityToken::enable() is called unconditionally (the previous state is
 * not recorded by this test case). The folder's database record is removed
 * first, then the directory on disk, before the parent tear-down runs.
 */
public function tearDown()
{
    SecurityToken::enable();

    $folder = $this->folder;
    $folder->deleteDatabaseOnly();

    $folderPath = $folder->getFullPath();
    Filesystem::removeFolder($folderPath);

    parent::tearDown();
}
/**
 * The static enable()/disable() switches must be reported by is_enabled().
 *
 * Tokens are expected to be enabled when the test starts; the switch is
 * turned off and back on, and the reported state is checked after each step.
 */
public function testIsEnabledStatic()
{
    // Precondition: the global switch is on when this test begins.
    $this->assertTrue(SecurityToken::is_enabled());

    // Off, then on again - each transition must be visible through is_enabled().
    $transitions = array(false, true);
    foreach ($transitions as $shouldBeEnabled) {
        if ($shouldBeEnabled) {
            SecurityToken::enable();
        } else {
            SecurityToken::disable();
        }
        $this->assertSame($shouldBeEnabled, SecurityToken::is_enabled());
    }
}
/**
 * Restores the global SecurityToken switch to the state recorded in
 * $this->securityEnabled before the test ran, then runs the parent tear-down.
 */
public function tearDown()
{
    // $this->securityEnabled is evaluated for truthiness, as the original did.
    $this->securityEnabled ? SecurityToken::enable() : SecurityToken::disable();
    parent::tearDown();
}
/**
 * Restores the global SecurityToken switch from $this->securityWasEnabled and
 * pops the nested Injector and Config scopes before the parent tear-down.
 */
public function tearDown()
{
    // Put CSRF protection back to whatever it was when the test started.
    $this->securityWasEnabled ? SecurityToken::enable() : SecurityToken::disable();

    // Unnest in the reverse order of the usual setUp() nesting.
    Injector::unnest();
    Config::unnest();

    parent::tearDown();
}
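/**
 * Form::disableSecurityToken() must switch off the token for that form
 * instance while the global SecurityToken switch stays enabled.
 *
 * The global state found on entry is recorded and restored on exit. The
 * previous version always called SecurityToken::disable() at the end under a
 * "restore original" comment, which leaked a disabled state into later tests
 * whenever tokens had been enabled beforehand.
 */
public function testDisableSecurityToken()
{
    // Remember the global switch so it can be put back exactly as found.
    $wasEnabled = SecurityToken::is_enabled();
    SecurityToken::enable();

    $form = $this->getStubForm();
    // While the global switch is on, a freshly built form reports an enabled token.
    $this->assertTrue($form->getSecurityToken()->isEnabled());

    // The per-form opt-out must take effect without touching the global switch.
    $form->disableSecurityToken();
    $this->assertFalse($form->getSecurityToken()->isEnabled());

    // restore original
    if (!$wasEnabled) {
        SecurityToken::disable();
    }
}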
/**
 * Re-arms CSRF protection, runs the parent tear-down and drops the
 * session handle held by this functional test.
 */
function tearDown()
{
    // Enabled unconditionally; this test case does not record the prior state.
    SecurityToken::enable();

    parent::tearDown();

    unset($this->mainSession);
}
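/**
 * Cart "add item" links must carry a SecurityID while tokens are enabled,
 * be plain when the controller opts out via disable_security_token or when
 * tokens are globally off, and a token-less link must be rejected with 400
 * once tokens are switched back on.
 *
 * The global SecurityToken state found on entry is restored on exit. The
 * assertEquals() calls now pass (expected, actual) in that order so failure
 * messages read correctly; the previous version had the arguments swapped.
 */
public function testSecurityToken()
{
    $enabled = SecurityToken::is_enabled();
    $productId = $this->mp3player->ID;
    // Link form used whenever no token is appended.
    $plainLink = 'shoppingcart/add/Product/' . $productId;

    // enable security tokens
    SecurityToken::enable();

    // link should contain the security-token
    $link = ShoppingCart_Controller::add_item_link($this->mp3player);
    $this->assertRegExp('{^shoppingcart/add/Product/' . $productId . '\\?SecurityID=[a-f0-9]+$}', $link);

    // should redirect back to the shop
    $response = $this->get($link);
    $this->assertEquals(302, $response->getStatusCode());

    // disable security token for cart-links
    Config::inst()->update('ShoppingCart_Controller', 'disable_security_token', true);
    $link = ShoppingCart_Controller::add_item_link($this->mp3player);
    $this->assertEquals($plainLink, $link);

    // should redirect back to the shop
    $response = $this->get($link);
    $this->assertEquals(302, $response->getStatusCode());

    // with tokens globally off the link stays plain even after the controller opt-out is cleared
    SecurityToken::disable();
    Config::inst()->update('ShoppingCart_Controller', 'disable_security_token', false);
    $link = ShoppingCart_Controller::add_item_link($this->mp3player);
    $this->assertEquals($plainLink, $link);

    // should redirect back to the shop
    $response = $this->get($link);
    $this->assertEquals(302, $response->getStatusCode());

    // should now return a 400 status: the token-less link is requested with tokens required again
    SecurityToken::enable();
    $response = $this->get($link);
    $this->assertEquals(400, $response->getStatusCode(), 'Token-less add link must be rejected once tokens are enabled');

    // restore previous setting
    if (!$enabled) {
        SecurityToken::disable();
    }
}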
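/**
 * Form actions reached through the form handler are gated by the CSRF token
 * rather than by $allowed_actions, while controller actions and direct URLs
 * are still subject to $allowed_actions.
 *
 * Asserted behaviour:
 *  - POST to the form handler without SecurityID -> 400, whether or not the
 *    action is listed in $allowed_actions;
 *  - POST to the form handler naming a controller action that is not in
 *    $allowed_actions -> 403 even with a valid token;
 *  - POST to the form handler with a valid token -> 200 for form actions and
 *    for controller actions listed in $allowed_actions;
 *  - direct POST URL to an action not in $allowed_actions -> 404;
 *  - direct POST URL to a form action in $allowed_actions -> 200 with or
 *    without a token.
 *
 * The global SecurityToken state found on entry is restored on exit; the
 * previous version always disabled it at the end. The token is read from the
 * rendered form, so its presence is asserted before it is used.
 */
function testFormActionsCanBypassAllowedActions()
{
    $tokensWereEnabled = SecurityToken::is_enabled();
    SecurityToken::enable();

    $response = $this->get('RequestHandlingTest_FormActionController');
    $this->assertEquals(200, $response->getStatusCode());

    // Pull the token the server embedded in the rendered form.
    $tokenEls = $this->cssParser()->getBySelector('#Form_Form_SecurityID');
    $this->assertNotEmpty($tokenEls, 'Rendered form must contain the #Form_Form_SecurityID field');
    $securityId = (string) $tokenEls[0]['value'];

    $data = array('action_formaction' => 1);
    $response = $this->post('RequestHandlingTest_FormActionController/Form', $data);
    $this->assertEquals(400, $response->getStatusCode(), 'Should fail: Invocation through POST form handler, not contained in $allowed_actions, without CSRF token');

    $data = array('action_disallowedcontrollermethod' => 1, 'SecurityID' => $securityId);
    $response = $this->post('RequestHandlingTest_FormActionController/Form', $data);
    $this->assertEquals(403, $response->getStatusCode(), 'Should fail: Invocation through POST form handler, controller action instead of form action, not contained in $allowed_actions, with CSRF token');

    $data = array('action_formaction' => 1, 'SecurityID' => $securityId);
    $response = $this->post('RequestHandlingTest_FormActionController/Form', $data);
    $this->assertEquals(200, $response->getStatusCode());
    $this->assertEquals('formaction', $response->getBody(), 'Should pass: Invocation through POST form handler, not contained in $allowed_actions, with CSRF token');

    $data = array('action_controlleraction' => 1, 'SecurityID' => $securityId);
    $response = $this->post('RequestHandlingTest_FormActionController/Form', $data);
    $this->assertEquals(200, $response->getStatusCode(), 'Should pass: Invocation through POST form handler, controller action instead of form action, contained in $allowed_actions, with CSRF token');

    $data = array('action_formactionInAllowedActions' => 1);
    $response = $this->post('RequestHandlingTest_FormActionController/Form', $data);
    $this->assertEquals(400, $response->getStatusCode(), 'Should fail: Invocation through POST form handler, contained in $allowed_actions, without CSRF token');

    $data = array('action_formactionInAllowedActions' => 1, 'SecurityID' => $securityId);
    $response = $this->post('RequestHandlingTest_FormActionController/Form', $data);
    $this->assertEquals(200, $response->getStatusCode(), 'Should pass: Invocation through POST form handler, contained in $allowed_actions, with CSRF token');

    $data = array();
    $response = $this->post('RequestHandlingTest_FormActionController/formaction', $data);
    $this->assertEquals(404, $response->getStatusCode(), 'Should fail: Invocation through POST URL, not contained in $allowed_actions, without CSRF token');

    $data = array();
    $response = $this->post('RequestHandlingTest_FormActionController/formactionInAllowedActions', $data);
    $this->assertEquals(200, $response->getStatusCode(), 'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, without CSRF token');

    $data = array('SecurityID' => $securityId);
    $response = $this->post('RequestHandlingTest_FormActionController/formactionInAllowedActions', $data);
    $this->assertEquals(200, $response->getStatusCode(), 'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, with CSRF token');

    // CSRF protection doesnt kick in for direct requests (repeats the token-less direct URL case above)
    $data = array();
    $response = $this->post('RequestHandlingTest_FormActionController/formactionInAllowedActions', $data);
    $this->assertEquals(200, $response->getStatusCode(), 'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, without CSRF token');

    // Put the global switch back to what it was before this test.
    if (!$tokensWereEnabled) {
        SecurityToken::disable();
    }
}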
/**
 * Re-arms CSRF protection, runs the parent tear-down, drops the session
 * handle and, when themes were disabled for this test class, restores the
 * SSViewer theme recorded in $this->originalTheme.
 */
public function tearDown()
{
    // Enabled unconditionally; this test case does not record the prior state.
    SecurityToken::enable();

    parent::tearDown();

    unset($this->mainSession);

    $themesWereDisabled = static::get_disable_themes();
    if ($themesWereDisabled) {
        Config::inst()->update('SSViewer', 'theme', $this->originalTheme);
    }
}
/**
 * Creates a form object with freely configurable markup.
 *
 * Runs the onBeforeConstruct/onAfterConstruct extension hooks, merges the
 * given preferences into $this->basePreferences (twice: once before and once
 * after the parent constructor, see the comment below), builds the
 * SilverStripe Form via parent::__construct(), assigns a per-class instance
 * counter that becomes part of the form name, attaches fields/actions and
 * - unless $barebone - registers the JavaScript validator snippets with the
 * controller.
 *
 * @param ContentController $controller the calling controller instance
 * @param array $params optional parameters, stored in $this->customParameters when an array
 * @param array $preferences optional preferences, merged into $this->basePreferences when an array
 * @param bool $barebone defines if a form should only be instanciated or be used too
 *
 * @return CustomHtmlForm
 *
 * @author Sebastian Diel <*****@*****.**>,
 *         Sascha Koehler <*****@*****.**>
 * @since 13.01.2015
 */
public function __construct($controller, $params = null, $preferences = null, $barebone = false)
{
    $this->extend('onBeforeConstruct', $controller, $params, $preferences, $barebone);
    // NOTE(review): $project is a global set by mysite/_config.php (see registerModule() below);
    // it is read through the global scope rather than injected.
    global $project;
    $this->barebone = $barebone;
    $this->controller = $controller;
    if (is_array($params)) {
        $this->customParameters = $params;
    }
    // Hook for setting preferences via a method call
    $this->preferences();
    if (is_array($preferences)) {
        foreach ($preferences as $title => $setting) {
            if (!empty($title)) {
                $this->basePreferences[$title] = $setting;
            }
        }
    }
    $name = $this->getSubmitAction();
    if (!$barebone) {
        $this->getFormFields();
    }
    // NOTE(review): this flips the *global* SecurityToken switch and never restores it.
    // Presumably it is done so that parent::__construct() below picks the token type for
    // this form, but every form built later in the same request inherits the setting -
    // a form with securityTokenEnabled = false leaves CSRF protection off for the
    // forms that follow. Form's per-instance disableSecurityToken() would scope the
    // opt-out to this form; confirm against the parent constructor before changing.
    if ($this->securityTokenEnabled) {
        SecurityToken::enable();
    } else {
        SecurityToken::disable();
    }
    parent::__construct($this->getFormController($controller, $preferences), $name, new FieldList(), new FieldList());
    if (!$barebone) {
        // getFormFields() is called a second time here (first call above); assumed to be
        // idempotent or to depend on the parent constructor having run - TODO confirm.
        $this->getFormFields();
        $this->fillInFieldValues();
    }
    // Hook for setting preferences via a method call; we need to do this
    // a second time so that the standard Silverstripe mechanism can take
    // influence, too (i.e. _config.php files, init methods, etc).
    $this->preferences();
    if (is_array($preferences)) {
        foreach ($preferences as $title => $setting) {
            if (!empty($title)) {
                $this->basePreferences[$title] = $setting;
            }
        }
    }
    // Counter for the form class, init or increment
    if (!isset(self::$classInstanceCounter[$this->class])) {
        self::$classInstanceCounter[$this->class] = 0;
    }
    if (!$barebone) {
        self::$classInstanceCounter[$this->class]++;
    }
    // new assignment required, because the controller will be overwritten in the form class
    $this->controller = $controller;
    // create group structure
    if (isset($this->formFields)) {
        $this->fieldGroups['formFields'] = $this->getFormFields();
    } else {
        $this->fieldGroups['formFields'] = array();
    }
    // Form name = class + submit action + instance counter, with any '/' stripped.
    $this->name = str_replace('/', '', $this->class . '_' . $name . '_' . self::$classInstanceCounter[$this->class]);
    $this->jsName = $this->name;
    $this->SSformFields = $this->getForm();
    $this->SSformFields['fields']->setForm($this);
    $this->SSformFields['actions']->setForm($this);
    parent::setFields($this->SSformFields['fields']);
    parent::setActions($this->SSformFields['actions']);
    // define form action
    $this->setFormAction($this->buildFormAction());
    $this->setHTMLID($this->getName());
    /*
     * load and init JS validators
     * form integration via FormAttributes()
     */
    if (!$barebone) {
        $javascriptSnippets = $this->getJavascriptValidatorInitialisation();
        if (!$this->getLoadShoppingCartModules()) {
            SilvercartShoppingCart::setLoadShoppingCartModules(false);
        }
        if ($this->getCreateShoppingCartForms() && class_exists('SilvercartShoppingCart')) {
            SilvercartShoppingCart::setCreateShoppingCartForms(false);
        }
        $this->controller->addJavascriptSnippet($javascriptSnippets['javascriptSnippets']);
        $this->controller->addJavascriptOnloadSnippet($javascriptSnippets['javascriptOnloadSnippets']);
        $this->controller->addJavascriptOnloadSnippet($this->getJavascriptFieldInitialisations());
    }
    // Register the default module directory from mysite/_config.php
    self::registerModule($project);
    $this->extend('onAfterConstruct', $controller, $params, $preferences, $barebone);
}
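/**
 * MarkAsSpamLink() must be false for anonymous users and for members who
 * cannot moderate the post; for a moderator it must point at the thread's
 * markasspam action for the post, carry a SecurityID (CSRF token) and carry
 * the "firstPost" class only on the thread's first post.
 *
 * Tokens are enabled for the duration of the test and the global state found
 * on entry is restored afterwards (the previous version enabled them and
 * never put them back).
 */
function testMarkAsSpamLink()
{
    $post = $this->objFromFixture('Post', 'Post1');

    // enable token, remembering the previous global state
    $tokensWereEnabled = SecurityToken::is_enabled();
    SecurityToken::enable();

    // should be false since we're not logged in.
    $currentMember = Member::currentUser();
    if ($currentMember) {
        $currentMember->logOut();
    }
    $this->assertFalse($post->EditLink());
    $this->assertFalse($post->MarkAsSpamLink());

    // logged in as the moderator. Should be able to mark the post as spam.
    $moderator = $this->objFromFixture('Member', 'moderator');
    $moderator->logIn();
    $expectedPath = $post->Thread()->URLSegment . '/markasspam/' . $post->ID;
    $this->assertContains($expectedPath, $post->MarkAsSpamLink());
    // because this is the first post: the class is a hook used by the javascript
    $this->assertContains("class=\"markAsSpamLink firstPost\"", $post->MarkAsSpamLink());
    $moderator->logOut();

    // log in as another member who is not in a position to mark this post as spam
    $otherMember = $this->objFromFixture('Member', 'test2');
    $otherMember->logIn();
    $this->assertFalse($post->MarkAsSpamLink());

    // log in as someone who can moderate this post (and therefore mark as spam)
    $moderator = $this->objFromFixture('Member', 'moderator');
    $moderator->logIn();
    // check for the existence of a CSRF token
    $this->assertContains("SecurityID=", $post->MarkAsSpamLink());
    // should be able to edit post since they're moderators
    $this->assertContains($expectedPath, $post->MarkAsSpamLink());

    // test that a 2nd post doesn't have the first post ID hook
    $memberOthersPost = $this->objFromFixture('Post', 'Post2');
    $this->assertFalse(strstr($memberOthersPost->MarkAsSpamLink(), "firstPost"));

    // restore the global switch to what it was before this test
    if (!$tokensWereEnabled) {
        SecurityToken::disable();
    }
}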