public function tearDown()
 {
     SecurityToken::enable();
     $this->folder->deleteDatabaseOnly();
     Filesystem::removeFolder($this->folder->getFullPath());
     parent::tearDown();
 }
 /**
  * SecurityToken::disable() / enable() must be reflected by is_enabled().
  */
 public function testIsEnabledStatic()
 {
     // Baseline: the static switch is on when the test starts.
     self::assertTrue(SecurityToken::is_enabled());

     // Toggle off, then back on, checking the flag after each change.
     SecurityToken::disable();
     self::assertFalse(SecurityToken::is_enabled());

     SecurityToken::enable();
     self::assertTrue(SecurityToken::is_enabled());
 }
 /**
  * Puts the static SecurityToken switch back to the state recorded in
  * $this->securityEnabled (presumably captured in setUp — not visible here).
  */
 public function tearDown()
 {
     // Disabled is the unusual case, so it is spelled out first.
     if (!$this->securityEnabled) {
         SecurityToken::disable();
     } else {
         SecurityToken::enable();
     }

     parent::tearDown();
 }
 /**
  * Restores the static SecurityToken switch from $this->securityWasEnabled
  * (presumably captured in setUp — not visible here) and pops the nested
  * Injector and Config layers before the parent clean-up runs.
  */
 public function tearDown()
 {
     // Disabled is the unusual case, so it is spelled out first.
     if (!$this->securityWasEnabled) {
         SecurityToken::disable();
     } else {
         SecurityToken::enable();
     }

     // Unnest in the reverse order the layers are normally pushed.
     Injector::unnest();
     Config::unnest();

     parent::tearDown();
 }
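 /**
  * disableSecurityToken() must switch off the token check for one form only.
  *
  * The static SecurityToken state is captured up front and put back at the
  * end, so the test leaves the switch exactly as it found it instead of
  * unconditionally disabling it for every test that runs afterwards (the old
  * "restore original" step always called disable()).
  */
 public function testDisableSecurityToken()
 {
     $wasEnabled = SecurityToken::is_enabled();
     SecurityToken::enable();

     $form = $this->getStubForm();
     $this->assertTrue($form->getSecurityToken()->isEnabled());

     $form->disableSecurityToken();
     $this->assertFalse($form->getSecurityToken()->isEnabled());

     // restore original
     if (!$wasEnabled) {
         SecurityToken::disable();
     }
 }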
 /**
  * Switches the static SecurityToken check back on and drops the test
  * session once the parent clean-up has run.
  */
 function tearDown()
 {
     SecurityToken::enable();
     parent::tearDown();
     // Released last so the parent can still reach the session if it needs to.
     unset($this->mainSession);
 }
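 /**
  * Cart links carry a SecurityID only while tokens are enabled and the
  * controller's disable_security_token config is off; a tokenless link is
  * refused with 400 once tokens are switched on again.
  *
  * Both the static SecurityToken switch and the config value are captured
  * first and put back at the end, so nothing leaks into later tests. The
  * assertEquals() calls pass (expected, actual) in PHPUnit's order so failure
  * messages read correctly.
  */
 public function testSecurityToken()
 {
     $enabled = SecurityToken::is_enabled();
     // Cast so the restore below writes a bool even when the key was unset.
     $configWasDisabled = (bool) Config::inst()->get('ShoppingCart_Controller', 'disable_security_token');
     $productId = $this->mp3player->ID;
     $plainLink = 'shoppingcart/add/Product/' . $productId;

     // enable security tokens: the link must carry the token and still redirect back to the shop
     SecurityToken::enable();
     $link = ShoppingCart_Controller::add_item_link($this->mp3player);
     $this->assertRegExp('{^shoppingcart/add/Product/' . $productId . '\\?SecurityID=[a-f0-9]+$}', $link);
     $response = $this->get($link);
     $this->assertEquals(302, $response->getStatusCode());

     // disable security token for cart-links only: plain link, still a redirect
     Config::inst()->update('ShoppingCart_Controller', 'disable_security_token', true);
     $link = ShoppingCart_Controller::add_item_link($this->mp3player);
     $this->assertEquals($plainLink, $link);
     $response = $this->get($link);
     $this->assertEquals(302, $response->getStatusCode());

     // tokens off globally, cart-link config back on: plain link, still a redirect
     SecurityToken::disable();
     Config::inst()->update('ShoppingCart_Controller', 'disable_security_token', false);
     $link = ShoppingCart_Controller::add_item_link($this->mp3player);
     $this->assertEquals($plainLink, $link);
     $response = $this->get($link);
     $this->assertEquals(302, $response->getStatusCode());

     // tokens back on: the tokenless link must now be refused with a 400 status
     SecurityToken::enable();
     $response = $this->get($link);
     $this->assertEquals(400, $response->getStatusCode());

     // restore previous settings
     Config::inst()->update('ShoppingCart_Controller', 'disable_security_token', $configWasDisabled);
     if (!$enabled) {
         SecurityToken::disable();
     }
 }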
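 /**
  * Form actions reached through the form handler need a CSRF token unless the
  * request hits the action URL directly.
  *
  * Expected status codes with the token switched on:
  *  - 400: POST to the form handler without SecurityID
  *  - 403: controller method not in $allowed_actions, even with a token
  *  - 200: form action with a token, or an allowed action via its POST URL
  *  - 404: form action not in $allowed_actions via its POST URL
  *
  * The static SecurityToken switch is restored afterwards instead of being
  * forced off, and the duplicated tokenless POST-URL check at the end has
  * been folded into the single check that carries its comment.
  */
 function testFormActionsCanBypassAllowedActions()
 {
     $wasEnabled = SecurityToken::is_enabled();
     SecurityToken::enable();

     $formUrl = 'RequestHandlingTest_FormActionController/Form';

     // Load the page once so a SecurityID valid for this session is known.
     $response = $this->get('RequestHandlingTest_FormActionController');
     $this->assertEquals(200, $response->getStatusCode());
     $tokenEls = $this->cssParser()->getBySelector('#Form_Form_SecurityID');
     $securityId = (string) $tokenEls[0]['value'];

     $data = array('action_formaction' => 1);
     $response = $this->post($formUrl, $data);
     $this->assertEquals(400, $response->getStatusCode(), 'Should fail: Invocation through POST form handler, not contained in $allowed_actions, without CSRF token');

     $data = array('action_disallowedcontrollermethod' => 1, 'SecurityID' => $securityId);
     $response = $this->post($formUrl, $data);
     $this->assertEquals(403, $response->getStatusCode(), 'Should fail: Invocation through POST form handler, controller action instead of form action, not contained in $allowed_actions, with CSRF token');

     $data = array('action_formaction' => 1, 'SecurityID' => $securityId);
     $response = $this->post($formUrl, $data);
     $this->assertEquals(200, $response->getStatusCode());
     $this->assertEquals('formaction', $response->getBody(), 'Should pass: Invocation through POST form handler, not contained in $allowed_actions, with CSRF token');

     $data = array('action_controlleraction' => 1, 'SecurityID' => $securityId);
     $response = $this->post($formUrl, $data);
     $this->assertEquals(200, $response->getStatusCode(), 'Should pass: Invocation through POST form handler, controller action instead of form action, contained in $allowed_actions, with CSRF token');

     $data = array('action_formactionInAllowedActions' => 1);
     $response = $this->post($formUrl, $data);
     $this->assertEquals(400, $response->getStatusCode(), 'Should fail: Invocation through POST form handler, contained in $allowed_actions, without CSRF token');

     $data = array('action_formactionInAllowedActions' => 1, 'SecurityID' => $securityId);
     $response = $this->post($formUrl, $data);
     $this->assertEquals(200, $response->getStatusCode(), 'Should pass: Invocation through POST form handler, contained in $allowed_actions, with CSRF token');

     $data = array();
     $response = $this->post('RequestHandlingTest_FormActionController/formaction', $data);
     $this->assertEquals(404, $response->getStatusCode(), 'Should fail: Invocation through POST URL, not contained in $allowed_actions, without CSRF token');

     // CSRF protection doesn't kick in for direct requests
     $data = array();
     $response = $this->post('RequestHandlingTest_FormActionController/formactionInAllowedActions', $data);
     $this->assertEquals(200, $response->getStatusCode(), 'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, without CSRF token');

     $data = array('SecurityID' => $securityId);
     $response = $this->post('RequestHandlingTest_FormActionController/formactionInAllowedActions', $data);
     $this->assertEquals(200, $response->getStatusCode(), 'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, with CSRF token');

     // restore the token switch rather than forcing it off
     if (!$wasEnabled) {
         SecurityToken::disable();
     }
 }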
 /**
  * Switches the static SecurityToken check back on, drops the test session
  * and, when themes were disabled for this test class, restores the theme
  * recorded in $this->originalTheme (set outside this method).
  */
 public function tearDown()
 {
     SecurityToken::enable();
     parent::tearDown();
     unset($this->mainSession);

     // Theme restore is only meaningful when the class disables themes.
     $themesDisabled = static::get_disable_themes();
     if ($themesDisabled) {
         Config::inst()->update('SSViewer', 'theme', $this->originalTheme);
     }
 }
 /**
  * creates a form object with a free configurable markup
  *
  * Side effects worth knowing about: when the form is not barebone,
  * getFormFields() is called both before and after parent::__construct();
  * the static (request-wide) SecurityToken switch is set from
  * $this->securityTokenEnabled; and the global $project is read and passed
  * to registerModule().
  *
  * @param ContentController $controller  the calling controller instance
  * @param array             $params      optional parameters
  * @param array             $preferences optional preferences
  * @param bool              $barebone    defines if a form should only be instantiated or be used too
  *
  * @return CustomHtmlForm
  *
  * @author Sebastian Diel <*****@*****.**>,
  *         Sascha Koehler <*****@*****.**>
  * @since 13.01.2015
  */
 public function __construct($controller, $params = null, $preferences = null, $barebone = false)
 {
     $this->extend('onBeforeConstruct', $controller, $params, $preferences, $barebone);
     // Read from global scope; only used for registerModule() at the end.
     global $project;
     $this->barebone = $barebone;
     $this->controller = $controller;
     if (is_array($params)) {
         $this->customParameters = $params;
     }
     // Hook for setting preferences via a method call
     $this->preferences();
     // Explicit $preferences win over whatever preferences() set; empty keys are skipped.
     if (is_array($preferences)) {
         foreach ($preferences as $title => $setting) {
             if (!empty($title)) {
                 $this->basePreferences[$title] = $setting;
             }
         }
     }
     $name = $this->getSubmitAction();
     if (!$barebone) {
         $this->getFormFields();
     }
     // NOTE(review): this toggles the static SecurityToken switch shared by
     // every form in the request, not just this form's token; a form built
     // later inherits whichever state the last constructed form set — confirm
     // this is intended.
     if ($this->securityTokenEnabled) {
         SecurityToken::enable();
     } else {
         SecurityToken::disable();
     }
     // Fields and actions are passed empty here and filled in below via setFields()/setActions().
     parent::__construct($this->getFormController($controller, $preferences), $name, new FieldList(), new FieldList());
     if (!$barebone) {
         $this->getFormFields();
         $this->fillInFieldValues();
     }
     // Hook for setting preferences via a method call; we need to do this
     // a second time so that the standard Silverstripe mechanism can take
     // influence, too (i.e. _config.php files, init methods, etc).
     $this->preferences();
     if (is_array($preferences)) {
         foreach ($preferences as $title => $setting) {
             if (!empty($title)) {
                 $this->basePreferences[$title] = $setting;
             }
         }
     }
     // Counter for the form class, init or increment
     if (!isset(self::$classInstanceCounter[$this->class])) {
         self::$classInstanceCounter[$this->class] = 0;
     }
     // Barebone instances do not consume a counter slot.
     if (!$barebone) {
         self::$classInstanceCounter[$this->class]++;
     }
     // new assignment required, because the controller will be overwritten in the form class
     $this->controller = $controller;
     // create group structure
     if (isset($this->formFields)) {
         $this->fieldGroups['formFields'] = $this->getFormFields();
     } else {
         $this->fieldGroups['formFields'] = array();
     }
     // Name is class + submit action + per-class counter; slashes are stripped so it is usable in ids/URLs.
     $this->name = str_replace('/', '', $this->class . '_' . $name . '_' . self::$classInstanceCounter[$this->class]);
     $this->jsName = $this->name;
     $this->SSformFields = $this->getForm();
     $this->SSformFields['fields']->setForm($this);
     $this->SSformFields['actions']->setForm($this);
     parent::setFields($this->SSformFields['fields']);
     parent::setActions($this->SSformFields['actions']);
     // define form action
     $this->setFormAction($this->buildFormAction());
     $this->setHTMLID($this->getName());
     /*
      * load and init JS validators
      * form integration via FormAttributes()
      */
     if (!$barebone) {
         $javascriptSnippets = $this->getJavascriptValidatorInitialisation();
         // NOTE(review): unlike the branch below, this call is not guarded by
         // class_exists('SilvercartShoppingCart') — confirm the class is always loaded here.
         if (!$this->getLoadShoppingCartModules()) {
             SilvercartShoppingCart::setLoadShoppingCartModules(false);
         }
         if ($this->getCreateShoppingCartForms() && class_exists('SilvercartShoppingCart')) {
             SilvercartShoppingCart::setCreateShoppingCartForms(false);
         }
         $this->controller->addJavascriptSnippet($javascriptSnippets['javascriptSnippets']);
         $this->controller->addJavascriptOnloadSnippet($javascriptSnippets['javascriptOnloadSnippets']);
         $this->controller->addJavascriptOnloadSnippet($this->getJavascriptFieldInitialisations());
     }
     // Register the default module directory from mysite/_config.php
     self::registerModule($project);
     $this->extend('onAfterConstruct', $controller, $params, $preferences, $barebone);
 }
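 /**
  * MarkAsSpamLink() is only offered to members who may moderate the post,
  * carries a CSRF token, and tags the thread's first post for the JS hook.
  *
  * The static SecurityToken state is captured and restored so the test does
  * not leave tokens switched on for whatever runs next.
  */
 function testMarkAsSpamLink()
 {
     $post = $this->objFromFixture('Post', 'Post1');
     $wasEnabled = SecurityToken::is_enabled();
     // enable token so the generated link has to include a SecurityID
     SecurityToken::enable();

     // should be false since we're not logged in.
     if ($member = Member::currentUser()) {
         $member->logOut();
     }
     $this->assertFalse($post->EditLink());
     $this->assertFalse($post->MarkAsSpamLink());

     // logged in as the moderator. Should be able to mark the post as spam.
     $member = $this->objFromFixture('Member', 'moderator');
     $member->logIn();
     $this->assertContains($post->Thread()->URLSegment . '/markasspam/' . $post->ID, $post->MarkAsSpamLink());
     // this is the first post, so the link carries the class used by the javascript
     $this->assertContains("class=\"markAsSpamLink firstPost\"", $post->MarkAsSpamLink());
     $member->logOut();

     // log in as another member who is not in a position to mark this post as spam
     $member = $this->objFromFixture('Member', 'test2');
     $member->logIn();
     $this->assertFalse($post->MarkAsSpamLink());

     // log in as someone who can moderate this post (and therefore mark as spam)
     $member = $this->objFromFixture('Member', 'moderator');
     $member->logIn();
     // check for the existence of a CSRF token
     $this->assertContains("SecurityID=", $post->MarkAsSpamLink());
     // should be able to edit post since they're moderators
     $this->assertContains($post->Thread()->URLSegment . '/markasspam/' . $post->ID, $post->MarkAsSpamLink());

     // test that a 2nd post doesn't have the first post ID hook
     $memberOthersPost = $this->objFromFixture('Post', 'Post2');
     $this->assertFalse(strstr($memberOthersPost->MarkAsSpamLink(), "firstPost"));

     // restore original token state
     if (!$wasEnabled) {
         SecurityToken::disable();
     }
 }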