public function setUp()
 {
     parent::setUp();
     // Isolate the config and injector changes made below from other test classes
     Config::nest();
     Injector::nest();
     // Remember the global CSRF-token state before this test changes it
     $this->securityWasEnabled = SecurityToken::is_enabled();

     // The provider is mocked with Phockito; without it none of these tests can run
     if (!class_exists('Phockito')) {
         $this->skipTest = true;
         return $this->markTestSkipped("These tests need the Phockito module installed to run");
     }

     // Put SpellController into a known configuration: permission, locale list, CSRF token on
     $config = Config::inst();
     $config->update('SpellController', 'required_permission', 'CMS_ACCESS_CMSMain');
     $config->remove('SpellController', 'locales');
     $config->update('SpellController', 'locales', array('en_US', 'en_NZ', 'fr_FR'));
     $config->update('SpellController', 'enable_security_token', true);
     SecurityToken::enable();

     // Stub the spell provider: one shared word list, locale-specific misspellings and suggestions
     $words = array('collor', 'colour', 'color', 'onee', 'correct');
     $provider = Phockito::mock('SpellProvider');
     Phockito::when($provider)->checkWords('en_NZ', $words)->return(array('collor', 'color', 'onee'));
     Phockito::when($provider)->checkWords('en_US', $words)->return(array('collor', 'colour', 'onee'));
     Phockito::when($provider)->getSuggestions('en_NZ', 'collor')->return(array('collar', 'colour'));
     Phockito::when($provider)->getSuggestions('en_US', 'collor')->return(array('collar', 'color'));
     Injector::inst()->registerService($provider, 'SpellProvider');
 }
 public function testIsEnabledStatic()
 {
     // Toggling the static flag must be reflected immediately by is_enabled()
     $this->assertTrue(SecurityToken::is_enabled(), 'tokens should start enabled');
     SecurityToken::disable();
     $this->assertFalse(SecurityToken::is_enabled(), 'disable() should turn tokens off');
     SecurityToken::enable();
     $this->assertTrue(SecurityToken::is_enabled(), 'enable() should turn tokens back on');
 }
 public function setUp()
 {
     parent::setUp();
     // Capture whether CSRF tokens were on before this test runs, so the original state can be put back afterwards
     $this->securityEnabled = SecurityToken::is_enabled();
 }
 /**
  * Create a new form from a set of fields and action buttons.
  *
  * The constructor also decides whether this form carries a CSRF token: the controller's own
  * securityTokenEnabled() wins when the controller provides it, otherwise the global
  * SecurityToken setting is used.
  *
  * @param Controller $controller The parent controller, necessary to create the appropriate form action tag.
  * @param String $name The method on the controller that will return this form object.
  * @param FieldList $fields All of the fields in the form - a {@link FieldList} of {@link FormField} objects.
  * @param FieldList $actions All of the action buttons in the form - a {@link FieldList} of
  *                           {@link FormAction} objects
  * @param Validator $validator Override the default validator instance (Default: {@link RequiredFields})
  * @throws InvalidArgumentException if $fields, $actions or $validator have the wrong type
  */
 public function __construct($controller, $name, FieldList $fields, FieldList $actions, $validator = null)
 {
     parent::__construct();

     if (!($fields instanceof FieldList)) {
         throw new InvalidArgumentException('$fields must be a valid FieldList instance');
     }
     if (!($actions instanceof FieldList)) {
         throw new InvalidArgumentException('$actions must be a valid FieldList instance');
     }
     if ($validator && !($validator instanceof Validator)) {
         throw new InvalidArgumentException('$validator must be a Validator instance');
     }

     // Attach both field lists to this form before storing them
     $fields->setForm($this);
     $actions->setForm($this);
     $this->fields = $fields;
     $this->actions = $actions;

     $this->controller = $controller;
     $this->name = $name;
     if (!$this->controller) {
         user_error("{$this->class} form created without a controller", E_USER_ERROR);
     }

     // Validation: fall back to RequiredFields when no validator was supplied
     if ($validator) {
         $this->validator = $validator;
     } else {
         $this->validator = new RequiredFields();
     }
     $this->validator->setForm($this);

     // Form error controls
     $this->setupFormErrors();

     // CSRF protection: the controller may override the global default when it can answer
     // securityTokenEnabled(). method_exists() is consulted first because some controllers
     // (e.g. GroupTest) do not extend Object and therefore have no hasMethod().
     $controllerDecides = method_exists($controller, 'securityTokenEnabled')
         || (method_exists($controller, 'hasMethod') && $controller->hasMethod('securityTokenEnabled'));
     if ($controllerDecides) {
         $securityEnabled = $controller->securityTokenEnabled();
     } else {
         $securityEnabled = SecurityToken::is_enabled();
     }
     // NullSecurityToken stands in for the real token when protection is switched off
     if ($securityEnabled) {
         $this->securityToken = new SecurityToken();
     } else {
         $this->securityToken = new NullSecurityToken();
     }
 }
 /**
  * Resolve the buyable record addressed by the current request.
  *
  * While security tokens are enabled the request must carry a valid token or it is answered
  * with a 400. The class named by the 'Buyable' URL parameter must be recognised by
  * ClassInfo::exists() and the loaded record must implement Buyable; classes with the
  * Versioned extension are read from the Live stage only.
  *
  * @return Product|ProductVariation|Buyable|null null when the ID is missing, the class is
  *                                              unknown, or the record is not a Buyable
  */
 protected function buyableFromRequest()
 {
     $request = $this->getRequest();

     // CSRF guard: refuse requests without a valid security token while tokens are enabled
     if (SecurityToken::is_enabled() && !SecurityToken::inst()->checkRequest($request)) {
         return $this->httpError(400, _t("ShoppingCart.CSRF", "Invalid security token, possible CSRF attack."));
     }

     $id = (int) $request->param('ID');
     if (empty($id)) {
         //TODO: store error message
         return null;
     }

     // The 'Buyable' URL segment selects the class; Product is the default
     $requestedClass = $request->param('Buyable');
     $buyableclass = $requestedClass ? Convert::raw2sql($requestedClass) : "Product";

     // Only class names that ClassInfo::exists() recognises are accepted from the URL
     if (!ClassInfo::exists($buyableclass)) {
         //TODO: store error message
         return null;
     }

     // Versioned classes: only Live records can be bought
     if (Object::has_extension($buyableclass, 'Versioned')) {
         $buyable = Versioned::get_by_stage($buyableclass, 'Live')->byID($id);
     } else {
         $buyable = DataObject::get($buyableclass)->byID($id);
     }

     if (!$buyable || !($buyable instanceof Buyable)) {
         //TODO: store error message
         return null;
     }

     return $buyable;
 }
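 /**
  * The add-to-cart link must carry a SecurityID while tokens are enabled, may omit it when
  * disable_security_token is set or tokens are globally off, and a token-less link must be
  * rejected with 400 once tokens are enabled again.
  *
  * assertEquals() takes the expected value first; the previous argument order produced
  * misleading failure messages.
  */
 public function testSecurityToken()
 {
     // Remember the global token state so it can be restored at the end
     $enabled = SecurityToken::is_enabled();

     // enable security tokens
     SecurityToken::enable();
     $productId = $this->mp3player->ID;

     // link should contain the security-token
     $link = ShoppingCart_Controller::add_item_link($this->mp3player);
     $this->assertRegExp('{^shoppingcart/add/Product/' . $productId . '\\?SecurityID=[a-f0-9]+$}', $link);
     // should redirect back to the shop
     $response = $this->get($link);
     $this->assertEquals(302, $response->getStatusCode());

     // disable security token for cart-links
     Config::inst()->update('ShoppingCart_Controller', 'disable_security_token', true);
     $link = ShoppingCart_Controller::add_item_link($this->mp3player);
     $this->assertEquals('shoppingcart/add/Product/' . $productId, $link);
     // should redirect back to the shop
     $response = $this->get($link);
     $this->assertEquals(302, $response->getStatusCode());

     // tokens globally off: links stay token-less and are still accepted
     SecurityToken::disable();
     Config::inst()->update('ShoppingCart_Controller', 'disable_security_token', false);
     $link = ShoppingCart_Controller::add_item_link($this->mp3player);
     $this->assertEquals('shoppingcart/add/Product/' . $productId, $link);
     // should redirect back to the shop
     $response = $this->get($link);
     $this->assertEquals(302, $response->getStatusCode());

     // the token-less link must be refused once tokens are enabled again
     SecurityToken::enable();
     // should now return a 400 status
     $response = $this->get($link);
     $this->assertEquals(400, $response->getStatusCode());

     // restore previous setting
     if (!$enabled) {
         SecurityToken::disable();
     }
 }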
 /**
  * Builds the cache key of this form
  *
  * The key is assembled from the form name, a hash of the custom parameters, a hash of the
  * request values for each form field, hashes of the field definition values, the current
  * locale when Translatable is present, the SecurityID while CSRF tokens are enabled, and an
  * optional cache key extension. The result is stored in $this->cacheKey.
  * 
  * @return void
  * 
  * @author Sebastian Diel <*****@*****.**>
  * @since 26.11.2014
  */
 public function buildCacheKey()
 {
     $customParameters = $this->getCustomParameters();
     $request = $this->controller->getRequest();
     $requestString = '';
     $formFieldString = '';
     $formFields = $this->getFormFields();
     // The key always starts with the form name
     $this->cacheKey = $this->name;
     // Custom parameters are folded in as one "name:value;" string and hashed
     if (count($customParameters) > 0) {
         $customParameterString = '';
         foreach ($customParameters as $parameterName => $parameterValue) {
             $customParameterString .= $parameterName . ':' . $parameterValue . ';';
         }
         $this->cacheKey .= sha1($customParameterString);
     }
     if (!is_null($request)) {
         foreach ($formFields as $fieldName => $fieldDefinition) {
             // NOTE(review): the same value is passed for both arguments — confirm against the
             // signature of addRequiredFieldParams()
             $this->addRequiredFieldParams($fieldDefinition, $fieldDefinition);
             // NOTE(review): assumes array access on the request yields null for absent fields
             // without a notice — confirm with the request class in use
             $requestString .= $fieldName . ':' . $request[$fieldName] . ';';
             // Only string and array values contribute to the field-definition part of the key
             $fieldDefinitionValue = $fieldDefinition['value'];
             if (is_string($fieldDefinitionValue)) {
                 $formFieldString .= $fieldName . ':' . $fieldDefinitionValue . ';';
             } elseif (is_array($fieldDefinitionValue)) {
                 $formFieldString .= $fieldName . ':' . implode('-', $fieldDefinitionValue) . ';';
             }
         }
     }
     // Keep cached output locale-specific when Translatable is installed
     if (class_exists('Translatable')) {
         $requestString .= '_' . Translatable::get_current_locale();
     }
     $this->cacheKey .= sha1($requestString);
     // Both a sha1 and an md5 of the same field string are appended (the md5 adds no new information)
     $this->cacheKey .= sha1($formFieldString);
     $this->cacheKey .= md5($formFieldString);
     // With CSRF tokens enabled the SecurityID becomes part of the key, presumably so a cached
     // rendering is never served with another session's token
     if (SecurityToken::is_enabled()) {
         $this->cacheKey .= $this->getSecurityID();
     }
     if ($this->hasCacheKeyExtension()) {
         $this->cacheKey .= $this->getCacheKeyExtension();
     }
 }
 public function setUp()
 {
     parent::setUp();
     // Record the global CSRF-token state as it was before this test touched it
     $this->useToken = SecurityToken::is_enabled();
 }