/**
 * The static enable()/disable() switches must be reflected by is_enabled().
 *
 * The token is expected to be enabled when the test starts (tearDown re-enables
 * it), and is left enabled again at the end.
 */
public function testIsEnabledStatic()
{
    $this->assertTrue(SecurityToken::is_enabled());

    SecurityToken::disable();
    $this->assertFalse(SecurityToken::is_enabled());

    // Re-enable so later tests in this class start from the expected state.
    SecurityToken::enable();
    $this->assertTrue(SecurityToken::is_enabled());
}
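/**
 * Form actions submitted through the form's POST handler are accepted even when
 * they are not listed in $allowed_actions, provided a valid CSRF token is sent;
 * without the token the handler answers 400. Controller actions reached through
 * the form handler still have to be in $allowed_actions (403 otherwise).
 * Direct URL invocation is governed by $allowed_actions alone and is not
 * CSRF-protected.
 */
public function testFormActionsCanBypassAllowedActions()
{
    SecurityToken::enable();

    $controller = 'RequestHandlingTest_FormActionController';
    $formUrl = $controller . '/Form';

    // Render the form once so the session has a CSRF token we can reuse below.
    $response = $this->get($controller);
    $this->assertEquals(200, $response->getStatusCode());
    $tokenEls = $this->cssParser()->getBySelector('#Form_Form_SecurityID');
    // Guard the index access: a missing token field would otherwise surface as an
    // undefined-offset notice instead of a clear assertion failure.
    $this->assertNotEmpty($tokenEls, 'Security token field #Form_Form_SecurityID should be rendered');
    $securityId = (string) $tokenEls[0]['value'];

    // Form action, not in $allowed_actions, no token.
    $data = array('action_formaction' => 1);
    $response = $this->post($formUrl, $data);
    $this->assertEquals(400, $response->getStatusCode(),
        'Should fail: Invocation through POST form handler, not contained in $allowed_actions, without CSRF token');

    // Controller action (not a form action), not in $allowed_actions, with token.
    $data = array('action_disallowedcontrollermethod' => 1, 'SecurityID' => $securityId);
    $response = $this->post($formUrl, $data);
    $this->assertEquals(403, $response->getStatusCode(),
        'Should fail: Invocation through POST form handler, controller action instead of form action,'
        . ' not contained in $allowed_actions, with CSRF token');

    // Form action, not in $allowed_actions, with token.
    $data = array('action_formaction' => 1, 'SecurityID' => $securityId);
    $response = $this->post($formUrl, $data);
    $this->assertEquals(200, $response->getStatusCode());
    $this->assertEquals('formaction', $response->getBody(),
        'Should pass: Invocation through POST form handler, not contained in $allowed_actions, with CSRF token');

    // Controller action, in $allowed_actions, with token.
    $data = array('action_controlleraction' => 1, 'SecurityID' => $securityId);
    $response = $this->post($formUrl, $data);
    $this->assertEquals(200, $response->getStatusCode(),
        'Should pass: Invocation through POST form handler, controller action instead of form action, contained in'
        . ' $allowed_actions, with CSRF token');

    // Form action, in $allowed_actions, no token: the CSRF check still applies.
    $data = array('action_formactionInAllowedActions' => 1);
    $response = $this->post($formUrl, $data);
    $this->assertEquals(400, $response->getStatusCode(),
        'Should fail: Invocation through POST form handler, contained in $allowed_actions, without CSRF token');

    // Form action, in $allowed_actions, with token.
    $data = array('action_formactionInAllowedActions' => 1, 'SecurityID' => $securityId);
    $response = $this->post($formUrl, $data);
    $this->assertEquals(200, $response->getStatusCode(),
        'Should pass: Invocation through POST form handler, contained in $allowed_actions, with CSRF token');

    // Direct URL, not in $allowed_actions: not routable at all.
    $data = array();
    $response = $this->post($controller . '/formaction', $data);
    $this->assertEquals(404, $response->getStatusCode(),
        'Should fail: Invocation through POST URL, not contained in $allowed_actions, without CSRF token');

    // Direct URL, in $allowed_actions, no token: CSRF protection does not apply to direct requests.
    $data = array();
    $response = $this->post($controller . '/formactionInAllowedActions', $data);
    $this->assertEquals(200, $response->getStatusCode(),
        'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, without CSRF token');

    // Direct URL, in $allowed_actions, with token: the token is simply ignored.
    $data = array('SecurityID' => $securityId);
    $response = $this->post($controller . '/formactionInAllowedActions', $data);
    $this->assertEquals(200, $response->getStatusCode(),
        'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, with CSRF token');

    // Repeated after the token-bearing request: a token-less direct request must still pass.
    $data = array();
    $response = $this->post($controller . '/formactionInAllowedActions', $data);
    $this->assertEquals(200, $response->getStatusCode(),
        'Should pass: Invocation of form action through POST URL, contained in $allowed_actions, without CSRF token');

    SecurityToken::disable();
}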
/**
 * Re-enable the global security token (tests in this class disable it) before
 * the parent tear-down, then drop the test session.
 */
public function tearDown()
{
    // Prevents a test that left CSRF checks off from affecting the next one.
    SecurityToken::enable();

    parent::tearDown();

    unset($this->mainSession);
}
/**
 * Form::disableSecurityToken() must turn off the token reported by
 * getSecurityToken() on that form.
 */
public function testDisableSecurityToken()
{
    SecurityToken::enable();

    $form = $this->getStubForm();
    $this->assertTrue($form->getSecurityToken()->isEnabled());

    $form->disableSecurityToken();
    $this->assertFalse($form->getSecurityToken()->isEnabled());

    // restore original global state
    SecurityToken::disable();
}
/**
 * Re-enable the global security token, run the parent tear-down, drop the test
 * session, and put the original theme back when themes were disabled.
 */
public function tearDown()
{
    // Prevents a test that left CSRF checks off from affecting the next one.
    SecurityToken::enable();

    parent::tearDown();

    unset($this->mainSession);

    // NOTE(review): presumably setUp captured $this->originalTheme under the same
    // get_disable_themes() condition — confirm before relying on it being set.
    if (static::get_disable_themes()) {
        Config::inst()->update('SSViewer', 'theme', $this->originalTheme);
    }
}