2008-05-30 11:40:08 +00:00
< ? php
/**
2009-03-18 17:55:58 +00:00
* SecurityComponentTest file
2008-05-30 11:40:08 +00:00
*
2017-06-10 22:15:34 +00:00
* CakePHP ( tm ) Tests < https :// book . cakephp . org / 2.0 / en / development / testing . html >
2017-06-10 22:10:52 +00:00
* Copyright ( c ) Cake Software Foundation , Inc . ( https :// cakefoundation . org )
2008-05-30 11:40:08 +00:00
*
2010-10-03 16:31:21 +00:00
* Licensed under The MIT License
2013-02-08 12:22:51 +00:00
* For full copyright and license information , please see the LICENSE . txt
2010-10-03 16:31:21 +00:00
* Redistributions of files must retain the above copyright notice
2008-05-30 11:40:08 +00:00
*
2017-06-10 22:10:52 +00:00
* @ copyright Copyright ( c ) Cake Software Foundation , Inc . ( https :// cakefoundation . org )
2017-06-10 22:15:34 +00:00
* @ link https :// book . cakephp . org / 2.0 / en / development / testing . html CakePHP ( tm ) Tests
2011-07-26 06:16:14 +00:00
* @ package Cake . Test . Case . Controller . Component
2008-10-30 17:30:26 +00:00
* @ since CakePHP ( tm ) v 1.2 . 0.5435
2017-06-10 22:23:14 +00:00
* @ license https :// opensource . org / licenses / mit - license . php MIT License
2008-05-30 11:40:08 +00:00
*/
2011-01-28 06:32:33 +00:00
App :: uses ( 'SecurityComponent' , 'Controller/Component' );
2010-12-09 05:55:24 +00:00
App :: uses ( 'Controller' , 'Controller' );
2022-12-31 01:56:11 +00:00
App :: uses ( 'CakeRequest' , 'Network' );
2009-07-24 19:18:37 +00:00
2008-07-04 14:18:01 +00:00
/**
2012-03-12 02:20:25 +00:00
* TestSecurityComponent
*
* @ package Cake . Test . Case . Controller . Component
*/
2008-07-04 14:18:01 +00:00
class TestSecurityComponent extends SecurityComponent {
2009-07-24 19:18:37 +00:00
2009-03-18 17:55:58 +00:00
/**
* validatePost method
*
* @ param Controller $controller
2014-07-03 13:36:42 +00:00
* @ return bool
2009-03-18 17:55:58 +00:00
*/
2012-02-23 14:06:25 +00:00
public function validatePost ( Controller $controller ) {
2008-09-16 01:39:20 +00:00
return $this -> _validatePost ( $controller );
2008-07-04 14:18:01 +00:00
}
2012-03-12 02:20:25 +00:00
2016-10-16 11:20:11 +00:00
/**
* authRequired method
*
* @ param Controller $controller
* @ return bool
*/
public function authRequired ( Controller $controller ) {
return $this -> _authRequired ( $controller );
}
2016-10-16 13:28:28 +00:00
/**
* methodRequired method
*
* @ param Controller $controller
* @ return bool
*/
public function methodsRequired ( Controller $controller ) {
return $this -> _methodsRequired ( $controller );
}
2008-07-04 14:18:01 +00:00
}
2009-07-24 19:18:37 +00:00
2008-05-30 11:40:08 +00:00
/**
2012-03-12 02:20:25 +00:00
* SecurityTestController
*
* @ package Cake . Test . Case . Controller . Component
*/
2008-05-30 11:40:08 +00:00
class SecurityTestController extends Controller {
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* components property
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ var array
*/
2010-04-04 07:14:00 +00:00
public $components = array ( 'Session' , 'TestSecurity' );
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* failed property
2008-07-04 14:18:01 +00:00
*
2014-07-03 13:36:42 +00:00
* @ var bool
2008-06-02 19:22:55 +00:00
*/
2010-04-04 07:14:00 +00:00
public $failed = false ;
2009-07-24 19:18:37 +00:00
2008-11-10 17:18:00 +00:00
/**
* Used for keeping track of headers in test
*
* @ var array
*/
2010-04-04 07:14:00 +00:00
public $testHeaders = array ();
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* fail method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function fail () {
2008-05-30 11:40:08 +00:00
$this -> failed = true ;
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* redirect method
2008-07-04 14:18:01 +00:00
*
2012-05-13 00:43:31 +00:00
* @ param string | array $url
2008-07-04 14:18:01 +00:00
* @ param mixed $code
* @ param mixed $exit
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function redirect ( $url , $status = null , $exit = true ) {
2010-12-18 05:03:03 +00:00
return $status ;
2008-05-30 11:40:08 +00:00
}
2009-07-24 19:18:37 +00:00
2008-11-10 17:18:00 +00:00
/**
2012-02-23 23:29:53 +00:00
* Convenience method for header ()
2008-11-10 17:18:00 +00:00
*
* @ param string $status
* @ return void
*/
2010-04-05 03:19:38 +00:00
public function header ( $status ) {
2008-11-10 17:18:00 +00:00
$this -> testHeaders [] = $status ;
}
2012-03-12 02:20:25 +00:00
2008-05-30 11:40:08 +00:00
}
2009-07-24 19:18:37 +00:00
2012-07-03 12:23:21 +00:00
class BrokenCallbackController extends Controller {
public $name = 'UncallableCallback' ;
public $components = array ( 'Session' , 'TestSecurity' );
public function index () {
}
protected function _fail () {
}
}
2008-05-30 11:40:08 +00:00
/**
2009-03-18 17:55:58 +00:00
* SecurityComponentTest class
2008-05-30 11:40:08 +00:00
*
2011-07-26 06:16:14 +00:00
* @ package Cake . Test . Case . Controller . Component
2008-05-30 11:40:08 +00:00
*/
class SecurityComponentTest extends CakeTestCase {
2009-07-24 19:18:37 +00:00
2009-03-18 17:55:58 +00:00
/**
* Controller property
*
* @ var SecurityTestController
*/
2010-04-04 07:14:00 +00:00
public $Controller ;
2009-07-24 19:18:37 +00:00
2009-03-18 17:55:58 +00:00
/**
* oldSalt property
*
* @ var string
*/
2010-04-04 07:14:00 +00:00
public $oldSalt ;
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* setUp method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2022-12-28 07:03:39 +00:00
public function setUp () : void {
2010-09-26 01:36:49 +00:00
parent :: setUp ();
2011-10-28 05:01:17 +00:00
2014-04-26 11:59:09 +00:00
$request = $this -> getMock ( 'CakeRequest' , array ( 'here' ), array ( 'posts/index' , false ));
2010-09-15 02:20:30 +00:00
$request -> addParams ( array ( 'controller' => 'posts' , 'action' => 'index' ));
2014-04-26 02:05:58 +00:00
$request -> expects ( $this -> any ())
-> method ( 'here' )
-> will ( $this -> returnValue ( '/posts/index' ));
2010-09-15 02:20:30 +00:00
$this -> Controller = new SecurityTestController ( $request );
2010-07-05 00:34:07 +00:00
$this -> Controller -> Components -> init ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$this -> Controller -> Security = $this -> Controller -> TestSecurity ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> blackHoleCallback = 'fail' ;
2010-09-30 04:06:38 +00:00
$this -> Security = $this -> Controller -> Security ;
2010-10-01 04:13:34 +00:00
$this -> Security -> csrfCheck = false ;
2010-09-26 01:36:49 +00:00
2008-09-24 23:02:14 +00:00
Configure :: write ( 'Security.salt' , 'foo!' );
}
2009-07-24 19:18:37 +00:00
2008-09-24 23:02:14 +00:00
/**
2009-03-18 17:55:58 +00:00
* Tear - down method . Resets environment state .
2008-09-24 23:02:14 +00:00
*
* @ return void
*/
2022-12-28 07:03:39 +00:00
public function tearDown () : void {
2010-09-26 01:36:49 +00:00
parent :: tearDown ();
2009-10-21 11:00:51 +00:00
$this -> Controller -> Session -> delete ( '_Token' );
2018-01-15 15:43:16 +00:00
$this -> Controller -> Session -> destroy ();
2008-09-24 23:02:14 +00:00
unset ( $this -> Controller -> Security );
unset ( $this -> Controller -> Component );
unset ( $this -> Controller );
2008-05-30 11:40:08 +00:00
}
2009-07-24 19:18:37 +00:00
2016-10-16 11:20:11 +00:00
public function validatePost ( $expectedException = null , $expectedExceptionMessage = null ) {
try {
return $this -> Controller -> Security -> validatePost ( $this -> Controller );
} catch ( SecurityException $ex ) {
$this -> assertInstanceOf ( $expectedException , $ex );
$this -> assertEquals ( $expectedExceptionMessage , $ex -> getMessage ());
return false ;
}
}
2012-07-03 12:23:21 +00:00
/**
* Test that requests are still blackholed when controller has incorrect
* visibility keyword in the blackhole callback
*
2014-04-02 01:02:37 +00:00
* @ return void
2012-07-03 12:23:21 +00:00
*/
public function testBlackholeWithBrokenCallback () {
2022-12-31 04:13:42 +00:00
$this -> expectException ( BadRequestException :: class );
2012-07-03 12:23:21 +00:00
$request = new CakeRequest ( 'posts/index' , false );
$request -> addParams ( array (
'controller' => 'posts' , 'action' => 'index' )
);
$this -> Controller = new BrokenCallbackController ( $request );
$this -> Controller -> Components -> init ( $this -> Controller );
$this -> Controller -> Security = $this -> Controller -> TestSecurity ;
$this -> Controller -> Security -> blackHoleCallback = '_fail' ;
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> Controller -> Security -> blackHole ( $this -> Controller , 'csrf' );
}
2012-12-29 16:43:06 +00:00
/**
* Ensure that directly requesting the blackholeCallback as the controller
* action results in an exception .
*
* @ return void
*/
public function testExceptionWhenActionIsBlackholeCallback () {
$this -> Controller -> request -> addParams ( array (
'controller' => 'posts' ,
'action' => 'fail'
));
$this -> assertFalse ( $this -> Controller -> failed );
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed , 'Request was blackholed.' );
}
2009-12-17 03:39:01 +00:00
/**
2012-02-23 23:29:53 +00:00
* test that initialize can set properties .
2009-12-17 03:39:01 +00:00
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testConstructorSettingProperties () {
2009-12-17 03:39:01 +00:00
$settings = array (
'requirePost' => array ( 'edit' , 'update' ),
'requireSecure' => array ( 'update_account' ),
'requireGet' => array ( 'index' ),
'validatePost' => false ,
);
2010-07-31 19:49:10 +00:00
$Security = new SecurityComponent ( $this -> Controller -> Components , $settings );
2009-12-17 03:39:01 +00:00
$this -> Controller -> Security -> initialize ( $this -> Controller , $settings );
2011-11-16 00:07:56 +00:00
$this -> assertEquals ( $Security -> requirePost , $settings [ 'requirePost' ]);
$this -> assertEquals ( $Security -> requireSecure , $settings [ 'requireSecure' ]);
$this -> assertEquals ( $Security -> requireGet , $settings [ 'requireGet' ]);
$this -> assertEquals ( $Security -> validatePost , $settings [ 'validatePost' ]);
2009-12-17 03:39:01 +00:00
}
2008-06-02 19:22:55 +00:00
/**
* testStartup method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testStartup () {
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$result = $this -> Controller -> params [ '_Token' ][ 'key' ];
$this -> assertNotNull ( $result );
$this -> assertTrue ( $this -> Controller -> Session -> check ( '_Token' ));
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequirePostFail method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequirePostFail () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'GET' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'posted' ;
2009-12-02 22:56:52 +00:00
$this -> Controller -> Security -> requirePost ( array ( 'posted' ));
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequirePostSucceed method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequirePostSucceed () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'posted' ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> requirePost ( 'posted' );
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2010-10-01 04:13:34 +00:00
$this -> Security -> startup ( $this -> Controller );
2008-05-30 11:40:08 +00:00
$this -> assertFalse ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequireSecureFail method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequireSecureFail () {
2009-10-31 17:41:16 +00:00
$_SERVER [ 'HTTPS' ] = 'off' ;
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'posted' ;
2009-12-02 22:56:52 +00:00
$this -> Controller -> Security -> requireSecure ( array ( 'posted' ));
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequireSecureSucceed method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequireSecureSucceed () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'Secure' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'posted' ;
2008-10-23 03:18:08 +00:00
$_SERVER [ 'HTTPS' ] = 'on' ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> requireSecure ( 'posted' );
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertFalse ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequireAuthFail method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequireAuthFail () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'AUTH' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'posted' ;
$this -> Controller -> request -> data = array ( 'username' => 'willy' , 'password' => 'somePass' );
2009-12-02 22:56:52 +00:00
$this -> Controller -> Security -> requireAuth ( array ( 'posted' ));
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed );
2010-09-30 04:26:44 +00:00
$this -> Controller -> Session -> write ( '_Token' , array ( 'allowedControllers' => array ()));
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array ( 'username' => 'willy' , 'password' => 'somePass' );
$this -> Controller -> request [ 'action' ] = 'posted' ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> requireAuth ( 'posted' );
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed );
2010-09-30 04:26:44 +00:00
$this -> Controller -> Session -> write ( '_Token' , array (
2008-09-24 23:02:14 +00:00
'allowedControllers' => array ( 'SecurityTest' ), 'allowedActions' => array ( 'posted2' )
2010-09-30 04:26:44 +00:00
));
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array ( 'username' => 'willy' , 'password' => 'somePass' );
$this -> Controller -> request [ 'action' ] = 'posted' ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> requireAuth ( 'posted' );
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequireAuthSucceed method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequireAuthSucceed () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'AUTH' ;
2016-01-21 02:17:27 +00:00
$this -> Controller -> Security -> unlockedActions = array ( 'posted' );
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'posted' ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> requireAuth ( 'posted' );
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertFalse ( $this -> Controller -> failed );
2010-09-30 04:26:44 +00:00
$this -> Controller -> Security -> Session -> write ( '_Token' , array (
2016-01-21 02:17:27 +00:00
'allowedControllers' => array ( 'SecurityTest' ),
'allowedActions' => array ( 'posted' )
2010-09-30 04:26:44 +00:00
));
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'controller' ] = 'SecurityTest' ;
$this -> Controller -> request [ 'action' ] = 'posted' ;
2008-05-30 11:40:08 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2016-01-21 02:17:27 +00:00
'username' => 'willy' ,
'password' => 'somePass' ,
'_Token' => ''
2008-09-24 23:02:14 +00:00
);
2008-05-30 11:40:08 +00:00
$this -> Controller -> action = 'posted' ;
$this -> Controller -> Security -> requireAuth ( 'posted' );
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertFalse ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequirePostSucceedWrongMethod method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequirePostSucceedWrongMethod () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'GET' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'getted' ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> requirePost ( 'posted' );
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertFalse ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequireGetFail method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequireGetFail () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'getted' ;
2009-12-02 22:56:52 +00:00
$this -> Controller -> Security -> requireGet ( array ( 'getted' ));
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequireGetSucceed method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequireGetSucceed () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'GET' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'getted' ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> requireGet ( 'getted' );
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertFalse ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequireGetSucceedWrongMethod method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequireGetSucceedWrongMethod () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'posted' ;
2010-10-01 04:13:34 +00:00
$this -> Security -> requireGet ( 'getted' );
2017-05-06 12:43:51 +00:00
$this -> Security -> validatePost = false ;
2010-10-01 04:13:34 +00:00
$this -> Security -> startup ( $this -> Controller );
2008-05-30 11:40:08 +00:00
$this -> assertFalse ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequirePutFail method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequirePutFail () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'putted' ;
2009-12-02 22:56:52 +00:00
$this -> Controller -> Security -> requirePut ( array ( 'putted' ));
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequirePutSucceed method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequirePutSucceed () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'PUT' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'putted' ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> requirePut ( 'putted' );
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertFalse ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequirePutSucceedWrongMethod method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequirePutSucceedWrongMethod () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'posted' ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> requirePut ( 'putted' );
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertFalse ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequireDeleteFail method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequireDeleteFail () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'deleted' ;
2009-12-02 22:56:52 +00:00
$this -> Controller -> Security -> requireDelete ( array ( 'deleted' , 'other_method' ));
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequireDeleteSucceed method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequireDeleteSucceed () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'DELETE' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'deleted' ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> requireDelete ( 'deleted' );
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertFalse ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testRequireDeleteSucceedWrongMethod method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testRequireDeleteSucceedWrongMethod () {
2008-05-30 11:40:08 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request [ 'action' ] = 'posted' ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> requireDelete ( 'deleted' );
2017-05-06 12:43:51 +00:00
$this -> Controller -> Security -> validatePost = false ;
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertFalse ( $this -> Controller -> failed );
}
2009-07-24 19:18:37 +00:00
2016-01-21 02:17:27 +00:00
/**
* Test that validatePost fires on GET with request data .
* This could happen when method overriding is used .
*
* @ return void
*/
public function testValidatePostOnGetWithData () {
$_SERVER [ 'REQUEST_METHOD' ] = 'GET' ;
$this -> Controller -> Security -> startup ( $this -> Controller );
$fields = 'an-invalid-token' ;
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$unlocked = '' ;
$debug = urlencode ( json_encode ( array (
'some-action' ,
array (),
array ()
)));
2016-01-21 02:17:27 +00:00
2016-01-29 02:50:56 +00:00
$this -> Controller -> request -> data = array (
2016-01-21 02:17:27 +00:00
'Model' => array ( 'username' => 'nate' , 'password' => 'foo' , 'valid' => '0' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'fields' , 'unlocked' , 'debug' )
2016-01-29 02:50:56 +00:00
);
2016-01-21 02:17:27 +00:00
$this -> assertFalse ( $this -> Controller -> failed , 'Should not be failed yet' );
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed , 'Should fail because of validatePost.' );
}
2008-09-24 23:02:14 +00:00
/**
* Simple hash validation test
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidatePost () {
2008-09-24 23:02:14 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-12-11 03:24:31 +00:00
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = '01c1f6dbba02ac6f21b229eab1cc666839b14303%3AModel.valid' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = '' ;
2008-09-24 23:02:14 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'Model' => array ( 'username' => 'nate' , 'password' => 'foo' , 'valid' => '0' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-09-24 23:02:14 +00:00
);
2016-10-16 11:20:11 +00:00
$this -> assertTrue ( $this -> validatePost ( $this -> Controller ));
2008-09-24 23:02:14 +00:00
}
2009-07-24 19:18:37 +00:00
2011-07-30 14:44:28 +00:00
/**
* Test that validatePost fails if you are missing the session information .
*
* @ return void
*/
2011-08-17 02:40:38 +00:00
public function testValidatePostNoSession () {
2011-07-30 14:44:28 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> Controller -> Session -> delete ( '_Token' );
2016-10-16 11:20:11 +00:00
$unlocked = '' ;
$debug = urlencode ( json_encode ( array (
'/posts/index' ,
array (),
array ()
)));
2011-07-30 14:44:28 +00:00
$key = $this -> Controller -> params [ '_Token' ][ 'key' ];
$fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid' ;
$this -> Controller -> data = array (
'Model' => array ( 'username' => 'nate' , 'password' => 'foo' , 'valid' => '0' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2011-07-30 14:44:28 +00:00
);
2016-10-16 11:20:11 +00:00
$this -> assertFalse ( $this -> validatePost ( 'AuthSecurityException' , 'Unexpected field \'Model.password\' in POST data, Unexpected field \'Model.username\' in POST data' ));
2011-07-30 14:44:28 +00:00
}
2009-11-08 19:12:18 +00:00
/**
* test that validatePost fails if any of its required fields are missing .
*
* @ return void
2009-11-14 12:19:25 +00:00
*/
2011-05-30 20:02:32 +00:00
public function testValidatePostFormHacking () {
2009-11-08 19:12:18 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$key = $this -> Controller -> params [ '_Token' ][ 'key' ];
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2009-11-08 19:12:18 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2009-11-08 19:12:18 +00:00
'Model' => array ( 'username' => 'nate' , 'password' => 'foo' , 'valid' => '0' ),
2011-06-15 02:01:59 +00:00
'_Token' => compact ( 'key' , 'unlocked' )
2009-11-08 19:12:18 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ( 'AuthSecurityException' , '\'_Token.fields\' was not found in request data.' );
2009-11-08 19:12:18 +00:00
$this -> assertFalse ( $result , 'validatePost passed when fields were missing. %s' );
}
2010-10-02 21:16:40 +00:00
2017-05-06 12:43:51 +00:00
/**
* testValidatePostEmptyForm method
*
* Test that validatePost fails if empty form is submitted .
*
* @ return void
*/
public function testValidatePostEmptyForm () {
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
$this -> Controller -> request -> data = array ();
$this -> Controller -> Security -> startup ( $this -> Controller );
$result = $this -> validatePost ( 'AuthSecurityException' , '\'_Token\' was not found in request data.' );
$this -> assertFalse ( $result , 'validatePost passed when empty form is submitted' );
}
2010-11-08 01:53:04 +00:00
/**
2011-10-28 05:01:17 +00:00
* Test that objects can ' t be passed into the serialized string . This was a vector for RFI and LFI
2010-11-08 01:53:04 +00:00
* attacks . Thanks to Felix Wilhelm
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidatePostObjectDeserialize () {
2010-11-08 01:53:04 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-11-17 02:48:13 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2010-11-08 01:53:04 +00:00
$fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = urlencode ( json_encode ( array (
'/posts/index' ,
array ( 'Model.password' , 'Model.username' , 'Model.valid' ),
array ()
)));
2010-11-08 01:53:04 +00:00
// a corrupted serialized object, so we can see if it ever gets to deserialize
$attack = 'O:3:"App":1:{s:5:"__map";a:1:{s:3:"foo";s:7:"Hacked!";s:1:"fail"}}' ;
$fields .= urlencode ( ':' . str_rot13 ( $attack ));
2010-11-17 02:48:13 +00:00
$this -> Controller -> request -> data = array (
2010-11-08 01:53:04 +00:00
'Model' => array ( 'username' => 'mark' , 'password' => 'foo' , 'valid' => '0' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2010-11-08 01:53:04 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ( 'SecurityException' , 'Bad Request' );
2010-11-08 01:53:04 +00:00
$this -> assertFalse ( $result , 'validatePost passed when key was missing. %s' );
}
2008-12-23 08:13:00 +00:00
/**
* Tests validation of checkbox arrays
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidatePostArray () {
2008-12-23 08:13:00 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-12-11 03:24:31 +00:00
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = '38504e4a341d4e6eadb437217efd91270e558d55%3A' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = urlencode ( json_encode ( array (
'some-action' ,
array (),
array ()
)));
2008-12-23 08:13:00 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-12-23 08:13:00 +00:00
'Model' => array ( 'multi_field' => array ( '1' , '3' )),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-12-23 08:13:00 +00:00
);
2016-10-16 11:20:11 +00:00
$this -> assertTrue ( $this -> validatePost ());
2008-12-23 08:13:00 +00:00
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testValidatePostNoModel method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidatePostNoModel () {
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-12-11 03:24:31 +00:00
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = 'c5bc49a6c938c820e7e538df3d8ab7bffbc97ef9%3A' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2008-05-30 11:40:08 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'anything' => 'some_data' ,
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-09-24 23:02:14 +00:00
);
2008-05-30 11:40:08 +00:00
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-05-30 11:40:08 +00:00
$this -> assertTrue ( $result );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testValidatePostSimple method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidatePostSimple () {
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-12-11 03:24:31 +00:00
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = '5415d31b4483c1e09ddb58d2a91ba9650b12aa83%3A' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2008-05-30 11:40:08 +00:00
2014-02-11 21:38:24 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'Model' => array ( 'username' => '' , 'password' => '' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-09-24 23:02:14 +00:00
);
2008-05-30 11:40:08 +00:00
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-05-30 11:40:08 +00:00
$this -> assertTrue ( $result );
2008-09-24 23:02:14 +00:00
}
2009-07-24 19:18:37 +00:00
2008-09-24 23:02:14 +00:00
/**
* Tests hash validation for multiple records , including locked fields
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidatePostComplex () {
2008-09-24 23:02:14 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-12-11 03:24:31 +00:00
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = 'b72a99e923687687bb5e64025d3cc65e1cecced4%3AAddresses.0.id%7CAddresses.1.id' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2008-09-24 23:02:14 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'Addresses' => array (
'0' => array (
'id' => '123456' , 'title' => '' , 'first_name' => '' , 'last_name' => '' ,
'address' => '' , 'city' => '' , 'phone' => '' , 'primary' => ''
),
'1' => array (
'id' => '654321' , 'title' => '' , 'first_name' => '' , 'last_name' => '' ,
'address' => '' , 'city' => '' , 'phone' => '' , 'primary' => ''
)
),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-09-24 23:02:14 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-10-23 03:18:08 +00:00
$this -> assertTrue ( $result );
}
2009-07-24 19:18:37 +00:00
2008-10-23 03:18:08 +00:00
/**
* test ValidatePost with multiple select elements .
*
* @ return void
2009-11-14 12:19:25 +00:00
*/
2011-05-30 20:02:32 +00:00
public function testValidatePostMultipleSelect () {
2008-10-23 03:18:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-12-11 03:24:31 +00:00
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = '8a764bdb989132c1d46f9a45f64ce2da5f9eebb9%3A' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2008-10-23 03:18:08 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-10-23 03:18:08 +00:00
'Tag' => array ( 'Tag' => array ( 1 , 2 )),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' ),
2008-10-23 03:18:08 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-10-23 03:18:08 +00:00
$this -> assertTrue ( $result );
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-10-23 03:18:08 +00:00
'Tag' => array ( 'Tag' => array ( 1 , 2 , 3 )),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' ),
2008-10-23 03:18:08 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-10-23 03:18:08 +00:00
$this -> assertTrue ( $result );
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-10-23 03:18:08 +00:00
'Tag' => array ( 'Tag' => array ( 1 , 2 , 3 , 4 )),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' ),
2008-10-23 03:18:08 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-10-29 06:55:42 +00:00
$this -> assertTrue ( $result );
2014-04-26 02:05:58 +00:00
$fields = '722de3615e63fdff899e86e85e6498b11c50bb66%3A' ;
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-10-29 06:55:42 +00:00
'User.password' => 'bar' , 'User.name' => 'foo' , 'User.is_valid' => '1' ,
2011-10-28 05:01:17 +00:00
'Tag' => array ( 'Tag' => array ( 1 )),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' ),
2008-10-29 06:55:42 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-09-24 23:02:14 +00:00
$this -> assertTrue ( $result );
2008-05-30 11:40:08 +00:00
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testValidatePostCheckbox method
2008-09-12 05:11:34 +00:00
*
2008-08-29 03:11:35 +00:00
* First block tests un - checked checkbox
2008-09-12 05:11:34 +00:00
* Second block tests checked checkbox
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidatePostCheckbox () {
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = '01c1f6dbba02ac6f21b229eab1cc666839b14303%3AModel.valid' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2008-05-30 11:40:08 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'Model' => array ( 'username' => '' , 'password' => '' , 'valid' => '0' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-05-30 11:40:08 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-05-30 11:40:08 +00:00
$this -> assertTrue ( $result );
2014-04-26 02:05:58 +00:00
$fields = 'efbcf463a2c31e97c85d95eedc41dff9e9c6a026%3A' ;
2008-09-24 23:02:14 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'Model' => array ( 'username' => '' , 'password' => '' , 'valid' => '0' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-09-24 23:02:14 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-09-24 23:02:14 +00:00
$this -> assertTrue ( $result );
2008-09-12 05:11:34 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array ();
2008-08-29 03:11:35 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2008-08-29 03:11:35 +00:00
2013-01-23 12:45:50 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'Model' => array ( 'username' => '' , 'password' => '' , 'valid' => '0' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-08-29 03:11:35 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-08-29 03:11:35 +00:00
$this -> assertTrue ( $result );
2008-05-30 11:40:08 +00:00
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testValidatePostHidden method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidatePostHidden () {
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = 'baaf832a714b39a0618238ac89c7065fc8ec853e%3AModel.hidden%7CModel.other_hidden' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2008-05-30 11:40:08 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'Model' => array (
'username' => '' , 'password' => '' , 'hidden' => '0' ,
'other_hidden' => 'some hidden value'
),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-05-30 11:40:08 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-05-30 11:40:08 +00:00
$this -> assertTrue ( $result );
}
2009-07-24 19:18:37 +00:00
2008-06-02 19:22:55 +00:00
/**
* testValidatePostWithDisabledFields method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidatePostWithDisabledFields () {
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> disabledFields = array ( 'Model.username' , 'Model.password' );
2008-09-24 23:02:14 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = 'aa7f254ebd8bf2ef118bc5ca1e191d1ae96857f5%3AModel.hidden' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2008-05-30 11:40:08 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'Model' => array (
'username' => '' , 'password' => '' , 'hidden' => '0'
),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'fields' , 'key' , 'unlocked' , 'debug' )
2008-05-30 11:40:08 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-05-30 11:40:08 +00:00
$this -> assertTrue ( $result );
}
2009-07-24 19:18:37 +00:00
2011-06-10 02:48:47 +00:00
/**
2011-06-15 02:01:59 +00:00
* test validating post data with posted unlocked fields .
2011-06-10 02:48:47 +00:00
*
* @ return void
*/
public function testValidatePostDisabledFieldsInData () {
$this -> Controller -> Security -> startup ( $this -> Controller );
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2011-06-15 02:01:59 +00:00
$unlocked = 'Model.username' ;
2011-06-10 02:48:47 +00:00
$fields = array ( 'Model.hidden' , 'Model.password' );
2014-04-26 02:05:58 +00:00
$fields = urlencode ( Security :: hash (
2014-04-26 11:59:09 +00:00
'/posts/index' .
2014-04-26 02:05:58 +00:00
serialize ( $fields ) .
$unlocked .
Configure :: read ( 'Security.salt' ))
);
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2011-06-10 02:48:47 +00:00
$this -> Controller -> request -> data = array (
'Model' => array (
'username' => 'mark' ,
'password' => 'sekret' ,
'hidden' => '0'
),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'fields' , 'key' , 'unlocked' , 'debug' )
2011-06-10 02:48:47 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2011-06-10 02:48:47 +00:00
$this -> assertTrue ( $result );
}
/**
2011-06-15 02:01:59 +00:00
* test that missing 'unlocked' input causes failure
2011-06-10 02:48:47 +00:00
*
* @ return void
*/
public function testValidatePostFailNoDisabled () {
$this -> Controller -> Security -> startup ( $this -> Controller );
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
$fields = array ( 'Model.hidden' , 'Model.password' , 'Model.username' );
$fields = urlencode ( Security :: hash ( serialize ( $fields ) . Configure :: read ( 'Security.salt' )));
$this -> Controller -> request -> data = array (
'Model' => array (
'username' => 'mark' ,
'password' => 'sekret' ,
'hidden' => '0'
),
'_Token' => compact ( 'fields' , 'key' )
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ( 'SecurityException' , '\'_Token.unlocked\' was not found in request data.' );
2011-06-10 02:48:47 +00:00
$this -> assertFalse ( $result );
}
2016-10-16 11:20:11 +00:00
/**
* test that missing 'debug' input causes failure
*
* @ return void
*/
public function testValidatePostFailNoDebug () {
$this -> Controller -> Security -> startup ( $this -> Controller );
$fields = array ( 'Model.hidden' , 'Model.password' , 'Model.username' );
$fields = urlencode ( Security :: hash ( serialize ( $fields ) . Configure :: read ( 'Security.salt' )));
$unlocked = '' ;
$this -> Controller -> request -> data = array (
'Model' => array (
'username' => 'mark' ,
'password' => 'sekret' ,
'hidden' => '0'
),
'_Token' => compact ( 'fields' , 'unlocked' )
);
$result = $this -> validatePost ( 'SecurityException' , '\'_Token.debug\' was not found in request data.' );
$this -> assertFalse ( $result );
}
/**
* test that missing 'debug' input is not the problem when debug mode disabled
*
* @ return void
*/
public function testValidatePostFailNoDebugMode () {
$this -> Controller -> Security -> startup ( $this -> Controller );
$fields = array ( 'Model.hidden' , 'Model.password' , 'Model.username' );
$fields = urlencode ( Security :: hash ( serialize ( $fields ) . Configure :: read ( 'Security.salt' )));
$unlocked = '' ;
$this -> Controller -> request -> data = array (
'Model' => array (
'username' => 'mark' ,
'password' => 'sekret' ,
'hidden' => '0'
),
'_Token' => compact ( 'fields' , 'unlocked' )
);
Configure :: write ( 'debug' , false );
$result = $this -> validatePost ( 'SecurityException' , 'The request has been black-holed' );
}
2011-06-10 02:48:47 +00:00
/**
2011-06-15 02:01:59 +00:00
* Test that validatePost fails when unlocked fields are changed .
2011-06-10 02:48:47 +00:00
*
2014-04-02 01:02:37 +00:00
* @ return void
2011-06-10 02:48:47 +00:00
*/
public function testValidatePostFailDisabledFieldTampering () {
$this -> Controller -> Security -> startup ( $this -> Controller );
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2011-06-15 02:01:59 +00:00
$unlocked = 'Model.username' ;
2011-06-10 02:48:47 +00:00
$fields = array ( 'Model.hidden' , 'Model.password' );
2011-06-15 02:01:59 +00:00
$fields = urlencode ( Security :: hash ( serialize ( $fields ) . $unlocked . Configure :: read ( 'Security.salt' )));
2016-10-16 11:20:11 +00:00
$debug = urlencode ( json_encode ( array (
'/posts/index' ,
array ( 'Model.hidden' , 'Model.password' ),
array ( 'Model.username' )
)));
2011-06-10 02:48:47 +00:00
// Tamper the values.
2011-06-15 02:01:59 +00:00
$unlocked = 'Model.username|Model.password' ;
2011-06-10 02:48:47 +00:00
$this -> Controller -> request -> data = array (
'Model' => array (
'username' => 'mark' ,
'password' => 'sekret' ,
'hidden' => '0'
),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'fields' , 'key' , 'unlocked' , 'debug' )
2011-06-10 02:48:47 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ( 'SecurityException' , 'Missing field \'Model.password\' in POST data, Unexpected unlocked field \'Model.password\' in POST data' );
2011-06-10 02:48:47 +00:00
$this -> assertFalse ( $result );
}
2008-06-02 19:22:55 +00:00
/**
* testValidateHiddenMultipleModel method
2008-07-04 14:18:01 +00:00
*
2008-06-02 19:22:55 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidateHiddenMultipleModel () {
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = '38dd8a37bbb52e67ee4eb812bf1725a6a18b989b%3AModel.valid%7CModel2.valid%7CModel3.valid' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2008-09-24 23:02:14 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'Model' => array ( 'username' => '' , 'password' => '' , 'valid' => '0' ),
'Model2' => array ( 'valid' => '0' ),
'Model3' => array ( 'valid' => '0' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-05-30 11:40:08 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-05-30 11:40:08 +00:00
$this -> assertTrue ( $result );
}
2009-07-24 19:18:37 +00:00
2008-06-05 15:20:45 +00:00
/**
* testValidateHasManyModel method
2008-07-04 14:18:01 +00:00
*
2008-06-05 15:20:45 +00:00
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidateHasManyModel () {
2008-05-30 11:40:08 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = 'dcef68de6634c60d2e60484ad0e2faec003456e6%3AModel.0.hidden%7CModel.0.valid' ;
2010-11-21 04:42:54 +00:00
$fields .= '%7CModel.1.hidden%7CModel.1.valid' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2008-05-30 11:40:08 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-05-30 11:40:08 +00:00
'Model' => array (
2008-09-24 23:02:14 +00:00
array (
'username' => 'username' , 'password' => 'password' ,
'hidden' => 'value' , 'valid' => '0'
),
array (
'username' => 'username' , 'password' => 'password' ,
'hidden' => 'value' , 'valid' => '0'
)
),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-09-24 23:02:14 +00:00
);
2008-05-30 11:40:08 +00:00
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-05-30 11:40:08 +00:00
$this -> assertTrue ( $result );
}
2009-07-24 19:18:37 +00:00
2008-08-29 03:11:35 +00:00
/**
* testValidateHasManyRecordsPass method
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidateHasManyRecordsPass () {
2008-08-29 03:11:35 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = '8b6880fbbd4b69279155f899652ecffdd9b4c5a1%3AAddress.0.id%7CAddress.0.primary%7C' ;
2010-11-21 04:42:54 +00:00
$fields .= 'Address.1.id%7CAddress.1.primary' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2008-08-29 03:11:35 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-08-29 03:11:35 +00:00
'Address' => array (
0 => array (
2008-09-24 23:02:14 +00:00
'id' => '123' ,
2008-08-29 03:11:35 +00:00
'title' => 'home' ,
'first_name' => 'Bilbo' ,
'last_name' => 'Baggins' ,
'address' => '23 Bag end way' ,
'city' => 'the shire' ,
'phone' => 'N/A' ,
'primary' => '1' ,
),
1 => array (
2008-09-24 23:02:14 +00:00
'id' => '124' ,
2008-08-29 03:11:35 +00:00
'title' => 'home' ,
'first_name' => 'Frodo' ,
'last_name' => 'Baggins' ,
'address' => '50 Bag end way' ,
2008-09-12 05:11:34 +00:00
'city' => 'the shire' ,
2008-08-29 03:11:35 +00:00
'phone' => 'N/A' ,
2008-09-24 23:02:14 +00:00
'primary' => '1'
2008-08-29 03:11:35 +00:00
)
),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-08-29 03:11:35 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-08-29 03:11:35 +00:00
$this -> assertTrue ( $result );
}
2009-07-24 19:18:37 +00:00
2012-01-20 02:49:59 +00:00
/**
* Test that values like Foo . 0.1
*
* @ return void
*/
public function testValidateNestedNumericSets () {
$this -> Controller -> Security -> startup ( $this -> Controller );
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
$unlocked = '' ;
$hashFields = array ( 'TaxonomyData' );
2014-04-26 02:05:58 +00:00
$fields = urlencode (
Security :: hash (
'/posts/index' .
serialize ( $hashFields ) .
$unlocked .
Configure :: read ( 'Security.salt' ), 'sha1' )
);
2016-10-16 11:20:11 +00:00
$debug = 'not used' ;
2012-01-20 02:49:59 +00:00
$this -> Controller -> request -> data = array (
'TaxonomyData' => array (
1 => array ( array ( 2 )),
2 => array ( array ( 3 ))
),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2012-01-20 02:49:59 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2012-01-20 02:49:59 +00:00
$this -> assertTrue ( $result );
}
2008-08-29 03:11:35 +00:00
/**
* testValidateHasManyRecords method
*
* validatePost should fail , hidden fields have been changed .
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testValidateHasManyRecordsFail () {
2008-08-29 03:11:35 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2010-11-21 04:42:54 +00:00
$fields = '7a203edb3d345bbf38fe0dccae960da8842e11d7%3AAddress.0.id%7CAddress.0.primary%7C' ;
$fields .= 'Address.1.id%7CAddress.1.primary' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = urlencode ( json_encode ( array (
'/posts/index' ,
array (
'Address.0.address' ,
'Address.0.city' ,
'Address.0.first_name' ,
'Address.0.last_name' ,
'Address.0.phone' ,
'Address.0.title' ,
'Address.1.address' ,
'Address.1.city' ,
'Address.1.first_name' ,
'Address.1.last_name' ,
'Address.1.phone' ,
'Address.1.title' ,
'Address.0.id' => '123' ,
'Address.0.primary' => '5' ,
'Address.1.id' => '124' ,
'Address.1.primary' => '1'
),
array ()
)));
2008-08-29 03:11:35 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-08-29 03:11:35 +00:00
'Address' => array (
0 => array (
2008-09-24 23:02:14 +00:00
'id' => '123' ,
2008-08-29 03:11:35 +00:00
'title' => 'home' ,
'first_name' => 'Bilbo' ,
'last_name' => 'Baggins' ,
'address' => '23 Bag end way' ,
'city' => 'the shire' ,
'phone' => 'N/A' ,
2008-09-24 23:02:14 +00:00
'primary' => '5' ,
2008-08-29 03:11:35 +00:00
),
1 => array (
2008-09-24 23:02:14 +00:00
'id' => '124' ,
2008-08-29 03:11:35 +00:00
'title' => 'home' ,
'first_name' => 'Frodo' ,
'last_name' => 'Baggins' ,
'address' => '50 Bag end way' ,
2008-09-12 05:11:34 +00:00
'city' => 'the shire' ,
2008-08-29 03:11:35 +00:00
'phone' => 'N/A' ,
2008-09-24 23:02:14 +00:00
'primary' => '1'
2008-08-29 03:11:35 +00:00
)
),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-08-29 03:11:35 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ( 'SecurityException' , 'Bad Request' );
2008-08-29 03:11:35 +00:00
$this -> assertFalse ( $result );
}
2009-07-24 19:18:37 +00:00
2008-07-05 10:27:29 +00:00
/**
* testFormDisabledFields method
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testFormDisabledFields () {
2008-07-05 10:27:29 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = '216ee717efd1a251a6d6e9efbb96005a9d09f1eb%3An%3A0%3A%7B%7D' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = urlencode ( json_encode ( array (
'/posts/index' ,
array (),
array ()
)));
2008-07-05 10:27:29 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'MyModel' => array ( 'name' => 'some data' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-09-24 23:02:14 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ( 'SecurityException' , 'Unexpected field \'MyModel.name\' in POST data' );
2008-07-05 10:27:29 +00:00
$this -> assertFalse ( $result );
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> Controller -> Security -> disabledFields = array ( 'MyModel.name' );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2008-07-05 10:27:29 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2008-09-24 23:02:14 +00:00
'MyModel' => array ( 'name' => 'some data' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-09-24 23:02:14 +00:00
);
2008-07-05 10:27:29 +00:00
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-07-05 10:27:29 +00:00
$this -> assertTrue ( $result );
2008-05-30 11:40:08 +00:00
}
2009-07-24 19:18:37 +00:00
2008-11-10 17:18:00 +00:00
/**
2008-11-25 16:32:54 +00:00
* testRadio method
*
* @ return void
*/
2014-04-26 14:22:14 +00:00
public function testValidatePostRadio () {
2008-11-25 16:32:54 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2014-04-26 02:05:58 +00:00
$fields = '3be63770e7953c6d2119f5377a9303372040f66f%3An%3A0%3A%7B%7D' ;
2011-06-15 02:01:59 +00:00
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = urlencode ( json_encode ( array (
'/posts/index' ,
array (),
array ()
)));
2008-11-25 16:32:54 +00:00
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2008-11-25 16:32:54 +00:00
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ( 'SecurityException' , 'Bad Request' );
2008-11-25 16:32:54 +00:00
$this -> assertFalse ( $result );
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' ),
2008-11-25 16:32:54 +00:00
'Test' => array ( 'test' => '' )
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-11-25 16:32:54 +00:00
$this -> assertTrue ( $result );
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' ),
2008-11-25 16:32:54 +00:00
'Test' => array ( 'test' => '1' )
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-11-25 16:32:54 +00:00
$this -> assertTrue ( $result );
2010-05-29 03:57:43 +00:00
$this -> Controller -> request -> data = array (
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' ),
2008-11-25 16:32:54 +00:00
'Test' => array ( 'test' => '2' )
);
2016-10-16 11:20:11 +00:00
$result = $this -> validatePost ();
2008-11-25 16:32:54 +00:00
$this -> assertTrue ( $result );
}
2009-07-24 19:18:37 +00:00
2014-04-26 14:22:14 +00:00
/**
* test validatePost uses here () as a hash input .
*
* @ return void
*/
public function testValidatePostUrlAsHashInput () {
$this -> Controller -> Security -> startup ( $this -> Controller );
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
$fields = '5415d31b4483c1e09ddb58d2a91ba9650b12aa83%3A' ;
$unlocked = '' ;
2016-10-16 11:20:11 +00:00
$debug = urlencode ( json_encode ( array (
'another-url' ,
array ( 'Model.username' , 'Model.password' ),
array ()
)));
2014-04-26 14:22:14 +00:00
$this -> Controller -> request -> data = array (
'Model' => array ( 'username' => '' , 'password' => '' ),
2016-10-16 11:20:11 +00:00
'_Token' => compact ( 'key' , 'fields' , 'unlocked' , 'debug' )
2014-04-26 14:22:14 +00:00
);
2016-10-16 11:20:11 +00:00
$this -> assertTrue ( $this -> validatePost ());
2014-04-26 14:22:14 +00:00
$request = $this -> getMock ( 'CakeRequest' , array ( 'here' ), array ( 'articles/edit/1' , false ));
$request -> expects ( $this -> at ( 0 ))
-> method ( 'here' )
-> will ( $this -> returnValue ( '/posts/index?page=1' ));
$request -> expects ( $this -> at ( 1 ))
-> method ( 'here' )
-> will ( $this -> returnValue ( '/posts/edit/1' ));
2016-10-16 11:20:11 +00:00
$request -> data = $this -> Controller -> request -> data ;
$this -> Controller -> request = $request ;
$this -> assertFalse ( $this -> validatePost ( 'SecurityException' , 'URL mismatch in POST data (expected \'another-url\' but found \'/posts/index?page=1\')' ));
$this -> assertFalse ( $this -> validatePost ( 'SecurityException' , 'URL mismatch in POST data (expected \'another-url\' but found \'/posts/edit/1\')' ));
2014-04-26 14:22:14 +00:00
}
2009-12-19 00:05:33 +00:00
/**
* test that a requestAction ' s controller will have the _Token appended to
* the params .
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testSettingTokenForRequestAction () {
2009-12-19 00:05:33 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2010-05-29 03:57:43 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
2009-12-19 00:05:33 +00:00
$this -> Controller -> params [ 'requested' ] = 1 ;
2010-05-29 03:57:43 +00:00
unset ( $this -> Controller -> request -> params [ '_Token' ]);
2009-12-19 00:05:33 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
2011-11-16 00:07:56 +00:00
$this -> assertEquals ( $this -> Controller -> request -> params [ '_Token' ][ 'key' ], $key );
2009-12-19 00:05:33 +00:00
}
2010-01-26 18:59:26 +00:00
/**
* test that blackhole doesn ' t delete the _Token session key so repeat data submissions
* stay blackholed .
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testBlackHoleNotDeletingSessionInformation () {
2010-01-26 18:59:26 +00:00
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> Controller -> Security -> blackHole ( $this -> Controller , 'auth' );
$this -> assertTrue ( $this -> Controller -> Security -> Session -> check ( '_Token' ), '_Token was deleted by blackHole %s' );
}
2010-09-30 04:06:38 +00:00
2011-08-13 00:38:24 +00:00
/**
2011-10-28 05:01:17 +00:00
* test that csrf checks are skipped for request action .
2011-08-13 00:38:24 +00:00
*
* @ return void
*/
public function testCsrfSkipRequestAction () {
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> csrfExpires = '+10 minutes' ;
$this -> Controller -> request -> params [ 'requested' ] = 1 ;
$this -> Security -> startup ( $this -> Controller );
$this -> assertFalse ( $this -> Controller -> failed , 'fail() was called.' );
}
2010-09-30 04:06:38 +00:00
/**
2011-10-28 05:01:17 +00:00
* test setting
2010-09-30 04:06:38 +00:00
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testCsrfSettings () {
2010-09-30 04:06:38 +00:00
$this -> Security -> validatePost = false ;
2010-09-30 04:18:25 +00:00
$this -> Security -> csrfCheck = true ;
2010-09-30 04:06:38 +00:00
$this -> Security -> csrfExpires = '+10 minutes' ;
$this -> Security -> startup ( $this -> Controller );
2010-09-30 04:26:44 +00:00
2010-09-30 04:06:38 +00:00
$token = $this -> Security -> Session -> read ( '_Token' );
2012-03-23 06:37:12 +00:00
$this -> assertEquals ( 1 , count ( $token [ 'csrfTokens' ]), 'Missing the csrf token.' );
2010-09-30 04:18:25 +00:00
$this -> assertEquals ( strtotime ( '+10 minutes' ), current ( $token [ 'csrfTokens' ]), 'Token expiry does not match' );
2011-06-20 05:42:25 +00:00
$this -> assertEquals ( array ( 'key' , 'unlockedFields' ), array_keys ( $this -> Controller -> request -> params [ '_Token' ]), 'Keys don not match' );
2010-09-30 04:26:44 +00:00
}
2010-10-01 04:13:34 +00:00
/**
* Test setting multiple nonces , when startup () is called more than once , ( ie more than one request . )
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testCsrfSettingMultipleNonces () {
2010-09-30 04:26:44 +00:00
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> csrfExpires = '+10 minutes' ;
2012-02-10 17:29:25 +00:00
$csrfExpires = strtotime ( '+10 minutes' );
2010-09-30 04:26:44 +00:00
$this -> Security -> startup ( $this -> Controller );
$this -> Security -> startup ( $this -> Controller );
$token = $this -> Security -> Session -> read ( '_Token' );
2012-03-23 06:37:12 +00:00
$this -> assertEquals ( 2 , count ( $token [ 'csrfTokens' ]), 'Missing the csrf token.' );
2013-01-23 12:45:50 +00:00
foreach ( $token [ 'csrfTokens' ] as $expires ) {
2014-07-06 11:54:24 +00:00
$this -> assertWithinMargin ( $expires , $csrfExpires , 2 , 'Token expiry does not match' );
2010-09-30 04:26:44 +00:00
}
2010-09-30 04:06:38 +00:00
}
2010-10-01 04:13:34 +00:00
/**
* test that nonces are consumed by form submits .
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testCsrfNonceConsumption () {
2010-10-01 04:13:34 +00:00
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> csrfExpires = '+10 minutes' ;
2011-10-28 05:01:17 +00:00
2010-10-01 04:13:34 +00:00
$this -> Security -> Session -> write ( '_Token.csrfTokens' , array ( 'nonce1' => strtotime ( '+10 minutes' )));
2011-10-28 05:01:17 +00:00
2010-10-01 04:13:34 +00:00
$this -> Controller -> request -> params [ 'action' ] = 'index' ;
$this -> Controller -> request -> data = array (
'_Token' => array (
2010-10-02 21:16:40 +00:00
'key' => 'nonce1'
2010-10-01 04:13:34 +00:00
),
'Post' => array (
'title' => 'Woot'
)
);
$this -> Security -> startup ( $this -> Controller );
$token = $this -> Security -> Session -> read ( '_Token' );
$this -> assertFalse ( isset ( $token [ 'csrfTokens' ][ 'nonce1' ]), 'Token was not consumed' );
}
2010-10-02 04:20:58 +00:00
2014-07-06 08:39:00 +00:00
/**
* tests that reusable CSRF - token expiry is renewed
*/
public function testCsrfReusableTokenRenewal () {
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> csrfUseOnce = false ;
$csrfExpires = '+10 minutes' ;
$this -> Security -> csrfExpires = $csrfExpires ;
$this -> Security -> Session -> write ( '_Token.csrfTokens' , array ( 'token' => strtotime ( '+1 minutes' )));
$this -> Security -> startup ( $this -> Controller );
$tokens = $this -> Security -> Session -> read ( '_Token.csrfTokens' );
2014-07-06 11:54:24 +00:00
$this -> assertWithinMargin ( $tokens [ 'token' ], strtotime ( $csrfExpires ), 2 , 'Token expiry was not renewed' );
2014-07-06 08:39:00 +00:00
}
2010-10-02 04:20:58 +00:00
/**
* test that expired values in the csrfTokens are cleaned up .
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testCsrfNonceVacuum () {
2010-10-02 04:20:58 +00:00
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> csrfExpires = '+10 minutes' ;
2011-10-28 05:01:17 +00:00
2010-10-02 04:20:58 +00:00
$this -> Security -> Session -> write ( '_Token.csrfTokens' , array (
2010-10-02 22:27:39 +00:00
'valid' => strtotime ( '+30 minutes' ),
2010-10-02 04:20:58 +00:00
'poof' => strtotime ( '-11 minutes' ),
'dust' => strtotime ( '-20 minutes' )
));
$this -> Security -> startup ( $this -> Controller );
$tokens = $this -> Security -> Session -> read ( '_Token.csrfTokens' );
2010-10-02 22:27:39 +00:00
$this -> assertEquals ( 2 , count ( $tokens ), 'Too many tokens left behind' );
2023-01-07 11:03:00 +00:00
$this -> assertNotEmpty ( $tokens [ 'valid' ], 'Valid token was removed.' );
2010-10-02 04:20:58 +00:00
}
2010-10-02 21:16:40 +00:00
/**
2016-10-16 13:28:28 +00:00
* test that blackhole throws an exception when the key is missing and balckHoleCallback is not set .
*
* @ return void
*/
public function testCsrfExceptionOnMissingKey () {
2022-12-31 04:13:42 +00:00
$this -> expectException ( SecurityException :: class );
$this -> expectExceptionMessage ( " Missing CSRF token " );
2016-10-16 13:28:28 +00:00
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> blackHoleCallback = '' ;
$this -> Controller -> request -> params [ 'action' ] = 'index' ;
$this -> Controller -> request -> data = array (
'Post' => array (
'title' => 'Woot'
)
);
$this -> Security -> startup ( $this -> Controller );
}
/**
* test that when the keys are mismatched the request is blackHoled
2010-10-02 21:16:40 +00:00
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testCsrfBlackHoleOnKeyMismatch () {
2010-10-02 21:16:40 +00:00
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> csrfExpires = '+10 minutes' ;
2011-10-28 05:01:17 +00:00
2010-10-02 21:16:40 +00:00
$this -> Security -> Session -> write ( '_Token.csrfTokens' , array ( 'nonce1' => strtotime ( '+10 minutes' )));
2011-10-28 05:01:17 +00:00
2010-10-02 21:16:40 +00:00
$this -> Controller -> request -> params [ 'action' ] = 'index' ;
$this -> Controller -> request -> data = array (
'_Token' => array (
'key' => 'not the right value'
),
'Post' => array (
'title' => 'Woot'
)
);
$this -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed , 'fail() was not called.' );
}
/**
2016-10-16 13:28:28 +00:00
* test that blackhole throws an exception when the keys are mismatched and balckHoleCallback is not set .
*
* @ return void
*/
public function testCsrfExceptionOnKeyMismatch () {
2022-12-31 04:13:42 +00:00
$this -> expectException ( SecurityException :: class );
$this -> expectExceptionMessage ( " CSRF token mismatch " );
2016-10-16 13:28:28 +00:00
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> csrfExpires = '+10 minutes' ;
$this -> Security -> blackHoleCallback = '' ;
$this -> Security -> Session -> write ( '_Token.csrfTokens' , array ( 'nonce1' => strtotime ( '+10 minutes' )));
$this -> Controller -> request -> params [ 'action' ] = 'index' ;
$this -> Controller -> request -> data = array (
'_Token' => array (
'key' => 'not the right value'
),
'Post' => array (
'title' => 'Woot'
)
);
$this -> Security -> startup ( $this -> Controller );
}
/**
* test that when the key is expried the request is blackHoled
2010-10-02 21:16:40 +00:00
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testCsrfBlackHoleOnExpiredKey () {
2010-10-02 21:16:40 +00:00
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> csrfExpires = '+10 minutes' ;
$this -> Security -> Session -> write ( '_Token.csrfTokens' , array ( 'nonce1' => strtotime ( '-5 minutes' )));
$this -> Controller -> request -> params [ 'action' ] = 'index' ;
$this -> Controller -> request -> data = array (
'_Token' => array (
'key' => 'nonce1'
),
'Post' => array (
'title' => 'Woot'
)
);
$this -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> failed , 'fail() was not called.' );
}
2010-10-25 00:26:31 +00:00
2016-10-16 13:28:28 +00:00
/**
* test that blackhole throws an exception when the key is expired and balckHoleCallback is not set
*
* @ return void
*/
public function testCsrfExceptionOnExpiredKey () {
2022-12-31 04:13:42 +00:00
$this -> expectException ( SecurityException :: class );
$this -> expectExceptionMessage ( " CSRF token expired " );
2016-10-16 13:28:28 +00:00
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> csrfExpires = '+10 minutes' ;
$this -> Security -> blackHoleCallback = '' ;
$this -> Security -> Session -> write ( '_Token.csrfTokens' , array ( 'nonce1' => strtotime ( '-5 minutes' )));
$this -> Controller -> request -> params [ 'action' ] = 'index' ;
$this -> Controller -> request -> data = array (
'_Token' => array (
'key' => 'nonce1'
),
'Post' => array (
'title' => 'Woot'
)
);
$this -> Security -> startup ( $this -> Controller );
}
2010-10-25 00:26:31 +00:00
/**
* test that csrfUseOnce = false works .
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testCsrfNotUseOnce () {
2010-10-25 00:26:31 +00:00
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> csrfUseOnce = false ;
$this -> Security -> csrfExpires = '+10 minutes' ;
// Generate one token
$this -> Security -> startup ( $this -> Controller );
$token = $this -> Security -> Session -> read ( '_Token.csrfTokens' );
$this -> assertEquals ( 1 , count ( $token ), 'Should only be one token.' );
$this -> Security -> startup ( $this -> Controller );
2012-03-12 02:20:25 +00:00
$tokenTwo = $this -> Security -> Session -> read ( '_Token.csrfTokens' );
$this -> assertEquals ( 1 , count ( $tokenTwo ), 'Should only be one token.' );
$this -> assertEquals ( $token , $tokenTwo , 'Tokens should not be different.' );
2011-05-31 01:48:26 +00:00
$key = $this -> Controller -> request -> params [ '_Token' ][ 'key' ];
$this -> assertEquals ( array ( $key ), array_keys ( $token ), '_Token.key and csrfToken do not match request will blackhole.' );
2010-10-25 00:26:31 +00:00
}
2010-10-25 00:57:12 +00:00
/**
* ensure that longer session tokens are not consumed
*
* @ return void
*/
2011-05-30 20:02:32 +00:00
public function testCsrfNotUseOnceValidationLeavingToken () {
2010-10-25 00:57:12 +00:00
$this -> Security -> validatePost = false ;
$this -> Security -> csrfCheck = true ;
$this -> Security -> csrfUseOnce = false ;
$this -> Security -> csrfExpires = '+10 minutes' ;
$this -> Security -> Session -> write ( '_Token.csrfTokens' , array ( 'nonce1' => strtotime ( '+10 minutes' )));
$this -> Controller -> request = $this -> getMock ( 'CakeRequest' , array ( 'is' ));
$this -> Controller -> request -> params [ 'action' ] = 'index' ;
$this -> Controller -> request -> data = array (
'_Token' => array (
'key' => 'nonce1'
),
'Post' => array (
'title' => 'Woot'
)
);
$this -> Security -> startup ( $this -> Controller );
$token = $this -> Security -> Session -> read ( '_Token' );
$this -> assertTrue ( isset ( $token [ 'csrfTokens' ][ 'nonce1' ]), 'Token was consumed' );
}
2011-12-04 00:37:23 +00:00
/**
* Test generateToken ()
*
* @ return void
*/
public function testGenerateToken () {
$request = $this -> Controller -> request ;
$this -> Security -> generateToken ( $request );
$this -> assertNotEmpty ( $request -> params [ '_Token' ]);
2011-12-04 01:12:40 +00:00
$this -> assertTrue ( isset ( $request -> params [ '_Token' ][ 'unlockedFields' ]));
$this -> assertTrue ( isset ( $request -> params [ '_Token' ][ 'key' ]));
}
/**
* Test the limiting of CSRF tokens .
*
* @ return void
*/
public function testCsrfLimit () {
$this -> Security -> csrfLimit = 3 ;
$time = strtotime ( '+10 minutes' );
$tokens = array (
'1' => $time ,
'2' => $time ,
'3' => $time ,
'4' => $time ,
'5' => $time ,
);
$this -> Security -> Session -> write ( '_Token' , array ( 'csrfTokens' => $tokens ));
$this -> Security -> generateToken ( $this -> Controller -> request );
$result = $this -> Security -> Session -> read ( '_Token.csrfTokens' );
$this -> assertFalse ( isset ( $result [ '1' ]));
$this -> assertFalse ( isset ( $result [ '2' ]));
$this -> assertFalse ( isset ( $result [ '3' ]));
$this -> assertTrue ( isset ( $result [ '4' ]));
$this -> assertTrue ( isset ( $result [ '5' ]));
2011-12-04 00:37:23 +00:00
}
2012-08-02 04:28:24 +00:00
/**
2012-08-03 18:01:19 +00:00
* Test unlocked actions
2012-08-02 04:28:24 +00:00
*
* @ return void
*/
2012-08-03 18:01:19 +00:00
public function testUnlockedActions () {
2012-08-02 04:28:24 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
$this -> Controller -> request -> data = array ( 'data' );
2012-08-03 18:01:19 +00:00
$this -> Controller -> Security -> unlockedActions = 'index' ;
2012-08-02 04:28:24 +00:00
$this -> Controller -> Security -> blackHoleCallback = null ;
$result = $this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertNull ( $result );
}
2016-10-16 11:20:11 +00:00
/**
* Test that debug token format is right
*
* @ return void
*/
public function testValidatePostDebugFormat () {
$this -> Controller -> Security -> startup ( $this -> Controller );
$unlocked = 'Model.username' ;
$fields = array ( 'Model.hidden' , 'Model.password' );
$fields = urlencode ( Security :: hash ( serialize ( $fields ) . $unlocked . Configure :: read ( 'Security.salt' )));
$debug = urlencode ( json_encode ( array (
'/posts/index' ,
array ( 'Model.hidden' , 'Model.password' ),
array ( 'Model.username' ),
array ( 'not expected' )
)));
$this -> Controller -> request -> data = array (
'Model' => array (
'username' => 'mark' ,
'password' => 'sekret' ,
'hidden' => '0'
),
'_Token' => compact ( 'fields' , 'unlocked' , 'debug' )
);
$result = $this -> validatePost ( 'SecurityException' , 'Invalid security debug token.' );
$this -> assertFalse ( $result );
$debug = urlencode ( json_encode ( 'not an array' ));
$result = $this -> validatePost ( 'SecurityException' , 'Invalid security debug token.' );
$this -> assertFalse ( $result );
}
/**
* test blackhole will now throw passed exception if debug enabled
*
* @ return void
*/
public function testBlackholeThrowsException () {
2022-12-31 04:13:42 +00:00
$this -> expectException ( SecurityException :: class );
$this -> expectExceptionMessage ( " error description " );
2016-10-16 11:20:11 +00:00
$this -> Security -> blackHoleCallback = '' ;
$this -> Security -> blackHole ( $this -> Controller , 'auth' , new SecurityException ( 'error description' ));
}
/**
* test blackhole will throw BadRequest if debug disabled
*
* @ return void
*/
public function testBlackholeThrowsBadRequest () {
$this -> Security -> blackHoleCallback = '' ;
$message = '' ;
Configure :: write ( 'debug' , false );
try {
$this -> Security -> blackHole ( $this -> Controller , 'auth' , new SecurityException ( 'error description' ));
} catch ( SecurityException $ex ) {
$message = $ex -> getMessage ();
$reason = $ex -> getReason ();
}
$this -> assertEquals ( 'The request has been black-holed' , $message );
$this -> assertEquals ( 'error description' , $reason );
}
/**
* Test that validatePost fails with tampered fields and explanation
*
* @ return void
*/
public function testValidatePostFailTampering () {
$this -> Controller -> Security -> startup ( $this -> Controller );
$unlocked = '' ;
$fields = array ( 'Model.hidden' => 'value' , 'Model.id' => '1' );
$debug = urlencode ( json_encode ( array (
'/posts/index' ,
$fields ,
array ()
)));
$fields = urlencode ( Security :: hash ( serialize ( $fields ) . $unlocked . Configure :: read ( 'Security.salt' )));
$fields .= urlencode ( ':Model.hidden|Model.id' );
$this -> Controller -> request -> data = array (
'Model' => array (
'hidden' => 'tampered' ,
'id' => '1' ,
),
'_Token' => compact ( 'fields' , 'unlocked' , 'debug' )
);
$result = $this -> validatePost ( 'SecurityException' , 'Tampered field \'Model.hidden\' in POST data (expected value \'value\' but found \'tampered\')' );
$this -> assertFalse ( $result );
}
/**
* Test that validatePost fails with tampered fields and explanation
*
* @ return void
*/
public function testValidatePostFailTamperingMutatedIntoArray () {
$this -> Controller -> Security -> startup ( $this -> Controller );
$unlocked = '' ;
$fields = array ( 'Model.hidden' => 'value' , 'Model.id' => '1' );
$debug = urlencode ( json_encode ( array (
'/posts/index' ,
$fields ,
array ()
)));
$fields = urlencode ( Security :: hash ( serialize ( $fields ) . $unlocked . Configure :: read ( 'Security.salt' )));
$fields .= urlencode ( ':Model.hidden|Model.id' );
$this -> Controller -> request -> data = array (
'Model' => array (
'hidden' => array ( 'some-key' => 'some-value' ),
'id' => '1' ,
),
'_Token' => compact ( 'fields' , 'unlocked' , 'debug' )
);
$result = $this -> validatePost ( 'SecurityException' , 'Unexpected field \'Model.hidden.some-key\' in POST data, Missing field \'Model.hidden\' in POST data' );
$this -> assertFalse ( $result );
}
/**
* Test that debug token should not be sent if debug is disabled
*
* @ return void
*/
public function testValidatePostUnexpectedDebugToken () {
$this -> Controller -> Security -> startup ( $this -> Controller );
$unlocked = '' ;
$fields = array ( 'Model.hidden' => 'value' , 'Model.id' => '1' );
$debug = urlencode ( json_encode ( array (
'/posts/index' ,
$fields ,
array ()
)));
$fields = urlencode ( Security :: hash ( serialize ( $fields ) . $unlocked . Configure :: read ( 'Security.salt' )));
$fields .= urlencode ( ':Model.hidden|Model.id' );
$this -> Controller -> request -> data = array (
'Model' => array (
'hidden' => array ( 'some-key' => 'some-value' ),
'id' => '1' ,
),
'_Token' => compact ( 'fields' , 'unlocked' , 'debug' )
);
Configure :: write ( 'debug' , false );
$result = $this -> validatePost ( 'SecurityException' , 'Unexpected \'_Token.debug\' found in request data' );
$this -> assertFalse ( $result );
}
/**
* Auth required throws exception token not found
*
* @ return void
*/
public function testAuthRequiredThrowsExceptionTokenNotFoundPost () {
2022-12-31 04:13:42 +00:00
$this -> expectException ( AuthSecurityException :: class );
$this -> expectExceptionMessage ( " '_Token' was not found in request data. " );
2016-10-16 11:20:11 +00:00
$this -> Controller -> Security -> requireAuth = array ( 'protected' );
$this -> Controller -> request -> params [ 'action' ] = 'protected' ;
2016-10-16 13:37:12 +00:00
$this -> Controller -> request -> data = array ( 'some-key' => 'some-value' );
2016-10-16 11:20:11 +00:00
$this -> Controller -> Security -> authRequired ( $this -> Controller );
}
/**
* Auth required throws exception token not found in Session
*
* @ return void
*/
public function testAuthRequiredThrowsExceptionTokenNotFoundSession () {
2022-12-31 04:13:42 +00:00
$this -> expectException ( AuthSecurityException :: class );
$this -> expectExceptionMessage ( " '_Token' was not found in session. " );
2016-10-16 11:20:11 +00:00
$this -> Controller -> Security -> requireAuth = array ( 'protected' );
$this -> Controller -> request -> params [ 'action' ] = 'protected' ;
$this -> Controller -> request -> data = array ( '_Token' => 'not empty' );
$this -> Controller -> Security -> authRequired ( $this -> Controller );
}
/**
* Auth required throws exception controller not allowed
*
* @ return void
*/
public function testAuthRequiredThrowsExceptionControllerNotAllowed () {
2022-12-31 04:13:42 +00:00
$this -> expectException ( AuthSecurityException :: class );
$this -> expectExceptionMessage ( " Controller 'NotAllowed' was not found in allowed controllers: 'Allowed, AnotherAllowed'. " );
2016-10-16 11:20:11 +00:00
$this -> Controller -> Security -> requireAuth = array ( 'protected' );
$this -> Controller -> request -> params [ 'controller' ] = 'NotAllowed' ;
$this -> Controller -> request -> params [ 'action' ] = 'protected' ;
$this -> Controller -> request -> data = array ( '_Token' => 'not empty' );
$this -> Controller -> Session -> write ( '_Token' , array (
'allowedControllers' => array ( 'Allowed' , 'AnotherAllowed' )
));
$this -> Controller -> Security -> authRequired ( $this -> Controller );
}
/**
* Auth required throws exception controller not allowed
*
* @ return void
*/
public function testAuthRequiredThrowsExceptionActionNotAllowed () {
2022-12-31 04:13:42 +00:00
$this -> expectException ( AuthSecurityException :: class );
$this -> expectExceptionMessage ( " Action 'NotAllowed::protected' was not found in allowed actions: 'index, view'. " );
2016-10-16 11:20:11 +00:00
$this -> Controller -> Security -> requireAuth = array ( 'protected' );
$this -> Controller -> request -> params [ 'controller' ] = 'NotAllowed' ;
$this -> Controller -> request -> params [ 'action' ] = 'protected' ;
$this -> Controller -> request -> data = array ( '_Token' => 'not empty' );
$this -> Controller -> Session -> write ( '_Token' , array (
'allowedActions' => array ( 'index' , 'view' )
));
$this -> Controller -> Security -> authRequired ( $this -> Controller );
}
/**
* Auth required throws exception controller not allowed
*
* @ return void
*/
public function testAuthRequired () {
$this -> Controller -> Security -> requireAuth = array ( 'protected' );
$this -> Controller -> request -> params [ 'controller' ] = 'Allowed' ;
$this -> Controller -> request -> params [ 'action' ] = 'protected' ;
$this -> Controller -> request -> data = array ( '_Token' => 'not empty' );
$this -> Controller -> Session -> write ( '_Token' , array (
'allowedActions' => array ( 'protected' ),
'allowedControllers' => array ( 'Allowed' ),
));
$this -> assertTrue ( $this -> Controller -> Security -> authRequired ( $this -> Controller ));
}
2016-10-16 13:28:28 +00:00
/**
* Auth required throws exception controller not allowed
*
* @ return void
*/
public function testMethodsRequiredThrowsExceptionMethodNotAllowed () {
2022-12-31 04:13:42 +00:00
$this -> expectException ( SecurityException :: class );
$this -> expectExceptionMessage ( " The request method must be POST " );
2016-10-16 13:28:28 +00:00
$_SERVER [ 'REQUEST_METHOD' ] = 'GET' ;
$this -> Controller -> Security -> requirePost = array ( 'delete' );
$this -> Controller -> request -> params [ 'controller' ] = 'Test' ;
$this -> Controller -> request -> params [ 'action' ] = 'delete' ;
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> Controller -> Security -> methodsRequired ( $this -> Controller );
}
/**
* Auth required throws exception controller not allowed
*
* @ return void
*/
public function testMethodsRequired () {
$_SERVER [ 'REQUEST_METHOD' ] = 'POST' ;
$this -> Controller -> Security -> requirePost = array ( 'delete' );
$this -> Controller -> request -> params [ 'controller' ] = 'Test' ;
$this -> Controller -> request -> params [ 'action' ] = 'delete' ;
$this -> Controller -> Security -> startup ( $this -> Controller );
$this -> assertTrue ( $this -> Controller -> Security -> methodsRequired ( $this -> Controller ));
}
2008-05-30 11:40:08 +00:00
}