From f6534d2962e97b2cb22af62c9a331a44e2c08c8c Mon Sep 17 00:00:00 2001
From: Jose Lorenzo Rodriguez
Date: Mon, 28 Nov 2011 00:52:47 -0430
Subject: [PATCH] Fixing issue where changing the case for an action in the url would allow the action in the AuthComponent making it accessible to not-logged in users
---
 lib/Cake/Controller/Component/AuthComponent.php | 6 +++---
 .../Test/Case/Controller/Component/AuthComponentTest.php | 5 +++++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/Cake/Controller/Component/AuthComponent.php b/lib/Cake/Controller/Component/AuthComponent.php
index 2f3e8c58c..4c661c06a 100644
--- a/lib/Cake/Controller/Component/AuthComponent.php
+++ b/lib/Cake/Controller/Component/AuthComponent.php
@@ -268,8 +268,8 @@ class AuthComponent extends Component {
 return true;
 }
- $methods = array_flip($controller->methods);
- $action = $controller->request->params['action'];
+ $methods = array_flip(array_map('strtolower', $controller->methods));
+ $action = strtolower($controller->request->params['action']);
 $isMissingAction = (
 $controller->scaffold === false &&
@@ -296,7 +296,7 @@ class AuthComponent extends Component {
 $allowedActions = $this->allowedActions;
 $isAllowed = (
 $this->allowedActions == array('*') ||
- in_array($action, $allowedActions)
+ in_array($action, array_map('strtolower', $allowedActions))
 );
 if ($loginAction != $url && $isAllowed) {
diff --git a/lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php b/lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php
index 264bec88f..fb38364fb 100644
--- a/lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/AuthComponentTest.php
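Review bot: Both sides of the method-existence check are now folded with `strtolower`, which on PHP 5 follows the current locale, whereas PHP's own method dispatch is case-insensitive for ASCII letters only; under a single-byte locale such as tr_TR an `I` in the action name folds to a non-ASCII byte and a method that does exist can be reported as missing, so either pin the fold to ASCII (for example `strtr($action, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')`) or record the assumption above the `$methods` line: `// PHP dispatches method names case-insensitively; fold both sides so a differently-cased URL cannot bypass the allow/deny lists`. The same per-request re-mapping is repeated in the hunk at line 296; normalising once where `$controller->methods` and `$this->allowedActions` are populated would keep every comparison on a single representation, though those sites are outside this diff. The enclosing method starts and ends outside the hunk.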
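Review bot: `in_array($action, array_map('strtolower', $allowedActions))` still compares loosely, as does `$this->allowedActions == array('*')` on the line above, and `$action` is taken from the URL; passing the strict flag rules out PHP's numeric-string coercion between two string operands, `in_array($action, array_map('strtolower', $allowedActions), true)`. Lowercasing the list on every startup is harmless but duplicates the fold applied at line 268; if the list were lowercased when it is stored, this line would reduce to a plain `isset` lookup. The enclosing method continues outside the hunk.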
@@ -671,6 +671,11 @@ class AuthComponentTest extends CakeTestCase {
 $this->Controller->request->query['url'] = Router::normalize($url);
 $this->assertFalse($this->Controller->Auth->startup($this->Controller));
+
+ $url = '/auth_test/CamelCase';
+ $this->Controller->request->addParams(Router::parse($url));
+ $this->Controller->request->query['url'] = Router::normalize($url);
+ $this->assertFalse($this->Controller->Auth->startup($this->Controller));
 }
 /**
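Review bot: The new assertion covers only the deny direction — a differently-cased URL for an action that is not allowed is still rejected — while nothing pins that an action allowed under one casing stays reachable under another, so a regression that made the allow list case-sensitive again would pass this test. A companion case that allows an action in lower case, requests it as `/auth_test/Add`, and asserts `$this->assertTrue($this->Controller->Auth->startup($this->Controller));` would close that gap. The added lines also rely on `addParams()` merging over the params left by the earlier URL in the same method, which presumably already carries an `action` key; resetting the request between the two URLs would make the assertion independent of that merge order. The enclosing test method starts outside the hunk.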