Merge pull request #7839 from cakephp/issue-7828

Fix CSRF token failures in IntegrationTestCase
cakephp · Dec 13, 2015 · 11cd032 · 11cd032
2 parents d545959 + cf833c7
commit 11cd032
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 5 deletions.
diff --git a/src/ORM/Table.php b/src/ORM/Table.php
@@ -801,6 +801,10 @@ public function hasOne($associated, array $options = [])
      *   When true records will be loaded and then deleted.
      * - conditions: array with a list of conditions to filter the join with
      * - sort: The order in which results for this association should be returned
+     * - saveStrategy: Either 'append' or 'replace'. When 'append' the current records
+     *   are appended to any records in the database. When 'replace' associated records
+     *   not in the current set will be removed. If the foreign key is a null able column
+     *   or if `dependent` is true records will be orphaned.
      * - strategy: The strategy to be used for selecting results Either 'select'
      *   or 'subquery'. If subquery is selected the query used to return results
      *   in the source table will be used as conditions for getting rows in the

diff --git a/src/TestSuite/IntegrationTestCase.php b/src/TestSuite/IntegrationTestCase.php
@@ -430,12 +430,11 @@ protected function _addTokens($url, $data)
         }
 
         if ($this->_csrfToken === true) {
-            $csrfToken = Text::uuid();
-            if (!isset($data['_csrfToken'])) {
-                $data['_csrfToken'] = $csrfToken;
-            }
             if (!isset($this->_cookie['csrfToken'])) {
-                $this->_cookie['csrfToken'] = $csrfToken;
+                $this->_cookie['csrfToken'] = Text::uuid();
+            }
+            if (!isset($data['_csrfToken'])) {
+                $data['_csrfToken'] = $this->_cookie['csrfToken'];
             }
         }
         return $data;

diff --git a/tests/TestCase/TestSuite/IntegrationTestCaseTest.php b/tests/TestCase/TestSuite/IntegrationTestCaseTest.php
@@ -97,6 +97,39 @@ public function testRequestBuildingCsrfTokens()
         $this->assertSame('fale', $request->data['_csrfToken']);
     }
 
+    /**
+     * Test multiple actions using CSRF tokens don't fail
+     *
+     * @return void
+     */
+    public function testEnableCsrfMultipleRequests()
+    {
+        $this->enableCsrfToken();
+        $first = $this->_buildRequest('/tasks/add', 'POST', ['title' => 'First post']);
+        $second = $this->_buildRequest('/tasks/add', 'POST', ['title' => 'Second post']);
+        $this->assertSame($first->cookies['csrfToken'], $second->data['_csrfToken'], 'Csrf token should match cookie');
+        $this->assertSame(
+            $first->data['_csrfToken'],
+            $second->data['_csrfToken'],
+            'Tokens should be consistent per test method'
+        );
+    }
+
+    /**
+     * Test pre-determined CSRF tokens.
+     *
+     * @return void
+     */
+    public function testEnableCsrfPredeterminedCookie()
+    {
+        $this->enableCsrfToken();
+        $value = 'I am a teapot';
+        $this->cookie('csrfToken', $value);
+        $request = $this->_buildRequest('/tasks/add', 'POST', ['title' => 'First post']);
+        $this->assertSame($value, $request->cookies['csrfToken'], 'Csrf token should match cookie');
+        $this->assertSame($value, $request->data['_csrfToken'], 'Tokens should match');
+    }
+
     /**
      * Test building a request, with query parameters
      *