

Updating method name, variables, and properties to be unlocked.
This better reflects what actually happens: fields that are unlocked are not checked. It also fits the idea that secure = false means unlocked or unsecured.
markstory committed Jun 15, 2011
1 parent 3389579 commit f3f475f
Showing 2 changed files with 51 additions and 51 deletions.
54 changes: 27 additions & 27 deletions lib/Cake/Test/Case/View/Helper/FormHelperTest.php
Expand Up @@ -835,8 +835,8 @@ public function testFormSecurityFields() {
'value' => urlencode($expected), 'id' => 'preg:/TokenFields\d+/'
)),
array('input' => array(
'type' => 'hidden', 'name' => 'data[_Token][disabled]',
'value' => '', 'id' => 'preg:/TokenDisabled\d+/'
'type' => 'hidden', 'name' => 'data[_Token][unlocked]',
'value' => '', 'id' => 'preg:/TokenUnlocked\d+/'
)),
'/div'
);
Expand Down Expand Up @@ -902,8 +902,8 @@ public function testFormSecurityMultipleFields() {
'value' => $hash, 'id' => 'preg:/TokenFields\d+/'
)),
array('input' => array(
'type' => 'hidden', 'name' => 'data[_Token][disabled]',
'value' => '', 'id' => 'preg:/TokenDisabled\d+/'
'type' => 'hidden', 'name' => 'data[_Token][unlocked]',
'value' => '', 'id' => 'preg:/TokenUnlocked\d+/'
)),
'/div'
);
Expand Down Expand Up @@ -948,8 +948,8 @@ public function testFormSecurityMultipleSubmitButtons() {
'value' => 'preg:/.+/', 'id' => 'preg:/TokenFields\d+/'
)),
array('input' => array(
'type' => 'hidden', 'name' => 'data[_Token][disabled]',
'value' => '', 'id' => 'preg:/TokenDisabled\d+/'
'type' => 'hidden', 'name' => 'data[_Token][unlocked]',
'value' => '', 'id' => 'preg:/TokenUnlocked\d+/'
)),
'/div'
);
Expand Down Expand Up @@ -999,8 +999,8 @@ public function testFormSecurityMultipleInputFields() {
'value' => $hash, 'id' => 'preg:/TokenFields\d+/'
)),
array('input' => array(
'type' => 'hidden', 'name' => 'data[_Token][disabled]',
'value' => '', 'id' => 'preg:/TokenDisabled\d+/'
'type' => 'hidden', 'name' => 'data[_Token][unlocked]',
'value' => '', 'id' => 'preg:/TokenUnlocked\d+/'
)),
'/div'
);
Expand All @@ -1019,7 +1019,7 @@ public function testFormSecurityMultipleInputDisabledFields() {
$key = 'testKey';
$this->Form->request->params['_Token'] = array(
'key' => $key,
'disabledFields' => array('first_name', 'address')
'unlockedFields' => array('first_name', 'address')
);
$this->Form->create();

Expand Down Expand Up @@ -1048,8 +1048,8 @@ public function testFormSecurityMultipleInputDisabledFields() {
'value' => $hash, 'id' => 'preg:/TokenFields\d+/'
)),
array('input' => array(
'type' => 'hidden', 'name' => 'data[_Token][disabled]',
'value' => 'address%7Cfirst_name', 'id' => 'preg:/TokenDisabled\d+/'
'type' => 'hidden', 'name' => 'data[_Token][unlocked]',
'value' => 'address%7Cfirst_name', 'id' => 'preg:/TokenUnlocked\d+/'
)),
'/div'
);
Expand All @@ -1064,14 +1064,14 @@ public function testFormSecurityMultipleInputDisabledFields() {
* @access public
* @return void
*/
public function testFormSecurityInputDisabledFields() {
public function testFormSecurityInputUnlockedFields() {
$key = 'testKey';
$this->Form->request['_Token'] = array(
'key' => $key,
'disabledFields' => array('first_name', 'address')
'unlockedFields' => array('first_name', 'address')
);
$this->Form->create();
$this->assertEquals($this->Form->request['_Token']['disabledFields'], $this->Form->disableField());
$this->assertEquals($this->Form->request['_Token']['unlockedFields'], $this->Form->unlockField());

$this->Form->hidden('Addresses.id', array('value' => '123456'));
$this->Form->input('Addresses.title');
Expand All @@ -1098,8 +1098,8 @@ public function testFormSecurityInputDisabledFields() {
'value' => $hash, 'id' => 'preg:/TokenFields\d+/'
)),
array('input' => array(
'type' => 'hidden', 'name' => 'data[_Token][disabled]',
'value' => 'address%7Cfirst_name', 'id' => 'preg:/TokenDisabled\d+/'
'type' => 'hidden', 'name' => 'data[_Token][unlocked]',
'value' => 'address%7Cfirst_name', 'id' => 'preg:/TokenUnlocked\d+/'
)),
'/div'
);
Expand Down Expand Up @@ -1223,8 +1223,8 @@ public function testFormSecuredInput() {
'value' => $hash, 'id' => 'preg:/TokenFields\d+/'
)),
array('input' => array(
'type' => 'hidden', 'name' => 'data[_Token][disabled]',
'value' => '', 'id' => 'preg:/TokenDisabled\d+/'
'type' => 'hidden', 'name' => 'data[_Token][unlocked]',
'value' => '', 'id' => 'preg:/TokenUnlocked\d+/'
)),
'/div'
);
Expand Down Expand Up @@ -1318,28 +1318,28 @@ public function testDisableSecurityUsingForm() {
*
* @return void
*/
public function testDisableFieldAddsToList() {
public function testUnlockFieldAddsToList() {
$this->Form->request['_Token'] = array(
'key' => 'testKey',
'disabledFields' => array()
'unlockedFields' => array()
);
$this->Form->create('Contact');
$this->Form->disableField('Contact.name');
$this->Form->unlockField('Contact.name');
$this->Form->text('Contact.name');

$this->assertEquals(array('Contact.name'), $this->Form->disableField());
$this->assertEquals(array('Contact.name'), $this->Form->unlockField());
$this->assertEquals(array(), $this->Form->fields);
}

/**
* test disableField removing from fields array.
* test unlockField removing from fields array.
*
* @return void
*/
public function testDisableFieldRemovingFromFields() {
public function testUnlockFieldRemovingFromFields() {
$this->Form->request['_Token'] = array(
'key' => 'testKey',
'disabledFields' => array()
'unlockedFields' => array()
);
$this->Form->create('Contact');
$this->Form->hidden('Contact.id', array('value' => 1));
Expand All @@ -1348,8 +1348,8 @@ public function testDisableFieldRemovingFromFields() {
$this->assertEquals(1, $this->Form->fields['Contact.id'], 'Hidden input should be secured.');
$this->assertTrue(in_array('Contact.name', $this->Form->fields), 'Field should be secured.');

$this->Form->disableField('Contact.name');
$this->Form->disableField('Contact.id');
$this->Form->unlockField('Contact.name');
$this->Form->unlockField('Contact.id');
$this->assertEquals(array(), $this->Form->fields);
}

48 changes: 24 additions & 24 deletions lib/Cake/View/Helper/FormHelper.php
Expand Up @@ -66,7 +66,7 @@ class FormHelper extends AppHelper {

/**
* Constant used internally to skip the securing process,
* and neither add the field to the hash or to the disabled fields.
* and neither add the field to the hash or to the unlocked fields.
*
* @var string
*/
Expand Down Expand Up @@ -104,7 +104,7 @@ class FormHelper extends AppHelper {
* @see SecurityComponent::validatePost()
* @var array
*/
protected $_disabledFields = array();
protected $_unlockedFields = array();

/**
* Introspects model information and extracts information related
Expand Down Expand Up @@ -339,9 +339,9 @@ public function create($model = null, $options = array()) {
'value' => $this->request->params['_Token']['key'], 'id' => 'Token' . mt_rand())
);

if (!empty($this->request['_Token']['disabledFields'])) {
foreach ((array)$this->request['_Token']['disabledFields'] as $disabled) {
$this->_disabledFields[] = $disabled;
if (!empty($this->request['_Token']['unlockedFields'])) {
foreach ((array)$this->request['_Token']['unlockedFields'] as $unlocked) {
$this->_unlockedFields[] = $unlocked;
}
}
}
Expand Down Expand Up @@ -417,7 +417,7 @@ public function secure($fields = array()) {
return;
}
$locked = array();
$disabledFields = $this->_disabledFields;
$unlockedFields = $this->_unlockedFields;

foreach ($fields as $key => $value) {
if (!is_int($key)) {
Expand All @@ -426,41 +426,41 @@ public function secure($fields = array()) {
}
}

sort($disabledFields, SORT_STRING);
sort($unlockedFields, SORT_STRING);
sort($fields, SORT_STRING);
ksort($locked, SORT_STRING);
$fields += $locked;

$locked = implode(array_keys($locked), '|');
$disabled = implode($disabledFields, '|');
$fields = Security::hash(serialize($fields) . $disabled . Configure::read('Security.salt'));
$unlocked = implode($unlockedFields, '|');
$fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'));

$out = $this->hidden('_Token.fields', array(
'value' => urlencode($fields . ':' . $locked),
'id' => 'TokenFields' . mt_rand()
));
$out .= $this->hidden('_Token.disabled', array(
'value' => urlencode($disabled),
'id' => 'TokenDisabled' . mt_rand()
$out .= $this->hidden('_Token.unlocked', array(
'value' => urlencode($unlocked),
'id' => 'TokenUnlocked' . mt_rand()
));
return $this->Html->useTag('block', ' style="display:none;"', $out);
}

/**
* Add to or get the list of fields that are currently disabled.
* Disabled fields are not included in the field hash used by SecurityComponent
* disabling a field once its been added to the list of secured fields will remove
* Add to or get the list of fields that are currently unlocked.
* Unlocked fields are not included in the field hash used by SecurityComponent
* unlocking a field once its been added to the list of secured fields will remove
* it from the list of fields.
*
* @param string $name The dot separated name for the field.
* @return mixed Either null, or the list of fields.
*/
public function disableField($name = null) {
public function unlockField($name = null) {
if ($name === null) {
return $this->_disabledFields;
return $this->_unlockedFields;
}
if (!in_array($name, $this->_disabledFields)) {
$this->_disabledFields[] = $name;
if (!in_array($name, $this->_unlockedFields)) {
$this->_unlockedFields[] = $name;
}
$index = array_search($name, $this->fields);
if ($index !== false) {
Expand All @@ -474,7 +474,7 @@ public function disableField($name = null) {
* Populates $this->fields
*
* @param boolean $lock Whether this field should be part of the validation
* or excluded as part of the disabledFields.
* or excluded as part of the unlockedFields.
* @param mixed $field Reference to field to be secured
* @param mixed $value Field value, if value should not be tampered with.
* @return void
Expand All @@ -486,9 +486,9 @@ protected function __secure($lock, $field = null, $value = null) {
$field = Set::filter(explode('.', $field), true);
}

foreach ($this->_disabledFields as $disableField) {
$disableParts = explode('.', $disableField);
if (array_values(array_intersect($field, $disableParts)) === $disableParts) {
foreach ($this->_unlockedFields as $unlockField) {
$unlockParts = explode('.', $unlockField);
if (array_values(array_intersect($field, $unlockParts)) === $unlockParts) {
return;
}
}
Expand All @@ -503,7 +503,7 @@ protected function __secure($lock, $field = null, $value = null) {
$this->fields[] = $field;
}
} else {
$this->disableField($field);
$this->unlockField($field);
}
}
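Review bot: The rewritten unlockField docblock describes `$name` as "the dot separated name for the field", but the matching loop in __secure (the `array_values(array_intersect($field, $unlockParts)) === $unlockParts` test) compares name parts as a set, so an unlocked name that is shorter than the field's full path still matches: as far as those visible lines show, `unlockField('id')` would also skip `Addresses.id` and every other model's `id`, and `unlockField('Contact')` would skip every `Contact.*` input, leaving those fields out of the `_Token.fields` hash. That is a wider unlock than the name suggests and is worth stating where the API is documented, since the hash is the only thing SecurityComponent has to detect tampering. I would add to the unlockField docblock: ` * Matching is done on name parts, so a partial name such as 'id' or 'Model' unlocks every field whose path contains those parts; pass the fully qualified 'Model.field' name to unlock a single input.` Both __secure and secure() start before their hunks, so the rest of their bodies is outside this view.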

