
Adding test cases for disableFields being part of the POST data.

1 parent 046ddce commit 338957936beccc0439c440398d1b412ab7d57adf @markstory markstory committed Jun 10, 2011
Showing with 77 additions and 40 deletions.
  1. +77 −40 lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
@@ -51,38 +51,33 @@ class SecurityTestController extends Controller {
* name property
*
* @var string 'SecurityTest'
- * @access public
*/
public $name = 'SecurityTest';
/**
* components property
*
* @var array
- * @access public
*/
public $components = array('Session', 'TestSecurity');
/**
* failed property
*
* @var bool false
- * @access public
*/
public $failed = false;
/**
* Used for keeping track of headers in test
*
* @var array
- * @access public
*/
public $testHeaders = array();
/**
* fail method
*
- * @access public
* @return void
*/
public function fail() {
@@ -95,7 +90,6 @@ public function fail() {
* @param mixed $option
* @param mixed $code
* @param mixed $exit
- * @access public
* @return void
*/
public function redirect($url, $status = null, $exit = true) {
@@ -124,22 +118,19 @@ class SecurityComponentTest extends CakeTestCase {
* Controller property
*
* @var SecurityTestController
- * @access public
*/
public $Controller;
/**
* oldSalt property
*
* @var string
- * @access public
*/
public $oldSalt;
/**
* setUp method
*
- * @access public
* @return void
*/
public function setUp() {
@@ -193,7 +184,6 @@ public function testConstructorSettingProperties() {
/**
* testStartup method
*
- * @access public
* @return void
*/
public function testStartup() {
@@ -206,7 +196,6 @@ public function testStartup() {
/**
* testRequirePostFail method
*
- * @access public
* @return void
*/
public function testRequirePostFail() {
@@ -220,7 +209,6 @@ public function testRequirePostFail() {
/**
* testRequirePostSucceed method
*
- * @access public
* @return void
*/
public function testRequirePostSucceed() {
@@ -234,7 +222,6 @@ public function testRequirePostSucceed() {
/**
* testRequireSecureFail method
*
- * @access public
* @return void
*/
public function testRequireSecureFail() {
@@ -249,7 +236,6 @@ public function testRequireSecureFail() {
/**
* testRequireSecureSucceed method
*
- * @access public
* @return void
*/
public function testRequireSecureSucceed() {
@@ -264,7 +250,6 @@ public function testRequireSecureSucceed() {
/**
* testRequireAuthFail method
*
- * @access public
* @return void
*/
public function testRequireAuthFail() {
@@ -295,7 +280,6 @@ public function testRequireAuthFail() {
/**
* testRequireAuthSucceed method
*
- * @access public
* @return void
*/
public function testRequireAuthSucceed() {
@@ -323,7 +307,6 @@ public function testRequireAuthSucceed() {
/**
* testRequirePostSucceedWrongMethod method
*
- * @access public
* @return void
*/
public function testRequirePostSucceedWrongMethod() {
@@ -337,7 +320,6 @@ public function testRequirePostSucceedWrongMethod() {
/**
* testRequireGetFail method
*
- * @access public
* @return void
*/
public function testRequireGetFail() {
@@ -351,7 +333,6 @@ public function testRequireGetFail() {
/**
* testRequireGetSucceed method
*
- * @access public
* @return void
*/
public function testRequireGetSucceed() {
@@ -365,7 +346,6 @@ public function testRequireGetSucceed() {
/**
* testRequireGetSucceedWrongMethod method
*
- * @access public
* @return void
*/
public function testRequireGetSucceedWrongMethod() {
@@ -379,7 +359,6 @@ public function testRequireGetSucceedWrongMethod() {
/**
* testRequirePutFail method
*
- * @access public
* @return void
*/
public function testRequirePutFail() {
@@ -393,7 +372,6 @@ public function testRequirePutFail() {
/**
* testRequirePutSucceed method
*
- * @access public
* @return void
*/
public function testRequirePutSucceed() {
@@ -407,7 +385,6 @@ public function testRequirePutSucceed() {
/**
* testRequirePutSucceedWrongMethod method
*
- * @access public
* @return void
*/
public function testRequirePutSucceedWrongMethod() {
@@ -421,7 +398,6 @@ public function testRequirePutSucceedWrongMethod() {
/**
* testRequireDeleteFail method
*
- * @access public
* @return void
*/
public function testRequireDeleteFail() {
@@ -435,7 +411,6 @@ public function testRequireDeleteFail() {
/**
* testRequireDeleteSucceed method
*
- * @access public
* @return void
*/
public function testRequireDeleteSucceed() {
@@ -449,7 +424,6 @@ public function testRequireDeleteSucceed() {
/**
* testRequireDeleteSucceedWrongMethod method
*
- * @access public
* @return void
*/
public function testRequireDeleteSucceedWrongMethod() {
@@ -463,7 +437,6 @@ public function testRequireDeleteSucceedWrongMethod() {
/**
* Simple hash validation test
*
- * @access public
* @return void
*/
public function testValidatePost() {
@@ -526,7 +499,6 @@ public function testValidatePostObjectDeserialize() {
/**
* Tests validation of checkbox arrays
*
- * @access public
* @return void
*/
public function testValidatePostArray() {
@@ -546,7 +518,6 @@ public function testValidatePostArray() {
/**
* testValidatePostNoModel method
*
- * @access public
* @return void
*/
public function testValidatePostNoModel() {
@@ -568,7 +539,6 @@ public function testValidatePostNoModel() {
/**
* testValidatePostSimple method
*
- * @access public
* @return void
*/
public function testValidatePostSimple() {
@@ -590,7 +560,6 @@ public function testValidatePostSimple() {
/**
* Tests hash validation for multiple records, including locked fields
*
- * @access public
* @return void
*/
public function testValidatePostComplex() {
@@ -666,7 +635,6 @@ public function testValidatePostMultipleSelect() {
* First block tests un-checked checkbox
* Second block tests checked checkbox
*
- * @access public
* @return void
*/
public function testValidatePostCheckbox() {
@@ -710,7 +678,6 @@ public function testValidatePostCheckbox() {
/**
* testValidatePostHidden method
*
- * @access public
* @return void
*/
public function testValidatePostHidden() {
@@ -733,7 +700,6 @@ public function testValidatePostHidden() {
/**
* testValidatePostWithDisabledFields method
*
- * @access public
* @return void
*/
public function testValidatePostWithDisabledFields() {
@@ -755,9 +721,85 @@ public function testValidatePostWithDisabledFields() {
}
/**
+ * test validating post data with posted disabled fields.
+ *
+ * @return void
+ */
+ public function testValidatePostDisabledFieldsInData() {
+ $this->Controller->Security->startup($this->Controller);
+ $key = $this->Controller->request->params['_Token']['key'];
+ $disabled = 'Model.username';
+ $fields = array('Model.hidden', 'Model.password');
+ $fields = urlencode(Security::hash(serialize($fields) . $disabled . Configure::read('Security.salt')));
+
+ $this->Controller->request->data = array(
+ 'Model' => array(
+ 'username' => 'mark',
+ 'password' => 'sekret',
+ 'hidden' => '0'
+ ),
+ '_Token' => compact('fields', 'key', 'disabled')
+ );
+
+ $result = $this->Controller->Security->validatePost($this->Controller);
+ $this->assertTrue($result);
+ }
+
+/**
+ * test that missing 'disabled' input causes failure
+ *
+ * @return void
+ */
+ public function testValidatePostFailNoDisabled() {
+ $this->Controller->Security->startup($this->Controller);
+ $key = $this->Controller->request->params['_Token']['key'];
+ $fields = array('Model.hidden', 'Model.password', 'Model.username');
+ $fields = urlencode(Security::hash(serialize($fields) . Configure::read('Security.salt')));
+
+ $this->Controller->request->data = array(
+ 'Model' => array(
+ 'username' => 'mark',
+ 'password' => 'sekret',
+ 'hidden' => '0'
+ ),
+ '_Token' => compact('fields', 'key')
+ );
+
+ $result = $this->Controller->Security->validatePost($this->Controller);
+ $this->assertFalse($result);
+ }
+
+/**
+ * Test that validatePost fails when disabled fields are changed.
+ *
+ * @return
+ */
+ public function testValidatePostFailDisabledFieldTampering() {
+ $this->Controller->Security->startup($this->Controller);
+ $key = $this->Controller->request->params['_Token']['key'];
+ $disabled = 'Model.username';
+ $fields = array('Model.hidden', 'Model.password');
+ $fields = urlencode(Security::hash(serialize($fields) . $disabled . Configure::read('Security.salt')));
+
+ // Tamper the values.
+ $disabled = 'Model.username|Model.password';
+
+ $this->Controller->request->data = array(
+ 'Model' => array(
+ 'username' => 'mark',
+ 'password' => 'sekret',
+ 'hidden' => '0'
+ ),
+ '_Token' => compact('fields', 'key', 'disabled')
+ );
+
+ $result = $this->Controller->Security->validatePost($this->Controller);
+ $this->assertFalse($result);
+ }
+
+/**
* testValidateHiddenMultipleModel method
*
- * @access public
* @return void
*/
public function testValidateHiddenMultipleModel() {
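Review bot: The docblock of `testValidatePostFailDisabledFieldTampering` carries a bare `@return` with no type, unlike every sibling docblock in this file; it should read ` * @return void`. The three new tests also duplicate the same fixture: calling `startup()`, reading `_Token.key`, hashing `serialize($fields) . $disabled . Configure::read('Security.salt')` and assembling the `Model` request data inline. Extracting that into a small private helper taking the locked field list and the disabled string would make the tampering case's intent — only `$disabled` is changed after the hash is computed — stand out instead of being one line among a near-verbatim copy. A short comment on `testValidatePostFailNoDisabled` saying why omitting `_Token.disabled` must fail even though the hash covers all three fields would also help, since that expectation is not obvious from the fixture alone. The enclosing SecurityComponentTest class continues outside the hunk.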
@@ -779,7 +821,6 @@ public function testValidateHiddenMultipleModel() {
/**
* testValidateHasManyModel method
*
- * @access public
* @return void
*/
public function testValidateHasManyModel() {
@@ -810,7 +851,6 @@ public function testValidateHasManyModel() {
/**
* testValidateHasManyRecordsPass method
*
- * @access public
* @return void
*/
public function testValidateHasManyRecordsPass() {
@@ -855,7 +895,6 @@ public function testValidateHasManyRecordsPass() {
*
* validatePost should fail, hidden fields have been changed.
*
- * @access public
* @return void
*/
public function testValidateHasManyRecordsFail() {
@@ -898,7 +937,6 @@ public function testValidateHasManyRecordsFail() {
/**
* testFormDisabledFields method
*
- * @access public
* @return void
*/
public function testFormDisabledFields() {
@@ -930,7 +968,6 @@ public function testFormDisabledFields() {
/**
* testRadio method
*
- * @access public
* @return void
*/
public function testRadio() {
