
Fixing issues with SecurityComponent, where removing your session,

would allow posting of invalid form data.
Fixes #1867
markstory committed Jul 30, 2011
1 parent e1960d1 commit 7a9ac53adfc6fb9bb8a2a99ffacf260ddcc25e50
@@ -607,6 +607,8 @@ function _validatePost(&$controller) {
if ($tokenData['expires'] < time() || $tokenData['key'] !== $token) {
return false;
}
} else {
return false;
}
$locked = null;
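Review bot: The `else { return false; }` branch (the added lines, judging by the hunk header counts and the commit message) is the security-relevant part of this change, yet nothing says why a missing session token must fail closed. Without that branch, a request whose session holds no `_Token` entry skips the expiry and key comparison and, as far as this hunk shows, carries on to the `$locked` handling below. I would add `// No _Token in the session: there is nothing to compare the submitted key against, so reject the post.` above the `return false;`. The body of `_validatePost` starts and ends outside the hunk, so whether later checks would also reject such a request cannot be confirmed from here.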
@@ -582,6 +582,25 @@ function testValidatePost() {
$this->assertTrue($this->Controller->Security->validatePost($this->Controller));
}
/**
* Test that validatePost fails if you are missing the session information.
*
* @return void
*/
function testValidatePostNoSession() {
$this->Controller->Security->startup($this->Controller);
$this->Controller->Session->delete('_Token');
$key = $this->Controller->params['_Token']['key'];
$fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
$this->Controller->data = array(
'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
'_Token' => compact('key', 'fields')
);
$this->assertFalse($this->Controller->Security->validatePost($this->Controller));
}
/**
* test that validatePost fails if any of its required fields are missing.
*
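Review bot: `testValidatePostNoSession` does not prove that deleting the session entry is what makes validation fail, because if the hard-coded `$fields` hash did not match the posted data, `assertFalse` would pass with or without the fix. The hash looks like it was reused from a neighbouring test, but that is not visible in this hunk. Consider building `$this->Controller->data` first, asserting `$this->assertTrue($this->Controller->Security->validatePost($this->Controller));` while the session token is still present, and only then calling `$this->Controller->Session->delete('_Token');` before the final `assertFalse`. This assumes a successful `validatePost` call does not consume or rotate the token, which should be confirmed against the component.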
