
Fix incorrect CSRF token fields when using postLink()

Creating a postLink after creating a GET form would result in the
incorrect fields being generated.

Fixes #2308
1 parent 1f5d1ee commit a07608cbb9463343b3aede21d9a3cbf092020667 @markstory markstory committed Nov 12, 2013
Showing with 30 additions and 0 deletions.
  1. +29 −0 lib/Cake/Test/Case/View/Helper/FormHelperTest.php
  2. +1 −0 lib/Cake/View/Helper/FormHelper.php
@@ -7173,6 +7173,35 @@ public function testPostLink() {
}
/**
+ * test creating postLinks after a GET form.
+ *
+ * @return void
+ */
+ public function testPostLinkAfterGetForm() {
+ $this->Form->request->params['_Token']['key'] = 'testkey';
+ $this->Form->create('User', array('type' => 'get'));
+ $this->Form->end();
+
+ $result = $this->Form->postLink('Delete', '/posts/delete/1');
+ $this->assertTags($result, array(
+ 'form' => array(
+ 'method' => 'post', 'action' => '/posts/delete/1',
+ 'name' => 'preg:/post_\w+/', 'id' => 'preg:/post_\w+/', 'style' => 'display:none;'
+ ),
+ array('input' => array('type' => 'hidden', 'name' => '_method', 'value' => 'POST')),
+ array('input' => array('type' => 'hidden', 'name' => 'data[_Token][key]', 'value' => 'testkey', 'id' => 'preg:/Token\d+/')),
+ 'div' => array('style' => 'display:none;'),
+ array('input' => array('type' => 'hidden', 'name' => 'data[_Token][fields]', 'value' => 'preg:/[\w\d%]+/', 'id' => 'preg:/TokenFields\d+/')),
+ array('input' => array('type' => 'hidden', 'name' => 'data[_Token][unlocked]', 'value' => '', 'id' => 'preg:/TokenUnlocked\d+/')),
+ '/div',
+ '/form',
+ 'a' => array('href' => '#', 'onclick' => 'preg:/document\.post_\w+\.submit\(\); event\.returnValue = false; return false;/'),
+ 'Delete',
+ '/a'
+ ));
+ }
+
+/**
* Test that postLink adds _Token fields.
*
* @return void
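Review bot: The new test pins only the `create('User', array('type' => 'get'))` → `end()` → `postLink()` sequence, so it exercises the reset that the companion change puts in `end()` but leaves the neighbouring boundary untested: a GET form that is opened with `create()` and never closed with `end()`. If `requestType` is only cleared in `end()`, as the FormHelper.php hunk suggests, a `postLink()` emitted inside such an unclosed GET form would presumably still come out without the `_Token` fields and be rejected on submit; either a second test for that case or a docblock sentence stating that the form must have been closed would make the covered contract explicit. Minor style point on the `fields` expectation: in `'preg:/[\w\d%]+/'` the `\d` is already contained in `\w`, so `'preg:/[\w%]+/'` expresses the same match. `testPostLink()`, whose closing brace is the first context line of the hunk, starts outside it.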
@@ -523,6 +523,7 @@ public function end($options = null) {
$out .= $this->Html->useTag('formend');
$this->_View->modelScope = false;
+ $this->requestType = null;
return $out;
}
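Review bot: The added `$this->requestType = null;` carries no comment saying why the reset is needed, and it sits between two unrelated teardown statements, so its purpose is easy to lose in a later refactor of `end()`; a why-comment such as `// Reset per-form request type so a later postLink() is not treated as part of a closed GET form (#2308)` would record the link to the bug. Because the reset lives only in `end()`, a GET form that is opened with `create()` but never closed would presumably keep its request type for the rest of the view; whether that matters depends on what else reads `requestType`, which is outside this hunk. `end()` starts outside the hunk; its closing brace is the hunk's last line.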
