Adding tests for csrf feature separation.

Removing serialize() calls as they didn't really add anything.
cakephp · Sep 30, 2010 · b088daf · b088daf
1 parent 72a1c95
commit b088daf
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 14 deletions.
diff --git a/cake/libs/controller/components/security.php b/cake/libs/controller/components/security.php
@@ -580,7 +580,7 @@ protected function _validatePost(&$controller) {
 		$token = $data['_Token']['key'];
 
 		if ($this->Session->check('_Token')) {
-			$tokenData = unserialize($this->Session->read('_Token'));
+			$tokenData = $this->Session->read('_Token');
 
 			if ($tokenData['expires'] < time() || $tokenData['key'] !== $token) {
 				return false;
@@ -651,7 +651,7 @@ protected function _validatePost(&$controller) {
 	protected function _generateToken(&$controller) {
 		if (isset($controller->params['requested']) && $controller->params['requested'] === 1) {
 			if ($this->Session->check('_Token')) {
-				$tokenData = unserialize($this->Session->read('_Token'));
+				$tokenData = $this->Session->read('_Token');
 				$controller->params['_Token'] = $tokenData;
 			}
 			return false;
@@ -671,7 +671,7 @@ protected function _generateToken(&$controller) {
 		}
 
 		if ($this->Session->check('_Token')) {
-			$tokenData = unserialize($this->Session->read('_Token'));
+			$tokenData = $this->Session->read('_Token');
 			$valid = (
 				isset($tokenData['expires']) &&
 				$tokenData['expires'] > time() &&
@@ -683,7 +683,7 @@ protected function _generateToken(&$controller) {
 			}
 		}
 		$controller->request->params['_Token'] = $token;
-		$this->Session->write('_Token', serialize($token));
+		$this->Session->write('_Token', $token);
 		return true;
 	}
 

diff --git a/cake/tests/cases/libs/controller/components/security.test.php b/cake/tests/cases/libs/controller/components/security.test.php
@@ -152,6 +152,7 @@ function setUp() {
 		$this->Controller->Components->init($this->Controller);
 		$this->Controller->Security = $this->Controller->TestSecurity;
 		$this->Controller->Security->blackHoleCallback = 'fail';
+		$this->Security = $this->Controller->Security;
 
 		Configure::write('Security.salt', 'foo!');
 	}
@@ -856,16 +857,6 @@ function testValidateHiddenMultipleModel() {
 		$this->assertTrue($result);
 	}
 
-/**
- * testLoginValidation method
- *
- * @access public
- * @return void
- */
-	function testLoginValidation() {
-
-	}
-
 /**
  * testValidateHasManyModel method
  *
@@ -1238,4 +1229,19 @@ function testBlackHoleNotDeletingSessionInformation() {
 		$this->Controller->Security->blackHole($this->Controller, 'auth');
 		$this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token was deleted by blackHole %s');
 	}
+
+/**
+ * test setting 
+ *
+ * @return void
+ */
+	function testCsrfSettings() {
+		$this->Security->validatePost = false;
+		$this->Security->enableCsrf = true;
+		$this->Security->csrfExpires = '+10 minutes';
+		$this->Security->startup($this->Controller);
+
+		$token = $this->Security->Session->read('_Token');
+		$this->assertEquals(count($token['csrf']), 1, 'Missing the csrf token.');
+	}
 }