Skip to content
Permalink
Browse files

Making tokens persist across 'requests'.

Removing more serialize/unserialize calls.
  • Loading branch information...
markstory committed Sep 30, 2010
1 parent f5ed911 commit dc6b33f80ed9cb290905c281e40af4babf418309
@@ -516,7 +516,7 @@ protected function _authRequired(&$controller) {
}
if ($this->Session->check('_Token')) {
$tData = unserialize($this->Session->read('_Token'));
$tData = $this->Session->read('_Token');
if (!empty($tData['allowedControllers']) && !in_array($this->request->params['controller'], $tData['allowedControllers']) || !empty($tData['allowedActions']) && !in_array($this->request->params['action'], $tData['allowedActions'])) {
if (!$this->blackHole($controller, 'auth')) {
@@ -681,7 +681,8 @@ protected function _generateToken(&$controller) {
'expires' => $expires,
'allowedControllers' => $this->allowedControllers,
'allowedActions' => $this->allowedActions,
'disabledFields' => $this->disabledFields
'disabledFields' => $this->disabledFields,
'csrfTokens' => array()
);
if ($this->csrfCheck) {
@@ -699,6 +700,9 @@ protected function _generateToken(&$controller) {
if ($valid) {
$token['key'] = $tokenData['key'];
}
if (!empty($tokenData['csrfTokens'])) {
$token['csrfTokens'] += $tokenData['csrfTokens'];
}
}
$controller->request->params['_Token'] = $token;
$this->Session->write('_Token', $token);
@@ -281,16 +281,16 @@ function testRequireAuthFail() {
$this->Controller->Security->startup($this->Controller);
$this->assertTrue($this->Controller->failed);
$this->Controller->Session->write('_Token', serialize(array('allowedControllers' => array())));
$this->Controller->Session->write('_Token', array('allowedControllers' => array()));
$this->Controller->request->data = array('username' => 'willy', 'password' => 'somePass');
$this->Controller->request['action'] = 'posted';
$this->Controller->Security->requireAuth('posted');
$this->Controller->Security->startup($this->Controller);
$this->assertTrue($this->Controller->failed);
$this->Controller->Session->write('_Token', serialize(array(
$this->Controller->Session->write('_Token', array(
'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted2')
)));
));
$this->Controller->request->data = array('username' => 'willy', 'password' => 'somePass');
$this->Controller->request['action'] = 'posted';
$this->Controller->Security->requireAuth('posted');
@@ -311,9 +311,9 @@ function testRequireAuthSucceed() {
$this->Controller->Security->startup($this->Controller);
$this->assertFalse($this->Controller->failed);
$this->Controller->Security->Session->write('_Token', serialize(array(
$this->Controller->Security->Session->write('_Token', array(
'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted')
)));
));
$this->Controller->request['controller'] = 'SecurityTest';
$this->Controller->request['action'] = 'posted';
@@ -1240,10 +1240,23 @@ function testCsrfSettings() {
$this->Security->csrfCheck = true;
$this->Security->csrfExpires = '+10 minutes';
$this->Security->startup($this->Controller);
$token = $this->Security->Session->read('_Token');
$this->assertEquals(count($token['csrfTokens']), 1, 'Missing the csrf token.');
$this->assertEquals(strtotime('+10 minutes'), current($token['csrfTokens']), 'Token expiry does not match');
}
function testCsrfSettingMultipleNonces() {
$this->Security->validatePost = false;
$this->Security->csrfCheck = true;
$this->Security->csrfExpires = '+10 minutes';
$this->Security->startup($this->Controller);
$this->Security->startup($this->Controller);
$token = $this->Security->Session->read('_Token');
$this->assertEquals(count($token['csrfTokens']), 2, 'Missing the csrf token.');
foreach ($token['csrfTokens'] as $key => $expires) {
$this->assertEquals(strtotime('+10 minutes'), $expires, 'Token expiry does not match');
}
}
}

0 comments on commit dc6b33f

Please sign in to comment.
You can’t perform that action at this time.