
Fixing an issue where changing the case of an action in the URL would allow the action in the AuthComponent, making it accessible to users who are not logged in
1 parent 2bffd4c commit f6534d2962e97b2cb22af62c9a331a44e2c08c8c @lorenzo lorenzo committed Nov 28, 2011
@@ -268,8 +268,8 @@ public function startup($controller) {
return true;
}
- $methods = array_flip($controller->methods);
- $action = $controller->request->params['action'];
+ $methods = array_flip(array_map('strtolower', $controller->methods));
+ $action = strtolower($controller->request->params['action']);
$isMissingAction = (
$controller->scaffold === false &&
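Review bot: The two `strtolower()` calls carry no comment saying why an authorization check folds case, so a later cleanup could remove them without noticing the security impact. I would add above `$methods`: `// PHP resolves method names case-insensitively, so compare actions in lower case; otherwise a re-cased URL is dispatched but never matched here`. Separately, `strtolower()` followed the process locale before PHP 8.2, while the engine folds method names as plain ASCII; it is worth confirming the two agree under the locales this code is deployed with. `$action` is now lower-cased for the rest of `startup()`, whose body continues outside this hunk, so any later use that expects the original casing should be checked.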
@@ -296,7 +296,7 @@ public function startup($controller) {
$allowedActions = $this->allowedActions;
$isAllowed = (
$this->allowedActions == array('*') ||
- in_array($action, $allowedActions)
+ in_array($action, array_map('strtolower', $allowedActions))
);
if ($loginAction != $url && $isAllowed) {
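Review bot: The `in_array()` call on the new line still compares loosely, and it re-lowercases the whole allow-list on every request. For an access decision I would make the match strict, `in_array($action, array_map('strtolower', $allowedActions), true)`. The stored `$this->allowedActions` keeps whatever casing the caller passed, so any other code that searches that list stays case-sensitive. That code is outside this hunk and not visible here. Folding case once where the list is written would keep every reader consistent.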
@@ -671,6 +671,11 @@ public function testDenyWithCamelCaseMethods() {
$this->Controller->request->query['url'] = Router::normalize($url);
$this->assertFalse($this->Controller->Auth->startup($this->Controller));
+
+ $url = '/auth_test/CamelCase';
+ $this->Controller->request->addParams(Router::parse($url));
+ $this->Controller->request->query['url'] = Router::normalize($url);
+ $this->assertFalse($this->Controller->Auth->startup($this->Controller));
}
/**
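Review bot: The added assertion covers only the deny path with a single re-cased variant (`/auth_test/CamelCase`), so the allow-list folding in the second hunk has no regression test. A complementary case would check an action that was allowed under one casing and requested under another. I would also add a comment above the new block: `// Method names are case-insensitive in PHP, so the re-cased URL must be denied as well`. `testDenyWithCamelCaseMethods()` begins outside this hunk, so its setup is not visible here.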
