Feature #22685 » 14438-v7.diff
t3lib/class.t3lib_beuserauth.php (working copy) | ||
---|---|---|
return $isUserAllowedToLogin;
|
||
}
|
||
/**
|
||
* Logs out the current user and clears the form protection tokens.
|
||
*/
|
||
public function logoff() {
|
||
t3lib_formProtection_Factory::get(
|
||
't3lib_formProtection_Backend'
|
||
)->clean();
|
||
parent::logoff();
|
||
}
|
||
}
|
||
t3lib/core_autoload.php (working copy) | ||
---|---|---|
't3lib_error_exceptionhandlerinterface' => PATH_t3lib . 'error/interface.t3lib_error_exceptionhandlerinterface.php',
|
||
't3lib_browselinkshook' => PATH_t3lib . 'interfaces/interface.t3lib_browselinkshook.php',
|
||
't3lib_extfilefunctions_processdatahook' => PATH_t3lib . 'interfaces/interface.t3lib_extfilefunctions_processdatahook.php',
|
||
't3lib_formprotection_factory' => PATH_t3lib . 'formprotection/class.t3lib_formprotection_factory.php',
|
||
't3lib_formprotection_abstract' => PATH_t3lib . 'formprotection/class.t3lib_formprotection_abstract.php',
|
||
't3lib_formprotection_backend' => PATH_t3lib . 'formprotection/class.t3lib_formprotection_backend.php',
|
||
't3lib_localrecordlistgettablehook' => PATH_t3lib . 'interfaces/interface.t3lib_localrecordlistgettablehook.php',
|
||
't3lib_pageselect_getpagehook' => PATH_t3lib . 'interfaces/interface.t3lib_pageselect_getpagehook.php',
|
||
't3lib_pageselect_getrecordoverlayhook' => PATH_t3lib . 'interfaces/interface.t3lib_pageselect_getrecordoverlayhook.php',
|
t3lib/formprotection/class.t3lib_formprotection_backend.php (revision 0) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Class t3lib_formProtection_Backend.
|
||
*
|
||
* This class provides protection against cross-site request forgery (XSRF/CSRF)
|
||
* for forms in the BE.
|
||
*
|
||
* How to use:
|
||
*
|
||
* For each form in the BE (or link that changes some data), create a token and
|
||
* insert is as a hidden form element. The name of the form element does not
|
||
* matter; you only need it to get the form token for verifying it.
|
||
*
|
||
* <pre>
|
||
* $formToken = t3lib_formProtection_Factory::get(
|
||
* t3lib_formProtection_Factory::TYPE_BACK_END
|
||
* )->generateToken(
|
||
* 'BE user setup', 'edit'
|
||
* );
|
||
* $this->content .= '<input type="hidden" name="formToken" value="' .
|
||
* $formToken . '" />';
|
||
* </pre>
|
||
*
|
||
* The three parameters $formName, $action and $formInstanceName can be
|
||
* arbitrary strings, but they should make the form token as specific as
|
||
* possible. For different forms (e.g. BE user setup and editing a tt_content
|
||
* record) or different records (with different UIDs) from the same table,
|
||
* those values should be different.
|
||
*
|
||
* For editing a tt_content record, the call could look like this:
|
||
*
|
||
* <pre>
|
||
* $formToken = t3lib_formProtection_Factory::get(
|
||
* t3lib_formProtection_Factory::TYPE_BACK_END
|
||
* )->getFormProtection()->generateToken(
|
||
* 'tt_content', 'edit', $uid
|
||
* );
|
||
* </pre>
|
||
*
|
||
* At the end of the form, you need to persist the tokens. This makes sure that
|
||
* generated tokens get saved, and also that removed tokens stay removed:
|
||
*
|
||
* <pre>
|
||
* t3lib_formProtection_Factory::get(
|
||
* t3lib_formProtection_Factory::TYPE_BACK_END
|
||
* )->persistTokens();
|
||
* </pre>
|
||
*
|
||
* In BE lists, it might be necessary to generate hundreds of tokens. So the
|
||
* tokens do not get automatically persisted after creation for performance
|
||
* reasons.
|
||
*
|
||
*
|
||
* When processing the data that has been submitted by the form, you can check
|
||
* that the form token is valid like this:
|
||
*
|
||
* <pre>
|
||
* if ($dataHasBeenSubmitted && t3lib_formProtection_Factory::get(
|
||
* t3lib_formProtection_Factory::TYPE_BACK_END
|
||
* )->validateToken(
|
||
* (string) t3lib_div::_POST('formToken'),
|
||
* 'BE user setup', 'edit
|
||
* )
|
||
* ) {
|
||
* // processes the data
|
||
* } else {
|
||
* // no need to do anything here as the BE form protection will create a
|
||
* // flash message for an invalid token
|
||
* }
|
||
* </pre>
|
||
*
|
||
* Note that validateToken invalidates the token with the token ID. So calling
|
||
* validate with the same parameters two times in a row will always return FALSE
|
||
* for the second call.
|
||
*
|
||
* It is important that the tokens get validated <em>before</em> the tokens are
|
||
* persisted. This makes sure that the tokens that get invalidated by
|
||
* validateToken cannot be used again.
|
||
*
|
||
* $Id$
|
||
*
|
||
* @package TYPO3
|
||
* @subpackage t3lib
|
||
*
|
||
* @author Oliver Klee <typo3-coding@oliverklee.de>
|
||
*/
|
||
class t3lib_formProtection_Backend extends t3lib_formProtection_Abstract {
|
||
/**
|
||
* the maximum number of tokens that can exist at the same time
|
||
*
|
||
* @var integer
|
||
*/
|
||
protected $maximumNumberOfTokens = 20000;
|
||
/**
|
||
* Only allow construction if we have a backend session
|
||
*/
|
||
public function __construct() {
|
||
if (!isset($GLOBALS['BE_USER'])) {
|
||
throw new t3lib_error_Exception(
|
||
'A back-end form protection may only be instantiated if there' .
|
||
' is an active back-end session.',
|
||
1285067843
|
||
);
|
||
}
|
||
parent::__construct();
|
||
}
|
||
/**
|
||
* Creates or displayes an error message telling the user that the submitted
|
||
* form token is invalid.
|
||
*
|
||
* @return void
|
||
*/
|
||
protected function createValidationErrorMessage() {
|
||
$message = t3lib_div::makeInstance(
|
||
't3lib_FlashMessage',
|
||
$GLOBALS['LANG']->sL(
|
||
'LLL:EXT:lang/locallang_core.xml:error.formProtection.tokenInvalid'
|
||
),
|
||
'',
|
||
t3lib_FlashMessage::ERROR
|
||
);
|
||
t3lib_FlashMessageQueue::addMessage($message);
|
||
}
|
||
/**
|
||
* Retrieves all saved tokens.
|
||
*
|
||
* @return array<array>
|
||
* the saved tokens as, will be empty if no tokens have been saved
|
||
*/
|
||
protected function retrieveTokens() {
|
||
$tokens = $GLOBALS['BE_USER']->getSessionData('formTokens');
|
||
if (!is_array($tokens)) {
|
||
$tokens = array();
|
||
}
|
||
$this->tokens = $tokens;
|
||
}
|
||
/**
|
||
* Saves the tokens so that they can be used by a later incarnation of this
|
||
* class.
|
||
*
|
||
* @return void
|
||
*/
|
||
public function persistTokens() {
|
||
$GLOBALS['BE_USER']->setAndSaveSessionData('formTokens', $this->tokens);
|
||
}
|
||
}
|
||
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/formprotection/class.t3lib_formprotection_backend.php']) {
|
||
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/formprotection/class.t3lib_formprotection_backend.php']);
|
||
}
|
||
?>
|
t3lib/formprotection/class.t3lib_formprotection_factory.php (revision 0) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Class t3lib_formProtection_Factory.
|
||
*
|
||
* This class creates and manages instances of the various form protection
|
||
* classes.
|
||
*
|
||
* This class provides only static methods. It can not be instantiated.
|
||
*
|
||
* Usage for the back-end form protection:
|
||
*
|
||
* <pre>
|
||
* $formProtection = t3lib_formProtection_Factory::get(
|
||
* 't3lib_formProtection_BackEnd'
|
||
* );
|
||
* </pre>
|
||
*
|
||
* Usage for the install tool form protection:
|
||
*
|
||
* <pre>
|
||
* $formProtection = t3lib_formProtection_Factory::get(
|
||
* 'tx_install_formprotection'
|
||
* );
|
||
* $formProtection->injectInstallTool($this);
|
||
* </pre>
|
||
*
|
||
* $Id$
|
||
*
|
||
* @package TYPO3
|
||
* @subpackage t3lib
|
||
*
|
||
* @author Oliver Klee <typo3-coding@oliverklee.de>
|
||
* @author Ernesto Baschny <ernst@cron-it.de>
|
||
*/
|
||
final class t3lib_formProtection_Factory {
|
||
/**
|
||
* created instances of form protections using the type as array key
|
||
*
|
||
* @var array<t3lib_formProtectionAbstract>
|
||
*/
|
||
static protected $instances = array();
|
||
/**
|
||
* Private constructor to prevent instantiation.
|
||
*/
|
||
private function __construct() {}
|
||
/**
|
||
* Gets a form protection instance for the requested class $className.
|
||
*
|
||
* If there already is an existing instance of the requested $className, the
|
||
* existing instance will be returned.
|
||
*
|
||
* @param string $className
|
||
* the name of the class for which to return an instance, must be
|
||
* "t3lib_formProtection_BackEnd" or "tx_install_FormProtection"
|
||
*
|
||
* @return t3lib_formProtection_Abstract the requested instance
|
||
*/
|
||
static public function get($className) {
|
||
if (!isset(self::$instances[$className])) {
|
||
if (!class_exists($className, TRUE)) {
|
||
throw new InvalidArgumentException(
|
||
'$className must be the name of an existing class, but ' .
|
||
'actually was "' . $className . '".',
|
||
1285352962
|
||
);
|
||
}
|
||
$instance = t3lib_div::makeInstance($className);
|
||
if (!$instance instanceof t3lib_formProtection_Abstract) {
|
||
throw new InvalidArgumentException(
|
||
'$className must be a subclass of ' .
|
||
't3lib_formProtection_Abstract, but actually was "' .
|
||
$className . '".',
|
||
1285353026
|
||
);
|
||
}
|
||
self::$instances[$className] = $instance;
|
||
}
|
||
return self::$instances[$className];
|
||
}
|
||
/**
|
||
* Sets the instance that will be returned by get() for a specific class
|
||
* name.
|
||
*
|
||
* Note: This function is intended for testing purposes only.
|
||
*
|
||
* @param string $className
|
||
* the name of the class for which to set an instance, must be
|
||
* "t3lib_formProtection_BackEnd" or "tx_install_FormProtection"
|
||
* @param t3lib_formProtection_Abstract $instance
|
||
* the instance to set
|
||
*
|
||
* @return void
|
||
*/
|
||
static public function set($className, t3lib_formProtection_Abstract $instance) {
|
||
self::$instances[$className] = $instance;
|
||
}
|
||
/**
|
||
* Purges all existing instances.
|
||
*
|
||
* This function is particularly useful when cleaning up in unit testing.
|
||
*
|
||
* @return void
|
||
*/
|
||
static public function purgeInstances() {
|
||
foreach (self::$instances as $key => $instance) {
|
||
$instance->__destruct();
|
||
unset(self::$instances[$key]);
|
||
}
|
||
}
|
||
}
|
||
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/formprotection/class.t3lib_formprotection_factory.php']) {
|
||
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/formprotection/class.t3lib_formprotection_factory.php']);
|
||
}
|
||
?>
|
t3lib/formprotection/class.t3lib_formprotection_abstract.php (revision 0) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Class t3lib_formProtection_Abstract.
|
||
*
|
||
* This class provides protection against cross-site request forgery (XSRF/CSRF)
|
||
* for forms.
|
||
*
|
||
* For documentation on how to use this class, please see the documentation of
|
||
* the corresponding subclasses, e.g. t3lib_formProtection_Backend.
|
||
*
|
||
* $Id$
|
||
*
|
||
* @package TYPO3
|
||
* @subpackage t3lib
|
||
*
|
||
* @author Oliver Klee <typo3-coding@oliverklee.de>
|
||
*/
|
||
abstract class t3lib_formProtection_Abstract {
|
||
/**
|
||
* the maximum number of tokens that can exist at the same time
|
||
*
|
||
* @var integer
|
||
*/
|
||
protected $maximumNumberOfTokens = 0;
|
||
/**
|
||
* Valid tokens sorted from oldest to newest.
|
||
*
|
||
* [tokenId] => array(formName, formInstanceName)
|
||
*
|
||
* @var array<array>
|
||
*/
|
||
protected $tokens = array();
|
||
/**
|
||
* Constructor. Makes sure existing tokens are read and available for
|
||
* checking.
|
||
*/
|
||
public function __construct() {
|
||
$this->retrieveTokens();
|
||
}
|
||
/**
|
||
* Frees as much memory as possible.
|
||
*/
|
||
public function __destruct() {
|
||
$this->tokens = array();
|
||
}
|
||
/**
|
||
* Deletes all existing tokens and persists the (empty) token table.
|
||
*
|
||
* This function is intended to be called when a user logs on or off.
|
||
*
|
||
* @return void
|
||
*/
|
||
public function clean() {
|
||
$this->tokens = array();
|
||
$this->persistTokens();
|
||
}
|
||
/**
|
||
* Generates and stores a token for a form.
|
||
*
|
||
* Calling this function two times with the same parameters will create
|
||
* two valid, different tokens.
|
||
*
|
||
* Generating more tokens than $maximumNumberOfEntries will cause the oldest
|
||
* tokens to get dropped.
|
||
*
|
||
* Note: This function does not persist the tokens.
|
||
*
|
||
* @param string $formName
|
||
* the name of the form, for example a table name like "tt_content",
|
||
* or some other identifier like "install_tool_password", must not be
|
||
* empty
|
||
* @param string $action
|
||
* the name of the action of the form, for example "new", "delete" or
|
||
* "edit", may also be empty
|
||
* @param string $formInstanceName
|
||
* a string used to differentiate two instances of the same form,
|
||
* form example a record UID or a comma-separated list of UIDs,
|
||
* may also be empty
|
||
*
|
||
* @return string the 32-character hex ID of the generated token
|
||
*/
|
||
public function generateToken(
|
||
$formName, $action = '', $formInstanceName = ''
|
||
) {
|
||
if ($formName == '') {
|
||
throw new InvalidArgumentException('$formName must not be empty.');
|
||
}
|
||
do {
|
||
$tokenId = bin2hex(t3lib_div::generateRandomBytes(16));
|
||
} while (isset($this->tokens[$tokenId]));
|
||
$this->tokens[$tokenId] = array(
|
||
'formName' => $formName,
|
||
'action' => $action,
|
||
'formInstanceName' => $formInstanceName,
|
||
);
|
||
$this->preventOverflow();
|
||
return $tokenId;
|
||
}
|
||
/**
|
||
* Checks whether the token $tokenId is valid in the form $formName with
|
||
* $formInstanceName.
|
||
*
|
||
* A token is valid if $tokenId, $formName and $formInstanceName match and
|
||
* the token has not been used yet.
|
||
*
|
||
* Calling this function will mark the token $tokenId as invalud (if it
|
||
* exists).
|
||
*
|
||
* So calling this function with the same parameters two times will return
|
||
* FALSE the second time.
|
||
*
|
||
* @param string $tokenId
|
||
* a form token to check, may also be empty or utterly misformed
|
||
* @param string $formName
|
||
* the name of the form to check, for example "tt_content",
|
||
* may also be empty or utterly misformed
|
||
* @param string $action
|
||
* the action of the form to check, for example "edit",
|
||
* may also be empty or utterly misformed
|
||
* @param string $formInstanceName
|
||
* the instance name of the form to check, for example "42" or "foo"
|
||
* or "31,42", may also be empty or utterly misformed
|
||
*
|
||
* @return boolean
|
||
* TRUE if $tokenId, $formName, $action and $formInstanceName match
|
||
* and the token has not been used yet, FALSE otherwise
|
||
*/
|
||
public function validateToken(
|
||
$tokenId, $formName, $action = '', $formInstanceName = ''
|
||
) {
|
||
if (isset($this->tokens[$tokenId])) {
|
||
$token = $this->tokens[$tokenId];
|
||
$isValid = ($token['formName'] == $formName)
|
||
&& ($token['action'] == $action)
|
||
&& ($token['formInstanceName'] == $formInstanceName);
|
||
$this->dropToken($tokenId);
|
||
} else {
|
||
$isValid = FALSE;
|
||
}
|
||
if (!$isValid) {
|
||
$this->createValidationErrorMessage();
|
||
}
|
||
return $isValid;
|
||
}
|
||
/**
|
||
* Creates or displayes an error message telling the user that the submitted
|
||
* form token is invalid.
|
||
*
|
||
* This function may also be empty if the validation error should be handled
|
||
* silently.
|
||
*
|
||
* @return void
|
||
*/
|
||
abstract protected function createValidationErrorMessage();
|
||
/**
|
||
* Retrieves all saved tokens.
|
||
*
|
||
* @return array<arrray>
|
||
* the saved tokens, will be empty if no tokens have been saved
|
||
*/
|
||
abstract protected function retrieveTokens();
|
||
/**
|
||
* Saves the tokens so that they can be used by a later incarnation of this
|
||
* class.
|
||
*
|
||
* @return void
|
||
*/
|
||
abstract public function persistTokens();
|
||
/**
|
||
* Drops the token with the ID $tokenId.
|
||
*
|
||
* If there is no token with that ID, this function is a no-op.
|
||
*
|
||
* Note: This function does not persist the tokens.
|
||
*
|
||
* @param string $tokenId
|
||
* the 32-character ID of an existing token, must not be empty
|
||
*
|
||
* @return void
|
||
*/
|
||
protected function dropToken($tokenId) {
|
||
if (isset($this->tokens[$tokenId])) {
|
||
unset($this->tokens[$tokenId]);
|
||
}
|
||
}
|
||
/**
|
||
* Checks whether the number of current tokens still is at most
|
||
* $this->maximumNumberOfTokens.
|
||
*
|
||
* If there are more tokens, the oldest tokens are removed until the number
|
||
* of tokens is low enough.
|
||
*
|
||
* Note: This function does not persist the tokens.
|
||
*
|
||
* @return void
|
||
*/
|
||
protected function preventOverflow() {
|
||
if (empty($this->tokens)) {
|
||
return;
|
||
}
|
||
while (count($this->tokens) > $this->maximumNumberOfTokens) {
|
||
reset($this->tokens);
|
||
$this->dropToken(key($this->tokens));
|
||
}
|
||
}
|
||
}
|
||
?>
|
typo3/sysext/install/Resources/Private/Templates/AlterPasswordForm.html (working copy) | ||
---|---|---|
</li>
|
||
<li class="t3-install-hidden">
|
||
<input type="hidden" name="installToolPassword_md5" value="1" />
|
||
<input type="hidden" name="formToken" value="###FORMTOKEN###" />
|
||
</li>
|
||
</ol>
|
||
</fieldset>
|
typo3/sysext/install/mod/class.tx_install_formprotection.php (revision 0) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee <typo3-coding@oliverklee.de>
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Class tx_install_FormProtection.
|
||
*
|
||
* This class provides protection against cross-site request forgery (XSRF/CSRF)
|
||
* in the install tool.
|
||
*
|
||
*
|
||
* How to use this in the install tool:
|
||
*
|
||
* For each form in the install tool (or link that changes some data), create a
|
||
* token and insert is as a hidden form element. The name of the form element
|
||
* does not matter; you only need it to get the form token for verifying it.
|
||
*
|
||
* <pre>
|
||
* $formToken = $this->formProtection->generateToken(
|
||
* 'installToolPassword', 'change'
|
||
* );
|
||
* // then puts the generated form token in a hidden field in the template
|
||
* </pre>
|
||
*
|
||
* The three parameters $formName, $action and $formInstanceName can be
|
||
* arbitrary strings, but they should make the form token as specific as
|
||
* possible. For different forms (e.g. the password change and editing a the
|
||
* configuration), those values should be different.
|
||
*
|
||
* At the end of the form, you need to persist the tokens. This makes sure that
|
||
* generated tokens get saved, and also that removed tokens stay removed:
|
||
*
|
||
* <pre>
|
||
* $this->formProtection()->persistTokens();
|
||
* </pre>
|
||
*
|
||
*
|
||
* When processing the data that has been submitted by the form, you can check
|
||
* that the form token is valid like this:
|
||
*
|
||
* <pre>
|
||
* if ($dataHasBeenSubmitted && $this->formProtection()->validateToken(
|
||
* (string) $_POST['formToken'],
|
||
* 'installToolPassword',
|
||
* 'change'
|
||
* ) {
|
||
* // processes the data
|
||
* } else {
|
||
* // no need to do anything here as the install tool form protection will
|
||
* // create an error message for an invalid token
|
||
* }
|
||
* </pre>
|
||
*
|
||
* Note that validateToken invalidates the token with the token ID. So calling
|
||
* validate with the same parameters two times in a row will always return FALSE
|
||
* for the second call.
|
||
*
|
||
* It is important that the tokens get validated <em>before</em> the tokens are
|
||
* persisted. This makes sure that the tokens that get invalidated by
|
||
* validateToken cannot be used again.
|
||
*
|
||
* $Id$
|
||
*
|
||
* @package TYPO3
|
||
* @subpackage t3lib
|
||
*
|
||
* @author Oliver Klee <typo3-coding@oliverklee.de>
|
||
*/
|
||
class tx_install_FormProtection extends t3lib_formProtection_Abstract {
|
||
/**
|
||
* the maximum number of tokens that can exist at the same time
|
||
*
|
||
* @var integer
|
||
*/
|
||
protected $maximumNumberOfTokens = 100;
|
||
/**
|
||
* an instance of the install tool used for displaying messages
|
||
*
|
||
* @var tx_install
|
||
*/
|
||
protected $installTool = NULL;
|
||
/**
|
||
* Frees as much memory as possible.
|
||
*/
|
||
public function __destruct() {
|
||
$this->installTool = NULL;
|
||
parent::__destruct();
|
||
}
|
||
/**
|
||
* Injects the current instance of the install tool.
|
||
*
|
||
* This instance will be used for displaying messages.
|
||
*
|
||
* @param tx_install $installTool the current instance of the install tool
|
||
*
|
||
* @return void
|
||
*/
|
||
public function injectInstallTool(tx_install $installTool) {
|
||
$this->installTool = $installTool;
|
||
}
|
||
/**
|
||
* Creates or displayes an error message telling the user that the submitted
|
||
* form token is invalid.
|
||
*
|
||
* @return void
|
||
*/
|
||
protected function createValidationErrorMessage() {
|
||
$this->installTool->addErrorMessage(
|
||
'Validating the security token of this form has failed. ' .
|
||
'Please reload the form and submit it again.'
|
||
);
|
||
}
|
||
/**
|
||
* Retrieves all saved tokens.
|
||
*
|
||
* @return array<array>
|
||
* the saved tokens, will be empty if no tokens have been saved
|
||
*/
|
||
protected function retrieveTokens() {
|
||
if (isset($_SESSION['installToolFormTokens'])
|
||
&& is_array($_SESSION['installToolFormTokens'])
|
||
) {
|
||
$this->tokens = $_SESSION['installToolFormTokens'];
|
||
} else {
|
||
$this->tokens = array();
|
||
}
|
||
}
|
||
/**
|
||
* Saves the tokens so that they can be used by a later incarnation of this
|
||
* class.
|
||
*
|
||
* @return void
|
||
*/
|
||
public function persistTokens() {
|
||
$_SESSION['installToolFormTokens'] = $this->tokens;
|
||
}
|
||
}
|
||
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/install/mod/class.tx_install_formprotection.php']) {
|
||
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/install/mod/class.tx_install_formprotection.php']);
|
||
}
|
||
?>
|
typo3/sysext/install/mod/class.tx_install.php (working copy) | ||
---|---|---|
/**
|
||
* Install Tool module
|
||
*
|
||
* $Id$
|
||
*
|
||
* @author Kasper Skårhøj <kasperYYYY@typo3.com>
|
||
* @author Ingmar Schlecht <ingmar@typo3.org>
|
||
* @package TYPO3
|
||
... | ... | |
*/
|
||
protected $session = NULL;
|
||
/**
|
||
* the form protection instance used for creating and verifying form tokens
|
||
*
|
||
* @var tx_install_FormProtection
|
||
*/
|
||
protected $formProtection = NULL;
|
||
var $menuitems = array(
|
||
'config' => 'Basic Configuration',
|
||
'database' => 'Database Analyser',
|
||
... | ... | |
if($this->redirect_url) {
|
||
t3lib_utility_Http::redirect($this->redirect_url);
|
||
}
|
||
$this->formProtection = t3lib_formProtection_Factory::get(
|
||
'tx_install_FormProtection'
|
||
);
|
||
$this->formProtection->injectInstallTool($this);
|
||
} else {
|
||
$this->loginForm();
|
||
}
|
||
... | ... | |
TRUE,
|
||
TRUE
|
||
);
|
||
// Send content to the page wrapper function
|
||
$this->output($this->outputWrapper($content));
|
||
}
|
||
... | ... | |
if (is_file($enableInstallToolFile) && trim(file_get_contents($enableInstallToolFile)) !== 'KEEP_FILE') {
|
||
unlink(PATH_typo3conf . 'ENABLE_INSTALL_TOOL');
|
||
}
|
||
$this->formProtection->clean();
|
||
$this->session->destroySession();
|
||
t3lib_utility_Http::redirect($this->scriptSelf);
|
||
break;
|
||
... | ... | |
break;
|
||
}
|
||
}
|
||
$this->formProtection->persistTokens();
|
||
}
|
||
/**
|
||
... | ... | |
$doit=1;
|
||
if ($k=='BE' && $vk=='installToolPassword') {
|
||
if ($value) {
|
||
if (isset($_POST['installToolPassword_check']) && (!t3lib_div::_GP('installToolPassword_check') || strcmp(t3lib_div::_GP('installToolPassword_check'),$value))) {
|
||
$doit=0;
|
||
$this->errorMessages[] = '
|
||
The two passwords did not
|
||
match! The password was not
|
||
changed.
|
||
';
|
||
if (isset($_POST['installToolPassword_check'])) {
|
||
if (!$this->formProtection->validateToken(
|
||
(string) $_POST['formToken'],
|
||
'installToolPassword',
|
||
'change'
|
||
)) {
|
||
$doit = FALSE;
|
||
break;
|
||
}
|
||
if (!t3lib_div::_GP('installToolPassword_check')
|
||
|| strcmp(t3lib_div::_GP('installToolPassword_check'), $value)
|
||
) {
|
||
$doit = FALSE;
|
||
$this->errorMessages[]
|
||
= 'The two passwords did not ' .
|
||
'match! The password was not changed.';
|
||
}
|
||
}
|
||
if (t3lib_div::_GP('installToolPassword_md5')) $value =md5($value);
|
||
} else $doit=0;
|
||
... | ... | |
'action' => $this->scriptSelf.'?TYPO3_INSTALL[type]=extConfig',
|
||
'enterPassword' => 'Enter new password:',
|
||
'enterAgain' => 'Enter again:',
|
||
'submit' => 'Set new password'
|
||
'submit' => 'Set new password',
|
||
'formToken' => $this->formProtection->generateToken(
|
||
'installToolPassword', 'change'
|
||
),
|
||
);
|
||
// Fill the markers
|
||
$content = t3lib_parsehtml::substituteMarkerArray(
|
||
... | ... | |
$bytes = t3lib_div::generateRandomBytes($keyLength);
|
||
return substr(bin2hex($bytes), -96);
|
||
}
|
||
/**
|
||
* Adds an error message that should be displayed.
|
||
*
|
||
* @param string $messageText
|
||
* the text of the message to display, must not be empty
|
||
*/
|
||
public function addErrorMessage($messageText) {
|
||
if ($messageText == '') {
|
||
throw new InvalidArgumentException('$messageText must not be empty.');
|
||
}
|
||
$this->errorMessages[] = $messageText;
|
||
}
|
||
}
|
||
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/install/mod/class.tx_install.php']) {
|
typo3/sysext/install/ext_autoload.php (working copy) | ||
---|---|---|
<?php
|
||
/*
|
||
* Register necessary class names with autoloader
|
||
*
|
||
* $Id$
|
||
*/
|
||
// DO NOT CHANGE THIS FILE! It is automatically generated by extdeveval::buildAutoloadRegistry.
|
||
// This file was generated on 2010-09-22 09:06
|
||
$extensionPath = t3lib_extMgm::extPath('install');
|
||
return array(
|
||
'tx_install_report_installstatus' => t3lib_extMgm::extPath('install', 'report/class.tx_install_report_installstatus.php'),
|
||
'tx_install' => $extensionPath . 'mod/class.tx_install.php',
|
||
'tx_install_ajax' => $extensionPath . 'mod/class.tx_install_ajax.php',
|
||
'tx_install_formprotection' => $extensionPath . 'mod/class.tx_install_formprotection.php',
|
||
'tx_install_session' => $extensionPath . 'mod/class.tx_install_session.php',
|
||
'tx_install_report_installstatus' => $extensionPath . 'report/class.tx_install_report_installstatus.php',
|
||
);
|
||
?>
|
typo3/sysext/setup/mod/index.php (working copy) | ||
---|---|---|
/**
|
||
* If settings are submitted to _POST[DATA], store them
|
||
* NOTICE: This method is called before the template.php is included. See buttom of document
|
||
*
|
||
* @return void
|
||
* NOTICE: This method is called before the template.php is included. See
|
||
* bottom of document.
|
||
*/
|
||
function storeIncomingData() {
|
||
public function storeIncomingData() {
|
||
/* @var $BE_USER t3lib_beUserAuth */
|
||
global $BE_USER;
|
||
... | ... | |
$storeRec = array();
|
||
$fieldList = $this->getFieldsFromShowItem();
|
||
if (is_array($d)) {
|
||
$formProtection = t3lib_formProtection_Factory::get(
|
||
't3lib_formProtection_Backend'
|
||
);
|
||
if (is_array($d) && $formProtection->validateToken(
|
||
(string) t3lib_div::_POST('formToken'),
|
||
'BE user setup', 'edit'
|
||
)
|
||
) {
|
||
// UC hashed before applying changes
|
||
$save_before = md5(serialize($BE_USER->uc));
|
||
... | ... | |
$this->content .= $this->doc->spacer(20) . $this->doc->getDynTabMenu($menuItems, 'user-setup', false, false, 100, 1, false, 1, $this->dividers2tabs);
|
||
$formProtection = t3lib_formProtection_Factory::get(
|
||
't3lib_formProtection_Backend'
|
||
);
|
||
$formToken = $formProtection->generateToken('BE user setup', 'edit');
|
||
// Submit and reset buttons
|
||
$this->content .= $this->doc->spacer(20);
|
||
$this->content .= $this->doc->section('',
|
||
t3lib_BEfunc::cshItem('_MOD_user_setup', 'reset', $BACK_PATH) . '
|
||
<input type="hidden" name="simUser" value="'.$this->simUser.'" />
|
||
<input type="hidden" name="formToken" value="' . $formToken . '" />
|
||
<input type="submit" name="data[save]" value="'.$LANG->getLL('save').'" />
|
||
<input type="submit" name="data[setValuesToDefault]" value="'.$LANG->getLL('resetConfiguration').'" onclick="return confirm(\''.$LANG->getLL('setToStandardQuestion').'\');" />
|
||
<input type="submit" name="data[clearSessionVars]" value="' . $LANG->getLL('clearSessionVars') . '" onclick="return confirm(\'' . $LANG->getLL('clearSessionVarsQuestion') . '\');" />'
|
||
);
|
||
// Notice
|
||
$this->content .= $this->doc->spacer(30);
|
||
$flashMessage = t3lib_div::makeInstance(
|
||
... | ... | |
$SOBE->main();
|
||
$SOBE->printContent();
|
||
t3lib_formProtection_Factory::get('t3lib_formProtection_Backend')
|
||
->persistTokens();
|
||
?>
|
typo3/sysext/lang/locallang_core.xml (working copy) | ||
---|---|---|
<label index="warning.memcache_not_usable">Memcache is configured, but connection to memcached failed with these configuration(s):</label>
|
||
<label index="warning.file_missing">File is missing!</label>
|
||
<label index="warning.file_missing_text">This content element references a file which seems to not exist:</label>
|
||
<label index="error.formProtection.tokenInvalid">Validating the security token of this form has failed. Please reload the form and submit it again.</label>
|
||
<label index="toolbarItems.shortcuts">Shortcuts</label>
|
||
<label index="toolbarItems.shortcut">Shortcut</label>
|
||
<label index="toolbarItems.shortcutsGroup">Shortcut Group</label>
|
tests/t3lib/t3lib_beuserauthTest.php (revision 0) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee (typo3-coding@oliverklee.de)
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
/**
|
||
* Testcase for the t3lib_beUserAuth class in the TYPO3 Core extension.
|
||
*
|
||
* @package TYPO3
|
||
* @subpackage t3lib
|
||
*
|
||
* @author Oliver Klee <typo3-coding@oliverklee.de>
|
||
*/
|
||
class t3lib_beUserAuthTest extends tx_phpunit_testcase {
|
||
/**
|
||
* @var t3lib_beUserAuth
|
||
*/
|
||
private $fixture = NULL;
|
||
public function setUp() {
|
||
$this->fixture = new t3lib_beUserAuth();
|
||
}
|
||
public function tearDown() {
|
||
unset($this->fixture);
|
||
t3lib_formProtection_Factory::purgeInstances();
|
||
}
|
||
/////////////////////////////////////////
|
||
// Tests concerning the form protection
|
||
/////////////////////////////////////////
|
||
/**
|
||
* @test
|
||
*/
|
||
public function logoffCleansFormProtection() {
|
||
$formProtection = $this->getMock(
|
||
't3lib_formProtection_Backend', array('clean')
|
||
);
|
||
$formProtection->expects($this->atLeastOnce())->method('clean');
|
||
t3lib_formProtection_Factory::set(
|
||
't3lib_formProtection_Backend', $formProtection
|
||
);
|
||
$this->fixture->logoff();
|
||
}
|
||
}
|
||
?>
|
tests/t3lib/formprotection/t3lib_formProtection_FactoryTest.php (revision 0) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee (typo3-coding@oliverklee.de)
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
require_once('fixtures/class.t3lib_formprotection_testing.php');
|
||
/**
|
||
* Testcase for the t3lib_formProtection_Factory class.
|
||
*
|
||
* $Id$
|
||
*
|
||
* @package TYPO3
|
||
* @subpackage t3lib
|
||
*
|
||
* @author Oliver Klee <typo3-coding@oliverklee.de>
|
||
* @author Ernesto Baschny <ernst@cron-it.de>
|
||
*/
|
||
class t3lib_formProtection_FactoryTest extends tx_phpunit_testcase {
|
||
public function setUp() {
|
||
}
|
||
public function tearDown() {
|
||
t3lib_formProtection_Factory::purgeInstances();
|
||
}
|
||
/////////////////////////
|
||
// Tests concerning get
|
||
/////////////////////////
|
||
/**
|
||
* @test
|
||
*
|
||
* @expectedException InvalidArgumentException
|
||
*/
|
||
public function getForInexistentClassThrowsException() {
|
||
t3lib_formProtection_Factory::get('noSuchClass');
|
||
}
|
||
/**
|
||
* @test
|
||
*
|
||
* @expectedException InvalidArgumentException
|
||
*/
|
||
public function getForClassThatIsNoFormProtectionSubclassThrowsException() {
|
||
t3lib_formProtection_Factory::get('t3lib_formProtection_FactoryTest');
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function getForTypeBackEndWithExistingBackEndReturnsBackEndFormProtection() {
|
||
$this->assertTrue(
|
||
t3lib_formProtection_Factory::get(
|
||
't3lib_formProtection_Backend'
|
||
) instanceof t3lib_formProtection_Backend
|
||
);
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function getForTypeBackEndCalledTwoTimesReturnsTheSameInstance() {
|
||
$this->assertSame(
|
||
t3lib_formProtection_Factory::get(
|
||
't3lib_formProtection_Backend'
|
||
),
|
||
t3lib_formProtection_Factory::get(
|
||
't3lib_formProtection_Backend'
|
||
)
|
||
);
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function getForTypeInstallToolReturnsInstallToolFormProtection() {
|
||
$this->assertTrue(
|
||
t3lib_formProtection_Factory::get(
|
||
'tx_install_FormProtection'
|
||
) instanceof tx_install_FormProtection
|
||
);
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function getForTypeInstallToolCalledTwoTimesReturnsTheSameInstance() {
|
||
$this->assertSame(
|
||
t3lib_formProtection_Factory::get(
|
||
'tx_install_FormProtection'
|
||
),
|
||
t3lib_formProtection_Factory::get(
|
||
'tx_install_FormProtection'
|
||
)
|
||
);
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function getForTypesInstallToolAndBackEndReturnsDifferentInstances() {
|
||
$this->assertNotSame(
|
||
t3lib_formProtection_Factory::get(
|
||
'tx_install_FormProtection'
|
||
),
|
||
t3lib_formProtection_Factory::get(
|
||
't3lib_formProtection_Backend'
|
||
)
|
||
);
|
||
}
|
||
/////////////////////////
|
||
// Tests concerning set
|
||
/////////////////////////
|
||
/**
|
||
* @test
|
||
*/
|
||
public function setSetsInstanceForType() {
|
||
$instance = new t3lib_formProtection_Testing();
|
||
t3lib_formProtection_Factory::set(
|
||
't3lib_formProtection_Backend', $instance
|
||
);
|
||
$this->assertSame(
|
||
$instance,
|
||
t3lib_formProtection_Factory::get(
|
||
't3lib_formProtection_Backend'
|
||
)
|
||
);
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function setNotSetsInstanceForOtherType() {
|
||
$instance = new t3lib_formProtection_Testing();
|
||
t3lib_formProtection_Factory::set(
|
||
't3lib_formProtection_Backend', $instance
|
||
);
|
||
$this->assertNotSame(
|
||
$instance,
|
||
t3lib_formProtection_Factory::get(
|
||
'tx_install_FormProtection'
|
||
)
|
||
);
|
||
}
|
||
}
|
||
?>
|
tests/t3lib/formprotection/t3lib_formProtection_AbstractTest.php (revision 0) | ||
---|---|---|
<?php
|
||
/***************************************************************
|
||
* Copyright notice
|
||
*
|
||
* (c) 2010 Oliver Klee (typo3-coding@oliverklee.de)
|
||
* All rights reserved
|
||
*
|
||
* This script is part of the TYPO3 project. The TYPO3 project is
|
||
* free software; you can redistribute it and/or modify
|
||
* it under the terms of the GNU General Public License as published by
|
||
* the Free Software Foundation; either version 2 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* The GNU General Public License can be found at
|
||
* http://www.gnu.org/copyleft/gpl.html.
|
||
*
|
||
* This script is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU General Public License for more details.
|
||
*
|
||
* This copyright notice MUST APPEAR in all copies of the script!
|
||
***************************************************************/
|
||
require_once('fixtures/class.t3lib_formprotection_testing.php');
|
||
/**
|
||
* Testcase for the t3lib_formProtection_Abstract class.
|
||
*
|
||
* $Id$
|
||
*
|
||
* @package TYPO3
|
||
* @subpackage t3lib
|
||
*
|
||
* @author Oliver Klee <typo3-coding@oliverklee.de>
|
||
*/
|
||
class t3lib_formProtection_AbstractTest extends tx_phpunit_testcase {
|
||
/**
|
||
* @var t3lib_formProtection_Testing
|
||
*/
|
||
private $fixture;
|
||
public function setUp() {
|
||
$this->fixture = new t3lib_formProtection_Testing();
|
||
}
|
||
public function tearDown() {
|
||
$this->fixture->__destruct();
|
||
unset($this->fixture);
|
||
}
|
||
/////////////////////////////////////////
|
||
// Tests concerning the basic functions
|
||
/////////////////////////////////////////
|
||
/**
|
||
* @test
|
||
*/
|
||
public function constructionRetrievesTokens() {
|
||
$className = uniqid('t3lib_formProtection');
|
||
eval(
|
||
'class ' . $className . ' extends t3lib_formProtection_Testing {' .
|
||
'public $tokensHaveBeenRetrieved = FALSE; ' .
|
||
'protected function retrieveTokens() {' .
|
||
'$this->tokensHaveBeenRetrieved = TRUE;' .
|
||
'}' .
|
||
'}'
|
||
);
|
||
$fixture = new $className();
|
||
$this->assertTrue(
|
||
$fixture->tokensHaveBeenRetrieved
|
||
);
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function cleanMakesTokenInvalid() {
|
||
$formName = 'foo';
|
||
$tokenId = $this->fixture->generateToken($formName);
|
||
$this->fixture->clean();
|
||
$this->assertFalse(
|
||
$this->fixture->validateToken($tokenId, $formName)
|
||
);
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function cleanPersistsTokens() {
|
||
$fixture = $this->getMock(
|
||
't3lib_formProtection_Testing', array('persistTokens')
|
||
);
|
||
$fixture->expects($this->once())->method('persistTokens');
|
||
$fixture->clean();
|
||
}
|
||
///////////////////////////////////
|
||
// Tests concerning generateToken
|
||
///////////////////////////////////
|
||
/**
|
||
* @test
|
||
*/
|
||
public function generateTokenFormForEmptyFormNameThrowsException() {
|
||
$this->setExpectedException(
|
||
'InvalidArgumentException', '$formName must not be empty.'
|
||
);
|
||
$this->fixture->generateToken('', 'edit', 'bar');
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function generateTokenFormForEmptyActionNotThrowsException() {
|
||
$this->fixture->generateToken('foo', '', '42');
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function generateTokenFormForEmptyFormInstanceNameNotThrowsException() {
|
||
$this->fixture->generateToken('foo', 'edit', '');
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function generateTokenFormForOmittedActionAndFormInstanceNameNotThrowsException() {
|
||
$this->fixture->generateToken('foo');
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function generateTokenReturns32CharacterHexToken() {
|
||
$this->assertRegexp(
|
||
'/^[0-9a-f]{32}$/',
|
||
$this->fixture->generateToken('foo')
|
||
);
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function generateTokenCalledTwoTimesWithSameParametersReturnsDifferentTokens() {
|
||
$this->assertNotEquals(
|
||
$this->fixture->generateToken('foo', 'edit', 'bar'),
|
||
$this->fixture->generateToken('foo', 'edit', 'bar')
|
||
);
|
||
}
|
||
/**
|
||
* @test
|
||
*/
|
||
public function generatingTooManyTokensInvalidatesOldestToken() {
|
||
$this->fixture->setMaximumNumberOfTokens(2);
|
||
$formName = 'foo';
|
||
$token1 = $this->fixture->generateToken($formName);
|
||
$token2 = $this->fixture->generateToken($formName);
|
||
$token3 = $this->fixture->generateToken($formName);
|
- « Previous
- 1
- …
- 4
- 5
- 6
- Next »