Bug #36659

Functional test sees account roles from previous test

Added by Robert Lemke over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Must have
Assignee:
Category: Security
Start date: 2012-04-27
Due date:
% Done: 100%
PHP Version: 5.3
Has patch: No
Complexity: medium

Description

If testable security is used in a functional test case, a user is still authenticated with the roles of a previous test if the current test doesn't do any new authentication. This is due to a session being kept across test boundaries.

    /**
     * @test
     */
    public function publicActionIsGrantedForAdministrator() {
        // Authenticates an account carrying the Administrator role for this test.
        // The roles live in the session, which (before the fix) outlives the test.
        $this->authenticateRoles(array('Administrator'));
        $this->restrictedController->publicAction();
    }

    /**
     * @test
     * @expectedException \TYPO3\FLOW3\Security\Exception\AuthenticationRequiredException
     */
    public function customerActionIsDeniedForEverybody() {
        // No authentication here, so the call is expected to fail with
        // AuthenticationRequiredException. It does not, because the Administrator
        // role from the previous test is still active in the shared session.
        $this->restrictedController->customerAction();
    }

The second test will fail because the role "Administrator" is still active. If the second test called $this->authenticateRoles(array()); it would actually work.

Associated revisions

Revision 09dba14b (diff)
Added by Robert Lemke over 7 years ago

[BUGFIX] Fix MethodSecurity functional test

After #36659 was fixed, the session handling works
as expected. That means, however, that if no account
is logged in, an AuthorizationRequiredException is
thrown on trying to access a restricted method.
The tests, however, anticipated an AccessDeniedException.

Change-Id: I6a7d9f8a75a1614ba1511e538fe5aad9c4c30f1f
Related: #36626
Related: #36659
Releases: 1.1

Revision 41a5fa00 (diff)
Added by Robert Lemke over 7 years ago

[!!!][BUGFIX] Fix session handling in functional tests

Sessions were kept across test boundaries which had bad
side effects on, for example, authentication: previously
authenticated roles were still active during the following
test under certain circumstances.

This patch makes sure that sessions are destroyed after
each functional test.

It also introduces a previously missing parameter into the
destroy() method signature of the SessionInterface. If you
implemented your own session handler, you need to adjust the
destroy() method accordingly.

Change-Id: Ic455da8fbc79e864068874d3247d0d4ebeb8c87b
Resolves: #36659
Releases: 1.1
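To make the ordering dependency from the description and the two revisions above concrete, here is an added Python model (constructed for this page; it is not FLOW3 code and uses none of its API): roles are stored in a session, one session object is shared by the whole suite, and a tearDown step that destroys the session removes the leak. It runs the ticket's two tests plus a third one that forgot to authenticate, once with the leaking harness and once with the session destroyed after every test. The policy, the controller, the third test and the name of the argument passed to destroy() are all assumptions made for the example.

```python
"""Model of #36659: roles live in a session, the session outlives a functional
test, and the next test inherits them. Constructed example, not FLOW3 code."""


class AuthenticationRequiredException(Exception):
    """Raised when no account is authenticated at all."""


class AccessDeniedException(Exception):
    """Raised when an account is authenticated but lacks a required role."""


class Session:
    """One session object for the whole suite; before the fix nothing cleared it."""

    def __init__(self):
        self.roles = set()

    def destroy(self, reason):
        # The fixed SessionInterface::destroy() gained a parameter; the page does
        # not name it, so "reason" is an assumption and is informational only here.
        self.roles = set()


class SecurityContext:
    """Authenticated roles are read from the session on every access check."""

    def __init__(self, session):
        self.session = session

    def authenticate_roles(self, roles):
        self.session.roles = set(roles)

    def check_access(self, allowed_roles):
        if not self.session.roles:
            raise AuthenticationRequiredException("no account is authenticated")
        if not self.session.roles & allowed_roles:
            raise AccessDeniedException("authenticated roles lack %s" % sorted(allowed_roles))


# Assumed policy for the restricted controller used in the ticket's tests.
POLICY = {
    "publicAction": {"Administrator", "Customer"},
    "customerAction": {"Customer"},
}


class RestrictedController:
    def __init__(self, context):
        self.context = context

    def call(self, action):
        self.context.check_access(POLICY[action])
        return action + " executed"


class FunctionalTestCase:
    """Stand-in for the functional test base class: what a test body can touch."""

    def __init__(self, context):
        self.context = context
        self.restricted_controller = RestrictedController(context)

    def authenticate_roles(self, roles):
        self.context.authenticate_roles(roles)


# The ticket's two tests, plus one that forgot to authenticate: the dangerous
# case, because under the leaking harness it passes on another test's roles.
def public_action_is_granted_for_administrator(t):
    t.authenticate_roles({"Administrator"})
    t.restricted_controller.call("publicAction")


def public_action_is_granted_for_customer(t):
    # Deliberately broken test: the authenticate_roles({"Customer"}) call is missing.
    t.restricted_controller.call("publicAction")


def customer_action_is_denied_for_everybody(t):
    t.restricted_controller.call("customerAction")


SUITE = [
    # (test body, exception the test expects, like @expectedException)
    (public_action_is_granted_for_administrator, None),
    (public_action_is_granted_for_customer, None),
    (customer_action_is_denied_for_everybody, AuthenticationRequiredException),
]


def run_suite(suite, destroy_session_after_each_test):
    """Run the suite in order against one shared Session; return name -> outcome."""
    session = Session()
    outcomes = {}
    for body, expected in suite:
        test_case = FunctionalTestCase(SecurityContext(session))
        try:
            body(test_case)
            raised = None
        except (AuthenticationRequiredException, AccessDeniedException) as exc:
            raised = type(exc)
        if raised is expected:
            outcomes[body.__name__] = "pass"
        else:
            outcomes[body.__name__] = "fail: raised " + (raised.__name__ if raised else "nothing")
        if destroy_session_after_each_test:
            session.destroy("functional test finished")  # the fix: tearDown kills the session
    return outcomes


if __name__ == "__main__":
    for fixed in (False, True):
        print("session destroyed after each test:", fixed)
        for name, outcome in run_suite(SUITE, fixed).items():
            print("  %s: %s" % (name, outcome))
```

With the leaking harness the third test fails with AccessDeniedException instead of the expected AuthenticationRequiredException (the leftover Administrator account exists but has no Customer role), which is exactly why the MethodSecurity tests in revision 09dba14b had been written to expect AccessDeniedException. The broken second test passes silently on the leaked role and is only exposed once the session is destroyed between tests. The ticket's workaround, calling authenticateRoles(array()) at the start of a test, corresponds to authenticate_roles(set()) in this model: it clears the roles for that one test but leaves every other test still dependent on what ran before it.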

History

#1 Updated by Gerrit Code Review over 7 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10825

#2 Updated by Gerrit Code Review over 7 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10825

#3 Updated by Robert Lemke over 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
