Commit
fix(ajax): forms in the admin namespace are protected
All forms in the view namespace 'forms/admin' are now protected by an AdminGatekeeper for AJAX requests to 'ajax/form/admin/'. This is in line with the existing protection of requests to 'ajax/view/admin/'.
Showing
9 changed files
with
205 additions
and
1 deletion.
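--- a/engine/tests/phpunit/integration/Elgg/Ajax/ControllerIntegrationTest.php
+++ b/engine/tests/phpunit/integration/Elgg/Ajax/ControllerIntegrationTest.php
@@ -0,0 +1,164 @@
+<?php
+
+namespace Elgg\Ajax;
+
+use Elgg\IntegrationTestCase;
+
+class ControllerIntegrationTest extends IntegrationTestCase {
+
+/**
+ * @var \ElggUser
+ */
+protected $user;
+
+public function up() {
+$this->registerViews();
+}
+
+public function down() {
+elgg_get_session()->removeLoggedInUser();
+
+if (isset($this->user)) {
+elgg_call(ELGG_IGNORE_ACCESS, function() {
+$this->user->delete();
+});
+}
+}
+
+protected function prepareService(\Elgg\Http\Request $request) {
+$this->createApplication([
+'isolate' => true,
+'request' => $request,
+]);
+
+$this->registerViews();
+}
+
+protected function executeRequest(\Elgg\Http\Request $request, bool $prepare = true) {
+if ($prepare) {
+$this->prepareService($request);
+}
+
+return _elgg_services()->router->getResponse($request);
+}
+
+protected function registerViews() {
+$views_dir = $this->normalizeTestFilePath('views');
+_elgg_services()->views->autoregisterViews('', "{$views_dir}/default", 'default');
+
+elgg_register_ajax_view('ajax_test/registered');
+elgg_register_ajax_view('admin/ajax_test/registered');
+elgg_register_ajax_view('forms/ajax_test/registered');
+elgg_register_ajax_view('forms/admin/ajax_test/registered');
+}
+
+public function testCanLoadRegisteredAjaxView() {
+$request = $this->prepareHttpRequest('ajax/view/ajax_test/registered', 'GET', [], 1);
+
+$response = $this->executeRequest($request);
+$this->assertInstanceOf(\Elgg\Http\OkResponse::class, $response);
+$this->assertEquals('registered', $response->getContent());
+}
+
+public function testCantLoadRegisteredAjaxViewWithNonAjaxRequest() {
+$request = $this->prepareHttpRequest('ajax/view/ajax_test/registered');
+
+$this->expectException(\Elgg\Http\Exception\AjaxGatekeeperException::class);
+$this->executeRequest($request);
+}
+
+public function testCantLoadNonRegisteredAjaxView() {
+$this->assertTrue(elgg_view_exists('ajax_test/not_registered'));
+$request = $this->prepareHttpRequest('ajax/view/ajax_test/not_registered', 'GET', [], 1);
+
+$response = $this->executeRequest($request);
+$this->assertInstanceOf(\Elgg\Http\ErrorResponse::class, $response);
+}
+
+public function testCantAccessAdminAjaxViewLoggedOut() {
+$request = $this->prepareHttpRequest('ajax/view/admin/ajax_test/registered', 'GET', [], 1);
+
+$this->expectException(\Elgg\Http\Exception\LoggedInGatekeeperException::class);
+$this->executeRequest($request);
+}
+
+public function testCantAccessAdminAjaxViewAsNonAdmin() {
+$request = $this->prepareHttpRequest('ajax/view/admin/ajax_test/registered', 'GET', [], 1);
+
+$this->prepareService($request);
+
+$this->user = $user = $this->createUser();
+elgg_get_session()->setLoggedInUser($user);
+
+$this->expectException(\Elgg\Http\Exception\AdminGatekeeperException::class);
+$this->executeRequest($request, false);
+}
+
+public function testCanAccessAdminAjaxViewAsAdmin() {
+$request = $this->prepareHttpRequest('ajax/view/admin/ajax_test/registered', 'GET', [], 1);
+
+$this->prepareService($request);
+
+$user = $this->getAdmin();
+elgg_get_session()->setLoggedInUser($user);
+
+$response = $this->executeRequest($request, false);
+$this->assertInstanceOf(\Elgg\Http\OkResponse::class, $response);
+$this->assertEquals('registered', $response->getContent());
+}
+
+public function testCanLoadRegisteredAjaxForm() {
+$request = $this->prepareHttpRequest('ajax/form/ajax_test/registered', 'GET', [], 1);
+
+$response = $this->executeRequest($request);
+$this->assertInstanceOf(\Elgg\Http\OkResponse::class, $response);
+$this->assertStringContainsString('registered', $response->getContent());
+}
+
+public function testCantLoadRegisteredAjaxFormWithNonAjaxRequest() {
+$request = $this->prepareHttpRequest('ajax/form/ajax_test/registered');
+
+$this->expectException(\Elgg\Http\Exception\AjaxGatekeeperException::class);
+$this->executeRequest($request);
+}
+
+public function testCantLoadNonRegisteredAjaxForm() {
+$this->assertTrue(elgg_view_exists('ajax_test/not_registered'));
+$request = $this->prepareHttpRequest('ajax/form/ajax_test/not_registered', 'GET', [], 1);
+
+$response = $this->executeRequest($request);
+$this->assertInstanceOf(\Elgg\Http\ErrorResponse::class, $response);
+}
+
+public function testCantAccessAdminAjaxFormLoggedOut() {
+$request = $this->prepareHttpRequest('ajax/form/admin/ajax_test/registered', 'GET', [], 1);
+
+$this->expectException(\Elgg\Http\Exception\LoggedInGatekeeperException::class);
+$this->executeRequest($request);
+}
+
+public function testCantAccessAdminAjaxFormAsNonAdmin() {
+$request = $this->prepareHttpRequest('ajax/form/admin/ajax_test/registered', 'GET', [], 1);
+
+$this->prepareService($request);
+
+$this->user = $user = $this->createUser();
+elgg_get_session()->setLoggedInUser($user);
+
+$this->expectException(\Elgg\Http\Exception\AdminGatekeeperException::class);
+$this->executeRequest($request, false);
+}
+
+public function testCanAccessAdminAjaxFormAsAdmin() {
+$request = $this->prepareHttpRequest('ajax/form/admin/ajax_test/registered', 'GET', [], 1);
+
+$this->prepareService($request);
+
+$user = $this->getAdmin();
+elgg_get_session()->setLoggedInUser($user);
+
+$response = $this->executeRequest($request, false);
+$this->assertInstanceOf(\Elgg\Http\OkResponse::class, $response);
+$this->assertStringContainsString('registered', $response->getContent());
+}
+}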
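Review bot: The precondition in `testCantLoadNonRegisteredAjaxForm` checks the wrong view: it asserts `elgg_view_exists('ajax_test/not_registered')` while the request goes to `ajax/form/ajax_test/not_registered`, which, judging by how `forms/ajax_test/registered` is registered for the `ajax/form/ajax_test/registered` request, resolves to the `forms/ajax_test/not_registered` view this commit also adds as a fixture. As written the assertion is satisfied by the unrelated plain fixture and would not catch the form fixture going missing, so the test could silently turn into an "unknown view" case rather than an "unregistered view" case; change it to `$this->assertTrue(elgg_view_exists('forms/ajax_test/not_registered'));`. The admin-namespace cases do pin the two rejections that matter for the gate, logged-out and non-admin, for both `ajax/view/admin/` and `ajax/form/admin/`, which is the security-relevant part of the change. The two `ErrorResponse` assertions only check the class; if that response type exposes a status code, asserting it would distinguish the intended rejection of an unregistered view from any other failure that also yields an error response.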
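--- a/engine/tests/test_files/views/default/admin/ajax_test/registered.php
+++ b/engine/tests/test_files/views/default/admin/ajax_test/registered.php
@@ -0,0 +1,6 @@
+<?php
+/**
+ * Registered ajax view
+ */
+
+echo 'registered';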
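--- a/engine/tests/test_files/views/default/ajax_test/not_registered.php
+++ b/engine/tests/test_files/views/default/ajax_test/not_registered.php
@@ -0,0 +1,6 @@
+<?php
+/**
+ * Non registered ajax view
+ */
+
+echo 'not registered';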
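--- a/engine/tests/test_files/views/default/ajax_test/registered.php
+++ b/engine/tests/test_files/views/default/ajax_test/registered.php
@@ -0,0 +1,6 @@
+<?php
+/**
+ * Registered ajax view
+ */
+
+echo 'registered';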
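--- a/engine/tests/test_files/views/default/forms/admin/ajax_test/registered.php
+++ b/engine/tests/test_files/views/default/forms/admin/ajax_test/registered.php
@@ -0,0 +1,6 @@
+<?php
+/**
+ * Registered ajax view
+ */
+
+echo 'registered';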
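--- a/engine/tests/test_files/views/default/forms/ajax_test/not_registered.php
+++ b/engine/tests/test_files/views/default/forms/ajax_test/not_registered.php
@@ -0,0 +1,6 @@
+<?php
+/**
+ * Non registered ajax view
+ */
+
+echo 'not registered';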
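--- a/engine/tests/test_files/views/default/forms/ajax_test/registered.php
+++ b/engine/tests/test_files/views/default/forms/ajax_test/registered.php
@@ -0,0 +1,6 @@
+<?php
+/**
+ * Registered ajax view
+ */
+
+echo 'registered';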