author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2018-02-28 16:34:20 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-28 16:34:20 +0300 |
commit | 2c6f3c88cfd4db5f7a1c43f205f25667868046de (patch) | |
tree | cc0437b3a4e3bc318dc0615c7a735eae03de0e30 /tests | |
parent | d33a93c6f95ce88da599ce5df6026f83b92b42dc (diff) | |
parent | 55d5868da50c833e8d620bb1dadb5b82e19ac0e8 (diff) |
Merge pull request #8099 from nextcloud/7873_13
[stable13] Don't perform CSRF check on OCS routes with Bearer auth
Diffstat (limited to 'tests')
-rw-r--r-- | tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php | 28 |
1 files changed, 20 insertions, 8 deletions
diff --git a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
index 151d6935e7f..d0f4eca18e8 100644
--- a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
@@ -387,11 +387,15 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 ->getMock();
 return [
- [$controller, false, true],
- [$controller, true, true],
-
- [$ocsController, false, true],
- [$ocsController, true, false],
+ [$controller, false, false, true],
+ [$controller, false, true, true],
+ [$controller, true, false, true],
+ [$controller, true, true, true],
+
+ [$ocsController, false, false, true],
+ [$ocsController, false, true, false],
+ [$ocsController, true, false, false],
+ [$ocsController, true, true, false],
 ];
 }
@@ -399,13 +403,21 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 * @dataProvider dataCsrfOcsController
 * @param Controller $controller
 * @param bool $hasOcsApiHeader
+ * @param bool $hasBearerAuth
 * @param bool $exception
 */
- public function testCsrfOcsController(Controller $controller, $hasOcsApiHeader, $exception) {
+ public function testCsrfOcsController(Controller $controller, $hasOcsApiHeader, $hasBearerAuth, $exception) {
 $this->request
 ->method('getHeader')
- ->with('OCS-APIREQUEST')
- ->willReturn($hasOcsApiHeader ? 'true' : null);
+ ->will(self::returnCallback(function ($header) use ($hasOcsApiHeader, $hasBearerAuth) {
+ if ($header === 'OCS-APIREQUEST' && $hasOcsApiHeader) {
+ return 'true';
+ }
+ if ($header === 'Authorization' && $hasBearerAuth) {
+ return 'Bearer TOKEN!';
+ }
+ return '';
+ }));
 $this->request->expects($this->once())
 ->method('passesStrictCookieCheck')
 ->willReturn(true); |
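Review bot: The new getHeader callback only ever answers `Authorization` with `'Bearer TOKEN!'` or `''`, so no dataset pins that a non-Bearer Authorization value on an OCSController without OCS-APIREQUEST still raises the CSRF exception, and given the PR title that boundary is the one most worth locking down. Passing the raw header value through the provider's third column instead of a bool makes such a row a one-line addition (sketched below, with the bool rows in the first hunk converted to `''` / `'Bearer TOKEN!'`), and `willReturnCallback` replaces the older `will(self::returnCallback(...))` form. Absent headers are now stubbed as `''` where the previous stub returned `null`; which of the two the real request object returns is not visible in this hunk, so the stub should be checked against it rather than assumed. The datasets in the first hunk are unnamed positional booleans, so a failing row reports only its index; keyed datasets such as `'ocs controller, bearer auth, no api header' => [...]` would make failures readable. testCsrfOcsController continues past the end of the second hunk.
```php
// … data provider: third column is now the raw Authorization header value …
[$ocsController, false, 'Bearer TOKEN!', false],
[$ocsController, false, 'Basic dXNlcjpwYXNz', true], // constructed sample: non-Bearer auth must not bypass CSRF
// … unchanged: remaining rows …

public function testCsrfOcsController(Controller $controller, $hasOcsApiHeader, $authHeader, $exception) {
    $this->request
        ->method('getHeader')
        ->willReturnCallback(function ($header) use ($hasOcsApiHeader, $authHeader) {
            if ($header === 'OCS-APIREQUEST' && $hasOcsApiHeader) {
                return 'true';
            }
            if ($header === 'Authorization') {
                return $authHeader;
            }
            return '';
        });
    // … unchanged: passesStrictCookieCheck expectation and the rest of the test …
```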