fe45ba8752
Previously, there was no validation whatsoever and the module would happily write any preference you asked it to. This, combined with the fact that the code using the 'editfont' preference didn't perform any validation or escaping, led to a CSS injection vulnerability. Using Preferences::getPreferences breaks some existing test cases because a MockUser doesn't have groups for preferences. Change-Id: I98df55f2b16ac1b6fce578798b6f58b5dad96775
227 lines
5.8 KiB
PHP
227 lines
5.8 KiB
PHP
<?php
|
|
|
|
/**
|
|
* @group API
|
|
*/
|
|
class ApiOptionsTest extends MediaWikiLangTestCase {
|
|
|
|
private $mTested, $mUserMock, $mContext, $mSession;
|
|
|
|
private static $Success = array( 'options' => 'success' );
|
|
|
|
protected function setUp() {
|
|
parent::setUp();
|
|
|
|
$this->mUserMock = $this->getMockBuilder( 'User' )
|
|
->disableOriginalConstructor()
|
|
->getMock();
|
|
|
|
// Create a new context
|
|
$this->mContext = new DerivativeContext( new RequestContext() );
|
|
$this->mContext->setUser( $this->mUserMock );
|
|
|
|
$main = new ApiMain( $this->mContext );
|
|
|
|
// Empty session
|
|
$this->mSession = array();
|
|
|
|
$this->mTested = new ApiOptions( $main, 'options' );
|
|
}
|
|
|
|
private function getSampleRequest( $custom = array() ) {
|
|
$request = array(
|
|
'token' => '123ABC',
|
|
'change' => null,
|
|
'optionname' => null,
|
|
'optionvalue' => null,
|
|
);
|
|
return array_merge( $request, $custom );
|
|
}
|
|
|
|
private function executeQuery( $request ) {
|
|
$this->mContext->setRequest( new FauxRequest( $request, true, $this->mSession ) );
|
|
$this->mTested->execute();
|
|
return $this->mTested->getResult()->getData();
|
|
}
|
|
|
|
/**
|
|
* @expectedException UsageException
|
|
*/
|
|
public function testNoToken() {
|
|
$request = $this->getSampleRequest( array( 'token' => null ) );
|
|
|
|
$this->executeQuery( $request );
|
|
}
|
|
|
|
public function testAnon() {
|
|
$this->mUserMock->expects( $this->once() )
|
|
->method( 'isAnon' )
|
|
->will( $this->returnValue( true ) );
|
|
|
|
try {
|
|
$request = $this->getSampleRequest();
|
|
|
|
$this->executeQuery( $request );
|
|
} catch ( UsageException $e ) {
|
|
$this->assertEquals( 'notloggedin', $e->getCodeString() );
|
|
$this->assertEquals( 'Anonymous users cannot change preferences', $e->getMessage() );
|
|
return;
|
|
}
|
|
$this->fail( "UsageException was not thrown" );
|
|
}
|
|
|
|
public function testNoOptionname() {
|
|
try {
|
|
$request = $this->getSampleRequest( array( 'optionvalue' => '1' ) );
|
|
|
|
$this->executeQuery( $request );
|
|
} catch ( UsageException $e ) {
|
|
$this->assertEquals( 'nooptionname', $e->getCodeString() );
|
|
$this->assertEquals( 'The optionname parameter must be set', $e->getMessage() );
|
|
return;
|
|
}
|
|
$this->fail( "UsageException was not thrown" );
|
|
}
|
|
|
|
public function testNoChanges() {
|
|
$this->mUserMock->expects( $this->never() )
|
|
->method( 'resetOptions' );
|
|
|
|
$this->mUserMock->expects( $this->never() )
|
|
->method( 'setOption' );
|
|
|
|
$this->mUserMock->expects( $this->never() )
|
|
->method( 'saveSettings' );
|
|
|
|
try {
|
|
$request = $this->getSampleRequest();
|
|
|
|
$this->executeQuery( $request );
|
|
} catch ( UsageException $e ) {
|
|
$this->assertEquals( 'nochanges', $e->getCodeString() );
|
|
$this->assertEquals( 'No changes were requested', $e->getMessage() );
|
|
return;
|
|
}
|
|
$this->fail( "UsageException was not thrown" );
|
|
}
|
|
|
|
/**
|
|
* @group Broken
|
|
*/
|
|
public function testReset() {
|
|
$this->mUserMock->expects( $this->once() )
|
|
->method( 'resetOptions' );
|
|
|
|
$this->mUserMock->expects( $this->never() )
|
|
->method( 'setOption' );
|
|
|
|
$this->mUserMock->expects( $this->once() )
|
|
->method( 'saveSettings' );
|
|
|
|
$request = $this->getSampleRequest( array( 'reset' => '' ) );
|
|
|
|
$response = $this->executeQuery( $request );
|
|
|
|
$this->assertEquals( self::$Success, $response );
|
|
}
|
|
|
|
/**
|
|
* @group Broken
|
|
*/
|
|
public function testOptionWithValue() {
|
|
$this->mUserMock->expects( $this->never() )
|
|
->method( 'resetOptions' );
|
|
|
|
$this->mUserMock->expects( $this->once() )
|
|
->method( 'setOption' )
|
|
->with( $this->equalTo( 'name' ), $this->equalTo( 'value' ) );
|
|
|
|
$this->mUserMock->expects( $this->once() )
|
|
->method( 'saveSettings' );
|
|
|
|
$request = $this->getSampleRequest( array( 'optionname' => 'name', 'optionvalue' => 'value' ) );
|
|
|
|
$response = $this->executeQuery( $request );
|
|
|
|
$this->assertEquals( self::$Success, $response );
|
|
}
|
|
|
|
/**
|
|
* @group Broken
|
|
*/
|
|
public function testOptionResetValue() {
|
|
$this->mUserMock->expects( $this->never() )
|
|
->method( 'resetOptions' );
|
|
|
|
$this->mUserMock->expects( $this->once() )
|
|
->method( 'setOption' )
|
|
->with( $this->equalTo( 'name' ), $this->equalTo( null ) );
|
|
|
|
$this->mUserMock->expects( $this->once() )
|
|
->method( 'saveSettings' );
|
|
|
|
$request = $this->getSampleRequest( array( 'optionname' => 'name' ) );
|
|
$response = $this->executeQuery( $request );
|
|
|
|
$this->assertEquals( self::$Success, $response );
|
|
}
|
|
|
|
/**
|
|
* @group Broken
|
|
*/
|
|
public function testChange() {
|
|
$this->mUserMock->expects( $this->never() )
|
|
->method( 'resetOptions' );
|
|
|
|
$this->mUserMock->expects( $this->at( 1 ) )
|
|
->method( 'setOption' )
|
|
->with( $this->equalTo( 'willBeNull' ), $this->equalTo( null ) );
|
|
|
|
$this->mUserMock->expects( $this->at( 2 ) )
|
|
->method( 'setOption' )
|
|
->with( $this->equalTo( 'willBeEmpty' ), $this->equalTo( '' ) );
|
|
|
|
$this->mUserMock->expects( $this->at( 3 ) )
|
|
->method( 'setOption' )
|
|
->with( $this->equalTo( 'willBeHappy' ), $this->equalTo( 'Happy' ) );
|
|
|
|
$this->mUserMock->expects( $this->once() )
|
|
->method( 'saveSettings' );
|
|
|
|
$request = $this->getSampleRequest( array( 'change' => 'willBeNull|willBeEmpty=|willBeHappy=Happy' ) );
|
|
|
|
$response = $this->executeQuery( $request );
|
|
|
|
$this->assertEquals( self::$Success, $response );
|
|
}
|
|
|
|
/**
|
|
* @group Broken
|
|
*/
|
|
public function testResetChangeOption() {
|
|
$this->mUserMock->expects( $this->once() )
|
|
->method( 'resetOptions' );
|
|
|
|
$this->mUserMock->expects( $this->at( 2 ) )
|
|
->method( 'setOption' )
|
|
->with( $this->equalTo( 'willBeHappy' ), $this->equalTo( 'Happy' ) );
|
|
|
|
$this->mUserMock->expects( $this->at( 3 ) )
|
|
->method( 'setOption' )
|
|
->with( $this->equalTo( 'name' ), $this->equalTo( 'value' ) );
|
|
|
|
$this->mUserMock->expects( $this->once() )
|
|
->method( 'saveSettings' );
|
|
|
|
$args = array(
|
|
'reset' => '',
|
|
'change' => 'willBeHappy=Happy',
|
|
'optionname' => 'name',
|
|
'optionvalue' => 'value'
|
|
);
|
|
|
|
$response = $this->executeQuery( $this->getSampleRequest( $args ) );
|
|
|
|
$this->assertEquals( self::$Success, $response );
|
|
}
|
|
}
|