fix: scope csrf fields and block past dates
This commit is contained in:
@@ -2,6 +2,12 @@
|
||||
declare(strict_types=1);
|
||||
|
||||
require_once PLUGIN_ROOT . '/exec/lib/CsrfGuard.php';
|
||||
require_once PLUGIN_ROOT . '/exec/lib/Settings.php';
|
||||
require_once PLUGIN_ROOT . '/exec/lib/Lang.php';
|
||||
require_once PLUGIN_ROOT . '/exec/lib/DirectAdminUser.php';
|
||||
require_once PLUGIN_ROOT . '/exec/lib/RuleRepository.php';
|
||||
require_once PLUGIN_ROOT . '/exec/lib/AuditLog.php';
|
||||
require_once PLUGIN_ROOT . '/exec/lib/AppContext.php';
|
||||
|
||||
test('csrf token is bound to user session action and time', function (): void {
|
||||
$guard = new CsrfGuard('secret', 'alice', 'session-1');
|
||||
@@ -13,3 +19,21 @@ test('csrf token is bound to user session action and time', function (): void {
|
||||
assert_false($guard->validate('create', (string)($issued['ts'] - 7200), $issued['token'], 3600, 'session-1'));
|
||||
assert_false($guard->validate('create', 'bad', $issued['token'], 3600, 'session-1'));
|
||||
});
|
||||
|
||||
test('csrf form fields use plugin scoped names to avoid directadmin token collisions', function (): void {
|
||||
$settings = Settings::load(TEST_TMP . '/missing-csrf-form.conf');
|
||||
$ctx = new AppContext(
|
||||
new DirectAdminUser('alice', 'enhanced', 'pl', TEST_TMP . '/config'),
|
||||
$settings,
|
||||
new RuleRepository(TEST_TMP . '/data'),
|
||||
new CsrfGuard('secret', 'alice', 'sid'),
|
||||
Lang::load('pl', $settings),
|
||||
new AuditLog(TEST_TMP . '/audit.log')
|
||||
);
|
||||
|
||||
$html = $ctx->csrfField('create');
|
||||
assert_contains('name="gar_csrf_ts"', $html);
|
||||
assert_contains('name="gar_csrf_sid"', $html);
|
||||
assert_contains('name="gar_csrf_token"', $html);
|
||||
assert_false(str_contains($html, 'name="csrf_token"'));
|
||||
});
|
||||
|
||||
@@ -119,6 +119,24 @@ test('calendar picker is based on selected rule month and supports month navigat
|
||||
assert_false(strpos($html, 'Czerwiec 2026') !== false);
|
||||
});
|
||||
|
||||
test('calendar picker disables dates before today', function (): void {
|
||||
$settingsPath = TEST_TMP . '/form-calendar-min.conf';
|
||||
test_write($settingsPath, "DEFAULT_PLUGIN_LANGUAGE=pl\nGLOBAL_AUTORESPONDER_BACKEND=exim\n");
|
||||
$settings = Settings::load($settingsPath);
|
||||
$ctx = new AppContext(
|
||||
new DirectAdminUser('alice', 'enhanced', 'pl', TEST_TMP . '/config'),
|
||||
$settings,
|
||||
new RuleRepository(TEST_TMP . '/data'),
|
||||
new CsrfGuard('secret', 'alice', 'sid'),
|
||||
Lang::load('pl', $settings),
|
||||
new AuditLog(TEST_TMP . '/audit.log')
|
||||
);
|
||||
|
||||
$html = render_calendar_picker($ctx, 'start_value', $ctx->t('Start date'), '2000-01-15T09:00');
|
||||
assert_contains('br-cal-day-disabled', $html);
|
||||
assert_false(str_contains($html, 'data-date-value="2000-01-15"'), 'Past dates must not be clickable');
|
||||
});
|
||||
|
||||
test('rule form localizes calendar and preview labels without translating user content globally', function (): void {
|
||||
$settingsPath = TEST_TMP . '/form-i18n.conf';
|
||||
test_write($settingsPath, "DEFAULT_PLUGIN_LANGUAGE=en\nGLOBAL_AUTORESPONDER_BACKEND=exim\n");
|
||||
|
||||
@@ -75,3 +75,26 @@ test('rule validator rejects unsupported response frequency', function (): void
|
||||
}
|
||||
throw new RuntimeException('Expected invalid frequency to fail');
|
||||
});
|
||||
|
||||
test('rule validator rejects start date before current date', function (): void {
|
||||
$settingsPath = TEST_TMP . '/validator-past.conf';
|
||||
test_write($settingsPath, "GLOBAL_AUTORESPONDER_TIMEZONE=Europe/Warsaw\nGLOBAL_AUTORESPONDER_BACKEND=exim\n");
|
||||
$settings = Settings::load($settingsPath);
|
||||
$tz = new DateTimeZone($settings->timezone());
|
||||
$yesterday = (new DateTimeImmutable('yesterday', $tz))->format('Y-m-d');
|
||||
$tomorrow = (new DateTimeImmutable('tomorrow', $tz))->format('Y-m-d');
|
||||
|
||||
try {
|
||||
RuleValidator::validate([
|
||||
'subject_prefix' => 'Urlop',
|
||||
'reply_frequency' => '1440',
|
||||
'body' => 'Body',
|
||||
'start_value' => $yesterday . 'T09:00',
|
||||
'end_value' => $tomorrow . 'T17:00',
|
||||
], $settings);
|
||||
} catch (InvalidArgumentException $e) {
|
||||
assert_contains('wcześniejsza niż aktualna', $e->getMessage());
|
||||
return;
|
||||
}
|
||||
throw new RuntimeException('Expected past start date to fail');
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user