manuelcillero/suitedesk
manuelcillero/suitedesk
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
This repository has been archived on 2025-06-21. You can view files and clone it, but you cannot make any changes to it's state, such as pushing and creating new issues, pull requests or comments.
suitedesk/modules/securepages_prevent_hijack/securepages_prevent_hijack.test

89 lines
2.8 KiB
Text
Raw Blame History

<?php
/**
* @file
* Simpletests for securepages_prevent_hijack.
*/
class SecurepagesPreventHijackTestCase extends DrupalWebTestCase {
/**
* Implementation of getInfo().
*/
public static function getInfo() {
return array(
'name' => t('Securepages Hijack Prevention'),
'description' => t('Functional tests for Securepages Hijack Prevention.'),
'group' => t('Securepages Hijack Prevention'),
);
}
/**
* Implementation of setUp().
*/
function setUp() {
parent::setUp('securepages', 'securepages_prevent_hijack');
variable_set('securepages_enable', TRUE);
}
/**
* Make sure the login forms are using an SSL action.
*/
function testSecurepagesPreventHijackLoginAction() {
// Test that form_alter() is disabled when securepages is off.
variable_set('securepages_enable', FALSE);
$this->drupalGet('user/login');
$this->assertNoPattern('/action="https.*id="user-login"/',
t('Make sure login page action is secured.'));
$this->drupalGet('');
$this->assertNoPattern('/action="https.*id="user-login-form"/',
t('Make sure login page action is secured.'));
// Enable securepages and re-test.
variable_set('securepages_enable', TRUE);
$this->drupalGet('user/login');
$this->assertPattern('/action="https.*id="user-login"/',
t('Make sure login page action is secured.'));
$this->drupalGet('');
$this->assertPattern('/action="https.*id="user-login-form"/',
t('Make sure login page action is secured.'));
}
/**
* Test the ability to detect hijacked sessions.
*/
function testSecurepagesPreventHijackDetection() {
$user = $this->drupalCreateUser(array('access content', 'administer nodes'));
$this->drupalLogin($user);
// Check that SSL pages work normally. node/add/* is protected by default in securepages.
$this->drupalGet('node/add/page');
$this->assertResponse(200);
$this->assertIdentical(strpos($this->getUrl(), 'https'), 0, t('Verify node/add/page is secure.'));
// Force the private key to regenerate. This is a sneaky hack to invalidate the secure cookie.
variable_set('drupal_private_key', 0);
$this->drupalGet('node/add/page');
$this->assertResponse(403, t('Make sure hijacked requests are denied.'));
}
/**
* Verify that secure cookie is re-sent after a password change
*/
function testSecurepagesPreventHijackPasswordReset() {
$user = $this->drupalCreateUser(array('access content', 'administer nodes'));
$this->drupalLogin($user);
$url = 'user/'. $user->uid . '/edit';
$edit = array(
'pass[pass1]' => 'secret',
'pass[pass2]' => 'secret',
);
$this->drupalPost($url, $edit, t('Save'));
$this->drupalGet('node/add/page');
// @FIXME - this assertion fails because of this bug: http://drupal.org/node/471970
// $this->assertResponse(200);
}
}
Reference in a new issue View git blame Copy permalink