summaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php36
1 files changed, 35 insertions, 1 deletions
diff --git a/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
index f3c1f7934ef..986d0e577b7 100644
--- a/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
@@ -123,10 +123,12 @@ class CORSMiddlewareTest extends \Test\TestCase {
}
/**
+ * CORS must not be enforced for anonymous users on public pages
+ *
* @CORS
* @PublicPage
*/
- public function testNoCORSShouldAllowCookieAuth() {
+ public function testNoCORSOnAnonymousPublicPage() {
$request = new Request(
[],
$this->createMock(IRequestId::class),
@@ -134,6 +136,9 @@ class CORSMiddlewareTest extends \Test\TestCase {
);
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
+ $this->session->expects($this->once())
+ ->method('isLoggedIn')
+ ->willReturn(false);
$this->session->expects($this->never())
->method('logout');
$this->session->expects($this->never())
@@ -146,6 +151,35 @@ class CORSMiddlewareTest extends \Test\TestCase {
}
/**
+ * Even on public pages users logged in using session cookies,
+ * that do not provide a valid CSRF token are disallowed
+ *
+ * @CORS
+ * @PublicPage
+ */
+ public function testCORSShouldNeverAllowCookieAuth() {
+ $request = new Request(
+ [],
+ $this->createMock(IRequestId::class),
+ $this->createMock(IConfig::class)
+ );
+ $this->reflector->reflect($this, __FUNCTION__);
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
+ $this->session->expects($this->once())
+ ->method('isLoggedIn')
+ ->willReturn(true);
+ $this->session->expects($this->once())
+ ->method('logout');
+ $this->session->expects($this->never())
+ ->method('logClientIn')
+ ->with($this->equalTo('user'), $this->equalTo('pass'))
+ ->willReturn(true);
+
+ $this->expectException(SecurityException::class);
+ $middleware->beforeController($this->controller, __FUNCTION__);
+ }
+
+ /**
* @CORS
*/
public function testCORSShouldRelogin() {
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-23 17:30:41 +0000