Bug #36659
Functional test sees account roles from previous test
| Field | Value | Field | Value |
|---|---|---|---|
| Status | Resolved | Start date | 2012-04-27 |
| Priority | Must have | Due date | |
| Assigned To | Robert Lemke | % Done | 100% |
| Category | Security | | |
| Target version | TYPO3 Flow Base Distribution - 1.1 beta 1 | | |
| PHP Version | 5.3 | Complexity | medium |
| Has patch | No | Affected Flow version | Git master |
Description
If testable security is used in a functional test case, a user is still authenticated with the roles of a previous test if the current test doesn't do any new authentication. This is due to a session being kept across test boundaries.
```php
/**
 * @test
 */
public function publicActionIsGrantedForAdministrator() {
	// Testable security: authenticate the "Administrator" role for this test.
	// The authenticated roles live in the session.
	$this->authenticateRoles(array('Administrator'));
	$this->restrictedController->publicAction();
}

/**
 * @test
 * @expectedException \TYPO3\FLOW3\Security\Exception\AuthenticationRequiredException
 */
public function customerActionIsDeniedForEverybody() {
	// No authentication in this test, so the call is expected to throw.
	// Because the session survives the previous test, "Administrator" is still active here.
	$this->restrictedController->customerAction();
}
```
The second test will fail because the role "Administrator" is still active. If the second test called `$this->authenticateRoles(array());` it would actually work.
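The following is an added illustration, not code from Flow or from this issue: a minimal stand-in for a session-backed security context that reproduces the leak between two tests and shows that destroying the session after each test (the remedy this issue adopts) prevents it. `LeakySession`, `SecurityContext` and `rolesSeenBySecondTest` are constructed names for this example only.

```php
<?php
// Stand-in for the real session: a static store outlives each test case
// instance, just as the session outlived test boundaries before the fix.
class LeakySession
{
    private static $store = array();

    public function putData($key, $value) { self::$store[$key] = $value; }

    public function getData($key)
    {
        return isset(self::$store[$key]) ? self::$store[$key] : NULL;
    }

    public function destroy() { self::$store = array(); }
}

// Roles are kept in the session, so they persist as long as the session does.
class SecurityContext
{
    private $session;

    public function __construct(LeakySession $session) { $this->session = $session; }

    public function authenticateRoles(array $roleNames) { $this->session->putData('roles', $roleNames); }

    public function getRoles()
    {
        $roles = $this->session->getData('roles');
        return $roles === NULL ? array() : $roles;
    }
}

// Runs the two tests from the report in order and returns the roles the
// second test observes. $destroyAfterEachTest models a tearDown() that
// destroys the session, i.e. the behaviour introduced by the fix.
function rolesSeenBySecondTest($destroyAfterEachTest)
{
    $session = new LeakySession();
    $session->destroy(); // clean slate for this simulation run

    // Test 1: publicActionIsGrantedForAdministrator
    $context = new SecurityContext($session);
    $context->authenticateRoles(array('Administrator'));
    if ($destroyAfterEachTest) { $session->destroy(); }

    // Test 2: customerActionIsDeniedForEverybody, a fresh test instance
    // but, without the destroy, the same underlying session state.
    $context = new SecurityContext(new LeakySession());
    return $context->getRoles();
}

var_dump(rolesSeenBySecondTest(FALSE)); // roles leaked from test 1
var_dump(rolesSeenBySecondTest(TRUE));  // session destroyed between tests
```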
Associated revisions
[BUGFIX] Fix MethodSecurity functional test
After #36659 was fixed, the session handling works
as expected. That means, however, that if no account
is logged in, an AuthorizationRequiredException is
thrown on trying to access a restricted method.
The tests, however, anticipated an AccessDeniedException.
Change-Id: I6a7d9f8a75a1614ba1511e538fe5aad9c4c30f1f
Related: #36626
Related: #36659
Releases: 1.1
[!!!][BUGFIX] Fix session handling in functional tests
Sessions were kept across test boundaries which had bad
side effects on, for example, authentication: previously
authenticated roles were still active during the following
test under certain circumstances.
This patch makes sure that sessions are destroyed after
each functional test.
It also introduces a previously missing parameter into the
destroy() method signature of the SessionInterface. If you
implemented your own session handler, you need to adjust the
destroy() method accordingly.
Change-Id: Ic455da8fbc79e864068874d3247d0d4ebeb8c87b
Resolves: #36659
Releases: 1.1
History
#1 Updated by Gerrit Code Review over 3 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10825
#2 Updated by Gerrit Code Review over 3 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10825
#3 Updated by Robert Lemke over 3 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 41a5fa000b9228ce43566fc92211b729dca775e3.