diff --git a/sources/Application/TwigBase/Controller/Controller.php b/sources/Application/TwigBase/Controller/Controller.php
index 326048812..256db1c79 100644
--- a/sources/Application/TwigBase/Controller/Controller.php
+++ b/sources/Application/TwigBase/Controller/Controller.php
@@ -256,6 +256,7 @@ abstract class Controller extends AbstractController
 }
 /**
+ * @since 3.0.0 N°3606 - Adapt TwigBase Controller for combodo-monitoring extension
 * @throws \Exception
 */
 protected function CheckAccess()
@@ -271,12 +272,24 @@ abstract class Controller extends AbstractController
 if (empty($sExecModule) || empty($sConfiguredAccessTokenValue)){
 LoginWebPage::DoLogin($this->m_bMustBeAdmin);
- }else {
+ } else {
 //token mode without login required
- $sPassedToken = utils::ReadParam($this->m_sAccessTokenConfigParamId, null);
- if ($sPassedToken !== $sConfiguredAccessTokenValue){
+ //N°7147 - Error HTTP 500 due to access_token not URL decoded
+ $sPassedToken = utils::ReadPostedParam($this->m_sAccessTokenConfigParamId, null, false, 'raw_data');
+ if (is_null($sPassedToken)){
+ $sPassedToken = utils::ReadParam($this->m_sAccessTokenConfigParamId, null, false, 'raw_data');
+ }
+
+ $sDecodedPassedToken = urldecode($sPassedToken);
+ var_dump([$sPassedToken, $sDecodedPassedToken]);
+ if ($sDecodedPassedToken !== $sConfiguredAccessTokenValue){
 $sMsg = "Invalid token passed under '$this->m_sAccessTokenConfigParamId' http param to reach '$sExecModule' page.";
- IssueLog::Error($sMsg);
+ IssueLog::Error($sMsg, null,
+ [
+ 'sHtmlDecodedToken' => $sDecodedPassedToken,
+ 'conf param ID' => $this->m_sAccessTokenConfigParamId
+ ]
+ );
 throw new Exception("Invalid token");
 }
 }
diff --git a/tests/php-unit-tests/unitary-tests/application/twigbase/ControllerTest.php b/tests/php-unit-tests/unitary-tests/application/twigbase/ControllerTest.php
new file mode 100644
index 000000000..9a6c82804
--- /dev/null
+++ b/tests/php-unit-tests/unitary-tests/application/twigbase/ControllerTest.php
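Review bot: The `var_dump([$sPassedToken, $sDecodedPassedToken]);` added just before the comparison in the second hunk writes the submitted access token into the HTTP response body of every token-mode request, so it must be removed before this merges. The new `IssueLog::Error` context also records the full decoded token on every failed attempt, which puts mistyped or near-miss secrets into the log; record its length (or nothing) instead. The comparison should use `hash_equals()` rather than `!==` so the check is not timing-dependent, and `urldecode($sPassedToken)` needs a guard for the case where neither `ReadPostedParam` nor `ReadParam` returns a value, since `urldecode(null)` is deprecated in PHP 8.1. Note too that PHP has already percent-decoded `$_GET`/`$_POST` before the application sees them, so unless `'raw_data'` returns the undecoded query string this decodes a second time and a configured token containing `%` or `+` would no longer match — worth confirming against `utils::ReadParam`. The enclosing `CheckAccess()` begins before this hunk.
```php
// … unchanged: ReadPostedParam / ReadParam fallback …
$sDecodedPassedToken = is_null($sPassedToken) ? '' : urldecode($sPassedToken);
// var_dump() removed: it echoed the submitted token into the response
if (!hash_equals((string)$sConfiguredAccessTokenValue, $sDecodedPassedToken)){
	// … unchanged: $sMsg …
	IssueLog::Error($sMsg, null, [
		'iTokenLength' => strlen($sDecodedPassedToken),
		'conf param ID' => $this->m_sAccessTokenConfigParamId,
	]);
	throw new Exception("Invalid token");
}
```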
@@ -0,0 +1,75 @@ +RequireOnceUnitTestFile('FakeController.php'); + } + + public function CheckAccessProvider() { + return [ + 'simple token access OK' => [ + 'access_token' => 'toto123', + 'http_access_token' => 'toto123', + 'bSuccess' => true, + ], + 'simple token access OK sent by POST' => [ + 'access_token' => 'toto123', + 'http_access_token' => 'toto123', + 'bSuccess' => true, + 'bPost' => true, + ], + 'simple token access FAILED' => [ + 'access_token' => 'toto123', + 'http_access_token' => 'toto124', + 'bSuccess' => false, + ], + 'url encoded token access OK' => [ + 'access_token' => 'rfb4j"E?7}-ZJq4T^B*26pk8{;zxem', + 'http_access_token' => 'rfb4j%22E%3F7%7D-ZJq4T%5EB%2A26pk8%7B%3Bzxem', + 'bSuccess' => true, + ], + ]; + } + + /** + * Fix N°7147 + * @dataProvider CheckAccessProvider + */ + public function testCheckAccess($sConfiguredAccessToken, $sHttpAccessToken, $bSuccess, $bPost=false){ + $sModuleName = "MyModule"; + $sTokenParamName = "access_token_conf_param"; + + $_SESSION = []; + $_POST = []; + $_REQUEST = []; + + $_REQUEST['exec_module'] = $sModuleName; + if ($bPost){ + $_POST[$sTokenParamName] = $sHttpAccessToken; + } else { + $_REQUEST[$sTokenParamName] = $sHttpAccessToken; + } + + $oController = new FakeController(); + $oController->SetAccessTokenConfigParamId($sTokenParamName); + + MetaModel::GetConfig()->SetModuleSetting($sModuleName, $sTokenParamName, $sConfiguredAccessToken); + + if (! $bSuccess){ + $this->expectExceptionMessage("Invalid token"); + } + + $this->InvokeNonPublicMethod(FakeController::class, "CheckAccess", $oController); + + if ($bSuccess){ + $this->assertTrue(true, "no issue encountered"); + } + } +} diff --git a/tests/php-unit-tests/unitary-tests/application/twigbase/FakeController.php b/tests/php-unit-tests/unitary-tests/application/twigbase/FakeController.php new file mode 100644 index 000000000..262e0d8dd --- /dev/null +++ b/tests/php-unit-tests/unitary-tests/application/twigbase/FakeController.php @@ -0,0 +1,5 @@ +
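Review bot: The 'url encoded token access OK' dataset writes the still-percent-encoded string straight into `$_REQUEST`, which models a client that encoded the token twice, since PHP has already decoded query and form parameters by the time `$_REQUEST` is populated; if that double-encoding is the N°7147 scenario, name it in the dataset key or a comment so the fixture is not mistaken for ordinary URL encoding. There is no dataset for a missing token (neither `$_POST` nor `$_REQUEST` set), which is the path that reaches `urldecode(null)` and should be pinned to throw "Invalid token". `$this->assertTrue(true, "no issue encountered")` on the success path is a no-op; `$this->expectNotToPerformAssertions();` before the call states the intent honestly. The `setUp()` that opens this hunk is only partially visible here.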