Merge pull request #336 from magento-extensibility/develop

He, Joan(johe) · He, Joan(johe) · commit aeaaec58eca3 · 2015-06-02T16:13:05.000-05:00
[Extensibility] Sprint 52
diff --git a/app/code/Magento/Backend/App/AbstractAction.php b/app/code/Magento/Backend/App/AbstractAction.php
@@ -22,6 +22,11 @@ abstract class AbstractAction extends \Magento\Framework\App\Action\Action
      */
     const SESSION_NAMESPACE = 'adminhtml';
 
+    /**
+     * Authorization level of a basic admin session
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::admin';
+
     /**
      * Array of actions which can be processed without secret key validation
      *
@@ -97,7 +102,7 @@ public function __construct(Action\Context $context)
      */
     protected function _isAllowed()
     {
-        return true;
+        return $this->_authorization->isAllowed(self::ADMIN_RESOURCE);
     }
 
     /**
@@ -228,14 +233,10 @@ public function dispatch(\Magento\Framework\App\RequestInterface $request)
      */
     protected function _isUrlChecked()
     {
-        return !$this->_actionFlag->get(
-            '',
-            self::FLAG_IS_URLS_CHECKED
-        ) && !$this->getRequest()->getParam(
-            'forwarded'
-        ) && !$this->_getSession()->getIsUrlNotice(
-            true
-        ) && !$this->_canUseBaseUrl;
+        return !$this->_actionFlag->get('', self::FLAG_IS_URLS_CHECKED)
+        && !$this->getRequest()->isForwarded()
+        && !$this->_getSession()->getIsUrlNotice(true)
+        && !$this->_canUseBaseUrl;
     }
 
     /**
diff --git a/app/code/Magento/Backend/App/Action/Plugin/Authentication.php b/app/code/Magento/Backend/App/Action/Plugin/Authentication.php
@@ -147,46 +147,25 @@ protected function _processNotLoggedInUser(\Magento\Framework\App\RequestInterfa
         if ($request->getPost('login') && $this->_performLogin($request)) {
             $isRedirectNeeded = $this->_redirectIfNeededAfterLogin($request);
         }
-        if (!$isRedirectNeeded && !$request->getParam('forwarded')) {
+        if (!$isRedirectNeeded && !$request->isForwarded()) {
             if ($request->getParam('isIframe')) {
-                $request->setParam(
-                    'forwarded',
-                    true
-                )->setRouteName(
-                    'adminhtml'
-                )->setControllerName(
-                    'auth'
-                )->setActionName(
-                    'deniedIframe'
-                )->setDispatched(
-                    false
-                );
+                $request->setForwarded(true)
+                    ->setRouteName('adminhtml')
+                    ->setControllerName('auth')
+                    ->setActionName('deniedIframe')
+                    ->setDispatched(false);
             } elseif ($request->getParam('isAjax')) {
-                $request->setParam(
-                    'forwarded',
-                    true
-                )->setRouteName(
-                    'adminhtml'
-                )->setControllerName(
-                    'auth'
-                )->setActionName(
-                    'deniedJson'
-                )->setDispatched(
-                    false
-                );
+                $request->setForwarded(true)
+                    ->setRouteName('adminhtml')
+                    ->setControllerName('auth')
+                    ->setActionName('deniedJson')
+                    ->setDispatched(false);
             } else {
-                $request->setParam(
-                    'forwarded',
-                    true
-                )->setRouteName(
-                    'adminhtml'
-                )->setControllerName(
-                    'auth'
-                )->setActionName(
-                    'login'
-                )->setDispatched(
-                    false
-                );
+                $request->setForwarded(true)
+                    ->setRouteName('adminhtml')
+                    ->setControllerName('auth')
+                    ->setActionName('login')
+                    ->setDispatched(false);
             }
         }
     }
diff --git a/app/code/Magento/Backend/Test/Unit/App/Action/Plugin/AuthenticationTest.php b/app/code/Magento/Backend/Test/Unit/App/Action/Plugin/AuthenticationTest.php
@@ -84,4 +84,78 @@ public function testAroundDispatchProlongStorage()
 
         $this->assertEquals($expectedResult, $this->plugin->aroundDispatch($subject, $proceed, $request));
     }
+
+    /**
+     * Calls aroundDispatch to access protected method _processNotLoggedInUser
+     *
+     * Data provider supplies different possibilities of request parameters and properties
+     * @dataProvider processNotLoggedInUserDataProvider
+     */
+    public function testProcessNotLoggedInUser($isIFrameParam, $isAjaxParam, $isForwardedFlag)
+    {
+        $subject = $this->getMockBuilder('Magento\Backend\Controller\Adminhtml\Index')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $request = $this->getMockBuilder('Magento\Framework\App\Request\Http')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $storage = $this->getMockBuilder('Magento\Backend\Model\Auth\Session')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        // Stubs to control the flow of execution in aroundDispatch
+        $this->auth->expects($this->any())->method('getAuthStorage')->will($this->returnValue($storage));
+        $request->expects($this->once())->method('getActionName')->will($this->returnValue('non/open/action/name'));
+        $this->auth->expects($this->any())->method('getUser')->willReturn(false);
+        $this->auth->expects($this->once())->method('isLoggedIn')->will($this->returnValue(false));
+        $request->expects($this->any())->method('getPost')->willReturn(false);
+
+        // Test cases and expectations based on provided data
+        $request->expects($this->once())->method('isForwarded')->willReturn($isForwardedFlag);
+        $getParamCalls = 0;
+        $actionName = '';
+
+        // If forwarded flag is set, getParam never gets called
+        if (!$isForwardedFlag) {
+            if ($isIFrameParam) {
+                $getParamCalls = 1;
+                $actionName = 'deniedIframe';
+            } else if ($isAjaxParam) {
+                $getParamCalls = 2;
+                $actionName = 'deniedJson';
+            } else {
+                $getParamCalls = 2;
+                $actionName = 'login';
+            }
+        }
+
+        $requestParams = [
+            ['isIframe', null, $isIFrameParam],
+            ['isAjax', null, $isAjaxParam]
+        ];
+
+        $setterCalls = $isForwardedFlag ? 0 : 1;
+        $request->expects($this->exactly($getParamCalls))->method('getParam')->willReturnMap($requestParams);
+        $request->expects($this->exactly($setterCalls))->method('setForwarded')->with(true)->willReturnSelf();
+        $request->expects($this->exactly($setterCalls))->method('setRouteName')->with('adminhtml')->willReturnSelf();
+        $request->expects($this->exactly($setterCalls))->method('setControllerName')->with('auth')->willReturnSelf();
+        $request->expects($this->exactly($setterCalls))->method('setActionName')->with($actionName)->willReturnSelf();
+        $request->expects($this->exactly($setterCalls))->method('setDispatched')->with(false)->willReturnSelf();
+
+        $expectedResult = 'expectedResult';
+        $proceed = function ($request) use ($expectedResult) {
+            return $expectedResult;
+        };
+        $this->assertEquals($expectedResult, $this->plugin->aroundDispatch($subject, $proceed, $request));
+    }
+
+    public function processNotLoggedInUserDataProvider()
+    {
+        return [
+            'iFrame' => [true, false, false],
+            'Ajax' => [false, true, false],
+            'Neither iFrame nor Ajax' => [false, false, false],
+            'Forwarded request' => [true, true, true]
+        ];
+    }
 }
diff --git a/app/code/Magento/Captcha/Controller/Adminhtml/Refresh/Refresh.php b/app/code/Magento/Captcha/Controller/Adminhtml/Refresh/Refresh.php
@@ -27,4 +27,14 @@ public function execute()
         $this->getResponse()->representJson(json_encode(['imgSrc' => $captchaModel->getImgSrc()]));
         $this->_actionFlag->set('', self::FLAG_NO_POST_DISPATCH, true);
     }
+
+    /**
+     * Check if user has permissions to access this controller
+     *
+     * @return bool
+     */
+    protected function _isAllowed()
+    {
+        return true;
+    }
 }
diff --git a/lib/internal/Magento/Framework/App/Test/Unit/Config/_files/invalidRoutesXmlArray.php b/lib/internal/Magento/Framework/App/Test/Unit/Config/_files/invalidRoutesXmlArray.php
@@ -98,7 +98,7 @@
         '</route></router></config>',
         [
             "Element 'route', attribute 'id': [facet 'pattern'] The value 'dc' is not accepted by the " .
-            "pattern '[A-Za-z_]{3,}'.",
+            "pattern '[A-Za-z0-9_]{3,}'.",
             "Element 'route', attribute 'id': 'dc' is not a valid value of the atomic type 'routeIdType'.",
             "Element 'route', attribute 'id': Warning: No precomputed value available, the value was either " .
             "invalid or something strange happend."
diff --git a/lib/internal/Magento/Framework/App/etc/routes.xsd b/lib/internal/Magento/Framework/App/etc/routes.xsd
@@ -92,7 +92,7 @@
             </xs:documentation>
         </xs:annotation>
         <xs:restriction base="xs:string">
-            <xs:pattern value="[A-Za-z_]{3,}" />
+            <xs:pattern value="[A-Za-z0-9_]{3,}" />
         </xs:restriction>
     </xs:simpleType>
 
diff --git a/lib/internal/Magento/Framework/App/etc/routes_merged.xsd b/lib/internal/Magento/Framework/App/etc/routes_merged.xsd
@@ -92,7 +92,7 @@
             </xs:documentation>
         </xs:annotation>
         <xs:restriction base="xs:string">
-            <xs:pattern value="[A-Za-z_]{3,}" />
+            <xs:pattern value="[A-Za-z0-9_]{3,}" />
         </xs:restriction>
     </xs:simpleType>
 
diff --git a/lib/internal/Magento/Framework/Data/Collection/Filesystem.php b/lib/internal/Magento/Framework/Data/Collection/Filesystem.php
@@ -698,7 +698,10 @@ public function getAllIds()
      */
     public function filterCallbackLike($field, $filterValue, $row)
     {
-        $filterValueRegex = str_replace('%', '(.*?)', str_replace('\'', '', preg_quote($filterValue, '/')));
+        $filterValue = trim(stripslashes($filterValue), '\'');
+        $filterValue = trim($filterValue, '%');
+        $filterValueRegex = '(.*?)' . preg_quote($filterValue, '/') . '(.*?)';
+
         return (bool)preg_match("/^{$filterValueRegex}\$/i", $row[$field]);
     }
 
diff --git a/lib/internal/Magento/Framework/Data/Test/Unit/Collection/FilesystemTest.php b/lib/internal/Magento/Framework/Data/Test/Unit/Collection/FilesystemTest.php
@@ -17,14 +17,67 @@ public function setUp()
         $this->model = $objectManager->getObject('Magento\Framework\Data\Collection\Filesystem');
     }
 
-    public function testFilterCallbackLike()
+    /**
+     * @param $field
+     * @param $filterValue
+     * @param $row
+     * @param $expected
+     *
+     * @dataProvider testFilterCallbackLikeDataProvider
+     */
+    public function testFilterCallbackLike($field, $filterValue, $row, $expected)
     {
-        $field = 'field';
-        $row = [$field => 'beginning_filter_target_end',];
-        $filterValueSuccess = new \Zend_Db_Expr('%filter_target%');
-        $filterValueFailure = new \Zend_Db_Expr('%not_found_in_the_row%');
+        $filterValue = new \Zend_Db_Expr($filterValue);
 
-        $this->assertTrue($this->model->filterCallbackLike($field, $filterValueSuccess, $row));
-        $this->assertFalse($this->model->filterCallbackLike($field, $filterValueFailure, $row));
+        $this->assertEquals($expected, $this->model->filterCallbackLike($field, $filterValue, $row));
+    }
+
+    /**
+     * @return array
+     */
+    public function testFilterCallbackLikeDataProvider()
+    {
+        $field     = 'field';
+        $testValue = '\'\'\'test\'\'\'Filter\'\'\'Value\'\'\'';
+        return [
+            [$field, '\'%test%\'', [$field => $testValue,], true],
+            [$field, '%\'test%', [$field => $testValue,], true],
+            [$field, '%\'test\'%', [$field => $testValue,], true],
+            [$field, '%\'\'test%', [$field => $testValue,], true],
+            [$field, '%\'\'test\'\'%', [$field => $testValue,], true],
+            [$field, '%\'\'\'test%', [$field => $testValue,], true],
+            [$field, '%\'\'\'test\'\'\'%', [$field => $testValue,], true],
+            [$field, '%\'\'\'\'test%', [$field => $testValue,], false],
+
+            [$field, '\'%Value%\'', [$field => $testValue,], true],
+            [$field, '%Value\'%', [$field => $testValue,], true],
+            [$field, '%\'Value\'%', [$field => $testValue,], true],
+            [$field, '%Value\'\'%', [$field => $testValue,], true],
+            [$field, '%\'\'Value\'\'%', [$field => $testValue,], true],
+            [$field, '%Value\'\'\'%', [$field => $testValue,], true],
+            [$field, '%\'\'\'Value\'\'\'%', [$field => $testValue,], true],
+            [$field, '%Value%\'\'\'\'%', [$field => $testValue,], false],
+
+            [$field, '\'%\'\'\'test\'\'\'Filter\'\'\'Value\'\'\'%\'', [$field => $testValue,], true],
+            [$field, '\'\'\'%\'\'\'test\'\'\'Filter\'\'\'Value\'\'\'%\'\'\'', [$field => $testValue,], true],
+            [$field, '%test\'\'\'Filter\'\'\'Value%', [$field => $testValue,], true],
+            [$field, '%test\'\'\'Filter\'\'\'Value\'\'\'%', [$field => $testValue,], true],
+            [$field, '%\'\'\'test\'\'\'Filter\'\'\'Value%', [$field => $testValue,], true],
+            [$field, '%\'\'\'Filter\'\'\'Value\'\'\'%', [$field => $testValue,], true],
+            [$field, '%Filter\'\'\'Value\'\'\'%', [$field => $testValue,], true],
+            [$field, '%\'\'\'Filter\'\'\'Value%', [$field => $testValue,], true],
+            [$field, '%Filter\'\'\'Value%', [$field => $testValue,], true],
+            [$field, '%Filter\'\'\'\'Value%', [$field => $testValue,], false],
+
+            [$field, '\'%\'\'\'Filter\'\'\'%\'', [$field => $testValue,], true],
+            [$field, '%Filter\'\'\'%', [$field => $testValue,], true],
+            [$field, '%\'\'\'Filter%', [$field => $testValue,], true],
+            [$field, '%\'Filter%', [$field => $testValue,], true],
+            [$field, '%Filter\'%', [$field => $testValue,], true],
+            [$field, '%Filter%', [$field => $testValue,], true],
+            [$field, '%Filter\'\'\'\'%', [$field => $testValue,], false],
+
+            [$field, '\'%no_match_value%\'', [$field => $testValue,], false],
+        ];
     }
 }
diff --git a/lib/internal/Magento/Framework/HTTP/PhpEnvironment/Request.php b/lib/internal/Magento/Framework/HTTP/PhpEnvironment/Request.php
@@ -67,6 +67,12 @@ class Request extends \Zend\Http\PhpEnvironment\Request
      */
     protected $dispatched = false;
 
+    /**
+     * Flag for whether the request is forwarded or not
+     *
+     * @var bool
+     */
+    protected $forwarded;
 
     /**
      * @var CookieReaderInterface
@@ -690,4 +696,24 @@ public function getBaseUrl()
         $url = str_replace('\\', '/', $url);
         return $url;
     }
+
+    /**
+     * @return bool
+     * @codeCoverageIgnore
+     */
+    public function isForwarded()
+    {
+        return $this->forwarded;
+    }
+
+    /**
+     * @param bool $forwarded
+     * @return $this
+     * @codeCoverageIgnore
+     */
+    public function setForwarded($forwarded)
+    {
+        $this->forwarded = $forwarded;
+        return $this;
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@`
`98`	`98`	`'</route></router></config>',`
`99`	`99`	`[`
`100`	`100`	`"Element 'route', attribute 'id': [facet 'pattern'] The value 'dc' is not accepted by the " .`
`101`		`- "pattern '[A-Za-z_]{3,}'.",`
	`101`	`+ "pattern '[A-Za-z0-9_]{3,}'.",`
`102`	`102`	`"Element 'route', attribute 'id': 'dc' is not a valid value of the atomic type 'routeIdType'.",`
`103`	`103`	`"Element 'route', attribute 'id': Warning: No precomputed value available, the value was either " .`
`104`	`104`	`"invalid or something strange happend."`
Original file line number	Diff line number	Diff line change
`@@ -698,7 +698,10 @@ public function getAllIds()`
`698`	`698`	`*/`
`699`	`699`	`public function filterCallbackLike($field, $filterValue, $row)`
`700`	`700`	`{`
`701`		`- $filterValueRegex = str_replace('%', '(.*?)', str_replace('\'', '', preg_quote($filterValue, '/')));`
	`701`	`+ $filterValue = trim(stripslashes($filterValue), '\'');`
	`702`	`+ $filterValue = trim($filterValue, '%');`
	`703`	`+ $filterValueRegex = '(.?)' . preg_quote($filterValue, '/') . '(.?)';`
	`704`	`+`
`702`	`705`	`return (bool)preg_match("/^{$filterValueRegex}\$/i", $row[$field]);`
`703`	`706`	`}`
`704`	`707`