Merge branch 'MAGETWO-36837-authentication-bypass' into develop

Dale Sikkema · Dale Sikkema · commit f09d326462c2 · 2015-05-28T16:37:03.000-05:00
diff --git a/app/code/Magento/Backend/App/AbstractAction.php b/app/code/Magento/Backend/App/AbstractAction.php
@@ -22,6 +22,11 @@ abstract class AbstractAction extends \Magento\Framework\App\Action\Action
      */
     const SESSION_NAMESPACE = 'adminhtml';
 
+    /**
+     * Authorization level of a basic admin session
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::admin';
+
     /**
      * Array of actions which can be processed without secret key validation
      *
@@ -76,10 +81,17 @@ abstract class AbstractAction extends \Magento\Framework\App\Action\Action
      */
     protected $_formKeyValidator;
 
+    /**
+     * Resource used to authorize access to the controller
+     *
+     * @var string
+     */
+    protected $resource;
+
     /**
      * @param \Magento\Backend\App\Action\Context $context
      */
-    public function __construct(Action\Context $context)
+    public function __construct(Action\Context $context, $resource = '')
     {
         parent::__construct($context);
         $this->_authorization = $context->getAuthorization();
@@ -97,7 +109,7 @@ public function __construct(Action\Context $context)
      */
     protected function _isAllowed()
     {
-        return true;
+        return $this->_authorization->isAllowed($this->resource ?: self::ADMIN_RESOURCE);
     }
 
     /**
@@ -228,14 +240,10 @@ public function dispatch(\Magento\Framework\App\RequestInterface $request)
      */
     protected function _isUrlChecked()
     {
-        return !$this->_actionFlag->get(
-            '',
-            self::FLAG_IS_URLS_CHECKED
-        ) && !$this->getRequest()->getParam(
-            'forwarded'
-        ) && !$this->_getSession()->getIsUrlNotice(
-            true
-        ) && !$this->_canUseBaseUrl;
+        return !$this->_actionFlag->get('', self::FLAG_IS_URLS_CHECKED)
+        && !$this->getRequest()->isForwarded()
+        && !$this->_getSession()->getIsUrlNotice(true)
+        && !$this->_canUseBaseUrl;
     }
 
     /**
diff --git a/app/code/Magento/Backend/App/Action/Plugin/Authentication.php b/app/code/Magento/Backend/App/Action/Plugin/Authentication.php
@@ -147,46 +147,25 @@ protected function _processNotLoggedInUser(\Magento\Framework\App\RequestInterfa
         if ($request->getPost('login') && $this->_performLogin($request)) {
             $isRedirectNeeded = $this->_redirectIfNeededAfterLogin($request);
         }
-        if (!$isRedirectNeeded && !$request->getParam('forwarded')) {
+        if (!$isRedirectNeeded && !$request->isForwarded()) {
             if ($request->getParam('isIframe')) {
-                $request->setParam(
-                    'forwarded',
-                    true
-                )->setRouteName(
-                    'adminhtml'
-                )->setControllerName(
-                    'auth'
-                )->setActionName(
-                    'deniedIframe'
-                )->setDispatched(
-                    false
-                );
+                $request->setForwarded(true)
+                    ->setRouteName('adminhtml')
+                    ->setControllerName('auth')
+                    ->setActionName('deniedIframe')
+                    ->setDispatched(false);
             } elseif ($request->getParam('isAjax')) {
-                $request->setParam(
-                    'forwarded',
-                    true
-                )->setRouteName(
-                    'adminhtml'
-                )->setControllerName(
-                    'auth'
-                )->setActionName(
-                    'deniedJson'
-                )->setDispatched(
-                    false
-                );
+                $request->setForwarded(true)
+                    ->setRouteName('adminhtml')
+                    ->setControllerName('auth')
+                    ->setActionName('deniedJson')
+                    ->setDispatched(false);
             } else {
-                $request->setParam(
-                    'forwarded',
-                    true
-                )->setRouteName(
-                    'adminhtml'
-                )->setControllerName(
-                    'auth'
-                )->setActionName(
-                    'login'
-                )->setDispatched(
-                    false
-                );
+                $request->setForwarded(true)
+                    ->setRouteName('adminhtml')
+                    ->setControllerName('auth')
+                    ->setActionName('login')
+                    ->setDispatched(false);
             }
         }
     }
diff --git a/app/code/Magento/Backend/Test/Unit/App/Action/Plugin/AuthenticationTest.php b/app/code/Magento/Backend/Test/Unit/App/Action/Plugin/AuthenticationTest.php
@@ -84,4 +84,79 @@ public function testAroundDispatchProlongStorage()
 
         $this->assertEquals($expectedResult, $this->plugin->aroundDispatch($subject, $proceed, $request));
     }
+
+    /**
+     * Calls aroundDispatch to access protected method _processNotLoggedInUser
+     *
+     * Data provider supplies different possibilities of request parameters and properties
+     * @dataProvider userNotLoggedInRequest
+     */
+    public function testProcessNotLoggedInUser($isIFrameParam, $isAjaxParam, $isForwardedFlag)
+    {
+        $subject = $this->getMockBuilder('Magento\Backend\Controller\Adminhtml\Index')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $request = $this->getMockBuilder('Magento\Framework\App\Request\Http')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $storage = $this->getMockBuilder('Magento\Backend\Model\Auth\Session')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        // Stubs to control the flow of execution in aroundDispatch
+        $this->auth->expects($this->any())->method('getAuthStorage')->will($this->returnValue($storage));
+        $request->expects($this->once())->method('getActionName')->will($this->returnValue('non/open/action/name'));
+        $this->auth->expects($this->any())->method('getUser')->willReturn(false);
+        $this->auth->expects($this->once())->method('isLoggedIn')->will($this->returnValue(false));
+        $request->expects($this->any())->method('getPost')->willReturn(false);
+
+        // Test cases and expectations based on provided data
+        $request->expects($this->once())->method('isForwarded')->willReturn($isForwardedFlag);
+        $getParamCalls = 0;
+        $actionName = '';
+
+        // If forwarded flag is set, getParam never gets called
+        if (!$isForwardedFlag) {
+            if ($isIFrameParam) {
+                $getParamCalls = 1;
+                $actionName = 'deniedIframe';
+            } else if ($isAjaxParam) {
+                $getParamCalls = 2;
+                $actionName = 'deniedJson';
+            } else {
+                $getParamCalls = 2;
+                $actionName = 'login';
+            }
+        }
+
+        $requestParams = [
+            ['isIframe', null, $isIFrameParam],
+            ['isAjax', null, $isAjaxParam]
+        ];
+
+        $setterCalls = $isForwardedFlag ? 0 : 1;
+        $request->expects($this->exactly($getParamCalls))->method('getParam')->willReturnMap($requestParams);
+        $request->expects($this->exactly($setterCalls))->method('setForwarded')->with(true)->willReturnSelf();
+        $request->expects($this->exactly($setterCalls))->method('setRouteName')->with('adminhtml')->willReturnSelf();
+        $request->expects($this->exactly($setterCalls))->method('setControllerName')->with('auth')->willReturnSelf();
+        $request->expects($this->exactly($setterCalls))->method('setActionName')->with($actionName)->willReturnSelf();
+        $request->expects($this->exactly($setterCalls))->method('setDispatched')->with(false)->willReturnSelf();
+
+        $expectedResult = 'expectedResult';
+        $proceed = function ($request) use ($expectedResult)
+        {
+            return $expectedResult;
+        };
+        $this->assertEquals($expectedResult, $this->plugin->aroundDispatch($subject, $proceed, $request));
+    }
+
+    public function userNotLoggedInRequest()
+    {
+        return [
+            'iFrame' => [true, false, false],
+            'Ajax' => [false, true, false],
+            'Neither iFrame nor Ajax' => [false, false, false],
+            'Forwarded request' => [true, true, true]
+        ];
+    }
 }
diff --git a/app/code/Magento/Captcha/Controller/Adminhtml/Refresh/Refresh.php b/app/code/Magento/Captcha/Controller/Adminhtml/Refresh/Refresh.php
@@ -27,4 +27,14 @@ public function execute()
         $this->getResponse()->representJson(json_encode(['imgSrc' => $captchaModel->getImgSrc()]));
         $this->_actionFlag->set('', self::FLAG_NO_POST_DISPATCH, true);
     }
+
+    /**
+     * Check if user has permissions to access this controller
+     *
+     * @return bool
+     */
+    protected function _isAllowed()
+    {
+        return true;
+    }
 }
diff --git a/lib/internal/Magento/Framework/HTTP/PhpEnvironment/Request.php b/lib/internal/Magento/Framework/HTTP/PhpEnvironment/Request.php
@@ -67,6 +67,12 @@ class Request extends \Zend\Http\PhpEnvironment\Request
      */
     protected $dispatched = false;
 
+    /**
+     * Flag for whether the request is forwarded or not
+     *
+     * @var bool
+     */
+    protected $forwarded;
 
     /**
      * @var CookieReaderInterface
@@ -690,4 +696,24 @@ public function getBaseUrl()
         $url = str_replace('\\', '/', $url);
         return $url;
     }
+
+    /**
+     * @return bool
+     * @codeCoverageIgnore
+     */
+    public function isForwarded()
+    {
+        return $this->forwarded;
+    }
+
+    /**
+     * @param bool $forwarded
+     * @return $this
+     * @codeCoverageIgnore
+     */
+    public function setForwarded($forwarded)
+    {
+        $this->forwarded = $forwarded;
+        return $this;
+    }
 }
