3
* Gallery - a web based photo album viewer and editor
4
* Copyright (C) 2000-2007 Bharat Mediratta
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or (at
9
* your option) any later version.
11
* This program is distributed in the hope that it will be useful, but
12
* WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14
* General Public License for more details.
16
* You should have received a copy of the GNU General Public License
17
* along with this program; if not, write to the Free Software
18
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
22
* EditComment controller tests
25
* @author Bharat Mediratta <bharat@menalto.com>
26
* @version $Revision: 15538 $
28
class EditCommentControllerTest extends GalleryControllerTestCase {
30
function EditCommentControllerTest($methodName) {
31
$this->GalleryControllerTestCase($methodName, 'comment.EditComment');
38
/* Create two random items */
39
for ($i = 0; $i < 2; $i++) {
40
list ($ret, $this->_item[$i]) = $this->_createRandomDataItem($this->_getRootId());
42
return $this->failWithStatus($ret);
45
$this->_markForCleanup($this->_item[$i]);
47
/* Create a comment in it that we can delete */
48
list ($ret, $this->_comment[$i]) =
49
GalleryCoreApi::newFactoryInstance('GalleryEntity', 'GalleryComment');
51
print $ret->getAsHtml();
52
return $this->failWithStatus($ret);
55
$this->assert(isset($this->_comment[$i]), 'Missing comment instance');
56
$this->_comment[$i]->create($this->_item[$i]->getId());
57
$this->_comment[$i]->setCommenterId($gallery->getActiveUserId());
58
$this->_comment[$i]->setHost('127.0.0.1');
59
$this->_comment[$i]->setSubject('this is a test subject');
60
$this->_comment[$i]->setComment('this is a test comment');
61
$this->_comment[$i]->setDate(time());
62
$ret = $this->_comment[$i]->save();
64
print $ret->getAsHtml();
65
return $this->failWithStatus($ret);
69
list ($ret, $this->_anonymousUserId) =
70
GalleryCoreApi::getPluginParameter('module', 'core', 'id.anonymousUser');
72
print $ret->getAsHtml();
73
return $this->failWithStatus($ret);
76
list ($ret, $this->_anonymousUser) =
77
GalleryCoreApi::loadEntitiesById($this->_anonymousUserId);
79
print $ret->getAsHtml();
80
return $this->failWithStatus($ret);
83
list ($ret, $this->_saveMarkup) =
84
GalleryCoreApi::getPluginParameter('module', 'core', 'misc.markup');
86
print $ret->getAsHtml();
87
return $this->failWithStatus($ret);
92
$ret = GalleryCoreApi::setPluginParameter('module', 'core',
93
'misc.markup', $this->_saveMarkup);
95
$this->failWithStatus($ret);
101
function testEditComment() {
102
GalleryUtilities::putRequestVariable('itemId', $this->_item[0]->getId());
103
GalleryUtilities::putRequestVariable('commentId', $this->_comment[0]->getId());
104
GalleryUtilities::putRequestVariable('form[action][save]', 1);
105
GalleryUtilities::putRequestVariable('form[host]', 'hosty.host.host');
106
GalleryUtilities::putRequestVariable('form[subject]', 'This is a new subject');
107
GalleryUtilities::putRequestVariable('form[author]', 'This is a new author');
108
GalleryUtilities::putRequestVariable('form[comment]', 'This is a new comment');
109
GalleryUtilities::putRequestVariable('form[commenterName]',
110
$this->_anonymousUser->getUserName());
112
$results = $this->handleRequest();
113
$this->assertEquals(array('redirect' => array('view' => 'comment.CommentChangeConfirmation',
114
'itemId' => $this->_item[0]->getId()),
115
'status' => array('changed' => 1),
119
/* Grab the comment and verify it */
120
list ($ret, $comment) = $this->_comment[0]->refresh();
122
return $this->failWithStatus($ret);
125
$this->assertEquals('hosty.host.host', $comment->getHost());
126
$this->assertEquals((int)$this->_anonymousUserId, $comment->getCommenterId());
127
$this->assertEquals('This is a new comment', $comment->getComment());
128
$this->assertEquals('This is a new subject', $comment->getSubject());
131
function testPreviewComment() {
134
/* Use valid inputs */
135
GalleryUtilities::putRequestVariable('itemId', $this->_item[0]->getId());
136
GalleryUtilities::putRequestVariable('form[action][preview]', 1);
137
GalleryUtilities::putRequestVariable('form[host]', 'hosty.host.host');
138
GalleryUtilities::putRequestVariable('form[subject]', 'This is a new subject');
139
GalleryUtilities::putRequestVariable('form[author]', 'This is a new author');
140
GalleryUtilities::putRequestVariable('form[comment]', 'This is a new comment');
141
GalleryUtilities::putRequestVariable('form[commenterName]',
142
$this->_anonymousUser->getUserName());
144
/* Perform the request and verify that we succeeded */
145
$results = $this->handleRequest();
146
$this->assertEquals(array('delegate' => array('view' => 'comment.EditComment'),
152
function testMissingFields() {
153
GalleryUtilities::putRequestVariable('itemId', $this->_item[0]->getId());
154
GalleryUtilities::putRequestVariable('commentId', $this->_comment[0]->getId());
155
GalleryUtilities::putRequestVariable('form[action][save]', 1);
156
GalleryUtilities::putRequestVariable('form[host]', '');
157
GalleryUtilities::putRequestVariable('form[subject]', '');
158
GalleryUtilities::putRequestVariable('form[author]', '');
159
GalleryUtilities::putRequestVariable('form[comment]', '');
160
GalleryUtilities::putRequestVariable('form[commenterName]', '');
162
$results = $this->handleRequest();
163
$this->assertEquals(array('delegate' => array('view' => 'comment.EditComment'),
165
'error' => array('form[error][commenterName][missing]',
166
'form[error][comment][missing]')),
170
function testInvalidCommenterName() {
171
GalleryUtilities::putRequestVariable('itemId', $this->_item[0]->getId());
172
GalleryUtilities::putRequestVariable('commentId', $this->_comment[0]->getId());
173
GalleryUtilities::putRequestVariable('form[action][save]', 1);
174
GalleryUtilities::putRequestVariable('form[host]', 'hosty.host.host');
175
GalleryUtilities::putRequestVariable('form[subject]', 'This is a new subject');
176
GalleryUtilities::putRequestVariable('form[comment]', 'This is a new comment');
177
GalleryUtilities::putRequestVariable('form[commenterName]', 'some-illegal-user-name');
179
$results = $this->handleRequest();
180
$this->assertEquals(array('delegate' => array('view' => 'comment.EditComment'),
182
'error' => array('form[error][commenterName][invalid]')),
186
function testPreviewInvalidCommenterName() {
187
GalleryUtilities::putRequestVariable('itemId', $this->_item[0]->getId());
188
GalleryUtilities::putRequestVariable('commentId', $this->_comment[0]->getId());
189
GalleryUtilities::putRequestVariable('form[action][preview]', 1);
190
GalleryUtilities::putRequestVariable('form[host]', 'hosty.host.host');
191
GalleryUtilities::putRequestVariable('form[subject]', 'This is a new subject');
192
GalleryUtilities::putRequestVariable('form[comment]', 'This is a new comment');
193
GalleryUtilities::putRequestVariable('form[commenterName]', 'some-illegal-user-name');
195
$results = $this->handleRequest();
196
$this->assertEquals(array('delegate' => array('view' => 'comment.EditComment'),
198
'error' => array('form[error][commenterName][invalid]')),
202
function testPreviewEmptyComment() {
205
/* Use valid inputs */
206
GalleryUtilities::putRequestVariable('itemId', $this->_item[0]->getId());
207
GalleryUtilities::putRequestVariable('form[action][preview]', 1);
208
GalleryUtilities::putRequestVariable('form[host]', '');
209
GalleryUtilities::putRequestVariable('form[subject]', '');
210
GalleryUtilities::putRequestVariable('form[comment]', '');
211
GalleryUtilities::putRequestVariable('form[commenterName]', '');
213
/* Perform the request and verify that we failed */
214
$results = $this->handleRequest();
215
$this->assertEquals(array('delegate' => array('view' => 'comment.EditComment'),
217
'error' => array('form[error][commenterName][missing]',
218
'form[error][comment][missing]')),
223
* Use a bogus comment id
225
function testMaliciousEditComment1() {
226
GalleryUtilities::putRequestVariable('itemId', $this->_item[0]->getId());
227
GalleryUtilities::putRequestVariable('commentId', 123123123);
228
GalleryUtilities::putRequestVariable('form[action][save]', 1);
230
$results = $this->handleRequest(ERROR_MISSING_OBJECT);
234
* Use mismatched item id and comment id
236
function testMaliciousEditComment2() {
237
GalleryUtilities::putRequestVariable('itemId', $this->_item[0]->getId());
238
GalleryUtilities::putRequestVariable('commentId', $this->_comment[1]->getId());
239
GalleryUtilities::putRequestVariable('form[action][save]', 1);
241
$results = $this->handleRequest(ERROR_BAD_PARAMETER);
245
* Use malicious content
247
function testMaliciousEditComment3() {
248
$ret = GalleryCoreApi::setPluginParameter('module', 'core', 'misc.markup', 'html');
250
$this->failWithStatus($ret);
252
// GalleryDataCache::reset();
254
GalleryUtilities::putRequestVariable('itemId', $this->_item[0]->getId());
255
GalleryUtilities::putRequestVariable('commentId', $this->_comment[0]->getId());
256
GalleryUtilities::putRequestVariable('form[action][save]', 1);
257
GalleryUtilities::putRequestVariable('form[host]', 'hosty.host.host');
258
GalleryUtilities::putRequestVariable('form[subject]',
259
'<a href="javascript:alert(1)">a</a>');
260
GalleryUtilities::putRequestVariable('form[comment]',
261
'comment <applet code="bad.class"> test');
262
GalleryUtilities::putRequestVariable('form[author]',
263
'this is a author with <script>evilness</script> in it.');
264
GalleryUtilities::putRequestVariable('form[commenterName]',
265
$this->_anonymousUser->getUserName());
267
$results = $this->handleRequest();
268
$this->assertEquals(array('redirect' => array('view' => 'comment.CommentChangeConfirmation',
269
'itemId' => $this->_item[0]->getId()),
270
'status' => array('changed' => 1),
274
/* Grab the comment and verify it */
275
list ($ret, $comment) = $this->_comment[0]->refresh();
277
return $this->failWithStatus($ret);
280
$this->assertEquals('<a>a</a>', $comment->getSubject());
281
$this->assertEquals('comment test', $comment->getComment());
282
$this->assertEquals('this is a author with <script>evilness</script> in it.',
283
$comment->getAuthor());
284
$this->assertEquals('hosty.host.host', $comment->getHost());
285
$this->assertEquals((int)$this->_anonymousUserId, $comment->getCommenterId());
288
function testCancelEdit() {
289
GalleryUtilities::putRequestVariable('itemId', $this->_item[0]->getId());
290
GalleryUtilities::putRequestVariable('commentId', $this->_comment[0]->getId());
291
GalleryUtilities::putRequestVariable('form[action][cancel]', 1);
292
GalleryUtilities::putRequestVariable('form[host]', 'hosty.host.host');
293
GalleryUtilities::putRequestVariable('form[subject]', 'This is a new subject');
294
GalleryUtilities::putRequestVariable('form[comment]', 'This is a new comment');
295
GalleryUtilities::putRequestVariable('form[commenterName]',
296
$this->_anonymousUser->getUserName());
298
$results = $this->handleRequest();
299
$this->assertEquals(array('redirect' => array('view' => 'core.ShowItem',
300
'itemId' => $this->_item[0]->getId()),