[FEATURE] Complete the Property Mapper whitelist change for fluid
authorSebastian Kurfürst <sebastian@typo3.org>
Tue, 11 Dec 2012 21:20:59 +0000 (22:20 +0100)
committerAnja Leichsenring <aleichsenring@ab-softlab.de>
Sat, 9 Feb 2013 21:14:19 +0000 (22:14 +0100)
See http://forge.typo3.org/issues/43057 for detailed explanation.

Resolves: #43894
Depends: #43057
Releases: 6.1
Change-Id: If4beb9b832d6662092b64a3320c4e32a538dcbce
Reviewed-on: https://review.typo3.org/17115
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Marc Bastian Heinrichs
Tested-by: Marc Bastian Heinrichs
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php
typo3/sysext/fluid/Tests/Unit/Core/Widget/AbstractWidgetControllerTest.php
typo3/sysext/fluid/Tests/Unit/ViewHelpers/FormViewHelperTest.php
typo3/sysext/fluid/Tests/Unit/ViewHelpers/ViewHelperBaseTestcase.php

index 5a3d9cd..0d64baa 100644 (file)
@@ -65,6 +65,11 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
        protected $hashService;
 
        /**
+        * @var \TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfigurationService
+        */
+       protected $mvcPropertyMappingConfigurationService;
+
+       /**
         * @var \TYPO3\CMS\Extbase\Service\ExtensionService
         */
        protected $extensionService;
@@ -116,6 +121,14 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
        }
 
        /**
+        * @param \TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfigurationService $mvcPropertyMapperConfigurationService
+        * @return void
+        */
+       public function injectMvcPropertyMapperConfigurationService(\TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfigurationService $mvcPropertyMapperConfigurationService) {
+               $this->mvcPropertyMappingConfigurationService = $mvcPropertyMapperConfigurationService;
+       }
+
+       /**
         * Initialize arguments.
         *
         * @return void
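Review bot: The injector `injectMvcPropertyMapperConfigurationService` and its parameter say "Mapper", while the property it assigns (`$mvcPropertyMappingConfigurationService`) and the injected class (`MvcPropertyMappingConfigurationService`) say "Mapping"; the extbase side apparently already uses the "Mapping" spelling, since AbstractWidgetControllerTest in this same commit calls `injectMvcPropertyMappingConfigurationService` on the controller. Renaming the method and parameter to `injectMvcPropertyMappingConfigurationService(\TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfigurationService $mvcPropertyMappingConfigurationService)` keeps one spelling across extbase and fluid; the call sites in FormViewHelperTest and the `$mvcPropertyMapperConfigurationService` property in ViewHelperBaseTestcase would follow. The injector is new in this commit, so there is no external caller to keep compatible yet, which makes this the cheapest moment to align the name.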
@@ -169,8 +182,13 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
                $content .= $this->renderHiddenIdentityField($this->arguments['object'], $this->getFormObjectName());
                $content .= $this->renderAdditionalIdentityFields();
                $content .= $this->renderHiddenReferrerFields();
-               $content .= $this->renderRequestHashField();
-               // Render hmac after everything else has been rendered
+               if ($this->configurationManager->isFeatureEnabled('rewrittenPropertyMapper') === FALSE) {
+                       // Render hmac after everything else has been rendered
+                       $content .= $this->renderRequestHashField();
+               } else {
+                       // Render the trusted list of all properties after everything else has been rendered
+                       $content .= $this->renderTrustedPropertiesField();
+               }
                $content .= chr(10) . '</div>' . chr(10);
                $content .= $formContent;
                $this->tag->setContent($content);
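Review bot: The guard `isFeatureEnabled('rewrittenPropertyMapper') === FALSE` routes every non-FALSE value, including a null from an unconfigured stub or a misconfigured manager, into the new trusted-properties path, which is presumably why each test in FormViewHelperTest now has to mock `renderTrustedPropertiesField` alongside `renderRequestHashField`. Writing it in the positive form, `if ($this->configurationManager->isFeatureEnabled('rewrittenPropertyMapper')) {` with the `renderTrustedPropertiesField()` call first and `renderRequestHashField()` in the else branch, keeps the legacy hmac field as the default unless the feature is explicitly on, and reads without the double negative. Which default is the right fail-safe depends on what the extbase request side expects in the same configuration, so it is worth confirming against the extbase change rather than assuming. The enclosing render() starts and ends outside this hunk.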
@@ -420,6 +438,17 @@ class FormViewHelper extends \TYPO3\CMS\Fluid\ViewHelpers\Form\AbstractFormViewH
                        $this->viewHelperVariableContainer->remove('TYPO3\\CMS\\Fluid\\ViewHelpers\\Form\\CheckboxViewHelper', 'checkboxFieldNames');
                }
        }
+
+       /**
+        * Render the request hash field
+        *
+        * @return string The hmac field
+        */
+       protected function renderTrustedPropertiesField() {
+               $formFieldNames = $this->viewHelperVariableContainer->get('TYPO3\CMS\Fluid\ViewHelpers\FormViewHelper', 'formFieldNames');
+               $requestHash = $this->mvcPropertyMappingConfigurationService->generateTrustedPropertiesToken($formFieldNames, $this->getFieldNamePrefix());
+               return '<input type="hidden" name="' . $this->prefixFieldName('__trustedProperties') . '" value="' . htmlspecialchars($requestHash) . '" />';
+       }
 }
 
 ?>
\ No newline at end of file
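Review bot: The docblock on `renderTrustedPropertiesField` is a copy of the request-hash one and describes the wrong thing ("Render the request hash field", "@return string The hmac field"); it should read `Render the hidden field carrying the trusted properties token for the rewritten property mapper` with `@return string The hidden __trustedProperties input`, and the local `$requestHash` holds that token, so `$trustedPropertiesToken` names it honestly. The container key `'TYPO3\CMS\Fluid\ViewHelpers\FormViewHelper'` uses single backslashes where the rest of the file doubles them (see the `remove` call earlier in this hunk); inside single quotes both spell the same value, but the mixed style invites a later "fix" that changes the key. Whether `get()` tolerates a missing `formFieldNames` entry cannot be told from here, so the method currently depends on `addFormFieldNamesToViewHelperVariableContainer` having run first.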
index 28a703e..c3b15e4 100644 (file)
@@ -47,6 +47,11 @@ class AbstractWidgetControllerTest extends \TYPO3\CMS\Extbase\Tests\Unit\BaseTes
                $mockUriBuilder = $this->getMock('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Routing\\UriBuilder');
                $objectManager = $this->getMock('TYPO3\\CMS\\Extbase\\Object\\ObjectManagerInterface');
                $objectManager->expects($this->any())->method('create')->with('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Routing\\UriBuilder')->will($this->returnValue($mockUriBuilder));
+
+               $configurationService = $this->getMock('TYPO3\\CMS\\Extbase\\Mvc\\Controller\\MvcPropertyMappingConfigurationService');
+               $abstractWidgetController->injectMvcPropertyMappingConfigurationService($configurationService);
+               $abstractWidgetController->_set('arguments', new \TYPO3\CMS\Extbase\Mvc\Controller\Arguments());
+
                $abstractWidgetController->_set('objectManager', $objectManager);
                $abstractWidgetController->processRequest($request, $response);
                $widgetConfiguration = $abstractWidgetController->_get('widgetConfiguration');
index 0e1d4e6..c98926e 100644 (file)
@@ -50,6 +50,8 @@ class FormViewHelperTest extends \TYPO3\CMS\Fluid\Tests\Unit\ViewHelpers\ViewHel
        protected function injectDependenciesIntoViewHelper(\TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHelper $viewHelper) {
                $viewHelper->injectConfigurationManager($this->mockConfigurationManager);
                parent::injectDependenciesIntoViewHelper($viewHelper);
+               $this->mvcPropertyMapperConfigurationService->injectHashService(new \TYPO3\CMS\Extbase\Security\Cryptography\HashService());
+               $viewHelper->injectMvcPropertyMapperConfigurationService($this->mvcPropertyMapperConfigurationService);
        }
 
        /**
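Review bot: The two wiring lines added to `injectDependenciesIntoViewHelper` are repeated verbatim in both new XHTML-compatibility tests further down, because those tests need their own configuration manager and so cannot call this helper. Giving the helper an optional configuration-manager parameter that falls back to `$this->mockConfigurationManager` lets both tests call `$this->injectDependenciesIntoViewHelper($viewHelper, $configurationManager);` and drop the five duplicated lines each; an added optional parameter keeps the override compatible with the parent signature. Re-injecting the HashService on every call is harmless, but it could equally live once in the base testcase's setUp.
```php
protected function injectDependenciesIntoViewHelper(\TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHelper $viewHelper, $configurationManager = NULL) {
	if ($configurationManager === NULL) {
		$configurationManager = $this->mockConfigurationManager;
	}
	$viewHelper->injectConfigurationManager($configurationManager);
	parent::injectDependenciesIntoViewHelper($viewHelper);
	$this->mvcPropertyMapperConfigurationService->injectHashService(new \TYPO3\CMS\Extbase\Security\Cryptography\HashService());
	$viewHelper->injectMvcPropertyMapperConfigurationService($this->mvcPropertyMapperConfigurationService);
}
```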
@@ -57,7 +59,7 @@ class FormViewHelperTest extends \TYPO3\CMS\Fluid\Tests\Unit\ViewHelpers\ViewHel
         */
        public function renderAddsObjectToViewHelperVariableContainer() {
                $formObject = new \stdClass();
-               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderHiddenIdentityField', 'renderAdditionalIdentityFields', 'renderHiddenReferrerFields', 'renderRequestHashField', 'addFormObjectNameToViewHelperVariableContainer', 'addFieldNamePrefixToViewHelperVariableContainer', 'removeFormObjectNameFromViewHelperVariableContainer', 'removeFieldNamePrefixFromViewHelperVariableContainer', 'addFormFieldNamesToViewHelperVariableContainer', 'removeFormFieldNamesFromViewHelperVariableContainer'), array(), '', FALSE);
+               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderHiddenIdentityField', 'renderAdditionalIdentityFields', 'renderHiddenReferrerFields', 'renderRequestHashField', 'addFormObjectNameToViewHelperVariableContainer', 'addFieldNamePrefixToViewHelperVariableContainer', 'removeFormObjectNameFromViewHelperVariableContainer', 'removeFieldNamePrefixFromViewHelperVariableContainer', 'addFormFieldNamesToViewHelperVariableContainer', 'removeFormFieldNamesFromViewHelperVariableContainer', 'renderTrustedPropertiesField'), array(), '', FALSE);
                $this->injectDependenciesIntoViewHelper($viewHelper);
                $viewHelper->setArguments(array('object' => $formObject));
                $this->viewHelperVariableContainer->expects($this->at(0))->method('add')->with('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', 'formObject', $formObject);
@@ -72,7 +74,7 @@ class FormViewHelperTest extends \TYPO3\CMS\Fluid\Tests\Unit\ViewHelpers\ViewHel
         */
        public function renderAddsObjectNameToTemplateVariableContainer() {
                $objectName = 'someObjectName';
-               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderHiddenIdentityField', 'renderHiddenReferrerFields', 'renderRequestHashField', 'addFormObjectToViewHelperVariableContainer', 'addFieldNamePrefixToViewHelperVariableContainer', 'removeFormObjectFromViewHelperVariableContainer', 'removeFieldNamePrefixFromViewHelperVariableContainer', 'addFormFieldNamesToViewHelperVariableContainer', 'removeFormFieldNamesFromViewHelperVariableContainer'), array(), '', FALSE);
+               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderHiddenIdentityField', 'renderHiddenReferrerFields', 'renderRequestHashField', 'addFormObjectToViewHelperVariableContainer', 'addFieldNamePrefixToViewHelperVariableContainer', 'removeFormObjectFromViewHelperVariableContainer', 'removeFieldNamePrefixFromViewHelperVariableContainer', 'addFormFieldNamesToViewHelperVariableContainer', 'removeFormFieldNamesFromViewHelperVariableContainer', 'renderTrustedPropertiesField'), array(), '', FALSE);
                $this->injectDependenciesIntoViewHelper($viewHelper);
                $viewHelper->setArguments(array('name' => $objectName));
                $this->viewHelperVariableContainer->expects($this->once())->method('add')->with('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', 'formObjectName', $objectName);
@@ -85,7 +87,7 @@ class FormViewHelperTest extends \TYPO3\CMS\Fluid\Tests\Unit\ViewHelpers\ViewHel
         */
        public function formObjectNameArgumentOverrulesNameArgument() {
                $objectName = 'someObjectName';
-               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderHiddenIdentityField', 'renderHiddenReferrerFields', 'renderRequestHashField', 'addFormObjectToViewHelperVariableContainer', 'addFieldNamePrefixToViewHelperVariableContainer', 'removeFormObjectFromViewHelperVariableContainer', 'removeFieldNamePrefixFromViewHelperVariableContainer', 'addFormFieldNamesToViewHelperVariableContainer', 'removeFormFieldNamesFromViewHelperVariableContainer'), array(), '', FALSE);
+               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderHiddenIdentityField', 'renderHiddenReferrerFields', 'renderRequestHashField', 'addFormObjectToViewHelperVariableContainer', 'addFieldNamePrefixToViewHelperVariableContainer', 'removeFormObjectFromViewHelperVariableContainer', 'removeFieldNamePrefixFromViewHelperVariableContainer', 'addFormFieldNamesToViewHelperVariableContainer', 'removeFormFieldNamesFromViewHelperVariableContainer', 'renderTrustedPropertiesField'), array(), '', FALSE);
                $this->injectDependenciesIntoViewHelper($viewHelper);
                $viewHelper->setArguments(array('name' => 'formName', 'objectName' => $objectName));
                $this->viewHelperVariableContainer->expects($this->once())->method('add')->with('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', 'formObjectName', $objectName);
@@ -97,7 +99,7 @@ class FormViewHelperTest extends \TYPO3\CMS\Fluid\Tests\Unit\ViewHelpers\ViewHel
         * @test
         */
        public function renderCallsRenderHiddenReferrerFields() {
-               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderRequestHashField', 'renderHiddenReferrerFields'), array(), '', FALSE);
+               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderRequestHashField', 'renderHiddenReferrerFields', 'renderTrustedPropertiesField'), array(), '', FALSE);
                $viewHelper->expects($this->once())->method('renderHiddenReferrerFields');
                $this->injectDependenciesIntoViewHelper($viewHelper);
                $viewHelper->render();
@@ -108,7 +110,7 @@ class FormViewHelperTest extends \TYPO3\CMS\Fluid\Tests\Unit\ViewHelpers\ViewHel
         */
        public function renderCallsRenderHiddenIdentityField() {
                $object = new \stdClass();
-               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderRequestHashField', 'renderHiddenIdentityField', 'getFormObjectName'), array(), '', FALSE);
+               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderRequestHashField', 'renderHiddenIdentityField', 'getFormObjectName', 'renderTrustedPropertiesField'), array(), '', FALSE);
                $this->injectDependenciesIntoViewHelper($viewHelper);
                $viewHelper->setArguments(array('object' => $object));
                $viewHelper->expects($this->atLeastOnce())->method('getFormObjectName')->will($this->returnValue('MyName'));
@@ -120,7 +122,7 @@ class FormViewHelperTest extends \TYPO3\CMS\Fluid\Tests\Unit\ViewHelpers\ViewHel
         * @test
         */
        public function renderCallsRenderAdditionalIdentityFields() {
-               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderRequestHashField', 'renderAdditionalIdentityFields'), array(), '', FALSE);
+               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderRequestHashField', 'renderAdditionalIdentityFields', 'renderTrustedPropertiesField'), array(), '', FALSE);
                $viewHelper->expects($this->once())->method('renderAdditionalIdentityFields');
                $this->injectDependenciesIntoViewHelper($viewHelper);
                $viewHelper->render();
@@ -129,9 +131,14 @@ class FormViewHelperTest extends \TYPO3\CMS\Fluid\Tests\Unit\ViewHelpers\ViewHel
        /**
         * @test
         */
-       public function renderWrapsHiddenFieldsWithDivForXhtmlCompatibility() {
+       public function renderWrapsHiddenFieldsWithDivForXhtmlCompatibilityWithOldPropertyMapper() {
                $viewHelper = $this->getMock($this->buildAccessibleProxy('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper'), array('renderChildren', 'renderHiddenIdentityField', 'renderAdditionalIdentityFields', 'renderHiddenReferrerFields', 'renderRequestHashField'), array(), '', FALSE);
-               $this->injectDependenciesIntoViewHelper($viewHelper);
+               $configurationManager = $this->getMock('TYPO3\\CMS\\Extbase\\Configuration\\ConfigurationManager', array('isFeatureEnabled'));
+               $configurationManager->expects($this->once())->method('isFeatureEnabled')->with('rewrittenPropertyMapper')->will($this->returnValue(FALSE));
+               $viewHelper->injectConfigurationManager($configurationManager);
+               $this->mvcPropertyMapperConfigurationService->injectHashService(new \TYPO3\CMS\Extbase\Security\Cryptography\HashService());
+               $viewHelper->injectMvcPropertyMapperConfigurationService($this->mvcPropertyMapperConfigurationService);
+               parent::injectDependenciesIntoViewHelper($viewHelper);
                $viewHelper->expects($this->once())->method('renderHiddenIdentityField')->will($this->returnValue('hiddenIdentityField'));
                $viewHelper->expects($this->once())->method('renderAdditionalIdentityFields')->will($this->returnValue('additionalIdentityFields'));
                $viewHelper->expects($this->once())->method('renderHiddenReferrerFields')->will($this->returnValue('hiddenReferrerFields'));
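Review bot: `renderWrapsHiddenFieldsWithDivForXhtmlCompatibilityWithOldPropertyMapper` stubs `renderRequestHashField` but sets no expectation on it, so nothing in the test asserts that the legacy branch actually rendered the hmac field; only the `isFeatureEnabled` expectation shows which branch was consulted, not which renderer ran. Adding `$viewHelper->expects($this->once())->method('renderRequestHashField')->will($this->returnValue(''));` pins the branch without changing the expected content, and the matching line for `renderTrustedPropertiesField` belongs in the sibling `...WithRewrittenPropertyMapper` test in the next hunk. The expected-content string and the render() call of this test lie outside the hunk.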
@@ -145,6 +152,26 @@ class FormViewHelperTest extends \TYPO3\CMS\Fluid\Tests\Unit\ViewHelpers\ViewHel
        /**
         * @test
         */
+       public function renderWrapsHiddenFieldsWithDivForXhtmlCompatibilityWithRewrittenPropertyMapper() {
+               $viewHelper = $this->getMock($this->buildAccessibleProxy('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper'), array('renderChildren', 'renderHiddenIdentityField', 'renderAdditionalIdentityFields', 'renderHiddenReferrerFields', 'renderTrustedPropertiesField'), array(), '', FALSE);
+               $configurationManager = $this->getMock('TYPO3\\CMS\\Extbase\\Configuration\\ConfigurationManager', array('isFeatureEnabled'));
+               $configurationManager->expects($this->once())->method('isFeatureEnabled')->with('rewrittenPropertyMapper')->will($this->returnValue(TRUE));
+               $viewHelper->injectConfigurationManager($configurationManager);
+               $this->mvcPropertyMapperConfigurationService->injectHashService(new \TYPO3\CMS\Extbase\Security\Cryptography\HashService());
+               $viewHelper->injectMvcPropertyMapperConfigurationService($this->mvcPropertyMapperConfigurationService);
+               parent::injectDependenciesIntoViewHelper($viewHelper);
+               $viewHelper->expects($this->once())->method('renderHiddenIdentityField')->will($this->returnValue('hiddenIdentityField'));
+               $viewHelper->expects($this->once())->method('renderAdditionalIdentityFields')->will($this->returnValue('additionalIdentityFields'));
+               $viewHelper->expects($this->once())->method('renderHiddenReferrerFields')->will($this->returnValue('hiddenReferrerFields'));
+               $viewHelper->expects($this->once())->method('renderChildren')->will($this->returnValue('formContent'));
+               $expectedResult = chr(10) . '<div style="display: none">' . 'hiddenIdentityFieldadditionalIdentityFieldshiddenReferrerFields' . chr(10) . '</div>' . chr(10) . 'formContent';
+               $this->tagBuilder->expects($this->once())->method('setContent')->with($expectedResult);
+               $viewHelper->render();
+       }
+
+       /**
+        * @test
+        */
        public function renderAdditionalIdentityFieldsFetchesTheFieldsFromViewHelperVariableContainerAndBuildsHiddenFieldsForThem() {
                $identityProperties = array(
                        'object1[object2]' => '<input type="hidden" name="object1[object2][__identity]" value="42" />',
@@ -179,7 +206,7 @@ class FormViewHelperTest extends \TYPO3\CMS\Fluid\Tests\Unit\ViewHelpers\ViewHel
         */
        public function renderAddsSpecifiedPrefixToTemplateVariableContainer() {
                $prefix = 'somePrefix';
-               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderHiddenIdentityField', 'renderHiddenReferrerFields', 'renderRequestHashField', 'addFormFieldNamesToViewHelperVariableContainer', 'removeFormFieldNamesFromViewHelperVariableContainer'), array(), '', FALSE);
+               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderHiddenIdentityField', 'renderHiddenReferrerFields', 'renderRequestHashField', 'addFormFieldNamesToViewHelperVariableContainer', 'removeFormFieldNamesFromViewHelperVariableContainer', 'renderTrustedPropertiesField'), array(), '', FALSE);
                $this->injectDependenciesIntoViewHelper($viewHelper);
                $viewHelper->setArguments(array('fieldNamePrefix' => $prefix));
                $this->viewHelperVariableContainer->expects($this->once())->method('add')->with('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', 'fieldNamePrefix', $prefix);
@@ -192,7 +219,7 @@ class FormViewHelperTest extends \TYPO3\CMS\Fluid\Tests\Unit\ViewHelpers\ViewHel
         */
        public function renderAddsDefaultFieldNamePrefixToTemplateVariableContainerIfNoPrefixIsSpecified() {
                $expectedPrefix = 'tx_someextension_someplugin';
-               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderHiddenIdentityField', 'renderHiddenReferrerFields', 'renderRequestHashField', 'addFormFieldNamesToViewHelperVariableContainer', 'removeFormFieldNamesFromViewHelperVariableContainer'), array(), '', FALSE);
+               $viewHelper = $this->getAccessibleMock('TYPO3\\CMS\\Fluid\\ViewHelpers\\FormViewHelper', array('renderChildren', 'renderHiddenIdentityField', 'renderHiddenReferrerFields', 'renderRequestHashField', 'addFormFieldNamesToViewHelperVariableContainer', 'removeFormFieldNamesFromViewHelperVariableContainer', 'renderTrustedPropertiesField'), array(), '', FALSE);
                $this->mockExtensionService->expects($this->once())->method('getPluginNamespace')->with('SomeExtension', 'SomePlugin')->will($this->returnValue('tx_someextension_someplugin'));
                $viewHelper->injectExtensionService($this->mockExtensionService);
                $this->injectDependenciesIntoViewHelper($viewHelper);
index d71a699..61fe7cd 100644 (file)
@@ -53,6 +53,11 @@ abstract class ViewHelperBaseTestcase extends \TYPO3\CMS\Extbase\Tests\Unit\Base
        protected $renderingContext;
 
        /**
+        * @var \TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfigurationService
+        */
+       protected $mvcPropertyMapperConfigurationService;
+
+       /**
         * @return void
         */
        public function setUp() {
@@ -81,6 +86,7 @@ abstract class ViewHelperBaseTestcase extends \TYPO3\CMS\Extbase\Tests\Unit\Base
                $this->renderingContext->injectTemplateVariableContainer($this->templateVariableContainer);
                $this->renderingContext->injectViewHelperVariableContainer($this->viewHelperVariableContainer);
                $this->renderingContext->setControllerContext($this->controllerContext);
+               $this->mvcPropertyMapperConfigurationService = new \TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfigurationService;
        }
 
        /**
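Review bot: The service created on the new setUp line is constructed without its HashService, so every test class that uses `$this->mvcPropertyMapperConfigurationService` has to call `injectHashService(new HashService())` itself (FormViewHelperTest does so three times in this commit). Creating it ready to use here, `$this->mvcPropertyMapperConfigurationService->injectHashService(new \TYPO3\CMS\Extbase\Security\Cryptography\HashService());` directly after the `new`, removes that obligation from subclasses. Writing the instantiation as `new \TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfigurationService()` with parentheses also matches the other constructor calls in this diff. setUp() begins outside this hunk.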