[+BUGFIX] Extbase (Security): Made Request Hash checking a little less strict, to...
authorSebastian Kurfürst <sebastian@typo3.org>
Mon, 14 Jun 2010 16:28:25 +0000 (16:28 +0000)
committerSebastian Kurfürst <sebastian@typo3.org>
Mon, 14 Jun 2010 16:28:25 +0000 (16:28 +0000)
typo3/sysext/extbase/Classes/Security/Channel/RequestHashService.php
typo3/sysext/extbase/Tests/Security/Channel/RequestHashService_testcase.php

index 6c7ff6d..41cf137 100644 (file)
@@ -172,6 +172,16 @@ class Tx_Extbase_Security_Channel_RequestHashService implements t3lib_singleton
                                }
                        } elseif (!is_array($requestArguments[$argumentName]) && !is_array($allowedFields[$argumentName])) {
                                // do nothing, as this is allowed
+                       } elseif (!is_array($requestArguments[$argumentName]) && $requestArguments[$argumentName] === '' && is_array($allowedFields[$argumentName])) {
+                               // do nothing, as this is allowed.
+                               // This case is needed for making an array of checkboxes work, in case they are fully unchecked.
+                               // Example: if the following checkbox names are defined:
+                               //     foo[a]
+                               //     foo[b]
+                               // then, Fluid automatically renders a hidden field "foo" with the value '' (empty string) in front of it,
+                               // to determine the case if the user un-checks all checkboxes.
+                               // in this case, the property mapping already does the right thing, but without this condition here,
+                               // the request hash checking would fail because of the strong type checks.
                        } else {
                                // different types - error
                                return FALSE;
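Review bot: The new `elseif` accepts an empty string for every argument whose allowed-fields entry is an array, because the condition cannot tell a checkbox group such as `foo[a]`/`foo[b]` from the sub-properties of a nested object. This service limits which arguments a request may carry, so the comment should state that consequence, e.g. `// NOTE: '' is accepted for any field group, not only checkboxes; the property mapper must treat it as "no value".` Whether that is harmless depends on how the property mapper handles `''` for non-checkbox targets, which is not visible in this hunk. The `!is_array($requestArguments[$argumentName])` test is also redundant once `=== ''` is checked. The enclosing method starts and ends outside the hunk.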
index a13e776..2569870 100644 (file)
@@ -389,6 +389,28 @@ class Tx_Extbase_Security_Channel_RequestHashService_testcase extends Tx_Extbase
                                // Expected result
                                FALSE
                        ),
+                       
+                       // hierarchical fields with requestfields != responsefields (different types)
+                       // This case happens if an array of checkboxes is rendered, in case they are fully unchecked.
+                       array(
+                               // Request
+                               array(
+                                       'a' => '', // this is the only allowed value.
+                                       'b' => 'X',
+                                       'c' => 'X'
+                               ),
+                               // Allowed
+                               array(
+                                       'a' => array(
+                                               'x' => 1,
+                                               'y' => 1
+                                       ),
+                                       'b' => 1,
+                                       'c' => 1
+                               ),
+                               // Expected result
+                               TRUE
+                       ),
                );
        }