X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;ds=inline;f=tests%2Fphpunit%2Fincludes%2Fuser%2FUserTest.php;h=941e940d42081c74cc7f83438909b1c37a4812d1;hb=1e9c361960587b889911f6239026f6358c880845;hp=5d9cda7c44f0df20490cb45eaa009656bd98c467;hpb=1a2299c74908501bd2b21bc5129d68737aaef004;p=lhc%2Fweb%2Fwiklou.git

diff --git a/tests/phpunit/includes/user/UserTest.php b/tests/phpunit/includes/user/UserTest.php
index 5d9cda7c44..941e940d42 100644
--- a/tests/phpunit/includes/user/UserTest.php
+++ b/tests/phpunit/includes/user/UserTest.php
@@ -25,6 +25,7 @@ class UserTest extends MediaWikiTestCase {
 		$this->setUpPermissionGlobals();
 
 		$this->user = new User;
+		$this->user->addToDatabase();
 		$this->user->addGroup( 'unittesters' );
 	}
 
@@ -99,6 +100,7 @@ class UserTest extends MediaWikiTestCase {
 	 */
 	public function testUserGetRightsHooks() {
 		$user = new User;
+		$user->addToDatabase();
 		$user->addGroup( 'unittesters' );
 		$user->addGroup( 'testwriters' );
 		$userWrapper = TestingAccessWrapper::newFromObject( $user );
@@ -345,29 +347,29 @@ class UserTest extends MediaWikiTestCase {
 		$user = $this->getMutableTestUser()->getUser();
 
 		$user->setOption( 'userjs-someoption', 'test' );
-		$user->setOption( 'cols', 200 );
+		$user->setOption( 'rclimit', 200 );
 		$user->saveSettings();
 
 		$user = User::newFromName( $user->getName() );
 		$user->load( User::READ_LATEST );
 		$this->assertEquals( 'test', $user->getOption( 'userjs-someoption' ) );
-		$this->assertEquals( 200, $user->getOption( 'cols' ) );
+		$this->assertEquals( 200, $user->getOption( 'rclimit' ) );
 
 		$user = User::newFromName( $user->getName() );
 		MediaWikiServices::getInstance()->getMainWANObjectCache()->clearProcessCache();
 		$this->assertEquals( 'test', $user->getOption( 'userjs-someoption' ) );
-		$this->assertEquals( 200, $user->getOption( 'cols' ) );
+		$this->assertEquals( 200, $user->getOption( 'rclimit' ) );
 	}
 
 	/**
-	 * Bug 37963
+	 * T39963
 	 * Make sure defaults are loaded when setOption is called.
 	 * @covers User::loadOptions
 	 */
 	public function testAnonOptions() {
 		global $wgDefaultUserOptions;
 		$this->user->setOption( 'userjs-someoption', 'test' );
-		$this->assertEquals( $wgDefaultUserOptions['cols'], $this->user->getOption( 'cols' ) );
+		$this->assertEquals( $wgDefaultUserOptions['rclimit'], $this->user->getOption( 'rclimit' ) );
 		$this->assertEquals( 'test', $this->user->getOption( 'userjs-someoption' ) );
 	}
 
@@ -597,6 +599,7 @@ class UserTest extends MediaWikiTestCase {
 		$this->setMwGlobals( [
 			'wgCookieSetOnAutoblock' => true,
 			'wgCookiePrefix' => 'wmsitetitle',
+			'wgSecretKey' => MWCryptRand::generateHex( 64, true ),
 		] );
 
 		// 1. Log in a test user, and block them.
@@ -624,12 +627,13 @@ class UserTest extends MediaWikiTestCase {
 		// Test for the desired cookie name, value, and expiry.
 		$cookies = $request1->response()->getCookies();
 		$this->assertArrayHasKey( 'wmsitetitleBlockID', $cookies );
-		$this->assertEquals( $block->getId(), $cookies['wmsitetitleBlockID']['value'] );
 		$this->assertEquals( $expiryFiveHours, $cookies['wmsitetitleBlockID']['expire'] );
+		$cookieValue = Block::getIdFromCookieValue( $cookies['wmsitetitleBlockID']['value'] );
+		$this->assertEquals( $block->getId(), $cookieValue );
 
 		// 2. Create a new request, set the cookies, and see if the (anon) user is blocked.
 		$request2 = new FauxRequest();
-		$request2->setCookie( 'BlockID', $block->getId() );
+		$request2->setCookie( 'BlockID', $block->getCookieValue() );
 		$user2 = User::newFromSession( $request2 );
 		$user2->load();
 		$this->assertNotEquals( $user1->getId(), $user2->getId() );
@@ -667,6 +671,7 @@ class UserTest extends MediaWikiTestCase {
 		$this->setMwGlobals( [
 			'wgCookieSetOnAutoblock' => false,
 			'wgCookiePrefix' => 'wm_no_cookies',
+			'wgSecretKey' => MWCryptRand::generateHex( 64, true ),
 		] );
 
 		// 1. Log in a test user, and block them.
@@ -703,6 +708,7 @@ class UserTest extends MediaWikiTestCase {
 		$this->setMwGlobals( [
 			'wgCookieSetOnAutoblock' => true,
 			'wgCookiePrefix' => 'wm_infinite_block',
+			'wgSecretKey' => MWCryptRand::generateHex( 64, true ),
 		] );
 		// 1. Log in a test user, and block them indefinitely.
 		$user1Tmp = $this->getTestUser()->getUser();
@@ -726,13 +732,11 @@ class UserTest extends MediaWikiTestCase {
 		$this->assertArrayHasKey( 'wm_infinite_blockBlockID', $cookies );
 		$expOneDay = wfTimestamp() + ( 24 * 60 * 60 );
 		// Check for expiry dates in a 10-second window, to account for slow testing.
-		$this->assertGreaterThan(
-			$expOneDay - 5,
-			$cookies['wm_infinite_blockBlockID']['expire']
-		);
-		$this->assertLessThan(
-			$expOneDay + 5,
-			$cookies['wm_infinite_blockBlockID']['expire']
+		$this->assertEquals(
+			$expOneDay,
+			$cookies['wm_infinite_blockBlockID']['expire'],
+			'Expiry date',
+			5.0
 		);
 
 		// 3. Change the block's expiry (to 2 hours), and the cookie's should be changed also.
@@ -752,4 +756,110 @@ class UserTest extends MediaWikiTestCase {
 		// Clean up.
 		$block->delete();
 	}
+
+	public function testSoftBlockRanges() {
+		global $wgUser;
+
+		$this->setMwGlobals( [
+			'wgSoftBlockRanges' => [ '10.0.0.0/8' ],
+			'wgUser' => null,
+		] );
+
+		// IP isn't in $wgSoftBlockRanges
+		$request = new FauxRequest();
+		$request->setIP( '192.168.0.1' );
+		$wgUser = User::newFromSession( $request );
+		$this->assertNull( $wgUser->getBlock() );
+
+		// IP is in $wgSoftBlockRanges
+		$request = new FauxRequest();
+		$request->setIP( '10.20.30.40' );
+		$wgUser = User::newFromSession( $request );
+		$block = $wgUser->getBlock();
+		$this->assertInstanceOf( Block::class, $block );
+		$this->assertSame( 'wgSoftBlockRanges', $block->getSystemBlockType() );
+
+		// Make sure the block is really soft
+		$request->getSession()->setUser( $this->getTestUser()->getUser() );
+		$wgUser = User::newFromSession( $request );
+		$this->assertFalse( $wgUser->isAnon(), 'sanity check' );
+		$this->assertNull( $wgUser->getBlock() );
+	}
+
+	/**
+	 * Test that a modified BlockID cookie doesn't actually load the relevant block (T152951).
+	 */
+	public function testAutoblockCookieInauthentic() {
+		// Set up the bits of global configuration that we use.
+		$this->setMwGlobals( [
+			'wgCookieSetOnAutoblock' => true,
+			'wgCookiePrefix' => 'wmsitetitle',
+			'wgSecretKey' => MWCryptRand::generateHex( 64, true ),
+		] );
+
+		// 1. Log in a blocked test user.
+		$user1tmp = $this->getTestUser()->getUser();
+		$request1 = new FauxRequest();
+		$request1->getSession()->setUser( $user1tmp );
+		$block = new Block( [ 'enableAutoblock' => true ] );
+		$block->setTarget( $user1tmp );
+		$block->insert();
+		$user1 = User::newFromSession( $request1 );
+		$user1->mBlock = $block;
+		$user1->load();
+
+		// 2. Create a new request, set the cookie to an invalid value, and make sure the (anon)
+		// user not blocked.
+		$request2 = new FauxRequest();
+		$request2->setCookie( 'BlockID', $block->getId() . '!zzzzzzz' );
+		$user2 = User::newFromSession( $request2 );
+		$user2->load();
+		$this->assertTrue( $user2->isAnon() );
+		$this->assertFalse( $user2->isLoggedIn() );
+		$this->assertFalse( $user2->isBlocked() );
+
+		// Clean up.
+		$block->delete();
+	}
+
+	/**
+	 * The BlockID cookie is normally verified with a HMAC, but not if wgSecretKey is not set.
+	 * This checks that a non-authenticated cookie still works.
+	 */
+	public function testAutoblockCookieNoSecretKey() {
+		// Set up the bits of global configuration that we use.
+		$this->setMwGlobals( [
+			'wgCookieSetOnAutoblock' => true,
+			'wgCookiePrefix' => 'wmsitetitle',
+			'wgSecretKey' => null,
+		] );
+
+		// 1. Log in a blocked test user.
+		$user1tmp = $this->getTestUser()->getUser();
+		$request1 = new FauxRequest();
+		$request1->getSession()->setUser( $user1tmp );
+		$block = new Block( [ 'enableAutoblock' => true ] );
+		$block->setTarget( $user1tmp );
+		$block->insert();
+		$user1 = User::newFromSession( $request1 );
+		$user1->mBlock = $block;
+		$user1->load();
+		$this->assertTrue( $user1->isBlocked() );
+
+		// 2. Create a new request, set the cookie to just the block ID, and the user should
+		// still get blocked when they log in again.
+		$request2 = new FauxRequest();
+		$request2->setCookie( 'BlockID', $block->getId() );
+		$user2 = User::newFromSession( $request2 );
+		$user2->load();
+		$this->assertNotEquals( $user1->getId(), $user2->getId() );
+		$this->assertNotEquals( $user1->getToken(), $user2->getToken() );
+		$this->assertTrue( $user2->isAnon() );
+		$this->assertFalse( $user2->isLoggedIn() );
+		$this->assertTrue( $user2->isBlocked() );
+		$this->assertEquals( true, $user2->getBlock()->isAutoblocking() ); // Non-strict type-check.
+
+		// Clean up.
+		$block->delete();
+	}
 }