This implements getWebUITokenSalt(), as mentioned in T25227#2008199 and
implemented in F3328897. Somehow it didn't make it into Icb674095.
This also fixes some issues in the unit test:
* Properly link the user to the request's Session so User::doLogout()
won't log a warning. This also gives use to the otherwise-unneeded
implementation of setUp(), and lets us get rid of the broken call to
User::newFromId() that was passing an IP address rather than a user ID.
* Privatize some internal methods.
* Use setExpectedApiException() instead of manually catching and
hard-coding the English exception message.
* Also assert that the bad token error didn't result in a logout.
Bug: T25227
Change-Id: I2aecfba821cca3c367c5e7e8d188a88197fb82d2
+ protected function getWebUITokenSalt( array $params ) {
+ return 'logoutToken';
+ }
+
public function isReadMode() {
return false;
}
public function isReadMode() {
return false;
}
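Review bot: The new getWebUITokenSalt() override at the top of the hunk has no doc comment, and the literal `'logoutToken'` is the whole contract: a web-UI logout token is only accepted by the API if this salt is byte-identical to the one used when the logout link's edit token is generated (the accompanying test's comment says that logic is copied from SkinTemplate). A short comment would keep a future edit on either side from silently breaking web-UI logout, e.g. `/** @inheritDoc */` followed by `// Must match the salt used for the logout link's edit token; see ApiLogoutTest::testUserLogoutWithWebToken.` The unused `$params` parameter belongs to the parent signature and is fine to keep. The enclosing class starts and ends outside the hunk.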
* @covers ApiLogout
*/
class ApiLogoutTest extends ApiTestCase {
* @covers ApiLogout
*/
class ApiLogoutTest extends ApiTestCase {
- public function setUp() {
+
+ protected function setUp() {
+ global $wgRequest, $wgUser;
+
+
+ // Link the user to the Session properly so User::doLogout() doesn't complain.
+ $wgRequest->getSession()->setUser( $wgUser );
+ $wgUser = User::newFromSession( $wgRequest );
+ $this->apiContext->setUser( $wgUser );
}
public function testUserLogoutBadToken() {
}
public function testUserLogoutBadToken() {
+ global $wgUser;
+
+ $this->setExpectedApiException( 'apierror-badtoken' );
+
try {
$token = 'invalid token';
try {
$token = 'invalid token';
- $retLogout = $this->doUserLogout( $token );
- }
- catch ( ApiUsageException $e ) {
- $exceptionMsg = $e->getMessage();
+ $this->doUserLogout( $token );
+ } finally {
+ $this->assertTrue( $wgUser->isLoggedIn(), 'not logged out' );
-
- $this->assertSame( "Invalid CSRF token.", $exceptionMsg );
}
public function testUserLogout() {
}
public function testUserLogout() {
- // TODO: there has to be a cleaner way to make User::doLogout happy
- $wgUser = User::newFromId( '127.0.0.1' );
+ $this->assertTrue( $wgUser->isLoggedIn(), 'sanity check' );
$token = $this->getUserCsrfTokenFromApi();
$token = $this->getUserCsrfTokenFromApi();
- $retLogout = $this->doUserLogout( $token );
+ $this->doUserLogout( $token );
+ $this->assertFalse( $wgUser->isLoggedIn() );
+ }
+
+ public function testUserLogoutWithWebToken() {
+ global $wgUser, $wgRequest;
+
+ $this->assertTrue( $wgUser->isLoggedIn(), 'sanity check' );
+
+ // Logic copied from SkinTemplate.
+ $token = $wgUser->getEditToken( 'logoutToken', $wgRequest );
+
+ $this->doUserLogout( $token );
$this->assertFalse( $wgUser->isLoggedIn() );
}
$this->assertFalse( $wgUser->isLoggedIn() );
}
- public function getUserCsrfTokenFromApi() {
+ private function getUserCsrfTokenFromApi() {
$retToken = $this->doApiRequest( [
'action' => 'query',
'meta' => 'tokens',
$retToken = $this->doApiRequest( [
'action' => 'query',
'meta' => 'tokens',
return $retToken[0]['query']['tokens']['csrftoken'];
}
return $retToken[0]['query']['tokens']['csrftoken'];
}
- public function doUserLogout( $logoutToken ) {
+ private function doUserLogout( $logoutToken ) {
return $this->doApiRequest( [
'action' => 'logout',
'token' => $logoutToken
return $this->doApiRequest( [
'action' => 'logout',
'token' => $logoutToken