@@ 269-312 (lines=44) @@ | ||
266 | $this->assertFalse($check && $check->exists()); |
|
267 | } |
|
268 | ||
269 | public function testSpamComment() |
|
270 | { |
|
271 | // Test anonymous user |
|
272 | if ($member = Member::currentUser()) { |
|
273 | $member->logOut(); |
|
274 | } |
|
275 | $comment = $this->objFromFixture(Comment::class, 'firstComA'); |
|
276 | $commentID = $comment->ID; |
|
277 | $this->assertNull($comment->SpamLink(), 'No permission to see mark as spam link'); |
|
278 | $spam = $this->get('comments/spam/'.$comment->ID.'?ajax=1'); |
|
279 | $this->assertEquals(403, $spam->getStatusCode()); |
|
280 | $check = DataObject::get_by_id(Comment::class, $commentID); |
|
281 | $this->assertEquals(0, $check->IsSpam, 'No permission to mark as spam'); |
|
282 | ||
283 | // Test non-authenticated user |
|
284 | $this->logInAs('visitor'); |
|
285 | $this->assertNull($comment->SpamLink(), 'No permission to see mark as spam link'); |
|
286 | ||
287 | // Test authenticated user |
|
288 | $this->logInAs('commentadmin'); |
|
289 | $comment = $this->objFromFixture(Comment::class, 'firstComA'); |
|
290 | $commentID = $comment->ID; |
|
291 | $adminComment1Link = $comment->SpamLink(); |
|
292 | $this->assertContains('comments/spam/' . $commentID . '?t=', $adminComment1Link); |
|
293 | ||
294 | // Test that this link can't be shared / XSS exploited |
|
295 | $this->logInAs('commentadmin2'); |
|
296 | $spam = $this->get($adminComment1Link); |
|
297 | $this->assertEquals(400, $spam->getStatusCode()); |
|
298 | $check = DataObject::get_by_id(Comment::class, $comment->ID); |
|
299 | $this->assertEquals(0, $check->IsSpam, 'No permission to mark as spam'); |
|
300 | ||
301 | // Test that this other admin can spam the comment with their own link |
|
302 | $adminComment2Link = $comment->SpamLink(); |
|
303 | $this->assertNotEquals($adminComment2Link, $adminComment1Link); |
|
304 | $this->autoFollowRedirection = false; |
|
305 | $spam = $this->get($adminComment2Link); |
|
306 | $this->assertEquals(302, $spam->getStatusCode()); |
|
307 | $check = DataObject::get_by_id(Comment::class, $commentID); |
|
308 | $this->assertEquals(1, $check->IsSpam); |
|
309 | ||
310 | // Cannot re-spam spammed comment |
|
311 | $this->assertNull($check->SpamLink()); |
|
312 | } |
|
313 | ||
314 | public function testHamComment() |
|
315 | { |
|
@@ 314-357 (lines=44) @@ | ||
311 | $this->assertNull($check->SpamLink()); |
|
312 | } |
|
313 | ||
314 | public function testHamComment() |
|
315 | { |
|
316 | // Test anonymous user |
|
317 | if ($member = Member::currentUser()) { |
|
318 | $member->logOut(); |
|
319 | } |
|
320 | $comment = $this->objFromFixture(Comment::class, 'secondComC'); |
|
321 | $commentID = $comment->ID; |
|
322 | $this->assertNull($comment->HamLink(), 'No permission to see mark as ham link'); |
|
323 | $ham = $this->get('comments/ham/' . $comment->ID . '?ajax=1'); |
|
324 | $this->assertEquals(403, $ham->getStatusCode()); |
|
325 | $check = DataObject::get_by_id(Comment::class, $commentID); |
|
326 | $this->assertEquals(1, $check->IsSpam, 'No permission to mark as ham'); |
|
327 | ||
328 | // Test non-authenticated user |
|
329 | $this->logInAs('visitor'); |
|
330 | $this->assertNull($comment->HamLink(), 'No permission to see mark as ham link'); |
|
331 | ||
332 | // Test authenticated user |
|
333 | $this->logInAs('commentadmin'); |
|
334 | $comment = $this->objFromFixture(Comment::class, 'secondComC'); |
|
335 | $commentID = $comment->ID; |
|
336 | $adminComment1Link = $comment->HamLink(); |
|
337 | $this->assertContains('comments/ham/' . $commentID . '?t=', $adminComment1Link); |
|
338 | ||
339 | // Test that this link can't be shared / XSS exploited |
|
340 | $this->logInAs('commentadmin2'); |
|
341 | $ham = $this->get($adminComment1Link); |
|
342 | $this->assertEquals(400, $ham->getStatusCode()); |
|
343 | $check = DataObject::get_by_id(Comment::class, $comment->ID); |
|
344 | $this->assertEquals(1, $check->IsSpam, 'No permission to mark as ham'); |
|
345 | ||
346 | // Test that this other admin can ham the comment with their own link |
|
347 | $adminComment2Link = $comment->HamLink(); |
|
348 | $this->assertNotEquals($adminComment2Link, $adminComment1Link); |
|
349 | $this->autoFollowRedirection = false; |
|
350 | $ham = $this->get($adminComment2Link); |
|
351 | $this->assertEquals(302, $ham->getStatusCode()); |
|
352 | $check = DataObject::get_by_id(Comment::class, $commentID); |
|
353 | $this->assertEquals(0, $check->IsSpam); |
|
354 | ||
355 | // Cannot re-ham hammed comment |
|
356 | $this->assertNull($check->HamLink()); |
|
357 | } |
|
358 | ||
359 | public function testApproveComment() |
|
360 | { |
|
@@ 359-402 (lines=44) @@ | ||
356 | $this->assertNull($check->HamLink()); |
|
357 | } |
|
358 | ||
359 | public function testApproveComment() |
|
360 | { |
|
361 | // Test anonymous user |
|
362 | if ($member = Member::currentUser()) { |
|
363 | $member->logOut(); |
|
364 | } |
|
365 | $comment = $this->objFromFixture(Comment::class, 'secondComB'); |
|
366 | $commentID = $comment->ID; |
|
367 | $this->assertNull($comment->ApproveLink(), 'No permission to see approve link'); |
|
368 | $approve = $this->get('comments/approve/' . $comment->ID . '?ajax=1'); |
|
369 | $this->assertEquals(403, $approve->getStatusCode()); |
|
370 | $check = DataObject::get_by_id(Comment::class, $commentID); |
|
371 | $this->assertEquals(0, $check->Moderated, 'No permission to approve'); |
|
372 | ||
373 | // Test non-authenticated user |
|
374 | $this->logInAs('visitor'); |
|
375 | $this->assertNull($comment->ApproveLink(), 'No permission to see approve link'); |
|
376 | ||
377 | // Test authenticated user |
|
378 | $this->logInAs('commentadmin'); |
|
379 | $comment = $this->objFromFixture(Comment::class, 'secondComB'); |
|
380 | $commentID = $comment->ID; |
|
381 | $adminComment1Link = $comment->ApproveLink(); |
|
382 | $this->assertContains('comments/approve/' . $commentID . '?t=', $adminComment1Link); |
|
383 | ||
384 | // Test that this link can't be shared / XSS exploited |
|
385 | $this->logInAs('commentadmin2'); |
|
386 | $approve = $this->get($adminComment1Link); |
|
387 | $this->assertEquals(400, $approve->getStatusCode()); |
|
388 | $check = DataObject::get_by_id(Comment::class, $comment->ID); |
|
389 | $this->assertEquals(0, $check->Moderated, 'No permission to approve'); |
|
390 | ||
391 | // Test that this other admin can approve the comment with their own link |
|
392 | $adminComment2Link = $comment->ApproveLink(); |
|
393 | $this->assertNotEquals($adminComment2Link, $adminComment1Link); |
|
394 | $this->autoFollowRedirection = false; |
|
395 | $approve = $this->get($adminComment2Link); |
|
396 | $this->assertEquals(302, $approve->getStatusCode()); |
|
397 | $check = DataObject::get_by_id(Comment::class, $commentID); |
|
398 | $this->assertEquals(1, $check->Moderated); |
|
399 | ||
400 | // Cannot re-approve approved comment |
|
401 | $this->assertNull($check->ApproveLink()); |
|
402 | } |
|
403 | ||
404 | public function testCommenterURLWrite() |
|
405 | { |
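Review bot: The comment `// Test that this link can't be shared / XSS exploited` on line 384 (and its twins on 294 and 339) mislabels the guard: what lines 385–389 show is that a moderation link issued to one moderator is rejected (400) when replayed by another, i.e. a per-user token against cross-site request forgery and link replay, not an XSS defence, and a reader hunting for an escaping test will not find one here. Replace it with `// Token is bound to the issuing user: a copied link is rejected (CSRF / replay guard)`. Style: testSpamComment, testHamComment and testApproveComment are the same 40-line sequence differing only in fixture, action name, flag field and before/after values, which is why they trip the duplication check; a private driver called from three one-line tests keeps them in lock-step when a new check (such as the unauthorised-but-logged-in request) is added, sketched below. testApproveComment is complete within this hunk; testCommenterURLWrite's body lies outside it.
```php
    /**
     * Shared driver for the spam / ham / approve tests: no link and 403 for
     * anonymous users, no link for an unauthorised member, 400 when one
     * moderator replays another's tokenised link, success via the own link.
     */
    private function assertModerationActionGuarded(
        string $fixture,
        string $action,
        string $field,
        int $before,
        int $after
    ): void {
        $linkMethod = ucfirst($action) . 'Link'; // SpamLink / HamLink / ApproveLink
        if ($member = Member::currentUser()) {
            $member->logOut();
        }
        $comment = $this->objFromFixture(Comment::class, $fixture);
        $commentID = $comment->ID;
        $this->assertNull($comment->$linkMethod(), "No permission to see {$action} link");
        $response = $this->get("comments/{$action}/{$commentID}?ajax=1");
        $this->assertEquals(403, $response->getStatusCode());
        $this->assertEquals($before, DataObject::get_by_id(Comment::class, $commentID)->$field);
        // … unchanged: visitor, commentadmin and commentadmin2 steps, with
        //     "comments/{$action}/" for the literal path, $field for IsSpam/Moderated
        //     and $before/$after for the literal 0/1 …
        $this->assertNull(DataObject::get_by_id(Comment::class, $commentID)->$linkMethod());
    }

    public function testSpamComment()
    {
        $this->assertModerationActionGuarded('firstComA', 'spam', 'IsSpam', 0, 1);
    }
    // testHamComment: ('secondComC', 'ham', 'IsSpam', 1, 0)
    // testApproveComment: ('secondComB', 'approve', 'Moderated', 0, 1)
```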