use strict;
use warnings;

use RT::Test tests => undef;

# Start a test RT server; $base is its URL and $m the browsing agent used
# for every request in this file.
my ($base, $m) = RT::Test->started_ok();

# The preference pages exercised below need a logged-in, privileged user.
my $username = 'ausername';
my $user     = RT::Test->load_or_create_user(
    Name         => $username,
    EmailAddress => 'user@example.com',
    Password     => 'password',
    Privileged   => 1,
);
ok($user->id, 'created user');

# ModifySelf lets the user save their own preferences; ShowTicket is
# presumably for the Ticket/Display.html fetch later in this file.
ok(
    RT::Test->set_rights(
        { Principal => 'privileged', Right => [qw(ModifySelf ShowTicket)] },
    ),
    "granted ModifySelf to privileged",
);

$m->login($username);

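{
    # WebDefaultStylesheet is a user-controlled preference that names a
    # stylesheet path. A value containing '..' may be stored, but it must
    # never be used when the page builds its <link> element: the effective
    # stylesheet has to fall back to the site default.
    my $traversal_style = '../css/base';

    $m->get_ok("$base/Prefs/Other.html");
    $m->submit_form_ok(
        {
            with_fields => { WebDefaultStylesheet => $traversal_style },
            button      => 'Update',
        },
        'update prefs',
    );

    # The raw preference is saved as submitted ...
    is(
        RT->Config->Get('WebDefaultStylesheet', $user),
        $traversal_style,
        'set preference',
    );

    # ... but the stylesheet the user actually gets is the default one.
    SKIP: {
        skip("RT::User->Stylesheet wasn't backported", 1)
            unless $user->can("Stylesheet");
        is(
            $user->Stylesheet,
            RT->Config->Get('WebDefaultStylesheet'),
            '$user->Stylesheet is the default',
        );
    }

    # Negative check on the rendered page. The pattern is confined to the
    # attributes of a single <link ...> tag ([^>]*) and allowed to span
    # lines (/s), so a tag whose attributes are wrapped onto several lines
    # cannot slip the traversal path past this assertion, and text between
    # tags cannot trigger a false match.
    $m->get_ok($base);
    $m->content_unlike(qr/<link[^>]*\Q$traversal_style\E/s, "lack .. path in page <link>");
    $m->content_contains(RT->Config->Get('WebDefaultStylesheet'));
}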

{
    # UsernameFormat is a user-controlled preference that selects a
    # formatting component by name. A traversal-style value must not cause
    # some other component to be rendered on the ticket page.
    my $traversal_format = '/../../m/_elements/full_site_link';

    $m->get_ok("$base/Prefs/Other.html");
    $m->submit_form_ok(
        {
            form_name => 'ModifyPreferences',
            fields    => { UsernameFormat => $traversal_format },
            button    => 'Update',
        },
        'update prefs',
    );
    $m->content_contains('saved');

    # A ticket with a requestor gives the display page a username to format.
    my $ticket = RT::Test->create_ticket(
        Queue     => 'General',
        Subject   => 'test ticket',
        Requestor => 'user@example.com',
    );
    ok($ticket->id, 'created ticket');

    # 'NotMobile' is presumably text emitted by the full_site_link component
    # named above — verify against that template. RT is expected to log a
    # warning mentioning UsernameFormat when it rejects the value.
    my $display_url = "$base/Ticket/Display.html?id=" . $ticket->id;
    $m->get_ok($display_url);
    $m->content_lacks('NotMobile', "lacks NotMobile");
    $m->next_warning_like(qr/UsernameFormat/, 'caught UsernameFormat warning');
}

{
    # The Status argument of the ShowRequestor toggle helper is taken from
    # the request; a traversal value must not render /Elements/Logo, and the
    # helper's normal output (a link to search results) must still appear.
    my $helper_url = "$base/Helpers/Toggle/ShowRequestor"
        . "?Status=/../../../Elements/Logo;Requestor=root";
    $m->get_ok($helper_url);
    $m->content_lacks('logo', "didn't display /Elements/Logo");
    $m->content_contains('Results.html', "found link to search results");
}

# Release the browsing agent explicitly, then close out the open-ended
# test plan (this file was loaded with tests => undef).
undef $m;
done_testing();