APIRestTest::testProtectedConfigSettings PHP Method

testProtectedConfigSettings() public method

public testProtectedConfigSettings ( $session_token )
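    /**
     * Verifies that the REST API does not disclose the stored value of
     * sensitive core settings (proxy_passwd, smtp_passwd).
     *
     * Three things are checked: reading a sensitive Config row by id returns
     * an empty value, a non-sensitive setting (admin_email) is still returned,
     * and a search on Config does not return the sentinel password in any column.
     *
     * @param string $session_token Session token sent in the Session-Token header
     */
    public function testProtectedConfigSettings($session_token)
    {
        $sensitiveSettings = ['proxy_passwd', 'smtp_passwd'];
        // Known marker value: if it shows up in any response, a secret leaked.
        $sentinel = 'not_empty_password';
        $requestOptions = ['headers' => ['Session-Token' => $session_token]];

        // Set a non-empty value on each sensitive setting so there is something to leak
        foreach ($sensitiveSettings as $name) {
            Config::setConfigurationValues('core', [$name => $sentinel]);
            $value = Config::getConfigurationValues('core', [$name]);
            $this->assertArrayHasKey($name, $value);
            $this->assertNotEmpty($value[$name]);
        }

        // The IN (...) list is built from the constants above only, never from request data.
        $where = "'" . implode("', '", $sensitiveSettings) . "'";
        $config = new Config();
        $rows = $config->find("`context`='core' AND `name` IN ({$where})");
        $this->assertEquals(count($sensitiveSettings), count($rows));

        // Check the value is not retrieved for sensitive settings
        foreach ($rows as $row) {
            $res = $this->doHttpRequest('GET', "Config/" . $row['id'], $requestOptions);
            $this->assertEquals(200, $res->getStatusCode());
            $data = json_decode($res->getBody(), true);
            // Without these two checks an undecodable body (null) would compare
            // equal to '' below and the test would pass without proving anything.
            $this->assertTrue(is_array($data), 'Response body is not a JSON object');
            $this->assertArrayHasKey('value', $data);
            $this->assertEquals('', $data['value']);
        }

        // Check another setting is disclosed (when not empty)
        $config = new Config();
        $config->getFromDBByQuery("WHERE `context`='core' AND `name`='admin_email'");
        $res = $this->doHttpRequest('GET', "Config/" . $config->getID(), $requestOptions);
        $this->assertEquals(200, $res->getStatusCode());
        $data = json_decode($res->getBody(), true);
        $this->assertNotEquals('', $data['value']);

        // Check a search does not disclose sensitive values.
        // One criterion per sensitive setting. Explicit indices are used because
        // PHP's query-string parsing starts a new array element for every bare "[]",
        // which would scatter link/field/searchtype/value over separate criteria.
        $queryParts = [];
        foreach (array_values($rows) as $index => $row) {
            $queryParts[] = "criteria[{$index}][link]=or"
                . "&criteria[{$index}][field]=1"
                . "&criteria[{$index}][searchtype]=equals"
                . "&criteria[{$index}][value]=" . rawurlencode($row['name']);
        }
        $queryString = implode('&', $queryParts);

        // NOTE(review): doHttpRequest is not visible here; confirm that the empty
        // 'query' option does not replace the query string already present in the
        // URL, otherwise the criteria above are never sent.
        $res = $this->doHttpRequest(
            'GET',
            "search/Config" . "?{$queryString}",
            ['headers' => ['Session-Token' => $session_token], 'query' => []]
        );
        $this->assertEquals(200, $res->getStatusCode());
        $data = json_decode($res->getBody(), true);
        $this->assertTrue(is_array($data), 'Response body is not a JSON object');
        $this->assertArrayHasKey('data', $data);
        foreach ($data['data'] as $row) {
            foreach ($row as $col) {
                $this->assertNotEquals($sentinel, $col);
            }
        }
    }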