Cavemanon/piratepoet
8
Fork 0
Code Pull Requests Actions Releases 16 Activity

- Prevents viewing newsletters if subscriber does not exist and token

Browse Source 
does not match
This commit is contained in:
Vlad
2016-12-22 21:13:21 -05:00
parent e5e5e7b426
commit fc54f31d3d
2 changed files with 21 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
lib/Router/Endpoints/ViewInBrowser.php
View File

@@ -39,11 +39,6 @@ class ViewInBrowser {
Newsletter::getByHash($data->newsletter_hash); Newsletter::getByHash($data->newsletter_hash);
if(!$data->newsletter) return false; if(!$data->newsletter) return false;
// queue is optional; if defined, get it
$data->queue = (!empty($data->queue_id)) ?
SendingQueue::findOne($data->queue_id) :
SendingQueue::where('newsletter_id', $data->newsletter->id)->findOne();
// subscriber is optional; if exists, token must validate // subscriber is optional; if exists, token must validate
$data->subscriber = (!empty($data->subscriber_id)) ? $data->subscriber = (!empty($data->subscriber_id)) ?
Subscriber::findOne($data->subscriber_id) : Subscriber::findOne($data->subscriber_id) :
@@ -53,6 +48,15 @@ class ViewInBrowser {
!Subscriber::verifyToken($data->subscriber->email, $data->subscriber_token) !Subscriber::verifyToken($data->subscriber->email, $data->subscriber_token)
) return false; ) return false;
} }
// if newsletter ID is defined then subscriber must exist
if($data->newsletter_id && !$data->subscriber) return false;
// queue is optional; if defined, get it
$data->queue = (!empty($data->queue_id)) ?
SendingQueue::findOne($data->queue_id) :
SendingQueue::where('newsletter_id', $data->newsletter->id)->findOne();
// if queue and subscriber exist and newsletter is not being previewed, // if queue and subscriber exist and newsletter is not being previewed,
// subscriber must have received the newsletter // subscriber must have received the newsletter
if(empty($data->preview) && if(empty($data->preview) &&

18
tests/unit/Router/Endpoints/ViewInBrowserTest.php
View File

@@ -37,7 +37,7 @@ class ViewInBrowserRouterTest extends MailPoetTest {
function testItAbortsWhenBrowserPreviewDataIsMissing() { function testItAbortsWhenBrowserPreviewDataIsMissing() {
$view_in_browser = Stub::make($this->view_in_browser, array( $view_in_browser = Stub::make($this->view_in_browser, array(
'_abort' => Stub::exactly(2, function () { }) '_abort' => Stub::exactly(2, function() { })
), $this); ), $this);
// newsletter ID is required // newsletter ID is required
$data = $this->browser_preview_data; $data = $this->browser_preview_data;
@@ -51,7 +51,7 @@ class ViewInBrowserRouterTest extends MailPoetTest {
function testItAbortsWhenBrowserPreviewDataIsInvalid() { function testItAbortsWhenBrowserPreviewDataIsInvalid() {
$view_in_browser = Stub::make($this->view_in_browser, array( $view_in_browser = Stub::make($this->view_in_browser, array(
'_abort' => Stub::exactly(3, function () { }) '_abort' => Stub::exactly(3, function() { })
), $this); ), $this);
// newsletter ID is invalid // newsletter ID is invalid
$data = $this->browser_preview_data; $data = $this->browser_preview_data;
@@ -72,7 +72,7 @@ class ViewInBrowserRouterTest extends MailPoetTest {
$subscriber = $this->subscriber; $subscriber = $this->subscriber;
$subscriber->email = 'random@email.com'; $subscriber->email = 'random@email.com';
$subscriber->save(); $subscriber->save();
$data = (object) array_merge( $data = (object)array_merge(
$this->browser_preview_data, $this->browser_preview_data,
array( array(
'queue' => $this->queue, 'queue' => $this->queue,
@@ -83,8 +83,14 @@ class ViewInBrowserRouterTest extends MailPoetTest {
expect($this->view_in_browser->_validateBrowserPreviewData($data))->false(); expect($this->view_in_browser->_validateBrowserPreviewData($data))->false();
} }
function testItFailsValidationWhenNewsletterIdIsProvidedButSubscriberDoesNotExist() {
$data = (object)$this->browser_preview_data;
$data->subscriber_id = false;
expect($this->view_in_browser->_validateBrowserPreviewData($data))->false();
}
function testItFailsValidationWhenSubscriberIsNotOnProcessedList() { function testItFailsValidationWhenSubscriberIsNotOnProcessedList() {
$data = (object) $this->browser_preview_data; $data = (object)$this->browser_preview_data;
$result = $this->view_in_browser->_validateBrowserPreviewData($data); $result = $this->view_in_browser->_validateBrowserPreviewData($data);
expect($result)->notEmpty(); expect($result)->notEmpty();
$queue = $this->queue; $queue = $this->queue;
@@ -95,7 +101,7 @@ class ViewInBrowserRouterTest extends MailPoetTest {
} }
function testItDoesNotRequireWpUsersToBeOnProcessedListWhenPreviewIsEnabled() { function testItDoesNotRequireWpUsersToBeOnProcessedListWhenPreviewIsEnabled() {
$data = (object) array_merge( $data = (object)array_merge(
$this->browser_preview_data, $this->browser_preview_data,
array( array(
'queue' => $this->queue, 'queue' => $this->queue,
@@ -117,7 +123,7 @@ class ViewInBrowserRouterTest extends MailPoetTest {
function testItReturnsViewActionResult() { function testItReturnsViewActionResult() {
$view_in_browser = Stub::make($this->view_in_browser, array( $view_in_browser = Stub::make($this->view_in_browser, array(
'_displayNewsletter' => Stub::exactly(1, function () { }) '_displayNewsletter' => Stub::exactly(1, function() { })
), $this); ), $this);
$view_in_browser->data = $view_in_browser->_processBrowserPreviewData($this->browser_preview_data); $view_in_browser->data = $view_in_browser->_processBrowserPreviewData($this->browser_preview_data);
$view_in_browser->view(); $view_in_browser->view();