Fix missing CSRF checks in admin/account_edit

(cherry picked from commit 38c947590e81fbb00e315e1902eba8dd6dbdd0ec)

342d94c3 tpl: Fix warnings in templates.
bccaeb1e tests: Update Module\TestCase to support POST requests
f627e55b tests: Update account fixtures with fixed account_level.
ee62aff4 Module\Admin\Account_edit: Add missing CSRF checks.

Co-authored-by: Harald Eilertsen <haraldei@anduin.net>

1 files changed, 40 insertions, 19 deletions

diff --git a/tests/unit/Module/TestCase.php b/tests/unit/Module/TestCase.php
index e92bc7083..81d8e61fc 100644
--- a/tests/unit/Module/TestCase.php
+++ b/tests/unit/Module/TestCase.php
@@ -10,6 +10,7 @@
 
 namespace Zotlabs\Tests\Unit\Module;
 
+use PHPUnit\Framework\Attributes\After;
 use Zotlabs\Tests\Unit\UnitTestCase;
 use App;
 
@@ -25,26 +26,22 @@ class TestCase extends UnitTestCase {
 	// Import PHPMock methods into this class
 	use \phpmock\phpunit\PHPMock;
 
-	/**
-	 * Emulate a GET request.
-	 *
-	 * @param string $uri	The URI to request. Typically this will be the module
-	 *						name, followed by any req args separated by slashes.
-	 * @param array $query	Assciative array of query args, with the parameters
-	 *						as keys.
-	 */
-	protected function get(string $uri, array $query = []): void {
-		$_GET['q'] = $uri;
+	#[After]
+	public function cleanup_stubs(): void {
+		$this->killme_stub = null;
+		$this->goaway_stub = null;
+	}
 
-		if (!empty($query)) {
-			$_GET = array_merge($_GET, $query);
-		}
+	protected function do_request(string $method, string $uri, array $query = [], array $params = []): void {
+		$_GET['q'] = $uri;
+		$_GET = array_merge($_GET, $query);
+		$_POST = $params;
 
-		$_SERVER['REQUEST_METHOD'] = 'GET';
+		$_SERVER['REQUEST_METHOD'] = $method;
 		$_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
 		$_SERVER['QUERY_STRING'] = "q={$uri}";
 		// phpcs:disable Generic.PHP.DisallowRequestSuperglobal.Found
-		$_REQUEST = $_GET;
+		$_REQUEST = array_merge($_GET, $_POST);
 		// phpcs::enable
 
 		\App::init();
@@ -55,6 +52,32 @@ class TestCase extends UnitTestCase {
 	}
 
 	/**
+	 * Emulate a GET request.
+	 *
+	 * @param string $uri	The URI to request. Typically this will be the module
+	 *						name, followed by any req args separated by slashes.
+	 * @param array $query	Assciative array of query args, with the parameters
+	 *						as keys.
+	 */
+	protected function get(string $uri, array $query = []): void {
+		$this->do_request('GET', $uri, $query);
+	}
+
+	/**
+	 * Emulate a POST request.
+	 *
+	 * @param string $uri	The URI to request. Typically this will be the module
+	 *						name, followed by any req args separated by slashes.
+	 * @param array $query	Associative array of query args, with the parameters
+	 *						as keys.
+	 * @param array $params	Associative array of POST params, with the param names
+	 *						as keys.
+	 */
+	protected function post(string $uri, array $query = [], array $params = []): void {
+		$this->do_request('POST', $uri, $query, $params);
+	}
+
+	/**
 	 * Helper to simplify asserting contents in the rendered page.
 	 *
 	 * @param string $needle	The expected string to find.
@@ -100,8 +123,7 @@ class TestCase extends UnitTestCase {
 	 * @throws KillmeException
 	 */
 	protected function stub_killme(): void {
-		$killme_stub = $this->getFunctionMock('Zotlabs\Module', 'killme');
-		$killme_stub
+		$this->killme_stub = $this->getFunctionMock('Zotlabs\Module', 'killme')
 			->expects($this->once())
 			->willReturnCallback(
 				function () {
@@ -147,8 +169,7 @@ class TestCase extends UnitTestCase {
 	 * @throws RedirectException
 	 */
 	protected function stub_goaway(): void {
-		$goaway_stub = $this->getFunctionMock('Zotlabs\Module', 'goaway');
-		$goaway_stub
+		$this->goaway_stub = $this->getFunctionMock('Zotlabs\Module', 'goaway')
 			->expects($this->once())
 			->willReturnCallback(
 				function (string $uri) {