
Add unit test for debugSecurity param

Alejandro Ibarra 10 years ago
parent
commit
2c0cebf583
2 changed files with 136 additions and 2 deletions
  1. 5 2
      src/View/Helper/FormHelper.php
  2. 131 0
      tests/TestCase/View/Helper/FormHelperTest.php

+ 5 - 2
src/View/Helper/FormHelper.php

@@ -559,8 +559,11 @@ class FormHelper extends Helper
         if (empty($this->request['_Token'])) {
             return null;
         }
-        $debugSecurity = Hash::get($secureAttributes, 'debugSecurity') ?: Configure::read('debug');
-        unset($secureAttributes['debugSecurity']);
+        $debugSecurity = Configure::read('debug');
+        if (isset($secureAttributes['debugSecurity'])) {
+            $debugSecurity = $secureAttributes['debugSecurity'];
+            unset($secureAttributes['debugSecurity']);
+        }
 
         $tokenData = $this->_buildFieldToken(
             $this->_lastAction,
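Review bot: Moving `unset($secureAttributes['debugSecurity']);` inside the `isset()` branch means a caller passing `'debugSecurity' => null` no longer has the key stripped. `isset()` is false for null, so the key stays in `$secureAttributes`, which (judging by `data-foo` in the accompanying test) appears to be forwarded to the hidden inputs as HTML attributes. Keeping the `unset(...)` unconditional after the `if` block restores the old clean-up while still honouring an explicit `false`. It would also be worth a docblock line stating that `debugSecurity => true` emits the `_Token[debug]` field even when `debug` is off, since the test shows that field carrying the form URL, the field list and the unlocked fields. The method's signature and docblock are outside this hunk.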

+ 131 - 0
tests/TestCase/View/Helper/FormHelperTest.php

@@ -1694,6 +1694,137 @@ class FormHelperTest extends TestCase
     }
 
     /**
+     * testFormSecurityInputUnlockedFieldsDebugSecurityTrue method
+     *
+     * Test single record form with debugSecurity param.
+     *
+     * @return void
+     */
+    public function testFormSecurityInputUnlockedFieldsDebugSecurityTrue()
+    {
+        $this->Form->request['_Token'] = [
+            'unlockedFields' => ['first_name', 'address']
+        ];
+        $this->Form->create();
+        $this->assertEquals($this->Form->request['_Token']['unlockedFields'], $this->Form->unlockField());
+
+        $this->Form->hidden('Addresses.id', ['value' => '123456']);
+        $this->Form->text('Addresses.title');
+        $this->Form->text('Addresses.first_name');
+        $this->Form->text('Addresses.last_name');
+        $this->Form->text('Addresses.address');
+        $this->Form->text('Addresses.city');
+        $this->Form->text('Addresses.phone');
+
+        $result = $this->Form->fields;
+        $expected = [
+            'Addresses.id' => '123456', 'Addresses.title', 'Addresses.last_name',
+            'Addresses.city', 'Addresses.phone'
+        ];
+        $this->assertEquals($expected, $result);
+        $debug = Configure::read('debug');
+        Configure::write('debug', false);
+        $result = $this->Form->secure($expected, ['data-foo' => 'bar', 'debugSecurity' => true]);
+        Configure::write('debug', $debug);
+
+        $hash = 'a303becbdd99cb42ca14a1cf7e63dfd48696a3c5%3AAddresses.id';
+        $tokenDebug = urlencode(json_encode([
+            '/articles/add',
+            [
+                'Addresses.id' => '123456',
+                'Addresses.title',
+                'Addresses.last_name',
+                'Addresses.city',
+                'Addresses.phone'
+            ],
+            [
+                'first_name',
+                'address'
+            ]
+        ]));
+
+        $expected = [
+            'div' => ['style' => 'display:none;'],
+            ['input' => [
+                'type' => 'hidden',
+                'name' => '_Token[fields]',
+                'value' => $hash,
+                'data-foo' => 'bar',
+            ]],
+            ['input' => [
+                'type' => 'hidden',
+                'name' => '_Token[unlocked]',
+                'value' => 'address%7Cfirst_name',
+                'data-foo' => 'bar',
+            ]],
+            ['input' => [
+                'type' => 'hidden', 'name' => '_Token[debug]',
+                'value' => $tokenDebug,
+                'data-foo' => 'bar'
+            ]],
+            '/div'
+        ];
+        $this->assertHtml($expected, $result);
+    }
+
+    /**
+     * testFormSecurityInputUnlockedFieldsDebugSecurityFalse method
+     *
+     * Test single record form with debugSecurity param.
+     *
+     * @return void
+     */
+    public function testFormSecurityInputUnlockedFieldsDebugSecurityFalse()
+    {
+        $this->Form->request['_Token'] = [
+            'unlockedFields' => ['first_name', 'address']
+        ];
+        $this->Form->create();
+        $this->assertEquals($this->Form->request['_Token']['unlockedFields'], $this->Form->unlockField());
+
+        $this->Form->hidden('Addresses.id', ['value' => '123456']);
+        $this->Form->text('Addresses.title');
+        $this->Form->text('Addresses.first_name');
+        $this->Form->text('Addresses.last_name');
+        $this->Form->text('Addresses.address');
+        $this->Form->text('Addresses.city');
+        $this->Form->text('Addresses.phone');
+
+        $result = $this->Form->fields;
+        $expected = [
+            'Addresses.id' => '123456', 'Addresses.title', 'Addresses.last_name',
+            'Addresses.city', 'Addresses.phone'
+        ];
+        $this->assertEquals($expected, $result);
+
+        $debug = Configure::read('debug');
+        Configure::write('debug', true);
+        $result = $this->Form->secure($expected, ['data-foo' => 'bar', 'debugSecurity' => false]);
+        Configure::write('debug', $debug);
+
+        $hash = 'a303becbdd99cb42ca14a1cf7e63dfd48696a3c5%3AAddresses.id';
+
+        $expected = [
+            'div' => ['style' => 'display:none;'],
+            ['input' => [
+                'type' => 'hidden',
+                'name' => '_Token[fields]',
+                'value' => $hash,
+                'data-foo' => 'bar',
+            ]],
+            ['input' => [
+                'type' => 'hidden',
+                'name' => '_Token[unlocked]',
+                'value' => 'address%7Cfirst_name',
+                'data-foo' => 'bar',
+            ]],
+            '/div'
+        ];
+
+        $this->assertHtml($expected, $result);
+    }
+
+    /**
      * test securing inputs with custom name attributes.
      *
      * @return void
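Review bot: In both new tests the global `debug` setting is restored by a plain `Configure::write('debug', $debug);` after the `secure()` call. An exception thrown from `secure()` therefore leaves the flipped value in place for later tests, unless the base test case resets it (not visible here). Wrapping the call as `try { $result = $this->Form->secure(...); } finally { Configure::write('debug', $debug); }`, or restoring the value in `tearDown()`, avoids that. The two methods also carry the same docblock summary; a line each stating which direction is covered (`debug` off with `debugSecurity` true, and `debug` on with `debugSecurity` false) would make the intent clear.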