Add unit tests for webform case with auth in code

csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MissingAccessControl.expected

@@ -0,0 +1,2 @@
+| Test1/EditProfile.aspx.cs:9:20:9:29 | btn1_Click | This action is missing an authorization check. |
+| Test1/ViewProfile.aspx.cs:14:20:14:36 | btn_delete1_Click | This action is missing an authorization check. |

csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MissingAccessControl.qlref

@@ -0,0 +1 @@
+Security Features/CWE-285/MissingAccessControl.ql

csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test1/EditProfile.aspx.cs

@@ -0,0 +1,18 @@
+using System;
+using System.Web.UI;
+
+class EditProfile : System.Web.UI.Page {
+    private void doThings() { }
+
+    private bool isAuthorized() { return false; }
+
+    protected void btn1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+
+    protected void btn2_Click(object sender, EventArgs e) {
+        if (isAuthorized()) {
+            doThings();
+        }
+    }
+} 

csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test1/ViewProfile.aspx.cs

@@ -0,0 +1,23 @@
+using System;
+using System.Web.UI;
+using System.Web.Security;
+
+class ViewProfile : System.Web.UI.Page {
+    private void doThings() { }
+
+    public System.Security.Principal.IPrincipal User { get; } // TODO: this should be in the stubs
+
+    protected void btn_safe_Click(object sender, EventArgs e) {
+        doThings();
+    }
+
+    protected void btn_delete1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+
+    protected void btn_delete2_Click(object sender, EventArgs e) {
+        if (User.IsInRole("admin")) {
+            doThings();
+        }
+    }
+} 

csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/options

@@ -0,0 +1 @@
+semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs