|
Chris@0
|
1 <?php
|
|
Chris@0
|
2
|
|
Chris@0
|
3 namespace Drupal\search\Tests;
|
|
Chris@0
|
4
|
|
Chris@0
|
5 use Drupal\comment\Plugin\Field\FieldType\CommentItemInterface;
|
|
Chris@0
|
6 use Drupal\comment\Tests\CommentTestTrait;
|
|
Chris@0
|
7 use Drupal\field\Entity\FieldConfig;
|
|
Chris@0
|
8 use Drupal\user\RoleInterface;
|
|
Chris@0
|
9 use Drupal\filter\Entity\FilterFormat;
|
|
Chris@0
|
10
|
|
Chris@0
|
11 /**
|
|
Chris@0
|
12 * Tests integration searching comments.
|
|
Chris@0
|
13 *
|
|
Chris@0
|
14 * @group search
|
|
Chris@0
|
15 */
|
|
Chris@0
|
16 class SearchCommentTest extends SearchTestBase {
|
|
Chris@0
|
17
|
|
Chris@0
|
18 use CommentTestTrait;
|
|
Chris@0
|
19
|
|
Chris@0
|
20 /**
|
|
Chris@0
|
21 * Modules to enable.
|
|
Chris@0
|
22 *
|
|
Chris@0
|
23 * @var array
|
|
Chris@0
|
24 */
|
|
Chris@0
|
25 public static $modules = ['filter', 'node', 'comment'];
|
|
Chris@0
|
26
|
|
Chris@0
|
27 /**
|
|
Chris@0
|
28 * Test subject for comments.
|
|
Chris@0
|
29 *
|
|
Chris@0
|
30 * @var string
|
|
Chris@0
|
31 */
|
|
Chris@0
|
32 protected $commentSubject;
|
|
Chris@0
|
33
|
|
Chris@0
|
34 /**
|
|
Chris@0
|
35 * ID for the administrator role.
|
|
Chris@0
|
36 *
|
|
Chris@0
|
37 * @var string
|
|
Chris@0
|
38 */
|
|
Chris@0
|
39 protected $adminRole;
|
|
Chris@0
|
40
|
|
Chris@0
|
41 /**
|
|
Chris@0
|
42 * A user with various administrative permissions.
|
|
Chris@0
|
43 *
|
|
Chris@0
|
44 * @var \Drupal\user\UserInterface
|
|
Chris@0
|
45 */
|
|
Chris@0
|
46 protected $adminUser;
|
|
Chris@0
|
47
|
|
Chris@0
|
48 /**
|
|
Chris@0
|
49 * Test node for searching.
|
|
Chris@0
|
50 *
|
|
Chris@0
|
51 * @var \Drupal\node\NodeInterface
|
|
Chris@0
|
52 */
|
|
Chris@0
|
53 protected $node;
|
|
Chris@0
|
54
|
|
Chris@0
|
55 protected function setUp() {
|
|
Chris@0
|
56 parent::setUp();
|
|
Chris@0
|
57
|
|
Chris@0
|
58 $full_html_format = FilterFormat::create([
|
|
Chris@0
|
59 'format' => 'full_html',
|
|
Chris@0
|
60 'name' => 'Full HTML',
|
|
Chris@0
|
61 'weight' => 1,
|
|
Chris@0
|
62 'filters' => [],
|
|
Chris@0
|
63 ]);
|
|
Chris@0
|
64 $full_html_format->save();
|
|
Chris@0
|
65
|
|
Chris@0
|
66 // Create and log in an administrative user having access to the Full HTML
|
|
Chris@0
|
67 // text format.
|
|
Chris@0
|
68 $permissions = [
|
|
Chris@0
|
69 'administer filters',
|
|
Chris@0
|
70 $full_html_format->getPermissionName(),
|
|
Chris@0
|
71 'administer permissions',
|
|
Chris@0
|
72 'create page content',
|
|
Chris@0
|
73 'post comments',
|
|
Chris@0
|
74 'skip comment approval',
|
|
Chris@0
|
75 'access comments',
|
|
Chris@0
|
76 ];
|
|
Chris@0
|
77 $this->adminUser = $this->drupalCreateUser($permissions);
|
|
Chris@0
|
78 $this->drupalLogin($this->adminUser);
|
|
Chris@0
|
79 // Add a comment field.
|
|
Chris@0
|
80 $this->addDefaultCommentField('node', 'article');
|
|
Chris@0
|
81 }
|
|
Chris@0
|
82
|
|
Chris@0
|
83 /**
|
|
Chris@0
|
84 * Verify that comments are rendered using proper format in search results.
|
|
Chris@0
|
85 */
|
|
Chris@0
|
86 public function testSearchResultsComment() {
|
|
Chris@0
|
87 $node_storage = $this->container->get('entity.manager')->getStorage('node');
|
|
Chris@0
|
88 // Create basic_html format that escapes all HTML.
|
|
Chris@0
|
89 $basic_html_format = FilterFormat::create([
|
|
Chris@0
|
90 'format' => 'basic_html',
|
|
Chris@0
|
91 'name' => 'Basic HTML',
|
|
Chris@0
|
92 'weight' => 1,
|
|
Chris@0
|
93 'filters' => [
|
|
Chris@0
|
94 'filter_html_escape' => ['status' => 1],
|
|
Chris@0
|
95 ],
|
|
Chris@0
|
96 'roles' => [RoleInterface::AUTHENTICATED_ID],
|
|
Chris@0
|
97 ]);
|
|
Chris@0
|
98 $basic_html_format->save();
|
|
Chris@0
|
99
|
|
Chris@0
|
100 $comment_body = 'Test comment body';
|
|
Chris@0
|
101
|
|
Chris@0
|
102 // Make preview optional.
|
|
Chris@0
|
103 $field = FieldConfig::loadByName('node', 'article', 'comment');
|
|
Chris@0
|
104 $field->setSetting('preview', DRUPAL_OPTIONAL);
|
|
Chris@0
|
105 $field->save();
|
|
Chris@0
|
106
|
|
Chris@0
|
107 // Allow anonymous users to search content.
|
|
Chris@0
|
108 $edit = [
|
|
Chris@0
|
109 RoleInterface::ANONYMOUS_ID . '[search content]' => 1,
|
|
Chris@0
|
110 RoleInterface::ANONYMOUS_ID . '[access comments]' => 1,
|
|
Chris@0
|
111 RoleInterface::ANONYMOUS_ID . '[post comments]' => 1,
|
|
Chris@0
|
112 ];
|
|
Chris@0
|
113 $this->drupalPostForm('admin/people/permissions', $edit, t('Save permissions'));
|
|
Chris@0
|
114
|
|
Chris@0
|
115 // Create a node.
|
|
Chris@0
|
116 $node = $this->drupalCreateNode(['type' => 'article']);
|
|
Chris@0
|
117 // Post a comment using 'Full HTML' text format.
|
|
Chris@0
|
118 $edit_comment = [];
|
|
Chris@0
|
119 $edit_comment['subject[0][value]'] = 'Test comment subject';
|
|
Chris@0
|
120 $edit_comment['comment_body[0][value]'] = '<h1>' . $comment_body . '</h1>';
|
|
Chris@0
|
121 $full_html_format_id = 'full_html';
|
|
Chris@0
|
122 $edit_comment['comment_body[0][format]'] = $full_html_format_id;
|
|
Chris@0
|
123 $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment, t('Save'));
|
|
Chris@0
|
124
|
|
Chris@0
|
125 // Post a comment with an evil script tag in the comment subject and a
|
|
Chris@0
|
126 // script tag nearby a keyword in the comment body. Use the 'FULL HTML' text
|
|
Chris@0
|
127 // format so the script tag stored.
|
|
Chris@0
|
128 $edit_comment2 = [];
|
|
Chris@0
|
129 $edit_comment2['subject[0][value]'] = "<script>alert('subjectkeyword');</script>";
|
|
Chris@0
|
130 $edit_comment2['comment_body[0][value]'] = "nearbykeyword<script>alert('somethinggeneric');</script>";
|
|
Chris@0
|
131 $edit_comment2['comment_body[0][format]'] = $full_html_format_id;
|
|
Chris@0
|
132 $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment2, t('Save'));
|
|
Chris@0
|
133
|
|
Chris@0
|
134 // Post a comment with a keyword inside an evil script tag in the comment
|
|
Chris@0
|
135 // body. Use the 'FULL HTML' text format so the script tag is stored.
|
|
Chris@0
|
136 $edit_comment3 = [];
|
|
Chris@0
|
137 $edit_comment3['subject[0][value]'] = 'asubject';
|
|
Chris@0
|
138 $edit_comment3['comment_body[0][value]'] = "<script>alert('insidekeyword');</script>";
|
|
Chris@0
|
139 $edit_comment3['comment_body[0][format]'] = $full_html_format_id;
|
|
Chris@0
|
140 $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment3, t('Save'));
|
|
Chris@0
|
141
|
|
Chris@0
|
142 // Invoke search index update.
|
|
Chris@0
|
143 $this->drupalLogout();
|
|
Chris@0
|
144 $this->cronRun();
|
|
Chris@0
|
145
|
|
Chris@0
|
146 // Search for the comment subject.
|
|
Chris@0
|
147 $edit = [
|
|
Chris@0
|
148 'keys' => "'" . $edit_comment['subject[0][value]'] . "'",
|
|
Chris@0
|
149 ];
|
|
Chris@0
|
150 $this->drupalPostForm('search/node', $edit, t('Search'));
|
|
Chris@0
|
151 $node_storage->resetCache([$node->id()]);
|
|
Chris@0
|
152 $node2 = $node_storage->load($node->id());
|
|
Chris@0
|
153 $this->assertText($node2->label(), 'Node found in search results.');
|
|
Chris@0
|
154 $this->assertText($edit_comment['subject[0][value]'], 'Comment subject found in search results.');
|
|
Chris@0
|
155
|
|
Chris@0
|
156 // Search for the comment body.
|
|
Chris@0
|
157 $edit = [
|
|
Chris@0
|
158 'keys' => "'" . $comment_body . "'",
|
|
Chris@0
|
159 ];
|
|
Chris@0
|
160 $this->drupalPostForm(NULL, $edit, t('Search'));
|
|
Chris@0
|
161 $this->assertText($node2->label(), 'Node found in search results.');
|
|
Chris@0
|
162
|
|
Chris@0
|
163 // Verify that comment is rendered using proper format.
|
|
Chris@0
|
164 $this->assertText($comment_body, 'Comment body text found in search results.');
|
|
Chris@0
|
165 $this->assertNoRaw(t('n/a'), 'HTML in comment body is not hidden.');
|
|
Chris@0
|
166 $this->assertNoEscaped($edit_comment['comment_body[0][value]'], 'HTML in comment body is not escaped.');
|
|
Chris@0
|
167
|
|
Chris@0
|
168 // Search for the evil script comment subject.
|
|
Chris@0
|
169 $edit = [
|
|
Chris@0
|
170 'keys' => 'subjectkeyword',
|
|
Chris@0
|
171 ];
|
|
Chris@0
|
172 $this->drupalPostForm('search/node', $edit, t('Search'));
|
|
Chris@0
|
173
|
|
Chris@0
|
174 // Verify the evil comment subject is escaped in search results.
|
|
Chris@0
|
175 $this->assertRaw('<script>alert('<strong>subjectkeyword</strong>');');
|
|
Chris@0
|
176 $this->assertNoRaw('<script>');
|
|
Chris@0
|
177
|
|
Chris@0
|
178 // Search for the keyword near the evil script tag in the comment body.
|
|
Chris@0
|
179 $edit = [
|
|
Chris@0
|
180 'keys' => 'nearbykeyword',
|
|
Chris@0
|
181 ];
|
|
Chris@0
|
182 $this->drupalPostForm('search/node', $edit, t('Search'));
|
|
Chris@0
|
183
|
|
Chris@0
|
184 // Verify that nearby script tag in the evil comment body is stripped from
|
|
Chris@0
|
185 // search results.
|
|
Chris@0
|
186 $this->assertRaw('<strong>nearbykeyword</strong>');
|
|
Chris@0
|
187 $this->assertNoRaw('<script>');
|
|
Chris@0
|
188
|
|
Chris@0
|
189 // Search for contents inside the evil script tag in the comment body.
|
|
Chris@0
|
190 $edit = [
|
|
Chris@0
|
191 'keys' => 'insidekeyword',
|
|
Chris@0
|
192 ];
|
|
Chris@0
|
193 $this->drupalPostForm('search/node', $edit, t('Search'));
|
|
Chris@0
|
194
|
|
Chris@0
|
195 // @todo Verify the actual search results.
|
|
Chris@0
|
196 // https://www.drupal.org/node/2551135
|
|
Chris@0
|
197
|
|
Chris@0
|
198 // Verify there is no script tag in search results.
|
|
Chris@0
|
199 $this->assertNoRaw('<script>');
|
|
Chris@0
|
200
|
|
Chris@0
|
201 // Hide comments.
|
|
Chris@0
|
202 $this->drupalLogin($this->adminUser);
|
|
Chris@0
|
203 $node->set('comment', CommentItemInterface::HIDDEN);
|
|
Chris@0
|
204 $node->save();
|
|
Chris@0
|
205
|
|
Chris@0
|
206 // Invoke search index update.
|
|
Chris@0
|
207 $this->drupalLogout();
|
|
Chris@0
|
208 $this->cronRun();
|
|
Chris@0
|
209
|
|
Chris@0
|
210 // Search for $title.
|
|
Chris@0
|
211 $this->drupalPostForm('search/node', $edit, t('Search'));
|
|
Chris@0
|
212 $this->assertText(t('Your search yielded no results.'));
|
|
Chris@0
|
213 }
|
|
Chris@0
|
214
|
|
Chris@0
|
215 /**
|
|
Chris@0
|
216 * Verify access rules for comment indexing with different permissions.
|
|
Chris@0
|
217 */
|
|
Chris@0
|
218 public function testSearchResultsCommentAccess() {
|
|
Chris@0
|
219 $comment_body = 'Test comment body';
|
|
Chris@0
|
220 $this->commentSubject = 'Test comment subject';
|
|
Chris@0
|
221 $roles = $this->adminUser->getRoles(TRUE);
|
|
Chris@0
|
222 $this->adminRole = $roles[0];
|
|
Chris@0
|
223
|
|
Chris@0
|
224 // Create a node.
|
|
Chris@0
|
225 // Make preview optional.
|
|
Chris@0
|
226 $field = FieldConfig::loadByName('node', 'article', 'comment');
|
|
Chris@0
|
227 $field->setSetting('preview', DRUPAL_OPTIONAL);
|
|
Chris@0
|
228 $field->save();
|
|
Chris@0
|
229 $this->node = $this->drupalCreateNode(['type' => 'article']);
|
|
Chris@0
|
230
|
|
Chris@0
|
231 // Post a comment using 'Full HTML' text format.
|
|
Chris@0
|
232 $edit_comment = [];
|
|
Chris@0
|
233 $edit_comment['subject[0][value]'] = $this->commentSubject;
|
|
Chris@0
|
234 $edit_comment['comment_body[0][value]'] = '<h1>' . $comment_body . '</h1>';
|
|
Chris@0
|
235 $this->drupalPostForm('comment/reply/node/' . $this->node->id() . '/comment', $edit_comment, t('Save'));
|
|
Chris@0
|
236
|
|
Chris@0
|
237 $this->drupalLogout();
|
|
Chris@0
|
238 $this->setRolePermissions(RoleInterface::ANONYMOUS_ID);
|
|
Chris@0
|
239 $this->assertCommentAccess(FALSE, 'Anon user has search permission but no access comments permission, comments should not be indexed');
|
|
Chris@0
|
240
|
|
Chris@0
|
241 $this->setRolePermissions(RoleInterface::ANONYMOUS_ID, TRUE);
|
|
Chris@0
|
242 $this->assertCommentAccess(TRUE, 'Anon user has search permission and access comments permission, comments should be indexed');
|
|
Chris@0
|
243
|
|
Chris@0
|
244 $this->drupalLogin($this->adminUser);
|
|
Chris@0
|
245 $this->drupalGet('admin/people/permissions');
|
|
Chris@0
|
246
|
|
Chris@0
|
247 // Disable search access for authenticated user to test admin user.
|
|
Chris@0
|
248 $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, FALSE, FALSE);
|
|
Chris@0
|
249
|
|
Chris@0
|
250 $this->setRolePermissions($this->adminRole);
|
|
Chris@0
|
251 $this->assertCommentAccess(FALSE, 'Admin user has search permission but no access comments permission, comments should not be indexed');
|
|
Chris@0
|
252
|
|
Chris@0
|
253 $this->drupalGet('node/' . $this->node->id());
|
|
Chris@0
|
254 $this->setRolePermissions($this->adminRole, TRUE);
|
|
Chris@0
|
255 $this->assertCommentAccess(TRUE, 'Admin user has search permission and access comments permission, comments should be indexed');
|
|
Chris@0
|
256
|
|
Chris@0
|
257 $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID);
|
|
Chris@0
|
258 $this->assertCommentAccess(FALSE, 'Authenticated user has search permission but no access comments permission, comments should not be indexed');
|
|
Chris@0
|
259
|
|
Chris@0
|
260 $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, TRUE);
|
|
Chris@0
|
261 $this->assertCommentAccess(TRUE, 'Authenticated user has search permission and access comments permission, comments should be indexed');
|
|
Chris@0
|
262
|
|
Chris@0
|
263 // Verify that access comments permission is inherited from the
|
|
Chris@0
|
264 // authenticated role.
|
|
Chris@0
|
265 $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, TRUE, FALSE);
|
|
Chris@0
|
266 $this->setRolePermissions($this->adminRole);
|
|
Chris@0
|
267 $this->assertCommentAccess(TRUE, 'Admin user has search permission and no access comments permission, but comments should be indexed because admin user inherits authenticated user\'s permission to access comments');
|
|
Chris@0
|
268
|
|
Chris@0
|
269 // Verify that search content permission is inherited from the authenticated
|
|
Chris@0
|
270 // role.
|
|
Chris@0
|
271 $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, TRUE, TRUE);
|
|
Chris@0
|
272 $this->setRolePermissions($this->adminRole, TRUE, FALSE);
|
|
Chris@0
|
273 $this->assertCommentAccess(TRUE, 'Admin user has access comments permission and no search permission, but comments should be indexed because admin user inherits authenticated user\'s permission to search');
|
|
Chris@0
|
274 }
|
|
Chris@0
|
275
|
|
Chris@0
|
276 /**
|
|
Chris@0
|
277 * Set permissions for role.
|
|
Chris@0
|
278 */
|
|
Chris@0
|
279 public function setRolePermissions($rid, $access_comments = FALSE, $search_content = TRUE) {
|
|
Chris@0
|
280 $permissions = [
|
|
Chris@0
|
281 'access comments' => $access_comments,
|
|
Chris@0
|
282 'search content' => $search_content,
|
|
Chris@0
|
283 ];
|
|
Chris@0
|
284 user_role_change_permissions($rid, $permissions);
|
|
Chris@0
|
285 }
|
|
Chris@0
|
286
|
|
Chris@0
|
287 /**
|
|
Chris@0
|
288 * Update search index and search for comment.
|
|
Chris@0
|
289 */
|
|
Chris@0
|
290 public function assertCommentAccess($assume_access, $message) {
|
|
Chris@0
|
291 // Invoke search index update.
|
|
Chris@0
|
292 search_mark_for_reindex('node_search', $this->node->id());
|
|
Chris@0
|
293 $this->cronRun();
|
|
Chris@0
|
294
|
|
Chris@0
|
295 // Search for the comment subject.
|
|
Chris@0
|
296 $edit = [
|
|
Chris@0
|
297 'keys' => "'" . $this->commentSubject . "'",
|
|
Chris@0
|
298 ];
|
|
Chris@0
|
299 $this->drupalPostForm('search/node', $edit, t('Search'));
|
|
Chris@0
|
300
|
|
Chris@0
|
301 if ($assume_access) {
|
|
Chris@0
|
302 $expected_node_result = $this->assertText($this->node->label());
|
|
Chris@0
|
303 $expected_comment_result = $this->assertText($this->commentSubject);
|
|
Chris@0
|
304 }
|
|
Chris@0
|
305 else {
|
|
Chris@0
|
306 $expected_node_result = $this->assertText(t('Your search yielded no results.'));
|
|
Chris@0
|
307 $expected_comment_result = $this->assertText(t('Your search yielded no results.'));
|
|
Chris@0
|
308 }
|
|
Chris@0
|
309 $this->assertTrue($expected_node_result && $expected_comment_result, $message);
|
|
Chris@0
|
310 }
|
|
Chris@0
|
311
|
|
Chris@0
|
312 /**
|
|
Chris@0
|
313 * Verify that 'add new comment' does not appear in search results or index.
|
|
Chris@0
|
314 */
|
|
Chris@0
|
315 public function testAddNewComment() {
|
|
Chris@0
|
316 // Create a node with a short body.
|
|
Chris@0
|
317 $settings = [
|
|
Chris@0
|
318 'type' => 'article',
|
|
Chris@0
|
319 'title' => 'short title',
|
|
Chris@0
|
320 'body' => [['value' => 'short body text']],
|
|
Chris@0
|
321 ];
|
|
Chris@0
|
322
|
|
Chris@0
|
323 $user = $this->drupalCreateUser([
|
|
Chris@0
|
324 'search content',
|
|
Chris@0
|
325 'create article content',
|
|
Chris@0
|
326 'access content',
|
|
Chris@0
|
327 'post comments',
|
|
Chris@0
|
328 'access comments',
|
|
Chris@0
|
329 ]);
|
|
Chris@0
|
330 $this->drupalLogin($user);
|
|
Chris@0
|
331
|
|
Chris@0
|
332 $node = $this->drupalCreateNode($settings);
|
|
Chris@0
|
333 // Verify that if you view the node on its own page, 'add new comment'
|
|
Chris@0
|
334 // is there.
|
|
Chris@0
|
335 $this->drupalGet('node/' . $node->id());
|
|
Chris@0
|
336 $this->assertText(t('Add new comment'));
|
|
Chris@0
|
337
|
|
Chris@0
|
338 // Run cron to index this page.
|
|
Chris@0
|
339 $this->drupalLogout();
|
|
Chris@0
|
340 $this->cronRun();
|
|
Chris@0
|
341
|
|
Chris@0
|
342 // Search for 'comment'. Should be no results.
|
|
Chris@0
|
343 $this->drupalLogin($user);
|
|
Chris@0
|
344 $this->drupalPostForm('search/node', ['keys' => 'comment'], t('Search'));
|
|
Chris@0
|
345 $this->assertText(t('Your search yielded no results'));
|
|
Chris@0
|
346
|
|
Chris@0
|
347 // Search for the node title. Should be found, and 'Add new comment' should
|
|
Chris@0
|
348 // not be part of the search snippet.
|
|
Chris@0
|
349 $this->drupalPostForm('search/node', ['keys' => 'short'], t('Search'));
|
|
Chris@0
|
350 $this->assertText($node->label(), 'Search for keyword worked');
|
|
Chris@0
|
351 $this->assertNoText(t('Add new comment'));
|
|
Chris@0
|
352 }
|
|
Chris@0
|
353
|
|
Chris@0
|
354 }
|
