|
Chris@0
|
1 <?php
|
|
Chris@0
|
2
|
|
Chris@0
|
3 namespace Drupal\file\Tests;
|
|
Chris@0
|
4
|
|
Chris@0
|
5 use Drupal\comment\Entity\Comment;
|
|
Chris@0
|
6 use Drupal\comment\Tests\CommentTestTrait;
|
|
Chris@0
|
7 use Drupal\Component\Utility\Unicode;
|
|
Chris@0
|
8 use Drupal\Core\Url;
|
|
Chris@0
|
9 use Drupal\field\Entity\FieldConfig;
|
|
Chris@0
|
10 use Drupal\field\Entity\FieldStorageConfig;
|
|
Chris@0
|
11 use Drupal\field_ui\Tests\FieldUiTestTrait;
|
|
Chris@0
|
12 use Drupal\user\RoleInterface;
|
|
Chris@0
|
13 use Drupal\file\Entity\File;
|
|
Chris@0
|
14 use Drupal\user\Entity\User;
|
|
Chris@0
|
15 use Drupal\user\UserInterface;
|
|
Chris@0
|
16
|
|
Chris@0
|
17 /**
|
|
Chris@0
|
18 * Tests the file field widget, single and multi-valued, with and without AJAX,
|
|
Chris@0
|
19 * with public and private files.
|
|
Chris@0
|
20 *
|
|
Chris@0
|
21 * @group file
|
|
Chris@0
|
22 */
|
|
Chris@0
|
23 class FileFieldWidgetTest extends FileFieldTestBase {
|
|
Chris@0
|
24
|
|
Chris@0
|
25 use CommentTestTrait;
|
|
Chris@0
|
26 use FieldUiTestTrait;
|
|
Chris@0
|
27
|
|
Chris@0
|
28 /**
|
|
Chris@0
|
29 * {@inheritdoc}
|
|
Chris@0
|
30 */
|
|
Chris@0
|
31 protected function setUp() {
|
|
Chris@0
|
32 parent::setUp();
|
|
Chris@0
|
33 $this->drupalPlaceBlock('system_breadcrumb_block');
|
|
Chris@0
|
34 }
|
|
Chris@0
|
35
|
|
Chris@0
|
36 /**
|
|
Chris@0
|
37 * Modules to enable.
|
|
Chris@0
|
38 *
|
|
Chris@0
|
39 * @var array
|
|
Chris@0
|
40 */
|
|
Chris@0
|
41 public static $modules = ['comment', 'block'];
|
|
Chris@0
|
42
|
|
Chris@0
|
43 /**
|
|
Chris@0
|
44 * Creates a temporary file, for a specific user.
|
|
Chris@0
|
45 *
|
|
Chris@0
|
46 * @param string $data
|
|
Chris@0
|
47 * A string containing the contents of the file.
|
|
Chris@0
|
48 * @param \Drupal\user\UserInterface $user
|
|
Chris@0
|
49 * The user of the file owner.
|
|
Chris@0
|
50 *
|
|
Chris@0
|
51 * @return \Drupal\file\FileInterface
|
|
Chris@0
|
52 * A file object, or FALSE on error.
|
|
Chris@0
|
53 */
|
|
Chris@0
|
54 protected function createTemporaryFile($data, UserInterface $user = NULL) {
|
|
Chris@0
|
55 $file = file_save_data($data, NULL, NULL);
|
|
Chris@0
|
56
|
|
Chris@0
|
57 if ($file) {
|
|
Chris@0
|
58 if ($user) {
|
|
Chris@0
|
59 $file->setOwner($user);
|
|
Chris@0
|
60 }
|
|
Chris@0
|
61 else {
|
|
Chris@0
|
62 $file->setOwner($this->adminUser);
|
|
Chris@0
|
63 }
|
|
Chris@0
|
64 // Change the file status to be temporary.
|
|
Chris@0
|
65 $file->setTemporary();
|
|
Chris@0
|
66 // Save the changes.
|
|
Chris@0
|
67 $file->save();
|
|
Chris@0
|
68 }
|
|
Chris@0
|
69
|
|
Chris@0
|
70 return $file;
|
|
Chris@0
|
71 }
|
|
Chris@0
|
72
|
|
Chris@0
|
73 /**
|
|
Chris@0
|
74 * Tests upload and remove buttons for a single-valued File field.
|
|
Chris@0
|
75 */
|
|
Chris@0
|
76 public function testSingleValuedWidget() {
|
|
Chris@0
|
77 $node_storage = $this->container->get('entity.manager')->getStorage('node');
|
|
Chris@0
|
78 $type_name = 'article';
|
|
Chris@0
|
79 $field_name = strtolower($this->randomMachineName());
|
|
Chris@0
|
80 $this->createFileField($field_name, 'node', $type_name);
|
|
Chris@0
|
81
|
|
Chris@0
|
82 $test_file = $this->getTestFile('text');
|
|
Chris@0
|
83
|
|
Chris@0
|
84 foreach (['nojs', 'js'] as $type) {
|
|
Chris@0
|
85 // Create a new node with the uploaded file and ensure it got uploaded
|
|
Chris@0
|
86 // successfully.
|
|
Chris@0
|
87 // @todo This only tests a 'nojs' submission, because drupalPostAjaxForm()
|
|
Chris@0
|
88 // does not yet support file uploads.
|
|
Chris@0
|
89 $nid = $this->uploadNodeFile($test_file, $field_name, $type_name);
|
|
Chris@0
|
90 $node_storage->resetCache([$nid]);
|
|
Chris@0
|
91 $node = $node_storage->load($nid);
|
|
Chris@0
|
92 $node_file = File::load($node->{$field_name}->target_id);
|
|
Chris@0
|
93 $this->assertFileExists($node_file, 'New file saved to disk on node creation.');
|
|
Chris@0
|
94
|
|
Chris@0
|
95 // Ensure the file can be downloaded.
|
|
Chris@0
|
96 $this->drupalGet(file_create_url($node_file->getFileUri()));
|
|
Chris@0
|
97 $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
|
|
Chris@0
|
98
|
|
Chris@0
|
99 // Ensure the edit page has a remove button instead of an upload button.
|
|
Chris@0
|
100 $this->drupalGet("node/$nid/edit");
|
|
Chris@0
|
101 $this->assertNoFieldByXPath('//input[@type="submit"]', t('Upload'), 'Node with file does not display the "Upload" button.');
|
|
Chris@0
|
102 $this->assertFieldByXpath('//input[@type="submit"]', t('Remove'), 'Node with file displays the "Remove" button.');
|
|
Chris@0
|
103
|
|
Chris@0
|
104 // "Click" the remove button (emulating either a nojs or js submission).
|
|
Chris@0
|
105 switch ($type) {
|
|
Chris@0
|
106 case 'nojs':
|
|
Chris@0
|
107 $this->drupalPostForm(NULL, [], t('Remove'));
|
|
Chris@0
|
108 break;
|
|
Chris@0
|
109 case 'js':
|
|
Chris@0
|
110 $button = $this->xpath('//input[@type="submit" and @value="' . t('Remove') . '"]');
|
|
Chris@0
|
111 $this->drupalPostAjaxForm(NULL, [], [(string) $button[0]['name'] => (string) $button[0]['value']]);
|
|
Chris@0
|
112 break;
|
|
Chris@0
|
113 }
|
|
Chris@0
|
114
|
|
Chris@0
|
115 // Ensure the page now has an upload button instead of a remove button.
|
|
Chris@0
|
116 $this->assertNoFieldByXPath('//input[@type="submit"]', t('Remove'), 'After clicking the "Remove" button, it is no longer displayed.');
|
|
Chris@0
|
117 $this->assertFieldByXpath('//input[@type="submit"]', t('Upload'), 'After clicking the "Remove" button, the "Upload" button is displayed.');
|
|
Chris@0
|
118 // Test label has correct 'for' attribute.
|
|
Chris@0
|
119 $input = $this->xpath('//input[@name="files[' . $field_name . '_0]"]');
|
|
Chris@0
|
120 $label = $this->xpath('//label[@for="' . (string) $input[0]['id'] . '"]');
|
|
Chris@0
|
121 $this->assertTrue(isset($label[0]), 'Label for upload found.');
|
|
Chris@0
|
122
|
|
Chris@0
|
123 // Save the node and ensure it does not have the file.
|
|
Chris@0
|
124 $this->drupalPostForm(NULL, [], t('Save'));
|
|
Chris@0
|
125 $node_storage->resetCache([$nid]);
|
|
Chris@0
|
126 $node = $node_storage->load($nid);
|
|
Chris@0
|
127 $this->assertTrue(empty($node->{$field_name}->target_id), 'File was successfully removed from the node.');
|
|
Chris@0
|
128 }
|
|
Chris@0
|
129 }
|
|
Chris@0
|
130
|
|
Chris@0
|
131 /**
|
|
Chris@0
|
132 * Tests upload and remove buttons for multiple multi-valued File fields.
|
|
Chris@0
|
133 */
|
|
Chris@0
|
134 public function testMultiValuedWidget() {
|
|
Chris@0
|
135 $node_storage = $this->container->get('entity.manager')->getStorage('node');
|
|
Chris@0
|
136 $type_name = 'article';
|
|
Chris@0
|
137 // Use explicit names instead of random names for those fields, because of a
|
|
Chris@0
|
138 // bug in drupalPostForm() with multiple file uploads in one form, where the
|
|
Chris@0
|
139 // order of uploads depends on the order in which the upload elements are
|
|
Chris@0
|
140 // added to the $form (which, in the current implementation of
|
|
Chris@0
|
141 // FileStorage::listAll(), comes down to the alphabetical order on field
|
|
Chris@0
|
142 // names).
|
|
Chris@0
|
143 $field_name = 'test_file_field_1';
|
|
Chris@0
|
144 $field_name2 = 'test_file_field_2';
|
|
Chris@0
|
145 $cardinality = 3;
|
|
Chris@0
|
146 $this->createFileField($field_name, 'node', $type_name, ['cardinality' => $cardinality]);
|
|
Chris@0
|
147 $this->createFileField($field_name2, 'node', $type_name, ['cardinality' => $cardinality]);
|
|
Chris@0
|
148
|
|
Chris@0
|
149 $test_file = $this->getTestFile('text');
|
|
Chris@0
|
150
|
|
Chris@0
|
151 foreach (['nojs', 'js'] as $type) {
|
|
Chris@0
|
152 // Visit the node creation form, and upload 3 files for each field. Since
|
|
Chris@0
|
153 // the field has cardinality of 3, ensure the "Upload" button is displayed
|
|
Chris@0
|
154 // until after the 3rd file, and after that, isn't displayed. Because
|
|
Chris@0
|
155 // SimpleTest triggers the last button with a given name, so upload to the
|
|
Chris@0
|
156 // second field first.
|
|
Chris@0
|
157 // @todo This is only testing a non-Ajax upload, because drupalPostAjaxForm()
|
|
Chris@0
|
158 // does not yet emulate jQuery's file upload.
|
|
Chris@0
|
159 //
|
|
Chris@0
|
160 $this->drupalGet("node/add/$type_name");
|
|
Chris@0
|
161 foreach ([$field_name2, $field_name] as $each_field_name) {
|
|
Chris@0
|
162 for ($delta = 0; $delta < 3; $delta++) {
|
|
Chris@14
|
163 $edit = ['files[' . $each_field_name . '_' . $delta . '][]' => \Drupal::service('file_system')->realpath($test_file->getFileUri())];
|
|
Chris@0
|
164 // If the Upload button doesn't exist, drupalPostForm() will automatically
|
|
Chris@0
|
165 // fail with an assertion message.
|
|
Chris@0
|
166 $this->drupalPostForm(NULL, $edit, t('Upload'));
|
|
Chris@0
|
167 }
|
|
Chris@0
|
168 }
|
|
Chris@0
|
169 $this->assertNoFieldByXpath('//input[@type="submit"]', t('Upload'), 'After uploading 3 files for each field, the "Upload" button is no longer displayed.');
|
|
Chris@0
|
170
|
|
Chris@0
|
171 $num_expected_remove_buttons = 6;
|
|
Chris@0
|
172
|
|
Chris@0
|
173 foreach ([$field_name, $field_name2] as $current_field_name) {
|
|
Chris@0
|
174 // How many uploaded files for the current field are remaining.
|
|
Chris@0
|
175 $remaining = 3;
|
|
Chris@0
|
176 // Test clicking each "Remove" button. For extra robustness, test them out
|
|
Chris@0
|
177 // of sequential order. They are 0-indexed, and get renumbered after each
|
|
Chris@0
|
178 // iteration, so array(1, 1, 0) means:
|
|
Chris@0
|
179 // - First remove the 2nd file.
|
|
Chris@0
|
180 // - Then remove what is then the 2nd file (was originally the 3rd file).
|
|
Chris@0
|
181 // - Then remove the first file.
|
|
Chris@0
|
182 foreach ([1, 1, 0] as $delta) {
|
|
Chris@0
|
183 // Ensure we have the expected number of Remove buttons, and that they
|
|
Chris@0
|
184 // are numbered sequentially.
|
|
Chris@0
|
185 $buttons = $this->xpath('//input[@type="submit" and @value="Remove"]');
|
|
Chris@0
|
186 $this->assertTrue(is_array($buttons) && count($buttons) === $num_expected_remove_buttons, format_string('There are %n "Remove" buttons displayed (JSMode=%type).', ['%n' => $num_expected_remove_buttons, '%type' => $type]));
|
|
Chris@0
|
187 foreach ($buttons as $i => $button) {
|
|
Chris@0
|
188 $key = $i >= $remaining ? $i - $remaining : $i;
|
|
Chris@0
|
189 $check_field_name = $field_name2;
|
|
Chris@0
|
190 if ($current_field_name == $field_name && $i < $remaining) {
|
|
Chris@0
|
191 $check_field_name = $field_name;
|
|
Chris@0
|
192 }
|
|
Chris@0
|
193
|
|
Chris@0
|
194 $this->assertIdentical((string) $button['name'], $check_field_name . '_' . $key . '_remove_button');
|
|
Chris@0
|
195 }
|
|
Chris@0
|
196
|
|
Chris@0
|
197 // "Click" the remove button (emulating either a nojs or js submission).
|
|
Chris@0
|
198 $button_name = $current_field_name . '_' . $delta . '_remove_button';
|
|
Chris@0
|
199 switch ($type) {
|
|
Chris@0
|
200 case 'nojs':
|
|
Chris@0
|
201 // drupalPostForm() takes a $submit parameter that is the value of the
|
|
Chris@0
|
202 // button whose click we want to emulate. Since we have multiple
|
|
Chris@0
|
203 // buttons with the value "Remove", and want to control which one we
|
|
Chris@0
|
204 // use, we change the value of the other ones to something else.
|
|
Chris@0
|
205 // Since non-clicked buttons aren't included in the submitted POST
|
|
Chris@0
|
206 // data, and since drupalPostForm() will result in $this being updated
|
|
Chris@0
|
207 // with a newly rebuilt form, this doesn't cause problems.
|
|
Chris@0
|
208 foreach ($buttons as $button) {
|
|
Chris@0
|
209 if ($button['name'] != $button_name) {
|
|
Chris@0
|
210 $button['value'] = 'DUMMY';
|
|
Chris@0
|
211 }
|
|
Chris@0
|
212 }
|
|
Chris@0
|
213 $this->drupalPostForm(NULL, [], t('Remove'));
|
|
Chris@0
|
214 break;
|
|
Chris@0
|
215 case 'js':
|
|
Chris@0
|
216 // drupalPostAjaxForm() lets us target the button precisely, so we don't
|
|
Chris@0
|
217 // require the workaround used above for nojs.
|
|
Chris@0
|
218 $this->drupalPostAjaxForm(NULL, [], [$button_name => t('Remove')]);
|
|
Chris@0
|
219 break;
|
|
Chris@0
|
220 }
|
|
Chris@0
|
221 $num_expected_remove_buttons--;
|
|
Chris@0
|
222 $remaining--;
|
|
Chris@0
|
223
|
|
Chris@0
|
224 // Ensure an "Upload" button for the current field is displayed with the
|
|
Chris@0
|
225 // correct name.
|
|
Chris@0
|
226 $upload_button_name = $current_field_name . '_' . $remaining . '_upload_button';
|
|
Chris@0
|
227 $buttons = $this->xpath('//input[@type="submit" and @value="Upload" and @name=:name]', [':name' => $upload_button_name]);
|
|
Chris@0
|
228 $this->assertTrue(is_array($buttons) && count($buttons) == 1, format_string('The upload button is displayed with the correct name (JSMode=%type).', ['%type' => $type]));
|
|
Chris@0
|
229
|
|
Chris@0
|
230 // Ensure only at most one button per field is displayed.
|
|
Chris@0
|
231 $buttons = $this->xpath('//input[@type="submit" and @value="Upload"]');
|
|
Chris@0
|
232 $expected = $current_field_name == $field_name ? 1 : 2;
|
|
Chris@0
|
233 $this->assertTrue(is_array($buttons) && count($buttons) == $expected, format_string('After removing a file, only one "Upload" button for each possible field is displayed (JSMode=%type).', ['%type' => $type]));
|
|
Chris@0
|
234 }
|
|
Chris@0
|
235 }
|
|
Chris@0
|
236
|
|
Chris@0
|
237 // Ensure the page now has no Remove buttons.
|
|
Chris@0
|
238 $this->assertNoFieldByXPath('//input[@type="submit"]', t('Remove'), format_string('After removing all files, there is no "Remove" button displayed (JSMode=%type).', ['%type' => $type]));
|
|
Chris@0
|
239
|
|
Chris@0
|
240 // Save the node and ensure it does not have any files.
|
|
Chris@0
|
241 $this->drupalPostForm(NULL, ['title[0][value]' => $this->randomMachineName()], t('Save'));
|
|
Chris@0
|
242 preg_match('/node\/([0-9]+)/', $this->getUrl(), $matches);
|
|
Chris@0
|
243 $nid = $matches[1];
|
|
Chris@0
|
244 $node_storage->resetCache([$nid]);
|
|
Chris@0
|
245 $node = $node_storage->load($nid);
|
|
Chris@0
|
246 $this->assertTrue(empty($node->{$field_name}->target_id), 'Node was successfully saved without any files.');
|
|
Chris@0
|
247 }
|
|
Chris@0
|
248
|
|
Chris@0
|
249 $upload_files_node_creation = [$test_file, $test_file];
|
|
Chris@0
|
250 // Try to upload multiple files, but fewer than the maximum.
|
|
Chris@0
|
251 $nid = $this->uploadNodeFiles($upload_files_node_creation, $field_name, $type_name);
|
|
Chris@0
|
252 $node_storage->resetCache([$nid]);
|
|
Chris@0
|
253 $node = $node_storage->load($nid);
|
|
Chris@0
|
254 $this->assertEqual(count($node->{$field_name}), count($upload_files_node_creation), 'Node was successfully saved with mulitple files.');
|
|
Chris@0
|
255
|
|
Chris@0
|
256 // Try to upload more files than allowed on revision.
|
|
Chris@0
|
257 $upload_files_node_revision = [$test_file, $test_file, $test_file, $test_file];
|
|
Chris@0
|
258 $this->uploadNodeFiles($upload_files_node_revision, $field_name, $nid, 1);
|
|
Chris@0
|
259 $args = [
|
|
Chris@0
|
260 '%field' => $field_name,
|
|
Chris@0
|
261 '@max' => $cardinality,
|
|
Chris@0
|
262 '@count' => count($upload_files_node_creation) + count($upload_files_node_revision),
|
|
Chris@0
|
263 '%list' => implode(', ', array_fill(0, 3, $test_file->getFilename())),
|
|
Chris@0
|
264 ];
|
|
Chris@0
|
265 $this->assertRaw(t('Field %field can only hold @max values but there were @count uploaded. The following files have been omitted as a result: %list.', $args));
|
|
Chris@0
|
266 $node_storage->resetCache([$nid]);
|
|
Chris@0
|
267 $node = $node_storage->load($nid);
|
|
Chris@0
|
268 $this->assertEqual(count($node->{$field_name}), $cardinality, 'More files than allowed could not be saved to node.');
|
|
Chris@0
|
269
|
|
Chris@0
|
270 // Try to upload exactly the allowed number of files on revision. Create an
|
|
Chris@0
|
271 // empty node first, to fill it in its first revision.
|
|
Chris@0
|
272 $node = $this->drupalCreateNode([
|
|
Chris@0
|
273 'type' => $type_name
|
|
Chris@0
|
274 ]);
|
|
Chris@0
|
275 $this->uploadNodeFile($test_file, $field_name, $node->id(), 1);
|
|
Chris@0
|
276 $node_storage->resetCache([$nid]);
|
|
Chris@0
|
277 $node = $node_storage->load($nid);
|
|
Chris@0
|
278 $this->assertEqual(count($node->{$field_name}), $cardinality, 'Node was successfully revised to maximum number of files.');
|
|
Chris@0
|
279
|
|
Chris@0
|
280 // Try to upload exactly the allowed number of files, new node.
|
|
Chris@0
|
281 $upload_files = array_fill(0, $cardinality, $test_file);
|
|
Chris@0
|
282 $nid = $this->uploadNodeFiles($upload_files, $field_name, $type_name);
|
|
Chris@0
|
283 $node_storage->resetCache([$nid]);
|
|
Chris@0
|
284 $node = $node_storage->load($nid);
|
|
Chris@0
|
285 $this->assertEqual(count($node->{$field_name}), $cardinality, 'Node was successfully saved with maximum number of files.');
|
|
Chris@0
|
286
|
|
Chris@0
|
287 // Try to upload more files than allowed, new node.
|
|
Chris@0
|
288 $upload_files[] = $test_file;
|
|
Chris@0
|
289 $this->uploadNodeFiles($upload_files, $field_name, $type_name);
|
|
Chris@0
|
290
|
|
Chris@0
|
291 $args = [
|
|
Chris@0
|
292 '%field' => $field_name,
|
|
Chris@0
|
293 '@max' => $cardinality,
|
|
Chris@0
|
294 '@count' => count($upload_files),
|
|
Chris@0
|
295 '%list' => $test_file->getFileName(),
|
|
Chris@0
|
296 ];
|
|
Chris@0
|
297 $this->assertRaw(t('Field %field can only hold @max values but there were @count uploaded. The following files have been omitted as a result: %list.', $args));
|
|
Chris@0
|
298 }
|
|
Chris@0
|
299
|
|
Chris@0
|
300 /**
|
|
Chris@0
|
301 * Tests a file field with a "Private files" upload destination setting.
|
|
Chris@0
|
302 */
|
|
Chris@0
|
303 public function testPrivateFileSetting() {
|
|
Chris@0
|
304 $node_storage = $this->container->get('entity.manager')->getStorage('node');
|
|
Chris@0
|
305 // Grant the admin user required permissions.
|
|
Chris@0
|
306 user_role_grant_permissions($this->adminUser->roles[0]->target_id, ['administer node fields']);
|
|
Chris@0
|
307
|
|
Chris@0
|
308 $type_name = 'article';
|
|
Chris@0
|
309 $field_name = strtolower($this->randomMachineName());
|
|
Chris@0
|
310 $this->createFileField($field_name, 'node', $type_name);
|
|
Chris@0
|
311 $field = FieldConfig::loadByName('node', $type_name, $field_name);
|
|
Chris@0
|
312 $field_id = $field->id();
|
|
Chris@0
|
313
|
|
Chris@0
|
314 $test_file = $this->getTestFile('text');
|
|
Chris@0
|
315
|
|
Chris@0
|
316 // Change the field setting to make its files private, and upload a file.
|
|
Chris@0
|
317 $edit = ['settings[uri_scheme]' => 'private'];
|
|
Chris@0
|
318 $this->drupalPostForm("admin/structure/types/manage/$type_name/fields/$field_id/storage", $edit, t('Save field settings'));
|
|
Chris@0
|
319 $nid = $this->uploadNodeFile($test_file, $field_name, $type_name);
|
|
Chris@0
|
320 $node_storage->resetCache([$nid]);
|
|
Chris@0
|
321 $node = $node_storage->load($nid);
|
|
Chris@0
|
322 $node_file = File::load($node->{$field_name}->target_id);
|
|
Chris@0
|
323 $this->assertFileExists($node_file, 'New file saved to disk on node creation.');
|
|
Chris@0
|
324
|
|
Chris@0
|
325 // Ensure the private file is available to the user who uploaded it.
|
|
Chris@0
|
326 $this->drupalGet(file_create_url($node_file->getFileUri()));
|
|
Chris@0
|
327 $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
|
|
Chris@0
|
328
|
|
Chris@0
|
329 // Ensure we can't change 'uri_scheme' field settings while there are some
|
|
Chris@0
|
330 // entities with uploaded files.
|
|
Chris@0
|
331 $this->drupalGet("admin/structure/types/manage/$type_name/fields/$field_id/storage");
|
|
Chris@0
|
332 $this->assertFieldByXpath('//input[@id="edit-settings-uri-scheme-public" and @disabled="disabled"]', 'public', 'Upload destination setting disabled.');
|
|
Chris@0
|
333
|
|
Chris@0
|
334 // Delete node and confirm that setting could be changed.
|
|
Chris@0
|
335 $node->delete();
|
|
Chris@0
|
336 $this->drupalGet("admin/structure/types/manage/$type_name/fields/$field_id/storage");
|
|
Chris@0
|
337 $this->assertFieldByXpath('//input[@id="edit-settings-uri-scheme-public" and not(@disabled)]', 'public', 'Upload destination setting enabled.');
|
|
Chris@0
|
338 }
|
|
Chris@0
|
339
|
|
Chris@0
|
340 /**
|
|
Chris@0
|
341 * Tests that download restrictions on private files work on comments.
|
|
Chris@0
|
342 */
|
|
Chris@0
|
343 public function testPrivateFileComment() {
|
|
Chris@0
|
344 $user = $this->drupalCreateUser(['access comments']);
|
|
Chris@0
|
345
|
|
Chris@0
|
346 // Grant the admin user required comment permissions.
|
|
Chris@0
|
347 $roles = $this->adminUser->getRoles();
|
|
Chris@0
|
348 user_role_grant_permissions($roles[1], ['administer comment fields', 'administer comments']);
|
|
Chris@0
|
349
|
|
Chris@0
|
350 // Revoke access comments permission from anon user, grant post to
|
|
Chris@0
|
351 // authenticated.
|
|
Chris@0
|
352 user_role_revoke_permissions(RoleInterface::ANONYMOUS_ID, ['access comments']);
|
|
Chris@0
|
353 user_role_grant_permissions(RoleInterface::AUTHENTICATED_ID, ['post comments', 'skip comment approval']);
|
|
Chris@0
|
354
|
|
Chris@0
|
355 // Create a new field.
|
|
Chris@0
|
356 $this->addDefaultCommentField('node', 'article');
|
|
Chris@0
|
357
|
|
Chris@0
|
358 $name = strtolower($this->randomMachineName());
|
|
Chris@0
|
359 $label = $this->randomMachineName();
|
|
Chris@0
|
360 $storage_edit = ['settings[uri_scheme]' => 'private'];
|
|
Chris@0
|
361 $this->fieldUIAddNewField('admin/structure/comment/manage/comment', $name, $label, 'file', $storage_edit);
|
|
Chris@0
|
362
|
|
Chris@0
|
363 // Manually clear cache on the tester side.
|
|
Chris@0
|
364 \Drupal::entityManager()->clearCachedFieldDefinitions();
|
|
Chris@0
|
365
|
|
Chris@0
|
366 // Create node.
|
|
Chris@0
|
367 $edit = [
|
|
Chris@0
|
368 'title[0][value]' => $this->randomMachineName(),
|
|
Chris@0
|
369 ];
|
|
Chris@0
|
370 $this->drupalPostForm('node/add/article', $edit, t('Save'));
|
|
Chris@0
|
371 $node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
|
|
Chris@0
|
372
|
|
Chris@0
|
373 // Add a comment with a file.
|
|
Chris@0
|
374 $text_file = $this->getTestFile('text');
|
|
Chris@0
|
375 $edit = [
|
|
Chris@14
|
376 'files[field_' . $name . '_' . 0 . ']' => \Drupal::service('file_system')->realpath($text_file->getFileUri()),
|
|
Chris@0
|
377 'comment_body[0][value]' => $comment_body = $this->randomMachineName(),
|
|
Chris@0
|
378 ];
|
|
Chris@0
|
379 $this->drupalPostForm('node/' . $node->id(), $edit, t('Save'));
|
|
Chris@0
|
380
|
|
Chris@0
|
381 // Get the comment ID.
|
|
Chris@0
|
382 preg_match('/comment-([0-9]+)/', $this->getUrl(), $matches);
|
|
Chris@0
|
383 $cid = $matches[1];
|
|
Chris@0
|
384
|
|
Chris@0
|
385 // Log in as normal user.
|
|
Chris@0
|
386 $this->drupalLogin($user);
|
|
Chris@0
|
387
|
|
Chris@0
|
388 $comment = Comment::load($cid);
|
|
Chris@0
|
389 $comment_file = $comment->{'field_' . $name}->entity;
|
|
Chris@0
|
390 $this->assertFileExists($comment_file, 'New file saved to disk on node creation.');
|
|
Chris@0
|
391 // Test authenticated file download.
|
|
Chris@0
|
392 $url = file_create_url($comment_file->getFileUri());
|
|
Chris@0
|
393 $this->assertNotEqual($url, NULL, 'Confirmed that the URL is valid');
|
|
Chris@0
|
394 $this->drupalGet(file_create_url($comment_file->getFileUri()));
|
|
Chris@0
|
395 $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
|
|
Chris@0
|
396
|
|
Chris@0
|
397 // Test anonymous file download.
|
|
Chris@0
|
398 $this->drupalLogout();
|
|
Chris@0
|
399 $this->drupalGet(file_create_url($comment_file->getFileUri()));
|
|
Chris@0
|
400 $this->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.');
|
|
Chris@0
|
401
|
|
Chris@0
|
402 // Unpublishes node.
|
|
Chris@0
|
403 $this->drupalLogin($this->adminUser);
|
|
Chris@0
|
404 $edit = ['status[value]' => FALSE];
|
|
Chris@0
|
405 $this->drupalPostForm('node/' . $node->id() . '/edit', $edit, t('Save'));
|
|
Chris@0
|
406
|
|
Chris@0
|
407 // Ensures normal user can no longer download the file.
|
|
Chris@0
|
408 $this->drupalLogin($user);
|
|
Chris@0
|
409 $this->drupalGet(file_create_url($comment_file->getFileUri()));
|
|
Chris@0
|
410 $this->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.');
|
|
Chris@0
|
411 }
|
|
Chris@0
|
412
|
|
Chris@0
|
413 /**
|
|
Chris@0
|
414 * Tests validation with the Upload button.
|
|
Chris@0
|
415 */
|
|
Chris@0
|
416 public function testWidgetValidation() {
|
|
Chris@0
|
417 $type_name = 'article';
|
|
Chris@0
|
418 $field_name = strtolower($this->randomMachineName());
|
|
Chris@0
|
419 $this->createFileField($field_name, 'node', $type_name);
|
|
Chris@0
|
420 $this->updateFileField($field_name, $type_name, ['file_extensions' => 'txt']);
|
|
Chris@0
|
421
|
|
Chris@0
|
422 foreach (['nojs', 'js'] as $type) {
|
|
Chris@0
|
423 // Create node and prepare files for upload.
|
|
Chris@0
|
424 $node = $this->drupalCreateNode(['type' => 'article']);
|
|
Chris@0
|
425 $nid = $node->id();
|
|
Chris@0
|
426 $this->drupalGet("node/$nid/edit");
|
|
Chris@0
|
427 $test_file_text = $this->getTestFile('text');
|
|
Chris@0
|
428 $test_file_image = $this->getTestFile('image');
|
|
Chris@0
|
429 $name = 'files[' . $field_name . '_0]';
|
|
Chris@0
|
430
|
|
Chris@0
|
431 // Upload file with incorrect extension, check for validation error.
|
|
Chris@14
|
432 $edit[$name] = \Drupal::service('file_system')->realpath($test_file_image->getFileUri());
|
|
Chris@0
|
433 switch ($type) {
|
|
Chris@0
|
434 case 'nojs':
|
|
Chris@0
|
435 $this->drupalPostForm(NULL, $edit, t('Upload'));
|
|
Chris@0
|
436 break;
|
|
Chris@0
|
437 case 'js':
|
|
Chris@0
|
438 $button = $this->xpath('//input[@type="submit" and @value="' . t('Upload') . '"]');
|
|
Chris@0
|
439 $this->drupalPostAjaxForm(NULL, $edit, [(string) $button[0]['name'] => (string) $button[0]['value']]);
|
|
Chris@0
|
440 break;
|
|
Chris@0
|
441 }
|
|
Chris@0
|
442 $error_message = t('Only files with the following extensions are allowed: %files-allowed.', ['%files-allowed' => 'txt']);
|
|
Chris@0
|
443 $this->assertRaw($error_message, t('Validation error when file with wrong extension uploaded (JSMode=%type).', ['%type' => $type]));
|
|
Chris@0
|
444
|
|
Chris@0
|
445 // Upload file with correct extension, check that error message is removed.
|
|
Chris@14
|
446 $edit[$name] = \Drupal::service('file_system')->realpath($test_file_text->getFileUri());
|
|
Chris@0
|
447 switch ($type) {
|
|
Chris@0
|
448 case 'nojs':
|
|
Chris@0
|
449 $this->drupalPostForm(NULL, $edit, t('Upload'));
|
|
Chris@0
|
450 break;
|
|
Chris@0
|
451 case 'js':
|
|
Chris@0
|
452 $button = $this->xpath('//input[@type="submit" and @value="' . t('Upload') . '"]');
|
|
Chris@0
|
453 $this->drupalPostAjaxForm(NULL, $edit, [(string) $button[0]['name'] => (string) $button[0]['value']]);
|
|
Chris@0
|
454 break;
|
|
Chris@0
|
455 }
|
|
Chris@0
|
456 $this->assertNoRaw($error_message, t('Validation error removed when file with correct extension uploaded (JSMode=%type).', ['%type' => $type]));
|
|
Chris@0
|
457 }
|
|
Chris@0
|
458 }
|
|
Chris@0
|
459
|
|
Chris@0
|
460 /**
|
|
Chris@0
|
461 * Tests file widget element.
|
|
Chris@0
|
462 */
|
|
Chris@0
|
463 public function testWidgetElement() {
|
|
Chris@0
|
464 $field_name = Unicode::strtolower($this->randomMachineName());
|
|
Chris@0
|
465 $html_name = str_replace('_', '-', $field_name);
|
|
Chris@0
|
466 $this->createFileField($field_name, 'node', 'article', ['cardinality' => FieldStorageConfig::CARDINALITY_UNLIMITED]);
|
|
Chris@0
|
467 $file = $this->getTestFile('text');
|
|
Chris@0
|
468 $xpath = "//details[@data-drupal-selector='edit-$html_name']/div[@class='details-wrapper']/table";
|
|
Chris@0
|
469
|
|
Chris@0
|
470 $this->drupalGet('node/add/article');
|
|
Chris@0
|
471
|
|
Chris@0
|
472 $elements = $this->xpath($xpath);
|
|
Chris@0
|
473
|
|
Chris@0
|
474 // If the field has no item, the table should not be visible.
|
|
Chris@0
|
475 $this->assertIdentical(count($elements), 0);
|
|
Chris@0
|
476
|
|
Chris@0
|
477 // Upload a file.
|
|
Chris@0
|
478 $edit['files[' . $field_name . '_0][]'] = $this->container->get('file_system')->realpath($file->getFileUri());
|
|
Chris@0
|
479 $this->drupalPostAjaxForm(NULL, $edit, "{$field_name}_0_upload_button");
|
|
Chris@0
|
480
|
|
Chris@0
|
481 $elements = $this->xpath($xpath);
|
|
Chris@0
|
482
|
|
Chris@0
|
483 // If the field has at least a item, the table should be visible.
|
|
Chris@0
|
484 $this->assertIdentical(count($elements), 1);
|
|
Chris@0
|
485
|
|
Chris@0
|
486 // Test for AJAX error when using progress bar on file field widget
|
|
Chris@0
|
487 $key = $this->randomMachineName();
|
|
Chris@0
|
488 $this->drupalPost('file/progress/' . $key, 'application/json', []);
|
|
Chris@0
|
489 $this->assertNoResponse(500, t('No AJAX error when using progress bar on file field widget'));
|
|
Chris@0
|
490 $this->assertText('Starting upload...');
|
|
Chris@0
|
491 }
|
|
Chris@0
|
492
|
|
Chris@0
|
493 /**
|
|
Chris@0
|
494 * Tests exploiting the temporary file removal of another user using fid.
|
|
Chris@0
|
495 */
|
|
Chris@0
|
496 public function testTemporaryFileRemovalExploit() {
|
|
Chris@0
|
497 // Create a victim user.
|
|
Chris@0
|
498 $victim_user = $this->drupalCreateUser();
|
|
Chris@0
|
499
|
|
Chris@0
|
500 // Create an attacker user.
|
|
Chris@0
|
501 $attacker_user = $this->drupalCreateUser([
|
|
Chris@0
|
502 'access content',
|
|
Chris@0
|
503 'create article content',
|
|
Chris@0
|
504 'edit any article content',
|
|
Chris@0
|
505 ]);
|
|
Chris@0
|
506
|
|
Chris@0
|
507 // Log in as the attacker user.
|
|
Chris@0
|
508 $this->drupalLogin($attacker_user);
|
|
Chris@0
|
509
|
|
Chris@0
|
510 // Perform tests using the newly created users.
|
|
Chris@0
|
511 $this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user);
|
|
Chris@0
|
512 }
|
|
Chris@0
|
513
|
|
Chris@0
|
514 /**
|
|
Chris@0
|
515 * Tests exploiting the temporary file removal for anonymous users using fid.
|
|
Chris@0
|
516 */
|
|
Chris@0
|
517 public function testTemporaryFileRemovalExploitAnonymous() {
|
|
Chris@0
|
518 // Set up an anonymous victim user.
|
|
Chris@0
|
519 $victim_user = User::getAnonymousUser();
|
|
Chris@0
|
520
|
|
Chris@0
|
521 // Set up an anonymous attacker user.
|
|
Chris@0
|
522 $attacker_user = User::getAnonymousUser();
|
|
Chris@0
|
523
|
|
Chris@0
|
524 // Set up permissions for anonymous attacker user.
|
|
Chris@0
|
525 user_role_change_permissions(RoleInterface::ANONYMOUS_ID, [
|
|
Chris@0
|
526 'access content' => TRUE,
|
|
Chris@0
|
527 'create article content' => TRUE,
|
|
Chris@0
|
528 'edit any article content' => TRUE,
|
|
Chris@0
|
529 ]);
|
|
Chris@0
|
530
|
|
Chris@0
|
531 // Log out so as to be the anonymous attacker user.
|
|
Chris@0
|
532 $this->drupalLogout();
|
|
Chris@0
|
533
|
|
Chris@0
|
534 // Perform tests using the newly set up anonymous users.
|
|
Chris@0
|
535 $this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user);
|
|
Chris@0
|
536 }
|
|
Chris@0
|
537
|
|
Chris@0
|
538 /**
|
|
Chris@0
|
539 * Helper for testing exploiting the temporary file removal using fid.
|
|
Chris@0
|
540 *
|
|
Chris@0
|
541 * @param \Drupal\user\UserInterface $victim_user
|
|
Chris@0
|
542 * The victim user.
|
|
Chris@0
|
543 * @param \Drupal\user\UserInterface $attacker_user
|
|
Chris@0
|
544 * The attacker user.
|
|
Chris@0
|
545 */
|
|
Chris@0
|
546 protected function doTestTemporaryFileRemovalExploit(UserInterface $victim_user, UserInterface $attacker_user) {
|
|
Chris@0
|
547 $type_name = 'article';
|
|
Chris@0
|
548 $field_name = 'test_file_field';
|
|
Chris@0
|
549 $this->createFileField($field_name, 'node', $type_name);
|
|
Chris@0
|
550
|
|
Chris@0
|
551 $test_file = $this->getTestFile('text');
|
|
Chris@0
|
552 foreach (['nojs', 'js'] as $type) {
|
|
Chris@0
|
553 // Create a temporary file owned by the victim user. This will be as if
|
|
Chris@0
|
554 // they had uploaded the file, but not saved the node they were editing
|
|
Chris@0
|
555 // or creating.
|
|
Chris@0
|
556 $victim_tmp_file = $this->createTemporaryFile('some text', $victim_user);
|
|
Chris@0
|
557 $victim_tmp_file = File::load($victim_tmp_file->id());
|
|
Chris@0
|
558 $this->assertTrue($victim_tmp_file->isTemporary(), 'New file saved to disk is temporary.');
|
|
Chris@0
|
559 $this->assertFalse(empty($victim_tmp_file->id()), 'New file has an fid.');
|
|
Chris@0
|
560 $this->assertEqual($victim_user->id(), $victim_tmp_file->getOwnerId(), 'New file belongs to the victim.');
|
|
Chris@0
|
561
|
|
Chris@0
|
562 // Have attacker create a new node with a different uploaded file and
|
|
Chris@0
|
563 // ensure it got uploaded successfully.
|
|
Chris@0
|
564 $edit = [
|
|
Chris@0
|
565 'title[0][value]' => $type . '-title' ,
|
|
Chris@0
|
566 ];
|
|
Chris@0
|
567
|
|
Chris@0
|
568 // Attach a file to a node.
|
|
Chris@0
|
569 $edit['files[' . $field_name . '_0]'] = $this->container->get('file_system')->realpath($test_file->getFileUri());
|
|
Chris@0
|
570 $this->drupalPostForm(Url::fromRoute('node.add', ['node_type' => $type_name]), $edit, t('Save'));
|
|
Chris@0
|
571 $node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
|
|
Chris@0
|
572
|
|
Chris@0
|
573 /** @var \Drupal\file\FileInterface $node_file */
|
|
Chris@0
|
574 $node_file = File::load($node->{$field_name}->target_id);
|
|
Chris@0
|
575 $this->assertFileExists($node_file, 'A file was saved to disk on node creation');
|
|
Chris@0
|
576 $this->assertEqual($attacker_user->id(), $node_file->getOwnerId(), 'New file belongs to the attacker.');
|
|
Chris@0
|
577
|
|
Chris@0
|
578 // Ensure the file can be downloaded.
|
|
Chris@0
|
579 $this->drupalGet(file_create_url($node_file->getFileUri()));
|
|
Chris@0
|
580 $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
|
|
Chris@0
|
581
|
|
Chris@0
|
582 // "Click" the remove button (emulating either a nojs or js submission).
|
|
Chris@0
|
583 // In this POST request, the attacker "guesses" the fid of the victim's
|
|
Chris@0
|
584 // temporary file and uses that to remove this file.
|
|
Chris@0
|
585 $this->drupalGet($node->toUrl('edit-form'));
|
|
Chris@0
|
586 switch ($type) {
|
|
Chris@0
|
587 case 'nojs':
|
|
Chris@0
|
588 $this->drupalPostForm(NULL, [$field_name . '[0][fids]' => (string) $victim_tmp_file->id()], 'Remove');
|
|
Chris@0
|
589 break;
|
|
Chris@0
|
590
|
|
Chris@0
|
591 case 'js':
|
|
Chris@0
|
592 $this->drupalPostAjaxForm(NULL, [$field_name . '[0][fids]' => (string) $victim_tmp_file->id()], ["{$field_name}_0_remove_button" => 'Remove']);
|
|
Chris@0
|
593 break;
|
|
Chris@0
|
594 }
|
|
Chris@0
|
595
|
|
Chris@0
|
596 // The victim's temporary file should not be removed by the attacker's
|
|
Chris@0
|
597 // POST request.
|
|
Chris@0
|
598 $this->assertFileExists($victim_tmp_file);
|
|
Chris@0
|
599 }
|
|
Chris@0
|
600 }
|
|
Chris@0
|
601
|
|
Chris@0
|
602 }
|
