annotate core/modules/quickedit/tests/src/Functional/QuickEditEndPointAccessTest.php @ 19:fa3358dc1485 tip

Add ndrum files
author Chris Cannam
date Wed, 28 Aug 2019 13:14:47 +0100
parents af1871eacc83
children
Chris@18 1 <?php
Chris@18 2
Chris@18 3 namespace Drupal\Tests\quickedit\Functional;
Chris@18 4
Chris@18 5 use Drupal\Component\Serialization\Json;
Chris@18 6 use Drupal\Core\EventSubscriber\MainContentViewSubscriber;
Chris@18 7 use Drupal\Tests\BrowserTestBase;
Chris@18 8 use GuzzleHttp\RequestOptions;
Chris@18 9
Chris@18 10 /**
Chris@18 11 * Tests accessing the Quick Edit endpoints.
Chris@18 12 *
Chris@18 13 * @group quickedit
Chris@18 14 */
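class QuickEditEndPointAccessTest extends BrowserTestBase {

  /**
   * {@inheritdoc}
   */
  protected static $modules = [
    'quickedit',
    'node',
  ];

  /**
   * {@inheritdoc}
   */
  protected function setUp() {
    parent::setUp();
    // The 'article' bundle is what the node created in testEndPointAccess()
    // uses. No user is logged in here, so every request in this test is made
    // as the anonymous user.
    $this->drupalCreateContentType([
      'type' => 'article',
      'name' => 'Article',
    ]);
  }

  /**
   * Tests that Quick Edit endpoints are protected from anonymous requests.
   *
   * Each endpoint is hit with a plausible payload and must answer 403 with the
   * permission-denied message, i.e. the access check has to reject the request
   * before anything in the request body is acted upon.
   */
  public function testEndPointAccess() {
    // Quick Edit's JavaScript would never hit these endpoints, but we need to
    // make sure that malicious users aren't able to use any of the other
    // endpoints either.
    $this->assertAccessIsBlocked(
      $this->buildUrl('/quickedit/attachments'),
      ['editors[0]' => 'form']
    );

    $node = $this->createNode(['type' => 'article']);
    // Shared by the form and entity endpoints below.
    $nocssjs = ['nocssjs' => 'true'];

    // Requesting the in-place edit form for the node's body field.
    $form_url = $this->buildUrl('quickedit/form/node/' . $node->id() . '/body/en/full');
    $this->assertAccessIsBlocked($form_url, $nocssjs);

    // Submitting that same form. form_token and form_build_id are fixed
    // literals rather than values issued by this site; the asserted 403 and its
    // message show the access check rejects the request before the form is
    // processed at all.
    $edit = [
      'form_id' => 'quickedit_field_form',
      'form_token' => 'xIOzMjuc-PULKsRn_KxFn7xzNk5Bx7XKXLfQfw1qOnA',
      'form_build_id' => 'form-kVmovBpyX-SJfTT5kY0pjTV35TV-znor--a64dEnMR8',
      'body[0][summary]' => '',
      'body[0][value]' => '<p>Malicious content.</p>',
      'body[0][format]' => 'filtered_html',
      'op' => t('Save'),
    ];
    $this->assertAccessIsBlocked($form_url, $edit);

    // Saving the entity itself.
    $this->assertAccessIsBlocked(
      $this->buildUrl('quickedit/entity/node/' . $node->id()),
      $nocssjs
    );
  }

  /**
   * Asserts that access to the passed URL is blocked.
   *
   * Posts $body form-encoded, with the 'drupal_ajax' wrapper format in the
   * query string, a JSON Accept header and the current session's cookies, and
   * asserts a 403 response whose JSON body is exactly the permission-denied
   * message. The client is told not to throw on HTTP errors so the 403 can be
   * inspected as a normal response.
   *
   * @param string $url
   *   The URL to check.
   * @param array $body
   *   The payload to send with the request.
   */
  protected function assertAccessIsBlocked($url, array $body) {
    $client = $this->getHttpClient();
    $expected = ['message' => "The 'access in-place editing' permission is required."];

    $response = $client->post($url, [
      RequestOptions::BODY => http_build_query($body),
      RequestOptions::QUERY => [MainContentViewSubscriber::WRAPPER_FORMAT => 'drupal_ajax'],
      RequestOptions::COOKIES => $this->getSessionCookies(),
      RequestOptions::HEADERS => [
        'Accept' => 'application/json',
        'Content-Type' => 'application/x-www-form-urlencoded',
      ],
      // A 4xx must come back as a response, not as a Guzzle exception.
      RequestOptions::HTTP_ERRORS => FALSE,
    ]);

    // The status code is an int; assertSame keeps a loosely-equal "403" string
    // from passing.
    $this->assertSame(403, $response->getStatusCode());

    // Strict comparison of the whole decoded payload: a different message, or
    // any additional data alongside it, also fails the assertion.
    $this->assertSame($expected, Json::decode((string) $response->getBody()));
  }

}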