Mercurial > hg > isophonics-drupal-site

comparison core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php @ 17:129ea1e6d783

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Update, including to Drupal core 8.6.10
author Chris Cannam
date Thu, 28 Feb 2019 13:21:36 +0000
parents 4c8ae668cc8c
children
comparison
equal deleted inserted replaced
16:c2387f117808 17:129ea1e6d783
2 2
3 namespace Drupal\Tests\system\Functional; 3 namespace Drupal\Tests\system\Functional;
4 4
5 use Drupal\Core\Url; 5 use Drupal\Core\Url;
6 use Drupal\Tests\BrowserTestBase; 6 use Drupal\Tests\BrowserTestBase;
7 use GuzzleHttp\Cookie\CookieJar;
8 7
9 /** 8 /**
10 * Tests protecting routes by requiring CSRF token in the request header. 9 * Tests protecting routes by requiring CSRF token in the request header.
11 * 10 *
12 * @group system 11 * @group system
25 * 24 *
26 * This checks one route that uses _csrf_request_header_token and one that 25 * This checks one route that uses _csrf_request_header_token and one that
27 * uses the deprecated _access_rest_csrf. 26 * uses the deprecated _access_rest_csrf.
28 */ 27 */
29 public function testRouteAccess() { 28 public function testRouteAccess() {
30 $client = \Drupal::httpClient(); 29 $client = $this->getHttpClient();
31 $csrf_token_paths = ['deprecated/session/token', 'session/token']; 30 $csrf_token_paths = ['deprecated/session/token', 'session/token'];
32 // Test using the both the current path and a test path that returns 31 // Test using the both the current path and a test path that returns
33 // a token using the deprecated 'rest' value. 32 // a token using the deprecated 'rest' value.
34 // Checking /deprecated/session/token can be removed in 8.3. 33 // Checking /deprecated/session/token can be removed in 8.3.
35 // @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access() 34 // @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
42 41
43 $csrf_token = $this->drupalGet($csrf_token_path); 42 $csrf_token = $this->drupalGet($csrf_token_path);
44 $url = Url::fromRoute($route_name) 43 $url = Url::fromRoute($route_name)
45 ->setAbsolute(TRUE) 44 ->setAbsolute(TRUE)
46 ->toString(); 45 ->toString();
47 $domain = parse_url($url, PHP_URL_HOST);
48
49 $session_id = $this->getSession()->getCookie($this->getSessionName());
50 /** @var \GuzzleHttp\Cookie\CookieJar $cookies */
51 $cookies = CookieJar::fromArray([$this->getSessionName() => $session_id], $domain);
52 $post_options = [ 46 $post_options = [
53 'headers' => ['Accept' => 'text/plain'], 47 'headers' => ['Accept' => 'text/plain'],
54 'http_errors' => FALSE, 48 'http_errors' => FALSE,
55 ]; 49 ];
56 50
58 $result = $client->post($url, $post_options); 52 $result = $client->post($url, $post_options);
59 $this->assertEquals(200, $result->getStatusCode()); 53 $this->assertEquals(200, $result->getStatusCode());
60 54
61 // Add cookies to POST options so that all other requests are for the 55 // Add cookies to POST options so that all other requests are for the
62 // authenticated user. 56 // authenticated user.
63 $post_options['cookies'] = $cookies; 57 $post_options['cookies'] = $this->getSessionCookies();
64 58
65 // Test that access is denied with no token in header. 59 // Test that access is denied with no token in header.
66 $result = $client->post($url, $post_options); 60 $result = $client->post($url, $post_options);
67 $this->assertEquals(403, $result->getStatusCode()); 61 $this->assertEquals(403, $result->getStatusCode());
68 62