Mercurial > hg > isophonics-drupal-site
comparison core/modules/quickedit/tests/src/Functional/QuickEditEndPointAccessTest.php @ 18:af1871eacc83
Update to Drupal core 8.7.1
| author | Chris Cannam |
|---|---|
| date | Thu, 09 May 2019 15:33:08 +0100 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| 17:129ea1e6d783 | 18:af1871eacc83 |
|---|---|
| 1 <?php | |
| 2 | |
| 3 namespace Drupal\Tests\quickedit\Functional; | |
| 4 | |
| 5 use Drupal\Component\Serialization\Json; | |
| 6 use Drupal\Core\EventSubscriber\MainContentViewSubscriber; | |
| 7 use Drupal\Tests\BrowserTestBase; | |
| 8 use GuzzleHttp\RequestOptions; | |
| 9 | |
| 10 /** | |
| 11 * Tests accessing the Quick Edit endpoints. | |
| 12 * | |
| 13 * @group quickedit | |
| 14 */ | |
| 15 class QuickEditEndPointAccessTest extends BrowserTestBase { | |
| 16 | |
| 17 /** | |
| 18 * {@inheritdoc} | |
| 19 */ | |
| 20 protected static $modules = [ | |
| 21 'quickedit', | |
| 22 'node', | |
| 23 ]; | |
| 24 | |
| 25 /** | |
| 26 * {@inheritdoc} | |
| 27 */ | |
| 28 protected function setUp() { | |
| 29 parent::setUp(); | |
| 30 $this->drupalCreateContentType([ | |
| 31 'type' => 'article', | |
| 32 'name' => 'Article', | |
| 33 ]); | |
| 34 } | |
| 35 | |
| 36 /** | |
| 37 * Tests that Quick Edit endpoints are protected from anonymous requests. | |
| 38 */ | |
| 39 public function testEndPointAccess() { | |
| 40 // Quick Edit's JavaScript would never hit these endpoints, but we need to | |
| 41 // make sure that malicious users aren't able to use any of the other | |
| 42 // endpoints either. | |
| 43 $url = $this->buildUrl('/quickedit/attachments'); | |
| 44 $post = ['editors[0]' => 'form']; | |
| 45 $this->assertAccessIsBlocked($url, $post); | |
| 46 | |
| 47 $node = $this->createNode(['type' => 'article']); | |
| 48 $url = $this->buildUrl('quickedit/form/node/' . $node->id() . '/body/en/full'); | |
| 49 $post = ['nocssjs' => 'true']; | |
| 50 $this->assertAccessIsBlocked($url, $post); | |
| 51 | |
| 52 $edit = []; | |
| 53 $edit['form_id'] = 'quickedit_field_form'; | |
| 54 $edit['form_token'] = 'xIOzMjuc-PULKsRn_KxFn7xzNk5Bx7XKXLfQfw1qOnA'; | |
| 55 $edit['form_build_id'] = 'form-kVmovBpyX-SJfTT5kY0pjTV35TV-znor--a64dEnMR8'; | |
| 56 $edit['body[0][summary]'] = ''; | |
| 57 $edit['body[0][value]'] = '<p>Malicious content.</p>'; | |
| 58 $edit['body[0][format]'] = 'filtered_html'; | |
| 59 $edit['op'] = t('Save'); | |
| 60 $this->assertAccessIsBlocked($url, $edit); | |
| 61 | |
| 62 $post = ['nocssjs' => 'true']; | |
| 63 $url = $this->buildUrl('quickedit/entity/node/' . $node->id()); | |
| 64 $this->assertAccessIsBlocked($url, $post); | |
| 65 } | |
| 66 | |
| 67 /** | |
| 68 * Asserts that access to the passed URL is blocked. | |
| 69 * | |
| 70 * @param string $url | |
| 71 * The URL to check. | |
| 72 * @param array $body | |
| 73 * The payload to send with the request. | |
| 74 */ | |
| 75 protected function assertAccessIsBlocked($url, array $body) { | |
| 76 $client = $this->getHttpClient(); | |
| 77 $message = ['message' => "The 'access in-place editing' permission is required."]; | |
| 78 | |
| 79 $response = $client->post($url, [ | |
| 80 RequestOptions::BODY => http_build_query($body), | |
| 81 RequestOptions::QUERY => [MainContentViewSubscriber::WRAPPER_FORMAT => 'drupal_ajax'], | |
| 82 RequestOptions::COOKIES => $this->getSessionCookies(), | |
| 83 RequestOptions::HEADERS => [ | |
| 84 'Accept' => 'application/json', | |
| 85 'Content-Type' => 'application/x-www-form-urlencoded', | |
| 86 ], | |
| 87 RequestOptions::HTTP_ERRORS => FALSE, | |
| 88 ]); | |
| 89 | |
| 90 $this->assertEquals(403, $response->getStatusCode()); | |
| 91 | |
| 92 $response_message = Json::decode($response->getBody()); | |
| 93 $this->assertSame($message, $response_message); | |
| 94 } | |
| 95 | |
| 96 } |