Chris@18: <?php
Chris@18: 
Chris@18: namespace Drupal\Tests\quickedit\Functional;
Chris@18: 
Chris@18: use Drupal\Component\Serialization\Json;
Chris@18: use Drupal\Core\EventSubscriber\MainContentViewSubscriber;
Chris@18: use Drupal\Tests\BrowserTestBase;
Chris@18: use GuzzleHttp\RequestOptions;
Chris@18: 
Chris@18: /**
Chris@18:  * Tests accessing the Quick Edit endpoints.
Chris@18:  *
Chris@18:  * @group quickedit
Chris@18:  */
Chris@18: class QuickEditEndPointAccessTest extends BrowserTestBase {
Chris@18: 
Chris@18:   /**
Chris@18:    * {@inheritdoc}
Chris@18:    */
Chris@18:   protected static $modules = [
Chris@18:     'quickedit',
Chris@18:     'node',
Chris@18:   ];
Chris@18: 
Chris@18:   /**
Chris@18:    * {@inheritdoc}
Chris@18:    */
Chris@18:   protected function setUp() {
Chris@18:     parent::setUp();
Chris@18:     $this->drupalCreateContentType([
Chris@18:       'type' => 'article',
Chris@18:       'name' => 'Article',
Chris@18:     ]);
Chris@18:   }
Chris@18: 
Chris@18:   /**
Chris@18:    * Tests that Quick Edit endpoints are protected from anonymous requests.
Chris@18:    */
Chris@18:   public function testEndPointAccess() {
Chris@18:     // Quick Edit's JavaScript would never hit these endpoints, but we need to
Chris@18:     // make sure that malicious users aren't able to use any of the other
Chris@18:     // endpoints either.
Chris@18:     $url = $this->buildUrl('/quickedit/attachments');
Chris@18:     $post = ['editors[0]' => 'form'];
Chris@18:     $this->assertAccessIsBlocked($url, $post);
Chris@18: 
Chris@18:     $node = $this->createNode(['type' => 'article']);
Chris@18:     $url = $this->buildUrl('quickedit/form/node/' . $node->id() . '/body/en/full');
Chris@18:     $post = ['nocssjs' => 'true'];
Chris@18:     $this->assertAccessIsBlocked($url, $post);
Chris@18: 
Chris@18:     $edit = [];
Chris@18:     $edit['form_id'] = 'quickedit_field_form';
Chris@18:     $edit['form_token'] = 'xIOzMjuc-PULKsRn_KxFn7xzNk5Bx7XKXLfQfw1qOnA';
Chris@18:     $edit['form_build_id'] = 'form-kVmovBpyX-SJfTT5kY0pjTV35TV-znor--a64dEnMR8';
Chris@18:     $edit['body[0][summary]'] = '';
Chris@18:     $edit['body[0][value]'] = '<p>Malicious content.</p>';
Chris@18:     $edit['body[0][format]'] = 'filtered_html';
Chris@18:     $edit['op'] = t('Save');
Chris@18:     $this->assertAccessIsBlocked($url, $edit);
Chris@18: 
Chris@18:     $post = ['nocssjs' => 'true'];
Chris@18:     $url = $this->buildUrl('quickedit/entity/node/' . $node->id());
Chris@18:     $this->assertAccessIsBlocked($url, $post);
Chris@18:   }
Chris@18: 
Chris@18:   /**
Chris@18:    * Asserts that access to the passed URL is blocked.
Chris@18:    *
Chris@18:    * @param string $url
Chris@18:    *   The URL to check.
Chris@18:    * @param array $body
Chris@18:    *   The payload to send with the request.
Chris@18:    */
Chris@18:   protected function assertAccessIsBlocked($url, array $body) {
Chris@18:     $client = $this->getHttpClient();
Chris@18:     $message = ['message' => "The 'access in-place editing' permission is required."];
Chris@18: 
Chris@18:     $response = $client->post($url, [
Chris@18:       RequestOptions::BODY => http_build_query($body),
Chris@18:       RequestOptions::QUERY => [MainContentViewSubscriber::WRAPPER_FORMAT => 'drupal_ajax'],
Chris@18:       RequestOptions::COOKIES => $this->getSessionCookies(),
Chris@18:       RequestOptions::HEADERS => [
Chris@18:         'Accept' => 'application/json',
Chris@18:         'Content-Type' => 'application/x-www-form-urlencoded',
Chris@18:       ],
Chris@18:       RequestOptions::HTTP_ERRORS => FALSE,
Chris@18:     ]);
Chris@18: 
Chris@18:     $this->assertEquals(403, $response->getStatusCode());
Chris@18: 
Chris@18:     $response_message = Json::decode($response->getBody());
Chris@18:     $this->assertSame($message, $response_message);
Chris@18:   }
Chris@18: 
Chris@18: }