Chris@17: <?php
Chris@17: 
Chris@17: namespace Drupal\Tests\search\Functional;
Chris@17: 
Chris@17: use Behat\Mink\Exception\ResponseTextException;
Chris@17: use Drupal\comment\Plugin\Field\FieldType\CommentItemInterface;
Chris@17: use Drupal\comment\Tests\CommentTestTrait;
Chris@17: use Drupal\field\Entity\FieldConfig;
Chris@17: use Drupal\Tests\BrowserTestBase;
Chris@17: use Drupal\Tests\Traits\Core\CronRunTrait;
Chris@17: use Drupal\user\RoleInterface;
Chris@17: use Drupal\filter\Entity\FilterFormat;
Chris@17: 
Chris@17: /**
Chris@17:  * Tests integration searching comments.
Chris@17:  *
Chris@17:  * @group search
Chris@17:  */
Chris@17: class SearchCommentTest extends BrowserTestBase {
Chris@17: 
Chris@17:   use CommentTestTrait;
Chris@17:   use CronRunTrait;
Chris@17: 
Chris@17:   /**
Chris@17:    * {@inheritdoc}
Chris@17:    */
Chris@17:   protected static $modules = ['filter', 'node', 'comment', 'search'];
Chris@17: 
Chris@17:   /**
Chris@17:    * Test subject for comments.
Chris@17:    *
Chris@17:    * @var string
Chris@17:    */
Chris@17:   protected $commentSubject;
Chris@17: 
Chris@17:   /**
Chris@17:    * ID for the administrator role.
Chris@17:    *
Chris@17:    * @var string
Chris@17:    */
Chris@17:   protected $adminRole;
Chris@17: 
Chris@17:   /**
Chris@17:    * A user with various administrative permissions.
Chris@17:    *
Chris@17:    * @var \Drupal\user\UserInterface
Chris@17:    */
Chris@17:   protected $adminUser;
Chris@17: 
Chris@17:   /**
Chris@17:    * Test node for searching.
Chris@17:    *
Chris@17:    * @var \Drupal\node\NodeInterface
Chris@17:    */
Chris@17:   protected $node;
Chris@17: 
Chris@17:   protected function setUp() {
Chris@17:     parent::setUp();
Chris@17: 
Chris@17:     $this->drupalCreateContentType(['type' => 'page', 'name' => 'Basic page']);
Chris@17:     $this->drupalCreateContentType(['type' => 'article', 'name' => 'Article']);
Chris@17: 
Chris@17:     $full_html_format = FilterFormat::create([
Chris@17:       'format' => 'full_html',
Chris@17:       'name' => 'Full HTML',
Chris@17:       'weight' => 1,
Chris@17:       'filters' => [],
Chris@17:     ]);
Chris@17:     $full_html_format->save();
Chris@17: 
Chris@17:     // Create and log in an administrative user having access to the Full HTML
Chris@17:     // text format.
Chris@17:     $permissions = [
Chris@17:       'administer filters',
Chris@17:       $full_html_format->getPermissionName(),
Chris@17:       'administer permissions',
Chris@17:       'create page content',
Chris@17:       'post comments',
Chris@17:       'skip comment approval',
Chris@17:       'access comments',
Chris@17:     ];
Chris@17:     $this->adminUser = $this->drupalCreateUser($permissions);
Chris@17:     $this->drupalLogin($this->adminUser);
Chris@17:     // Add a comment field.
Chris@17:     $this->addDefaultCommentField('node', 'article');
Chris@17:   }
Chris@17: 
Chris@17:   /**
Chris@17:    * Verify that comments are rendered using proper format in search results.
Chris@17:    */
Chris@17:   public function testSearchResultsComment() {
Chris@17:     $node_storage = $this->container->get('entity.manager')->getStorage('node');
Chris@17:     // Create basic_html format that escapes all HTML.
Chris@17:     $basic_html_format = FilterFormat::create([
Chris@17:       'format' => 'basic_html',
Chris@17:       'name' => 'Basic HTML',
Chris@17:       'weight' => 1,
Chris@17:       'filters' => [
Chris@17:         'filter_html_escape' => ['status' => 1],
Chris@17:       ],
Chris@17:       'roles' => [RoleInterface::AUTHENTICATED_ID],
Chris@17:     ]);
Chris@17:     $basic_html_format->save();
Chris@17: 
Chris@17:     $comment_body = 'Test comment body';
Chris@17: 
Chris@17:     // Make preview optional.
Chris@17:     $field = FieldConfig::loadByName('node', 'article', 'comment');
Chris@17:     $field->setSetting('preview', DRUPAL_OPTIONAL);
Chris@17:     $field->save();
Chris@17: 
Chris@17:     // Allow anonymous users to search content.
Chris@17:     $edit = [
Chris@17:       RoleInterface::ANONYMOUS_ID . '[search content]' => 1,
Chris@17:       RoleInterface::ANONYMOUS_ID . '[access comments]' => 1,
Chris@17:       RoleInterface::ANONYMOUS_ID . '[post comments]' => 1,
Chris@17:     ];
Chris@17:     $this->drupalPostForm('admin/people/permissions', $edit, t('Save permissions'));
Chris@17: 
Chris@17:     // Create a node.
Chris@17:     $node = $this->drupalCreateNode(['type' => 'article']);
Chris@17:     // Post a comment using 'Full HTML' text format.
Chris@17:     $edit_comment = [];
Chris@17:     $edit_comment['subject[0][value]'] = 'Test comment subject';
Chris@17:     $edit_comment['comment_body[0][value]'] = '<h1>' . $comment_body . '</h1>';
Chris@17:     $full_html_format_id = 'full_html';
Chris@17:     $edit_comment['comment_body[0][format]'] = $full_html_format_id;
Chris@17:     $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment, t('Save'));
Chris@17: 
Chris@17:     // Post a comment with an evil script tag in the comment subject and a
Chris@17:     // script tag nearby a keyword in the comment body. Use the 'FULL HTML' text
Chris@17:     // format so the script tag stored.
Chris@17:     $edit_comment2 = [];
Chris@17:     $edit_comment2['subject[0][value]'] = "<script>alert('subjectkeyword');</script>";
Chris@17:     $edit_comment2['comment_body[0][value]'] = "nearbykeyword<script>alert('somethinggeneric');</script>";
Chris@17:     $edit_comment2['comment_body[0][format]'] = $full_html_format_id;
Chris@17:     $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment2, t('Save'));
Chris@17: 
Chris@17:     // Post a comment with a keyword inside an evil script tag in the comment
Chris@17:     // body. Use the 'FULL HTML' text format so the script tag is stored.
Chris@17:     $edit_comment3 = [];
Chris@17:     $edit_comment3['subject[0][value]'] = 'asubject';
Chris@17:     $edit_comment3['comment_body[0][value]'] = "<script>alert('insidekeyword');</script>";
Chris@17:     $edit_comment3['comment_body[0][format]'] = $full_html_format_id;
Chris@17:     $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment3, t('Save'));
Chris@17: 
Chris@17:     // Invoke search index update.
Chris@17:     $this->drupalLogout();
Chris@17:     $this->cronRun();
Chris@17: 
Chris@17:     // Search for the comment subject.
Chris@17:     $edit = [
Chris@17:       'keys' => "'" . $edit_comment['subject[0][value]'] . "'",
Chris@17:     ];
Chris@17:     $this->drupalPostForm('search/node', $edit, t('Search'));
Chris@17:     $node_storage->resetCache([$node->id()]);
Chris@17:     $node2 = $node_storage->load($node->id());
Chris@17:     $this->assertText($node2->label(), 'Node found in search results.');
Chris@17:     $this->assertText($edit_comment['subject[0][value]'], 'Comment subject found in search results.');
Chris@17: 
Chris@17:     // Search for the comment body.
Chris@17:     $edit = [
Chris@17:       'keys' => "'" . $comment_body . "'",
Chris@17:     ];
Chris@17:     $this->drupalPostForm(NULL, $edit, t('Search'));
Chris@17:     $this->assertText($node2->label(), 'Node found in search results.');
Chris@17: 
Chris@17:     // Verify that comment is rendered using proper format.
Chris@17:     $this->assertText($comment_body, 'Comment body text found in search results.');
Chris@17:     $this->assertNoRaw(t('n/a'), 'HTML in comment body is not hidden.');
Chris@17:     $this->assertNoEscaped($edit_comment['comment_body[0][value]'], 'HTML in comment body is not escaped.');
Chris@17: 
Chris@17:     // Search for the evil script comment subject.
Chris@17:     $edit = [
Chris@17:       'keys' => 'subjectkeyword',
Chris@17:     ];
Chris@17:     $this->drupalPostForm('search/node', $edit, t('Search'));
Chris@17: 
Chris@17:     // Verify the evil comment subject is escaped in search results.
Chris@17:     $this->assertRaw('&lt;script&gt;alert(&#039;<strong>subjectkeyword</strong>&#039;);');
Chris@17:     $this->assertNoRaw('<script>');
Chris@17: 
Chris@17:     // Search for the keyword near the evil script tag in the comment body.
Chris@17:     $edit = [
Chris@17:       'keys' => 'nearbykeyword',
Chris@17:     ];
Chris@17:     $this->drupalPostForm('search/node', $edit, t('Search'));
Chris@17: 
Chris@17:     // Verify that nearby script tag in the evil comment body is stripped from
Chris@17:     // search results.
Chris@17:     $this->assertRaw('<strong>nearbykeyword</strong>');
Chris@17:     $this->assertNoRaw('<script>');
Chris@17: 
Chris@17:     // Search for contents inside the evil script tag in the comment body.
Chris@17:     $edit = [
Chris@17:       'keys' => 'insidekeyword',
Chris@17:     ];
Chris@17:     $this->drupalPostForm('search/node', $edit, t('Search'));
Chris@17: 
Chris@17:     // @todo Verify the actual search results.
Chris@17:     //   https://www.drupal.org/node/2551135
Chris@17: 
Chris@17:     // Verify there is no script tag in search results.
Chris@17:     $this->assertNoRaw('<script>');
Chris@17: 
Chris@17:     // Hide comments.
Chris@17:     $this->drupalLogin($this->adminUser);
Chris@17:     $node->set('comment', CommentItemInterface::HIDDEN);
Chris@17:     $node->save();
Chris@17: 
Chris@17:     // Invoke search index update.
Chris@17:     $this->drupalLogout();
Chris@17:     $this->cronRun();
Chris@17: 
Chris@17:     // Search for $title.
Chris@17:     $this->drupalPostForm('search/node', $edit, t('Search'));
Chris@17:     $this->assertText(t('Your search yielded no results.'));
Chris@17:   }
Chris@17: 
Chris@17:   /**
Chris@17:    * Verify access rules for comment indexing with different permissions.
Chris@17:    */
Chris@17:   public function testSearchResultsCommentAccess() {
Chris@17:     $comment_body = 'Test comment body';
Chris@17:     $this->commentSubject = 'Test comment subject';
Chris@17:     $roles = $this->adminUser->getRoles(TRUE);
Chris@17:     $this->adminRole = $roles[0];
Chris@17: 
Chris@17:     // Create a node.
Chris@17:     // Make preview optional.
Chris@17:     $field = FieldConfig::loadByName('node', 'article', 'comment');
Chris@17:     $field->setSetting('preview', DRUPAL_OPTIONAL);
Chris@17:     $field->save();
Chris@17:     $this->node = $this->drupalCreateNode(['type' => 'article']);
Chris@17: 
Chris@17:     // Post a comment using 'Full HTML' text format.
Chris@17:     $edit_comment = [];
Chris@17:     $edit_comment['subject[0][value]'] = $this->commentSubject;
Chris@17:     $edit_comment['comment_body[0][value]'] = '<h1>' . $comment_body . '</h1>';
Chris@17:     $this->drupalPostForm('comment/reply/node/' . $this->node->id() . '/comment', $edit_comment, t('Save'));
Chris@17: 
Chris@17:     $this->drupalLogout();
Chris@17:     $this->setRolePermissions(RoleInterface::ANONYMOUS_ID);
Chris@17:     $this->assertCommentAccess(FALSE, 'Anon user has search permission but no access comments permission, comments should not be indexed');
Chris@17: 
Chris@17:     $this->setRolePermissions(RoleInterface::ANONYMOUS_ID, TRUE);
Chris@17:     $this->assertCommentAccess(TRUE, 'Anon user has search permission and access comments permission, comments should be indexed');
Chris@17: 
Chris@17:     $this->drupalLogin($this->adminUser);
Chris@17:     $this->drupalGet('admin/people/permissions');
Chris@17: 
Chris@17:     // Disable search access for authenticated user to test admin user.
Chris@17:     $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, FALSE, FALSE);
Chris@17: 
Chris@17:     $this->setRolePermissions($this->adminRole);
Chris@17:     $this->assertCommentAccess(FALSE, 'Admin user has search permission but no access comments permission, comments should not be indexed');
Chris@17: 
Chris@17:     $this->drupalGet('node/' . $this->node->id());
Chris@17:     $this->setRolePermissions($this->adminRole, TRUE);
Chris@17:     $this->assertCommentAccess(TRUE, 'Admin user has search permission and access comments permission, comments should be indexed');
Chris@17: 
Chris@17:     $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID);
Chris@17:     $this->assertCommentAccess(FALSE, 'Authenticated user has search permission but no access comments permission, comments should not be indexed');
Chris@17: 
Chris@17:     $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, TRUE);
Chris@17:     $this->assertCommentAccess(TRUE, 'Authenticated user has search permission and access comments permission, comments should be indexed');
Chris@17: 
Chris@17:     // Verify that access comments permission is inherited from the
Chris@17:     // authenticated role.
Chris@17:     $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, TRUE, FALSE);
Chris@17:     $this->setRolePermissions($this->adminRole);
Chris@17:     $this->assertCommentAccess(TRUE, 'Admin user has search permission and no access comments permission, but comments should be indexed because admin user inherits authenticated user\'s permission to access comments');
Chris@17: 
Chris@17:     // Verify that search content permission is inherited from the authenticated
Chris@17:     // role.
Chris@17:     $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, TRUE, TRUE);
Chris@17:     $this->setRolePermissions($this->adminRole, TRUE, FALSE);
Chris@17:     $this->assertCommentAccess(TRUE, 'Admin user has access comments permission and no search permission, but comments should be indexed because admin user inherits authenticated user\'s permission to search');
Chris@17:   }
Chris@17: 
Chris@17:   /**
Chris@17:    * Set permissions for role.
Chris@17:    */
Chris@17:   public function setRolePermissions($rid, $access_comments = FALSE, $search_content = TRUE) {
Chris@17:     $permissions = [
Chris@17:       'access comments' => $access_comments,
Chris@17:       'search content' => $search_content,
Chris@17:     ];
Chris@17:     user_role_change_permissions($rid, $permissions);
Chris@17:   }
Chris@17: 
Chris@17:   /**
Chris@17:    * Update search index and search for comment.
Chris@17:    */
Chris@17:   public function assertCommentAccess($assume_access, $message) {
Chris@17:     // Invoke search index update.
Chris@17:     search_mark_for_reindex('node_search', $this->node->id());
Chris@17:     $this->cronRun();
Chris@17: 
Chris@17:     // Search for the comment subject.
Chris@17:     $edit = [
Chris@17:       'keys' => "'" . $this->commentSubject . "'",
Chris@17:     ];
Chris@17:     $this->drupalPostForm('search/node', $edit, t('Search'));
Chris@17: 
Chris@17:     try {
Chris@17:       if ($assume_access) {
Chris@17:         $this->assertSession()->pageTextContains($this->node->label());
Chris@17:         $this->assertSession()->pageTextContains($this->commentSubject);
Chris@17:       }
Chris@17:       else {
Chris@17:         $this->assertSession()->pageTextContains(t('Your search yielded no results.'));
Chris@17:       }
Chris@17:     }
Chris@17:     catch (ResponseTextException $exception) {
Chris@17:       $this->fail($message);
Chris@17:     }
Chris@17:   }
Chris@17: 
Chris@17:   /**
Chris@17:    * Verify that 'add new comment' does not appear in search results or index.
Chris@17:    */
Chris@17:   public function testAddNewComment() {
Chris@17:     // Create a node with a short body.
Chris@17:     $settings = [
Chris@17:       'type' => 'article',
Chris@17:       'title' => 'short title',
Chris@17:       'body' => [['value' => 'short body text']],
Chris@17:     ];
Chris@17: 
Chris@17:     $user = $this->drupalCreateUser([
Chris@17:       'search content',
Chris@17:       'create article content',
Chris@17:       'access content',
Chris@17:       'post comments',
Chris@17:       'access comments',
Chris@17:     ]);
Chris@17:     $this->drupalLogin($user);
Chris@17: 
Chris@17:     $node = $this->drupalCreateNode($settings);
Chris@17:     // Verify that if you view the node on its own page, 'add new comment'
Chris@17:     // is there.
Chris@17:     $this->drupalGet('node/' . $node->id());
Chris@17:     $this->assertText(t('Add new comment'));
Chris@17: 
Chris@17:     // Run cron to index this page.
Chris@17:     $this->drupalLogout();
Chris@17:     $this->cronRun();
Chris@17: 
Chris@17:     // Search for 'comment'. Should be no results.
Chris@17:     $this->drupalLogin($user);
Chris@17:     $this->drupalPostForm('search/node', ['keys' => 'comment'], t('Search'));
Chris@17:     $this->assertText(t('Your search yielded no results'));
Chris@17: 
Chris@17:     // Search for the node title. Should be found, and 'Add new comment' should
Chris@17:     // not be part of the search snippet.
Chris@17:     $this->drupalPostForm('search/node', ['keys' => 'short'], t('Search'));
Chris@17:     $this->assertText($node->label(), 'Search for keyword worked');
Chris@17:     $this->assertNoText(t('Add new comment'));
Chris@17:   }
Chris@17: 
Chris@17: }