<?php

namespace Drupal\Tests\quickedit\Functional;

use Drupal\Component\Serialization\Json;
use Drupal\Core\EventSubscriber\MainContentViewSubscriber;
use Drupal\Tests\BrowserTestBase;
use GuzzleHttp\RequestOptions;

/**
 * Tests accessing the Quick Edit endpoints.
 *
 * @group quickedit
 * @group legacy
 */
class QuickEditEndPointAccessTest extends BrowserTestBase {

    /**
     * {@inheritdoc}
     */
    protected static $modules = [
        'quickedit',
        'node',
    ];

    /**
     * {@inheritdoc}
     */
    protected $defaultTheme = 'stark';

    /**
     * {@inheritdoc}
     */
    protected function setUp() : void {
        parent::setUp();
        // The node-bound endpoints under test are exercised against an article.
        $this->drupalCreateContentType([
            'type' => 'article',
            'name' => 'Article',
        ]);
    }

    /**
     * Tests that Quick Edit endpoints are protected from anonymous requests.
     *
     * The HTTP client is never logged in, so every request below is made with
     * an anonymous session. Each endpoint is expected to answer 403 with the
     * permission message; a user who holds the permission is not covered here.
     */
    public function testEndPointAccess() {
        // Quick Edit's JavaScript would never hit these endpoints, but we need to
        // make sure that malicious users aren't able to use any of the other
        // endpoints either.
        $this->assertAccessIsBlocked(
            $this->buildUrl('/quickedit/attachments'),
            ['editors[0]' => 'form']
        );

        $article = $this->createNode([
            'type' => 'article',
        ]);
        $formEndpoint = $this->buildUrl('quickedit/form/node/' . $article->id() . '/body/en/full');

        // Request the field form with no field values at all.
        $this->assertAccessIsBlocked($formEndpoint, ['nocssjs' => 'true']);

        // Submit the field form with a fabricated token and build ID. The
        // expected outcome is still the 403 permission message, not a form
        // validation error, i.e. the payload is rejected outright.
        $this->assertAccessIsBlocked($formEndpoint, [
            'form_id' => 'quickedit_field_form',
            'form_token' => 'xIOzMjuc-PULKsRn_KxFn7xzNk5Bx7XKXLfQfw1qOnA',
            'form_build_id' => 'form-kVmovBpyX-SJfTT5kY0pjTV35TV-znor--a64dEnMR8',
            'body[0][summary]' => '',
            'body[0][value]' => '<p>Malicious content.</p>',
            'body[0][format]' => 'filtered_html',
            'op' => 'Save',
        ]);

        $this->assertAccessIsBlocked(
            $this->buildUrl('quickedit/entity/node/' . $article->id()),
            ['nocssjs' => 'true']
        );
    }

    /**
     * Asserts that access to the passed URL is blocked.
     *
     * Issues a form-encoded POST with the current (anonymous) session cookies
     * and the Drupal AJAX wrapper format, then checks both the 403 status and
     * that the JSON body is exactly the permission message and nothing else.
     *
     * @param string $url
     *   The URL to check.
     * @param array $body
     *   The payload to send with the request.
     *
     * @internal
     */
    protected function assertAccessIsBlocked(string $url, array $body) : void {
        $expected = [
            'message' => "The 'access in-place editing' permission is required.",
        ];
        // HTTP_ERRORS is disabled so the 403 comes back as a response object
        // for inspection rather than being raised as a client exception.
        $options = [
            RequestOptions::BODY => http_build_query($body),
            RequestOptions::QUERY => [
                MainContentViewSubscriber::WRAPPER_FORMAT => 'drupal_ajax',
            ],
            RequestOptions::COOKIES => $this->getSessionCookies(),
            RequestOptions::HEADERS => [
                'Accept' => 'application/json',
                'Content-Type' => 'application/x-www-form-urlencoded',
            ],
            RequestOptions::HTTP_ERRORS => FALSE,
        ];
        $response = $this->getHttpClient()->post($url, $options);

        $this->assertEquals(403, $response->getStatusCode());
        // Strict comparison: the decoded body must match the message array
        // exactly, so no additional data leaks alongside the denial.
        $decoded = Json::decode($response->getBody());
        $this->assertSame($expected, $decoded);
    }

}
