function TriggeringElementTest::testAttemptAccessControlBypass
Same name in other branches
- 9 core/modules/system/tests/src/FunctionalJavascript/Form/TriggeringElementTest.php \Drupal\Tests\system\FunctionalJavascript\Form\TriggeringElementTest::testAttemptAccessControlBypass()
- 8.9.x core/modules/system/tests/src/FunctionalJavascript/Form/TriggeringElementTest.php \Drupal\Tests\system\FunctionalJavascript\Form\TriggeringElementTest::testAttemptAccessControlBypass()
- 11.x core/modules/system/tests/src/FunctionalJavascript/Form/TriggeringElementTest.php \Drupal\Tests\system\FunctionalJavascript\Form\TriggeringElementTest::testAttemptAccessControlBypass()
Tests attempts to bypass access control.
Test that the triggering element does not get set to a button with #access=FALSE.
File
core/modules/system/tests/src/FunctionalJavascript/Form/TriggeringElementTest.php, line 91
Class
- TriggeringElementTest
- Tests that FAPI correctly determines the triggering element.
Namespace
Drupal\Tests\system\FunctionalJavascript\Form
Code
public function testAttemptAccessControlBypass() : void {
  $path = 'form-test/clicked-button';
  $form_html_id = 'form-test-clicked-button';
  // Retrieve a form where 'button1' has #access=FALSE and 'button2' doesn't.
  $this->drupalGet($path . '/rs/s');
  // Submit the form with 'button1=button1' in the POST data, which someone
  // trying to get around security safeguards could easily do. We have to do
  // a little trickery here to work around the safeguards in submitForm(): by
  // renaming the text field and value that is in the form to 'button1', we
  // can get the data we want into \Drupal::request()->request.
  $page = $this->getSession()
    ->getPage();
  $input = $page->find('css', 'input[name="text"]');
  $this->assertNotNull($input, 'text input located.');
  $input->setValue('name', 'button1');
  $input->setValue('value', 'button1');
  $this->xpath('//form[@id="' . $form_html_id . '"]//input[@type="submit"]')[0]
    ->click();
  // Ensure that the triggering element was not set to the restricted button.
  // Do this with both a negative and positive assertion, because negative
  // assertions alone can be brittle. See testNoButtonInfoInPost() for why the
  // triggering element gets set to 'button2'.
  $this->assertSession()
    ->pageTextNotContains('The clicked button is button1.');
  $this->assertSession()
    ->pageTextContains('The clicked button is button2.');
}
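A simplified model of the server-side rule this test exercises, added here as an illustration and not taken from Drupal core: a button is matched against POST data only if its #access is absent or TRUE, and the first accessible button is the fallback when nothing matches. The function names, the sample form and the extra 'button3' are hypothetical.

```php
<?php
// Added illustration: a simplified model, not Drupal's FormBuilder code.

/**
 * An element may consume submitted input only if #access is absent or TRUE.
 */
function element_accepts_input(array $element): bool {
  return !array_key_exists('#access', $element) || $element['#access'] === TRUE;
}

/**
 * Returns the name of the button treated as clicked, or NULL if none qualifies.
 *
 * @param array $buttons Button elements keyed by name, in form order.
 * @param array $input   Raw POST data supplied by the client.
 */
function pick_triggering_element(array $buttons, array $input): ?string {
  $accessible = [];
  foreach ($buttons as $name => $button) {
    if (!element_accepts_input($button)) {
      // Restricted buttons are skipped before the POST data is consulted,
      // so a forged name=value pair for them can never match.
      continue;
    }
    $accessible[] = $name;
    if (isset($input[$name]) && $input[$name] === $button['#value']) {
      return $name;
    }
  }
  // No accessible button matched: fall back to the first accessible one.
  return $accessible[0] ?? NULL;
}

// Constructed sample form: button1 is restricted, button2 and button3 are not.
$buttons = [
  'button1' => ['#value' => 'button1', '#access' => FALSE],
  'button2' => ['#value' => 'button2'],
  'button3' => ['#value' => 'button3'],
];

// Constructed POST data carrying the forged 'button1=button1' pair.
$forged = ['button1' => 'button1'];
printf("The clicked button is %s.\n", pick_triggering_element($buttons, $forged));

// Constructed POST data for a genuine click on an accessible button.
$genuine = ['button3' => 'button3'];
printf("The clicked button is %s.\n", pick_triggering_element($buttons, $genuine));
```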