 * @file
 * Tests for BOTCHA module.

// Some constants for better reuse.
define('BOTCHA_WRONG_RESPONSE_ERROR_MESSAGE', 'You must be a human, not a spam bot, to submit forms on this website.');
define('BOTCHA_SESSION_REUSE_ATTACK_ERROR_MESSAGE', 'Form session reuse detected.');
define('BOTCHA_UNKNOWN_CSID_ERROR_MESSAGE', 'You must be a human, not a spam bot, to submit forms on this website.');
define('BOTCHA_NO_JS_ERROR_MESSAGE', 'Please enable Javascript to use this form.');

 * Base class for BOTCHA tests.
 * Provides common setup stuff and various helper functions
abstract class BotchaBaseWebTestCase extends DrupalWebTestCase {

   * User with various administrative permissions.
   * @var Drupal user
  protected $admin_user;

   * Normal visitor with limited permissions
   * @var Drupal user;
  protected $normal_user;

   * Form ID of comment form on standard (page) node
   * @var string
  const COMMENT_FORM_ID = 'comment_form';

   * Drupal path of the (general) BOTCHA admin page
  const BOTCHA_ADMIN_PATH = 'admin/user/botcha';
  function setUp() {

    // Load two modules: the botcha module itself and the comment module for testing anonymous comments.
    parent::setUp('botcha', 'comment');
    module_load_include('inc', 'botcha');

    // Create a normal user.
    $permissions = array(
      'access comments',
      'post comments',
      'post comments without approval',
      'access content',
      'create page content',
      'edit own page content',
    $this->normal_user = $this

    // Create an admin user.
    $permissions[] = 'administer BOTCHA settings';
    $permissions[] = 'skip BOTCHA';
    $permissions[] = 'administer permissions';
    $permissions[] = 'administer content types';
    $this->admin_user = $this

    // Put comments on page nodes on a separate page (default in D7: below post).
    variable_set('comment_form_location_page', COMMENT_FORM_SEPARATE_PAGE);

    // Tweak BOTCHA configuration
    db_query("UPDATE {botcha_points} SET botcha_type = '%s' WHERE form_id = '%s'", 'none', 'user_login');
    db_query("UPDATE {botcha_points} SET botcha_type = '%s' WHERE form_id = '%s'", 'none', 'user_login_block');

   * Assert that the response is accepted:
   * no "unknown CSID" message, no "CSID reuse attack detection" message,
   * no "wrong answer" message.
  protected function assertBotchaResponseAccepted() {

    // There should be no error message about unknown BOTCHA session ID.
      ->assertNoText(t(BOTCHA_UNKNOWN_CSID_ERROR_MESSAGE), 'BOTCHA response should be accepted (known CSID).', 'BOTCHA');

    // There should be no error message about CSID reuse attack.
      ->assertNoText(t(BOTCHA_SESSION_REUSE_ATTACK_ERROR_MESSAGE), 'BOTCHA response should be accepted (no BOTCHA session reuse attack detection).', 'BOTCHA');

    // There should be no error message about wrong response.
      ->assertNoText(t(BOTCHA_NO_JS_ERROR_MESSAGE), 'BOTCHA response should be accepted (JS enabled).', 'BOTCHA');

   * Assert that there is a BOTCHA on the form or not.
   * @param bool $presence whether there should be a BOTCHA or not.
  protected function assertBotchaPresence($presence) {
    if ($presence) {
        ->assertText('If you\'re a human, don\'t change the following field', 'There should be a BOTCHA on the form.', 'BOTCHA');
    else {
        ->assertNoText('If you\'re a human, don\'t change the following field', 'There should be no BOTCHA on the form.', 'BOTCHA');

   * Helper function to create a node with comments enabled.
   * @return
   *   Created node object.
  protected function createNodeWithCommentsEnabled($type = 'page') {
    $node_settings = array(
      'type' => $type,
      'comment' => 2,
    $node = $this
    return $node;

   * Helper function to get form values array from comment form
  protected function getCommentFormValuesFromForm() {

    // Submit the form using the displayed values.
    $displayed = array();
    foreach (array(
      'subject' => "//input[@id='edit-subject']",
      'comment' => "//textarea[@id='edit-comment']",
      'botcha_response' => "//input[@id='edit-botcha-response']",
    ) as $field => $path) {
      $elements = $this
      $value = isset($elements[0]['value']) ? $elements[0]['value'] : (isset($elements[0][0]) ? $elements[0][0] : FALSE);
      debug($field . ' value=' . $value . '<br>elements=<pre>' . print_r($elements, 1) . '</pre>');
      if (!empty($value)) {
        $displayed[$field] = (string) $value;
    return $displayed;

   * Helper function to generate a default form values array for comment forms
  protected function setCommentFormValues() {
    $edit = array(
      'subject' => 'comment_subject ' . $this
      'comment' => 'comment_body ' . $this
    return $edit;

   * Helper function to generate a default form values array for node forms
  protected function setNodeFormValues() {
    $edit = array(
      'title' => 'node_title ' . $this
      'body' => 'node_body ' . $this
    return $edit;

   * Get the form_build_id from the current form in the browser.
  protected function getFormBuildIdFromForm() {
    $elements = $this
    $form_build_id = isset($elements[0]['value']) ? $elements[0]['value'] : FALSE;
    debug('$form_build_id value=' . $form_build_id . '<br>elements=<pre>' . print_r($elements, 1) . '</pre>');
    return $form_build_id;

   * Helper function to allow comment posting for anonymous users.
  protected function allowCommentPostingForAnonymousVisitors() {

    // Log in as admin.

    // Post user permissions form
    $edit = array(
      '1[access comments]' => true,
      '1[post comments]' => true,
      '1[post comments without approval]' => true,
      ->drupalPost('admin/user/permissions', $edit, 'Save permissions');
      ->assertText('The changes have been saved.');

    // Log admin out

class BotchaTestCase extends BotchaBaseWebTestCase {
  public static function getInfo() {
    return array(
      'name' => t('General BOTCHA functionality'),
      'description' => t('Testing of the basic BOTCHA functionality.'),
      'group' => t('BOTCHA'),

   * Testing the protection of the user log in form.
  function testBotchaOnLoginForm() {

    // Create user and test log in without BOTCHA.
    $user = $this

    // Log out again.

    // Set a BOTCHA on login form
    botcha_set_form_id_setting('user_login', 'default');

    // Check if there is a BOTCHA on the login form (look for the title).

    // Try to log in, which should fail (due to JS required for 'default' BOTCHA recipe is not present in simpletest browser).
    $edit = array(
      'name' => $user->name,
      'pass' => $user->pass_raw,
      ->drupalPost('user', $edit, t('Log in'));

    // Check for error message.
      ->assertText(t(BOTCHA_WRONG_RESPONSE_ERROR_MESSAGE), 'BOTCHA should block user login form', 'BOTCHA');

    // And make sure that user is not logged in: check for name and password fields on ?q=user
      ->assertField('name', t('Username field found.'), 'BOTCHA');
      ->assertField('pass', t('Password field found.'), 'BOTCHA');

   * Assert function for testing if comment posting works as it should.
   * Creates node with comment writing enabled, tries to post comment
   * with given BOTCHA response (caller should enable the desired
   * challenge on page node comment forms) and checks if the result is as expected.
   * @param $node existing node to post comments to (if NULL, will be created)
   * @param $should_pass boolean describing if the posting should pass or should be blocked
   * @param $message message to prefix to nested asserts
   * @param $button name of button to click (t('Save') by default)
  protected function assertCommentPosting($node, $should_pass, $message, $button = '') {

    // Make sure comments on pages can be saved directely without preview.
    variable_set('comment_preview_page', DRUPAL_OPTIONAL);
    if (empty($node)) {

      // Create a node with comments enabled.
      $node = $this
    if (empty($button)) {
      $button = t('Save');

    // Check if there is a BOTCHA on the comment form.
      ->drupalGet('comment/reply/' . $node->nid);

    // Post comment on node.
    $edit = $this
    if (!$should_pass) {

      // Screw up fields (like a bot would do)
      $edit['botcha_response'] = 'xx';
    $comment_subject = $edit['subject'];
    $comment_body = $edit['comment'];
      ->drupalPost('comment/reply/' . $node->nid, $edit, $button);
    if ($should_pass) {

      // There should be no error message.

      // Get node page and check that comment shows up.
        ->drupalGet('node/' . $node->nid);
        ->assertText($comment_subject, $message . ' Comment should show up on node page.', 'BOTCHA');
        ->assertText($comment_body, $message . ' Comment should show up on node page.', 'BOTCHA');
    else {

      // Check for error message.
        ->assertText(t(BOTCHA_WRONG_RESPONSE_ERROR_MESSAGE), $message . ' Comment submission should be blocked.', 'BOTCHA');

      // Check that there is still BOTCHA after failed submit.

      // Get node page and check that comment is not present.
        ->drupalGet('node/' . $node->nid);
        ->assertNoText($comment_subject, $message . ' Comment should not show up on node page.', 'BOTCHA');
        ->assertNoText($comment_body, $message . ' Comment should not show up on node page.', 'BOTCHA');
    return $node;

   * Testing the case sensistive/insensitive validation.
  function testBotchaValidation() {

    // Set Test BOTCHA on comment form
    botcha_set_form_id_setting(self::COMMENT_FORM_ID, 'test');

    // Log in as normal user.
      ->assertCommentPosting(NULL, TRUE, 'Validation of right fields touched.');
      ->assertCommentPosting(NULL, FALSE, 'Validation of wrong fields touched.');

   * Test if BOTCHA is applied when previewing comments:
   * comment preview should have BOTCHA again.
   * \see testBotchaAfterNodePreview()
  function testBotchaAfterCommentPreview() {

    // Set Test BOTCHA on comment form.
    botcha_set_form_id_setting(self::COMMENT_FORM_ID, 'test');

    // Log in as normal user.

    // Create a node with comments enabled.
    $node = $this

    // Check if there is a BOTCHA on the comment form (look for the title).
      ->drupalGet('comment/reply/' . $node->nid);

    // Preview comment with correct BOTCHA.
    $edit = $this
      ->drupalPost('comment/reply/' . $node->nid, $edit, t('Preview'));

    // Check that there is still BOTCHA after preview.

   * Test if BOTCHA is applied when previewing nodes:
   * node preview should have BOTCHA again.
   * The preview functionality of comments and nodes works slightly different under the hood.
   * BOTCHA module should be able to handle both.
   * \see testBotchaAfterCommentPreview()
  function testBotchaAfterNodePreview() {

    // Set Test BOTCHA on page form.
    botcha_set_form_id_setting('page_node_form', 'test');

    // Log in as normal user.

    // Check if there is a BOTCHA on the node form (look for the title).

    // Page settings to post, with correct BOTCHA answer.
    $edit = $this

    // Preview the node
      ->drupalPost('node/add/page', $edit, t('Preview'));

    // Check that there is still BOTCHA after preview.

   * BOTCHA should also be put on admin pages if visitor
   * has no access
  function testBotchaOnLoginBlockOnAdminPages() {

    // Set a BOTCHA on login block form
    botcha_set_form_id_setting('user_login_block', 'default');

    // Check if there is a BOTCHA on home page.

    // Check there is a BOTCHA on "forbidden" admin pages

   * Test if BOTCHA is applied correctly when failing first and then resubmitting comments:
   * comment form should have BOTCHA again and pass correct submission.
   * (We use to fail BOTCHA as it is impossible to fail comment form on its own)
   * \see testBotchaAfterNodePreview()
  function testBotchaResubmit() {

    // Set Test BOTCHA on comment form.
    botcha_set_form_id_setting(self::COMMENT_FORM_ID, 'test');

    // Create a node with comments enabled.
    $node = $this

    // Log in as normal user.

    // Make sure comments on pages can be saved directely without preview.
    variable_set('comment_preview_page', DRUPAL_OPTIONAL);

    // Check if there is a BOTCHA on the comment form.
      ->drupalGet('comment/reply/' . $node->nid);

    // Post comment on node.
    $edit = $this

    // Screw up fields (like a bot would do)
    $edit['botcha_response'] = 'xx';
    $comment_subject = $edit['subject'];
    $comment_body = $edit['comment'];
      ->drupalPost('comment/reply/' . $node->nid, $edit, t('Save'));

    // Check for error message.
      ->assertText(t(BOTCHA_WRONG_RESPONSE_ERROR_MESSAGE), 'Comment submission should be blocked.', 'BOTCHA');

    // Check that there is still BOTCHA after failed submit.

    // Copy all values from the form into new one.
    $edit = $this

    // Get node page and check that comment is not present.
      ->drupalGet('node/' . $node->nid);
      ->assertNoText($comment_subject, 'Comment should not show up on node page.', 'BOTCHA');
      ->assertNoText($comment_body, 'Comment should not show up on node page.', 'BOTCHA');
    $comment_subject = $edit['subject'];
    $comment_body = $edit['comment'];

    // Save comment again with correct BOTCHA.
      ->drupalPost('comment/reply/' . $node->nid, $edit, t('Save'));

    // There should be no error message.

    // Get node page and check that comment shows up.
      ->drupalGet('node/' . $node->nid);
      ->assertText($comment_subject, ' Comment should show up on node page.', 'BOTCHA');
      ->assertText($comment_body, ' Comment should show up on node page.', 'BOTCHA');

class BotchaAdminTestCase extends BotchaBaseWebTestCase {
  public static function getInfo() {
    return array(
      'name' => t('BOTCHA administration functionality'),
      'description' => t('Testing of the BOTCHA administration interface and functionality.'),
      'group' => t('BOTCHA'),

   * Test access to the admin pages.
  function testAdminAccess() {
    file_put_contents('tmp.simpletest.html', $this
      ->assertText(t('Access denied'), 'Normal users should not be able to access the BOTCHA admin pages', 'BOTCHA');
      ->assertNoText(t('Access denied'), 'Admin users should be able to access the BOTCHA admin pages', 'BOTCHA');

   * Test the BOTCHA point setting getter/setter.
  function testBotchaPointSettingGetterAndSetter() {
    $comment_form_id = self::COMMENT_FORM_ID;

    // Set to 'none'.
    botcha_set_form_id_setting($comment_form_id, 'none');
    $result = botcha_get_form_id_setting($comment_form_id);
      ->assertNotNull($result, 'Setting and getting BOTCHA point: none', 'BOTCHA');
      ->assertNull($result->botcha_type, 'Setting and getting BOTCHA point: none', 'BOTCHA');
    $result = botcha_get_form_id_setting($comment_form_id, TRUE);
      ->assertEqual($result, 'none', 'Setting and symbolic getting BOTCHA point: "none"', 'BOTCHA');

    // Set to 'default'
    botcha_set_form_id_setting($comment_form_id, 'default');
    $result = botcha_get_form_id_setting($comment_form_id);
      ->assertNotNull($result, 'Setting and getting BOTCHA point: default', 'BOTCHA');
      ->assertEqual($result->botcha_type, 'default', 'Setting and getting BOTCHA point: default', 'BOTCHA');
    $result = botcha_get_form_id_setting($comment_form_id, TRUE);
      ->assertEqual($result, 'default', 'Setting and symbolic getting BOTCHA point: "default"', 'BOTCHA');

    // Set to 'boo'.
    botcha_set_form_id_setting($comment_form_id, 'boo');
    $result = botcha_get_form_id_setting($comment_form_id);
      ->assertNotNull($result, 'Setting and getting BOTCHA point: boo', 'BOTCHA');
      ->assertEqual($result->botcha_type, 'boo', 'Setting and getting BOTCHA point: boo', 'BOTCHA');
    $result = botcha_get_form_id_setting($comment_form_id, TRUE);
      ->assertEqual($result, 'boo', 'Setting and symbolic getting BOTCHA point: "boo"', 'BOTCHA');

    // Set to NULL (which should delete the BOTCHA point setting entry).
    botcha_set_form_id_setting($comment_form_id, NULL);
    $result = botcha_get_form_id_setting($comment_form_id);
      ->assertNull($result, 'Setting and getting BOTCHA point: NULL', 'BOTCHA');
    $result = botcha_get_form_id_setting($comment_form_id, TRUE);
      ->assertNull($result, 'Setting and symbolic getting BOTCHA point: NULL', 'BOTCHA');

    //    // Set with object.
    //    $botcha_type = new stdClass;
    //    $botcha_type->botcha_type = 'fofo';
    //    botcha_set_form_id_setting($comment_form_id, $botcha_type);
    //    $result = botcha_get_form_id_setting($comment_form_id);
    //    $this->assertNotNull($result, 'Setting and getting BOTCHA point: fofo', 'BOTCHA');
    //    $this->assertEqual($result->botcha_type, 'fofo', 'Setting and getting BOTCHA point: fofo', 'BOTCHA');
    //    $result = botcha_get_form_id_setting($comment_form_id, TRUE);
    //    $this->assertEqual($result, 'fofo', 'Setting and symbolic getting BOTCHA point: "fofo"', 'BOTCHA');

   * Helper function for checking BOTCHA setting of a form.
   * @param $form_id the form_id of the form to investigate.
   * @param $challenge_type what the challenge type should be:
   *   NULL, 'none', 'default' or something like 'default'
  protected function assertBotchaSetting($form_id, $challenge_type) {
    $result = botcha_get_form_id_setting(self::COMMENT_FORM_ID, TRUE);
      ->assertEqual($result, $challenge_type, t('Check BOTCHA setting for form: expected: @expected, received: @received.', array(
      '@expected' => var_export($challenge_type, TRUE),
      '@received' => var_export($result, TRUE),
    )), 'BOTCHA');

   * Testing of the BOTCHA administration links.
  function testBotchaAdminLinks() {

    // Set Test BOTCHA on comment form
    botcha_set_form_id_setting(self::COMMENT_FORM_ID, 'none');

    // Log in as admin

    // Enable BOTCHA administration links.
    $edit = array(
      'botcha_administration_mode' => TRUE,
      ->drupalPost(self::BOTCHA_ADMIN_PATH, $edit, 'Save configuration');

    // Create a node with comments enabled.
    $node = $this

    // Go to node page
      ->drupalGet('node/' . $node->nid);

    // Click the add new comment link
      ->clickLink(t('Add new comment'));
    $add_comment_url = $this

    // Remove fragment part from comment URL to avoid problems with later asserts
    $add_comment_url = strtok($add_comment_url, "#");


    // Click the BOTCHA admin link to enable a challenge.
      ->clickLink(t('Add BOTCHA protection on form'));

    // Enable 'default' BOTCHA.
    $edit = array(
      'botcha_type' => 'default',
      ->getUrl(), $edit, t('Save'));

    // Check if returned to original comment form.
      ->assertUrl($add_comment_url, array(), 'After setting BOTCHA with BOTCHA admin links: should return to original form.', 'BOTCHA');

    // Check if BOTCHA was successfully enabled (on BOTCHA admin links fieldset).
      ->assertText(t('Saved BOTCHA point settings.', array(
      '@type' => 'default',
    )), 'Enable a challenge through the BOTCHA admin links', 'BOTCHA');

    // Check if BOTCHA was successfully enabled (through API).
      ->assertBotchaSetting(self::COMMENT_FORM_ID, 'default');


    // Edit challenge type through BOTCHA admin links.

    // Enable 'default' BOTCHA.
    $edit = array(
      'botcha_type' => 'default',
      ->getUrl(), $edit, t('Save'));

    // Check if returned to original comment form.
      ->assertEqual($add_comment_url, $this
      ->getUrl(), 'After editing challenge type BOTCHA admin links: should return to original form.', 'BOTCHA');

    // Check if BOTCHA was successfully changed (on BOTCHA admin links fieldset).
    // This is actually the same as the previous setting because the botcha/Math is the
    // default for the default challenge. TODO Make sure the edit is a real change.
      ->assertText(t('Saved BOTCHA point settings.', array(
      '@type' => 'default',
    )), 'Enable a challenge through the BOTCHA admin links', 'BOTCHA');

    // Check if BOTCHA was successfully edited (through API).
      ->assertBotchaSetting(self::COMMENT_FORM_ID, 'default');


    // Disable challenge through BOTCHA admin links.

    // And confirm.
      ->getUrl(), array(), 'Disable');

    // Check if returned to original comment form.
      ->assertEqual($add_comment_url, $this
      ->getUrl(), 'After disablin challenge with BOTCHA admin links: should return to original form.', 'BOTCHA');

    // Check if BOTCHA was successfully disabled (on BOTCHA admin links fieldset).
      ->assertText(t('Disabled BOTCHA for form'), 'Disable challenge through the BOTCHA admin links', 'BOTCHA');

    // Check if BOTCHA was successfully disabled (through API).
      ->assertBotchaSetting(self::COMMENT_FORM_ID, 'none');
  function testUntrustedUserPosting() {

    // Set BOTCHA on comment form.
    botcha_set_form_id_setting(self::COMMENT_FORM_ID, 'test');

    // Create a node with comments enabled.
    $node = $this

    // Log in as normal (untrusted) user.

    // Go to node page and click the "add comment" link.
      ->drupalGet('node/' . $node->nid);
      ->clickLink(t('Add new comment'));
    $add_comment_url = $this

    // Check if BOTCHA is visible on form.

    // Try to post a comment with wrong answer.
    $edit = $this

    // Screw up fields (like a bot would do)
    $edit['botcha_response'] = 'xx';
      ->drupalPost($add_comment_url, $edit, t('Preview'));
      ->assertText(t(BOTCHA_WRONG_RESPONSE_ERROR_MESSAGE), 'wrong BOTCHA should block form submission.', 'BOTCHA');

    //TODO: more testing for untrusted posts.

   * Test the BOTCHA placement flushing.
  function testBotchaPlacementCacheFlushing() {
    $comment_form_id = self::COMMENT_FORM_ID;
    botcha_set_form_id_setting($comment_form_id, 'default');
    variable_set('botcha_administration_mode', TRUE);

    //    $placement_map = variable_get('botcha_placement_map_cache', NULL);
    //    $this->assertNull($placement_map, 'BOTCHA placement cache should be unset.');
    // Create a node with comments enabled.
    $node = $this

    // Visit comment form of commentable node to fill the BOTCHA placement cache.
      ->drupalGet('comment/reply/' . $node->nid);

    // Check if there is BOTCHA placement cache.
    $placement_map = variable_get('botcha_placement_map_cache', NULL);
      ->assertNotNull($placement_map, 'BOTCHA placement cache should be set.');

   * Helper function to get the BOTCHA point setting straight from the database.
   * @param string $form_id
   * @return stdClass object
  private function getBotchaPointSettingFromDatabase($form_id) {
    $result = db_query("SELECT * FROM {botcha_points} WHERE form_id = '%s'", $form_id);
    if (!$result) {
      return NULL;
    $botcha_point = db_fetch_object($result);
    if (!$botcha_point) {
      return NULL;
    return $botcha_point;

   * Method for testing the BOTCHA point administration
  function testBotchaPointAdministration() {

    // Generate BOTCHA point data:
    // Drupal form ID should consist of lowercase alphanumerics and underscore)
    $botcha_point_form_id = 'form_' . strtolower($this

    // the 'default' BOTCHA is always available, so let's use it
    $botcha_point_type = 'default';

    // Log in as admin

    // Set BOTCHA point through admin/user/botcha/botcha_point
    $form_values = array(
      'botcha_point_form_id' => $botcha_point_form_id,
      'botcha_type' => $botcha_point_type,
      ->drupalPost(self::BOTCHA_ADMIN_PATH . '/botcha_point', $form_values, t('Save'));
      ->assertText(t('Saved BOTCHA point settings.'), 'Saving of BOTCHA point settings');

    // Check in database
    $result = $this
      ->assertEqual($result->botcha_type, $botcha_point_type, 'Enabled BOTCHA point should have type set');

    // Disable BOTCHA point again
      ->drupalPost(self::BOTCHA_ADMIN_PATH . '/botcha_point/' . $botcha_point_form_id . '/disable', array(), t('Disable'));
      ->assertRaw(t('Disabled BOTCHA for form %form_id.', array(
      '%form_id' => $botcha_point_form_id,
    )), 'Disabling of BOTCHA point');

    // Check in database
    $result = $this
      ->assertNull($result->botcha_type, 'Disabled BOTCHA point should have NULL as type');

    // Set BOTCHA point through admin/user/botcha/botcha_point/$form_id
    $form_values = array(
      'botcha_type' => $botcha_point_type,
      ->drupalPost(self::BOTCHA_ADMIN_PATH . '/botcha_point/' . $botcha_point_form_id, $form_values, t('Save'));
      ->assertText(t('Saved BOTCHA point settings.'), 'Saving of BOTCHA point settings');

    // Check in database
    $result = $this
      ->assertEqual($result->botcha_type, $botcha_point_type, 'Enabled BOTCHA point should have type set');

    // Delete BOTCHA point
      ->drupalPost(self::BOTCHA_ADMIN_PATH . '/botcha_point/' . $botcha_point_form_id . '/delete', array(), t('Delete'));
      ->assertRaw(t('Deleted BOTCHA for form %form_id.', array(
      '%form_id' => $botcha_point_form_id,
    )), 'Deleting of BOTCHA point');

    // Check in database
    $result = $this
      ->assertFalse($result, 'Deleted BOTCHA point should be in database');

   * Method for testing the BOTCHA point administration
  function testBotchaPointAdministrationByNonAdmin() {

    // First add a BOTCHA point (as admin)
    $botcha_point_form_id = 'form_' . strtolower($this
    $botcha_point_type = 'default';
    $form_values = array(
      'botcha_point_form_id' => $botcha_point_form_id,
      'botcha_type' => $botcha_point_type,
      ->drupalPost(self::BOTCHA_ADMIN_PATH . '/botcha_point/', $form_values, t('Save'));
      ->assertText(t('Saved BOTCHA point settings.'), 'Saving of BOTCHA point settings');

    // Switch from admin to nonadmin
      ->drupalGet(url('logout', array(
      'absolute' => TRUE,

    // Try to set BOTCHA point through admin/user/botcha/botcha_point
      ->drupalGet(self::BOTCHA_ADMIN_PATH . '/botcha_point');
      ->assertText(t('You are not authorized to access this page.'), 'Non admin should not be able to set a BOTCHA point');

    // Try to set BOTCHA point through admin/user/botcha/botcha_point/$form_id
      ->drupalGet(self::BOTCHA_ADMIN_PATH . '/botcha_point/' . 'form_' . strtolower($this
      ->assertText(t('You are not authorized to access this page.'), 'Non admin should not be able to set a BOTCHA point');

    // Try to disable the BOTCHA point
      ->drupalGet(self::BOTCHA_ADMIN_PATH . '/botcha_point/' . $botcha_point_form_id . '/disable');
      ->assertText(t('You are not authorized to access this page.'), 'Non admin should not be able to disable a BOTCHA point');

    // Try to delete the BOTCHA point
      ->drupalGet(self::BOTCHA_ADMIN_PATH . '/botcha_point/' . $botcha_point_form_id . '/delete');
      ->assertText(t('You are not authorized to access this page.'), 'Non admin should not be able to delete a BOTCHA point');

    // Switch from nonadmin to admin again
      ->drupalGet(url('logout', array(
      'absolute' => TRUE,

    // Check if original BOTCHA point still exists in database
    $result = $this
      ->assertEqual($result->botcha_type, $botcha_point_type, 'Enabled BOTCHA point should still have type set');

    // Delete BOTCHA point
      ->drupalPost(self::BOTCHA_ADMIN_PATH . '/botcha_point/' . $botcha_point_form_id . '/delete', array(), t('Delete'));
      ->assertRaw(t('Deleted BOTCHA for form %form_id.', array(
      '%form_id' => $botcha_point_form_id,
    )), 'Deleting of BOTCHA point');

class BotchaSessionReuseAttackTestCase extends BotchaBaseWebTestCase {
  public static function getInfo() {
    return array(
      'name' => t('BOTCHA session reuse attack tests'),
      'description' => t('Testing of the protection against BOTCHA session reuse attacks.'),
      'group' => t('BOTCHA'),

   * Assert that the BOTCHA session ID reuse attack was detected.
  protected function assertBotchaSessionIdReuseAttackDetection() {
      ->assertText(t(BOTCHA_SESSION_REUSE_ATTACK_ERROR_MESSAGE), 'BOTCHA session ID reuse attack should be detected.', 'BOTCHA');

    //    // There should be an error message about bad post.
    //    $this->assertText(t(BOTCHA_WRONG_RESPONSE_ERROR_MESSAGE),
    //      'BOTCHA should be flagged as wrong.',
    //      'BOTCHA');
  function testBotchaSessionReuseAttackDetectionOnCommentPreview() {

    // Create commentable node
    $node = $this

    // Set Test BOTCHA on comment form.
    botcha_set_form_id_setting(self::COMMENT_FORM_ID, 'test');

    // Log in as normal user.

    // Go to comment form of commentable node.
      ->drupalGet('comment/reply/' . $node->nid);

    // Get form_build_id.
    $form_build_id = $this

    // Post the form with the solution.
    $edit = $this
      ->drupalPost(NULL, $edit, t('Preview'));

    // Answer should be accepted and further BOTCHA ommitted.

    // Post a new comment, reusing the previous BOTCHA session.
    $edit = $this
    $edit['form_build_id'] = $form_build_id;
      ->drupalPost('comment/reply/' . $node->nid, $edit, t('Preview'));

    // BOTCHA session reuse attack should be detected.

    // There should be a BOTCHA.

    // Verify that values that user posted are preserved in the new form
    $values = $this
      ->assertEqual($values['subject'], $edit['subject'], 'Subject should be preserved');
      ->assertEqual($values['comment'], $edit['comment'], 'Comment body should be preserved');

    // And verify new form can be re-submitted
      ->drupalPost('comment/reply/' . $node->nid, $edit, t('Preview'));
  function testBotchaSessionReuseAttackDetectionOnNodeForm() {

    // Set BOTCHA on page form.
    botcha_set_form_id_setting('page_node_form', 'test');

    // Log in as normal user.

    // Go to node add form.

    // Get form_build_id.
    $form_build_id = $this

    // Page settings to post, with correct BOTCHA answer.
    $edit = $this

    // Preview the node
      ->drupalPost(NULL, $edit, t('Preview'));

    // Answer should be accepted.

    // Post a new node, reusing the previous BOTCHA session.
    $edit = $this
    $edit['form_build_id'] = $form_build_id;
      ->drupalPost('node/add/page', $edit, t('Preview'));

    // BOTCHA session reuse attack should be detected.

    // There should be a BOTCHA.
  function testBotchaSessionReuseAttackDetectionOnLoginForm() {

    // Set BOTCHA on login form.
    botcha_set_form_id_setting('user_login', 'test');

    // Go to log in form.

    // Get form_build_id.
    $form_build_id = $this

    // Log in through form.
    $edit = array(
      'name' => $this->normal_user->name,
      'pass' => $this->normal_user->pass_raw,
      ->drupalPost(NULL, $edit, t('Log in'));

    // If a "log out" link appears on the page, it is almost certainly because
    // the login was successful.
    $pass = $this
      ->assertLink(t('Log out'), 0, t('User %name successfully logged in.', array(
      '%name' => $this->normal_user->name,
    )), t('User login'));

    // Log out again.

    // Try to log in again, reusing the previous BOTCHA session.
    $edit += array(
      'form_build_id' => $form_build_id,
      ->drupalPost('user', $edit, t('Log in'));

    // BOTCHA session reuse attack should be detected.

    // There should be a BOTCHA.
  public function testMultipleBotchaProtectedFormsOnOnePage() {

    // Set Test BOTCHA on comment form and login block
    botcha_set_form_id_setting(self::COMMENT_FORM_ID, 'test');
    botcha_set_form_id_setting('user_login_block', 'test');

    // Create a node with comments enabled.
    $node = $this

    // Preview comment with correct BOTCHA answer.
    $edit = $this
    $comment_subject = $edit['subject'];
      ->drupalPost('comment/reply/' . $node->nid, $edit, t('Preview'));

    // Post should be accepted: no warnings,
    // no BOTCHA reuse detection (which could be used by user log in block).


