
public function ContextualDynamicContextTest::testTokenProtection in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/contextual/tests/src/Functional/ContextualDynamicContextTest.php \Drupal\Tests\contextual\Functional\ContextualDynamicContextTest::testTokenProtection()

Tests that the contextual placeholder content is protected by a token.

File

core/modules/contextual/tests/src/Functional/ContextualDynamicContextTest.php, line 166

Class

ContextualDynamicContextTest
Tests whether contextual links are shown on the front page, depending on permissions.

Namespace

Drupal\Tests\contextual\Functional

Code

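/**
 * Tests that the contextual placeholder content is protected by a token.
 *
 * Every request below POSTs the same contextual ID to the contextual.render
 * route and only varies the 'tokens' form parameter, so each case isolates
 * one way the token check can fail:
 * - no tokens at all,
 * - a token value that does not match the ID,
 * - a valid token stored under a key that does not correspond to the ID,
 * - a valid token under the expected key (the only case that succeeds).
 */
public function testTokenProtection() {
  $this
    ->drupalLogin($this->editorUser);

  // Create a node that will have a contextual link.
  $node1 = $this
    ->drupalCreateNode([
    'type' => 'article',
    'promote' => 1,
  ]);

  // Now, on the front page, all article nodes should have contextual links
  // placeholders, as should the view that contains them.
  $id = 'node:node=' . $node1
    ->id() . ':changed=' . $node1
    ->getChangedTime() . '&langcode=en';

  // Editor user: can access contextual links and can edit articles.
  $this
    ->drupalGet('node');
  $this
    ->assertContextualLinkPlaceHolder($id);
  $http_client = $this
    ->getHttpClient();
  $url = Url::fromRoute('contextual.render', [], [
    'query' => [
      '_format' => 'json',
      'destination' => 'node',
    ],
  ])
    ->setAbsolute()
    ->toString();

  // POSTs the contextual ID to the render route with the given tokens and
  // returns the response. The session cookies make the request as the
  // logged-in editor; 'http_errors' => FALSE returns 4xx responses instead of
  // throwing, so the status code and body can be asserted on.
  $post_tokens = function (array $tokens) use ($http_client, $url, $id) {
    return $http_client
      ->request('POST', $url, [
      'cookies' => $this
        ->getSessionCookies(),
      'form_params' => [
        'ids' => [
          $id,
        ],
        'tokens' => $tokens,
      ],
      'http_errors' => FALSE,
    ]);
  };

  // No tokens at all: the request is rejected before any token is compared.
  $response = $post_tokens([]);
  $this
    ->assertSame(400, $response
    ->getStatusCode());
  $this
    ->assertStringContainsString('No contextual ID tokens specified.', (string) $response
    ->getBody());

  // A token value that does not match the ID.
  $response = $post_tokens([
    'wrong_token',
  ]);
  $this
    ->assertSame(400, $response
    ->getStatusCode());
  $this
    ->assertStringContainsString('Invalid contextual ID specified.', (string) $response
    ->getBody());

  // A valid token, but stored under a key that does not correspond to the ID:
  // the token must be bound to the ID it was generated for.
  $response = $post_tokens([
    'wrong_key' => $this
      ->createContextualIdToken($id),
  ]);
  $this
    ->assertSame(400, $response
    ->getStatusCode());
  $this
    ->assertStringContainsString('Invalid contextual ID specified.', (string) $response
    ->getBody());

  // The valid token under the expected key is accepted.
  $response = $post_tokens([
    $this
      ->createContextualIdToken($id),
  ]);
  $this
    ->assertSame(200, $response
    ->getStatusCode());
}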