class FileFieldWidgetTest in Drupal 9
Same name in this branch
- 9 core/modules/file/tests/src/Functional/FileFieldWidgetTest.php \Drupal\Tests\file\Functional\FileFieldWidgetTest
- 9 core/modules/file/tests/src/FunctionalJavascript/FileFieldWidgetTest.php \Drupal\Tests\file\FunctionalJavascript\FileFieldWidgetTest
Same name and namespace in other branches
- 8 core/modules/file/tests/src/Functional/FileFieldWidgetTest.php \Drupal\Tests\file\Functional\FileFieldWidgetTest
- 10 core/modules/file/tests/src/Functional/FileFieldWidgetTest.php \Drupal\Tests\file\Functional\FileFieldWidgetTest
Tests the file field widget with public and private files.
@group file
Hierarchy
- class \Drupal\Tests\BrowserTestBase extends \PHPUnit\Framework\TestCase uses \Symfony\Bridge\PhpUnit\ExpectDeprecationTrait, FunctionalTestSetupTrait, TestSetupTrait, AssertLegacyTrait, BlockCreationTrait, ConfigTestTrait, ExtensionListTestTrait, ContentTypeCreationTrait, NodeCreationTrait, PhpUnitCompatibilityTrait, RandomGeneratorTrait, TestRequirementsTrait, PhpUnitWarnings, UiHelperTrait, UserCreationTrait, XdebugRequestTrait
- class \Drupal\Tests\file\Functional\FileFieldTestBase uses FileFieldCreationTrait, TestFileCreationTrait
- class \Drupal\Tests\file\Functional\FileFieldWidgetTest uses CommentTestTrait, FieldUiTestTrait
- class \Drupal\Tests\file\Functional\FileFieldTestBase uses FileFieldCreationTrait, TestFileCreationTrait
Expanded class hierarchy of FileFieldWidgetTest
File
- core/
modules/ file/ tests/ src/ Functional/ FileFieldWidgetTest.php, line 23
Namespace
Drupal\Tests\file\FunctionalView source
class FileFieldWidgetTest extends FileFieldTestBase {
use CommentTestTrait;
use FieldUiTestTrait;
/**
* {@inheritdoc}
*/
protected static $modules = [
'comment',
'block',
];
/**
* {@inheritdoc}
*/
protected $defaultTheme = 'classy';
/**
* {@inheritdoc}
*/
protected function setUp() : void {
parent::setUp();
$this
->drupalPlaceBlock('system_breadcrumb_block');
}
/**
* Creates a temporary file, for a specific user.
*
* @param string $data
* A string containing the contents of the file.
* @param \Drupal\user\UserInterface $user
* The user of the file owner.
*
* @return \Drupal\file\FileInterface
* A file object, or FALSE on error.
*/
protected function createTemporaryFile($data, UserInterface $user = NULL) {
$file = file_save_data($data, NULL, NULL);
if ($file) {
if ($user) {
$file
->setOwner($user);
}
else {
$file
->setOwner($this->adminUser);
}
// Change the file status to be temporary.
$file
->setTemporary();
// Save the changes.
$file
->save();
}
return $file;
}
/**
* Tests upload and remove buttons for a single-valued File field.
*/
public function testSingleValuedWidget() {
$node_storage = $this->container
->get('entity_type.manager')
->getStorage('node');
$type_name = 'article';
$field_name = strtolower($this
->randomMachineName());
$this
->createFileField($field_name, 'node', $type_name);
$test_file = $this
->getTestFile('text');
// Create a new node with the uploaded file and ensure it got uploaded
// successfully.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
$node = $node_storage
->loadUnchanged($nid);
$node_file = File::load($node->{$field_name}->target_id);
$this
->assertFileExists($node_file
->getFileUri());
// Ensure the file can be downloaded.
$this
->drupalGet($node_file
->createFileUrl());
$this
->assertSession()
->statusCodeEquals(200);
// Ensure the edit page has a remove button instead of an upload button.
$this
->drupalGet("node/{$nid}/edit");
$this
->assertSession()
->buttonNotExists('Upload');
$this
->assertSession()
->buttonExists('Remove');
$this
->submitForm([], 'Remove');
// Ensure the page now has an upload button instead of a remove button.
$this
->assertSession()
->buttonNotExists('Remove');
$this
->assertSession()
->buttonExists('Upload');
// Test label has correct 'for' attribute.
$input = $this
->assertSession()
->fieldExists("files[{$field_name}_0]");
$this
->assertSession()
->elementExists('xpath', '//label[@for="' . $input
->getAttribute('id') . '"]');
// Save the node and ensure it does not have the file.
$this
->submitForm([], 'Save');
$node = $node_storage
->loadUnchanged($nid);
$this
->assertTrue(empty($node->{$field_name}->target_id), 'File was successfully removed from the node.');
}
/**
* Tests upload and remove buttons for multiple multi-valued File fields.
*/
public function testMultiValuedWidget() {
$node_storage = $this->container
->get('entity_type.manager')
->getStorage('node');
$type_name = 'article';
// Use explicit names instead of random names for those fields, because of a
// bug in submitForm() with multiple file uploads in one form, where the
// order of uploads depends on the order in which the upload elements are
// added to the $form (which, in the current implementation of
// FileStorage::listAll(), comes down to the alphabetical order on field
// names).
$field_name = 'test_file_field_1';
$field_name2 = 'test_file_field_2';
$cardinality = 3;
$this
->createFileField($field_name, 'node', $type_name, [
'cardinality' => $cardinality,
]);
$this
->createFileField($field_name2, 'node', $type_name, [
'cardinality' => $cardinality,
]);
$test_file = $this
->getTestFile('text');
// Visit the node creation form, and upload 3 files for each field. Since
// the field has cardinality of 3, ensure the "Upload" button is displayed
// until after the 3rd file, and after that, isn't displayed. Because
// SimpleTest triggers the last button with a given name, so upload to the
// second field first.
$this
->drupalGet("node/add/{$type_name}");
foreach ([
$field_name2,
$field_name,
] as $each_field_name) {
for ($delta = 0; $delta < 3; $delta++) {
$edit = [
'files[' . $each_field_name . '_' . $delta . '][]' => \Drupal::service('file_system')
->realpath($test_file
->getFileUri()),
];
// If the Upload button doesn't exist, submitForm() will
// automatically fail with an assertion message.
$this
->submitForm($edit, 'Upload');
}
}
$this
->assertSession()
->buttonNotExists('Upload');
$num_expected_remove_buttons = 6;
foreach ([
$field_name,
$field_name2,
] as $current_field_name) {
// How many uploaded files for the current field are remaining.
$remaining = 3;
// Test clicking each "Remove" button. For extra robustness, test them out
// of sequential order. They are 0-indexed, and get renumbered after each
// iteration, so array(1, 1, 0) means:
// - First remove the 2nd file.
// - Then remove what is then the 2nd file (was originally the 3rd file).
// - Then remove the first file.
foreach ([
1,
1,
0,
] as $delta) {
// Ensure we have the expected number of Remove buttons, and that they
// are numbered sequentially.
$buttons = $this
->xpath('//input[@type="submit" and @value="Remove"]');
$this
->assertCount($num_expected_remove_buttons, $buttons, new FormattableMarkup('There are %n "Remove" buttons displayed.', [
'%n' => $num_expected_remove_buttons,
]));
foreach ($buttons as $i => $button) {
$key = $i >= $remaining ? $i - $remaining : $i;
$check_field_name = $field_name2;
if ($current_field_name == $field_name && $i < $remaining) {
$check_field_name = $field_name;
}
$this
->assertSame($check_field_name . '_' . $key . '_remove_button', $button
->getAttribute('name'));
}
// "Click" the remove button (emulating either a nojs or js submission).
$button_name = $current_field_name . '_' . $delta . '_remove_button';
$this
->getSession()
->getPage()
->findButton($button_name)
->press();
$num_expected_remove_buttons--;
$remaining--;
// Ensure an "Upload" button for the current field is displayed with the
// correct name.
$upload_button_name = $current_field_name . '_' . $remaining . '_upload_button';
$button = $this
->assertSession()
->buttonExists($upload_button_name);
$this
->assertSame('Upload', $button
->getValue());
// Ensure only at most one button per field is displayed.
$expected = $current_field_name == $field_name ? 1 : 2;
$this
->assertSession()
->elementsCount('xpath', '//input[@type="submit" and @value="Upload"]', $expected);
}
}
// Ensure the page now has no Remove buttons.
$this
->assertSession()
->buttonNotExists('Remove');
// Save the node and ensure it does not have any files.
$this
->submitForm([
'title[0][value]' => $this
->randomMachineName(),
], 'Save');
preg_match('/node\\/([0-9])/', $this
->getUrl(), $matches);
$nid = $matches[1];
$node = $node_storage
->loadUnchanged($nid);
$this
->assertTrue(empty($node->{$field_name}->target_id), 'Node was successfully saved without any files.');
// Try to upload more files than allowed on revision.
$upload_files_node_revision = [
$test_file,
$test_file,
$test_file,
$test_file,
];
foreach ($upload_files_node_revision as $i => $file) {
$edit['files[test_file_field_1_0][' . $i . ']'] = \Drupal::service('file_system')
->realpath($test_file
->getFileUri());
}
// @todo: Replace after https://www.drupal.org/project/drupal/issues/2917885
$this
->drupalGet('node/' . $node
->id() . '/edit');
$this
->assertSession()
->fieldExists('files[test_file_field_1_0][]');
$submit_xpath = $this
->assertSession()
->buttonExists('Save')
->getXpath();
$client = $this
->getSession()
->getDriver()
->getClient();
$form = $client
->getCrawler()
->filterXPath($submit_xpath)
->form();
$client
->request($form
->getMethod(), $form
->getUri(), $form
->getPhpValues(), $edit);
$node = $node_storage
->loadUnchanged($nid);
$this
->assertCount($cardinality, $node->{$field_name}, 'More files than allowed could not be saved to node.');
$upload_files_node_creation = [
$test_file,
$test_file,
];
// Try to upload multiple files, but fewer than the maximum.
$nid = $this
->uploadNodeFiles($upload_files_node_creation, $field_name, $type_name, TRUE, []);
$node = $node_storage
->loadUnchanged($nid);
$this
->assertSameSize($upload_files_node_creation, $node->{$field_name}, 'Node was successfully saved with multiple files.');
// Try to upload exactly the allowed number of files on revision.
$this
->uploadNodeFile($test_file, $field_name, $node
->id(), 1, [], TRUE);
$node = $node_storage
->loadUnchanged($nid);
$this
->assertCount($cardinality, $node->{$field_name}, 'Node was successfully revised to maximum number of files.');
// Try to upload exactly the allowed number of files, new node.
$upload_files = [
$test_file,
$test_file,
$test_file,
];
$nid = $this
->uploadNodeFiles($upload_files, $field_name, $type_name, TRUE, []);
$node = $node_storage
->loadUnchanged($nid);
$this
->assertCount($cardinality, $node->{$field_name}, 'Node was successfully saved with maximum number of files.');
}
/**
* Tests a file field with a "Private files" upload destination setting.
*/
public function testPrivateFileSetting() {
$node_storage = $this->container
->get('entity_type.manager')
->getStorage('node');
// Grant the admin user required permissions.
user_role_grant_permissions($this->adminUser->roles[0]->target_id, [
'administer node fields',
]);
$type_name = 'article';
$field_name = strtolower($this
->randomMachineName());
$this
->createFileField($field_name, 'node', $type_name);
$field = FieldConfig::loadByName('node', $type_name, $field_name);
$field_id = $field
->id();
$test_file = $this
->getTestFile('text');
// Change the field setting to make its files private, and upload a file.
$edit = [
'settings[uri_scheme]' => 'private',
];
$this
->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}/storage");
$this
->submitForm($edit, 'Save field settings');
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
$node = $node_storage
->loadUnchanged($nid);
$node_file = File::load($node->{$field_name}->target_id);
$this
->assertFileExists($node_file
->getFileUri());
// Ensure the private file is available to the user who uploaded it.
$this
->drupalGet($node_file
->createFileUrl());
$this
->assertSession()
->statusCodeEquals(200);
// Ensure we can't change 'uri_scheme' field settings while there are some
// entities with uploaded files.
$this
->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}/storage");
$this
->assertSession()
->fieldDisabled("edit-settings-uri-scheme-public");
// Delete node and confirm that setting could be changed.
$node
->delete();
$this
->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}/storage");
$this
->assertSession()
->fieldEnabled("edit-settings-uri-scheme-public");
}
/**
* Tests that download restrictions on private files work on comments.
*/
public function testPrivateFileComment() {
$user = $this
->drupalCreateUser([
'access comments',
]);
// Grant the admin user required comment permissions.
$roles = $this->adminUser
->getRoles();
user_role_grant_permissions($roles[1], [
'administer comment fields',
'administer comments',
]);
// Revoke access comments permission from anon user, grant post to
// authenticated.
user_role_revoke_permissions(RoleInterface::ANONYMOUS_ID, [
'access comments',
]);
user_role_grant_permissions(RoleInterface::AUTHENTICATED_ID, [
'post comments',
'skip comment approval',
]);
// Create a new field.
$this
->addDefaultCommentField('node', 'article');
$name = strtolower($this
->randomMachineName());
$label = $this
->randomMachineName();
$storage_edit = [
'settings[uri_scheme]' => 'private',
];
$this
->fieldUIAddNewField('admin/structure/comment/manage/comment', $name, $label, 'file', $storage_edit);
// Manually clear cache on the tester side.
\Drupal::service('entity_field.manager')
->clearCachedFieldDefinitions();
// Create node.
$edit = [
'title[0][value]' => $this
->randomMachineName(),
];
$this
->drupalGet('node/add/article');
$this
->submitForm($edit, 'Save');
$node = $this
->drupalGetNodeByTitle($edit['title[0][value]']);
// Add a comment with a file.
$text_file = $this
->getTestFile('text');
$edit = [
'files[field_' . $name . '_' . 0 . ']' => \Drupal::service('file_system')
->realpath($text_file
->getFileUri()),
'comment_body[0][value]' => $comment_body = $this
->randomMachineName(),
];
$this
->drupalGet('node/' . $node
->id());
$this
->submitForm($edit, 'Save');
// Get the comment ID.
preg_match('/comment-([0-9]+)/', $this
->getUrl(), $matches);
$cid = $matches[1];
// Log in as normal user.
$this
->drupalLogin($user);
$comment = Comment::load($cid);
$comment_file = $comment->{'field_' . $name}->entity;
$this
->assertFileExists($comment_file
->getFileUri());
// Test authenticated file download.
$url = $comment_file
->createFileUrl();
$this
->assertNotNull($url, 'Confirmed that the URL is valid');
$this
->drupalGet($comment_file
->createFileUrl());
$this
->assertSession()
->statusCodeEquals(200);
// Ensure that the anonymous user cannot download the file.
$this
->drupalLogout();
$this
->drupalGet($comment_file
->createFileUrl());
$this
->assertSession()
->statusCodeEquals(403);
// Unpublishes node.
$this
->drupalLogin($this->adminUser);
$edit = [
'status[value]' => FALSE,
];
$this
->drupalGet('node/' . $node
->id() . '/edit');
$this
->submitForm($edit, 'Save');
// Ensures normal user can no longer download the file.
$this
->drupalLogin($user);
$this
->drupalGet($comment_file
->createFileUrl());
$this
->assertSession()
->statusCodeEquals(403);
}
/**
* Tests validation with the Upload button.
*/
public function testWidgetValidation() {
$type_name = 'article';
$field_name = strtolower($this
->randomMachineName());
$this
->createFileField($field_name, 'node', $type_name);
$this
->updateFileField($field_name, $type_name, [
'file_extensions' => 'txt',
]);
$type = 'nojs';
// Create node and prepare files for upload.
$node = $this
->drupalCreateNode([
'type' => 'article',
]);
$nid = $node
->id();
$this
->drupalGet("node/{$nid}/edit");
$test_file_text = $this
->getTestFile('text');
$test_file_image = $this
->getTestFile('image');
$name = 'files[' . $field_name . '_0]';
// Upload file with incorrect extension, check for validation error.
$edit[$name] = \Drupal::service('file_system')
->realpath($test_file_image
->getFileUri());
$this
->submitForm($edit, 'Upload');
$this
->assertSession()
->pageTextContains("Only files with the following extensions are allowed: txt.");
// Upload file with correct extension, check that error message is removed.
$edit[$name] = \Drupal::service('file_system')
->realpath($test_file_text
->getFileUri());
$this
->submitForm($edit, 'Upload');
$this
->assertSession()
->pageTextNotContains("Only files with the following extensions are allowed: txt.");
}
/**
* Tests file widget element.
*/
public function testWidgetElement() {
$field_name = mb_strtolower($this
->randomMachineName());
$html_name = str_replace('_', '-', $field_name);
$this
->createFileField($field_name, 'node', 'article', [
'cardinality' => FieldStorageConfig::CARDINALITY_UNLIMITED,
]);
$file = $this
->getTestFile('text');
$xpath = "//details[@data-drupal-selector='edit-{$html_name}']/div[@class='details-wrapper']/table";
$this
->drupalGet('node/add/article');
$elements = $this
->xpath($xpath);
// If the field has no item, the table should not be visible.
$this
->assertCount(0, $elements);
// Upload a file.
$edit['files[' . $field_name . '_0][]'] = $this->container
->get('file_system')
->realpath($file
->getFileUri());
$this
->submitForm($edit, "{$field_name}_0_upload_button");
$elements = $this
->xpath($xpath);
// If the field has at least one item, the table should be visible.
$this
->assertCount(1, $elements);
// Test for AJAX error when using progress bar on file field widget.
$http_client = $this
->getHttpClient();
$key = $this
->randomMachineName();
$post_request = $http_client
->request('POST', $this
->buildUrl('file/progress/' . $key), [
'headers' => [
'Accept' => 'application/json',
'Content-Type' => 'application/x-www-form-urlencoded',
],
'http_errors' => FALSE,
]);
$this
->assertNotEquals(500, $post_request
->getStatusCode());
$body = Json::decode($post_request
->getBody());
$this
->assertStringContainsString('Starting upload...', $body['message']);
}
/**
* Tests exploiting the temporary file removal of another user using fid.
*/
public function testTemporaryFileRemovalExploit() {
// Create a victim user.
$victim_user = $this
->drupalCreateUser();
// Create an attacker user.
$attacker_user = $this
->drupalCreateUser([
'access content',
'create article content',
'edit any article content',
]);
// Log in as the attacker user.
$this
->drupalLogin($attacker_user);
// Perform tests using the newly created users.
$this
->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user);
}
/**
* Tests exploiting the temporary file removal for anonymous users using fid.
*/
public function testTemporaryFileRemovalExploitAnonymous() {
// Set up an anonymous victim user.
$victim_user = User::getAnonymousUser();
// Set up an anonymous attacker user.
$attacker_user = User::getAnonymousUser();
// Set up permissions for anonymous attacker user.
user_role_change_permissions(RoleInterface::ANONYMOUS_ID, [
'access content' => TRUE,
'create article content' => TRUE,
'edit any article content' => TRUE,
]);
// Log out so as to be the anonymous attacker user.
$this
->drupalLogout();
// Perform tests using the newly set up anonymous users.
$this
->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user);
}
/**
* Tests maximum upload file size validation.
*/
public function testMaximumUploadFileSizeValidation() {
// Grant the admin user required permissions.
user_role_grant_permissions($this->adminUser->roles[0]->target_id, [
'administer node fields',
]);
$type_name = 'article';
$field_name = strtolower($this
->randomMachineName());
$this
->createFileField($field_name, 'node', $type_name);
/** @var \Drupal\Field\FieldConfigInterface $field */
$field = FieldConfig::loadByName('node', $type_name, $field_name);
$field_id = $field
->id();
$this
->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}");
// Tests that form validation trims the user input.
$edit = [
'settings[max_filesize]' => ' 5.1 megabytes ',
];
$this
->submitForm($edit, 'Save settings');
$this
->assertSession()
->pageTextContains('Saved ' . $field_name . ' configuration.');
// Reload the field config to check for the saved value.
/** @var \Drupal\Field\FieldConfigInterface $field */
$field = FieldConfig::loadByName('node', $type_name, $field_name);
$settings = $field
->getSettings();
$this
->assertEquals('5.1 megabytes', $settings['max_filesize'], 'The max filesize value had been trimmed on save.');
}
/**
* Tests configuring file field's allowed file extensions setting.
*/
public function testFileExtensionsSetting() {
// Grant the admin user required permissions.
user_role_grant_permissions($this->adminUser->roles[0]->target_id, [
'administer node fields',
]);
$type_name = 'article';
$field_name = strtolower($this
->randomMachineName());
$this
->createFileField($field_name, 'node', $type_name);
$field = FieldConfig::loadByName('node', $type_name, $field_name);
$field_id = $field
->id();
// By default allowing .php files without .txt is not permitted.
$this
->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}");
$edit = [
'settings[file_extensions]' => 'jpg php',
];
$this
->submitForm($edit, 'Save settings');
$this
->assertSession()
->pageTextContains('Add txt to the list of allowed extensions to securely upload files with a php extension. The txt extension will then be added automatically.');
// Test allowing .php and .txt.
$edit = [
'settings[file_extensions]' => 'jpg php txt',
];
$this
->submitForm($edit, 'Save settings');
$this
->assertSession()
->pageTextContains('Saved ' . $field_name . ' configuration.');
// If the system is configured to allow insecure uploads, .txt is not
// required when allowing .php.
$this
->config('system.file')
->set('allow_insecure_uploads', TRUE)
->save();
$this
->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}");
$edit = [
'settings[file_extensions]' => 'jpg php',
];
$this
->submitForm($edit, 'Save settings');
$this
->assertSession()
->pageTextContains('Saved ' . $field_name . ' configuration.');
// Check that a file extension with an underscore can be configured.
$edit = [
'settings[file_extensions]' => 'x_t x.t xt x_y_t',
];
$this
->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}");
$this
->submitForm($edit, 'Save settings');
$field = FieldConfig::loadByName('node', $type_name, $field_name);
$this
->assertEquals('x_t x.t xt x_y_t', $field
->getSetting('file_extensions'));
// Check that a file field with an invalid value in allowed extensions
// property throws an error message.
$invalid_extensions = [
'x_.t',
'x._t',
'xt_',
'x__t',
'_xt',
];
foreach ($invalid_extensions as $value) {
$edit = [
'settings[file_extensions]' => $value,
];
$this
->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}");
$this
->submitForm($edit, 'Save settings');
$this
->assertSession()
->pageTextContains("The list of allowed extensions is not valid. Allowed characters are a-z, 0-9, '.', and '_'. The first and last characters cannot be '.' or '_', and these two characters cannot appear next to each other. Separate extensions with a comma or space.");
}
}
/**
* Helper for testing exploiting the temporary file removal using fid.
*
* @param \Drupal\user\UserInterface $victim_user
* The victim user.
* @param \Drupal\user\UserInterface $attacker_user
* The attacker user.
*/
protected function doTestTemporaryFileRemovalExploit(UserInterface $victim_user, UserInterface $attacker_user) {
$type_name = 'article';
$field_name = 'test_file_field';
$this
->createFileField($field_name, 'node', $type_name);
$test_file = $this
->getTestFile('text');
$type = 'no-js';
// Create a temporary file owned by the victim user. This will be as if
// they had uploaded the file, but not saved the node they were editing
// or creating.
$victim_tmp_file = $this
->createTemporaryFile('some text', $victim_user);
$victim_tmp_file = File::load($victim_tmp_file
->id());
$this
->assertTrue($victim_tmp_file
->isTemporary(), 'New file saved to disk is temporary.');
$this
->assertFalse(empty($victim_tmp_file
->id()), 'New file has an fid.');
$this
->assertEquals($victim_user
->id(), $victim_tmp_file
->getOwnerId(), 'New file belongs to the victim.');
// Have attacker create a new node with a different uploaded file and
// ensure it got uploaded successfully.
$edit = [
'title[0][value]' => $type . '-title',
];
// Attach a file to a node.
$edit['files[' . $field_name . '_0]'] = $this->container
->get('file_system')
->realpath($test_file
->getFileUri());
$this
->drupalGet(Url::fromRoute('node.add', [
'node_type' => $type_name,
]));
$this
->submitForm($edit, 'Save');
$node = $this
->drupalGetNodeByTitle($edit['title[0][value]']);
/** @var \Drupal\file\FileInterface $node_file */
$node_file = File::load($node->{$field_name}->target_id);
$this
->assertFileExists($node_file
->getFileUri());
$this
->assertEquals($attacker_user
->id(), $node_file
->getOwnerId(), 'New file belongs to the attacker.');
// Ensure the file can be downloaded.
$this
->drupalGet($node_file
->createFileUrl());
$this
->assertSession()
->statusCodeEquals(200);
// "Click" the remove button (emulating either a nojs or js submission).
// In this POST request, the attacker "guesses" the fid of the victim's
// temporary file and uses that to remove this file.
$this
->drupalGet($node
->toUrl('edit-form'));
$file_id_field = $this
->assertSession()
->hiddenFieldExists($field_name . '[0][fids]');
$file_id_field
->setValue((string) $victim_tmp_file
->id());
$this
->submitForm([], 'Remove');
// The victim's temporary file should not be removed by the attacker's
// POST request.
$this
->assertFileExists($victim_tmp_file
->getFileUri());
}
}
Members
Name | Modifiers | Type | Description | Overrides |
---|---|---|---|---|
AssertLegacyTrait:: |
protected | function | ||
AssertLegacyTrait:: |
protected | function | Asserts whether an expected cache tag was present in the last response. | |
AssertLegacyTrait:: |
protected | function | Asserts that the element with the given CSS selector is not present. | |
AssertLegacyTrait:: |
protected | function | Asserts that the element with the given CSS selector is present. | |
AssertLegacyTrait:: |
protected | function | ||
AssertLegacyTrait:: |
protected | function | Passes if the raw text IS found escaped on the loaded page, fail otherwise. | |
AssertLegacyTrait:: |
protected | function | Asserts that a field exists with the given name or ID. | |
AssertLegacyTrait:: |
protected | function | Asserts that a field exists with the given ID and value. | |
AssertLegacyTrait:: |
protected | function | Asserts that a field exists with the given name and value. | |
AssertLegacyTrait:: |
protected | function | Asserts that a field exists in the current page by the given XPath. | |
AssertLegacyTrait:: |
protected | function | Asserts that a checkbox field in the current page is checked. | |
AssertLegacyTrait:: |
protected | function | Asserts that a field exists in the current page with a given Xpath result. | |
AssertLegacyTrait:: |
protected | function | Checks that current response header equals value. | |
AssertLegacyTrait:: |
protected | function | ||
AssertLegacyTrait:: |
protected | function | ||
AssertLegacyTrait:: |
protected | function | Passes if a link with the specified label is found. | |
AssertLegacyTrait:: |
protected | function | Passes if a link containing a given href (part) is found. | |
AssertLegacyTrait:: |
protected | function | Asserts whether an expected cache tag was absent in the last response. | |
AssertLegacyTrait:: |
protected | function | Passes if the raw text is not found escaped on the loaded page. | |
AssertLegacyTrait:: |
protected | function | Asserts that a field does NOT exist with the given name or ID. | |
AssertLegacyTrait:: |
protected | function | Asserts that a field does not exist with the given ID and value. | |
AssertLegacyTrait:: |
protected | function | Asserts that a field does not exist with the given name and value. | |
AssertLegacyTrait:: |
protected | function | Asserts that a field does not exist or its value does not match, by XPath. | |
AssertLegacyTrait:: |
protected | function | Asserts that a checkbox field in the current page is not checked. | |
AssertLegacyTrait:: |
protected | function | Passes if a link with the specified label is not found. | |
AssertLegacyTrait:: |
protected | function | Passes if a link containing a given href (part) is not found. | |
AssertLegacyTrait:: |
protected | function | Asserts that a select option does NOT exist in the current page. | |
AssertLegacyTrait:: |
protected | function | Triggers a pass if the Perl regex pattern is not found in the raw content. | |
AssertLegacyTrait:: |
protected | function | Passes if the raw text IS not found on the loaded page, fail otherwise. | |
AssertLegacyTrait:: |
protected | function | ||
AssertLegacyTrait:: |
protected | function | Passes if the page (with HTML stripped) does not contains the text. | |
AssertLegacyTrait:: |
protected | function | ||
AssertLegacyTrait:: |
protected | function | Passes if the text is found MORE THAN ONCE on the text version of the page. | |
AssertLegacyTrait:: |
protected | function | Asserts that a select option in the current page exists. | |
AssertLegacyTrait:: |
protected | function | Asserts that a select option with the visible text exists. | |
AssertLegacyTrait:: |
protected | function | Asserts that a select option in the current page is checked. | |
AssertLegacyTrait:: |
protected | function | Triggers a pass if the Perl regex pattern is found in the raw content. | |
AssertLegacyTrait:: |
protected | function | Passes if the raw text IS found on the loaded page, fail otherwise. | |
AssertLegacyTrait:: |
protected | function | Asserts the page responds with the specified response code. | |
AssertLegacyTrait:: |
protected | function | Passes if the page (with HTML stripped) contains the text. | |
AssertLegacyTrait:: |
protected | function | Helper for assertText and assertNoText. | |
AssertLegacyTrait:: |
protected | function | Pass if the page title is the given string. | |
AssertLegacyTrait:: |
protected | function | Passes if the text is found ONLY ONCE on the text version of the page. | |
AssertLegacyTrait:: |
protected | function | Passes if the internal browser's URL matches the given path. | |
AssertLegacyTrait:: |
protected | function | Builds an XPath query. | |
AssertLegacyTrait:: |
protected | function | Helper: Constructs an XPath for the given set of attributes and value. | |
AssertLegacyTrait:: |
protected | function | Get all option elements, including nested options, in a select. | |
AssertLegacyTrait:: |
protected | function | Gets the current raw content. | |
AssertLegacyTrait:: |
protected | function | ||
AssertLegacyTrait:: |
protected | function | ||
BlockCreationTrait:: |
protected | function | Creates a block instance based on default settings. Aliased as: drupalPlaceBlock | |
BrowserHtmlDebugTrait:: |
protected | property | The Base URI to use for links to the output files. | |
BrowserHtmlDebugTrait:: |
protected | property | Class name for HTML output logging. | |
BrowserHtmlDebugTrait:: |
protected | property | Counter for HTML output logging. | |
BrowserHtmlDebugTrait:: |
protected | property | Counter storage for HTML output logging. | |
BrowserHtmlDebugTrait:: |
protected | property | Directory name for HTML output logging. | |
BrowserHtmlDebugTrait:: |
protected | property | HTML output output enabled. | |
BrowserHtmlDebugTrait:: |
protected | property | The file name to write the list of URLs to. | |
BrowserHtmlDebugTrait:: |
protected | property | HTML output test ID. | |
BrowserHtmlDebugTrait:: |
protected | function | Formats HTTP headers as string for HTML output logging. | |
BrowserHtmlDebugTrait:: |
protected | function | Returns headers in HTML output format. | 1 |
BrowserHtmlDebugTrait:: |
protected | function | Provides a Guzzle middleware handler to log every response received. | |
BrowserHtmlDebugTrait:: |
protected | function | Logs a HTML output message in a text file. | |
BrowserHtmlDebugTrait:: |
protected | function | Creates the directory to store browser output. | |
BrowserTestBase:: |
protected | property | The base URL. | |
BrowserTestBase:: |
protected | property | The config importer that can be used in a test. | |
BrowserTestBase:: |
protected | property | An array of custom translations suitable for drupal_rewrite_settings(). | |
BrowserTestBase:: |
protected | property | The database prefix of this test run. | |
BrowserTestBase:: |
protected | property | Mink session manager. | |
BrowserTestBase:: |
protected | property | Mink default driver params. | |
BrowserTestBase:: |
protected | property | Mink class for the default driver to use. | 1 |
BrowserTestBase:: |
protected | property | The original container. | |
BrowserTestBase:: |
protected | property | The original array of shutdown function callbacks. | |
BrowserTestBase:: |
protected | property | ||
BrowserTestBase:: |
protected | property | The profile to install as a basis for testing. | 39 |
BrowserTestBase:: |
protected | property | The app root. | |
BrowserTestBase:: |
protected | property | Browser tests are run in separate processes to prevent collisions between code that may be loaded by tests. | |
BrowserTestBase:: |
protected | property | Time limit in seconds for the test. | |
BrowserTestBase:: |
protected | property | The translation file directory for the test environment. | |
BrowserTestBase:: |
protected | function | Clean up the Simpletest environment. | |
BrowserTestBase:: |
protected | function | Configuration accessor for tests. Returns non-overridden configuration. | |
BrowserTestBase:: |
protected | function | Gets the value of an HTTP response header. | |
BrowserTestBase:: |
public static | function | Ensures test files are deletable. | |
BrowserTestBase:: |
protected | function | Gets an instance of the default Mink driver. | |
BrowserTestBase:: |
protected | function | Gets the JavaScript drupalSettings variable for the currently-loaded page. | 1 |
BrowserTestBase:: |
protected | function | Obtain the HTTP client for the system under test. | |
BrowserTestBase:: |
protected | function | Get the Mink driver args from an environment variable, if it is set. Can be overridden in a derived class so it is possible to use a different value for a subset of tests, e.g. the JavaScript tests. | 1 |
BrowserTestBase:: |
protected | function | Helper function to get the options of select field. | |
BrowserTestBase:: |
public | function | Returns Mink session. | |
BrowserTestBase:: |
protected | function | Get session cookies from current session. | |
BrowserTestBase:: |
protected | function |
Retrieves the current calling line in the class under test. Overrides BrowserHtmlDebugTrait:: |
|
BrowserTestBase:: |
protected | function | Visits the front page when initializing Mink. | 3 |
BrowserTestBase:: |
protected | function | Initializes Mink sessions. | 1 |
BrowserTestBase:: |
public | function | Installs Drupal into the Simpletest site. | 1 |
BrowserTestBase:: |
protected | function | Registers additional Mink sessions. | |
BrowserTestBase:: |
protected | function | Sets up the root application path. | |
BrowserTestBase:: |
public static | function | 1 | |
BrowserTestBase:: |
protected | function | 3 | |
BrowserTestBase:: |
protected | function | Transforms a nested array into a flat array suitable for submitForm(). | |
BrowserTestBase:: |
protected | function | Performs an xpath search on the contents of the internal browser. | |
BrowserTestBase:: |
public | function | Prevents serializing any properties. | |
CommentTestTrait:: |
public | function | Adds the default comment field to an entity. | |
ConfigTestTrait:: |
protected | function | Returns a ConfigImporter object to import test configuration. | |
ConfigTestTrait:: |
protected | function | Copies configuration objects from source storage to target storage. | |
ContentTypeCreationTrait:: |
protected | function | Creates a custom content type based on default settings. Aliased as: drupalCreateContentType | 1 |
ExtensionListTestTrait:: |
protected | function | Gets the path for the specified module. | |
ExtensionListTestTrait:: |
protected | function | Gets the path for the specified theme. | |
FieldUiTestTrait:: |
public | function | Adds an existing field through the Field UI. | |
FieldUiTestTrait:: |
public | function | Creates a new field through the Field UI. | |
FieldUiTestTrait:: |
public | function | Deletes a field through the Field UI. | |
FileFieldCreationTrait:: |
public | function | Attaches a file field to an entity. | |
FileFieldCreationTrait:: |
public | function | Creates a new file field. | |
FileFieldTestBase:: |
protected | property | A user with administration permissions. | |
FileFieldTestBase:: |
public | function | Asserts that a file exists in the database. | |
FileFieldTestBase:: |
public | function | Asserts that a file does not exist in the database. | |
FileFieldTestBase:: |
public | function | Asserts that a file's status is set to permanent in the database. | |
FileFieldTestBase:: |
public | function | Retrieves the fid of the last inserted file. | |
FileFieldTestBase:: |
public | function | Retrieves a sample file of the specified type. | |
FileFieldTestBase:: |
public | function | Removes a file from a node. | |
FileFieldTestBase:: |
public | function | Replaces a file within a node. | |
FileFieldTestBase:: |
public | function | Updates an existing file field with new settings. | |
FileFieldTestBase:: |
public | function | Uploads a file to a node. | |
FileFieldTestBase:: |
public | function | Uploads multiple files to a node. | |
FileFieldWidgetTest:: |
protected | property |
The theme to install as the default for testing. Overrides BrowserTestBase:: |
|
FileFieldWidgetTest:: |
protected static | property |
Modules to enable. Overrides FileFieldTestBase:: |
|
FileFieldWidgetTest:: |
protected | function | Creates a temporary file, for a specific user. | |
FileFieldWidgetTest:: |
protected | function | Helper for testing exploiting the temporary file removal using fid. | |
FileFieldWidgetTest:: |
protected | function |
Overrides FileFieldTestBase:: |
|
FileFieldWidgetTest:: |
public | function | Tests configuring file field's allowed file extensions setting. | |
FileFieldWidgetTest:: |
public | function | Tests maximum upload file size validation. | |
FileFieldWidgetTest:: |
public | function | Tests upload and remove buttons for multiple multi-valued File fields. | |
FileFieldWidgetTest:: |
public | function | Tests that download restrictions on private files work on comments. | |
FileFieldWidgetTest:: |
public | function | Tests a file field with a "Private files" upload destination setting. | |
FileFieldWidgetTest:: |
public | function | Tests upload and remove buttons for a single-valued File field. | |
FileFieldWidgetTest:: |
public | function | Tests exploiting the temporary file removal of another user using fid. | |
FileFieldWidgetTest:: |
public | function | Tests exploiting the temporary file removal for anonymous users using fid. | |
FileFieldWidgetTest:: |
public | function | Tests file widget element. | |
FileFieldWidgetTest:: |
public | function | Tests validation with the Upload button. | |
FunctionalTestSetupTrait:: |
protected | property | The flag to set 'apcu_ensure_unique_prefix' setting. | 1 |
FunctionalTestSetupTrait:: |
protected | property | The class loader to use for installation and initialization of setup. | |
FunctionalTestSetupTrait:: |
protected | property | The "#1" admin user. | |
FunctionalTestSetupTrait:: |
protected | function | Execute the non-interactive installer. | 1 |
FunctionalTestSetupTrait:: |
protected | function | Returns all supported database driver installer objects. | |
FunctionalTestSetupTrait:: |
protected | function | Initialize various configurations post-installation. | 1 |
FunctionalTestSetupTrait:: |
protected | function | Initializes the kernel after installation. | |
FunctionalTestSetupTrait:: |
protected | function | Initialize settings created during install. | |
FunctionalTestSetupTrait:: |
protected | function | Initializes user 1 for the site to be installed. | |
FunctionalTestSetupTrait:: |
protected | function | Installs the default theme defined by `static::$defaultTheme` when needed. | |
FunctionalTestSetupTrait:: |
protected | function | Install modules defined by `static::$modules`. | 1 |
FunctionalTestSetupTrait:: |
protected | function | Returns the parameters that will be used when Simpletest installs Drupal. | 9 |
FunctionalTestSetupTrait:: |
protected | function | Prepares the current environment for running the test. | 20 |
FunctionalTestSetupTrait:: |
protected | function | Creates a mock request and sets it on the generator. | |
FunctionalTestSetupTrait:: |
protected | function | Prepares site settings and services before installation. | 2 |
FunctionalTestSetupTrait:: |
protected | function | Resets and rebuilds the environment after setup. | |
FunctionalTestSetupTrait:: |
protected | function | Rebuilds \Drupal::getContainer(). | |
FunctionalTestSetupTrait:: |
protected | function | Resets all data structures after having enabled new modules. | |
FunctionalTestSetupTrait:: |
protected | function | Changes parameters in the services.yml file. | |
FunctionalTestSetupTrait:: |
protected | function | Sets up the base URL based upon the environment variable. | |
FunctionalTestSetupTrait:: |
protected | function | Rewrites the settings.php file of the test site. | 1 |
NodeCreationTrait:: |
protected | function | Creates a node based on default settings. Aliased as: drupalCreateNode | |
NodeCreationTrait:: |
public | function | Get a node from the database based on its title. Aliased as: drupalGetNodeByTitle | |
PhpUnitWarnings:: |
private static | property | Deprecation warnings from PHPUnit to raise with @trigger_error(). | |
PhpUnitWarnings:: |
public | function | Converts PHPUnit deprecation warnings to E_USER_DEPRECATED. | |
RandomGeneratorTrait:: |
protected | property | The random generator. | |
RandomGeneratorTrait:: |
protected | function | Gets the random generator for the utility methods. | |
RandomGeneratorTrait:: |
protected | function | Generates a unique random string containing letters and numbers. | 1 |
RandomGeneratorTrait:: |
public | function | Generates a random PHP object. | |
RandomGeneratorTrait:: |
public | function | Generates a pseudo-random string of ASCII characters of codes 32 to 126. | |
RandomGeneratorTrait:: |
public | function | Callback for random string validation. | |
RefreshVariablesTrait:: |
protected | function | Refreshes in-memory configuration and state information. | 1 |
SessionTestTrait:: |
protected | property | The name of the session cookie. | |
SessionTestTrait:: |
protected | function | Generates a session cookie name. | |
SessionTestTrait:: |
protected | function | Returns the session name in use on the child site. | |
StorageCopyTrait:: |
protected static | function | Copy the configuration from one storage to another and remove stale items. | |
TestFileCreationTrait:: |
protected | property | Whether the files were copied to the test files directory. | |
TestFileCreationTrait:: |
protected | function | Compares two files based on size and file name. | |
TestFileCreationTrait:: |
public static | function | Generates a test file. | |
TestFileCreationTrait:: |
protected | function | Gets a list of files that can be used in tests. Aliased as: drupalGetTestFiles | |
TestRequirementsTrait:: |
private | function | Checks missing module requirements. | |
TestRequirementsTrait:: |
protected | function | Check module requirements for the Drupal use case. | 1 |
TestRequirementsTrait:: |
protected static | function | Returns the Drupal root directory. | |
TestSetupTrait:: |
protected static | property | An array of config object names that are excluded from schema checking. | |
TestSetupTrait:: |
protected | property | The dependency injection container used in the test. | |
TestSetupTrait:: |
protected | property | The DrupalKernel instance used in the test. | |
TestSetupTrait:: |
protected | property | The site directory of the original parent site. | |
TestSetupTrait:: |
protected | property | The private file directory for the test environment. | |
TestSetupTrait:: |
protected | property | The public file directory for the test environment. | |
TestSetupTrait:: |
protected | property | The site directory of this test run. | |
TestSetupTrait:: |
protected | property | Set to TRUE to strict check all configuration saved. | 1 |
TestSetupTrait:: |
protected | property | The temporary file directory for the test environment. | |
TestSetupTrait:: |
protected | property | The test run ID. | |
TestSetupTrait:: |
protected | function | Changes the database connection to the prefixed one. | |
TestSetupTrait:: |
protected | function | Gets the config schema exclusions for this test. | |
TestSetupTrait:: |
public static | function | Returns the database connection to the site running Simpletest. | |
TestSetupTrait:: |
protected | function | Generates a database prefix for running tests. | 1 |
UiHelperTrait:: |
protected | property | The current user logged in using the Mink controlled browser. | |
UiHelperTrait:: |
protected | property | The number of meta refresh redirects to follow, or NULL if unlimited. | |
UiHelperTrait:: |
protected | property | The number of meta refresh redirects followed during ::drupalGet(). | |
UiHelperTrait:: |
public | function | Returns WebAssert object. | 1 |
UiHelperTrait:: |
protected | function | Builds an absolute URL from a system path or a URL object. | |
UiHelperTrait:: |
protected | function | Checks for meta refresh tag and if found call drupalGet() recursively. | |
UiHelperTrait:: |
protected | function | Clicks the element with the given CSS selector. | |
UiHelperTrait:: |
protected | function | Follows a link by complete name. | |
UiHelperTrait:: |
protected | function | Searches elements using a CSS selector in the raw content. | |
UiHelperTrait:: |
protected | function | Translates a CSS expression to its XPath equivalent. | |
UiHelperTrait:: |
protected | function | Retrieves a Drupal path or an absolute path. | 2 |
UiHelperTrait:: |
protected | function | Logs in a user using the Mink controlled browser. | |
UiHelperTrait:: |
protected | function | Logs a user out of the Mink controlled browser and confirms. | |
UiHelperTrait:: |
protected | function | Executes a form submission. | |
UiHelperTrait:: |
protected | function | Returns whether a given user account is logged in. | |
UiHelperTrait:: |
protected | function | Takes a path and returns an absolute path. | |
UiHelperTrait:: |
protected | function | Retrieves the plain-text content from the current page. | |
UiHelperTrait:: |
protected | function | Get the current URL from the browser. | |
UiHelperTrait:: |
protected | function | Determines if test is using DrupalTestBrowser. | |
UiHelperTrait:: |
protected | function | Prepare for a request to testing site. | 1 |
UiHelperTrait:: |
protected | function | Fills and submits a form. | |
UserCreationTrait:: |
protected | function | Checks whether a given list of permission names is valid. | |
UserCreationTrait:: |
protected | function | Creates an administrative role. | |
UserCreationTrait:: |
protected | function | Creates a role with specified permissions. Aliased as: drupalCreateRole | |
UserCreationTrait:: |
protected | function | Create a user with a given set of permissions. Aliased as: drupalCreateUser | |
UserCreationTrait:: |
protected | function | Grant permissions to a user role. | |
UserCreationTrait:: |
protected | function | Switch the current logged in user. | |
UserCreationTrait:: |
protected | function | Creates a random user account and sets it as current user. | |
XdebugRequestTrait:: |
protected | function | Adds xdebug cookies, from request setup. |