public function QuickEditEndPointAccessTest::testEndPointAccess in Drupal 10

Same name and namespace in other branches
  1. 8 core/modules/quickedit/tests/src/Functional/QuickEditEndPointAccessTest.php \Drupal\Tests\quickedit\Functional\QuickEditEndPointAccessTest::testEndPointAccess()
  2. 9 core/modules/quickedit/tests/src/Functional/QuickEditEndPointAccessTest.php \Drupal\Tests\quickedit\Functional\QuickEditEndPointAccessTest::testEndPointAccess()

Tests that Quick Edit endpoints are protected from anonymous requests.

File

core/modules/quickedit/tests/src/Functional/QuickEditEndPointAccessTest.php, line 44

Class

QuickEditEndPointAccessTest
Tests accessing the Quick Edit endpoints.

Namespace

Drupal\Tests\quickedit\Functional

Code

public function testEndPointAccess() {
  // Quick Edit's JavaScript would never hit these endpoints, but we need to
  // make sure that malicious users aren't able to use any of the other
  // endpoints either. The test never logs in, so every request below is sent
  // as the anonymous user.

  // Endpoint 1: the attachments endpoint, which returns the JS/CSS needed for
  // the requested in-place editors.
  $url = $this->buildUrl('/quickedit/attachments');
  $post = [
    'editors[0]' => 'form',
  ];
  $this->assertAccessIsBlocked($url, $post);

  // Endpoint 2: the field form endpoint for a freshly created article's body
  // field, first requested the way the client would (nocssjs=true).
  $node = $this->createNode([
    'type' => 'article',
  ]);
  $url = $this->buildUrl('quickedit/form/node/' . $node->id() . '/body/en/full');
  $post = [
    'nocssjs' => 'true',
  ];
  $this->assertAccessIsBlocked($url, $post);

  // Same endpoint, this time as a forged form submission. The token and build
  // ID are hard-coded and cannot match a real session; the request must be
  // rejected by the access check before any form processing happens.
  $edit = [];
  $edit['form_id'] = 'quickedit_field_form';
  $edit['form_token'] = 'xIOzMjuc-PULKsRn_KxFn7xzNk5Bx7XKXLfQfw1qOnA';
  $edit['form_build_id'] = 'form-kVmovBpyX-SJfTT5kY0pjTV35TV-znor--a64dEnMR8';
  $edit['body[0][summary]'] = '';
  $edit['body[0][value]'] = '<p>Malicious content.</p>';
  $edit['body[0][format]'] = 'filtered_html';
  $edit['op'] = 'Save';
  $this->assertAccessIsBlocked($url, $edit);

  // Endpoint 3: the entity save endpoint, which would persist any field
  // changes staged through the form endpoint.
  $post = [
    'nocssjs' => 'true',
  ];
  $url = $this->buildUrl('quickedit/entity/node/' . $node->id());
  $this->assertAccessIsBlocked($url, $post);
}
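The helper assertAccessIsBlocked() is not shown on this page. The test class below is an added example, not Drupal core's own code, of how such a helper can be written in a BrowserTestBase functional test and what it should insist on: an exact 403 from each endpoint, not merely a non-200, and no change to the stored field afterwards. It also goes beyond the core test by repeating the requests as an authenticated user who lacks Quick Edit's 'access in-place editing' permission. Assumptions: the class name and test method name are made up for this example; the 'access content' user, the request bodies reused from the core test, and the use of BrowserTestBase's getHttpClient(), getSessionCookies(), drupalLogin() and createNode() (which populates the body field) are the example's own choices.

```php
<?php

namespace Drupal\Tests\quickedit\Functional;

use Drupal\Tests\BrowserTestBase;

/**
 * Illustrative companion to QuickEditEndPointAccessTest (example, not core).
 */
class QuickEditEndPointBlockedExampleTest extends BrowserTestBase {

  protected static $modules = ['node', 'quickedit'];

  protected $defaultTheme = 'stark';

  protected function setUp(): void {
    parent::setUp();
    $this->drupalCreateContentType(['type' => 'article']);
  }

  /**
   * POSTs to a Quick Edit endpoint and requires a hard 403.
   *
   * @param bool $authenticated
   *   When TRUE, send the session cookie of the user logged in via
   *   drupalLogin(); the raw HTTP client is otherwise anonymous.
   */
  protected function assertAccessIsBlocked(string $url, array $body, bool $authenticated = FALSE): void {
    $options = [
      'form_params' => $body,
      // The endpoints are AJAX endpoints; ask for JSON like the client would.
      'headers' => ['Accept' => 'application/json'],
      // Inspect the 403 ourselves instead of letting Guzzle throw on it.
      'http_errors' => FALSE,
    ];
    if ($authenticated) {
      $options['cookies'] = $this->getSessionCookies();
    }
    $response = $this->getHttpClient()->request('POST', $url, $options);
    // Exactly 403: a 200 carrying an error payload, or a 302 to a login form,
    // would mean the controller was actually reached.
    $this->assertSame(403, $response->getStatusCode(), "Request to $url was not rejected.");
  }

  public function testEndpointsRejectAnonymousAndUnprivilegedUsers(): void {
    // Assumption: createNode() fills the body field with a random value.
    $node = $this->createNode(['type' => 'article']);
    $original_body = $node->body->value;

    $form_url = $this->buildUrl('quickedit/form/node/' . $node->id() . '/body/en/full');
    $requests = [
      [$this->buildUrl('/quickedit/attachments'), ['editors[0]' => 'form']],
      [$form_url, ['nocssjs' => 'true']],
      // A forged submission; the token and build ID cannot be valid.
      [$form_url, [
        'form_id' => 'quickedit_field_form',
        'form_token' => 'xIOzMjuc-PULKsRn_KxFn7xzNk5Bx7XKXLfQfw1qOnA',
        'form_build_id' => 'form-kVmovBpyX-SJfTT5kY0pjTV35TV-znor--a64dEnMR8',
        'body[0][summary]' => '',
        'body[0][value]' => '<p>Malicious content.</p>',
        'body[0][format]' => 'filtered_html',
        'op' => 'Save',
      ]],
      [$this->buildUrl('quickedit/entity/node/' . $node->id()), ['nocssjs' => 'true']],
    ];

    // Anonymous, as in the core test.
    foreach ($requests as [$url, $body]) {
      $this->assertAccessIsBlocked($url, $body);
    }

    // Beyond the core test: a logged-in user without the
    // 'access in-place editing' permission must be rejected just the same.
    $this->drupalLogin($this->drupalCreateUser(['access content']));
    foreach ($requests as [$url, $body]) {
      $this->assertAccessIsBlocked($url, $body, TRUE);
    }

    // None of the rejected submissions may have changed the stored body.
    $storage = \Drupal::entityTypeManager()->getStorage('node');
    $storage->resetCache([$node->id()]);
    $this->assertSame($original_body, $storage->load($node->id())->body->value);
  }

}
```

Run it with PHPUnit from the Drupal root like any other functional test (it needs a working SIMPLETEST_BASE_URL and SIMPLETEST_DB). The final reload through the storage is deliberate: asserting only on status codes would miss a handler that writes the field and then fails late.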