public function QuickEditEndPointAccessTest::testEndPointAccess in Drupal 9
Same name and namespace in other branches
- 8 core/modules/quickedit/tests/src/Functional/QuickEditEndPointAccessTest.php \Drupal\Tests\quickedit\Functional\QuickEditEndPointAccessTest::testEndPointAccess()
Tests that Quick Edit endpoints are protected from anonymous requests.
File
- core/modules/quickedit/tests/src/Functional/QuickEditEndPointAccessTest.php, line 44
Class
- QuickEditEndPointAccessTest
- Tests accessing the Quick Edit endpoints.
Namespace
Drupal\Tests\quickedit\Functional
Code
public function testEndPointAccess() {
  // Quick Edit's JavaScript would never hit these endpoints, but we need to
  // make sure that malicious users aren't able to use any of the other
  // endpoints either.
  // 1. The attachments endpoint.
  $url = $this->buildUrl('/quickedit/attachments');
  $post = [
    'editors[0]' => 'form',
  ];
  $this->assertAccessIsBlocked($url, $post);

  // 2. The field form endpoint for the body field of a new article node.
  $node = $this->createNode([
    'type' => 'article',
  ]);
  $url = $this->buildUrl('quickedit/form/node/' . $node->id() . '/body/en/full');
  $post = [
    'nocssjs' => 'true',
  ];
  $this->assertAccessIsBlocked($url, $post);

  // 3. The same endpoint, this time with a field form submission that uses
  // hard-coded form_token and form_build_id values.
  $edit = [];
  $edit['form_id'] = 'quickedit_field_form';
  $edit['form_token'] = 'xIOzMjuc-PULKsRn_KxFn7xzNk5Bx7XKXLfQfw1qOnA';
  $edit['form_build_id'] = 'form-kVmovBpyX-SJfTT5kY0pjTV35TV-znor--a64dEnMR8';
  $edit['body[0][summary]'] = '';
  $edit['body[0][value]'] = '<p>Malicious content.</p>';
  $edit['body[0][format]'] = 'filtered_html';
  $edit['op'] = t('Save');
  $this->assertAccessIsBlocked($url, $edit);

  // 4. The entity endpoint for the same node.
  $post = [
    'nocssjs' => 'true',
  ];
  $url = $this->buildUrl('quickedit/entity/node/' . $node->id());
  $this->assertAccessIsBlocked($url, $post);
}