public function TriggeringElementTest::testAttemptAccessControlBypass in Drupal 8

Same name and namespace in other branches
  1. Branch 9: core/modules/system/tests/src/FunctionalJavascript/Form/TriggeringElementTest.php \Drupal\Tests\system\FunctionalJavascript\Form\TriggeringElementTest::testAttemptAccessControlBypass()
  2. Branch 10: core/modules/system/tests/src/FunctionalJavascript/Form/TriggeringElementTest.php \Drupal\Tests\system\FunctionalJavascript\Form\TriggeringElementTest::testAttemptAccessControlBypass()

Tests attempts to bypass access control.

Tests that the triggering element is never set to a button with #access=FALSE, even when the submitted data names that button.

File

core/modules/system/tests/src/FunctionalJavascript/Form/TriggeringElementTest.php, line 88

Class

TriggeringElementTest
Tests that FAPI correctly determines the triggering element.

Namespace

Drupal\Tests\system\FunctionalJavascript\Form

Code

public function testAttemptAccessControlBypass() {
  $path = 'form-test/clicked-button';
  $form_html_id = 'form-test-clicked-button';

  // Retrieve a form where 'button1' has #access=FALSE and 'button2' doesn't.
  $this->drupalGet($path . '/rs/s');

  // Submit the form with 'button1=button1' in the POST data, which someone
  // trying to get around security safeguards could easily do. A little
  // trickery is needed to work around the safeguards in drupalPostForm():
  // renaming the text field in the form to 'button1' (with value 'button1')
  // gets the data we want into \Drupal::request()->request.
  $page = $this->getSession()->getPage();
  $input = $page->find('css', 'input[name="text"]');
  $this->assertNotNull($input, 'text input located.');

  // Mink's NodeElement::setValue() takes a single $value argument and only
  // changes the field's value, so the rename has to be done on the DOM
  // attributes directly; otherwise the POST data would never contain button1.
  $this->getSession()->executeScript(
    'var input = document.querySelector(\'input[name="text"]\'); input.name = "button1"; input.value = "button1";'
  );
  $this->xpath('//form[@id="' . $form_html_id . '"]//input[@type="submit"]')[0]->click();

  // Ensure that the triggering element was not set to the restricted button.
  // Do this with both a negative and positive assertion, because negative
  // assertions alone can be brittle. See testNoButtonInfoInPost() for why the
  // triggering element gets set to 'button2'.
  $this->assertSession()->pageTextNotContains('The clicked button is button1.');
  $this->assertSession()->pageTextContains('The clicked button is button2.');
}
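The rule this test verifies, shown as an added illustration that is not Drupal's FormBuilder code: the triggering element is chosen only among buttons that pass server-side access control, and when the input names no accessible button the first accessible one is used (the fallback testNoButtonInfoInPost() relies on, which is why button2 wins above). The function name, the button array shape and the sample input are all hypothetical.

```php
<?php
// Hypothetical model of triggering-element selection (not Drupal core code).
// $buttons: form button definitions in form order; $input: submitted data.
function determineTriggeringElement(array $buttons, array $input): ?array {
  // Honour the server-side form definition first: a button with
  // '#access' => FALSE is never a candidate, whatever the client posted.
  $candidates = array_filter($buttons, function (array $button) {
    return !isset($button['#access']) || $button['#access'] !== FALSE;
  });

  // A button counts as clicked only if the input carries its name and value.
  foreach ($candidates as $button) {
    $name = $button['#name'];
    if (isset($input[$name]) && $input[$name] === $button['#value']) {
      return $button;
    }
  }

  // No usable button information in the input (Enter key, or an attempt to
  // trigger a restricted button): fall back to the first accessible button.
  return $candidates ? reset($candidates) : NULL;
}

// Constructed sample form mirroring form-test/clicked-button: button1 is
// restricted, button2 is not.
$buttons = [
  ['#name' => 'button1', '#value' => 'button1', '#access' => FALSE],
  ['#name' => 'button2', '#value' => 'button2'],
];

// The test's scenario: the POST data claims button1 was clicked.
$triggered = determineTriggeringElement($buttons, ['button1' => 'button1', 'text' => 'x']);
assert($triggered['#name'] === 'button2');

// A genuine click on the visible button is still honoured.
$triggered = determineTriggeringElement($buttons, ['button2' => 'button2']);
assert($triggered['#name'] === 'button2');

// Without the access filter the forged input would have selected button1,
// which is exactly the condition the test guards against.
$unfiltered = array_map(function (array $b) { unset($b['#access']); return $b; }, $buttons);
assert(determineTriggeringElement($unfiltered, ['button1' => 'button1'])['#name'] === 'button1');
```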