
public function QuickEditLoadingTest::testUserWithoutPermission in Quick Edit 7

Tests the loading of Quick Edit when a user doesn't have access to it.

File

./quickedit.test, line 76
Tests loading of Quick Edit and lazy-loading of in-place editors.

Class

QuickEditLoadingTest
Tests loading of Quick Edit and lazy-loading of in-place editors.

Code

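/**
 * Tests the loading of Quick Edit when a user doesn't have access to it.
 *
 * Logs in as $this->author_user (who lacks in-place editing access) and
 * checks that:
 * - the Quick Edit library and the 'form' in-place editor are not attached to
 *   the page;
 * - the HTML annotations Quick Edit uses to locate editable entities and
 *   fields are absent;
 * - every Quick Edit endpoint (metadata, attachments, form load, form submit,
 *   entity save) refuses the request, so the missing UI cannot be bypassed by
 *   calling the endpoints directly.
 */
public function testUserWithoutPermission() {
  $this->drupalLogin($this->author_user);
  $this->drupalGet('node/1');

  // Library and in-place editors.
  $settings = $this->drupalGetSettings();
  $module_path = drupal_get_path('module', 'quickedit');
  $this->assertFalse(isset($settings['ajaxPageState']['js'][$module_path . '/js/quickedit.js']), 'Quick Edit library not loaded.');
  $this->assertFalse(isset($settings['ajaxPageState']['js'][$module_path . '/quickedit/js/editors/formEditor.js']), "'form' in-place editor not loaded.");

  // HTML annotation does not exist for users without permission to in-place
  // edit.
  $this->assertNoRaw('data-quickedit-entity-id="node/1"');
  $this->assertNoRaw('data-quickedit-field-id="node/1/body/und/full"');

  // Retrieving the metadata should result in an empty 403 response.
  $post = array(
    'fields[0]' => 'node/1/body/und/full',
  );
  $response = $this->drupalPostCustom('quickedit/metadata', 'application/json', $post);

  // @todo: Sadly, Drupal 7 returns HTML when a 403 occurs, no matter what the
  //        Content-Type is. It should be possible to work around this by
  //        moving the access check into the page callback. Question is
  //        whether that's worth the effort.
  // $this->assertIdentical('{}', $response);
  $this->assertResponse(403);

  // Quick Edit's JavaScript would never hit these endpoints if the metadata
  // was empty as above, but we need to make sure that malicious users aren't
  // able to use any of the other endpoints either. Each of the requests below
  // is a 403 in Drupal 8; in Drupal 7 the AJAX endpoints answer with 200 and
  // an 'alert' command instead, which is what
  // assertNotAuthorizedAjaxResponse() pins down.
  $post = array(
    'editors[0]' => 'form',
  ) + $this->getAjaxPageStatePostData();
  $response = $this->drupalPostCustom('quickedit/attachments', 'application/vnd.drupal-ajax', $post);
  $this->assertNotAuthorizedAjaxResponse($response, 'quickedit/attachments');

  // Loading the in-place edit form for a field.
  $post = array(
    'nocssjs' => 'true',
  ) + $this->getAjaxPageStatePostData();
  $response = $this->drupalPostCustom('quickedit/form/' . 'node/1/body/und/full', 'application/vnd.drupal-ajax', $post);
  $this->assertNotAuthorizedAjaxResponse($response, 'quickedit/form (load)');

  // Submitting the in-place edit form for a field. The form token and build
  // ID are presumably placeholders: the access check is expected to reject the
  // request before form validation would ever inspect them.
  $edit = array();
  $edit['form_id'] = 'quickedit_field_form';
  $edit['form_token'] = 'xIOzMjuc-PULKsRn_KxFn7xzNk5Bx7XKXLfQfw1qOnA';
  $edit['form_build_id'] = 'form-kVmovBpyX-SJfTT5kY0pjTV35TV-znor--a64dEnMR8';
  $edit['body[0][summary]'] = '';
  $edit['body[0][value]'] = '<p>Malicious content.</p>';
  $edit['body[0][format]'] = 'filtered_html';
  $edit['op'] = t('Save');
  $response = $this->drupalPostCustom('quickedit/form/' . 'node/1/body/und/full', 'application/vnd.drupal-ajax', $edit);
  $this->assertNotAuthorizedAjaxResponse($response, 'quickedit/form (submit)');

  // Saving the whole entity.
  $post = array(
    'nocssjs' => 'true',
  );
  $response = $this->drupalPostCustom('quickedit/entity/' . 'node/1', 'application/json', $post);
  $this->assertNotAuthorizedAjaxResponse($response, 'quickedit/entity');
}

/**
 * Asserts that an AJAX response is Drupal 7's "not authorized" response.
 *
 * A denied AJAX request in Drupal 7 is answered with HTTP 200 and exactly two
 * commands: a 'settings' command followed by an 'alert' command carrying the
 * access denied message.
 *
 * @param string $response
 *   The raw response body returned by drupalPostCustom().
 * @param string $endpoint
 *   Human-readable name of the endpoint under test; included in every
 *   assertion message so that a failure identifies which endpoint granted
 *   access.
 */
protected function assertNotAuthorizedAjaxResponse($response, $endpoint) {
  $args = array('%endpoint' => $endpoint);
  $commands = drupal_json_decode($response);
  $this->assertIdentical(2, count($commands), format_string('%endpoint: response contains exactly two AJAX commands.', $args));
  $this->assertIdentical('settings', $commands[0]['command'], format_string('%endpoint: first command is a settings command.', $args));
  $this->assertIdentical('alert', $commands[1]['command'], format_string('%endpoint: second command is an alert command.', $args));
  $this->assertIdentical('You are not authorized to access this page.', $commands[1]['text'], format_string('%endpoint: alert carries the access denied message.', $args));
  $this->assertResponse(200, format_string('%endpoint: denied AJAX request is answered with HTTP 200.', $args));
}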