
public function RestWSTestCase::testBadInputFormat in RESTful Web Services 7.2

Same name and namespace in other branches
  1. 7 restws.test \RestWSTestCase::testBadInputFormat()

Tests access to restricted input formats.

File

./restws.test, line 97
RESTful web services tests.

Class

RestWSTestCase
@file RESTful web services tests.

Code

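/**
 * Tests access to restricted input formats.
 *
 * Enables the PHP filter module and checks that the 'php_code' text format
 * can only be assigned to a node body over the REST interface by an account
 * holding the 'use text format php_code' permission. Both the create (POST)
 * and the update (PUT) paths are exercised, first with an account lacking the
 * permission (expects 403 and no stored change) and then with an account that
 * has it (expects 201 / 200 and the stored value and format).
 *
 * Security relevance: the PHP filter evaluates the field content as PHP when
 * the text is rendered, so a missing format check on either path would let an
 * account without that permission store executable content.
 */
public function testBadInputFormat() {
  module_enable(array('php'));

  // Reset the cache of valid permissions so that the PHP code format
  // permission exists.
  $this->checkPermissions(array(), TRUE);

  // Assure that users can't create nodes with unauthorized input formats.
  // Note: this account can bypass node access, so the only thing that should
  // stop the request is the text format check on the body property.
  $unprivileged_account = $this->drupalCreateUser(array(
    'bypass node access',
    'access resource node',
  ));
  $title = $this->randomName(8);
  $new_node = array(
    'body' => array(
      'value' => $this->randomName(30),
      'format' => 'php_code',
    ),
    'title' => $title,
    'type' => 'page',
  );
  $json = drupal_json_encode($new_node);
  $result = $this->httpRequest('node', 'POST', $unprivileged_account, $json);
  $this->assertResponse('403');
  $this->assertEqual($result, '403 Forbidden: Not authorized to set property body');
  // A 403 alone is not enough: confirm nothing was persisted either.
  $node = entity_load('node', FALSE, array('title' => $title));
  $this->assertEqual(count($node), 0, "Node with unauthorized input format wasn't created");

  // Check that the format is allowed if the permission is present.
  $privileged_account = $this->drupalCreateUser(array(
    'bypass node access',
    'access resource node',
    'use text format php_code',
  ));
  $this->httpRequest('node', 'POST', $privileged_account, $json);
  $this->assertResponse('201');
  $node = entity_load('node', FALSE, array('title' => $title));
  $this->assertEqual(count($node), 1, "Node was created");
  $node = reset($node);
  $this->assertEqual($node->body[LANGUAGE_NONE][0]['value'], $new_node['body']['value'], 'The new node body has the correct value');
  $this->assertEqual($node->body[LANGUAGE_NONE][0]['format'], 'php_code', 'The new node has the correct format');

  // Address the node by the ID it was actually given instead of assuming it
  // is node 1, so the update checks below cannot silently target (or miss)
  // a different node if the fixture set ever changes.
  $nid = $node->nid;
  $resource = 'node/' . $nid;

  // Check that users can't update nodes with unauthorized input formats.
  // The node is first moved to a harmless format so that a successful
  // unauthorized update would be visible as a format change.
  $node->body[LANGUAGE_NONE][0]['format'] = 'filtered_html';
  node_save($node);
  $new_body = $this->randomName(30);
  $update = array(
    'body' => array(
      'value' => $new_body,
      'format' => 'php_code',
    ),
  );
  $json = drupal_json_encode($update);
  $result = $this->httpRequest($resource, 'PUT', $unprivileged_account, $json);
  $this->assertResponse('403');
  $this->assertEqual($result, '403 Forbidden: Not authorized to set property body');
  // Reload bypassing the static cache to inspect what is really stored.
  $node = node_load($nid, NULL, TRUE);
  $this->assertNotEqual($node->body[LANGUAGE_NONE][0]['value'], $new_body, 'The node body was not changed by the unauthorized update');
  $this->assertEqual($node->body[LANGUAGE_NONE][0]['format'], 'filtered_html', 'The node format was not changed by the unauthorized update');

  // Check that the format is allowed if the permission is present.
  $this->httpRequest($resource, 'PUT', $privileged_account, $json);
  $this->assertResponse('200');
  $node = node_load($nid, NULL, TRUE);
  $this->assertEqual($node->body[LANGUAGE_NONE][0]['value'], $new_body, 'The updated node body has the correct value');
  $this->assertEqual($node->body[LANGUAGE_NONE][0]['format'], 'php_code', 'The updated node has the correct format');
}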