function RestWSTestCase::testErrors in RESTful Web Services 7
Same name and namespace in other branches
- 7.2 restws.test \RestWSTestCase::testErrors()
Test requests to non-existing resources and other errors.
File
- ./
restws.test, line 252 - RESTful web services tests.
Class
- RestWSTestCase
- @file RESTful web services tests.
Code
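/**
 * Tests requests to non-existing resources and other error conditions.
 *
 * Covered cases:
 * - GET of a node id that does not exist must answer 404.
 * - POST (update) and PUT (create) carrying an unknown data property must be
 *   rejected with 406 and a body naming the offending property.
 * - A state-changing POST sent without the CSRF token must be rejected with
 *   403 and, more importantly, must leave the node unchanged in the database.
 * - Page-cache poisoning: with page caching enabled, a JSON representation
 *   must never end up being served at the node's HTML URL.
 */
function testErrors() {
  // Read a non-existing resource.
  // NOTE(review): rand(1, 1000) could collide with a node created earlier in
  // the same test environment; the check relies on the fresh SimpleTest
  // database holding no such node.
  $random_nid = rand(1, 1000);
  $this->httpRequest('node/' . $random_nid, 'GET');
  $this->assertResponse('404', 'HTTP response code is correct.');

  // Update a node with an unknown property.
  $account = $this->drupalCreateUser(array(
    'access content',
    'bypass node access',
    'access resource node',
  ));
  $node = $this->drupalCreateNode();
  $property_name = $this->randomName(8);
  $json = drupal_json_encode(array(
    $property_name => $property_name,
  ));
  $result = $this->httpRequest('node/' . $node->nid, 'POST', $account, $json);
  $this->assertEqual($result, "406 Not Acceptable: Unknown data property {$property_name}.", 'Response body is correct');
  $this->assertResponse('406', 'HTTP response code is correct.');

  // Create a node with an unknown property. The same unknown property name is
  // reused so the expected error body is identical to the update case.
  $new_node = array(
    'body' => array(
      LANGUAGE_NONE => array(
        array(),
      ),
    ),
    'title' => $this->randomName(8),
    'type' => 'page',
    'author' => $account->uid,
    $property_name => $property_name,
  );
  $json = drupal_json_encode($new_node);
  $result = $this->httpRequest('node', 'PUT', $account, $json);
  $this->assertEqual($result, "406 Not Acceptable: Unknown data property {$property_name}.", 'Response body is correct');
  $this->assertResponse('406', 'HTTP response code is correct.');

  // Simulate a CSRF attack without the required token: a raw POST issued
  // through the test's cURL session (so any session cookie is sent) but
  // without the CSRF token header that httpRequest() would normally supply.
  $new_title = 'HACKED!';
  $json = drupal_json_encode(array(
    'title' => $new_title,
  ));
  $this->curlExec(array(
    CURLOPT_HTTPGET => FALSE,
    CURLOPT_POST => TRUE,
    CURLOPT_CUSTOMREQUEST => 'POST',
    CURLOPT_POSTFIELDS => $json,
    CURLOPT_URL => url('node/' . $node->nid, array(
      'absolute' => TRUE,
    )),
    CURLOPT_NOBODY => FALSE,
    CURLOPT_HTTPHEADER => array(
      'Content-Type: application/json',
    ),
  ));
  $this->assertResponse(403);
  // The status code alone is not enough: reload the node bypassing the static
  // cache and verify the forged update did not reach the database.
  $node = node_load($node->nid, NULL, TRUE);
  $this->assertNotEqual($node->title, $new_title, 'Node title was not updated in the database.');

  // Simulate a cache poisoning attack where JSON could get into the page
  // cache. Drupal's page cache only applies to anonymous requests, so the
  // node resource is opened to anonymous users first.
  user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array(
    'access resource node',
  ));
  // Enable page caching.
  variable_set('cache', 1);
  // Reset cURL here to delete any stored request settings, presumably so the
  // following drupalGet() calls are plain anonymous, cacheable requests.
  unset($this->curlHandle);
  // Request the JSON representation of the node via the Accept header. The
  // expected behaviour is a redirect to the explicit .json URL, so that a
  // JSON body is never cached under the HTML URL node/{nid}.
  $this->drupalGet("node/{$node->nid}", array(), array(
    'Accept: application/json',
  ));
  $this->assertUrl("node/{$node->nid}.json", array(), 'Requesting a resource with JSON Accept header redirects to the .json URL.');
  // Now request the HTML representation of the same URL; neither the header
  // nor the body may come back as JSON.
  $result = $this->drupalGet("node/{$node->nid}");
  $content_type = $this->drupalGetHeader('content-type');
  $this->assertNotEqual($content_type, 'application/json', 'Content type header is not JSON after requesting HTML.');
  $this->assertNull(drupal_json_decode($result), 'Response body is not JSON after requesting HTML.');
}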