public function QuickEditLoadingTest::testUserWithoutPermission in Zircon Profile 8
Same name and namespace in other branches
- 8.0 core/modules/quickedit/src/Tests/QuickEditLoadingTest.php \Drupal\quickedit\Tests\QuickEditLoadingTest::testUserWithoutPermission()
Tests the loading of Quick Edit when a user does not have access to it: the Quick Edit library and in-place editors must not be attached to the page, and every Quick Edit endpoint (metadata, attachments, field form, entity save) must answer with an empty 403 response.
File
- core/modules/quickedit/src/Tests/QuickEditLoadingTest.php, line 96 - Contains \Drupal\quickedit\Tests\QuickEditLoadingTest.
Class
- QuickEditLoadingTest
- Tests loading of in-place editing functionality and lazy loading of its in-place editors.
Namespace
Drupal\quickedit\Tests
Code
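/**
 * Tests that Quick Edit is unavailable to a user who may not use it.
 *
 * Logs in as $this->authorUser (set up elsewhere in this class as a user
 * without in-place editing access), views node/1 and verifies that:
 * - the Quick Edit library and the 'form' in-place editor are not attached;
 * - the data-quickedit-* HTML annotations are still rendered (they are part
 *   of the cached render output and must not vary per user);
 * - every Quick Edit endpoint rejects the user with an empty 403 body, even
 *   when called directly with a hand-crafted request;
 * - a rejected field-form submission does not change the node body.
 */
public function testUserWithoutPermission() {
  $this->drupalLogin($this->authorUser);
  $this->drupalGet('node/1');

  // Library and in-place editors must not be attached for this user.
  $this->assertNoRaw('core/modules/quickedit/js/quickedit.js', 'Quick Edit library not loaded.');
  $this->assertNoRaw('core/modules/quickedit/js/editors/formEditor.js', "'form' in-place editor not loaded.");

  // HTML annotation must always exist (to not break the render cache).
  $this->assertRaw('data-quickedit-entity-id="node/1"');
  $this->assertRaw('data-quickedit-field-id="node/1/body/en/full"');

  // Shared request pieces for the endpoints exercised below.
  $field_id = 'node/1/body/en/full';
  $ajax_options = [
    'query' => [
      MainContentViewSubscriber::WRAPPER_FORMAT => 'drupal_ajax',
    ],
  ];

  // Retrieving the metadata should result in an empty 403 response.
  $response = $this->drupalPostWithFormat(Url::fromRoute('quickedit.metadata'), 'json', [
    'fields[0]' => $field_id,
  ]);
  $this->assertIdentical('{"message":""}', $response);
  $this->assertResponse(403);

  // Quick Edit's JavaScript would never hit these endpoints if the metadata
  // was empty as above, but we need to make sure that malicious users aren't
  // able to use any of the other endpoints either, so each one is called
  // directly with the same AJAX page state the client would send.

  // Attachments endpoint: loading the 'form' in-place editor's assets.
  $attachments_post = [
    'editors[0]' => 'form',
  ] + $this->getAjaxPageStatePostData();
  $response = $this->drupalPost('quickedit/attachments', '', $attachments_post, $ajax_options);
  $this->assertIdentical('{}', $response);
  $this->assertResponse(403);

  // Field form endpoint: retrieving the in-place editing form for the field.
  $form_post = [
    'nocssjs' => 'true',
  ] + $this->getAjaxPageStatePostData();
  $response = $this->drupalPost('quickedit/form/' . $field_id, '', $form_post, $ajax_options);
  $this->assertIdentical('{}', $response);
  $this->assertResponse(403);

  // Field form endpoint: submitting a field value. The form_token and
  // form_build_id below are not tied to a form this user ever built; the
  // route's access check is expected to reject the request (403) before any
  // form processing, so their validity must not matter.
  $submission = [];
  $submission['form_id'] = 'quickedit_field_form';
  $submission['form_token'] = 'xIOzMjuc-PULKsRn_KxFn7xzNk5Bx7XKXLfQfw1qOnA';
  $submission['form_build_id'] = 'form-kVmovBpyX-SJfTT5kY0pjTV35TV-znor--a64dEnMR8';
  $submission['body[0][summary]'] = '';
  $submission['body[0][value]'] = '<p>Malicious content.</p>';
  $submission['body[0][format]'] = 'filtered_html';
  $submission['op'] = t('Save');
  $response = $this->drupalPost('quickedit/form/' . $field_id, '', $submission, $ajax_options);
  $this->assertIdentical('{}', $response);
  $this->assertResponse(403);

  // Entity endpoint: saving the entity.
  $response = $this->drupalPostWithFormat('quickedit/entity/' . 'node/1', 'json', [
    'nocssjs' => 'true',
  ]);
  $this->assertIdentical('{"message":""}', $response);
  $this->assertResponse(403);

  // A 403 alone does not prove nothing was written: re-render the node and
  // confirm the rejected submission did not reach the stored body.
  $this->drupalGet('node/1');
  $this->assertResponse(200);
  $this->assertNoRaw('Malicious content.', 'Rejected Quick Edit submission did not modify the node body.');
}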