You are here

public function QuickEditLoadingTest::testUserWithoutPermission in Zircon Profile 8.0

Same name and namespace in other branches
  1. 8 core/modules/quickedit/src/Tests/QuickEditLoadingTest.php \Drupal\quickedit\Tests\QuickEditLoadingTest::testUserWithoutPermission()

Test the loading of Quick Edit when a user doesn't have access to it.

File

core/modules/quickedit/src/Tests/QuickEditLoadingTest.php, line 96
Contains \Drupal\quickedit\Tests\QuickEditLoadingTest.

Class

QuickEditLoadingTest
Tests loading of in-place editing functionality and lazy loading of its in-place editors.

Namespace

Drupal\quickedit\Tests

Code

public function testUserWithoutPermission() {
  $this
    ->drupalLogin($this->authorUser);
  $this
    ->drupalGet('node/1');

  // Library and in-place editors.
  $this
    ->assertNoRaw('core/modules/quickedit/js/quickedit.js', 'Quick Edit library not loaded.');
  $this
    ->assertNoRaw('core/modules/quickedit/js/editors/formEditor.js', "'form' in-place editor not loaded.");

  // HTML annotation must always exist (to not break the render cache).
  $this
    ->assertRaw('data-quickedit-entity-id="node/1"');
  $this
    ->assertRaw('data-quickedit-field-id="node/1/body/en/full"');

  // Retrieving the metadata should result in an empty 403 response.
  $post = array(
    'fields[0]' => 'node/1/body/en/full',
  );
  $response = $this
    ->drupalPostWithFormat(Url::fromRoute('quickedit.metadata'), 'json', $post);
  $this
    ->assertIdentical('{"message":""}', $response);
  $this
    ->assertResponse(403);

  // Quick Edit's JavaScript would SearchRankingTestnever hit these endpoints if the metadata
  // was empty as above, but we need to make sure that malicious users aren't
  // able to use any of the other endpoints either.
  $post = array(
    'editors[0]' => 'form',
  ) + $this
    ->getAjaxPageStatePostData();
  $response = $this
    ->drupalPost('quickedit/attachments', '', $post, [
    'query' => [
      MainContentViewSubscriber::WRAPPER_FORMAT => 'drupal_ajax',
    ],
  ]);
  $this
    ->assertIdentical('{}', $response);
  $this
    ->assertResponse(403);
  $post = array(
    'nocssjs' => 'true',
  ) + $this
    ->getAjaxPageStatePostData();
  $response = $this
    ->drupalPost('quickedit/form/' . 'node/1/body/en/full', '', $post, [
    'query' => [
      MainContentViewSubscriber::WRAPPER_FORMAT => 'drupal_ajax',
    ],
  ]);
  $this
    ->assertIdentical('{}', $response);
  $this
    ->assertResponse(403);
  $edit = array();
  $edit['form_id'] = 'quickedit_field_form';
  $edit['form_token'] = 'xIOzMjuc-PULKsRn_KxFn7xzNk5Bx7XKXLfQfw1qOnA';
  $edit['form_build_id'] = 'form-kVmovBpyX-SJfTT5kY0pjTV35TV-znor--a64dEnMR8';
  $edit['body[0][summary]'] = '';
  $edit['body[0][value]'] = '<p>Malicious content.</p>';
  $edit['body[0][format]'] = 'filtered_html';
  $edit['op'] = t('Save');
  $response = $this
    ->drupalPost('quickedit/form/' . 'node/1/body/en/full', '', $edit, [
    'query' => [
      MainContentViewSubscriber::WRAPPER_FORMAT => 'drupal_ajax',
    ],
  ]);
  $this
    ->assertIdentical('{}', $response);
  $this
    ->assertResponse(403);
  $post = array(
    'nocssjs' => 'true',
  );
  $response = $this
    ->drupalPostWithFormat('quickedit/entity/' . 'node/1', 'json', $post);
  $this
    ->assertIdentical('{"message":""}', $response);
  $this
    ->assertResponse(403);
}