function TriggeringElementTest::testAttemptAccessControlBypass in Zircon Profile 8
Same name and namespace in other branches
- 8.0 core/modules/system/src/Tests/Form/TriggeringElementTest.php \Drupal\system\Tests\Form\TriggeringElementTest::testAttemptAccessControlBypass()
Test that the triggering element does not get set to a button with #access=FALSE.
File
- core/modules/system/src/Tests/Form/TriggeringElementTest.php, line 78
- Contains \Drupal\system\Tests\Form\TriggeringElementTest.
Class
- TriggeringElementTest
- Tests that FAPI correctly determines the triggering element.
Namespace
Drupal\system\Tests\Form
Code
function testAttemptAccessControlBypass() {
  $path = 'form-test/clicked-button';
  $form_html_id = 'form-test-clicked-button';

  // Retrieve a form where 'button1' has #access=FALSE and 'button2' doesn't.
  $this->drupalGet($path . '/rs/s');

  // Submit the form with 'button1=button1' in the POST data, which someone
  // trying to get around security safeguards could easily do. We have to do
  // a little trickery here, to work around the safeguards in drupalPostForm(): by
  // renaming the text field that is in the form to 'button1', we can get the
  // data we want into \Drupal::request()->request.
  $elements = $this->xpath('//form[@id="' . $form_html_id . '"]//input[@name="text"]');
  $elements[0]['name'] = 'button1';
  $this->drupalPostForm(NULL, array(
    'button1' => 'button1',
  ), NULL, array(), array(), $form_html_id);

  // Ensure that the triggering element was not set to the restricted button.
  // Do this with both a negative and positive assertion, because negative
  // assertions alone can be brittle. See testNoButtonInfoInPost() for why the
  // triggering element gets set to 'button2'.
  $this->assertNoText('The clicked button is button1.', '$form_state->getTriggeringElement() not set to a restricted button.');
  $this->assertText('The clicked button is button2.', '$form_state->getTriggeringElement() not set to a restricted button.');
}
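
The server-side property this test checks, shown as an added example (a simplified model, not Drupal's own code): a button that the form definition marks #access=FALSE is never considered as the triggering element, even when the POST data names it. The function pickTriggeringElement(), the array layout and the fallback to the first accessible button are assumptions of this model.

```php
<?php
// Simplified model of server-side triggering-element selection.
// pickTriggeringElement() and the array layout are hypothetical, not Drupal's API.

/**
 * @param array $buttons Button definitions keyed by name, in form order.
 * @param array $post    Raw POST data as sent by the client.
 * @return string|null   Name of the button treated as clicked.
 */
function pickTriggeringElement(array $buttons, array $post): ?string {
  $candidates = [];
  foreach ($buttons as $name => $button) {
    // A button with #access === FALSE is never rendered, so input claiming
    // to come from it is ignored, whatever the POST body says.
    if (isset($button['#access']) && !$button['#access']) {
      continue;
    }
    $candidates[] = $name;
    // A button counts as clicked only if its name is present in the POST
    // data with the value the form definition expects.
    if (isset($post[$name]) && $post[$name] === $button['#value']) {
      return $name;
    }
  }
  // Assumption of this model: when no accessible button matched, fall back
  // to the first accessible one.
  return $candidates[0] ?? NULL;
}

// Constructed form definition mirroring the test: button1 is restricted.
$buttons = [
  'button1' => ['#value' => 'button1', '#access' => FALSE],
  'button2' => ['#value' => 'button2'],
];

// Constructed POST body: the client injects 'button1=button1'.
$forged = ['button1' => 'button1'];
$clicked = pickTriggeringElement($buttons, $forged);
printf("The clicked button is %s.\n", $clicked);

// For contrast, the flawed pattern the test guards against: deciding from
// the POST keys alone, without consulting #access in the form definition.
$naive = array_key_first(array_intersect_key($forged, $buttons));
printf("A handler that trusts POST alone would pick %s.\n", $naive);
```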