class FileFieldWidgetTest

Same name in this branch
  1. 9 core/modules/file/tests/src/FunctionalJavascript/FileFieldWidgetTest.php \Drupal\Tests\file\FunctionalJavascript\FileFieldWidgetTest
Same name in other branches
  1. 8.9.x core/modules/file/tests/src/FunctionalJavascript/FileFieldWidgetTest.php \Drupal\Tests\file\FunctionalJavascript\FileFieldWidgetTest
  2. 8.9.x core/modules/file/tests/src/Functional/FileFieldWidgetTest.php \Drupal\Tests\file\Functional\FileFieldWidgetTest
  3. 10 core/modules/file/tests/src/FunctionalJavascript/FileFieldWidgetTest.php \Drupal\Tests\file\FunctionalJavascript\FileFieldWidgetTest
  4. 10 core/modules/file/tests/src/Functional/FileFieldWidgetTest.php \Drupal\Tests\file\Functional\FileFieldWidgetTest
  5. 11.x core/modules/file/tests/src/FunctionalJavascript/FileFieldWidgetTest.php \Drupal\Tests\file\FunctionalJavascript\FileFieldWidgetTest
  6. 11.x core/modules/file/tests/src/Functional/FileFieldWidgetTest.php \Drupal\Tests\file\Functional\FileFieldWidgetTest

Tests the file field widget with public and private files.

@group file

Hierarchy

Expanded class hierarchy of FileFieldWidgetTest

File

core/modules/file/tests/src/Functional/FileFieldWidgetTest.php, line 23

Namespace

Drupal\Tests\file\Functional
View source
class FileFieldWidgetTest extends FileFieldTestBase {
    use CommentTestTrait;
    use FieldUiTestTrait;
    
    /**
     * {@inheritdoc}
     */
    protected static $modules = [
        'comment',
        'block',
    ];
    
    /**
     * {@inheritdoc}
     */
    protected $defaultTheme = 'stark';
    
    /**
     * {@inheritdoc}
     */
    protected function setUp() : void {
        parent::setUp();
        $this->drupalPlaceBlock('system_breadcrumb_block');
    }
    
    /**
     * Creates a temporary file, for a specific user.
     *
     * @param string $data
     *   A string containing the contents of the file.
     * @param \Drupal\user\UserInterface $user
     *   The user of the file owner.
     *
     * @return \Drupal\file\FileInterface
     *   A file object, or FALSE on error.
     */
    protected function createTemporaryFile($data, UserInterface $user = NULL) {
        
        /** @var \Drupal\file\FileRepositoryInterface $file_repository */
        $file_repository = \Drupal::service('file.repository');
        $file = $file_repository->writeData($data, "public://");
        if ($file) {
            if ($user) {
                $file->setOwner($user);
            }
            else {
                $file->setOwner($this->adminUser);
            }
            // Change the file status to be temporary.
            $file->setTemporary();
            // Save the changes.
            $file->save();
        }
        return $file;
    }
    
    /**
     * Tests upload and remove buttons for a single-valued File field.
     */
    public function testSingleValuedWidget() {
        $node_storage = $this->container
            ->get('entity_type.manager')
            ->getStorage('node');
        $type_name = 'article';
        $field_name = strtolower($this->randomMachineName());
        $this->createFileField($field_name, 'node', $type_name);
        $test_file = $this->getTestFile('text');
        // Create a new node with the uploaded file and ensure it got uploaded
        // successfully.
        $nid = $this->uploadNodeFile($test_file, $field_name, $type_name);
        $node = $node_storage->loadUnchanged($nid);
        $node_file = File::load($node->{$field_name}->target_id);
        $this->assertFileExists($node_file->getFileUri());
        // Ensure the file can be downloaded.
        $this->drupalGet($node_file->createFileUrl());
        $this->assertSession()
            ->statusCodeEquals(200);
        // Ensure the edit page has a remove button instead of an upload button.
        $this->drupalGet("node/{$nid}/edit");
        $this->assertSession()
            ->buttonNotExists('Upload');
        $this->assertSession()
            ->buttonExists('Remove');
        $this->submitForm([], 'Remove');
        // Ensure the page now has an upload button instead of a remove button.
        $this->assertSession()
            ->buttonNotExists('Remove');
        $this->assertSession()
            ->buttonExists('Upload');
        // Test label has correct 'for' attribute.
        $input = $this->assertSession()
            ->fieldExists("files[{$field_name}_0]");
        $this->assertSession()
            ->elementExists('xpath', '//label[@for="' . $input->getAttribute('id') . '"]');
        // Save the node and ensure it does not have the file.
        $this->submitForm([], 'Save');
        $node = $node_storage->loadUnchanged($nid);
        $this->assertEmpty($node->{$field_name}->target_id, 'File was successfully removed from the node.');
    }
    
    /**
     * Tests upload and remove buttons for multiple multi-valued File fields.
     */
    public function testMultiValuedWidget() {
        $node_storage = $this->container
            ->get('entity_type.manager')
            ->getStorage('node');
        $type_name = 'article';
        // Use explicit names instead of random names for those fields, because of a
        // bug in submitForm() with multiple file uploads in one form, where the
        // order of uploads depends on the order in which the upload elements are
        // added to the $form (which, in the current implementation of
        // FileStorage::listAll(), comes down to the alphabetical order on field
        // names).
        $field_name = 'test_file_field_1';
        $field_name2 = 'test_file_field_2';
        $cardinality = 3;
        $this->createFileField($field_name, 'node', $type_name, [
            'cardinality' => $cardinality,
        ]);
        $this->createFileField($field_name2, 'node', $type_name, [
            'cardinality' => $cardinality,
        ]);
        $test_file = $this->getTestFile('text');
        // Visit the node creation form, and upload 3 files for each field. Since
        // the field has cardinality of 3, ensure the "Upload" button is displayed
        // until after the 3rd file, and after that, isn't displayed. Because
        // SimpleTest triggers the last button with a given name, so upload to the
        // second field first.
        $this->drupalGet("node/add/{$type_name}");
        foreach ([
            $field_name2,
            $field_name,
        ] as $each_field_name) {
            for ($delta = 0; $delta < 3; $delta++) {
                $edit = [
                    'files[' . $each_field_name . '_' . $delta . '][]' => \Drupal::service('file_system')->realpath($test_file->getFileUri()),
                ];
                // If the Upload button doesn't exist, submitForm() will
                // automatically fail with an assertion message.
                $this->submitForm($edit, 'Upload');
            }
        }
        $this->assertSession()
            ->buttonNotExists('Upload');
        $num_expected_remove_buttons = 6;
        foreach ([
            $field_name,
            $field_name2,
        ] as $current_field_name) {
            // How many uploaded files for the current field are remaining.
            $remaining = 3;
            // Test clicking each "Remove" button. For extra robustness, test them out
            // of sequential order. They are 0-indexed, and get renumbered after each
            // iteration, so array(1, 1, 0) means:
            // - First remove the 2nd file.
            // - Then remove what is then the 2nd file (was originally the 3rd file).
            // - Then remove the first file.
            foreach ([
                1,
                1,
                0,
            ] as $delta) {
                // Ensure we have the expected number of Remove buttons, and that they
                // are numbered sequentially.
                $buttons = $this->xpath('//input[@type="submit" and @value="Remove"]');
                $this->assertCount($num_expected_remove_buttons, $buttons, new FormattableMarkup('There are %n "Remove" buttons displayed.', [
                    '%n' => $num_expected_remove_buttons,
                ]));
                foreach ($buttons as $i => $button) {
                    $key = $i >= $remaining ? $i - $remaining : $i;
                    $check_field_name = $field_name2;
                    if ($current_field_name == $field_name && $i < $remaining) {
                        $check_field_name = $field_name;
                    }
                    $this->assertSame($check_field_name . '_' . $key . '_remove_button', $button->getAttribute('name'));
                }
                // "Click" the remove button (emulating either a nojs or js submission).
                $button_name = $current_field_name . '_' . $delta . '_remove_button';
                $this->getSession()
                    ->getPage()
                    ->findButton($button_name)
                    ->press();
                $num_expected_remove_buttons--;
                $remaining--;
                // Ensure an "Upload" button for the current field is displayed with the
                // correct name.
                $upload_button_name = $current_field_name . '_' . $remaining . '_upload_button';
                $button = $this->assertSession()
                    ->buttonExists($upload_button_name);
                $this->assertSame('Upload', $button->getValue());
                // Ensure only at most one button per field is displayed.
                $expected = $current_field_name == $field_name ? 1 : 2;
                $this->assertSession()
                    ->elementsCount('xpath', '//input[@type="submit" and @value="Upload"]', $expected);
            }
        }
        // Ensure the page now has no Remove buttons.
        $this->assertSession()
            ->buttonNotExists('Remove');
        // Save the node and ensure it does not have any files.
        $this->submitForm([
            'title[0][value]' => $this->randomMachineName(),
        ], 'Save');
        preg_match('/node\\/([0-9])/', $this->getUrl(), $matches);
        $nid = $matches[1];
        $node = $node_storage->loadUnchanged($nid);
        $this->assertEmpty($node->{$field_name}->target_id, 'Node was successfully saved without any files.');
        // Try to upload more files than allowed on revision.
        $upload_files_node_revision = [
            $test_file,
            $test_file,
            $test_file,
            $test_file,
        ];
        foreach ($upload_files_node_revision as $i => $file) {
            $edit['files[test_file_field_1_0][' . $i . ']'] = \Drupal::service('file_system')->realpath($test_file->getFileUri());
        }
        // @todo: Replace after https://www.drupal.org/project/drupal/issues/2917885
        $this->drupalGet('node/' . $node->id() . '/edit');
        $this->assertSession()
            ->fieldExists('files[test_file_field_1_0][]');
        $submit_xpath = $this->assertSession()
            ->buttonExists('Save')
            ->getXpath();
        $client = $this->getSession()
            ->getDriver()
            ->getClient();
        $form = $client->getCrawler()
            ->filterXPath($submit_xpath)
            ->form();
        $client->request($form->getMethod(), $form->getUri(), $form->getPhpValues(), $edit);
        $node = $node_storage->loadUnchanged($nid);
        $this->assertCount($cardinality, $node->{$field_name}, 'More files than allowed could not be saved to node.');
        $upload_files_node_creation = [
            $test_file,
            $test_file,
        ];
        // Try to upload multiple files, but fewer than the maximum.
        $nid = $this->uploadNodeFiles($upload_files_node_creation, $field_name, $type_name, TRUE, []);
        $node = $node_storage->loadUnchanged($nid);
        $this->assertSameSize($upload_files_node_creation, $node->{$field_name}, 'Node was successfully saved with multiple files.');
        // Try to upload exactly the allowed number of files on revision.
        $this->uploadNodeFile($test_file, $field_name, $node->id(), 1, [], TRUE);
        $node = $node_storage->loadUnchanged($nid);
        $this->assertCount($cardinality, $node->{$field_name}, 'Node was successfully revised to maximum number of files.');
        // Try to upload exactly the allowed number of files, new node.
        $upload_files = [
            $test_file,
            $test_file,
            $test_file,
        ];
        $nid = $this->uploadNodeFiles($upload_files, $field_name, $type_name, TRUE, []);
        $node = $node_storage->loadUnchanged($nid);
        $this->assertCount($cardinality, $node->{$field_name}, 'Node was successfully saved with maximum number of files.');
    }
    
    /**
     * Tests a file field with a "Private files" upload destination setting.
     */
    public function testPrivateFileSetting() {
        $node_storage = $this->container
            ->get('entity_type.manager')
            ->getStorage('node');
        // Grant the admin user required permissions.
        user_role_grant_permissions($this->adminUser->roles[0]->target_id, [
            'administer node fields',
        ]);
        $type_name = 'article';
        $field_name = strtolower($this->randomMachineName());
        $this->createFileField($field_name, 'node', $type_name);
        $field = FieldConfig::loadByName('node', $type_name, $field_name);
        $field_id = $field->id();
        $test_file = $this->getTestFile('text');
        // Change the field setting to make its files private, and upload a file.
        $edit = [
            'settings[uri_scheme]' => 'private',
        ];
        $this->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}/storage");
        $this->submitForm($edit, 'Save field settings');
        $nid = $this->uploadNodeFile($test_file, $field_name, $type_name);
        $node = $node_storage->loadUnchanged($nid);
        $node_file = File::load($node->{$field_name}->target_id);
        $this->assertFileExists($node_file->getFileUri());
        // Ensure the private file is available to the user who uploaded it.
        $this->drupalGet($node_file->createFileUrl());
        $this->assertSession()
            ->statusCodeEquals(200);
        // Ensure we can't change 'uri_scheme' field settings while there are some
        // entities with uploaded files.
        $this->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}/storage");
        $this->assertSession()
            ->fieldDisabled("edit-settings-uri-scheme-public");
        // Delete node and confirm that setting could be changed.
        $node->delete();
        $this->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}/storage");
        $this->assertSession()
            ->fieldEnabled("edit-settings-uri-scheme-public");
    }
    
    /**
     * Tests that download restrictions on private files work on comments.
     */
    public function testPrivateFileComment() {
        $user = $this->drupalCreateUser([
            'access comments',
        ]);
        // Grant the admin user required comment permissions.
        $roles = $this->adminUser
            ->getRoles();
        user_role_grant_permissions($roles[1], [
            'administer comment fields',
            'administer comments',
        ]);
        // Revoke access comments permission from anon user, grant post to
        // authenticated.
        user_role_revoke_permissions(RoleInterface::ANONYMOUS_ID, [
            'access comments',
        ]);
        user_role_grant_permissions(RoleInterface::AUTHENTICATED_ID, [
            'post comments',
            'skip comment approval',
        ]);
        // Create a new field.
        $this->addDefaultCommentField('node', 'article');
        $name = strtolower($this->randomMachineName());
        $label = $this->randomMachineName();
        $storage_edit = [
            'settings[uri_scheme]' => 'private',
        ];
        $this->fieldUIAddNewField('admin/structure/comment/manage/comment', $name, $label, 'file', $storage_edit);
        // Manually clear cache on the tester side.
        \Drupal::service('entity_field.manager')->clearCachedFieldDefinitions();
        // Create node.
        $edit = [
            'title[0][value]' => $this->randomMachineName(),
        ];
        $this->drupalGet('node/add/article');
        $this->submitForm($edit, 'Save');
        $node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
        // Add a comment with a file.
        $text_file = $this->getTestFile('text');
        $edit = [
            'files[field_' . $name . '_' . 0 . ']' => \Drupal::service('file_system')->realpath($text_file->getFileUri()),
            'comment_body[0][value]' => $comment_body = $this->randomMachineName(),
        ];
        $this->drupalGet('node/' . $node->id());
        $this->submitForm($edit, 'Save');
        // Get the comment ID.
        preg_match('/comment-([0-9]+)/', $this->getUrl(), $matches);
        $cid = $matches[1];
        // Log in as normal user.
        $this->drupalLogin($user);
        $comment = Comment::load($cid);
        $comment_file = $comment->{'field_' . $name}->entity;
        $this->assertFileExists($comment_file->getFileUri());
        // Test authenticated file download.
        $url = $comment_file->createFileUrl();
        $this->assertNotNull($url, 'Confirmed that the URL is valid');
        $this->drupalGet($comment_file->createFileUrl());
        $this->assertSession()
            ->statusCodeEquals(200);
        // Ensure that the anonymous user cannot download the file.
        $this->drupalLogout();
        $this->drupalGet($comment_file->createFileUrl());
        $this->assertSession()
            ->statusCodeEquals(403);
        // Unpublishes node.
        $this->drupalLogin($this->adminUser);
        $edit = [
            'status[value]' => FALSE,
        ];
        $this->drupalGet('node/' . $node->id() . '/edit');
        $this->submitForm($edit, 'Save');
        // Ensures normal user can no longer download the file.
        $this->drupalLogin($user);
        $this->drupalGet($comment_file->createFileUrl());
        $this->assertSession()
            ->statusCodeEquals(403);
    }
    
    /**
     * Tests validation with the Upload button.
     */
    public function testWidgetValidation() {
        $type_name = 'article';
        $field_name = strtolower($this->randomMachineName());
        $this->createFileField($field_name, 'node', $type_name);
        $this->updateFileField($field_name, $type_name, [
            'file_extensions' => 'txt',
        ]);
        $type = 'nojs';
        // Create node and prepare files for upload.
        $node = $this->drupalCreateNode([
            'type' => 'article',
        ]);
        $nid = $node->id();
        $this->drupalGet("node/{$nid}/edit");
        $test_file_text = $this->getTestFile('text');
        $test_file_image = $this->getTestFile('image');
        $name = 'files[' . $field_name . '_0]';
        // Upload file with incorrect extension, check for validation error.
        $edit[$name] = \Drupal::service('file_system')->realpath($test_file_image->getFileUri());
        $this->submitForm($edit, 'Upload');
        $this->assertSession()
            ->pageTextContains("Only files with the following extensions are allowed: txt.");
        // Upload file with correct extension, check that error message is removed.
        $edit[$name] = \Drupal::service('file_system')->realpath($test_file_text->getFileUri());
        $this->submitForm($edit, 'Upload');
        $this->assertSession()
            ->pageTextNotContains("Only files with the following extensions are allowed: txt.");
    }
    
    /**
     * Tests file widget element.
     */
    public function testWidgetElement() {
        $field_name = mb_strtolower($this->randomMachineName());
        $html_name = str_replace('_', '-', $field_name);
        $this->createFileField($field_name, 'node', 'article', [
            'cardinality' => FieldStorageConfig::CARDINALITY_UNLIMITED,
        ]);
        $file = $this->getTestFile('text');
        $xpath = "//details[@data-drupal-selector='edit-{$html_name}']/table";
        $this->drupalGet('node/add/article');
        // If the field has no item, the table should not be visible.
        $this->assertSession()
            ->elementNotExists('xpath', $xpath);
        // Upload a file.
        $edit['files[' . $field_name . '_0][]'] = $this->container
            ->get('file_system')
            ->realpath($file->getFileUri());
        $this->submitForm($edit, "{$field_name}_0_upload_button");
        // If the field has at least one item, the table should be visible.
        $this->assertSession()
            ->elementsCount('xpath', $xpath, 1);
        // Test for AJAX error when using progress bar on file field widget.
        $http_client = $this->getHttpClient();
        $key = $this->randomMachineName();
        $post_request = $http_client->request('POST', $this->buildUrl('file/progress/' . $key), [
            'headers' => [
                'Accept' => 'application/json',
                'Content-Type' => 'application/x-www-form-urlencoded',
            ],
            'http_errors' => FALSE,
        ]);
        $this->assertNotEquals(500, $post_request->getStatusCode());
        $body = Json::decode($post_request->getBody());
        $this->assertStringContainsString('Starting upload...', $body['message']);
    }
    
    /**
     * Tests exploiting the temporary file removal of another user using fid.
     */
    public function testTemporaryFileRemovalExploit() {
        // Create a victim user.
        $victim_user = $this->drupalCreateUser();
        // Create an attacker user.
        $attacker_user = $this->drupalCreateUser([
            'access content',
            'create article content',
            'edit any article content',
        ]);
        // Log in as the attacker user.
        $this->drupalLogin($attacker_user);
        // Perform tests using the newly created users.
        $this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user);
    }
    
    /**
     * Tests exploiting the temporary file removal for anonymous users using fid.
     */
    public function testTemporaryFileRemovalExploitAnonymous() {
        // Set up an anonymous victim user.
        $victim_user = User::getAnonymousUser();
        // Set up an anonymous attacker user.
        $attacker_user = User::getAnonymousUser();
        // Set up permissions for anonymous attacker user.
        user_role_change_permissions(RoleInterface::ANONYMOUS_ID, [
            'access content' => TRUE,
            'create article content' => TRUE,
            'edit any article content' => TRUE,
        ]);
        // Log out so as to be the anonymous attacker user.
        $this->drupalLogout();
        // Perform tests using the newly set up anonymous users.
        $this->doTestTemporaryFileRemovalExploit($victim_user, $attacker_user);
    }
    
    /**
     * Tests maximum upload file size validation.
     */
    public function testMaximumUploadFileSizeValidation() {
        // Grant the admin user required permissions.
        user_role_grant_permissions($this->adminUser->roles[0]->target_id, [
            'administer node fields',
        ]);
        $type_name = 'article';
        $field_name = strtolower($this->randomMachineName());
        $this->createFileField($field_name, 'node', $type_name);
        
        /** @var \Drupal\Field\FieldConfigInterface $field */
        $field = FieldConfig::loadByName('node', $type_name, $field_name);
        $field_id = $field->id();
        $this->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}");
        // Tests that form validation trims the user input.
        $edit = [
            'settings[max_filesize]' => ' 5.1 megabytes ',
        ];
        $this->submitForm($edit, 'Save settings');
        $this->assertSession()
            ->pageTextContains('Saved ' . $field_name . ' configuration.');
        // Reload the field config to check for the saved value.
        
        /** @var \Drupal\Field\FieldConfigInterface $field */
        $field = FieldConfig::loadByName('node', $type_name, $field_name);
        $settings = $field->getSettings();
        $this->assertEquals('5.1 megabytes', $settings['max_filesize'], 'The max filesize value had been trimmed on save.');
    }
    
    /**
     * Tests configuring file field's allowed file extensions setting.
     */
    public function testFileExtensionsSetting() {
        // Grant the admin user required permissions.
        user_role_grant_permissions($this->adminUser->roles[0]->target_id, [
            'administer node fields',
        ]);
        $type_name = 'article';
        $field_name = strtolower($this->randomMachineName());
        $this->createFileField($field_name, 'node', $type_name);
        $field = FieldConfig::loadByName('node', $type_name, $field_name);
        $field_id = $field->id();
        // By default allowing .php files without .txt is not permitted.
        $this->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}");
        $edit = [
            'settings[file_extensions]' => 'jpg php',
        ];
        $this->submitForm($edit, 'Save settings');
        $this->assertSession()
            ->pageTextContains('Add txt to the list of allowed extensions to securely upload files with a php extension. The txt extension will then be added automatically.');
        // Test allowing .php and .txt.
        $edit = [
            'settings[file_extensions]' => 'jpg php txt',
        ];
        $this->submitForm($edit, 'Save settings');
        $this->assertSession()
            ->pageTextContains('Saved ' . $field_name . ' configuration.');
        // If the system is configured to allow insecure uploads, .txt is not
        // required when allowing .php.
        $this->config('system.file')
            ->set('allow_insecure_uploads', TRUE)
            ->save();
        $this->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}");
        $edit = [
            'settings[file_extensions]' => 'jpg php',
        ];
        $this->submitForm($edit, 'Save settings');
        $this->assertSession()
            ->pageTextContains('Saved ' . $field_name . ' configuration.');
        // Check that a file extension with an underscore can be configured.
        $edit = [
            'settings[file_extensions]' => 'x_t x.t xt x_y_t',
        ];
        $this->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}");
        $this->submitForm($edit, 'Save settings');
        $field = FieldConfig::loadByName('node', $type_name, $field_name);
        $this->assertEquals('x_t x.t xt x_y_t', $field->getSetting('file_extensions'));
        // Check that a file field with an invalid value in allowed extensions
        // property throws an error message.
        $invalid_extensions = [
            'x_.t',
            'x._t',
            'xt_',
            'x__t',
            '_xt',
        ];
        foreach ($invalid_extensions as $value) {
            $edit = [
                'settings[file_extensions]' => $value,
            ];
            $this->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_id}");
            $this->submitForm($edit, 'Save settings');
            $this->assertSession()
                ->pageTextContains("The list of allowed extensions is not valid. Allowed characters are a-z, 0-9, '.', and '_'. The first and last characters cannot be '.' or '_', and these two characters cannot appear next to each other. Separate extensions with a comma or space.");
        }
    }
    
    /**
     * Helper for testing exploiting the temporary file removal using fid.
     *
     * @param \Drupal\user\UserInterface $victim_user
     *   The victim user.
     * @param \Drupal\user\UserInterface $attacker_user
     *   The attacker user.
     */
    protected function doTestTemporaryFileRemovalExploit(UserInterface $victim_user, UserInterface $attacker_user) {
        $type_name = 'article';
        $field_name = 'test_file_field';
        $this->createFileField($field_name, 'node', $type_name);
        $test_file = $this->getTestFile('text');
        $type = 'no-js';
        // Create a temporary file owned by the victim user. This will be as if
        // they had uploaded the file, but not saved the node they were editing
        // or creating.
        $victim_tmp_file = $this->createTemporaryFile('some text', $victim_user);
        $victim_tmp_file = File::load($victim_tmp_file->id());
        $this->assertTrue($victim_tmp_file->isTemporary(), 'New file saved to disk is temporary.');
        $this->assertNotEmpty($victim_tmp_file->id(), 'New file has an fid.');
        $this->assertEquals($victim_user->id(), $victim_tmp_file->getOwnerId(), 'New file belongs to the victim.');
        // Have attacker create a new node with a different uploaded file and
        // ensure it got uploaded successfully.
        $edit = [
            'title[0][value]' => $type . '-title',
        ];
        // Attach a file to a node.
        $edit['files[' . $field_name . '_0]'] = $this->container
            ->get('file_system')
            ->realpath($test_file->getFileUri());
        $this->drupalGet(Url::fromRoute('node.add', [
            'node_type' => $type_name,
        ]));
        $this->submitForm($edit, 'Save');
        $node = $this->drupalGetNodeByTitle($edit['title[0][value]']);
        
        /** @var \Drupal\file\FileInterface $node_file */
        $node_file = File::load($node->{$field_name}->target_id);
        $this->assertFileExists($node_file->getFileUri());
        $this->assertEquals($attacker_user->id(), $node_file->getOwnerId(), 'New file belongs to the attacker.');
        // Ensure the file can be downloaded.
        $this->drupalGet($node_file->createFileUrl());
        $this->assertSession()
            ->statusCodeEquals(200);
        // "Click" the remove button (emulating either a nojs or js submission).
        // In this POST request, the attacker "guesses" the fid of the victim's
        // temporary file and uses that to remove this file.
        $this->drupalGet($node->toUrl('edit-form'));
        $file_id_field = $this->assertSession()
            ->hiddenFieldExists($field_name . '[0][fids]');
        $file_id_field->setValue((string) $victim_tmp_file->id());
        $this->submitForm([], 'Remove');
        // The victim's temporary file should not be removed by the attacker's
        // POST request.
        $this->assertFileExists($victim_tmp_file->getFileUri());
    }

}

Members

Title Sort descending Deprecated Modifiers Object type Summary Member alias Overriden Title Overrides
AssertLegacyTrait::assert Deprecated protected function
AssertLegacyTrait::assertCacheTag Deprecated protected function Asserts whether an expected cache tag was present in the last response.
AssertLegacyTrait::assertElementNotPresent Deprecated protected function Asserts that the element with the given CSS selector is not present.
AssertLegacyTrait::assertElementPresent Deprecated protected function Asserts that the element with the given CSS selector is present.
AssertLegacyTrait::assertEqual Deprecated protected function
AssertLegacyTrait::assertEscaped Deprecated protected function Passes if the raw text IS found escaped on the loaded page, fail otherwise.
AssertLegacyTrait::assertField Deprecated protected function Asserts that a field exists with the given name or ID.
AssertLegacyTrait::assertFieldById Deprecated protected function Asserts that a field exists with the given ID and value.
AssertLegacyTrait::assertFieldByName Deprecated protected function Asserts that a field exists with the given name and value.
AssertLegacyTrait::assertFieldByXPath Deprecated protected function Asserts that a field exists in the current page by the given XPath.
AssertLegacyTrait::assertFieldChecked Deprecated protected function Asserts that a checkbox field in the current page is checked.
AssertLegacyTrait::assertFieldsByValue Deprecated protected function Asserts that a field exists in the current page with a given Xpath result.
AssertLegacyTrait::assertHeader Deprecated protected function Checks that current response header equals value.
AssertLegacyTrait::assertIdentical Deprecated protected function
AssertLegacyTrait::assertIdenticalObject Deprecated protected function
AssertLegacyTrait::assertLink Deprecated protected function Passes if a link with the specified label is found.
AssertLegacyTrait::assertLinkByHref Deprecated protected function Passes if a link containing a given href (part) is found.
AssertLegacyTrait::assertNoCacheTag Deprecated protected function Asserts whether an expected cache tag was absent in the last response.
AssertLegacyTrait::assertNoEscaped Deprecated protected function Passes if the raw text is not found escaped on the loaded page.
AssertLegacyTrait::assertNoField Deprecated protected function Asserts that a field does NOT exist with the given name or ID.
AssertLegacyTrait::assertNoFieldById Deprecated protected function Asserts that a field does not exist with the given ID and value.
AssertLegacyTrait::assertNoFieldByName Deprecated protected function Asserts that a field does not exist with the given name and value.
AssertLegacyTrait::assertNoFieldByXPath Deprecated protected function Asserts that a field does not exist or its value does not match, by XPath.
AssertLegacyTrait::assertNoFieldChecked Deprecated protected function Asserts that a checkbox field in the current page is not checked.
AssertLegacyTrait::assertNoLink Deprecated protected function Passes if a link with the specified label is not found.
AssertLegacyTrait::assertNoLinkByHref Deprecated protected function Passes if a link containing a given href (part) is not found.
AssertLegacyTrait::assertNoOption Deprecated protected function Asserts that a select option does NOT exist in the current page.
AssertLegacyTrait::assertNoPattern Deprecated protected function Triggers a pass if the Perl regex pattern is not found in the raw content.
AssertLegacyTrait::assertNoRaw Deprecated protected function Passes if the raw text IS not found on the loaded page, fail otherwise.
AssertLegacyTrait::assertNotEqual Deprecated protected function
AssertLegacyTrait::assertNoText Deprecated protected function Passes if the page (with HTML stripped) does not contains the text.
AssertLegacyTrait::assertNotIdentical Deprecated protected function
AssertLegacyTrait::assertNoUniqueText Deprecated protected function Passes if the text is found MORE THAN ONCE on the text version of the page.
AssertLegacyTrait::assertOption Deprecated protected function Asserts that a select option in the current page exists.
AssertLegacyTrait::assertOptionByText Deprecated protected function Asserts that a select option with the visible text exists.
AssertLegacyTrait::assertOptionSelected Deprecated protected function Asserts that a select option in the current page is checked.
AssertLegacyTrait::assertPattern Deprecated protected function Triggers a pass if the Perl regex pattern is found in the raw content.
AssertLegacyTrait::assertRaw Deprecated protected function Passes if the raw text IS found on the loaded page, fail otherwise.
AssertLegacyTrait::assertResponse Deprecated protected function Asserts the page responds with the specified response code.
AssertLegacyTrait::assertText Deprecated protected function Passes if the page (with HTML stripped) contains the text.
AssertLegacyTrait::assertTextHelper Deprecated protected function Helper for assertText and assertNoText.
AssertLegacyTrait::assertTitle Deprecated protected function Pass if the page title is the given string.
AssertLegacyTrait::assertUniqueText Deprecated protected function Passes if the text is found ONLY ONCE on the text version of the page.
AssertLegacyTrait::assertUrl Deprecated protected function Passes if the internal browser&#039;s URL matches the given path.
AssertLegacyTrait::buildXPathQuery Deprecated protected function Builds an XPath query.
AssertLegacyTrait::constructFieldXpath Deprecated protected function Helper: Constructs an XPath for the given set of attributes and value.
AssertLegacyTrait::getAllOptions Deprecated protected function Get all option elements, including nested options, in a select.
AssertLegacyTrait::getRawContent Deprecated protected function Gets the current raw content.
AssertLegacyTrait::pass Deprecated protected function
AssertLegacyTrait::verbose Deprecated protected function
BlockCreationTrait::placeBlock protected function Creates a block instance based on default settings. Aliased as: drupalPlaceBlock
BrowserHtmlDebugTrait::$htmlOutputBaseUrl protected property The Base URI to use for links to the output files.
BrowserHtmlDebugTrait::$htmlOutputClassName protected property Class name for HTML output logging.
BrowserHtmlDebugTrait::$htmlOutputCounter protected property Counter for HTML output logging.
BrowserHtmlDebugTrait::$htmlOutputCounterStorage protected property Counter storage for HTML output logging.
BrowserHtmlDebugTrait::$htmlOutputDirectory protected property Directory name for HTML output logging.
BrowserHtmlDebugTrait::$htmlOutputEnabled protected property HTML output enabled.
BrowserHtmlDebugTrait::$htmlOutputFile protected property The file name to write the list of URLs to.
BrowserHtmlDebugTrait::$htmlOutputTestId protected property HTML output test ID.
BrowserHtmlDebugTrait::formatHtmlOutputHeaders protected function Formats HTTP headers as string for HTML output logging.
BrowserHtmlDebugTrait::getHtmlOutputHeaders protected function Returns headers in HTML output format. 1
BrowserHtmlDebugTrait::getResponseLogHandler protected function Provides a Guzzle middleware handler to log every response received.
BrowserHtmlDebugTrait::htmlOutput protected function Logs a HTML output message in a text file.
BrowserHtmlDebugTrait::initBrowserOutputFile protected function Creates the directory to store browser output.
BrowserTestBase::$baseUrl protected property The base URL.
BrowserTestBase::$configImporter protected property The config importer that can be used in a test.
BrowserTestBase::$customTranslations protected property An array of custom translations suitable for drupal_rewrite_settings().
BrowserTestBase::$mink protected property Mink session manager.
BrowserTestBase::$minkDefaultDriverArgs protected property Mink default driver params.
BrowserTestBase::$minkDefaultDriverClass protected property Mink class for the default driver to use. 1
BrowserTestBase::$originalContainer protected property The original container.
BrowserTestBase::$originalShutdownCallbacks protected property The original array of shutdown function callbacks.
BrowserTestBase::$preserveGlobalState protected property
BrowserTestBase::$profile protected property The profile to install as a basis for testing. 37
BrowserTestBase::$runTestInSeparateProcess protected property Browser tests are run in separate processes to prevent collisions between
code that may be loaded by tests.
BrowserTestBase::$timeLimit protected property Time limit in seconds for the test.
BrowserTestBase::$translationFilesDirectory protected property The translation file directory for the test environment.
BrowserTestBase::cleanupEnvironment protected function Clean up the Simpletest environment.
BrowserTestBase::config protected function Configuration accessor for tests. Returns non-overridden configuration.
BrowserTestBase::drupalGetHeader Deprecated protected function Gets the value of an HTTP response header.
BrowserTestBase::filePreDeleteCallback public static function Ensures test files are deletable.
BrowserTestBase::getDefaultDriverInstance protected function Gets an instance of the default Mink driver.
BrowserTestBase::getDrupalSettings protected function Gets the JavaScript drupalSettings variable for the currently-loaded page. 1
BrowserTestBase::getHttpClient protected function Obtain the HTTP client for the system under test.
BrowserTestBase::getMinkDriverArgs protected function Gets the Mink driver args from an environment variable. 1
BrowserTestBase::getOptions protected function Helper function to get the options of select field.
BrowserTestBase::getSession public function Returns Mink session.
BrowserTestBase::getSessionCookies protected function Get session cookies from current session.
BrowserTestBase::getTestMethodCaller protected function Retrieves the current calling line in the class under test. Overrides BrowserHtmlDebugTrait::getTestMethodCaller
BrowserTestBase::initFrontPage protected function Visits the front page when initializing Mink. 3
BrowserTestBase::initMink protected function Initializes Mink sessions. 1
BrowserTestBase::installDrupal public function Installs Drupal into the Simpletest site. 1
BrowserTestBase::registerSessions protected function Registers additional Mink sessions.
BrowserTestBase::setUpAppRoot protected function Sets up the root application path.
BrowserTestBase::setUpBeforeClass public static function 1
BrowserTestBase::tearDown protected function 3
BrowserTestBase::translatePostValues protected function Transforms a nested array into a flat array suitable for submitForm().
BrowserTestBase::xpath protected function Performs an xpath search on the contents of the internal browser.
BrowserTestBase::__sleep public function Prevents serializing any properties.
CommentTestTrait::addDefaultCommentField public function Adds the default comment field to an entity.
ConfigTestTrait::configImporter protected function Returns a ConfigImporter object to import test configuration.
ConfigTestTrait::copyConfig protected function Copies configuration objects from source storage to target storage.
ContentTypeCreationTrait::createContentType protected function Creates a custom content type based on default settings. Aliased as: drupalCreateContentType 1
ExtensionListTestTrait::getModulePath protected function Gets the path for the specified module.
ExtensionListTestTrait::getThemePath protected function Gets the path for the specified theme.
FieldUiTestTrait::fieldUIAddExistingField public function Adds an existing field through the Field UI.
FieldUiTestTrait::fieldUIAddNewField public function Creates a new field through the Field UI.
FieldUiTestTrait::fieldUIDeleteField public function Deletes a field through the Field UI.
FileFieldCreationTrait::attachFileField public function Attaches a file field to an entity.
FileFieldCreationTrait::createFileField public function Creates a new file field.
FileFieldTestBase::$adminUser protected property A user with administration permissions.
FileFieldTestBase::assertFileEntryExists public function Asserts that a file exists in the database.
FileFieldTestBase::assertFileEntryNotExists public function Asserts that a file does not exist in the database.
FileFieldTestBase::assertFileIsPermanent public function Asserts that a file&#039;s status is set to permanent in the database.
FileFieldTestBase::getLastFileId public function Retrieves the fid of the last inserted file.
FileFieldTestBase::getTestFile public function Retrieves a sample file of the specified type.
FileFieldTestBase::removeNodeFile public function Removes a file from a node.
FileFieldTestBase::replaceNodeFile public function Replaces a file within a node.
FileFieldTestBase::updateFileField public function Updates an existing file field with new settings.
FileFieldTestBase::uploadNodeFile public function Uploads a file to a node.
FileFieldTestBase::uploadNodeFiles public function Uploads multiple files to a node.
FileFieldWidgetTest::$defaultTheme protected property Overrides BrowserTestBase::$defaultTheme
FileFieldWidgetTest::$modules protected static property Overrides FileFieldTestBase::$modules
FileFieldWidgetTest::createTemporaryFile protected function Creates a temporary file, for a specific user.
FileFieldWidgetTest::doTestTemporaryFileRemovalExploit protected function Helper for testing exploiting the temporary file removal using fid.
FileFieldWidgetTest::setUp protected function Overrides FileFieldTestBase::setUp
FileFieldWidgetTest::testFileExtensionsSetting public function Tests configuring file field&#039;s allowed file extensions setting.
FileFieldWidgetTest::testMaximumUploadFileSizeValidation public function Tests maximum upload file size validation.
FileFieldWidgetTest::testMultiValuedWidget public function Tests upload and remove buttons for multiple multi-valued File fields.
FileFieldWidgetTest::testPrivateFileComment public function Tests that download restrictions on private files work on comments.
FileFieldWidgetTest::testPrivateFileSetting public function Tests a file field with a &quot;Private files&quot; upload destination setting.
FileFieldWidgetTest::testSingleValuedWidget public function Tests upload and remove buttons for a single-valued File field.
FileFieldWidgetTest::testTemporaryFileRemovalExploit public function Tests exploiting the temporary file removal of another user using fid.
FileFieldWidgetTest::testTemporaryFileRemovalExploitAnonymous public function Tests exploiting the temporary file removal for anonymous users using fid.
FileFieldWidgetTest::testWidgetElement public function Tests file widget element.
FileFieldWidgetTest::testWidgetValidation public function Tests validation with the Upload button.
FunctionalTestSetupTrait::$apcuEnsureUniquePrefix protected property The flag to set &#039;apcu_ensure_unique_prefix&#039; setting. 1
FunctionalTestSetupTrait::$classLoader protected property The class loader to use for installation and initialization of setup.
FunctionalTestSetupTrait::$rootUser protected property The &quot;#1&quot; admin user.
FunctionalTestSetupTrait::doInstall protected function Execute the non-interactive installer. 1
FunctionalTestSetupTrait::getDatabaseTypes protected function Returns all supported database driver installer objects.
FunctionalTestSetupTrait::initConfig protected function Initialize various configurations post-installation. 1
FunctionalTestSetupTrait::initKernel protected function Initializes the kernel after installation.
FunctionalTestSetupTrait::initSettings protected function Initialize settings created during install.
FunctionalTestSetupTrait::initUserSession protected function Initializes user 1 for the site to be installed.
FunctionalTestSetupTrait::installDefaultThemeFromClassProperty protected function Installs the default theme defined by `static::$defaultTheme` when needed.
FunctionalTestSetupTrait::installModulesFromClassProperty protected function Install modules defined by `static::$modules`. 1
FunctionalTestSetupTrait::installParameters protected function Returns the parameters that will be used when Simpletest installs Drupal. 8
FunctionalTestSetupTrait::prepareEnvironment protected function Prepares the current environment for running the test. 22
FunctionalTestSetupTrait::prepareRequestForGenerator protected function Creates a mock request and sets it on the generator.
FunctionalTestSetupTrait::prepareSettings protected function Prepares site settings and services before installation. 3
FunctionalTestSetupTrait::rebuildAll protected function Resets and rebuilds the environment after setup.
FunctionalTestSetupTrait::rebuildContainer protected function Rebuilds \Drupal::getContainer().
FunctionalTestSetupTrait::resetAll protected function Resets all data structures after having enabled new modules.
FunctionalTestSetupTrait::setContainerParameter protected function Changes parameters in the services.yml file.
FunctionalTestSetupTrait::setupBaseUrl protected function Sets up the base URL based upon the environment variable.
FunctionalTestSetupTrait::writeSettings protected function Rewrites the settings.php file of the test site. 1
NodeCreationTrait::createNode protected function Creates a node based on default settings. Aliased as: drupalCreateNode
NodeCreationTrait::getNodeByTitle public function Get a node from the database based on its title. Aliased as: drupalGetNodeByTitle
PhpUnitWarnings::$deprecationWarnings private static property Deprecation warnings from PHPUnit to raise with @trigger_error().
PhpUnitWarnings::addWarning public function Converts PHPUnit deprecation warnings to E_USER_DEPRECATED.
RandomGeneratorTrait::$randomGenerator protected property The random generator.
RandomGeneratorTrait::getRandomGenerator protected function Gets the random generator for the utility methods.
RandomGeneratorTrait::randomMachineName protected function Generates a unique random string containing letters and numbers. 1
RandomGeneratorTrait::randomObject public function Generates a random PHP object.
RandomGeneratorTrait::randomString public function Generates a pseudo-random string of ASCII characters of codes 32 to 126.
RandomGeneratorTrait::randomStringValidate public function Callback for random string validation.
RefreshVariablesTrait::refreshVariables protected function Refreshes in-memory configuration and state information. 1
SessionTestTrait::$sessionName protected property The name of the session cookie.
SessionTestTrait::generateSessionName protected function Generates a session cookie name.
SessionTestTrait::getSessionName protected function Returns the session name in use on the child site.
StorageCopyTrait::replaceStorageContents protected static function Copy the configuration from one storage to another and remove stale items.
TestFileCreationTrait::$generatedTestFiles protected property Whether the files were copied to the test files directory.
TestFileCreationTrait::compareFiles protected function Compares two files based on size and file name.
TestFileCreationTrait::generateFile public static function Generates a test file.
TestFileCreationTrait::getTestFiles protected function Gets a list of files that can be used in tests. Aliased as: drupalGetTestFiles
TestRequirementsTrait::checkModuleRequirements private function Checks missing module requirements.
TestRequirementsTrait::checkRequirements protected function Check module requirements for the Drupal use case.
TestRequirementsTrait::getDrupalRoot protected static function Returns the Drupal root directory.
TestSetupTrait::$configSchemaCheckerExclusions protected static property An array of config object names that are excluded from schema checking. 1
TestSetupTrait::$container protected property The dependency injection container used in the test.
TestSetupTrait::$databasePrefix protected property The database prefix of this test run.
TestSetupTrait::$kernel protected property The DrupalKernel instance used in the test.
TestSetupTrait::$originalSite protected property The site directory of the original parent site.
TestSetupTrait::$privateFilesDirectory protected property The private file directory for the test environment.
TestSetupTrait::$publicFilesDirectory protected property The public file directory for the test environment.
TestSetupTrait::$root protected property The app root.
TestSetupTrait::$siteDirectory protected property The site directory of this test run.
TestSetupTrait::$strictConfigSchema protected property Set to TRUE to strict check all configuration saved. 1
TestSetupTrait::$tempFilesDirectory protected property The temporary file directory for the test environment.
TestSetupTrait::$testId protected property The test run ID.
TestSetupTrait::changeDatabasePrefix protected function Changes the database connection to the prefixed one.
TestSetupTrait::getConfigSchemaExclusions protected function Gets the config schema exclusions for this test.
TestSetupTrait::getDatabaseConnection public static function Returns the database connection to the site running Simpletest.
TestSetupTrait::prepareDatabasePrefix protected function Generates a database prefix for running tests. 1
UiHelperTrait::$loggedInUser protected property The current user logged in using the Mink controlled browser.
UiHelperTrait::$maximumMetaRefreshCount protected property The number of meta refresh redirects to follow, or NULL if unlimited.
UiHelperTrait::$metaRefreshCount protected property The number of meta refresh redirects followed during ::drupalGet().
UiHelperTrait::assertSession public function Returns WebAssert object. 1
UiHelperTrait::buildUrl protected function Builds an absolute URL from a system path or a URL object.
UiHelperTrait::checkForMetaRefresh protected function Checks for meta refresh tag and if found call drupalGet() recursively.
UiHelperTrait::click protected function Clicks the element with the given CSS selector.
UiHelperTrait::clickLink protected function Follows a link by complete name.
UiHelperTrait::cssSelect protected function Searches elements using a CSS selector in the raw content.
UiHelperTrait::cssSelectToXpath protected function Translates a CSS expression to its XPath equivalent.
UiHelperTrait::drupalGet protected function Retrieves a Drupal path or an absolute path. 2
UiHelperTrait::drupalLogin protected function Logs in a user using the Mink controlled browser.
UiHelperTrait::drupalLogout protected function Logs a user out of the Mink controlled browser and confirms.
UiHelperTrait::drupalPostForm Deprecated protected function Executes a form submission.
UiHelperTrait::drupalUserIsLoggedIn protected function Returns whether a given user account is logged in.
UiHelperTrait::getAbsoluteUrl protected function Takes a path and returns an absolute path.
UiHelperTrait::getTextContent protected function Retrieves the plain-text content from the current page.
UiHelperTrait::getUrl protected function Get the current URL from the browser.
UiHelperTrait::isTestUsingGuzzleClient protected function Determines if test is using DrupalTestBrowser.
UiHelperTrait::prepareRequest protected function Prepare for a request to testing site. 1
UiHelperTrait::submitForm protected function Fills and submits a form.
UserCreationTrait::checkPermissions protected function Checks whether a given list of permission names is valid.
UserCreationTrait::createAdminRole protected function Creates an administrative role.
UserCreationTrait::createRole protected function Creates a role with specified permissions. Aliased as: drupalCreateRole
UserCreationTrait::createUser protected function Create a user with a given set of permissions. Aliased as: drupalCreateUser
UserCreationTrait::grantPermissions protected function Grant permissions to a user role.
UserCreationTrait::setCurrentUser protected function Switch the current logged in user.
UserCreationTrait::setUpCurrentUser protected function Creates a random user account and sets it as current user.
XdebugRequestTrait::extractCookiesFromRequest protected function Adds xdebug cookies, from request setup.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.