function TriggeringElementTest::testAttemptAccessControlBypass

Tests attempts to bypass access control.

Test that the triggering element does not get set to a button with #access=FALSE.

File

core/modules/system/tests/src/FunctionalJavascript/Form/TriggeringElementTest.php, line 89

Class

TriggeringElementTest

Tests that FAPI correctly determines the triggering element.

Namespace

Code

public function testAttemptAccessControlBypass() {
    $path = 'form-test/clicked-button';
    $form_html_id = 'form-test-clicked-button';
    // Retrieve a form where 'button1' has #access=FALSE and 'button2' doesn't.
    $this->drupalGet($path . '/rs/s');
    // Submit the form with 'button1=button1' in the POST data, which someone
    // trying to get around security safeguards could easily do. We have to do
    // a little trickery here, to work around the safeguards in submitForm()
    // by renaming the text field and value that is in the form to 'button1',
    // we can get the data we want into \Drupal::request()->request.
    $page = $this->getSession()
        ->getPage();
    $input = $page->find('css', 'input[name="text"]');
    $this->assertNotNull($input, 'text input located.');
    $input->setValue('name', 'button1');
    $input->setValue('value', 'button1');
    $this->xpath('//form[@id="' . $form_html_id . '"]//input[@type="submit"]')[0]
        ->click();
    // Ensure that the triggering element was not set to the restricted button.
    // Do this with both a negative and positive assertion, because negative
    // assertions alone can be brittle. See testNoButtonInfoInPost() for why the
    // triggering element gets set to 'button2'.
    $this->assertSession()
        ->pageTextNotContains('The clicked button is button1.');
    $this->assertSession()
        ->pageTextContains('The clicked button is button2.');
}