function RequestSanitizerTest::testRequestSanitizer

Same name and namespace in other branches
  1. 11.x core/tests/Drupal/FunctionalTests/HttpKernel/RequestSanitizerTest.php \Drupal\FunctionalTests\HttpKernel\RequestSanitizerTest::testRequestSanitizer()

Tests X-Http-Method-Override header handling.

Drupal checks the X-HTTP-Method-Override header directly and rejects any OPTIONS override. Symfony 8 silently ignores overrides to GET/HEAD/CONNECT/TRACE in getMethod(), so the page cache sees the original POST method (not cacheable).

File

core/tests/Drupal/FunctionalTests/HttpKernel/RequestSanitizerTest.php, line 39

Class

RequestSanitizerTest
Tests RequestSanitizerMiddleware.

Namespace

Drupal\FunctionalTests\HttpKernel

Code

public function testRequestSanitizer() : void {
  $url = new Url('system_test.method');
  $response = $this->makeApiRequest('GET', $url, []);
  $this->assertSame(200, $response->getStatusCode());
  $this->assertSame('GET', (string) $response->getBody());
  $response = $this->makeApiRequest('POST', $url, []);
  $this->assertSame(200, $response->getStatusCode());
  $this->assertSame('POST', (string) $response->getBody());
  // A POST with X-Http-Method-Override: GET is accepted and answered with a
  // 200. The header is ignored, so isMethodCacheable() sees POST.
  $request_options[RequestOptions::HEADERS] = [
    'X-Http-Method-Override' => 'GET',
  ];
  $response = $this->makeApiRequest('POST', $url, $request_options);
  $this->assertSame(200, $response->getStatusCode());
  $this->assertSame('POST', (string) $response->getBody());
  // A POST with X-Http-Method-Override: OPTIONS is rejected with a 400 by
  // the request sanitizer.
  $request_options[RequestOptions::HEADERS] = [
    'X-Http-Method-Override' => 'OPTIONS',
  ];
  $response = $this->makeApiRequest('POST', $url, $request_options);
  $this->assertSame(400, $response->getStatusCode());
  // Verify the result is the same after clearing the page cache.
  $this->rebuildAll();
  $request_options[RequestOptions::HEADERS] = [
    'X-Http-Method-Override' => 'GET',
  ];
  $response = $this->makeApiRequest('POST', $url, $request_options);
  $this->assertSame(200, $response->getStatusCode());
  $this->assertSame('POST', (string) $response->getBody());
  $request_options[RequestOptions::HEADERS] = [
    'X-Http-Method-Override' => 'OPTIONS',
  ];
  $response = $this->makeApiRequest('POST', $url, $request_options);
  $this->assertSame(400, $response->getStatusCode());
}
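
The method-resolution decision this test exercises can be modeled in a few lines. This is an added example, not Drupal or Symfony code: resolve_method(), IGNORED_OVERRIDES and the sample requests are hypothetical names and constructed data, and honoring other overrides such as PUT or DELETE on a POST is an assumption.

```php
<?php
declare(strict_types=1);

// Added illustration with hypothetical names; not Drupal or Symfony code.
const IGNORED_OVERRIDES = ['GET', 'HEAD', 'CONNECT', 'TRACE'];

/**
 * Returns the status, effective method and cacheability for one request.
 */
function resolve_method(string $real_method, array $headers): array {
  $headers = array_change_key_case($headers, CASE_LOWER);
  $real = strtoupper($real_method);
  $override = strtoupper(trim($headers['x-http-method-override'] ?? ''));

  // Step 1: read the header directly and refuse any OPTIONS override.
  if ($override === 'OPTIONS') {
    return ['status' => 400, 'method' => NULL, 'cacheable' => FALSE];
  }

  // Step 2: an override is only considered on POST, and one that names a
  // method in IGNORED_OVERRIDES is dropped, so the request stays a POST.
  $effective = $real;
  if ($real === 'POST' && $override !== ''
    && !in_array($override, IGNORED_OVERRIDES, TRUE)) {
    // Assumption: other overrides (for example PUT or DELETE) are honored.
    $effective = $override;
  }

  // Only GET and HEAD count as cacheable methods.
  $cacheable = in_array($effective, ['GET', 'HEAD'], TRUE);
  return ['status' => 200, 'method' => $effective, 'cacheable' => $cacheable];
}

// Constructed sample requests mirroring the cases in the test.
$cases = [
  ['GET', []],
  ['POST', []],
  ['POST', ['X-Http-Method-Override' => 'GET']],
  ['POST', ['X-Http-Method-Override' => 'OPTIONS']],
];
foreach ($cases as [$method, $headers]) {
  $r = resolve_method($method, $headers);
  printf("%-4s override=%-7s -> %d %s cacheable=%s\n", $method,
    $headers['X-Http-Method-Override'] ?? '-', $r['status'],
    $r['method'] ?? '-', $r['cacheable'] ? 'yes' : 'no');
}
```

The third case is the one the page cache depends on: the effective method stays POST, so the response is never treated as cacheable.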
