<?php
/**
* @file
* Tests for file.module.
*/
/**
* Provides methods specifically for testing File module's field handling.
*/
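class FileFieldTestCase extends DrupalWebTestCase {

  /**
   * A broadly privileged account created and logged in by setUp().
   *
   * @var object
   */
  protected $admin_user;

  /**
   * Sets up the test environment.
   *
   * Since this is a base class for many test cases, the modules to enable may
   * be passed either as a single array or as a variable number of string
   * arguments, mirroring DrupalWebTestCase::setUp(). The 'file' and
   * 'file_module_test' modules are always appended to the list.
   */
  function setUp() {
    $modules = func_get_args();
    // A lone array argument already is the module list.
    if (isset($modules[0]) && is_array($modules[0])) {
      $modules = $modules[0];
    }
    $modules[] = 'file';
    $modules[] = 'file_module_test';
    parent::setUp($modules);

    // Most tests in this file configure fields, edit nodes and change
    // permissions, so a broadly privileged account is logged in up front.
    // Tests that model a low-privilege actor (see the temporary file removal
    // tests further down) create their own accounts and log in as those.
    $this->admin_user = $this->drupalCreateUser(array('access content', 'access administration pages', 'administer site configuration', 'administer users', 'administer permissions', 'administer content types', 'administer nodes', 'bypass node access', 'administer fields'));
    $this->drupalLogin($this->admin_user);
  }

  /**
   * Retrieves a sample file of the specified type.
   *
   * The first file returned by drupalGetTestFiles() is used. A filesize
   * property is added so the object resembles one returned by file_load().
   *
   * @param $type_name
   *   The type of test file, for example 'text' or 'image'.
   * @param $size
   *   (optional) Size constraint passed through to drupalGetTestFiles().
   *
   * @return object
   *   A file object with at least uri and filesize properties.
   */
  function getTestFile($type_name, $size = NULL) {
    $candidates = $this->drupalGetTestFiles($type_name, $size);
    $file = current($candidates);
    $file->filesize = filesize($file->uri);
    return $file;
  }

  /**
   * Retrieves the fid of the last inserted file.
   *
   * fid is an auto-incrementing key, so in a single-threaded test run MAX(fid)
   * identifies the most recent insert. Returns 0 when {file_managed} is empty.
   *
   * @return int
   *   The highest fid in {file_managed}, or 0.
   */
  function getLastFileId() {
    $max_fid = db_query('SELECT MAX(fid) FROM {file_managed}')->fetchField();
    return (int) $max_fid;
  }

  /**
   * Creates a new file field and attaches it to a node type.
   *
   * @param $name
   *   The name of the new field (all lowercase), exclude the "field_" prefix.
   * @param $type_name
   *   The node type that this field will be added to.
   * @param $field_settings
   *   A list of field settings that will be added to the defaults. A
   *   'cardinality' key, if present and non-empty, also sets the field's
   *   cardinality (default 1).
   * @param $instance_settings
   *   A list of instance settings that will be added to the instance defaults.
   * @param $widget_settings
   *   A list of widget settings that will be added to the widget defaults.
   */
  function createFileField($name, $type_name, $field_settings = array(), $instance_settings = array(), $widget_settings = array()) {
    $cardinality = empty($field_settings['cardinality']) ? 1 : $field_settings['cardinality'];
    $field = array(
      'field_name' => $name,
      'type' => 'file',
      // The whole of $field_settings is passed along as settings, including
      // any 'cardinality' key; this matches the helper's historic behaviour.
      'settings' => array_merge(array(), $field_settings),
      'cardinality' => $cardinality,
    );
    field_create_field($field);
    $this->attachFileField($name, 'node', $type_name, $instance_settings, $widget_settings);
  }

  /**
   * Attaches a file field to an entity bundle using the file_generic widget.
   *
   * @param $name
   *   The name of the new field (all lowercase), exclude the "field_" prefix.
   * @param $entity_type
   *   The entity type this field will be added to.
   * @param $bundle
   *   The bundle this field will be added to.
   * @param $instance_settings
   *   A list of instance settings that will be added to the instance defaults.
   *   A truthy 'required' key makes the instance required.
   * @param $widget_settings
   *   A list of widget settings that will be added to the widget defaults.
   */
  function attachFileField($name, $entity_type, $bundle, $instance_settings = array(), $widget_settings = array()) {
    $instance = array(
      'field_name' => $name,
      'label' => $name,
      'entity_type' => $entity_type,
      'bundle' => $bundle,
      'required' => !empty($instance_settings['required']),
      'settings' => array_merge(array(), $instance_settings),
      'widget' => array(
        'type' => 'file_generic',
        'settings' => array_merge(array(), $widget_settings),
      ),
    );
    field_create_instance($instance);
  }

  /**
   * Updates an existing node file field instance with new settings.
   *
   * Existing instance and widget settings are kept; the passed settings
   * override matching keys.
   *
   * @param $name
   *   The field name.
   * @param $type_name
   *   The node type the instance is attached to.
   * @param $instance_settings
   *   Instance settings to merge over the current ones.
   * @param $widget_settings
   *   Widget settings to merge over the current ones.
   */
  function updateFileField($name, $type_name, $instance_settings = array(), $widget_settings = array()) {
    $instance = field_info_instance('node', $name, $type_name);
    $instance['settings'] = array_merge($instance['settings'], $instance_settings);
    $instance['widget']['settings'] = array_merge($instance['widget']['settings'], $widget_settings);
    field_update_instance($instance);
  }

  /**
   * Uploads a file to a node through the node edit form.
   *
   * @param $file
   *   A file object with a uri property.
   * @param $field_name
   *   The file field to upload into (delta 0, LANGUAGE_NONE).
   * @param $nid_or_type
   *   Either an existing node ID, or a node type; for a node type a new node
   *   is created first (with an extra revision, to better resemble a real
   *   site).
   * @param $new_revision
   *   Whether the upload should create a new node revision.
   * @param $extras
   *   Additional node properties passed to drupalCreateNode() when a new node
   *   is created.
   *
   * @return int
   *   The node ID the file was uploaded to.
   */
  function uploadNodeFile($file, $field_name, $nid_or_type, $new_revision = TRUE, $extras = array()) {
    $langcode = LANGUAGE_NONE;
    $edit = array(
      "title" => $this->randomName(),
      'revision' => (string) (int) $new_revision,
    );

    if (is_numeric($nid_or_type)) {
      $nid = $nid_or_type;
    }
    else {
      // Add a new node of the requested type.
      $extras['type'] = $nid_or_type;
      $node = $this->drupalCreateNode($extras);
      $nid = $node->nid;
      // Save at least one revision to better simulate a real site.
      $this->drupalCreateNode(get_object_vars($node));
      $node = node_load($nid, NULL, TRUE);
      $this->assertNotEqual($nid, $node->vid, 'Node revision exists.');
    }

    // Attach the file to the node via the widget's upload input.
    $edit['files[' . $field_name . '_' . $langcode . '_0]'] = drupal_realpath($file->uri);
    $this->drupalPost("node/$nid/edit", $edit, t('Save'));
    return $nid;
  }

  /**
   * Removes a file from a node via the widget's Remove button, then saves.
   *
   * Note that if replacing a file, it must first be removed then added again.
   *
   * @param $nid
   *   The node ID.
   * @param $new_revision
   *   Whether saving should create a new node revision.
   */
  function removeNodeFile($nid, $new_revision = TRUE) {
    $edit = array(
      'revision' => (string) (int) $new_revision,
    );
    $this->drupalPost('node/' . $nid . '/edit', array(), t('Remove'));
    $this->drupalPost(NULL, $edit, t('Save'));
  }

  /**
   * Replaces a file within a node: Remove, then upload the new file and save.
   *
   * @param $file
   *   The replacement file object (needs a uri property).
   * @param $field_name
   *   The file field (delta 0, LANGUAGE_NONE).
   * @param $nid
   *   The node ID.
   * @param $new_revision
   *   Whether saving should create a new node revision.
   */
  function replaceNodeFile($file, $field_name, $nid, $new_revision = TRUE) {
    $edit = array(
      'files[' . $field_name . '_' . LANGUAGE_NONE . '_0]' => drupal_realpath($file->uri),
      'revision' => (string) (int) $new_revision,
    );
    $this->drupalPost('node/' . $nid . '/edit', array(), t('Remove'));
    $this->drupalPost(NULL, $edit, t('Save'));
  }

  /**
   * Asserts that a file exists physically on disk.
   *
   * @param $file
   *   A file object with a uri property.
   * @param $message
   *   (optional) Assertion message.
   */
  function assertFileExists($file, $message = NULL) {
    if (!isset($message)) {
      $message = format_string('File %file exists on the disk.', array('%file' => $file->uri));
    }
    $this->assertTrue(is_file($file->uri), $message);
  }

  /**
   * Asserts that a file exists in the database at the expected URI.
   *
   * The file entity cache is reset first so a stale cached object cannot mask
   * a missing or changed row.
   *
   * @param $file
   *   A file object with fid and uri properties.
   * @param $message
   *   (optional) Assertion message.
   */
  function assertFileEntryExists($file, $message = NULL) {
    entity_get_controller('file')->resetCache();
    $db_file = file_load($file->fid);
    if (!isset($message)) {
      $message = format_string('File %file exists in database at the correct path.', array('%file' => $file->uri));
    }
    $this->assertEqual($db_file->uri, $file->uri, $message);
  }

  /**
   * Asserts that a file does not exist on disk.
   *
   * @param $file
   *   A file object with a uri property.
   * @param $message
   *   (optional) Assertion message. The default now describes the asserted
   *   condition (previously it read "exists", which misreported failures).
   */
  function assertFileNotExists($file, $message = NULL) {
    if (!isset($message)) {
      $message = format_string('File %file does not exist on the disk.', array('%file' => $file->uri));
    }
    $this->assertFalse(is_file($file->uri), $message);
  }

  /**
   * Asserts that a file does not exist in the database.
   *
   * @param $file
   *   A file object with fid and uri properties.
   * @param $message
   *   (optional) Assertion message. A default is now provided, consistent
   *   with the sibling assertions, and it describes the asserted condition.
   */
  function assertFileEntryNotExists($file, $message = NULL) {
    entity_get_controller('file')->resetCache();
    if (!isset($message)) {
      $message = format_string('File %file does not exist in the database.', array('%file' => $file->uri));
    }
    $this->assertFalse(file_load($file->fid), $message);
  }

  /**
   * Asserts that a file's status is set to permanent in the database.
   *
   * A loose comparison is used deliberately: status read back from the
   * database may be a string.
   *
   * @param $file
   *   A file object with status and uri properties.
   * @param $message
   *   (optional) Assertion message.
   */
  function assertFileIsPermanent($file, $message = NULL) {
    if (!isset($message)) {
      $message = format_string('File %file is permanent.', array('%file' => $file->uri));
    }
    $this->assertTrue($file->status == FILE_STATUS_PERMANENT, $message);
  }

  /**
   * Creates a temporary file, for a specific user.
   *
   * This deliberately re-assigns ownership after saving, so tests can model a
   * pending upload that belongs to someone other than the logged-in user
   * (for example the victim in the temporary file removal tests).
   *
   * @param string $data
   *   A string containing the contents of the file.
   * @param int $uid
   *   The user ID of the file owner. Defaults to the admin user's uid.
   *
   * @return object
   *   A file object, or FALSE on error.
   */
  function createTemporaryFile($data, $uid = NULL) {
    $file = file_save_data($data, NULL, NULL);
    if (!$file) {
      return $file;
    }
    $file->uid = isset($uid) ? $uid : $this->admin_user->uid;
    // Anything other than FILE_STATUS_PERMANENT is temporary; NULL is what
    // this helper has always written here (presumably stored as 0 by
    // file_save() — confirm against the schema if this is ever changed).
    $file->status = NULL;
    return file_save($file);
  }

}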
/**
* Tests adding a file to a non-node entity.
*/
class FileTaxonomyTermTestCase extends DrupalWebTestCase {

  /**
   * An account allowed to administer taxonomy; logged in by setUp().
   *
   * @var object
   */
  protected $admin_user;

  public static function getInfo() {
    return array(
      'name' => 'Taxonomy term file test',
      'description' => 'Tests adding a file to a non-node entity.',
      'group' => 'File',
    );
  }

  /**
   * Enables file and taxonomy, then logs in a taxonomy administrator.
   */
  public function setUp() {
    parent::setUp(array('file', 'taxonomy'));
    $permissions = array('access content', 'access administration pages', 'administer site configuration', 'administer taxonomy');
    $this->admin_user = $this->drupalCreateUser($permissions);
    $this->drupalLogin($this->admin_user);
  }

  /**
   * Creates a file field and attaches it to the "Tags" taxonomy vocabulary.
   *
   * @param $name
   *   The field name of the file field to create.
   * @param $uri_scheme
   *   The URI scheme to use for the file field (for example, "private" to
   *   create a field that stores private files or "public" to create a field
   *   that stores public files).
   */
  protected function createAttachFileField($name, $uri_scheme) {
    field_create_field(array(
      'field_name' => $name,
      'type' => 'file',
      'settings' => array(
        'uri_scheme' => $uri_scheme,
      ),
      'cardinality' => 1,
    ));

    // A single, optional instance on the 'tags' bundle with the default
    // file widget.
    field_create_instance(array(
      'field_name' => $name,
      'label' => 'File',
      'entity_type' => 'taxonomy_term',
      'bundle' => 'tags',
      'required' => FALSE,
      'settings' => array(),
      'widget' => array(
        'type' => 'file_generic',
        'settings' => array(),
      ),
    ));
  }

  /**
   * Tests that a public file can be attached to a taxonomy term.
   *
   * This is a regression test for https://www.drupal.org/node/2305017.
   */
  public function testTermFilePublic() {
    $this->_testTermFile('public');
  }

  /**
   * Tests that a private file can be attached to a taxonomy term.
   *
   * This is a regression test for https://www.drupal.org/node/2305017.
   */
  public function testTermFilePrivate() {
    $this->_testTermFile('private');
  }

  /**
   * Runs tests for attaching a file field to a taxonomy term.
   *
   * Creates a term with an uploaded file, then checks that the file stays
   * attached through a subsequent edit that does not touch the file.
   *
   * @param $uri_scheme
   *   The URI scheme to use for the file field, either "public" or "private".
   */
  protected function _testTermFile($uri_scheme) {
    $field_name = strtolower($this->randomName());
    $this->createAttachFileField($field_name, $uri_scheme);

    // Get a file to upload, with the filesize file_load() would report.
    $test_files = $this->drupalGetTestFiles('text');
    $file = current($test_files);
    $file->filesize = filesize($file->uri);

    $upload_input = 'files[' . $field_name . '_' . LANGUAGE_NONE . '_0]';
    $fid_input_name = $field_name . '[' . LANGUAGE_NONE . '][0][fid]';
    $fid_input_xpath = '//input[@type="hidden" and @name="' . $fid_input_name . '"]';

    // Create the term with the file attached.
    $edit = array(
      "name" => $this->randomName(),
    );
    $edit[$upload_input] = drupal_realpath($file->uri);
    $this->drupalPost("admin/structure/taxonomy/tags/add", $edit, t('Save'));

    // The newest term is the one just created.
    $tid = db_query_range('SELECT tid FROM {taxonomy_term_data} ORDER BY tid DESC', 0, 1)->fetchField();
    $terms = entity_load('taxonomy_term', array($tid));
    $fid = $terms[$tid]->{$field_name}[LANGUAGE_NONE][0]['fid'];

    // The uploaded file is referenced by the hidden fid input on the edit form.
    $this->drupalGet("taxonomy/term/$tid/edit");
    $this->assertFieldByXpath($fid_input_xpath, $fid, 'File is attached on edit form.');

    // Rename the term without touching the file.
    $rename = array(
      "name" => $this->randomName(),
    );
    $this->drupalPost("taxonomy/term/$tid/edit", $rename, t('Save'));

    // The file must still be referenced on the edit form.
    $this->drupalGet("taxonomy/term/$tid/edit");
    $this->assertFieldByXpath($fid_input_xpath, $fid, 'File is attached on edit form.');

    // ... and on the freshly loaded (cache-reset) term.
    $terms = entity_load('taxonomy_term', array($tid), array(), TRUE);
    $term = $terms[$tid];
    $this->assertTrue(!empty($term->{$field_name}[LANGUAGE_NONE]), 'Term has attached files.');
    $this->assertEqual($term->{$field_name}[LANGUAGE_NONE][0]['fid'], $fid, 'Same File ID is attached to the term.');
  }

}
/**
* Tests the 'managed_file' element type.
*
* @todo Create a FileTestCase base class and move FileFieldTestCase methods
* that aren't related to fields into it.
*/
class FileManagedFileElementTestCase extends FileFieldTestCase {

  public static function getInfo() {
    return array(
      'name' => 'Managed file element test',
      'description' => 'Tests the managed_file element type.',
      'group' => 'File',
    );
  }

  /**
   * Tests the managed_file element type.
   *
   * Uses the file_module_test form at file/test/{tree}/{extended}[/fid] and,
   * for every combination of $form['#tree'] and $element['#extended'], checks:
   * submission without a file; submission with a file but an invalid form
   * token (the upload must not be persisted); submission with a file via
   * Save alone; an empty submission that keeps a default file; and the
   * Upload / Remove buttons with and without Ajax.
   */
  function testManagedFile() {
    // $element['#size'] has to reach the child upload element.
    $this->drupalGet('file/test');
    $this->assertFieldByXpath('//input[@name="files[nested_file]" and @size="13"]', NULL, 'The custom #size attribute is passed to the child upload element.');

    foreach (array(0, 1) as $tree) {
      foreach (array(0, 1) as $extended) {
        $test_file = $this->getTestFile('text');
        $file_path = drupal_realpath($test_file->uri);
        $form_path = "file/test/$tree/$extended";
        $input_base_name = $tree ? 'nested_file' : 'file';
        $upload_input = 'files[' . $input_base_name . ']';
        $upload_button = $input_base_name . '_upload_button';
        $remove_button = $input_base_name . '_remove_button';
        $no_file_message = t('The file id is %fid.', array('%fid' => 0));

        // Nothing uploaded.
        $this->drupalPost($form_path, array(), t('Save'));
        $this->assertRaw($no_file_message, 'Submitted without a file.');

        // A file together with a bad form token: the token check must reject
        // the request before the upload becomes a managed file.
        $fid_before = $this->getLastFileId();
        $tampered = array(
          $upload_input => $file_path,
          'form_token' => 'invalid token',
        );
        $this->drupalPost($form_path, $tampered, t('Save'));
        $this->assertText('The form has become outdated. Copy any unsaved work in the form below');
        $this->assertEqual($fid_before, $this->getLastFileId(), 'File was not saved when uploaded with an invalid form token.');

        // A file submitted with Save directly, skipping the Upload button.
        $fid_before = $this->getLastFileId();
        $this->drupalPost($form_path, array($upload_input => $file_path), t('Save'));
        $saved_fid = $this->getLastFileId();
        $this->assertTrue($saved_fid > $fid_before, 'New file got saved.');
        $this->assertRaw(t('The file id is %fid.', array('%fid' => $saved_fid)), 'Submit handler has correct file info.');

        // An empty submission must keep the default file.
        $this->drupalPost("$form_path/$saved_fid", array(), t('Save'));
        $this->assertRaw(t('The file id is %fid.', array('%fid' => $saved_fid)), 'Empty submission did not change an existing file.');

        // Upload and Remove buttons, both without and with Ajax.
        foreach (array(FALSE, TRUE) as $ajax) {
          // Upload, then Save.
          $fid_before = $this->getLastFileId();
          $this->drupalGet($form_path);
          $upload = array($upload_input => $file_path);
          if ($ajax) {
            $this->drupalPostAJAX(NULL, $upload, $upload_button);
          }
          else {
            $this->drupalPost(NULL, $upload, t('Upload'));
          }
          $uploaded_fid = $this->getLastFileId();
          $this->assertTrue($uploaded_fid > $fid_before, 'New file got uploaded.');
          $this->drupalPost(NULL, array(), t('Save'));
          $this->assertRaw(t('The file id is %fid.', array('%fid' => $uploaded_fid)), 'Submit handler has correct file info.');

          // Remove, then Save.
          $this->drupalGet("$form_path/$uploaded_fid");
          if ($ajax) {
            $this->drupalPostAJAX(NULL, array(), $remove_button);
          }
          else {
            $this->drupalPost(NULL, array(), t('Remove'));
          }
          $this->drupalPost(NULL, array(), t('Save'));
          $this->assertRaw($no_file_message, 'Submission after file removal was successful.');

          // Upload, then Remove, then Save.
          $this->drupalGet($form_path);
          $upload = array($upload_input => $file_path);
          if ($ajax) {
            $this->drupalPostAJAX(NULL, $upload, $upload_button);
            $this->drupalPostAJAX(NULL, array(), $remove_button);
          }
          else {
            $this->drupalPost(NULL, $upload, t('Upload'));
            $this->drupalPost(NULL, array(), t('Remove'));
          }
          $this->drupalPost(NULL, array(), t('Save'));
          $this->assertRaw($no_file_message, 'Submission after file upload and removal was successful.');
        }
      }
    }
  }

}
/**
* Tests file field widget.
*/
class FileFieldWidgetTestCase extends FileFieldTestCase {
public static function getInfo() {
  $info = array();
  $info['name'] = 'File field widget test';
  $info['description'] = 'Tests the file field widget, single and multi-valued, with and without AJAX, with public and private files.';
  $info['group'] = 'File';
  return $info;
}
/**
* Tests upload and remove buttons for a single-valued File field.
*/
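function testSingleValuedWidget() {
  // Use 'page' instead of 'article', so that the 'article' image field does
  // not conflict with this test. If in the future the 'page' type gets its
  // own default file or image field, this test can be made more robust by
  // using a custom node type.
  $type_name = 'page';
  $field_name = strtolower($this->randomName());
  $this->createFileField($field_name, $type_name);
  $test_file = $this->getTestFile('text');

  foreach (array('nojs', 'js') as $type) {
    // Create a new node with the uploaded file and ensure it got uploaded
    // successfully.
    // @todo This only tests a 'nojs' submission, because drupalPostAJAX()
    //   does not yet support file uploads.
    $nid = $this->uploadNodeFile($test_file, $field_name, $type_name);
    $node = node_load($nid, NULL, TRUE);
    $node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
    $this->assertFileExists($node_file, 'New file saved to disk on node creation.');

    // Running field_attach_update() with a bare node stub (type and nid only,
    // no field values) must leave the file intact. The stub was previously
    // held in a variable named $field, which it is not.
    $node_stub = new stdClass();
    $node_stub->type = $type_name;
    $node_stub->nid = $nid;
    field_attach_update('node', $node_stub);
    $node = node_load($nid);
    $node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
    $this->assertFileExists($node_file, 'New file still saved to disk on field update.');

    // Ensure the file can be downloaded through its generated URL.
    $this->drupalGet(file_create_url($node_file->uri));
    $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');

    // A node that already has a file shows Remove, not Upload.
    $this->drupalGet("node/$nid/edit");
    $this->assertNoFieldByXPath('//input[@type="submit"]', t('Upload'), 'Node with file does not display the "Upload" button.');
    $this->assertFieldByXpath('//input[@type="submit"]', t('Remove'), 'Node with file displays the "Remove" button.');

    // "Click" the remove button (emulating either a nojs or js submission).
    if ($type == 'js') {
      $button = $this->xpath('//input[@type="submit" and @value="' . t('Remove') . '"]');
      $this->drupalPostAJAX(NULL, array(), array((string) $button[0]['name'] => (string) $button[0]['value']));
    }
    else {
      $this->drupalPost(NULL, array(), t('Remove'));
    }

    // The form now offers Upload instead of Remove.
    $this->assertNoFieldByXPath('//input[@type="submit"]', t('Remove'), 'After clicking the "Remove" button, it is no longer displayed.');
    $this->assertFieldByXpath('//input[@type="submit"]', t('Upload'), 'After clicking the "Remove" button, the "Upload" button is displayed.');

    // Save the node and ensure the file reference is gone.
    $this->drupalPost(NULL, array(), t('Save'));
    $node = node_load($nid, NULL, TRUE);
    $this->assertTrue(empty($node->{$field_name}[LANGUAGE_NONE][0]['fid']), 'File was successfully removed from the node.');
  }
}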
/**
* Tests that an authenticated attacker cannot remove another user's temporary file by submitting its fid.
*/
public function testTemporaryFileRemovalExploit() {
  // The victim needs no permissions: their temporary file is created for
  // them directly by the helper, as if they had uploaded it and not yet
  // saved the form.
  $victim_user = $this->drupalCreateUser();

  // The attacker only needs to create and edit page nodes; that is the path
  // through which the file widget's Remove button is reached.
  $attacker_permissions = array(
    'access content',
    'create page content',
    'edit any page content',
  );
  $attacker_user = $this->drupalCreateUser($attacker_permissions);
  $this->drupalLogin($attacker_user);

  $this->doTestTemporaryFileRemovalExploit($victim_user->uid, $attacker_user->uid);
}
/**
* Tests that an anonymous attacker cannot remove an anonymous user's temporary file by submitting its fid.
*/
public function testTemporaryFileRemovalExploitAnonymous() {
  // Victim and attacker are both anonymous (uid 0), so a check based purely
  // on file ownership cannot tell them apart; the removal must still be
  // refused.
  $anonymous_uid = 0;

  // Grant anonymous users the same capabilities the authenticated attacker
  // has in testTemporaryFileRemovalExploit().
  user_role_change_permissions(DRUPAL_ANONYMOUS_RID, array(
    'access content' => TRUE,
    'create page content' => TRUE,
    'edit any page content' => TRUE,
  ));

  // setUp() logged in the admin user; log out to act as anonymous.
  $this->drupalLogout();

  $this->doTestTemporaryFileRemovalExploit($anonymous_uid, $anonymous_uid);
}
/**
* Tests validation with the Upload button.
*/
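function testWidgetValidation() {
  $type_name = 'article';
  $field_name = strtolower($this->randomName());
  $this->createFileField($field_name, $type_name);
  // Restrict the instance to .txt uploads; the extension validator is what
  // this test exercises.
  $this->updateFileField($field_name, $type_name, array('file_extensions' => 'txt'));

  $upload_input = 'files[' . $field_name . '_' . LANGUAGE_NONE . '_0]';
  $error_message = t('Only files with the following extensions are allowed: %files-allowed.', array('%files-allowed' => 'txt'));

  foreach (array('nojs', 'js') as $type) {
    // Create node and prepare files for upload.
    $node = $this->drupalCreateNode(array('type' => 'article'));
    $this->drupalGet('node/' . $node->nid . '/edit');
    $test_file_text = $this->getTestFile('text');
    $test_file_image = $this->getTestFile('image');

    // First an image (disallowed extension, error expected), then a text
    // file (allowed, the error must disappear again).
    $attempts = array(
      array($test_file_image, TRUE),
      array($test_file_text, FALSE),
    );
    foreach ($attempts as $attempt) {
      list($upload_file, $expect_error) = $attempt;
      $edit = array($upload_input => drupal_realpath($upload_file->uri));

      // Press Upload, emulating either a nojs or js submission.
      if ($type == 'js') {
        $button = $this->xpath('//input[@type="submit" and @value="' . t('Upload') . '"]');
        $this->drupalPostAJAX(NULL, $edit, array((string) $button[0]['name'] => (string) $button[0]['value']));
      }
      else {
        $this->drupalPost(NULL, $edit, t('Upload'));
      }

      if ($expect_error) {
        $this->assertRaw($error_message, t('Validation error when file with wrong extension uploaded (JSMode=%type).', array('%type' => $type)));
      }
      else {
        $this->assertNoRaw($error_message, t('Validation error removed when file with correct extension uploaded (JSMode=%type).', array('%type' => $type)));
      }
    }
  }
}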
/**
* Helper asserting that another user's temporary file cannot be removed by submitting its fid.
*
* @param int $victim_uid
* The victim user ID.
* @param int $attacker_uid
* The attacker user ID.
*/
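protected function doTestTemporaryFileRemovalExploit($victim_uid, $attacker_uid) {
  // Use 'page' instead of 'article', so that the 'article' image field does
  // not conflict with this test. If in the future the 'page' type gets its
  // own default file or image field, this test can be made more robust by
  // using a custom node type.
  $type_name = 'page';
  $field_name = 'test_file_field';
  $this->createFileField($field_name, $type_name);
  $test_file = $this->getTestFile('text');
  $langcode = LANGUAGE_NONE;
  // The hidden input that carries the widget's current fid; this is what the
  // attacker tampers with.
  $fid_input = "{$field_name}[$langcode][0][fid]";

  foreach (array('nojs', 'js') as $type) {
    // Create a temporary file owned by the victim. This is as if they had
    // uploaded the file, but not saved the node they were editing or creating.
    $victim_tmp_file = $this->createTemporaryFile('some text', $victim_uid);
    $victim_tmp_file = file_load($victim_tmp_file->fid);
    $this->assertTrue($victim_tmp_file->status != FILE_STATUS_PERMANENT, 'New file saved to disk is temporary.');
    $this->assertFalse(empty($victim_tmp_file->fid), 'New file has a fid');
    $this->assertEqual($victim_uid, $victim_tmp_file->uid, 'New file belongs to the victim user');

    // Have the attacker create a node with their own uploaded file and ensure
    // it got uploaded successfully.
    // @todo Can we test AJAX? See https://www.drupal.org/node/2538260
    $edit = array(
      'title' => $type . '-title',
    );
    $edit['files[' . $field_name . '_' . $langcode . '_0]'] = drupal_realpath($test_file->uri);
    $this->drupalPost("node/add/$type_name", $edit, 'Save');
    $node = $this->drupalGetNodeByTitle($edit['title']);
    $node_file = file_load($node->{$field_name}[$langcode][0]['fid']);
    $this->assertFileExists($node_file, 'New file saved to disk on node creation.');
    $this->assertEqual($attacker_uid, $node_file->uid, 'New file belongs to the attacker.');

    // Ensure the attacker's own file can be downloaded.
    $this->drupalGet(file_create_url($node_file->uri));
    $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');

    // Tamper: on the attacker's own node edit form, overwrite the hidden fid
    // input with the victim's fid and "click" Remove (nojs or js). fids are
    // auto-incrementing integers, so "guessing" one is trivial.
    $tampered = array($fid_input => (string) $victim_tmp_file->fid);
    $this->drupalGet('node/' . $node->nid . '/edit');
    if ($type == 'js') {
      $button = $this->xpath('//input[@type="submit" and @value="Remove"]');
      $this->drupalPostAJAX(NULL, $tampered, array((string) $button[0]['name'] => (string) $button[0]['value']));
    }
    else {
      $this->drupalPost(NULL, $tampered, 'Remove');
    }

    // The attacker's request must not affect the victim's file, neither on
    // disk nor in {file_managed}. Checking only the disk would miss a removal
    // that deleted the database row but left the bytes behind.
    $this->assertFileExists($victim_tmp_file, 'Victim temporary file still exists on disk after the attacker\'s remove request.');
    $this->assertFileEntryExists($victim_tmp_file, 'Victim temporary file still exists in the database after the attacker\'s remove request.');
  }
}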
/**
* Tests upload and remove buttons for multiple multi-valued File fields.
*/
function testMultiValuedWidget() {
// Use 'page' instead of 'article', so that the 'article' image field does
// not conflict with this test. If in the future the 'page' type gets its
// own default file or image field, this test can be made more robust by
// using a custom node type.
$type_name = 'page';
$field_name = strtolower($this->randomName());
$field_name2 = strtolower($this->randomName());
$this->createFileField($field_name, $type_name, array('cardinality' => 3));
$this->createFileField($field_name2, $type_name, array('cardinality' => 3));
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
$field2 = field_info_field($field_name2);
$instance2 = field_info_instance('node', $field_name2, $type_name);
$test_file = $this->getTestFile('text');
foreach (array('nojs', 'js') as $type) {
// Visit the node creation form, and upload 3 files for each field. Since
// the field has cardinality of 3, ensure the "Upload" button is displayed
// until after the 3rd file, and after that, isn't displayed. Because
// SimpleTest triggers the last button with a given name, so upload to the
// second field first.
// @todo This is only testing a non-Ajax upload, because drupalPostAJAX()
// does not yet emulate jQuery's file upload.
//
$this->drupalGet("node/add/$type_name");
foreach (array($field_name2, $field_name) as $each_field_name) {
for ($delta = 0; $delta < 3; $delta++) {
$edit = array('files[' . $each_field_name . '_' . LANGUAGE_NONE . '_' . $delta . ']' => drupal_realpath($test_file->uri));
// If the Upload button doesn't exist, drupalPost() will automatically
// fail with an assertion message.
$this->drupalPost(NULL, $edit, t('Upload'));
}
}
$this->assertNoFieldByXpath('//input[@type="submit"]', t('Upload'), 'After uploading 3 files for each field, the "Upload" button is no longer displayed.');
$num_expected_remove_buttons = 6;
foreach (array($field_name, $field_name2) as $current_field_name) {
// How many uploaded files for the current field are remaining.
$remaining = 3;
// Test clicking each "Remove" button. For extra robustness, test them out
// of sequential order. They are 0-indexed, and get renumbered after each
// iteration, so array(1, 1, 0) means:
// - First remove the 2nd file.
// - Then remove what is then the 2nd file (was originally the 3rd file).
// - Then remove the first file.
foreach (array(1,1,0) as $delta) {
// Ensure we have the expected number of Remove buttons, and that they
// are numbered sequentially.
$buttons = $this->xpath('//input[@type="submit" and @value="Remove"]');
$this->assertTrue(is_array($buttons) && count($buttons) === $num_expected_remove_buttons, format_string('There are %n "Remove" buttons displayed (JSMode=%type).', array('%n' => $num_expected_remove_buttons, '%type' => $type)));
foreach ($buttons as $i => $button) {
$key = $i >= $remaining ? $i - $remaining : $i;
$check_field_name = $field_name2;
if ($current_field_name == $field_name && $i < $remaining) {
$check_field_name = $field_name;
}
$this->assertIdentical((string) $button['name'], $check_field_name . '_' . LANGUAGE_NONE . '_' . $key. '_remove_button');
}
// "Click" the remove button (emulating either a nojs or js submission).
$button_name = $current_field_name . '_' . LANGUAGE_NONE . '_' . $delta . '_remove_button';
switch ($type) {
case 'nojs':
// drupalPost() takes a $submit parameter that is the value of the
// button whose click we want to emulate. Since we have multiple
// buttons with the value "Remove", and want to control which one we
// use, we change the value of the other ones to something else.
// Since non-clicked buttons aren't included in the submitted POST
// data, and since drupalPost() will result in $this being updated
// with a newly rebuilt form, this doesn't cause problems.
foreach ($buttons as $button) {
if ($button['name'] != $button_name) {
$button['value'] = 'DUMMY';
}
}
$this->drupalPost(NULL, array(), t('Remove'));
break;
case 'js':
// drupalPostAJAX() lets us target the button precisely, so we don't
// require the workaround used above for nojs.
$this->drupalPostAJAX(NULL, array(), array($button_name => t('Remove')));
break;
}
$num_expected_remove_buttons--;
$remaining--;
// Ensure an "Upload" button for the current field is displayed with the
// correct name.
$upload_button_name = $current_field_name . '_' . LANGUAGE_NONE . '_' . $remaining . '_upload_button';
$buttons = $this->xpath('//input[@type="submit" and @value="Upload" and @name=:name]', array(':name' => $upload_button_name));
$this->assertTrue(is_array($buttons) && count($buttons) == 1, format_string('The upload button is displayed with the correct name (JSMode=%type).', array('%type' => $type)));
// Ensure only at most one button per field is displayed.
$buttons = $this->xpath('//input[@type="submit" and @value="Upload"]');
$expected = $current_field_name == $field_name ? 1 : 2;
$this->assertTrue(is_array($buttons) && count($buttons) == $expected, format_string('After removing a file, only one "Upload" button for each possible field is displayed (JSMode=%type).', array('%type' => $type)));
}
}
// Ensure the page now has no Remove buttons.
$this->assertNoFieldByXPath('//input[@type="submit"]', t('Remove'), format_string('After removing all files, there is no "Remove" button displayed (JSMode=%type).', array('%type' => $type)));
// Save the node and ensure it does not have any files.
$this->drupalPost(NULL, array('title' => $this->randomName()), t('Save'));
$matches = array();
preg_match('/node\/([0-9]+)/', $this->getUrl(), $matches);
$nid = $matches[1];
$node = node_load($nid, NULL, TRUE);
$this->assertTrue(empty($node->{$field_name}[LANGUAGE_NONE][0]['fid']), 'Node was successfully saved without any files.');
}
}
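/**
 * Tests a file field with a "Private files" upload destination setting.
 *
 * Covers three expectations for the private scheme:
 * - A file uploaded through the field lands under the private scheme and is
 *   served to the user who uploaded it.
 * - The upload destination setting is locked while an entity still holds a
 *   file in the field.
 * - The setting becomes editable again once that entity is deleted.
 */
function testPrivateFileSetting() {
  // Use 'page' instead of 'article', so that the 'article' image field does
  // not conflict with this test. If in the future the 'page' type gets its
  // own default file or image field, this test can be made more robust by
  // using a custom node type.
  $type_name = 'page';
  $field_name = strtolower($this->randomName());
  $this->createFileField($field_name, $type_name);
  $test_file = $this->getTestFile('text');
  // The same settings form is visited three times below.
  $settings_path = "admin/structure/types/manage/$type_name/fields/$field_name";

  // Change the field setting to make its files private, and upload a file.
  $edit = array('field[settings][uri_scheme]' => 'private');
  $this->drupalPost($settings_path, $edit, t('Save settings'));
  $nid = $this->uploadNodeFile($test_file, $field_name, $type_name);
  $node = node_load($nid, NULL, TRUE);
  $node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
  $this->assertFileExists($node_file, 'New file saved to disk on node creation.');
  // A successful download alone would also pass for a public file, so check
  // that the stored URI really uses the private scheme.
  $this->assertIdentical(file_uri_scheme($node_file->uri), 'private', 'Uploaded file was stored under the private scheme.');

  // Ensure the private file is available to the user who uploaded it.
  $this->drupalGet(file_create_url($node_file->uri));
  $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');

  // Ensure we can't change 'uri_scheme' field settings while there are some
  // entities with uploaded files.
  $this->drupalGet($settings_path);
  $this->assertFieldByXpath('//input[@id="edit-field-settings-uri-scheme-public" and @disabled="disabled"]', 'public', 'Upload destination setting disabled.');

  // Delete node and confirm that setting could be changed.
  node_delete($nid);
  $this->drupalGet($settings_path);
  $this->assertFieldByXpath('//input[@id="edit-field-settings-uri-scheme-public" and not(@disabled)]', 'public', 'Upload destination setting enabled.');
}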
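/**
 * Tests that download restrictions on private files work on comments.
 *
 * A private file attached to a comment is expected to be served only to
 * users who may view that comment: a user with 'access comments' can
 * download it while the host node is published, an anonymous user without
 * that permission gets a 403, and after the host node is unpublished the
 * regular user gets a 403 as well.
 */
function testPrivateFileComment() {
  $user = $this->drupalCreateUser(array('access comments'));

  // Remove access comments permission from anon user.
  $edit = array(
    DRUPAL_ANONYMOUS_RID . '[access comments]' => FALSE,
  );
  $this->drupalPost('admin/people/permissions', $edit, t('Save permissions'));

  // Create a new file field on article comments through the UI and switch
  // its upload destination to the private scheme.
  $name = strtolower($this->randomName());
  $edit = array(
    'fields[_add_new_field][label]' => $this->randomName(),
    'fields[_add_new_field][field_name]' => $name,
    'fields[_add_new_field][type]' => 'file',
    'fields[_add_new_field][widget_type]' => 'file_generic',
  );
  $this->drupalPost('admin/structure/types/manage/article/comment/fields', $edit, t('Save'));
  $edit = array('field[settings][uri_scheme]' => 'private');
  $this->drupalPost(NULL, $edit, t('Save field settings'));
  $this->drupalPost(NULL, array(), t('Save settings'));

  // Create the host node and remember its ID from the resulting URL; it is
  // needed to unpublish the node later in this test.
  $edit = array(
    'title' => $this->randomName(),
  );
  $this->drupalPost('node/add/article', $edit, t('Save'));
  $matches = array();
  preg_match('/node\/([0-9]+)/', $this->getUrl(), $matches);
  $nid = $matches[1];

  // Add a comment with a file.
  $text_file = $this->getTestFile('text');
  $edit = array(
    'files[field_' . $name . '_' . LANGUAGE_NONE . '_' . 0 . ']' => drupal_realpath($text_file->uri),
    'comment_body[' . LANGUAGE_NONE . '][0][value]' => $this->randomName(),
  );
  $this->drupalPost(NULL, $edit, t('Save'));

  // Get the comment ID.
  $matches = array();
  preg_match('/comment-([0-9]+)/', $this->getUrl(), $matches);
  $cid = $matches[1];

  // Log in as normal user.
  $this->drupalLogin($user);

  $comment = comment_load($cid);
  $comment_file = (object) $comment->{'field_' . $name}[LANGUAGE_NONE][0];
  $this->assertFileExists($comment_file, 'New file saved to disk on comment creation.');

  // Test authenticated file download.
  $url = file_create_url($comment_file->uri);
  $this->assertNotEqual($url, NULL, 'Confirmed that the URL is valid');
  $this->drupalGet($url);
  $this->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');

  // Test anonymous file download. Anonymous users lost 'access comments'
  // above, so the private file must not be served to them.
  $this->drupalLogout();
  $this->drupalGet($url);
  $this->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.');

  // Unpublish the host node.
  $this->drupalLogin($this->admin_user);
  $edit = array(
    'status' => FALSE,
  );
  $this->drupalPost('node/' . $nid . '/edit', $edit, t('Save'));

  // Ensures normal user can no longer download the file.
  $this->drupalLogin($user);
  $this->drupalGet($url);
  $this->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.');
}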
}
/**
* Tests file handling with node revisions.
*/
class FileFieldRevisionTestCase extends FileFieldTestCase {
/**
 * Describes this test case to the SimpleTest runner.
 *
 * @return array
 *   The 'name', 'description' and 'group' shown on the test listing.
 */
public static function getInfo() {
  $info = array();
  $info['name'] = 'File field revision test';
  $info['description'] = 'Test creating and deleting revisions with files attached.';
  $info['group'] = 'File';
  return $info;
}
/**
* Tests creating multiple revisions of a node and managing attached files.
*
* Expected behaviors:
* - Adding a new revision will make another entry in the field table, but
* the original file will not be duplicated.
* - Deleting a revision should not delete the original file if the file
* is in use by another revision.
* - When the last revision that uses a file is deleted, the original file
* should be deleted also.
*/
function testRevisions() {
$type_name = 'article';
$field_name = strtolower($this->randomName());
$this->createFileField($field_name, $type_name);
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
// Attach the same fields to users.
$this->attachFileField($field_name, 'user', 'user');
$test_file = $this->getTestFile('text');
// Create a new node with the uploaded file.
$nid = $this->uploadNodeFile($test_file, $field_name, $type_name);
// Check that the file exists on disk and in the database.
$node = node_load($nid, NULL, TRUE);
$node_file_r1 = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$node_vid_r1 = $node->vid;
$this->assertFileExists($node_file_r1, 'New file saved to disk on node creation.');
$this->assertFileEntryExists($node_file_r1, 'File entry exists in database on node creation.');
$this->assertFileIsPermanent($node_file_r1, 'File is permanent.');
// Upload another file to the same node in a new revision.
$this->replaceNodeFile($test_file, $field_name, $nid);