form.test FormsTriggeringElementTestCase::testAttemptAccessControlBypass()

Test that $form_state['triggering_element'] does not get set to a button with #access=FALSE.

File: core/modules/simpletest/tests/form.test, line 1924
Unit tests for the Backdrop Form API.

Class: FormsTriggeringElementTestCase
Test that FAPI correctly determines $form_state['triggering_element'].

function testAttemptAccessControlBypass() {
  $path = 'form-test/clicked-button';
  $form_html_id = 'form-test-clicked-button';

  // Retrieve a form where 'button1' has #access=FALSE and 'button2' doesn't.
  $this->backdropGet($path . '/rs/s');

  // Submit the form with 'button1=button1' in the POST data, which someone
  // trying to get around security safeguards could do. We have to do a little
  // trickery here, to work around the safeguards in backdropPost(): by
  // renaming the text field that is in the form to 'button1', we can get the
  // data we want into $_POST.
  $elements = $this->xpath('//form[@id="' . $form_html_id . '"]//input[@name="text"]');
  $elements[0]['name'] = 'button1';
  $this->backdropPost(NULL, array('button1' => 'button1'), NULL, array(), array(), $form_html_id);

  // Ensure that $form_state['triggering_element'] was not set to the
  // restricted button. Do this with both a negative and positive assertion,
  // because negative assertions alone can be brittle. See
  // testNoButtonInfoInPost() for why the triggering element gets set to
  // 'button2'.
  $this->assertNoText('The clicked button is button1.', '$form_state[\'triggering_element\'] not set to a restricted button.');
  $this->assertText('The clicked button is button2.', '$form_state[\'triggering_element\'] not set to a restricted button.');
}
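To make the safeguard this test exercises concrete, the following is a simplified model of how the triggering element can be chosen so that a restricted button is never selected and the first accessible button is used as the fallback. It is an added example, not Backdrop's own form_builder() code; the determine_triggering_element() function, the array shapes and the sample buttons are constructed for illustration.

```php
<?php
// Added example, not Backdrop's own form_builder() code: a simplified model of
// choosing $form_state['triggering_element'] so that a button carrying
// #access => FALSE can never be selected, even when its name/value pair is
// placed into the POST data as the test above does.

/**
 * Returns the button that triggered the submission, or NULL if none is
 * accessible. $buttons are form elements with '#name', '#value' and an
 * optional '#access'; $input holds the submitted name => value pairs.
 */
function determine_triggering_element(array $buttons, array $input) {
  $first_accessible = NULL;
  foreach ($buttons as $button) {
    // Restricted buttons are never candidates, whatever the input says.
    if (isset($button['#access']) && $button['#access'] === FALSE) {
      continue;
    }
    if ($first_accessible === NULL) {
      $first_accessible = $button;
    }
    // A real browser click sends exactly name=value for the clicked button.
    if (isset($input[$button['#name']]) && $input[$button['#name']] === $button['#value']) {
      return $button;
    }
  }
  // No accessible button matched (the form was submitted with the Enter key,
  // or the input only named a restricted button): default to the first
  // accessible button, which is why the test above ends up with 'button2'.
  return $first_accessible;
}

// Constructed sample form: 'button1' is restricted, 'button2' is not.
$buttons = array(
  array('#name' => 'button1', '#value' => 'button1', '#access' => FALSE),
  array('#name' => 'button2', '#value' => 'button2'),
);

// Input of the kind the test submits: only the restricted button is named.
$chosen = determine_triggering_element($buttons, array('button1' => 'button1'));
echo 'The clicked button is ' . $chosen['#name'] . ".\n";

// Input from a legitimate click on the accessible button.
$chosen = determine_triggering_element($buttons, array('button2' => 'button2'));
echo 'The clicked button is ' . $chosen['#name'] . ".\n";
```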