author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2008-10-10 07:49:49 +0000 |
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2008-10-10 07:49:49 +0000 |
commit | 6828096e7e647c539f0a1ee644aa2d361f9dbf80 (patch) | |
tree | 91d9fb7e4f9973b24ab4195b09226e55a98a8ba8 | |
parent | 8375d77ae25dd19c5b0c3623ce97d4c541c8c518 (diff) | |
#284887 by Dave Reid and dww: Disable autocomplete if user does not have access to the callback.
-rw-r--r-- | includes/form.inc | 2 | ||||
-rw-r--r-- | modules/profile/profile.admin.inc | 1 | ||||
-rw-r--r-- | modules/profile/profile.test | 62 | ||||
-rw-r--r-- | modules/user/user.test | 47 |
4 files changed, 109 insertions, 3 deletions
diff --git a/includes/form.inc b/includes/form.inc
index a9472cba6..51d8916ad 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -2085,7 +2085,7 @@ function theme_textfield($element) {
   $extra = '';
   $output = '';
 
-  if ($element['#autocomplete_path']) {
+  if ($element['#autocomplete_path'] && menu_valid_path(array('link_path' => $element['#autocomplete_path']))) {
     drupal_add_js('misc/autocomplete.js');
     $class[] = 'form-autocomplete';
     $extra = '<input class="autocomplete" type="hidden" id="' . $element['#id'] . '-autocomplete" value="' . check_url(url($element['#autocomplete_path'], array('absolute' => TRUE))) . '" disabled="disabled" />';
diff --git a/modules/profile/profile.admin.inc b/modules/profile/profile.admin.inc
index bcc3e5e77..912378852 100644
--- a/modules/profile/profile.admin.inc
+++ b/modules/profile/profile.admin.inc
@@ -269,6 +269,7 @@ Unless you know what you are doing, it is highly recommended that you prefix the
   $form['fields']['autocomplete'] = array('#type' => 'checkbox',
     '#title' => t('Form will auto-complete while user is typing.'),
     '#default_value' => $edit['autocomplete'],
+    '#description' => t('For security, auto-complete will be disabled if the user does not have access to user profiles.'),
   );
   $form['fields']['required'] = array('#type' => 'checkbox',
     '#title' => t('The user must enter a value.'),
diff --git a/modules/profile/profile.test b/modules/profile/profile.test
index 8665457f7..485b79336 100644
--- a/modules/profile/profile.test
+++ b/modules/profile/profile.test
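Review bot: The `menu_valid_path()` gate on the changed `if` only decides whether the hidden `<input class="autocomplete">` advertising the callback URL is rendered; it is not an access control on the callback itself, and anyone who knows the path can still request it directly, so the router item behind `#autocomplete_path` must keep its own access callback (the 403 assertions added in user.test and profile.test are what actually prove that). Because the check sits inside theme_textfield() it runs once per rendered textfield, which presumably means a router lookup for every autocomplete-enabled field on a page; that cost and the intent deserve a comment so nobody later removes the server-side check believing this one is sufficient. I would add above the condition: `// Only advertise the autocomplete URL when the current user can reach the callback. This is a UX guard; the callback's own access check remains authoritative.` The rest of theme_textfield()'s body lies outside the hunk.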
@@ -248,13 +248,71 @@ class ProfileTestWeights extends ProfileTestCase {
   }
 }
 
+/**
+ * Test profile field autocompletion and access.
+ */
+class ProfileTestAutocomplete extends ProfileTestCase {
+
+  /**
+   * Implementation of getInfo().
+   */
+  function getInfo() {
+    return array(
+      'name' => t('Autocompletion'),
+      'description' => t('Test profile fields with autocompletion.'),
+      'group' => t('Profile')
+    );
+  }
+
+  /**
+   * Tests profile field autocompletion and access.
+   */
+  function testAutocomplete() {
+    $this->drupalLogin($this->admin_user);
+
+    // Create a new profile field with autocompletion enabled.
+    $category = $this->randomName();
+    $field = $this->createProfileField('textfield', $category, array('weight' => 1, 'autocomplete' => 1));
+
+    // Enter profile field value.
+    $field['value'] = $this->randomName();
+    $this->setProfileField($field, $field['value']);
+
+    // Set some html for what we want to see in the page output later.
+    $autocomplete_html = '<input class="autocomplete" type="hidden" id="' . form_clean_id('edit-' . $field['form_name'] . '-autocomplete') . '" value="' . url('profile/autocomplete/' . $field['fid'], array('absolute' => TRUE)) . '" disabled="disabled" />';
+    $field_html = '<input type="text" maxlength="255" name="' . $field['form_name'] . '" id="'. form_clean_id('edit-' . $field['form_name']) . '" size="60" value="' . $field['value'] . '" class="form-text form-autocomplete required" />';
+
+    // Check that autocompletion html is found on the user's profile edit page.
+    $this->drupalGet('user/' . $this->admin_user->uid . '/edit/' . $category);
+    $this->assertRaw($autocomplete_html, t('Autocomplete found.'));
+    $this->assertRaw('misc/autocomplete.js', t('Autocomplete JavaScript found.'));
+    $this->assertRaw('class="form-text form-autocomplete"', t('Autocomplete form element class found.'));
+
+    // Check the autocompletion path using the first letter of our user's profile
+    // field value to make sure access is allowed and a valid result if found.
+    $this->drupalGet('profile/autocomplete/' . $field['fid'] . '/' . $field['value'][0]);
+    $this->assertResponse(200, t('Autocomplete path allowed to user with permission.'));
+    $this->assertRaw($field['value'], t('Autocomplete value found.'));
+
+    // Logout and login with a user without the 'access user profiles' permission.
+    $this->drupalLogout();
+    $this->drupalLogin($this->normal_user);
+
+    // Check that autocompletion html is not found on the user's profile edit page.
+    $this->drupalGet('user/' . $this->normal_user->uid . '/edit/' . $category);
+    $this->assertNoRaw($autocomplete_html, t('Autocomplete not found.'));
+
+    // User should be denied access to the profile autocomplete path.
+    $this->drupalGet('profile/autocomplete/' . $field['fid'] . '/' . $field['value'][0]);
+    $this->assertResponse(403, t('Autocomplete path denied to user without permission.'));
+  }
+}
+
 /**
  * TODO:
  * - Test field visibility
  * - Test profile browsing
- * - Test autocomplete
  * - Test required fields
  * - Test fields on registration form
  * - Test updating fields
  */
-
diff --git a/modules/user/user.test b/modules/user/user.test
index 7a152fa5b..91e1df32e 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
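Review bot: `$field_html` in testAutocomplete() is built but never asserted, so the text-input markup it describes is not actually verified, and its `class="form-text form-autocomplete required"` disagrees with the `class="form-text form-autocomplete"` string asserted a few lines later, which suggests one of the two is wrong. Either confirm which class list the field really renders with and add `$this->assertRaw($field_html, t('Autocomplete field markup found.'));` next to the other positive assertions, or drop the variable. The negative half for normal_user only checks that the exact hidden input is absent, so a regression that still ships `misc/autocomplete.js` and the `form-autocomplete` class would pass; adding `$this->assertNoRaw('misc/autocomplete.js', t('Autocomplete JavaScript not found.'));` after the existing assertNoRaw would tighten it, provided nothing else on that edit page legitimately loads autocomplete.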
@@ -523,3 +523,50 @@ class UserAdminTestCase extends DrupalWebTestCase {
     $this->assertEqual($account->status, 0, 'User B blocked');
   }
 }
+
+/**
+ * Test user autocompletion.
+ */
+class UserAutocompleteTestCase extends DrupalWebTestCase {
+
+  /**
+   * Implementation of getInfo().
+   */
+  function getInfo() {
+    return array(
+      'name' => t('User autocompletion'),
+      'description' => t('Test user autocompletion functionality.'),
+      'group' => t('User')
+    );
+  }
+
+  /**
+   * Implementation of setUp().
+   */
+  function setUp() {
+    parent::setUp();
+
+    // Set up two users with different permissions to test access.
+    $this->unprivileged_user = $this->drupalCreateUser();
+    $this->privileged_user = $this->drupalCreateUser(array('access user profiles'));
+  }
+
+  /**
+   * Tests access to user autocompletion and verify the correct results.
+   */
+  function testUserAutocomplete() {
+    // Check access from unprivileged user, should be denied.
+    $this->drupalLogin($this->unprivileged_user);
+    $this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]);
+    $this->assertResponse(403, t('Autocompletion access denied to user without permission.'));
+
+    // Check access from privileged user.
+    $this->drupalLogout();
+    $this->drupalLogin($this->privileged_user);
+    $this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]);
+    $this->assertResponse(200, t('Autocompletion access allowed.'));
+
+    // Using first letter of the user's name, make sure the user's full name is in the results.
+    $this->assertRaw($this->unprivileged_user->name, t('User name found in autocompletion results.'));
+  }
+}
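Review bot: testUserAutocomplete() never exercises the anonymous case, which is the one that matters most for enumerating user names through user/autocomplete; if the anonymous role lacks 'access user profiles' in the test install (the default, as far as I can tell), a request issued before the first drupalLogin() should be asserted as a 403, e.g. `$this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]); $this->assertResponse(403, t('Autocompletion access denied to anonymous user.'));`. The positive check asserts the raw name anywhere in the response body, which would also match if the name surfaced in an error page; the preceding assertResponse(200) mitigates that, so it is acceptable but worth a short comment saying the body is expected to be the JSON result. setUp() also assigns `$this->unprivileged_user` and `$this->privileged_user` without declaring them on the class, which matches the prevailing style in these test files, so just noting it.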