Commit 6828096e authored by webchick's avatar webchick

#284887 by Dave Reid and dww: Disable autocomplete if user does not have access to the callback.

parent 8375d77a
......@@ -2085,7 +2085,7 @@ function theme_textfield($element) {
$extra = '';
$output = '';
if ($element['#autocomplete_path']) {
if ($element['#autocomplete_path'] && menu_valid_path(array('link_path' => $element['#autocomplete_path']))) {
drupal_add_js('misc/autocomplete.js');
$class[] = 'form-autocomplete';
$extra = '<input class="autocomplete" type="hidden" id="' . $element['#id'] . '-autocomplete" value="' . check_url(url($element['#autocomplete_path'], array('absolute' => TRUE))) . '" disabled="disabled" />';
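Review bot: The added condition on the `if` line silently drops the autocomplete widget when `menu_valid_path()` rejects the path, and nothing in the hunk records why an access gate lives inside a theme function, which invites a later "simplification" back to the old check. A one-line comment above the `if` would anchor it: `// Only wire up autocompletion when the current user can reach the callback path; the callback's own access check remains the real control, this just avoids emitting a hidden input that points at a path the browser would get a 403 for.` Note that this runs a router lookup on every render of an autocomplete textfield; presumably acceptable, but worth knowing if the form has many such fields. The enclosing `theme_textfield()` starts and ends outside the hunk.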
......@@ -269,6 +269,7 @@ function profile_field_form(&$form_state, $arg = NULL) {
$form['fields']['autocomplete'] = array('#type' => 'checkbox',
'#title' => t('Form will auto-complete while user is typing.'),
'#default_value' => $edit['autocomplete'],
'#description' => t('For security, auto-complete will be disabled if the user does not have access to user profiles.'),
);
$form['fields']['required'] = array('#type' => 'checkbox',
'#title' => t('The user must enter a value.'),
......@@ -248,13 +248,71 @@ class ProfileTestWeights extends ProfileTestCase {
}
}
/**
* Test profile field autocompletion and access.
*/
class ProfileTestAutocomplete extends ProfileTestCase {
/**
* Implementation of getInfo().
*/
function getInfo() {
return array(
'name' => t('Autocompletion'),
'description' => t('Test profile fields with autocompletion.'),
'group' => t('Profile')
);
}
/**
* Tests profile field autocompletion and access.
*/
function testAutocomplete() {
$this->drupalLogin($this->admin_user);
// Create a new profile field with autocompletion enabled.
$category = $this->randomName();
$field = $this->createProfileField('textfield', $category, array('weight' => 1, 'autocomplete' => 1));
// Enter profile field value.
$field['value'] = $this->randomName();
$this->setProfileField($field, $field['value']);
// Set some html for what we want to see in the page output later.
$autocomplete_html = '<input class="autocomplete" type="hidden" id="' . form_clean_id('edit-' . $field['form_name'] . '-autocomplete') . '" value="' . url('profile/autocomplete/' . $field['fid'], array('absolute' => TRUE)) . '" disabled="disabled" />';
$field_html = '<input type="text" maxlength="255" name="' . $field['form_name'] . '" id="'. form_clean_id('edit-' . $field['form_name']) . '" size="60" value="' . $field['value'] . '" class="form-text form-autocomplete required" />';
// Check that autocompletion html is found on the user's profile edit page.
$this->drupalGet('user/' . $this->admin_user->uid . '/edit/' . $category);
$this->assertRaw($autocomplete_html, t('Autocomplete found.'));
$this->assertRaw('misc/autocomplete.js', t('Autocomplete JavaScript found.'));
$this->assertRaw('class="form-text form-autocomplete"', t('Autocomplete form element class found.'));
// Check the autocompletion path using the first letter of our user's profile
// field value to make sure access is allowed and a valid result if found.
$this->drupalGet('profile/autocomplete/' . $field['fid'] . '/' . $field['value'][0]);
$this->assertResponse(200, t('Autocomplete path allowed to user with permission.'));
$this->assertRaw($field['value'], t('Autocomplete value found.'));
// Logout and login with a user without the 'access user profiles' permission.
$this->drupalLogout();
$this->drupalLogin($this->normal_user);
// Check that autocompletion html is not found on the user's profile edit page.
$this->drupalGet('user/' . $this->normal_user->uid . '/edit/' . $category);
$this->assertNoRaw($autocomplete_html, t('Autocomplete not found.'));
// User should be denied access to the profile autocomplete path.
$this->drupalGet('profile/autocomplete/' . $field['fid'] . '/' . $field['value'][0]);
$this->assertResponse(403, t('Autocomplete path denied to user without permission.'));
}
}
/**
* TODO:
* - Test field visibility
* - Test profile browsing
* - Test autocomplete
* - Test required fields
* - Test fields on registration form
* - Test updating fields
*/
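Review bot: `$field_html`, built on the line after `$autocomplete_html`, is never asserted and carries a `required` class that the created field does not have, so it is dead and misleading; either remove it or assert it against a field created with matching attributes. The negative half of the test for `normal_user` only checks that the hidden input is absent; it should also confirm the JS and the element class were not attached, e.g. `$this->assertNoRaw('misc/autocomplete.js', t('Autocomplete JavaScript not found.'));` and `$this->assertNoRaw('class="form-text form-autocomplete"', t('Autocomplete form element class not found.'));` (the JS assertion assumes no other autocomplete field is rendered on that page). The trailing TODO block still lists `- Test autocomplete`, which this class now covers and should be dropped from the list. `$this->admin_user` and `$this->normal_user` are presumably set up in `ProfileTestCase` outside the hunk.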
......@@ -523,3 +523,50 @@ class UserAdminTestCase extends DrupalWebTestCase {
$this->assertEqual($account->status, 0, 'User B blocked');
}
}
/**
* Test user autocompletion.
*/
class UserAutocompleteTestCase extends DrupalWebTestCase {
/**
* Implementation of getInfo().
*/
function getInfo() {
return array(
'name' => t('User autocompletion'),
'description' => t('Test user autocompletion functionality.'),
'group' => t('User')
);
}
/**
* Implementation of setUp().
*/
function setUp() {
parent::setUp();
// Set up two users with different permissions to test access.
$this->unprivileged_user = $this->drupalCreateUser();
$this->privileged_user = $this->drupalCreateUser(array('access user profiles'));
}
/**
* Tests access to user autocompletion and verify the correct results.
*/
function testUserAutocomplete() {
// Check access from unprivileged user, should be denied.
$this->drupalLogin($this->unprivileged_user);
$this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]);
$this->assertResponse(403, t('Autocompletion access denied to user without permission.'));
// Check access from privileged user.
$this->drupalLogout();
$this->drupalLogin($this->privileged_user);
$this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]);
$this->assertResponse(200, t('Autocompletion access allowed.'));
// Using first letter of the user's name, make sure the user's full name is in the results.
$this->assertRaw($this->unprivileged_user->name, t('User name found in autocompletion results.'));
}
}
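Review bot: The denial check in `testUserAutocomplete()` only covers a logged-in user without `access user profiles`; the anonymous case, which is the one that matters for account-name enumeration by unauthenticated clients, is never exercised. Add a request before the first `drupalLogin()`: `$this->drupalGet('user/autocomplete/' . $this->unprivileged_user->name[0]);` followed by `$this->assertResponse(403, t('Autocompletion access denied to anonymous user.'));` — this assumes the test install does not grant that permission to anonymous, which is worth confirming. The positive check asserts the raw name appears in the body; if the callback returns JSON, comparing against the decoded result would make the assertion independent of output escaping, though with `randomName()` values this is unlikely to bite.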