Diffstat (limited to 'rt/t/web/action-results.t')
-rw-r--r-- | rt/t/web/action-results.t | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/rt/t/web/action-results.t b/rt/t/web/action-results.t
new file mode 100644
index 000000000..db8c26bb8
--- /dev/null
+++ b/rt/t/web/action-results.t
@@ -0,0 +1,48 @@
+use strict;
+use warnings;
+use RT::Test tests => 'no_declare';
+
+my ($url, $m) = RT::Test->started_ok;
+
+ok $m->login, "Logged in";
+
+# We test two ticket creation paths since one historically doesn't update the
+# session (quick create) and the other does.
+for my $quick (1, 0) {
+    diag $quick ? "Quick ticket creation" : "Normal ticket creation";
+
+    $m->get_ok("/");
+    $m->submit_form_ok({ form_name => 'CreateTicketInQueue' }, "Create new ticket form")
+        unless $quick;
+    $m->submit_form_ok({
+        with_fields => {
+            Subject => "The Plants",
+            Content => "Please water them.",
+        },
+    }, "Submitted new ticket");
+
+    my $id = RT::Test->last_ticket->id;
+
+    like $m->uri, qr/results=[A-Za-z0-9]{32}/, "URI contains results hash";
+    $m->content_contains("Ticket $id created", "Page contains results message");
+    $m->content_contains("#$id: The Plants") unless $quick;
+
+    diag "Reloading without a referer but with a results hash doesn't trigger the CSRF"; {
+        # Mech's API here sucks.  To drop the Referer and simulate a real browser
+        # reload, we need to make a new request which explicitly adds an empty Referer
+        # header (causing it to never be sent) and then deletes the empty Referer
+        # header to let it be automatically managed again.
+        $m->add_header("Referer" => undef);
+        $m->get_ok( $m->uri, "Reloading the results page without a Referer" );
+        $m->delete_header("Referer");
+
+        like $m->uri, qr/results=[A-Za-z0-9]{32}/, "URI contains results hash";
+        $m->content_lacks("cross-site request forgery", "Skipped the CSRF interstitial")
+            or $m->follow_link_ok({ text => "click here to resume your request" }, "Ignoring CSRF warning");
+        $m->content_lacks("Ticket $id created", "Page lacks results message");
+        $m->content_contains("#$id: The Plants") unless $quick;
+    }
+}
+
+undef $m;
+done_testing; |
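Review bot: The two `$m->content_contains("#$id: The Plants") unless $quick;` assertions (after the create and again after the Referer-less reload) carry no test description, so a failure in either prints only the generic content_contains message and the two are indistinguishable in TAP output; give each one a label such as `$m->content_contains("#$id: The Plants", "Ticket display page shows the new ticket") unless $quick;`. The header comment explains the two creation paths but not the security property the inner block pins down, which from the assertions appears to be that a `results=` token lets a Referer-less reload through the CSRF interstitial while the stored results message is consumed on first display and not replayed; a one-line comment above the `diag "Reloading ..."` line stating that would make the intent of `content_lacks("Ticket $id created", ...)` clear to the next maintainer. `$url` from `my ($url, $m) = RT::Test->started_ok;` is never used in the file, so `my (undef, $m) = RT::Test->started_ok;` would be cleaner.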