1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
use strict;
use warnings;
use RT::Test tests => 'no_declare';
my ($url, $m) = RT::Test->started_ok;
ok $m->login, "Logged in";
# We test two ticket creation paths since one historically doesn't update the
# session (quick create) and the other does.
for my $quick (1, 0) {
diag $quick ? "Quick ticket creation" : "Normal ticket creation";
$m->get_ok("/");
$m->submit_form_ok({ form_name => 'CreateTicketInQueue' }, "Create new ticket form")
unless $quick;
$m->submit_form_ok({
with_fields => {
Subject => "The Plants",
Content => "Please water them.",
},
}, "Submitted new ticket");
my $id = RT::Test->last_ticket->id;
like $m->uri, qr/results=[A-Za-z0-9]{32}/, "URI contains results hash";
$m->content_contains("Ticket $id created", "Page contains results message");
$m->content_contains("#$id: The Plants") unless $quick;
diag "Reloading without a referer but with a results hash doesn't trigger the CSRF"; {
# Mech's API here sucks. To drop the Referer and simulate a real browser
# reload, we need to make a new request which explicitly adds an empty Referer
# header (causing it to never be sent) and then deletes the empty Referer
# header to let it be automatically managed again.
$m->add_header("Referer" => undef);
$m->get_ok( $m->uri, "Reloading the results page without a Referer" );
$m->delete_header("Referer");
like $m->uri, qr/results=[A-Za-z0-9]{32}/, "URI contains results hash";
$m->content_lacks("cross-site request forgery", "Skipped the CSRF interstitial")
or $m->follow_link_ok({ text => "click here to resume your request" }, "Ignoring CSRF warning");
$m->content_lacks("Ticket $id created", "Page lacks results message");
$m->content_contains("#$id: The Plants") unless $quick;
}
}
undef $m;
done_testing;
|