# Web test for RT ticket creation: the rest of the file (partly elided in this
# listing) creates tickets via two paths and checks how the results page behaves
# on a Referer-less reload, i.e. whether the CSRF interstitial is triggered.
#
# Test harness setup. 'no_declare' leaves the plan undeclared up front
# (presumably closed with done_testing later in the file — not visible here).
3 use RT::Test tests => 'no_declare';
# Start a test RT server; $url is its base URL and $m a browser-like client
# (used below for form submission, page fetches and content assertions).
5 my ($url, $m) = RT::Test->started_ok;
# Every request after this runs in an authenticated session, so any CSRF
# behaviour exercised later applies to a logged-in user, not an anonymous one.
7 ok $m->login, "Logged in";
9 # We test two ticket creation paths since one historically doesn't update the
10 # session (quick create) and the other does.
11 for my $quick (1, 0) {
12 diag $quick ? "Quick ticket creation" : "Normal ticket creation";
15 $m->submit_form_ok({ form_name => 'CreateTicketInQueue' }, "Create new ticket form")
19 Subject => "The Plants",
20 Content => "Please water them.",
22 }, "Submitted new ticket");
24 my $id = RT::Test->last_ticket->id;
26 like $m->uri, qr/results=[A-Za-z0-9]{32}/, "URI contains results hash";
27 $m->content_contains("Ticket $id created", "Page contains results message");
28 $m->content_contains("#$id: The Plants") unless $quick;
30 diag "Reloading without a referer but with a results hash doesn't trigger the CSRF"; {
31 # Mech's API here sucks. To drop the Referer and simulate a real browser
32 # reload, we need to make a new request which explicitly adds an empty Referer
33 # header (causing it to never be sent) and then deletes the empty Referer
34 # header to let it be automatically managed again.
35 $m->add_header("Referer" => undef);
36 $m->get_ok( $m->uri, "Reloading the results page without a Referer" );
37 $m->delete_header("Referer");
39 like $m->uri, qr/results=[A-Za-z0-9]{32}/, "URI contains results hash";
40 $m->content_lacks("cross-site request forgery", "Skipped the CSRF interstitial")
41 or $m->follow_link_ok({ text => "click here to resume your request" }, "Ignoring CSRF warning");
42 $m->content_lacks("Ticket $id created", "Page lacks results message");
43 $m->content_contains("#$id: The Plants") unless $quick;