# RT::Test integration test for RT's cross-site request forgery (CSRF)
# handling on the REST/1.0 interface versus the full web UI. It first drives
# a normal browser-style session and checks when a REST POST is served,
# when it is stopped by the CSRF interstitial, and what lets it through; it
# then creates a session directly via REST and checks that such a session
# is exempt from the Referer check but locked out of the full UI.
# NOTE(review): several request bodies and the GETs of UI pages are not
# visible in this excerpt; comments below describe only the visible checks.
5 use RT::Test tests => undef;
7 my ($baseurl, $m) = RT::Test->started_ok;
9 # Get a non-REST session
10 diag "Standard web session";
11 ok $m->login, 'logged in';
12 $m->content_contains("RT at a glance", "Get full UI content");
14 # Requesting a REST page should be fine, as we have a Referer
# The client still carries a Referer header from the UI login, so the REST
# POST is answered directly with REST's "id: ticket/new" form.
15 $m->post("$baseurl/REST/1.0/ticket/new", [
18 $m->content_like(qr{^id: ticket/new}m, "REST request with referrer");
20 # Removing the Referer header gets us an interstitial
# add_header with an undef value drops the header, so the same POST from a
# UI session now lands on the CSRF interstitial instead of the REST form.
21 $m->add_header(Referer => undef);
22 $m->post("$baseurl/REST/1.0/ticket/new", [
26 $m->content_contains("Possible cross-site request forgery",
27 "REST request without referrer is blocked");
29 # But passing username and password lets us through
# NOTE(review): the POST body carrying the credentials is not visible in
# this excerpt; the assertion name below is the only evidence of it here.
30 $m->post("$baseurl/REST/1.0/ticket/new", [
35 $m->content_like(qr{^id: ticket/new}m, "REST request without referrer, but username/password supplied, is OK");
37 # And we can still access non-REST urls
# NOTE(review): the GET of the UI page checked here precedes this line but
# is not shown in the excerpt. The point of the check is that the UI
# session was not demoted to a REST session by the REST requests above.
39 $m->content_contains("RT at a glance", "Full UI is still available");
42 # Now go get a REST session
# A fresh client with no UI login; its first request is a REST POST, so the
# session it obtains is a REST session (see the lockout checks at the end).
44 $m = RT::Test::Web->new;
45 $m->post("$baseurl/REST/1.0/ticket/new", [
50 $m->content_like(qr{^id: ticket/new}m, "REST request to log in");
52 # Requesting that page again, with a username/password but no referrer,
54 $m->add_header(Referer => undef);
55 $m->post("$baseurl/REST/1.0/ticket/new", [
60 $m->content_like(qr{^id: ticket/new}m, "REST request with no referrer, but username/pass");
62 # And it's still fine without both referer and username and password,
63 # because REST is special-cased
# For a session created via REST, later REST POSTs need neither a Referer
# nor credentials to bypass the CSRF interstitial.
64 $m->post("$baseurl/REST/1.0/ticket/new", [
67 $m->content_like(qr{^id: ticket/new}m, "REST request with no referrer or username/pass is special-cased for REST sessions");
69 # But the REST page can't request normal pages
# The flip side of the exemption: a REST session must not be usable to
# browse the full UI, the response says why, and RT logs a warning
# (checked with warning_like). The GET itself is not shown in the excerpt.
71 $m->content_lacks("RT at a glance", "Full UI is denied for REST sessions");
72 $m->content_contains("This login session belongs to a REST client", "Tells you why");
73 $m->warning_like(qr/This login session belongs to a REST client/, "Logs a warning");