# Exercises RT's cross-site request forgery (CSRF) defence on the REST 1.0
# interface from two kinds of session:
#   1. an ordinary web-UI session, where a REST POST is accepted only when
#      a Referer header is present or a username/password is supplied; and
#   2. a session created through REST, which is exempt from the Referer
#      requirement but is refused access to the full (non-REST) UI.
# Each step asserts on the response body; the final step also asserts on
# the server-side warning, so operators can rely on that log line when a
# REST session is used against the UI.
4 use RT::Test tests => undef;
6 my ($baseurl, $m) = RT::Test->started_ok;
8 # Get a non-REST session
9 diag "Standard web session";
# Log in through the normal web UI and confirm we are on the full UI
# front page ("RT at a glance"), i.e. this is a browser-style session.
10 ok $m->login, 'logged in';
11 $m->content_contains("RT at a glance", "Get full UI content");
13 # Requesting a REST page should be fine, as we have a Referer
# The client is still sending a Referer from the previous page, so the
# CSRF check treats this POST as a same-site form submission.
14 $m->post("$baseurl/REST/1.0/ticket/new", [
# The REST 1.0 interface answers a successful new-ticket request with a
# line starting "id: ticket/new"; /m lets ^ match at that line.
17 $m->content_like(qr{^id: ticket/new}m, "REST request with referrer");
19 # Removing the Referer header gets us an interstitial
# Setting the header to undef drops it from subsequent requests; with no
# Referer and no credentials the web-UI session now looks like a possible
# cross-site POST and RT answers with its CSRF interstitial page instead
# of performing the action.
20 $m->add_header(Referer => undef);
21 $m->post("$baseurl/REST/1.0/ticket/new", [
25 $m->content_contains("Possible cross-site request forgery",
26 "REST request without referrer is blocked");
28 # But passing username and password lets us through
# Explicit credentials in the request body are accepted as proof that the
# caller intended this request, so the missing Referer is not fatal.
29 $m->post("$baseurl/REST/1.0/ticket/new", [
34 $m->content_like(qr{^id: ticket/new}m, "REST request without referrer, but username/password supplied, is OK");
36 # And we can still access non-REST urls
# Using REST from a web-UI session must not downgrade that session: the
# full UI stays reachable.
38 $m->content_contains("RT at a glance", "Full UI is still available");
41 # Now go get a REST session
# A fresh client with no existing session cookie. Its very first request is
# a REST POST, so the session RT creates for it is a "REST session".
43 $m = RT::Test::Web->new;
44 $m->post("$baseurl/REST/1.0/ticket/new", [
49 $m->content_like(qr{^id: ticket/new}m, "REST request to log in");
51 # Requesting that page again, with a username/password but no referrer,
53 $m->add_header(Referer => undef);
54 $m->post("$baseurl/REST/1.0/ticket/new", [
59 $m->content_like(qr{^id: ticket/new}m, "REST request with no referrer, but username/pass");
61 # And it's still fine without both referer and username and password,
62 # because REST is special-cased
# Contrast with the web-UI session above: the same Referer-less,
# credential-less POST that produced the CSRF interstitial there is
# allowed here, because the session itself is known to belong to a REST
# client rather than a browser.
63 $m->post("$baseurl/REST/1.0/ticket/new", [
66 $m->content_like(qr{^id: ticket/new}m, "REST request with no referrer or username/pass is special-cased for REST sessions");
68 # But the REST page can't request normal pages
# The flip side of the exemption: a REST session is confined to REST.
# NOTE(review): presumably this is what keeps the Referer exemption from
# becoming a CSRF bypass for the full UI -- confirm against the server-side
# CSRF handling. The refusal is reported both in the response body and as
# a server warning with the same text.
70 $m->content_lacks("RT at a glance", "Full UI is denied for REST sessions");
71 $m->content_contains("This login session belongs to a REST client", "Tells you why");
72 $m->warning_like(qr/This login session belongs to a REST client/, "Logs a warning");