--- /dev/null
+use strict;
+use warnings;
+use RT::Test tests => 'no_declare';
+
+my ($url, $m) = RT::Test->started_ok;
+
+ok $m->login, "Logged in";
+
+# We test two ticket creation paths since one historically doesn't update the
+# session (quick create) and the other does.
+for my $quick (1, 0) {
+ diag $quick ? "Quick ticket creation" : "Normal ticket creation";
+
+ $m->get_ok("/");
+ $m->submit_form_ok({ form_name => 'CreateTicketInQueue' }, "Create new ticket form")
+ unless $quick;
+ $m->submit_form_ok({
+ with_fields => {
+ Subject => "The Plants",
+ Content => "Please water them.",
+ },
+ }, "Submitted new ticket");
+
+ my $id = RT::Test->last_ticket->id;
+
+ like $m->uri, qr/results=[A-Za-z0-9]{32}/, "URI contains results hash";
+ $m->content_contains("Ticket $id created", "Page contains results message");
+ $m->content_contains("#$id: The Plants") unless $quick;
+
+ diag "Reloading without a referer but with a results hash doesn't trigger the CSRF"; {
+ # Mech's API here sucks. To drop the Referer and simulate a real browser
+ # reload, we need to make a new request which explicitly adds an empty Referer
+ # header (causing it to never be sent) and then deletes the empty Referer
+ # header to let it be automatically managed again.
+ $m->add_header("Referer" => undef);
+ $m->get_ok( $m->uri, "Reloading the results page without a Referer" );
+ $m->delete_header("Referer");
+
+ like $m->uri, qr/results=[A-Za-z0-9]{32}/, "URI contains results hash";
+ $m->content_lacks("cross-site request forgery", "Skipped the CSRF interstitial")
+ or $m->follow_link_ok({ text => "click here to resume your request" }, "Ignoring CSRF warning");
+ $m->content_lacks("Ticket $id created", "Page lacks results message");
+ $m->content_contains("#$id: The Plants") unless $quick;
+ }
+}
+
+undef $m;
+done_testing;
projects / freeside.git / blobdiff