Tests for file.module.
<?php
/**
* @file
* Tests for file.module.
*/
/**
* Provides methods specifically for testing File module's field handling.
*/
class FileFieldTestCase extends DrupalWebTestCase {
protected $admin_user;
function setUp() {
// Since this is a base class for many test cases, support the same
// flexibility that DrupalWebTestCase::setUp() has for the modules to be
// passed in as either an array or a variable number of string arguments.
$modules = func_get_args();
if (isset($modules[0]) && is_array($modules[0])) {
$modules = $modules[0];
}
$modules[] = 'file';
$modules[] = 'file_module_test';
parent::setUp($modules);
$this->admin_user = $this
->drupalCreateUser(array(
'access content',
'access administration pages',
'administer site configuration',
'administer users',
'administer permissions',
'administer content types',
'administer nodes',
'bypass node access',
'administer fields',
));
$this
->drupalLogin($this->admin_user);
}
/**
* Retrieves a sample file of the specified type.
*/
function getTestFile($type_name, $size = NULL) {
// Get a file to upload.
$file = current($this
->drupalGetTestFiles($type_name, $size));
// Add a filesize property to files as would be read by file_load().
$file->filesize = filesize($file->uri);
return $file;
}
/**
* Retrieves the fid of the last inserted file.
*/
function getLastFileId() {
return (int) db_query('SELECT MAX(fid) FROM {file_managed}')
->fetchField();
}
/**
* Creates a new file field.
*
* @param $name
* The name of the new field (all lowercase), exclude the "field_" prefix.
* @param $type_name
* The node type that this field will be added to.
* @param $field_settings
* A list of field settings that will be added to the defaults.
* @param $instance_settings
* A list of instance settings that will be added to the instance defaults.
* @param $widget_settings
* A list of widget settings that will be added to the widget defaults.
*/
function createFileField($name, $type_name, $field_settings = array(), $instance_settings = array(), $widget_settings = array()) {
$field = array(
'field_name' => $name,
'type' => 'file',
'settings' => array(),
'cardinality' => !empty($field_settings['cardinality']) ? $field_settings['cardinality'] : 1,
);
$field['settings'] = array_merge($field['settings'], $field_settings);
field_create_field($field);
$this
->attachFileField($name, 'node', $type_name, $instance_settings, $widget_settings);
}
/**
* Attaches a file field to an entity.
*
* @param $name
* The name of the new field (all lowercase), exclude the "field_" prefix.
* @param $entity_type
* The entity type this field will be added to.
* @param $bundle
* The bundle this field will be added to.
* @param $field_settings
* A list of field settings that will be added to the defaults.
* @param $instance_settings
* A list of instance settings that will be added to the instance defaults.
* @param $widget_settings
* A list of widget settings that will be added to the widget defaults.
*/
function attachFileField($name, $entity_type, $bundle, $instance_settings = array(), $widget_settings = array()) {
$instance = array(
'field_name' => $name,
'label' => $name,
'entity_type' => $entity_type,
'bundle' => $bundle,
'required' => !empty($instance_settings['required']),
'settings' => array(),
'widget' => array(
'type' => 'file_generic',
'settings' => array(),
),
);
$instance['settings'] = array_merge($instance['settings'], $instance_settings);
$instance['widget']['settings'] = array_merge($instance['widget']['settings'], $widget_settings);
field_create_instance($instance);
}
/**
* Updates an existing file field with new settings.
*/
function updateFileField($name, $type_name, $instance_settings = array(), $widget_settings = array()) {
$instance = field_info_instance('node', $name, $type_name);
$instance['settings'] = array_merge($instance['settings'], $instance_settings);
$instance['widget']['settings'] = array_merge($instance['widget']['settings'], $widget_settings);
field_update_instance($instance);
}
/**
* Uploads a file to a node.
*/
function uploadNodeFile($file, $field_name, $nid_or_type, $new_revision = TRUE, $extras = array()) {
$langcode = LANGUAGE_NONE;
$edit = array(
"title" => $this
->randomName(),
'revision' => (string) (int) $new_revision,
);
if (is_numeric($nid_or_type)) {
$nid = $nid_or_type;
}
else {
// Add a new node.
$extras['type'] = $nid_or_type;
$node = $this
->drupalCreateNode($extras);
$nid = $node->nid;
// Save at least one revision to better simulate a real site.
$this
->drupalCreateNode(get_object_vars($node));
$node = node_load($nid, NULL, TRUE);
$this
->assertNotEqual($nid, $node->vid, 'Node revision exists.');
}
// Attach a file to the node.
$edit['files[' . $field_name . '_' . $langcode . '_0]'] = drupal_realpath($file->uri);
$this
->drupalPost("node/{$nid}/edit", $edit, t('Save'));
return $nid;
}
/**
* Removes a file from a node.
*
* Note that if replacing a file, it must first be removed then added again.
*/
function removeNodeFile($nid, $new_revision = TRUE) {
$edit = array(
'revision' => (string) (int) $new_revision,
);
$this
->drupalPost('node/' . $nid . '/edit', array(), t('Remove'));
$this
->drupalPost(NULL, $edit, t('Save'));
}
/**
* Replaces a file within a node.
*/
function replaceNodeFile($file, $field_name, $nid, $new_revision = TRUE) {
$edit = array(
'files[' . $field_name . '_' . LANGUAGE_NONE . '_0]' => drupal_realpath($file->uri),
'revision' => (string) (int) $new_revision,
);
$this
->drupalPost('node/' . $nid . '/edit', array(), t('Remove'));
$this
->drupalPost(NULL, $edit, t('Save'));
}
/**
* Asserts that a file exists physically on disk.
*/
function assertFileExists($file, $message = NULL) {
$message = isset($message) ? $message : format_string('File %file exists on the disk.', array(
'%file' => $file->uri,
));
$this
->assertTrue(is_file($file->uri), $message);
}
/**
* Asserts that a file exists in the database.
*/
function assertFileEntryExists($file, $message = NULL) {
entity_get_controller('file')
->resetCache();
$db_file = file_load($file->fid);
$message = isset($message) ? $message : format_string('File %file exists in database at the correct path.', array(
'%file' => $file->uri,
));
$this
->assertEqual($db_file->uri, $file->uri, $message);
}
/**
* Asserts that a file does not exist on disk.
*/
function assertFileNotExists($file, $message = NULL) {
$message = isset($message) ? $message : format_string('File %file exists on the disk.', array(
'%file' => $file->uri,
));
$this
->assertFalse(is_file($file->uri), $message);
}
/**
* Asserts that a file does not exist in the database.
*/
function assertFileEntryNotExists($file, $message) {
entity_get_controller('file')
->resetCache();
$message = isset($message) ? $message : format_string('File %file exists in database at the correct path.', array(
'%file' => $file->uri,
));
$this
->assertFalse(file_load($file->fid), $message);
}
/**
* Asserts that a file's status is set to permanent in the database.
*/
function assertFileIsPermanent($file, $message = NULL) {
$message = isset($message) ? $message : format_string('File %file is permanent.', array(
'%file' => $file->uri,
));
$this
->assertTrue($file->status == FILE_STATUS_PERMANENT, $message);
}
/**
* Creates a temporary file, for a specific user.
*
* @param string $data
* A string containing the contents of the file.
* @param int $uid
* The user ID of the file owner.
*
* @return object
* A file object, or FALSE on error.
*/
function createTemporaryFile($data, $uid = NULL) {
$file = file_save_data($data, NULL, NULL);
if ($file) {
$file->uid = isset($uid) ? $uid : $this->admin_user->uid;
// Change the file status to be temporary.
$file->status = NULL;
return file_save($file);
}
return $file;
}
}
/**
* Tests adding a file to a non-node entity.
*/
class FileTaxonomyTermTestCase extends DrupalWebTestCase {
protected $admin_user;
public static function getInfo() {
return array(
'name' => 'Taxonomy term file test',
'description' => 'Tests adding a file to a non-node entity.',
'group' => 'File',
);
}
public function setUp() {
$modules[] = 'file';
$modules[] = 'taxonomy';
parent::setUp($modules);
$this->admin_user = $this
->drupalCreateUser(array(
'access content',
'access administration pages',
'administer site configuration',
'administer taxonomy',
));
$this
->drupalLogin($this->admin_user);
}
/**
* Creates a file field and attaches it to the "Tags" taxonomy vocabulary.
*
* @param $name
* The field name of the file field to create.
* @param $uri_scheme
* The URI scheme to use for the file field (for example, "private" to
* create a field that stores private files or "public" to create a field
* that stores public files).
*/
protected function createAttachFileField($name, $uri_scheme) {
$field = array(
'field_name' => $name,
'type' => 'file',
'settings' => array(
'uri_scheme' => $uri_scheme,
),
'cardinality' => 1,
);
field_create_field($field);
// Attach an instance of it.
$instance = array(
'field_name' => $name,
'label' => 'File',
'entity_type' => 'taxonomy_term',
'bundle' => 'tags',
'required' => FALSE,
'settings' => array(),
'widget' => array(
'type' => 'file_generic',
'settings' => array(),
),
);
field_create_instance($instance);
}
/**
* Tests that a public file can be attached to a taxonomy term.
*
* This is a regression test for https://www.drupal.org/node/2305017.
*/
public function testTermFilePublic() {
$this
->_testTermFile('public');
}
/**
* Tests that a private file can be attached to a taxonomy term.
*
* This is a regression test for https://www.drupal.org/node/2305017.
*/
public function testTermFilePrivate() {
$this
->_testTermFile('private');
}
/**
* Runs tests for attaching a file field to a taxonomy term.
*
* @param $uri_scheme
* The URI scheme to use for the file field, either "public" or "private".
*/
protected function _testTermFile($uri_scheme) {
$field_name = strtolower($this
->randomName());
$this
->createAttachFileField($field_name, $uri_scheme);
// Get a file to upload.
$file = current($this
->drupalGetTestFiles('text'));
// Add a filesize property to files as would be read by file_load().
$file->filesize = filesize($file->uri);
$langcode = LANGUAGE_NONE;
$edit = array(
"name" => $this
->randomName(),
);
// Attach a file to the term.
$edit['files[' . $field_name . '_' . $langcode . '_0]'] = drupal_realpath($file->uri);
$this
->drupalPost("admin/structure/taxonomy/tags/add", $edit, t('Save'));
// Find the term ID we just created.
$tid = db_query_range('SELECT tid FROM {taxonomy_term_data} ORDER BY tid DESC', 0, 1)
->fetchField();
$terms = entity_load('taxonomy_term', array(
$tid,
));
$term = $terms[$tid];
$fid = $term->{$field_name}[LANGUAGE_NONE][0]['fid'];
// Check that the uploaded file is present on the edit form.
$this
->drupalGet("taxonomy/term/{$tid}/edit");
$file_input_name = $field_name . '[' . LANGUAGE_NONE . '][0][fid]';
$this
->assertFieldByXpath('//input[@type="hidden" and @name="' . $file_input_name . '"]', $fid, 'File is attached on edit form.');
// Edit the term and change name without changing the file.
$edit = array(
"name" => $this
->randomName(),
);
$this
->drupalPost("taxonomy/term/{$tid}/edit", $edit, t('Save'));
// Check that the uploaded file is still present on the edit form.
$this
->drupalGet("taxonomy/term/{$tid}/edit");
$file_input_name = $field_name . '[' . LANGUAGE_NONE . '][0][fid]';
$this
->assertFieldByXpath('//input[@type="hidden" and @name="' . $file_input_name . '"]', $fid, 'File is attached on edit form.');
// Load term while resetting the cache.
$terms = entity_load('taxonomy_term', array(
$tid,
), array(), TRUE);
$term = $terms[$tid];
$this
->assertTrue(!empty($term->{$field_name}[LANGUAGE_NONE]), 'Term has attached files.');
$this
->assertEqual($term->{$field_name}[LANGUAGE_NONE][0]['fid'], $fid, 'Same File ID is attached to the term.');
}
}
/**
* Tests the 'managed_file' element type.
*
* @todo Create a FileTestCase base class and move FileFieldTestCase methods
* that aren't related to fields into it.
*/
class FileManagedFileElementTestCase extends FileFieldTestCase {
public static function getInfo() {
return array(
'name' => 'Managed file element test',
'description' => 'Tests the managed_file element type.',
'group' => 'File',
);
}
/**
* Tests the managed_file element type.
*/
function testManagedFile() {
// Check that $element['#size'] is passed to the child upload element.
$this
->drupalGet('file/test');
$this
->assertFieldByXpath('//input[@name="files[nested_file]" and @size="13"]', NULL, 'The custom #size attribute is passed to the child upload element.');
// Perform the tests with all permutations of $form['#tree'] and
// $element['#extended'].
foreach (array(
0,
1,
) as $tree) {
foreach (array(
0,
1,
) as $extended) {
$test_file = $this
->getTestFile('text');
$path = 'file/test/' . $tree . '/' . $extended;
$input_base_name = $tree ? 'nested_file' : 'file';
// Submit without a file.
$this
->drupalPost($path, array(), t('Save'));
$this
->assertRaw(t('The file id is %fid.', array(
'%fid' => 0,
)), 'Submitted without a file.');
// Submit with a file, but with an invalid form token. Ensure the file
// was not saved.
$last_fid_prior = $this
->getLastFileId();
$edit = array(
'files[' . $input_base_name . ']' => drupal_realpath($test_file->uri),
'form_token' => 'invalid token',
);
$this
->drupalPost($path, $edit, t('Save'));
$this
->assertText('The form has become outdated. Copy any unsaved work in the form below');
$last_fid = $this
->getLastFileId();
$this
->assertEqual($last_fid_prior, $last_fid, 'File was not saved when uploaded with an invalid form token.');
// Submit a new file, without using the Upload button.
$last_fid_prior = $this
->getLastFileId();
$edit = array(
'files[' . $input_base_name . ']' => drupal_realpath($test_file->uri),
);
$this
->drupalPost($path, $edit, t('Save'));
$last_fid = $this
->getLastFileId();
$this
->assertTrue($last_fid > $last_fid_prior, 'New file got saved.');
$this
->assertRaw(t('The file id is %fid.', array(
'%fid' => $last_fid,
)), 'Submit handler has correct file info.');
// Submit no new input, but with a default file.
$this
->drupalPost($path . '/' . $last_fid, array(), t('Save'));
$this
->assertRaw(t('The file id is %fid.', array(
'%fid' => $last_fid,
)), 'Empty submission did not change an existing file.');
// Now, test the Upload and Remove buttons, with and without Ajax.
foreach (array(
FALSE,
TRUE,
) as $ajax) {
// Upload, then Submit.
$last_fid_prior = $this
->getLastFileId();
$this
->drupalGet($path);
$edit = array(
'files[' . $input_base_name . ']' => drupal_realpath($test_file->uri),
);
if ($ajax) {
$this
->drupalPostAJAX(NULL, $edit, $input_base_name . '_upload_button');
}
else {
$this
->drupalPost(NULL, $edit, t('Upload'));
}
$last_fid = $this
->getLastFileId();
$this
->assertTrue($last_fid > $last_fid_prior, 'New file got uploaded.');
$this
->drupalPost(NULL, array(), t('Save'));
$this
->assertRaw(t('The file id is %fid.', array(
'%fid' => $last_fid,
)), 'Submit handler has correct file info.');
// Remove, then Submit.
$this
->drupalGet($path . '/' . $last_fid);
if ($ajax) {
$this
->drupalPostAJAX(NULL, array(), $input_base_name . '_remove_button');
}
else {
$this
->drupalPost(NULL, array(), t('Remove'));
}
$this
->drupalPost(NULL, array(), t('Save'));
$this
->assertRaw(t('The file id is %fid.', array(
'%fid' => 0,
)), 'Submission after file removal was successful.');
// Upload, then Remove, then Submit.
$this
->drupalGet($path);
$edit = array(
'files[' . $input_base_name . ']' => drupal_realpath($test_file->uri),
);
if ($ajax) {
$this
->drupalPostAJAX(NULL, $edit, $input_base_name . '_upload_button');
$this
->drupalPostAJAX(NULL, array(), $input_base_name . '_remove_button');
}
else {
$this
->drupalPost(NULL, $edit, t('Upload'));
$this
->drupalPost(NULL, array(), t('Remove'));
}
$this
->drupalPost(NULL, array(), t('Save'));
$this
->assertRaw(t('The file id is %fid.', array(
'%fid' => 0,
)), 'Submission after file upload and removal was successful.');
}
}
}
}
}
/**
* Tests file field widget.
*/
class FileFieldWidgetTestCase extends FileFieldTestCase {
public static function getInfo() {
return array(
'name' => 'File field widget test',
'description' => 'Tests the file field widget, single and multi-valued, with and without AJAX, with public and private files.',
'group' => 'File',
);
}
/**
* Tests upload and remove buttons for a single-valued File field.
*/
function testSingleValuedWidget() {
// Use 'page' instead of 'article', so that the 'article' image field does
// not conflict with this test. If in the future the 'page' type gets its
// own default file or image field, this test can be made more robust by
// using a custom node type.
$type_name = 'page';
$field_name = strtolower($this
->randomName());
$this
->createFileField($field_name, $type_name);
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
$test_file = $this
->getTestFile('text');
foreach (array(
'nojs',
'js',
) as $type) {
// Create a new node with the uploaded file and ensure it got uploaded
// successfully.
// @todo This only tests a 'nojs' submission, because drupalPostAJAX()
// does not yet support file uploads.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$this
->assertFileExists($node_file, 'New file saved to disk on node creation.');
// Test that running field_attach_update() leaves the file intact.
$field = new stdClass();
$field->type = $type_name;
$field->nid = $nid;
field_attach_update('node', $field);
$node = node_load($nid);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$this
->assertFileExists($node_file, 'New file still saved to disk on field update.');
// Ensure the file can be downloaded.
$this
->drupalGet(file_create_url($node_file->uri));
$this
->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
// Ensure the edit page has a remove button instead of an upload button.
$this
->drupalGet("node/{$nid}/edit");
$this
->assertNoFieldByXPath('//input[@type="submit"]', t('Upload'), 'Node with file does not display the "Upload" button.');
$this
->assertFieldByXpath('//input[@type="submit"]', t('Remove'), 'Node with file displays the "Remove" button.');
// "Click" the remove button (emulating either a nojs or js submission).
switch ($type) {
case 'nojs':
$this
->drupalPost(NULL, array(), t('Remove'));
break;
case 'js':
$button = $this
->xpath('//input[@type="submit" and @value="' . t('Remove') . '"]');
$this
->drupalPostAJAX(NULL, array(), array(
(string) $button[0]['name'] => (string) $button[0]['value'],
));
break;
}
// Ensure the page now has an upload button instead of a remove button.
$this
->assertNoFieldByXPath('//input[@type="submit"]', t('Remove'), 'After clicking the "Remove" button, it is no longer displayed.');
$this
->assertFieldByXpath('//input[@type="submit"]', t('Upload'), 'After clicking the "Remove" button, the "Upload" button is displayed.');
// Save the node and ensure it does not have the file.
$this
->drupalPost(NULL, array(), t('Save'));
$node = node_load($nid, NULL, TRUE);
$this
->assertTrue(empty($node->{$field_name}[LANGUAGE_NONE][0]['fid']), 'File was successfully removed from the node.');
}
}
/**
* Tests exploiting the temporary file removal of another user using fid.
*/
function testTemporaryFileRemovalExploit() {
// Create a victim user.
$victim_user = $this
->drupalCreateUser();
// Create an attacker user.
$attacker_user = $this
->drupalCreateUser(array(
'access content',
'create page content',
'edit any page content',
));
// Log in as the attacker user.
$this
->drupalLogin($attacker_user);
// Perform tests using the newly created users.
$this
->doTestTemporaryFileRemovalExploit($victim_user->uid, $attacker_user->uid);
}
/**
* Tests exploiting the temporary file removal for anonymous users using fid.
*/
public function testTemporaryFileRemovalExploitAnonymous() {
// Set up an anonymous victim user.
$victim_uid = 0;
// Set up an anonymous attacker user.
$attacker_uid = 0;
// Set up permissions for anonymous attacker user.
user_role_change_permissions(DRUPAL_ANONYMOUS_RID, array(
'access content' => TRUE,
'create page content' => TRUE,
'edit any page content' => TRUE,
));
// In order to simulate being the anonymous attacker user, we need to log
// out here since setUp() has logged in the admin.
$this
->drupalLogout();
// Perform tests using the newly set up users.
$this
->doTestTemporaryFileRemovalExploit($victim_uid, $attacker_uid);
}
/**
* Tests validation with the Upload button.
*/
function testWidgetValidation() {
$type_name = 'article';
$field_name = strtolower($this
->randomName());
$this
->createFileField($field_name, $type_name);
$this
->updateFileField($field_name, $type_name, array(
'file_extensions' => 'txt',
));
foreach (array(
'nojs',
'js',
) as $type) {
// Create node and prepare files for upload.
$node = $this
->drupalCreateNode(array(
'type' => 'article',
));
$nid = $node->nid;
$this
->drupalGet("node/{$nid}/edit");
$test_file_text = $this
->getTestFile('text');
$test_file_image = $this
->getTestFile('image');
$field = field_info_field($field_name);
$name = 'files[' . $field_name . '_' . LANGUAGE_NONE . '_0]';
// Upload file with incorrect extension, check for validation error.
$edit[$name] = drupal_realpath($test_file_image->uri);
switch ($type) {
case 'nojs':
$this
->drupalPost(NULL, $edit, t('Upload'));
break;
case 'js':
$button = $this
->xpath('//input[@type="submit" and @value="' . t('Upload') . '"]');
$this
->drupalPostAJAX(NULL, $edit, array(
(string) $button[0]['name'] => (string) $button[0]['value'],
));
break;
}
$error_message = t('Only files with the following extensions are allowed: %files-allowed.', array(
'%files-allowed' => 'txt',
));
$this
->assertRaw($error_message, t('Validation error when file with wrong extension uploaded (JSMode=%type).', array(
'%type' => $type,
)));
// Upload file with correct extension, check that error message is removed.
$edit[$name] = drupal_realpath($test_file_text->uri);
switch ($type) {
case 'nojs':
$this
->drupalPost(NULL, $edit, t('Upload'));
break;
case 'js':
$button = $this
->xpath('//input[@type="submit" and @value="' . t('Upload') . '"]');
$this
->drupalPostAJAX(NULL, $edit, array(
(string) $button[0]['name'] => (string) $button[0]['value'],
));
break;
}
$this
->assertNoRaw($error_message, t('Validation error removed when file with correct extension uploaded (JSMode=%type).', array(
'%type' => $type,
)));
}
}
/**
* Helper for testing exploiting the temporary file removal using fid.
*
* @param int $victim_uid
* The victim user ID.
* @param int $attacker_uid
* The attacker user ID.
*/
protected function doTestTemporaryFileRemovalExploit($victim_uid, $attacker_uid) {
// Use 'page' instead of 'article', so that the 'article' image field does
// not conflict with this test. If in the future the 'page' type gets its
// own default file or image field, this test can be made more robust by
// using a custom node type.
$type_name = 'page';
$field_name = 'test_file_field';
$this
->createFileField($field_name, $type_name);
$test_file = $this
->getTestFile('text');
foreach (array(
'nojs',
'js',
) as $type) {
// Create a temporary file owned by the anonymous victim user. This will be
// as if they had uploaded the file, but not saved the node they were
// editing or creating.
$victim_tmp_file = $this
->createTemporaryFile('some text', $victim_uid);
$victim_tmp_file = file_load($victim_tmp_file->fid);
$this
->assertTrue($victim_tmp_file->status != FILE_STATUS_PERMANENT, 'New file saved to disk is temporary.');
$this
->assertFalse(empty($victim_tmp_file->fid), 'New file has a fid');
$this
->assertEqual($victim_uid, $victim_tmp_file->uid, 'New file belongs to the victim user');
// Have attacker create a new node with a different uploaded file and
// ensure it got uploaded successfully.
// @todo Can we test AJAX? See https://www.drupal.org/node/2538260
$edit = array(
'title' => $type . '-title',
);
// Attach a file to a node.
$langcode = LANGUAGE_NONE;
$edit['files[' . $field_name . '_' . $langcode . '_0]'] = drupal_realpath($test_file->uri);
$this
->drupalPost("node/add/{$type_name}", $edit, 'Save');
$node = $this
->drupalGetNodeByTitle($edit['title']);
$node_file = file_load($node->{$field_name}[$langcode][0]['fid']);
$this
->assertFileExists($node_file, 'New file saved to disk on node creation.');
$this
->assertEqual($attacker_uid, $node_file->uid, 'New file belongs to the attacker.');
// Ensure the file can be downloaded.
$this
->drupalGet(file_create_url($node_file->uri));
$this
->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
// "Click" the remove button (emulating either a nojs or js submission).
// In this POST request, the attacker "guesses" the fid of the victim's
// temporary file and uses that to remove this file.
$this
->drupalGet('node/' . $node->nid . '/edit');
switch ($type) {
case 'nojs':
$this
->drupalPost(NULL, array(
"{$field_name}[{$langcode}][0][fid]" => (string) $victim_tmp_file->fid,
), 'Remove');
break;
case 'js':
$button = $this
->xpath('//input[@type="submit" and @value="Remove"]');
$this
->drupalPostAJAX(NULL, array(
"{$field_name}[{$langcode}][0][fid]" => (string) $victim_tmp_file->fid,
), array(
(string) $button[0]['name'] => (string) $button[0]['value'],
));
break;
}
// The victim's temporary file should not be removed by the attacker's
// POST request.
$this
->assertFileExists($victim_tmp_file);
}
}
/**
* Tests upload and remove buttons for multiple multi-valued File fields.
*/
function testMultiValuedWidget() {
// Use 'page' instead of 'article', so that the 'article' image field does
// not conflict with this test. If in the future the 'page' type gets its
// own default file or image field, this test can be made more robust by
// using a custom node type.
$type_name = 'page';
$field_name = strtolower($this
->randomName());
$field_name2 = strtolower($this
->randomName());
$this
->createFileField($field_name, $type_name, array(
'cardinality' => 3,
));
$this
->createFileField($field_name2, $type_name, array(
'cardinality' => 3,
));
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
$field2 = field_info_field($field_name2);
$instance2 = field_info_instance('node', $field_name2, $type_name);
$test_file = $this
->getTestFile('text');
foreach (array(
'nojs',
'js',
) as $type) {
// Visit the node creation form, and upload 3 files for each field. Since
// the field has cardinality of 3, ensure the "Upload" button is displayed
// until after the 3rd file, and after that, isn't displayed. Because
// SimpleTest triggers the last button with a given name, so upload to the
// second field first.
// @todo This is only testing a non-Ajax upload, because drupalPostAJAX()
// does not yet emulate jQuery's file upload.
//
$this
->drupalGet("node/add/{$type_name}");
foreach (array(
$field_name2,
$field_name,
) as $each_field_name) {
for ($delta = 0; $delta < 3; $delta++) {
$edit = array(
'files[' . $each_field_name . '_' . LANGUAGE_NONE . '_' . $delta . ']' => drupal_realpath($test_file->uri),
);
// If the Upload button doesn't exist, drupalPost() will automatically
// fail with an assertion message.
$this
->drupalPost(NULL, $edit, t('Upload'));
}
}
$this
->assertNoFieldByXpath('//input[@type="submit"]', t('Upload'), 'After uploading 3 files for each field, the "Upload" button is no longer displayed.');
$num_expected_remove_buttons = 6;
foreach (array(
$field_name,
$field_name2,
) as $current_field_name) {
// How many uploaded files for the current field are remaining.
$remaining = 3;
// Test clicking each "Remove" button. For extra robustness, test them out
// of sequential order. They are 0-indexed, and get renumbered after each
// iteration, so array(1, 1, 0) means:
// - First remove the 2nd file.
// - Then remove what is then the 2nd file (was originally the 3rd file).
// - Then remove the first file.
foreach (array(
1,
1,
0,
) as $delta) {
// Ensure we have the expected number of Remove buttons, and that they
// are numbered sequentially.
$buttons = $this
->xpath('//input[@type="submit" and @value="Remove"]');
$this
->assertTrue(is_array($buttons) && count($buttons) === $num_expected_remove_buttons, format_string('There are %n "Remove" buttons displayed (JSMode=%type).', array(
'%n' => $num_expected_remove_buttons,
'%type' => $type,
)));
foreach ($buttons as $i => $button) {
$key = $i >= $remaining ? $i - $remaining : $i;
$check_field_name = $field_name2;
if ($current_field_name == $field_name && $i < $remaining) {
$check_field_name = $field_name;
}
$this
->assertIdentical((string) $button['name'], $check_field_name . '_' . LANGUAGE_NONE . '_' . $key . '_remove_button');
}
// "Click" the remove button (emulating either a nojs or js submission).
$button_name = $current_field_name . '_' . LANGUAGE_NONE . '_' . $delta . '_remove_button';
switch ($type) {
case 'nojs':
// drupalPost() takes a $submit parameter that is the value of the
// button whose click we want to emulate. Since we have multiple
// buttons with the value "Remove", and want to control which one we
// use, we change the value of the other ones to something else.
// Since non-clicked buttons aren't included in the submitted POST
// data, and since drupalPost() will result in $this being updated
// with a newly rebuilt form, this doesn't cause problems.
foreach ($buttons as $button) {
if ($button['name'] != $button_name) {
$button['value'] = 'DUMMY';
}
}
$this
->drupalPost(NULL, array(), t('Remove'));
break;
case 'js':
// drupalPostAJAX() lets us target the button precisely, so we don't
// require the workaround used above for nojs.
$this
->drupalPostAJAX(NULL, array(), array(
$button_name => t('Remove'),
));
break;
}
$num_expected_remove_buttons--;
$remaining--;
// Ensure an "Upload" button for the current field is displayed with the
// correct name.
$upload_button_name = $current_field_name . '_' . LANGUAGE_NONE . '_' . $remaining . '_upload_button';
$buttons = $this
->xpath('//input[@type="submit" and @value="Upload" and @name=:name]', array(
':name' => $upload_button_name,
));
$this
->assertTrue(is_array($buttons) && count($buttons) == 1, format_string('The upload button is displayed with the correct name (JSMode=%type).', array(
'%type' => $type,
)));
// Ensure only at most one button per field is displayed.
$buttons = $this
->xpath('//input[@type="submit" and @value="Upload"]');
$expected = $current_field_name == $field_name ? 1 : 2;
$this
->assertTrue(is_array($buttons) && count($buttons) == $expected, format_string('After removing a file, only one "Upload" button for each possible field is displayed (JSMode=%type).', array(
'%type' => $type,
)));
}
}
// Ensure the page now has no Remove buttons.
$this
->assertNoFieldByXPath('//input[@type="submit"]', t('Remove'), format_string('After removing all files, there is no "Remove" button displayed (JSMode=%type).', array(
'%type' => $type,
)));
// Save the node and ensure it does not have any files.
$this
->drupalPost(NULL, array(
'title' => $this
->randomName(),
), t('Save'));
$matches = array();
preg_match('/node\\/([0-9]+)/', $this
->getUrl(), $matches);
$nid = $matches[1];
$node = node_load($nid, NULL, TRUE);
$this
->assertTrue(empty($node->{$field_name}[LANGUAGE_NONE][0]['fid']), 'Node was successfully saved without any files.');
}
}
/**
* Tests a file field with a "Private files" upload destination setting.
*/
function testPrivateFileSetting() {
// Use 'page' instead of 'article', so that the 'article' image field does
// not conflict with this test. If in the future the 'page' type gets its
// own default file or image field, this test can be made more robust by
// using a custom node type.
$type_name = 'page';
$field_name = strtolower($this
->randomName());
$this
->createFileField($field_name, $type_name);
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
$test_file = $this
->getTestFile('text');
// Change the field setting to make its files private, and upload a file.
$edit = array(
'field[settings][uri_scheme]' => 'private',
);
$this
->drupalPost("admin/structure/types/manage/{$type_name}/fields/{$field_name}", $edit, t('Save settings'));
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$this
->assertFileExists($node_file, 'New file saved to disk on node creation.');
// Ensure the private file is available to the user who uploaded it.
$this
->drupalGet(file_create_url($node_file->uri));
$this
->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
// Ensure we can't change 'uri_scheme' field settings while there are some
// entities with uploaded files.
$this
->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_name}");
$this
->assertFieldByXpath('//input[@id="edit-field-settings-uri-scheme-public" and @disabled="disabled"]', 'public', 'Upload destination setting disabled.');
// Delete node and confirm that setting could be changed.
node_delete($nid);
$this
->drupalGet("admin/structure/types/manage/{$type_name}/fields/{$field_name}");
$this
->assertFieldByXpath('//input[@id="edit-field-settings-uri-scheme-public" and not(@disabled)]', 'public', 'Upload destination setting enabled.');
}
/**
* Tests that download restrictions on private files work on comments.
*/
function testPrivateFileComment() {
$user = $this
->drupalCreateUser(array(
'access comments',
));
// Remove access comments permission from anon user.
$edit = array(
DRUPAL_ANONYMOUS_RID . '[access comments]' => FALSE,
);
$this
->drupalPost('admin/people/permissions', $edit, t('Save permissions'));
// Create a new field.
$edit = array(
'fields[_add_new_field][label]' => $label = $this
->randomName(),
'fields[_add_new_field][field_name]' => $name = strtolower($this
->randomName()),
'fields[_add_new_field][type]' => 'file',
'fields[_add_new_field][widget_type]' => 'file_generic',
);
$this
->drupalPost('admin/structure/types/manage/article/comment/fields', $edit, t('Save'));
$edit = array(
'field[settings][uri_scheme]' => 'private',
);
$this
->drupalPost(NULL, $edit, t('Save field settings'));
$this
->drupalPost(NULL, array(), t('Save settings'));
// Create node.
$text_file = $this
->getTestFile('text');
$edit = array(
'title' => $this
->randomName(),
);
$this
->drupalPost('node/add/article', $edit, t('Save'));
$node = $this
->drupalGetNodeByTitle($edit['title']);
// Add a comment with a file.
$text_file = $this
->getTestFile('text');
$edit = array(
'files[field_' . $name . '_' . LANGUAGE_NONE . '_' . 0 . ']' => drupal_realpath($text_file->uri),
'comment_body[' . LANGUAGE_NONE . '][0][value]' => $comment_body = $this
->randomName(),
);
$this
->drupalPost(NULL, $edit, t('Save'));
// Get the comment ID.
preg_match('/comment-([0-9]+)/', $this
->getUrl(), $matches);
$cid = $matches[1];
// Log in as normal user.
$this
->drupalLogin($user);
$comment = comment_load($cid);
$comment_file = (object) $comment->{'field_' . $name}[LANGUAGE_NONE][0];
$this
->assertFileExists($comment_file, 'New file saved to disk on node creation.');
// Test authenticated file download.
$url = file_create_url($comment_file->uri);
$this
->assertNotEqual($url, NULL, 'Confirmed that the URL is valid');
$this
->drupalGet(file_create_url($comment_file->uri));
$this
->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
// Test anonymous file download.
$this
->drupalLogout();
$this
->drupalGet(file_create_url($comment_file->uri));
$this
->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.');
// Unpublishes node.
$this
->drupalLogin($this->admin_user);
$edit = array(
'status' => FALSE,
);
$this
->drupalPost('node/' . $node->nid . '/edit', $edit, t('Save'));
// Ensures normal user can no longer download the file.
$this
->drupalLogin($user);
$this
->drupalGet(file_create_url($comment_file->uri));
$this
->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.');
}
}
/**
* Tests file handling with node revisions.
*/
class FileFieldRevisionTestCase extends FileFieldTestCase {
public static function getInfo() {
return array(
'name' => 'File field revision test',
'description' => 'Test creating and deleting revisions with files attached.',
'group' => 'File',
);
}
/**
* Tests creating multiple revisions of a node and managing attached files.
*
* Expected behaviors:
* - Adding a new revision will make another entry in the field table, but
* the original file will not be duplicated.
* - Deleting a revision should not delete the original file if the file
* is in use by another revision.
* - When the last revision that uses a file is deleted, the original file
* should be deleted also.
*/
function testRevisions() {
$type_name = 'article';
$field_name = strtolower($this
->randomName());
$this
->createFileField($field_name, $type_name);
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
// Attach the same fields to users.
$this
->attachFileField($field_name, 'user', 'user');
$test_file = $this
->getTestFile('text');
// Create a new node with the uploaded file.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
// Check that the file exists on disk and in the database.
$node = node_load($nid, NULL, TRUE);
$node_file_r1 = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$node_vid_r1 = $node->vid;
$this
->assertFileExists($node_file_r1, 'New file saved to disk on node creation.');
$this
->assertFileEntryExists($node_file_r1, 'File entry exists in database on node creation.');
$this
->assertFileIsPermanent($node_file_r1, 'File is permanent.');
// Upload another file to the same node in a new revision.
$this
->replaceNodeFile($test_file, $field_name, $nid);
$node = node_load($nid, NULL, TRUE);
$node_file_r2 = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$node_vid_r2 = $node->vid;
$this
->assertFileExists($node_file_r2, 'Replacement file exists on disk after creating new revision.');
$this
->assertFileEntryExists($node_file_r2, 'Replacement file entry exists in database after creating new revision.');
$this
->assertFileIsPermanent($node_file_r2, 'Replacement file is permanent.');
// Check that the original file is still in place on the first revision.
$node = node_load($nid, $node_vid_r1, TRUE);
$this
->assertEqual($node_file_r1, (object) $node->{$field_name}[LANGUAGE_NONE][0], 'Original file still in place after replacing file in new revision.');
$this
->assertFileExists($node_file_r1, 'Original file still in place after replacing file in new revision.');
$this
->assertFileEntryExists($node_file_r1, 'Original file entry still in place after replacing file in new revision');
$this
->assertFileIsPermanent($node_file_r1, 'Original file is still permanent.');
// Save a new version of the node without any changes.
// Check that the file is still the same as the previous revision.
$this
->drupalPost('node/' . $nid . '/edit', array(
'revision' => '1',
), t('Save'));
$node = node_load($nid, NULL, TRUE);
$node_file_r3 = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$node_vid_r3 = $node->vid;
$this
->assertEqual($node_file_r2, $node_file_r3, 'Previous revision file still in place after creating a new revision without a new file.');
$this
->assertFileIsPermanent($node_file_r3, 'New revision file is permanent.');
// Revert to the first revision and check that the original file is active.
$this
->drupalPost('node/' . $nid . '/revisions/' . $node_vid_r1 . '/revert', array(), t('Revert'));
$node = node_load($nid, NULL, TRUE);
$node_file_r4 = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$node_vid_r4 = $node->vid;
$this
->assertEqual($node_file_r1, $node_file_r4, 'Original revision file still in place after reverting to the original revision.');
$this
->assertFileIsPermanent($node_file_r4, 'Original revision file still permanent after reverting to the original revision.');
// Delete the second revision and check that the file is kept (since it is
// still being used by the third revision).
$this
->drupalPost('node/' . $nid . '/revisions/' . $node_vid_r2 . '/delete', array(), t('Delete'));
$this
->assertFileExists($node_file_r3, 'Second file is still available after deleting second revision, since it is being used by the third revision.');
$this
->assertFileEntryExists($node_file_r3, 'Second file entry is still available after deleting second revision, since it is being used by the third revision.');
$this
->assertFileIsPermanent($node_file_r3, 'Second file entry is still permanent after deleting second revision, since it is being used by the third revision.');
// Attach the second file to a user.
$user = $this
->drupalCreateUser();
$edit = (array) $user;
$edit[$field_name][LANGUAGE_NONE][0] = (array) $node_file_r3;
user_save($user, $edit);
$this
->drupalGet('user/' . $user->uid . '/edit');
// Delete the third revision and check that the file is not deleted yet.
$this
->drupalPost('node/' . $nid . '/revisions/' . $node_vid_r3 . '/delete', array(), t('Delete'));
$this
->assertFileExists($node_file_r3, 'Second file is still available after deleting third revision, since it is being used by the user.');
$this
->assertFileEntryExists($node_file_r3, 'Second file entry is still available after deleting third revision, since it is being used by the user.');
$this
->assertFileIsPermanent($node_file_r3, 'Second file entry is still permanent after deleting third revision, since it is being used by the user.');
// Delete the user and check that the file is also deleted.
user_delete($user->uid);
// TODO: This seems like a bug in File API. Clearing the stat cache should
// not be necessary here. The file really is deleted, but stream wrappers
// doesn't seem to think so unless we clear the PHP file stat() cache.
clearstatcache();
$this
->assertFileNotExists($node_file_r3, 'Second file is now deleted after deleting third revision, since it is no longer being used by any other nodes.');
$this
->assertFileEntryNotExists($node_file_r3, 'Second file entry is now deleted after deleting third revision, since it is no longer being used by any other nodes.');
// Delete the entire node and check that the original file is deleted.
$this
->drupalPost('node/' . $nid . '/delete', array(), t('Delete'));
$this
->assertFileNotExists($node_file_r1, 'Original file is deleted after deleting the entire node with two revisions remaining.');
$this
->assertFileEntryNotExists($node_file_r1, 'Original file entry is deleted after deleting the entire node with two revisions remaining.');
}
}
/**
* Tests that formatters are working properly.
*/
class FileFieldDisplayTestCase extends FileFieldTestCase {
public static function getInfo() {
return array(
'name' => 'File field display tests',
'description' => 'Test the display of file fields in node and views.',
'group' => 'File',
);
}
/**
* Tests normal formatter display on node display.
*/
function testNodeDisplay() {
$field_name = strtolower($this
->randomName());
$type_name = 'article';
$field_settings = array(
'display_field' => '1',
'display_default' => '1',
'cardinality' => FIELD_CARDINALITY_UNLIMITED,
);
$instance_settings = array(
'description_field' => '1',
);
$widget_settings = array();
$this
->createFileField($field_name, $type_name, $field_settings, $instance_settings, $widget_settings);
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
// Create a new node *without* the file field set, and check that the field
// is not shown for each node display.
$node = $this
->drupalCreateNode(array(
'type' => $type_name,
));
$file_formatters = array(
'file_default',
'file_table',
'file_url_plain',
'hidden',
);
foreach ($file_formatters as $formatter) {
$edit = array(
"fields[{$field_name}][type]" => $formatter,
);
$this
->drupalPost("admin/structure/types/manage/{$type_name}/display", $edit, t('Save'));
$this
->drupalGet('node/' . $node->nid);
$this
->assertNoText($field_name, format_string('Field label is hidden when no file attached for formatter %formatter', array(
'%formatter' => $formatter,
)));
}
$test_file = $this
->getTestFile('text');
// Create a new node with the uploaded file.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
$this
->drupalGet('node/' . $nid . '/edit');
// Check that the default formatter is displaying with the file name.
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$default_output = theme('file_link', array(
'file' => $node_file,
));
$this
->assertRaw($default_output, 'Default formatter displaying correctly on full node view.');
// Turn the "display" option off and check that the file is no longer displayed.
$edit = array(
$field_name . '[' . LANGUAGE_NONE . '][0][display]' => FALSE,
);
$this
->drupalPost('node/' . $nid . '/edit', $edit, t('Save'));
$this
->assertNoRaw($default_output, 'Field is hidden when "display" option is unchecked.');
// Test that fields appear as expected during the preview.
// Add a second file.
$name = 'files[' . $field_name . '_' . LANGUAGE_NONE . '_1]';
$edit[$name] = drupal_realpath($test_file->uri);
// Uncheck the display checkboxes and go to the preview.
$edit[$field_name . '[' . LANGUAGE_NONE . '][0][display]'] = FALSE;
$edit[$field_name . '[' . LANGUAGE_NONE . '][1][display]'] = FALSE;
$this
->drupalPost('node/' . $nid . '/edit', $edit, t('Preview'));
$this
->assertRaw($field_name . '[' . LANGUAGE_NONE . '][0][display]', 'First file appears as expected.');
$this
->assertRaw($field_name . '[' . LANGUAGE_NONE . '][1][display]', 'Second file appears as expected.');
}
/**
* Tests default display of File Field.
*/
function testDefaultFileFieldDisplay() {
$field_name = strtolower($this
->randomName());
$type_name = 'article';
$field_settings = array(
'display_field' => '1',
'display_default' => '0',
);
$instance_settings = array(
'description_field' => '1',
);
$widget_settings = array();
$this
->createFileField($field_name, $type_name, $field_settings, $instance_settings, $widget_settings);
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
$test_file = $this
->getTestFile('text');
// Create a new node with the uploaded file.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
$this
->drupalGet('node/' . $nid . '/edit');
$this
->assertFieldByXPath('//input[@type="checkbox" and @name="' . $field_name . '[und][0][display]"]', NULL, 'Default file display checkbox field exists.');
$this
->assertFieldByXPath('//input[@type="checkbox" and @name="' . $field_name . '[und][0][display]" and not(@checked)]', NULL, 'Default file display is off.');
}
}
/**
* Tests various validations.
*/
class FileFieldValidateTestCase extends FileFieldTestCase {
protected $field;
protected $node_type;
public static function getInfo() {
return array(
'name' => 'File field validation tests',
'description' => 'Tests validation functions such as file type, max file size, max size per node, and required.',
'group' => 'File',
);
}
/**
* Tests the required property on file fields.
*/
function testRequired() {
$type_name = 'article';
$field_name = strtolower($this
->randomName());
$this
->createFileField($field_name, $type_name, array(), array(
'required' => '1',
));
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
$test_file = $this
->getTestFile('text');
// Try to post a new node without uploading a file.
$langcode = LANGUAGE_NONE;
$edit = array(
"title" => $this
->randomName(),
);
$this
->drupalPost('node/add/' . $type_name, $edit, t('Save'));
$this
->assertRaw(t('!title field is required.', array(
'!title' => $instance['label'],
)), 'Node save failed when required file field was empty.');
// Create a new node with the uploaded file.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
$this
->assertTrue($nid !== FALSE, format_string('uploadNodeFile(@test_file, @field_name, @type_name) succeeded', array(
'@test_file' => $test_file->uri,
'@field_name' => $field_name,
'@type_name' => $type_name,
)));
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$this
->assertFileExists($node_file, 'File exists after uploading to the required field.');
$this
->assertFileEntryExists($node_file, 'File entry exists after uploading to the required field.');
// Try again with a multiple value field.
field_delete_field($field_name);
$this
->createFileField($field_name, $type_name, array(
'cardinality' => FIELD_CARDINALITY_UNLIMITED,
), array(
'required' => '1',
));
// Try to post a new node without uploading a file in the multivalue field.
$edit = array(
'title' => $this
->randomName(),
);
$this
->drupalPost('node/add/' . $type_name, $edit, t('Save'));
$this
->assertRaw(t('!title field is required.', array(
'!title' => $instance['label'],
)), 'Node save failed when required multiple value file field was empty.');
// Create a new node with the uploaded file into the multivalue field.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$this
->assertFileExists($node_file, 'File exists after uploading to the required multiple value field.');
$this
->assertFileEntryExists($node_file, 'File entry exists after uploading to the required multipel value field.');
// Remove our file field.
field_delete_field($field_name);
}
/**
* Tests the max file size validator.
*/
function testFileMaxSize() {
$type_name = 'article';
$field_name = strtolower($this
->randomName());
$this
->createFileField($field_name, $type_name, array(), array(
'required' => '1',
));
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
$small_file = $this
->getTestFile('text', 131072);
// 128KB.
$large_file = $this
->getTestFile('text', 1310720);
// 1.2MB
// Test uploading both a large and small file with different increments.
$sizes = array(
'1M' => 1048576,
'1024K' => 1048576,
'1048576' => 1048576,
);
foreach ($sizes as $max_filesize => $file_limit) {
// Set the max file upload size.
$this
->updateFileField($field_name, $type_name, array(
'max_filesize' => $max_filesize,
));
$instance = field_info_instance('node', $field_name, $type_name);
// Create a new node with the small file, which should pass.
$nid = $this
->uploadNodeFile($small_file, $field_name, $type_name);
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$this
->assertFileExists($node_file, format_string('File exists after uploading a file (%filesize) under the max limit (%maxsize).', array(
'%filesize' => format_size($small_file->filesize),
'%maxsize' => $max_filesize,
)));
$this
->assertFileEntryExists($node_file, format_string('File entry exists after uploading a file (%filesize) under the max limit (%maxsize).', array(
'%filesize' => format_size($small_file->filesize),
'%maxsize' => $max_filesize,
)));
// Check that uploading the large file fails (1M limit).
$nid = $this
->uploadNodeFile($large_file, $field_name, $type_name);
$error_message = t('The file is %filesize exceeding the maximum file size of %maxsize.', array(
'%filesize' => format_size($large_file->filesize),
'%maxsize' => format_size($file_limit),
));
$this
->assertRaw($error_message, format_string('Node save failed when file (%filesize) exceeded the max upload size (%maxsize).', array(
'%filesize' => format_size($large_file->filesize),
'%maxsize' => $max_filesize,
)));
}
// Turn off the max filesize.
$this
->updateFileField($field_name, $type_name, array(
'max_filesize' => '',
));
// Upload the big file successfully.
$nid = $this
->uploadNodeFile($large_file, $field_name, $type_name);
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$this
->assertFileExists($node_file, format_string('File exists after uploading a file (%filesize) with no max limit.', array(
'%filesize' => format_size($large_file->filesize),
)));
$this
->assertFileEntryExists($node_file, format_string('File entry exists after uploading a file (%filesize) with no max limit.', array(
'%filesize' => format_size($large_file->filesize),
)));
// Remove our file field.
field_delete_field($field_name);
}
/**
* Tests file extension checking.
*/
function testFileExtension() {
$type_name = 'article';
$field_name = strtolower($this
->randomName());
$this
->createFileField($field_name, $type_name);
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
$test_file = $this
->getTestFile('image');
list(, $test_file_extension) = explode('.', $test_file->filename);
// Disable extension checking.
$this
->updateFileField($field_name, $type_name, array(
'file_extensions' => '',
));
// Check that the file can be uploaded with no extension checking.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$this
->assertFileExists($node_file, 'File exists after uploading a file with no extension checking.');
$this
->assertFileEntryExists($node_file, 'File entry exists after uploading a file with no extension checking.');
// Enable extension checking for text files.
$this
->updateFileField($field_name, $type_name, array(
'file_extensions' => 'txt',
));
// Check that the file with the wrong extension cannot be uploaded.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
$error_message = t('Only files with the following extensions are allowed: %files-allowed.', array(
'%files-allowed' => 'txt',
));
$this
->assertRaw($error_message, 'Node save failed when file uploaded with the wrong extension.');
// Enable extension checking for text and image files.
$this
->updateFileField($field_name, $type_name, array(
'file_extensions' => "txt {$test_file_extension}",
));
// Check that the file can be uploaded with extension checking.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$this
->assertFileExists($node_file, 'File exists after uploading a file with extension checking.');
$this
->assertFileEntryExists($node_file, 'File entry exists after uploading a file with extension checking.');
// Remove our file field.
field_delete_field($field_name);
}
}
/**
* Tests that files are uploaded to proper locations.
*/
class FileFieldPathTestCase extends FileFieldTestCase {
public static function getInfo() {
return array(
'name' => 'File field file path tests',
'description' => 'Test that files are uploaded to the proper location with token support.',
'group' => 'File',
);
}
/**
* Tests the normal formatter display on node display.
*/
function testUploadPath() {
$field_name = strtolower($this
->randomName());
$type_name = 'article';
$field = $this
->createFileField($field_name, $type_name);
$test_file = $this
->getTestFile('text');
// Create a new node.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
// Check that the file was uploaded to the file root.
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$this
->assertPathMatch('public://' . $test_file->filename, $node_file->uri, format_string('The file %file was uploaded to the correct path.', array(
'%file' => $node_file->uri,
)));
// Change the path to contain multiple subdirectories.
$field = $this
->updateFileField($field_name, $type_name, array(
'file_directory' => 'foo/bar/baz',
));
// Upload a new file into the subdirectories.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
// Check that the file was uploaded into the subdirectory.
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
$this
->assertPathMatch('public://foo/bar/baz/' . $test_file->filename, $node_file->uri, format_string('The file %file was uploaded to the correct path.', array(
'%file' => $node_file->uri,
)));
// Check the path when used with tokens.
// Change the path to contain multiple token directories.
$field = $this
->updateFileField($field_name, $type_name, array(
'file_directory' => '[current-user:uid]/[current-user:name]',
));
// Upload a new file into the token subdirectories.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
// Check that the file was uploaded into the subdirectory.
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
// Do token replacement using the same user which uploaded the file, not
// the user running the test case.
$data = array(
'user' => $this->admin_user,
);
$subdirectory = token_replace('[user:uid]/[user:name]', $data);
$this
->assertPathMatch('public://' . $subdirectory . '/' . $test_file->filename, $node_file->uri, format_string('The file %file was uploaded to the correct path with token replacements.', array(
'%file' => $node_file->uri,
)));
}
/**
* Asserts that a file is uploaded to the right location.
*
* @param $expected_path
* The location where the file is expected to be uploaded. Duplicate file
* names to not need to be taken into account.
* @param $actual_path
* Where the file was actually uploaded.
* @param $message
* The message to display with this assertion.
*/
function assertPathMatch($expected_path, $actual_path, $message) {
// Strip off the extension of the expected path to allow for _0, _1, etc.
// suffixes when the file hits a duplicate name.
$pos = strrpos($expected_path, '.');
$base_path = substr($expected_path, 0, $pos);
$extension = substr($expected_path, $pos + 1);
$result = preg_match('/' . preg_quote($base_path, '/') . '(_[0-9]+)?\\.' . preg_quote($extension, '/') . '/', $actual_path);
$this
->assertTrue($result, $message);
}
}
/**
* Tests the file token replacement in strings.
*/
class FileTokenReplaceTestCase extends FileFieldTestCase {
public static function getInfo() {
return array(
'name' => 'File token replacement',
'description' => 'Generates text using placeholders for dummy content to check file token replacement.',
'group' => 'File',
);
}
/**
* Creates a file, then tests the tokens generated from it.
*/
function testFileTokenReplacement() {
global $language;
$url_options = array(
'absolute' => TRUE,
'language' => $language,
);
// Create file field.
$type_name = 'article';
$field_name = 'field_' . strtolower($this
->randomName());
$this
->createFileField($field_name, $type_name);
$field = field_info_field($field_name);
$instance = field_info_instance('node', $field_name, $type_name);
$test_file = $this
->getTestFile('text');
// Coping a file to test uploads with non-latin filenames.
$filename = drupal_dirname($test_file->uri) . '/текстовый файл.txt';
$test_file = file_copy($test_file, $filename);
// Create a new node with the uploaded file.
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name);
// Load the node and the file.
$node = node_load($nid, NULL, TRUE);
$file = file_load($node->{$field_name}[LANGUAGE_NONE][0]['fid']);
// Generate and test sanitized tokens.
$tests = array();
$tests['[file:fid]'] = $file->fid;
$tests['[file:name]'] = check_plain($file->filename);
$tests['[file:path]'] = check_plain($file->uri);
$tests['[file:mime]'] = check_plain($file->filemime);
$tests['[file:size]'] = format_size($file->filesize);
$tests['[file:url]'] = check_plain(file_create_url($file->uri));
$tests['[file:timestamp]'] = format_date($file->timestamp, 'medium', '', NULL, $language->language);
$tests['[file:timestamp:short]'] = format_date($file->timestamp, 'short', '', NULL, $language->language);
$tests['[file:owner]'] = check_plain(format_username($this->admin_user));
$tests['[file:owner:uid]'] = $file->uid;
// Test to make sure that we generated something for each token.
$this
->assertFalse(in_array(0, array_map('strlen', $tests)), 'No empty tokens generated.');
foreach ($tests as $input => $expected) {
$output = token_replace($input, array(
'file' => $file,
), array(
'language' => $language,
));
$this
->assertEqual($output, $expected, format_string('Sanitized file token %token replaced.', array(
'%token' => $input,
)));
}
// Generate and test unsanitized tokens.
$tests['[file:name]'] = $file->filename;
$tests['[file:path]'] = $file->uri;
$tests['[file:mime]'] = $file->filemime;
$tests['[file:size]'] = format_size($file->filesize);
foreach ($tests as $input => $expected) {
$output = token_replace($input, array(
'file' => $file,
), array(
'language' => $language,
'sanitize' => FALSE,
));
$this
->assertEqual($output, $expected, format_string('Unsanitized file token %token replaced.', array(
'%token' => $input,
)));
}
}
}
/**
* Tests file access on private nodes.
*/
class FilePrivateTestCase extends FileFieldTestCase {
public static function getInfo() {
return array(
'name' => 'Private file test',
'description' => 'Uploads a test to a private node and checks access.',
'group' => 'File',
);
}
function setUp() {
parent::setUp(array(
'node_access_test',
'field_test',
));
node_access_rebuild();
variable_set('node_access_test_private', TRUE);
}
/**
* Tests file access for file uploaded to a private node.
*/
function testPrivateFile() {
// Use 'page' instead of 'article', so that the 'article' image field does
// not conflict with this test. If in the future the 'page' type gets its
// own default file or image field, this test can be made more robust by
// using a custom node type.
$type_name = 'page';
$field_name = strtolower($this
->randomName());
$this
->createFileField($field_name, $type_name, array(
'uri_scheme' => 'private',
));
// Create a field with no view access - see field_test_field_access().
$no_access_field_name = 'field_no_view_access';
$this
->createFileField($no_access_field_name, $type_name, array(
'uri_scheme' => 'private',
));
$test_file = $this
->getTestFile('text');
$nid = $this
->uploadNodeFile($test_file, $field_name, $type_name, TRUE, array(
'private' => TRUE,
));
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$field_name}[LANGUAGE_NONE][0];
// Ensure the file can be downloaded.
$this
->drupalGet(file_create_url($node_file->uri));
$this
->assertResponse(200, 'Confirmed that the generated URL is correct by downloading the shipped file.');
$this
->drupalLogOut();
$this
->drupalGet(file_create_url($node_file->uri));
$this
->assertResponse(403, 'Confirmed that access is denied for the file without the needed permission.');
// Test with the field that should deny access through field access.
$this
->drupalLogin($this->admin_user);
$nid = $this
->uploadNodeFile($test_file, $no_access_field_name, $type_name, TRUE, array(
'private' => TRUE,
));
$node = node_load($nid, NULL, TRUE);
$node_file = (object) $node->{$no_access_field_name}[LANGUAGE_NONE][0];
// Ensure the file cannot be downloaded.
$this
->drupalGet(file_create_url($node_file->uri));
$this
->assertResponse(403, 'Confirmed that access is denied for the file without view field access permission.');
// Attempt to reuse the existing file when creating a new node, and confirm
// that access is still denied.
$edit = array();
$edit['title'] = $this
->randomName(8);
$edit[$field_name . '[' . LANGUAGE_NONE . '][0][fid]'] = $node_file->fid;
$this
->drupalPost('node/add/page', $edit, t('Save'));
$new_node = $this
->drupalGetNodeByTitle($edit['title']);
$this
->assertTrue(!empty($new_node), 'Node was created.');
$this
->assertUrl('node/' . $new_node->nid);
$this
->assertNoRaw($node_file->filename, 'File without view field access permission does not appear after attempting to attach it to a new node.');
$this
->drupalGet(file_create_url($node_file->uri));
$this
->assertResponse(403, 'Confirmed that access is denied for the file without view field access permission after attempting to attach it to a new node.');
// As an anonymous user, create a temporary file with no references and
// confirm that only the session that uploaded it may view it.
$this
->drupalLogout();
user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array(
"create {$type_name} content",
'access content',
));
$test_file = $this
->getTestFile('text');
$this
->drupalGet('node/add/' . $type_name);
$edit = array(
'files[' . $field_name . '_' . LANGUAGE_NONE . '_0]' => drupal_realpath($test_file->uri),
);
$this
->drupalPost(NULL, $edit, t('Upload'));
$files = file_load_multiple(array(), array(
'uid' => 0,
));
$this
->assertEqual(1, count($files), 'Loaded one anonymous file.');
$file = end($files);
$this
->assertNotEqual($file->status, FILE_STATUS_PERMANENT, 'File is temporary.');
$usage = file_usage_list($file);
$this
->assertFalse($usage, 'No file usage found.');
$file_url = file_create_url($file->uri);
$this
->drupalGet($file_url);
$this
->assertResponse(200, 'Confirmed that the anonymous uploader has access to the temporary file.');
// Close the prior connection and remove the session cookie.
$this
->curlClose();
$this->cookies = array();
$this
->drupalGet($file_url);
$this
->assertResponse(403, 'Confirmed that another anonymous user cannot access the temporary file.');
// As an anonymous user, create a permanent file that is referenced by a
// published node and confirm that all anonymous users may view it.
$test_file = $this
->getTestFile('text');
$this
->drupalGet('node/add/' . $type_name);
$edit = array();
$edit['title'] = $this
->randomName();
$edit['files[' . $field_name . '_' . LANGUAGE_NONE . '_0]'] = drupal_realpath($test_file->uri);
$this
->drupalPost(NULL, $edit, t('Save'));
$new_node = $this
->drupalGetNodeByTitle($edit['title']);
$file = file_load($new_node->{$field_name}[LANGUAGE_NONE][0]['fid']);
$this
->assertEqual($file->status, FILE_STATUS_PERMANENT, 'File is permanent.');
$usage = file_usage_list($file);
$this
->assertTrue($usage, 'File usage found.');
$file_url = file_create_url($file->uri);
$this
->drupalGet($file_url);
$this
->assertResponse(200, 'Confirmed that the anonymous uploader has access to the permanent file that is referenced by a published node.');
// Close the prior connection and remove the session cookie.
$this
->curlClose();
$this->cookies = array();
$this
->drupalGet($file_url);
$this
->assertResponse(200, 'Confirmed that another anonymous user also has access to the permanent file that is referenced by a published node.');
// As an anonymous user, create a permanent file that is referenced by an
// unpublished node and confirm that no anonymous users may view it (even
// the session that uploaded the file) because they cannot view the
// unpublished node.
$test_file = $this
->getTestFile('text');
$this
->drupalGet('node/add/' . $type_name);
$edit = array();
$edit['title'] = $this
->randomName();
$edit['files[' . $field_name . '_' . LANGUAGE_NONE . '_0]'] = drupal_realpath($test_file->uri);
$this
->drupalPost(NULL, $edit, t('Save'));
$new_node = $this
->drupalGetNodeByTitle($edit['title']);
$new_node->status = NODE_NOT_PUBLISHED;
node_save($new_node);
$file = file_load($new_node->{$field_name}[LANGUAGE_NONE][0]['fid']);
$this
->assertEqual($file->status, FILE_STATUS_PERMANENT, 'File is permanent.');
$usage = file_usage_list($file);
$this
->assertTrue($usage, 'File usage found.');
$file_url = file_create_url($file->uri);
$this
->drupalGet($file_url);
$this
->assertResponse(403, 'Confirmed that the anonymous uploader cannot access the permanent file when it is referenced by an unpublished node.');
// Close the prior connection and remove the session cookie.
$this
->curlClose();
$this->cookies = array();
$this
->drupalGet($file_url);
$this
->assertResponse(403, 'Confirmed that another anonymous user cannot access the permanent file when it is referenced by an unpublished node.');
}
}
/**
* Confirm that file field submissions work correctly for anonymous visitors.
*/
class FileFieldAnonymousSubmission extends FileFieldTestCase {
public static function getInfo() {
return array(
'name' => 'File form anonymous submission',
'description' => 'Test anonymous form submission.',
'group' => 'File',
);
}
function setUp() {
parent::setUp();
// Allow node submissions by anonymous users.
user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array(
'create article content',
'access content',
));
}
/**
* Tests the basic node submission for an anonymous visitor.
*/
function testAnonymousNode() {
$bundle_label = 'Article';
$node_title = 'Test page';
// Load the node form.
$this
->drupalGet('node/add/article');
$this
->assertResponse(200, 'Loaded the article node form.');
$this
->assertText(strip_tags(t('Create @name', array(
'@name' => $bundle_label,
))));
$edit = array(
'title' => $node_title,
'body[und][0][value]' => 'Test article',
'body[und][0][format]' => 'filtered_html',
);
$this
->drupalPost(NULL, $edit, t('Save'));
$this
->assertResponse(200);
$t_args = array(
'@type' => $bundle_label,
'%title' => $node_title,
);
$this
->assertText(strip_tags(t('@type %title has been created.', $t_args)), 'The node was created.');
$matches = array();
if (preg_match('@node/(\\d+)$@', $this
->getUrl(), $matches)) {
$nid = end($matches);
$this
->assertNotEqual($nid, 0, 'The node ID was extracted from the URL.');
$node = node_load($nid);
$this
->assertNotEqual($node, NULL, 'The node was loaded successfully.');
}
}
/**
* Tests file submission for an anonymous visitor.
*/
function testAnonymousNodeWithFile() {
$bundle_label = 'Article';
$node_title = 'Test page';
// Load the node form.
$this
->drupalGet('node/add/article');
$this
->assertResponse(200, 'Loaded the article node form.');
$this
->assertText(strip_tags(t('Create @name', array(
'@name' => $bundle_label,
))));
// Generate an image file.
$image = $this
->getTestImage();
// Submit the form.
$edit = array(
'title' => $node_title,
'body[und][0][value]' => 'Test article',
'body[und][0][format]' => 'filtered_html',
'files[field_image_und_0]' => drupal_realpath($image->uri),
);
$this
->drupalPost(NULL, $edit, t('Save'));
$this
->assertResponse(200);
$t_args = array(
'@type' => $bundle_label,
'%title' => $node_title,
);
$this
->assertText(strip_tags(t('@type %title has been created.', $t_args)), 'The node was created.');
$matches = array();
if (preg_match('@node/(\\d+)$@', $this
->getUrl(), $matches)) {
$nid = end($matches);
$this
->assertNotEqual($nid, 0, 'The node ID was extracted from the URL.');
$node = node_load($nid);
$this
->assertNotEqual($node, NULL, 'The node was loaded successfully.');
$this
->assertEqual($node->field_image[LANGUAGE_NONE][0]['filename'], $image->filename, 'The image was uploaded successfully.');
}
}
/**
* Tests file submission for an anonymous visitor with a missing node title.
*/
function testAnonymousNodeWithFileWithoutTitle() {
$this
->drupalLogout();
$this
->_testNodeWithFileWithoutTitle();
}
/**
* Tests file submission for an authenticated user with a missing node title.
*/
function testAuthenticatedNodeWithFileWithoutTitle() {
$admin_user = $this
->drupalCreateUser(array(
'bypass node access',
'access content overview',
'administer nodes',
));
$this
->drupalLogin($admin_user);
$this
->_testNodeWithFileWithoutTitle();
}
/**
* Helper method to test file submissions with missing node titles.
*/
protected function _testNodeWithFileWithoutTitle() {
$bundle_label = 'Article';
$node_title = 'Test page';
// Load the node form.
$this
->drupalGet('node/add/article');
$this
->assertResponse(200, 'Loaded the article node form.');
$this
->assertText(strip_tags(t('Create @name', array(
'@name' => $bundle_label,
))));
// Generate an image file.
$image = $this
->getTestImage();
// Submit the form but exclude the title field.
$edit = array(
'body[und][0][value]' => 'Test article',
'body[und][0][format]' => 'filtered_html',
'files[field_image_und_0]' => drupal_realpath($image->uri),
);
$this
->drupalPost(NULL, $edit, t('Save'));
$this
->assertResponse(200);
$t_args = array(
'@type' => $bundle_label,
'%title' => $node_title,
);
$this
->assertNoText(strip_tags(t('@type %title has been created.', $t_args)), 'The node was created.');
$this
->assertText(t('!name field is required.', array(
'!name' => t('Title'),
)));
// Submit the form again but this time with the missing title field. This
// should still work.
$edit = array(
'title' => $node_title,
);
$this
->drupalPost(NULL, $edit, t('Save'));
// Confirm the final submission actually worked.
$t_args = array(
'@type' => $bundle_label,
'%title' => $node_title,
);
$this
->assertText(strip_tags(t('@type %title has been created.', $t_args)), 'The node was created.');
$matches = array();
if (preg_match('@node/(\\d+)$@', $this
->getUrl(), $matches)) {
$nid = end($matches);
$this
->assertNotEqual($nid, 0, 'The node ID was extracted from the URL.');
$node = node_load($nid);
$this
->assertNotEqual($node, NULL, 'The node was loaded successfully.');
$this
->assertEqual($node->field_image[LANGUAGE_NONE][0]['filename'], $image->filename, 'The image was uploaded successfully.');
}
}
/**
* Generates a test image.
*
* @return stdClass
* A file object.
*/
function getTestImage() {
// Get a file to upload.
$file = current($this
->drupalGetTestFiles('image'));
// Add a filesize property to files as would be read by file_load().
$file->filesize = filesize($file->uri);
return $file;
}
}
Name | Description |
---|---|
FileFieldAnonymousSubmission | Confirm that file field submissions work correctly for anonymous visitors. |
FileFieldDisplayTestCase | Tests that formatters are working properly. |
FileFieldPathTestCase | Tests that files are uploaded to proper locations. |
FileFieldRevisionTestCase | Tests file handling with node revisions. |
FileFieldTestCase | Provides methods specifically for testing File module's field handling. |
FileFieldValidateTestCase | Tests various validations. |
FileFieldWidgetTestCase | Tests file field widget. |
FileManagedFileElementTestCase | Tests the 'managed_file' element type. |
FilePrivateTestCase | Tests file access on private nodes. |
FileTaxonomyTermTestCase | Tests adding a file to a non-node entity. |
FileTokenReplaceTestCase | Tests the file token replacement in strings. |