3 namespace Drupal\search\Tests;
5 use Drupal\comment\Plugin\Field\FieldType\CommentItemInterface;
6 use Drupal\comment\Tests\CommentTestTrait;
7 use Drupal\field\Entity\FieldConfig;
8 use Drupal\user\RoleInterface;
9 use Drupal\filter\Entity\FilterFormat;
12 * Tests integration searching comments.
16 class SearchCommentTest extends SearchTestBase {
25 public static $modules = ['filter', 'node', 'comment'];
28 * Test subject for comments.
32 protected $commentSubject;
35 * ID for the administrator role.
42 * A user with various administrative permissions.
44 * @var \Drupal\user\UserInterface
49 * Test node for searching.
51 * @var \Drupal\node\NodeInterface
55 protected function setUp() {
58 $full_html_format = FilterFormat::create([
59 'format' => 'full_html',
60 'name' => 'Full HTML',
64 $full_html_format->save();
66 // Create and log in an administrative user having access to the Full HTML
70 $full_html_format->getPermissionName(),
71 'administer permissions',
72 'create page content',
74 'skip comment approval',
77 $this->adminUser = $this->drupalCreateUser($permissions);
78 $this->drupalLogin($this->adminUser);
79 // Add a comment field.
80 $this->addDefaultCommentField('node', 'article');
84 * Verify that comments are rendered using proper format in search results.
86 public function testSearchResultsComment() {
87 $node_storage = $this->container->get('entity.manager')->getStorage('node');
88 // Create basic_html format that escapes all HTML.
89 $basic_html_format = FilterFormat::create([
90 'format' => 'basic_html',
91 'name' => 'Basic HTML',
94 'filter_html_escape' => ['status' => 1],
96 'roles' => [RoleInterface::AUTHENTICATED_ID],
98 $basic_html_format->save();
100 $comment_body = 'Test comment body';
102 // Make preview optional.
103 $field = FieldConfig::loadByName('node', 'article', 'comment');
104 $field->setSetting('preview', DRUPAL_OPTIONAL);
107 // Allow anonymous users to search content.
109 RoleInterface::ANONYMOUS_ID . '[search content]' => 1,
110 RoleInterface::ANONYMOUS_ID . '[access comments]' => 1,
111 RoleInterface::ANONYMOUS_ID . '[post comments]' => 1,
113 $this->drupalPostForm('admin/people/permissions', $edit, t('Save permissions'));
116 $node = $this->drupalCreateNode(['type' => 'article']);
117 // Post a comment using 'Full HTML' text format.
119 $edit_comment['subject[0][value]'] = 'Test comment subject';
120 $edit_comment['comment_body[0][value]'] = '<h1>' . $comment_body . '</h1>';
121 $full_html_format_id = 'full_html';
122 $edit_comment['comment_body[0][format]'] = $full_html_format_id;
123 $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment, t('Save'));
125 // Post a comment with an evil script tag in the comment subject and a
126 // script tag nearby a keyword in the comment body. Use the 'FULL HTML' text
127 // format so the script tag stored.
129 $edit_comment2['subject[0][value]'] = "<script>alert('subjectkeyword');</script>";
130 $edit_comment2['comment_body[0][value]'] = "nearbykeyword<script>alert('somethinggeneric');</script>";
131 $edit_comment2['comment_body[0][format]'] = $full_html_format_id;
132 $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment2, t('Save'));
134 // Post a comment with a keyword inside an evil script tag in the comment
135 // body. Use the 'FULL HTML' text format so the script tag is stored.
137 $edit_comment3['subject[0][value]'] = 'asubject';
138 $edit_comment3['comment_body[0][value]'] = "<script>alert('insidekeyword');</script>";
139 $edit_comment3['comment_body[0][format]'] = $full_html_format_id;
140 $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment3, t('Save'));
142 // Invoke search index update.
143 $this->drupalLogout();
146 // Search for the comment subject.
148 'keys' => "'" . $edit_comment['subject[0][value]'] . "'",
150 $this->drupalPostForm('search/node', $edit, t('Search'));
151 $node_storage->resetCache([$node->id()]);
152 $node2 = $node_storage->load($node->id());
153 $this->assertText($node2->label(), 'Node found in search results.');
154 $this->assertText($edit_comment['subject[0][value]'], 'Comment subject found in search results.');
156 // Search for the comment body.
158 'keys' => "'" . $comment_body . "'",
160 $this->drupalPostForm(NULL, $edit, t('Search'));
161 $this->assertText($node2->label(), 'Node found in search results.');
163 // Verify that comment is rendered using proper format.
164 $this->assertText($comment_body, 'Comment body text found in search results.');
165 $this->assertNoRaw(t('n/a'), 'HTML in comment body is not hidden.');
166 $this->assertNoEscaped($edit_comment['comment_body[0][value]'], 'HTML in comment body is not escaped.');
168 // Search for the evil script comment subject.
170 'keys' => 'subjectkeyword',
172 $this->drupalPostForm('search/node', $edit, t('Search'));
174 // Verify the evil comment subject is escaped in search results.
175 $this->assertRaw('<script>alert('<strong>subjectkeyword</strong>');');
176 $this->assertNoRaw('<script>');
178 // Search for the keyword near the evil script tag in the comment body.
180 'keys' => 'nearbykeyword',
182 $this->drupalPostForm('search/node', $edit, t('Search'));
184 // Verify that nearby script tag in the evil comment body is stripped from
186 $this->assertRaw('<strong>nearbykeyword</strong>');
187 $this->assertNoRaw('<script>');
189 // Search for contents inside the evil script tag in the comment body.
191 'keys' => 'insidekeyword',
193 $this->drupalPostForm('search/node', $edit, t('Search'));
195 // @todo Verify the actual search results.
196 // https://www.drupal.org/node/2551135
198 // Verify there is no script tag in search results.
199 $this->assertNoRaw('<script>');
202 $this->drupalLogin($this->adminUser);
203 $node->set('comment', CommentItemInterface::HIDDEN);
206 // Invoke search index update.
207 $this->drupalLogout();
210 // Search for $title.
211 $this->drupalPostForm('search/node', $edit, t('Search'));
212 $this->assertText(t('Your search yielded no results.'));
216 * Verify access rules for comment indexing with different permissions.
218 public function testSearchResultsCommentAccess() {
219 $comment_body = 'Test comment body';
220 $this->commentSubject = 'Test comment subject';
221 $roles = $this->adminUser->getRoles(TRUE);
222 $this->adminRole = $roles[0];
225 // Make preview optional.
226 $field = FieldConfig::loadByName('node', 'article', 'comment');
227 $field->setSetting('preview', DRUPAL_OPTIONAL);
229 $this->node = $this->drupalCreateNode(['type' => 'article']);
231 // Post a comment using 'Full HTML' text format.
233 $edit_comment['subject[0][value]'] = $this->commentSubject;
234 $edit_comment['comment_body[0][value]'] = '<h1>' . $comment_body . '</h1>';
235 $this->drupalPostForm('comment/reply/node/' . $this->node->id() . '/comment', $edit_comment, t('Save'));
237 $this->drupalLogout();
238 $this->setRolePermissions(RoleInterface::ANONYMOUS_ID);
239 $this->assertCommentAccess(FALSE, 'Anon user has search permission but no access comments permission, comments should not be indexed');
241 $this->setRolePermissions(RoleInterface::ANONYMOUS_ID, TRUE);
242 $this->assertCommentAccess(TRUE, 'Anon user has search permission and access comments permission, comments should be indexed');
244 $this->drupalLogin($this->adminUser);
245 $this->drupalGet('admin/people/permissions');
247 // Disable search access for authenticated user to test admin user.
248 $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, FALSE, FALSE);
250 $this->setRolePermissions($this->adminRole);
251 $this->assertCommentAccess(FALSE, 'Admin user has search permission but no access comments permission, comments should not be indexed');
253 $this->drupalGet('node/' . $this->node->id());
254 $this->setRolePermissions($this->adminRole, TRUE);
255 $this->assertCommentAccess(TRUE, 'Admin user has search permission and access comments permission, comments should be indexed');
257 $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID);
258 $this->assertCommentAccess(FALSE, 'Authenticated user has search permission but no access comments permission, comments should not be indexed');
260 $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, TRUE);
261 $this->assertCommentAccess(TRUE, 'Authenticated user has search permission and access comments permission, comments should be indexed');
263 // Verify that access comments permission is inherited from the
264 // authenticated role.
265 $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, TRUE, FALSE);
266 $this->setRolePermissions($this->adminRole);
267 $this->assertCommentAccess(TRUE, 'Admin user has search permission and no access comments permission, but comments should be indexed because admin user inherits authenticated user\'s permission to access comments');
269 // Verify that search content permission is inherited from the authenticated
271 $this->setRolePermissions(RoleInterface::AUTHENTICATED_ID, TRUE, TRUE);
272 $this->setRolePermissions($this->adminRole, TRUE, FALSE);
273 $this->assertCommentAccess(TRUE, 'Admin user has access comments permission and no search permission, but comments should be indexed because admin user inherits authenticated user\'s permission to search');
277 * Set permissions for role.
279 public function setRolePermissions($rid, $access_comments = FALSE, $search_content = TRUE) {
281 'access comments' => $access_comments,
282 'search content' => $search_content,
284 user_role_change_permissions($rid, $permissions);
288 * Update search index and search for comment.
290 public function assertCommentAccess($assume_access, $message) {
291 // Invoke search index update.
292 search_mark_for_reindex('node_search', $this->node->id());
295 // Search for the comment subject.
297 'keys' => "'" . $this->commentSubject . "'",
299 $this->drupalPostForm('search/node', $edit, t('Search'));
301 if ($assume_access) {
302 $expected_node_result = $this->assertText($this->node->label());
303 $expected_comment_result = $this->assertText($this->commentSubject);
306 $expected_node_result = $this->assertText(t('Your search yielded no results.'));
307 $expected_comment_result = $this->assertText(t('Your search yielded no results.'));
309 $this->assertTrue($expected_node_result && $expected_comment_result, $message);
313 * Verify that 'add new comment' does not appear in search results or index.
315 public function testAddNewComment() {
316 // Create a node with a short body.
319 'title' => 'short title',
320 'body' => [['value' => 'short body text']],
323 $user = $this->drupalCreateUser([
325 'create article content',
330 $this->drupalLogin($user);
332 $node = $this->drupalCreateNode($settings);
333 // Verify that if you view the node on its own page, 'add new comment'
335 $this->drupalGet('node/' . $node->id());
336 $this->assertText(t('Add new comment'));
338 // Run cron to index this page.
339 $this->drupalLogout();
342 // Search for 'comment'. Should be no results.
343 $this->drupalLogin($user);
344 $this->drupalPostForm('search/node', ['keys' => 'comment'], t('Search'));
345 $this->assertText(t('Your search yielded no results'));
347 // Search for the node title. Should be found, and 'Add new comment' should
348 // not be part of the search snippet.
349 $this->drupalPostForm('search/node', ['keys' => 'short'], t('Search'));
350 $this->assertText($node->label(), 'Search for keyword worked');
351 $this->assertNoText(t('Add new comment'));