lockHttpClientToFixtures(); } /** * {@inheritdoc} */ protected function initConfig(ContainerInterface $container) { parent::initConfig($container); // Enable twig debugging to make testing template usage easy. $parameters = $container->getParameter('twig.config'); $parameters['debug'] = TRUE; $this->setContainerParameter('twig.config', $parameters); } /** * Tests the oembed media source. */ public function testMediaOEmbedVideoSource() { $media_type_id = 'test_media_oembed_type'; $provided_fields = [ 'type', 'title', 'default_name', 'author_name', 'author_url', 'provider_name', 'provider_url', 'cache_age', 'thumbnail_uri', 'thumbnail_width', 'thumbnail_height', 'url', 'width', 'height', 'html', ]; $session = $this->getSession(); $page = $session->getPage(); $assert_session = $this->assertSession(); $this->doTestCreateMediaType($media_type_id, 'oembed:video', $provided_fields); // Create custom fields for the media type to store metadata attributes. $fields = [ 'field_string_width' => 'string', 'field_string_height' => 'string', 'field_string_author_name' => 'string', ]; $this->createMediaTypeFields($fields, $media_type_id); // Hide the name field widget to test default name generation. $this->hideMediaTypeFieldWidget('name', $media_type_id); $this->drupalGet("admin/structure/media/manage/$media_type_id"); // Only accept Vimeo videos. $page->checkField("source_configuration[providers][Vimeo]"); $assert_session->selectExists('field_map[width]')->setValue('field_string_width'); $assert_session->selectExists('field_map[height]')->setValue('field_string_height'); $assert_session->selectExists('field_map[author_name]')->setValue('field_string_author_name'); $assert_session->buttonExists('Save')->press(); $this->hijackProviderEndpoints(); $video_url = 'https://vimeo.com/7073899'; ResourceController::setResourceUrl($video_url, $this->getFixturesDirectory() . '/video_vimeo.json'); // Create a media item. $this->drupalGet("media/add/$media_type_id"); $assert_session->fieldExists('Remote video URL')->setValue($video_url); $assert_session->buttonExists('Save')->press(); $assert_session->addressEquals('admin/content/media'); // Get the media entity view URL from the creation message. $this->drupalGet($this->assertLinkToCreatedMedia()); /** @var \Drupal\media\MediaInterface $media */ $media = Media::load(1); // The thumbnail should have been downloaded. $thumbnail = $media->getSource()->getMetadata($media, 'thumbnail_uri'); $this->assertFileExists($thumbnail); // Ensure the iframe exists and that its src attribute contains a coherent // URL with the query parameters we expect. $iframe_url = $assert_session->elementExists('css', 'iframe')->getAttribute('src'); $iframe_url = parse_url($iframe_url); $this->assertStringEndsWith('/media/oembed', $iframe_url['path']); $this->assertNotEmpty($iframe_url['query']); $query = []; parse_str($iframe_url['query'], $query); $this->assertSame($video_url, $query['url']); $this->assertNotEmpty($query['hash']); // Make sure the thumbnail is displayed from uploaded image. $assert_session->elementAttributeContains('css', '.image-style-thumbnail', 'src', '/oembed_thumbnails/' . basename($thumbnail)); // Load the media and check that all fields are properly populated. $media = Media::load(1); $this->assertSame('Drupal Rap Video - Schipulcon09', $media->getName()); $this->assertSame('480', $media->field_string_width->value); $this->assertSame('360', $media->field_string_height->value); // Try to create a media asset from a disallowed provider. $this->drupalGet("media/add/$media_type_id"); $assert_session->fieldExists('Remote video URL')->setValue('http://www.collegehumor.com/video/40003213/grant-and-katie-are-starting-their-own-company'); $page->pressButton('Save'); $assert_session->pageTextContains('The CollegeHumor provider is not allowed.'); // Test anonymous access to media via iframe. $this->drupalLogout(); // Without a hash should be denied. $no_hash_query = array_diff_key($query, ['hash' => '']); $this->drupalGet('media/oembed', ['query' => $no_hash_query]); $assert_session->pageTextNotContains('By the power of Greyskull, Vimeo works!'); $assert_session->pageTextContains('Access denied'); // A correct query should be allowed because the anonymous role has the // 'view media' permission. $this->drupalGet('media/oembed', ['query' => $query]); $assert_session->pageTextContains('By the power of Greyskull, Vimeo works!'); $this->assertRaw('core/themes/stable/templates/content/media-oembed-iframe.html.twig'); $this->assertNoRaw('core/modules/media/templates/media-oembed-iframe.html.twig'); // Test themes not inheriting from stable. \Drupal::service('theme_handler')->install(['stark']); $this->config('system.theme')->set('default', 'stark')->save(); $this->drupalGet('media/oembed', ['query' => $query]); $assert_session->pageTextContains('By the power of Greyskull, Vimeo works!'); $this->assertNoRaw('core/themes/stable/templates/content/media-oembed-iframe.html.twig'); $this->assertRaw('core/modules/media/templates/media-oembed-iframe.html.twig'); // Remove the 'view media' permission to test that this restricts access. $role = Role::load(AccountInterface::ANONYMOUS_ROLE); $role->revokePermission('view media'); $role->save(); $this->drupalGet('media/oembed', ['query' => $query]); $assert_session->pageTextNotContains('By the power of Greyskull, Vimeo works!'); $assert_session->pageTextContains('Access denied'); } /** * Test that a security warning appears if iFrame domain is not set. */ public function testOEmbedSecurityWarning() { $media_type_id = 'test_media_oembed_type'; $source_id = 'oembed:video'; $session = $this->getSession(); $page = $session->getPage(); $assert_session = $this->assertSession(); $this->drupalGet('admin/structure/media/add'); $page->fillField('label', $media_type_id); $this->getSession() ->wait(5000, "jQuery('.machine-name-value').text() === '{$media_type_id}'"); // Make sure the source is available. $assert_session->fieldExists('Media source'); $assert_session->optionExists('Media source', $source_id); $page->selectFieldOption('Media source', $source_id); $result = $assert_session->waitForElementVisible('css', 'fieldset[data-drupal-selector="edit-source-configuration"]'); $this->assertNotEmpty($result); $assert_session->pageTextContains('It is potentially insecure to display oEmbed content in a frame'); $this->config('media.settings')->set('iframe_domain', 'http://example.com')->save(); $this->drupalGet('admin/structure/media/add'); $page->fillField('label', $media_type_id); $this->getSession() ->wait(5000, "jQuery('.machine-name-value').text() === '{$media_type_id}'"); // Make sure the source is available. $assert_session->fieldExists('Media source'); $assert_session->optionExists('Media source', $source_id); $page->selectFieldOption('Media source', $source_id); $result = $assert_session->waitForElementVisible('css', 'fieldset[data-drupal-selector="edit-source-configuration"]'); $this->assertNotEmpty($result); $assert_session->pageTextNotContains('It is potentially insecure to display oEmbed content in a frame'); } }