API: Add "standard" header and hook for lacksSameOriginSecurity()

[lhc/web/wiklou.git] / tests / phpunit / includes / api / ApiMainTest.php

diff --git a/tests/phpunit/includes/api/ApiMainTest.php b/tests/phpunit/includes/api/ApiMainTest.php
index 06e7962..53554d7 100644 (file)
--- a/tests/phpunit/includes/api/ApiMainTest.php
+++ b/tests/phpunit/includes/api/ApiMainTest.php
@@ -253,4 +253,31 @@ class ApiMainTest extends ApiTestCase {
                ];
        }
 
+       /**
+        * @covers ApiMain::lacksSameOriginSecurity
+        */
+       public function testLacksSameOriginSecurity() {
+               // Basic test
+               $main = new ApiMain( new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) ) );
+               $this->assertFalse( $main->lacksSameOriginSecurity(), 'Basic test, should have security' );
+
+               // JSONp
+               $main = new ApiMain(
+                       new FauxRequest( array( 'action' => 'query', 'format' => 'xml', 'callback' => 'foo'  ) )
+               );
+               $this->assertTrue( $main->lacksSameOriginSecurity(), 'JSONp, should lack security' );
+
+               // Header
+               $request = new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) );
+               $request->setHeader( 'TrEaT-As-UnTrUsTeD', '' ); // With falsey value!
+               $main = new ApiMain( $request );
+               $this->assertTrue( $main->lacksSameOriginSecurity(), 'Header supplied, should lack security' );
+
+               // Hook
+               $this->mergeMwGlobalArrayValue( 'wgHooks', array(
+                       'RequestHasSameOriginSecurity' => array( function () { return false; } )
+               ) );
+               $main = new ApiMain( new FauxRequest( array( 'action' => 'query', 'meta' => 'siteinfo' ) ) );
+               $this->assertTrue( $main->lacksSameOriginSecurity(), 'Hook, should lack security' );
+       }
 }