订阅筛选表单:仅透传安全back(补测试)
This commit is contained in:
萝卜
@@ -126,6 +126,9 @@
|
|||||||
<div class="card mb-20">
|
<div class="card mb-20">
|
||||||
<h3>筛选条件</h3>
|
<h3>筛选条件</h3>
|
||||||
<form method="get" action="/admin/site-subscriptions" class="grid-4">
|
<form method="get" action="/admin/site-subscriptions" class="grid-4">
|
||||||
|
@if($safeBackForLinks !== '')
|
||||||
|
<input type="hidden" name="back" value="{!! $safeBackForLinks !!}">
|
||||||
|
@endif
|
||||||
<select name="status">
|
<select name="status">
|
||||||
<option value="">全部状态</option>
|
<option value="">全部状态</option>
|
||||||
@foreach(($filterOptions['statuses'] ?? []) as $value => $label)
|
@foreach(($filterOptions['statuses'] ?? []) as $value => $label)
|
||||||
|
|||||||
@@ -0,0 +1,35 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Tests\Feature;
|
||||||
|
|
||||||
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||||
|
use Tests\TestCase;
|
||||||
|
|
||||||
|
class AdminSiteSubscriptionIndexFilterFormDropsUnsafeBackTest extends TestCase
|
||||||
|
{
|
||||||
|
use RefreshDatabase;
|
||||||
|
|
||||||
|
protected function loginAsPlatformAdmin(): void
|
||||||
|
{
|
||||||
|
$this->seed();
|
||||||
|
|
||||||
|
$this->post('/admin/login', [
|
||||||
|
'email' => 'platform.admin@demo.local',
|
||||||
|
'password' => 'Platform@123456',
|
||||||
|
])->assertRedirect('/admin');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_index_filter_form_should_drop_unsafe_back_as_hidden_input(): void
|
||||||
|
{
|
||||||
|
$this->loginAsPlatformAdmin();
|
||||||
|
|
||||||
|
// nested back=:必须丢弃
|
||||||
|
$back = '/admin/platform-orders?back=/admin/site-subscriptions';
|
||||||
|
|
||||||
|
$res = $this->get('/admin/site-subscriptions?back=' . urlencode($back));
|
||||||
|
$res->assertOk();
|
||||||
|
|
||||||
|
$res->assertDontSee('name="back"', false);
|
||||||
|
$res->assertDontSee('value="' . $back . '"', false);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,33 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Tests\Feature;
|
||||||
|
|
||||||
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||||
|
use Tests\TestCase;
|
||||||
|
|
||||||
|
class AdminSiteSubscriptionIndexFilterFormKeepsSafeBackTest extends TestCase
|
||||||
|
{
|
||||||
|
use RefreshDatabase;
|
||||||
|
|
||||||
|
protected function loginAsPlatformAdmin(): void
|
||||||
|
{
|
||||||
|
$this->seed();
|
||||||
|
|
||||||
|
$this->post('/admin/login', [
|
||||||
|
'email' => 'platform.admin@demo.local',
|
||||||
|
'password' => 'Platform@123456',
|
||||||
|
])->assertRedirect('/admin');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_index_filter_form_should_keep_safe_back_as_hidden_input(): void
|
||||||
|
{
|
||||||
|
$this->loginAsPlatformAdmin();
|
||||||
|
|
||||||
|
$back = '/admin/platform-orders?merchant_id=2&status=pending';
|
||||||
|
|
||||||
|
$res = $this->get('/admin/site-subscriptions?back=' . urlencode($back));
|
||||||
|
$res->assertOk();
|
||||||
|
|
||||||
|
$res->assertSee('name="back" value="' . $back . '"', false);
|
||||||
|
}
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user