线索页筛选:透传安全 back(补测试)
This commit is contained in:
萝卜
@@ -72,6 +72,9 @@
|
|||||||
<div class="card mb-20">
|
<div class="card mb-20">
|
||||||
<h3>筛选</h3>
|
<h3>筛选</h3>
|
||||||
<form method="get" action="/admin/platform-leads" class="grid-3">
|
<form method="get" action="/admin/platform-leads" class="grid-3">
|
||||||
|
@if($safeBack)
|
||||||
|
<input type="hidden" name="back" value="{!! $safeBack !!}">
|
||||||
|
@endif
|
||||||
<select name="status">
|
<select name="status">
|
||||||
<option value="">全部状态</option>
|
<option value="">全部状态</option>
|
||||||
@foreach(($statusLabels ?? []) as $v => $label)
|
@foreach(($statusLabels ?? []) as $v => $label)
|
||||||
|
|||||||
@@ -0,0 +1,35 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Tests\Feature;
|
||||||
|
|
||||||
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||||
|
use Tests\TestCase;
|
||||||
|
|
||||||
|
class AdminPlatformLeadIndexFilterFormDropsUnsafeBackTest extends TestCase
|
||||||
|
{
|
||||||
|
use RefreshDatabase;
|
||||||
|
|
||||||
|
protected function loginAsPlatformAdmin(): void
|
||||||
|
{
|
||||||
|
$this->seed();
|
||||||
|
|
||||||
|
$this->post('/admin/login', [
|
||||||
|
'email' => 'platform.admin@demo.local',
|
||||||
|
'password' => 'Platform@123456',
|
||||||
|
])->assertRedirect('/admin');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_index_filter_form_should_not_keep_back_when_back_is_unsafe(): void
|
||||||
|
{
|
||||||
|
$this->loginAsPlatformAdmin();
|
||||||
|
|
||||||
|
$unsafeBack = '/admin/platform-orders?status=pending&back=/admin/plans';
|
||||||
|
|
||||||
|
$res = $this->get('/admin/platform-leads?back=' . urlencode($unsafeBack));
|
||||||
|
$res->assertOk();
|
||||||
|
|
||||||
|
// unsafe back 不应被写入隐藏字段(避免 nested back 膨胀/绕过)
|
||||||
|
$res->assertDontSee('name="back"', false);
|
||||||
|
$res->assertDontSee($unsafeBack, false);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,34 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Tests\Feature;
|
||||||
|
|
||||||
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||||
|
use Tests\TestCase;
|
||||||
|
|
||||||
|
class AdminPlatformLeadIndexFilterFormKeepsSafeBackTest extends TestCase
|
||||||
|
{
|
||||||
|
use RefreshDatabase;
|
||||||
|
|
||||||
|
protected function loginAsPlatformAdmin(): void
|
||||||
|
{
|
||||||
|
$this->seed();
|
||||||
|
|
||||||
|
$this->post('/admin/login', [
|
||||||
|
'email' => 'platform.admin@demo.local',
|
||||||
|
'password' => 'Platform@123456',
|
||||||
|
])->assertRedirect('/admin');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_index_filter_form_should_keep_safe_back_as_hidden_input(): void
|
||||||
|
{
|
||||||
|
$this->loginAsPlatformAdmin();
|
||||||
|
|
||||||
|
$back = '/admin/platform-orders?lead_id=1&status=pending';
|
||||||
|
|
||||||
|
$res = $this->get('/admin/platform-leads?back=' . urlencode($back));
|
||||||
|
$res->assertOk();
|
||||||
|
|
||||||
|
// 过滤表单应透传 back,避免“应用筛选”后丢上下文
|
||||||
|
$res->assertSee('name="back" value="' . $back . '"', false);
|
||||||
|
}
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user