Commit 5d093e2d authored by Dom Sekotill's avatar Dom Sekotill

Merge branch '17-behaviour-verification' into 'develop'

Resolve "Behaviour Verification"

See merge request !23
parents a69e7abb c69ebd85
+14 −0
@@ -78,6 +78,20 @@ server {
		include cache-bust.conf;
	}

	location = /wp-comments-post.php {
		error_page 403 = @post-only;
		limit_except POST {
			deny all;
		}
		include fastcgi-script.conf;
		include cache-bust.conf;
	}

	location @post-only {
		add_header Allow "POST" always;
		return 405;
	}

	location /wp-admin/ {
		try_files $uri $uri/index.php;
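Review bot: The new `location = /wp-comments-post.php` block passes unauthenticated POSTs to the PHP backend with no request-rate or body-size limit visible in the hunk, and comment endpoints are a routine target for spam floods. Unless `fastcgi-script.conf` or the enclosing `server` block (which starts outside this hunk) already sets them, consider `limit_req zone=<comment-zone> burst=5;` (the zone name is a placeholder, to be defined with `limit_req_zone` in the `http` context) and a small `client_max_body_size`. Note also that `error_page 403 = @post-only;` turns every nginx-generated 403 in this location into a 405, including one from any access rule added later, so a comment such as `# 403 from limit_except is reported as 405 Method Not Allowed` would record that this is intentional.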

+16 −1
@@ -29,7 +29,6 @@ Feature: Script Access and Restrictions
			| path                                                | result    |
			| /wp-activate.php                                    | Not Found |
			| /wp-blog-header.php                                 | Not Found |
			| /wp-comments-post.php                               | Not Found |
			| /wp-config.php                                      | Not Found |
			| /wp-cron.php                                        | Not Found |
			| /wp-load.php                                        | Not Found |
@@ -47,8 +46,24 @@ Feature: Script Access and Restrictions
			| /wp-login.php                                       | OK        |
			| /wp-admin/                                          | 302       |
			| /wp-admin/index.php                                 | 302       |
			| /wp-comments-post.php                               | 405       |

	Scenario: Check the JSON API is accessible
		When /wp-json/wp/v2/ is requested
		Then OK is returned
		And the response body is JSON

	Scenario: "GET /wp-comments-post.php" is not allowed
		When /wp-comments-post.php is requested
		Then 405 is returned
		And the "Allow" header's value is "POST"

	Scenario: "POST /wp-contents-post.php" accepts content
		Given a blank post exists
		When data is sent with POST to /wp-comments-post.php
		"""
		comment_post_id={context.post[ID]}&author=John+Smith&email=j.smith@example.com&comment=First+%F0%9F%8D%86
		"""
		Then OK is returned
		# (Why 200 instead of 201? Probably the same reason 200 is returned when
		# there are missing values?! It's WordPress.)
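Review bot: `Then OK is returned` in the last scenario does not show that the comment was accepted, because, as the trailing comment itself observes, WordPress also answers 200 when values are missing. WordPress reads the post id from the case-sensitive field `comment_post_ID`, so the body's `comment_post_id=` is probably ignored, and as far as I know a stored comment is answered with a redirect rather than 200; this is worth confirming against a manual submission. If so, correct the field name and assert `Then 302 is returned`, or add a step that checks the comment exists, so the scenario fails when the endpoint silently drops the submission. The scenario title also says `/wp-contents-post.php` where `/wp-comments-post.php` is meant.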
+40 −0
@@ -20,6 +20,17 @@ from utils import URL
from utils import PatternEnum


class Method(PatternEnum):
	"""
	HTTP methods
	"""

	GET = "GET"
	POST = "POST"
	PUT = "PUT"
	# add more methods as needed…


class ResponseCode(int, PatternEnum):
	"""
	HTTP response codes
@@ -32,11 +43,13 @@ class ResponseCode(int, PatternEnum):
	temporary_redirect = 307
	permanent_redirect = 308
	not_found = 404
	method_not_allowed = 405

	# Aliases for the above codes, for mapping natural language in feature files to enums
	ALIASES = {
		"OK": 200,
		"Not Found": 404,
		"Method Not Allowed": 405,
	}

	@staticmethod
@@ -67,6 +80,21 @@ def get_request(context: Context, url: URL) -> None:
	context.response = context.session.get(context.site.url / url, allow_redirects=False)


@when("data is sent with {method:Method} to {url:URL}")
def post_request(context: Context, method: Method, url: URL) -> None:
	"""
	Send context text to a URL endpoint and assign the response to the context
	"""
	if context.text is None:
		raise ValueError("Missing data, please add as text to step definition")
	context.response = context.session.request(
		method.value,
		context.site.url / url,
		data=context.text.strip().format(context=context).encode("utf-8"),
		allow_redirects=False,
	)


@when("the homepage is requested")
def get_homepage(context: Context) -> None:
	"""
@@ -87,6 +115,18 @@ def assert_response(context: Context, response: ResponseCode) -> None:
		f"Expected response {response}: got {context.response.status_code}"


@then('''the "{header_name}" header's value is "{header_value}"''')
def assert_header(context: Context, header_name: str, header_value: str) -> None:
	"""
	Assert that an expected header was received during a previous step
	"""
	headers = context.response.headers
	assert header_name in headers, \
		f"Expected header not found in response: {header_name!r}"
	assert headers[header_name] == header_value, \
		f"Expected header value not found: got {headers[header_name]!r}"


@then("the response body is JSON")
def assert_is_json(context: Context) -> None:
	"""
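Review bot: `post_request` sends the step text as raw bytes without a `Content-Type`, and requests only adds `application/x-www-form-urlencoded` itself when `data` is a dict or a list of pairs. Unless `context.session` carries a default header (not visible here), PHP will not parse the body into form fields and the endpoint sees an empty submission, so the POST scenario would not exercise a real form post. Passing `headers={"Content-Type": "application/x-www-form-urlencoded"}` to `context.session.request(...)` addresses that. Separately, `.format(context=context)` lets feature text read any attribute reachable from the context, which is acceptable for trusted feature files but should be stated in the docstring, and the name `post_request` no longer fits a step that accepts any `Method`.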