test(architecture): drop stale actionFragmentContext mentions
Cleanup follow-up to commit 9ec10f5, which removed the unused
actionFragmentContext aggregator and its building block. Two
architecture tests still mentioned the removed aggregator in their
allowlists and recognizer regexes — patterns that now match an empty
set, harmless but misleading.
* ActionContextCsrfPairingContractTest: drop 'actionFragmentContext'
from the AGGREGATORS constant, update the docblock to list only the
two remaining aggregators, and rewrite the GET-only-allowlist
comment to no longer reference the fragment-specific case (the
guard itself stays — any future GET-only aggregator caller would
still hit it).
* DetailDrawerFragmentContractTest: drop the third alternative from
the aggregator-recognizer regex inside extractTopLevelAbility, and
trim two comments accordingly.
The historical documentation in ActionContextHelperContractTest is
deliberately kept — those comments explain to future readers why the
test only freezes 5 building blocks and 2 aggregators (instead of
the original 6/3) and why the CSRF-warning expectation is 2 instead
of 3. That is contextual documentation, not stale references.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -9,9 +9,9 @@ use RecursiveIteratorIterator;
|
||||
|
||||
/**
|
||||
* GR-SEC-001 extension: every page action that calls one of the
|
||||
* action-context aggregators (actionEditContext, actionCreateContext,
|
||||
* actionFragmentContext) AND handles POST data MUST also call
|
||||
* actionRequireCsrf() before it accesses the request body.
|
||||
* action-context aggregators (actionEditContext, actionCreateContext)
|
||||
* AND handles POST data MUST also call actionRequireCsrf() before it
|
||||
* accesses the request body.
|
||||
*
|
||||
* Closes plan-stage finding SEC-PLAN-004 from Run
|
||||
* 2026-04-25-action-context-helper. Replaces the obsolete
|
||||
@@ -39,7 +39,6 @@ class ActionContextCsrfPairingContractTest extends TestCase
|
||||
private const AGGREGATORS = [
|
||||
'actionEditContext',
|
||||
'actionCreateContext',
|
||||
'actionFragmentContext',
|
||||
];
|
||||
|
||||
/**
|
||||
@@ -106,8 +105,8 @@ class ActionContextCsrfPairingContractTest extends TestCase
|
||||
$isPostHandler = $this->hasAny($content, self::POST_PRESENCE_INDICATORS)
|
||||
|| preg_match('/->body\(/', $content) === 1;
|
||||
|
||||
// Drawer-fragment allowlist: actionFragmentContext-only callers
|
||||
// without any POST indicator are GET-only and don't need CSRF.
|
||||
// GET-only allowlist: aggregator callers without any POST
|
||||
// indicator are render-only and don't need CSRF.
|
||||
if (!$isPostHandler) {
|
||||
continue;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user