Mercurial > hg > isophonics-drupal-site

annotate core/modules/rest/tests/src/Functional/AnonResourceTestTrait.php @ 0:4c8ae668cc8c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Initial import (non-working)
author Chris Cannam
date Wed, 29 Nov 2017 16:09:58 +0000
parents
children 7a779792577d
rev   line source
Chris@0 1 <?php
Chris@0 2
Chris@0 3 namespace Drupal\Tests\rest\Functional;
Chris@0 4
Chris@0 5 use Drupal\Core\Url;
Chris@0 6 use Psr\Http\Message\ResponseInterface;
Chris@0 7
Chris@0 8 /**
Chris@0 9 * Trait for ResourceTestBase subclasses testing $auth=NULL, i.e. authless/anon.
Chris@0 10 *
Chris@0 11 * Characteristics:
Chris@0 12 * - When no authentication provider is being used, there also cannot be any
Chris@0 13 * particular error response for missing authentication, since by definition
Chris@0 14 * there is not any authentication.
Chris@0 15 * - For the same reason, there are no authentication edge cases to test.
Chris@0 16 * - Because no authentication is required, this is vulnerable to CSRF attacks
Chris@0 17 * by design. Hence a REST resource should probably only allow for anonymous
Chris@0 18 * for safe (GET/HEAD) HTTP methods, and only with extreme care should unsafe
Chris@0 19 * (POST/PATCH/DELETE) HTTP methods be allowed for a REST resource that allows
Chris@0 20 * anonymous access.
Chris@0 21 */
Chris@0 22 trait AnonResourceTestTrait {
Chris@0 23
Chris@0 24 /**
Chris@0 25 * {@inheritdoc}
Chris@0 26 */
Chris@0 27 protected function assertResponseWhenMissingAuthentication(ResponseInterface $response) {
Chris@0 28 throw new \LogicException('When testing for anonymous users, authentication cannot be missing.');
Chris@0 29 }
Chris@0 30
Chris@0 31 /**
Chris@0 32 * {@inheritdoc}
Chris@0 33 */
Chris@0 34 protected function assertAuthenticationEdgeCases($method, Url $url, array $request_options) {}
Chris@0 35
Chris@0 36 }