view core/modules/rest/tests/src/Functional/BasicAuthResourceTestTrait.php @ 13:5fb285c0d0e3
Update Drupal core to 8.4.7 via Composer. Security update; I *think* we've
been lucky to get away with this so far, as we don't support self-registration
which seems to be used by the so-called "drupalgeddon 2" attack that 8.4.5
was vulnerable to.
author | Chris Cannam |
---|---|
date | Mon, 23 Apr 2018 09:33:26 +0100 |
parents | 7a779792577d |
children | 1fec387a4317 |
<?php

namespace Drupal\Tests\rest\Functional;

use Drupal\Core\Url;
use Psr\Http\Message\ResponseInterface;

/**
 * Trait for ResourceTestBase subclasses testing $auth=basic_auth.
 *
 * Characteristics:
 * - Every request must send an Authorization header.
 * - When accessing a URI that requires authentication without being
 *   authenticated, a 401 response must be sent.
 * - Because every request must send an authorization, there is no danger of
 *   CSRF attacks.
 */
trait BasicAuthResourceTestTrait {

  /**
   * {@inheritdoc}
   */
  protected function getAuthenticationRequestOptions($method) {
    return [
      'headers' => [
        'Authorization' => 'Basic ' . base64_encode($this->account->name->value . ':' . $this->account->passRaw),
      ],
    ];
  }

  /**
   * {@inheritdoc}
   */
  protected function assertResponseWhenMissingAuthentication(ResponseInterface $response) {
    $this->assertResourceErrorResponse(401, 'No authentication credentials provided.', $response);
  }

  /**
   * {@inheritdoc}
   */
  protected function assertAuthenticationEdgeCases($method, Url $url, array $request_options) {
  }

}