3 namespace Drupal\Tests\rest\Functional;
6 use Psr\Http\Message\ResponseInterface;
9 * Trait for ResourceTestBase subclasses testing $auth=NULL, i.e. authless/anon.
12 * - When no authentication provider is being used, there also cannot be any
13 * particular error response for missing authentication, since by definition
14 * there is not any authentication.
15 * - For the same reason, there are no authentication edge cases to test.
16 * - Because no authentication is required, this is vulnerable to CSRF attacks
17 * by design. Hence a REST resource should probably only allow for anonymous
18 * for safe (GET/HEAD) HTTP methods, and only with extreme care should unsafe
19 * (POST/PATCH/DELETE) HTTP methods be allowed for a REST resource that allows
22 trait AnonResourceTestTrait {
27 protected function assertResponseWhenMissingAuthentication(ResponseInterface $response) {
28 throw new \LogicException('When testing for anonymous users, authentication cannot be missing.');
34 protected function assertAuthenticationEdgeCases($method, Url $url, array $request_options) {}