Updated to Drupal 8.5. Core Media not yet in use.
diff --git a/web/core/modules/rest/tests/modules/rest_test/src/PageCache/RequestPolicy/DenyTestAuthRequests.php b/web/core/modules/rest/tests/modules/rest_test/src/PageCache/RequestPolicy/DenyTestAuthRequests.php
new file mode 100644 (file)
index 0000000..17be647
--- /dev/null
@@ -0,0 +1,31 @@
+<?php
+
+namespace Drupal\rest_test\PageCache\RequestPolicy;
+
+use Drupal\Core\PageCache\RequestPolicyInterface;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Cache policy for pages requested with REST Test Auth.
+ *
+ * This policy disallows caching of requests that use the REST Test Auth
+ * authentication provider for security reasons (just like basic_auth).
+ * Otherwise responses for authenticated requests can get into the page cache
+ * and could be delivered to unprivileged users.
+ *
+ * @see \Drupal\rest_test\Authentication\Provider\TestAuth
+ * @see \Drupal\rest_test\Authentication\Provider\TestAuthGlobal
+ * @see \Drupal\basic_auth\PageCache\DisallowBasicAuthRequests
+ */
+class DenyTestAuthRequests implements RequestPolicyInterface {
+
+  /**
+   * {@inheritdoc}
+   */
+  public function check(Request $request) {
+    if ($request->headers->has('REST-test-auth') || $request->headers->has('REST-test-auth-global')) {
+      return self::DENY;
+    }
+  }
+
+}
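Review bot: `check()` falls off the end without a return when neither header is present, so the "no opinion" result is an implicit NULL; an explicit `return NULL;` after the `if`, or a comment such as `// No opinion: leave the decision to the other request policies.`, would make that intent visible. The two header names are string literals here and presumably have to match what the TestAuth and TestAuthGlobal providers named in the `@see` tags look for. If the two sides drift apart, an authenticated response could end up in the page cache, which is the case the class docblock says this policy exists to prevent, so a short comment tying the literals to those providers (or a shared constant) would help. The policy also only takes effect once it is registered as a request-policy service, and that registration is not visible in this hunk.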