diff --git a/core/modules/rest/lib/Drupal/rest/EventSubscriber/RouteSubscriber.php b/core/modules/rest/lib/Drupal/rest/EventSubscriber/RouteSubscriber.php
index fde2679..4b9f9fb 100644
--- a/core/modules/rest/lib/Drupal/rest/EventSubscriber/RouteSubscriber.php
+++ b/core/modules/rest/lib/Drupal/rest/EventSubscriber/RouteSubscriber.php
@@ -72,7 +72,8 @@ public function dynamicRoutes(RouteBuildEvent $event) {
 $collection->add("rest.$name", $route);
 continue;
 }
- // Check authentication.
+ // Check if there are authentication provider restrictions in the
+ // configuration and apply them to the route.
 if (is_array($enabled_methods[$method]['supported_auth']) && !empty($enabled_methods[$method]['supported_auth'])) {
 $route->setOption('_auth', $enabled_methods[$method]['supported_auth']);
 }
diff --git a/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
index 3618931..316fcd5 100644
--- a/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
+++ b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
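Review bot: The new comment describes the restriction case but not the fallback: when `supported_auth` is empty or not an array the route gets no `_auth` option and is left to whatever the default authentication providers are, which is the security-relevant outcome a reader of this block needs; suggest appending `// With no restriction configured, the route is left to the default providers.` (the default behaviour itself is not visible here, so confirm before wording it more strongly). Separately, `is_array($enabled_methods[$method]['supported_auth'])` is evaluated before `!empty(...)`, so a method entry with no `supported_auth` key raises an undefined-index notice; swapping the operands, `if (!empty($enabled_methods[$method]['supported_auth']) && is_array($enabled_methods[$method]['supported_auth'])) {`, keeps the same result without the notice. dynamicRoutes() starts and ends outside the hunk.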
@@ -33,13 +33,20 @@ public static function getInfo() {
 * Tests reading from an authenticated resource.
 */
 public function testRead() {
- // @todo once EntityNG is implemented for other entity types expand this at
- // least to nodes and users.
 // Define the entity types we want to test.
 $entity_types = array('entity_test');
 foreach ($entity_types as $entity_type) {
 $this->enableService('entity:' . $entity_type, 'GET', NULL, array('http_basic'));
- //$this->enableService('entity:' . $entity_type, 'GET');
+
+ // Create an entity programmatically.
+ $entity = $this->entityCreate($entity_type);
+ $entity->save();
+
+ // Try to read the resource as an anonymous user, which should not work.
+ $response = $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'GET', NULL, $this->defaultMimeType);
+ $this->assertResponse('401', 'HTTP response code is 401 when the request is not authenticated and the user is anonymous.');
+ $this->assertText(t('A fatal error occurred: No authentication credentials provided.'));
+
 // Create a user account that has the required permissions to read
 // resources via the REST API, but the request is not authenticated.
 $permissions = $this->entityPermissions($entity_type, 'view');
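Review bot: The anonymous-request block asserts only the 401 status and a fatal-error page text; for a route restricted to `http_basic` the signal that the challenge is correct is the `WWW-Authenticate` response header, and the message text is wording the test will break on whenever the error string changes. If the test base exposes response headers (WebTestBase has `drupalGetHeader()`; whether `httpRequest()` records headers is not visible here), assert the challenge header in place of, or in addition to, the `assertText()` call. The `$response` returned by `httpRequest()` is assigned and never read in this hunk; either assert on it or drop the assignment. testRead() continues past the end of this hunk.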
@@ -47,21 +54,20 @@ public function testRead() {
 $account = $this->drupalCreateUser($permissions);
 $this->drupalLogin($account);
 
- // Create an entity programmatically.
- $entity = $this->entityCreate($entity_type);
- $entity->save();
-
- // Attempt to read it over the REST API.
+ // Try to read the resource with session cookie authentication, which is
+ // not enabled and should not work.
 $response = $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'GET', NULL, $this->defaultMimeType);
 $this->assertResponse('403', 'HTTP response code is 403 when the request is not authenticated.');
- // Now read it authenticating the request.
+
+ // Now read it with the Basic authentication which is enabled and should
+ // work.
 $response = $this->basicAuthGet('entity/' . $entity_type . '/' . $entity->id(), $account->getUsername(), $account->pass_raw);
 $this->assertResponse('200', 'HTTP response code is 200 for successfuly authenticated requests.');
 }
 }
 
 /**
- * Does HTTP basic auth request.
+ * Performs a HTTP request with Basic authentication.
 *
 * We do not use \Drupal\simpletest\WebTestBase::drupalGet because we need to
 * set curl settings for basic authentication.
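Review bot: The rewritten docblock line `Performs a HTTP request with Basic authentication.` needs the article `an`, i.e. `* Performs an HTTP request with Basic authentication.`; that docblock continues past the hunk. The new comment before the session-cookie request says the provider is "not enabled", but the assertion that follows expects 403 where the anonymous case in the previous hunk expects 401; one clause on why a logged-in session hitting a Basic-only route yields a different status would spare the next reader a trip into the authentication manager (the provider's behaviour is not shown here, so confirm the reason before writing it). Both `$response` assignments in this hunk are unused, as in the previous hunk. The context line's `successfuly` is a pre-existing typo in the assertion message that could be corrected while here; testRead() starts outside this hunk.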