diff --git a/core/modules/system/src/Tests/Session/MultipleAuthenticationSessionTest.php b/core/modules/system/src/Tests/Session/MultipleAuthenticationSessionTest.php
index 628ca37..e51eeb0 100644
--- a/core/modules/system/src/Tests/Session/MultipleAuthenticationSessionTest.php
+++ b/core/modules/system/src/Tests/Session/MultipleAuthenticationSessionTest.php
@@ -48,20 +48,32 @@ protected function setUp() { * @see https://www.drupal.org/node/2468873 */ public function testSessionFromBasicAuthenticationDoesNotLeak() { - // This page is authorized through basic_auth only, not cookie. - $url = Url::fromRoute('session_test.get_session'); + // This route is authorized through basic_auth only, not cookie. + $protected_url = Url::fromRoute('session_test.get_session'); + + // This route is not protected. + $unprotected_url = Url::fromRoute('session_test.get_session_no_auth'); // Test that the route is not accessible as an anonymous user. - $this->drupalGet($url); + $this->drupalGet($protected_url); $this->assertResponse(401, 'An anonymous user cannot access a route protected with basic authentication.'); // We should be able to access the route with basic authentication. - $this->basicAuthGet($url); + $this->basicAuthGet($protected_url); $this->assertResponse(200, 'A route protected with basic authentication can be accessed by an authenticated user.'); - // If we now try to access the page again without basic authentication then - // we should no longer be authorized. - $this->drupalGet($url); + // Check that the correct user is logged in. + $this->assertEqual($this->user->id(), json_decode($this->getRawContent())->user, 'The correct user is authenticated on a route with basic authentication.'); + + // If we now try to access a page without basic authentication then we + // should no longer be logged in. + $this->drupalGet($unprotected_url); + $this->assertResponse(200, 'An unprotected route can be accessed without basic authentication.'); + $this->assertFalse(json_decode($this->getRawContent())->user, 'The user is no longer authenticated after visiting a page without basic authentication.'); + + // If we access the protected page again without basic authentication we + // should get 401 Unauthorized. 
+ $this->drupalGet($protected_url); $this->assertResponse(401, 'A subsequent request to the same route without basic authentication is not authorized.'); } @@ -72,29 +84,18 @@ public function testSessionFromBasicAuthenticationDoesNotLeak() { * Drupal path or URL to load into the internal browser. * @param array $options * Options to be forwarded to the url generator. - * @param array $headers - * An array containing additional HTTP request headers, each formatted as - * "name: value". * * @return string * The retrieved HTML string, also available as $this->getRawContent(). */ - protected function basicAuthGet($path, array $options = array(), array $headers = array()) { + protected function basicAuthGet($path, array $options = array()) { // Set up Curl to use basic authentication with the test user's credentials. - $this->additionalCurlOptions = [ - CURLOPT_HTTPAUTH => CURLAUTH_BASIC, - CURLOPT_USERPWD => $this->user->getUsername() . ':' . $this->user->pass_raw, - ]; - - $output = $this->drupalGet($path, $options, $headers); - - // Reset the Curl options. - $this->additionalCurlOptions = [ - CURLOPT_HTTPAUTH => NULL, - CURLOPT_USERPWD => NULL, + $headers = [ + 'Accept: */*', + 'Authorization: Basic ' . base64_encode($this->user->getUsername() . ':' . $this->user->pass_raw), ]; - return $output; + return $this->drupalGet($path, $options, $headers); } } diff --git a/core/modules/system/tests/modules/session_test/session_test.routing.yml b/core/modules/system/tests/modules/session_test/session_test.routing.yml index 6dbf85c..ea59385 100644 --- a/core/modules/system/tests/modules/session_test/session_test.routing.yml +++ b/core/modules/system/tests/modules/session_test/session_test.routing.yml 
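Review bot: `$this->assertFalse(json_decode($this->getRawContent())->user, ...)` on the unprotected request accepts any falsy value, so a body whose `user` is `0`, `null` or missing altogether satisfies the leak check; if the controller reports the current user id, comparing against the anonymous id pins the intent, e.g. `$this->assertEqual(0, json_decode($this->getRawContent())->user, ...)`. The hunk also decodes the raw content twice without checking the result; if the response is not JSON, `json_decode()` returns `NULL` and the `->user` access degrades to a notice rather than a clear assertion failure. Decoding once into a local, `$data = json_decode($this->getRawContent());`, followed by `$this->assertTrue(is_object($data), 'Session information was returned as JSON.');` before the per-field assertions would make each check self-explanatory.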
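Review bot: The rewritten basicAuthGet() sends the credentials as an explicit `Authorization` header and clears nothing afterwards, whereas the code it replaces reset its curl options after the request; the cookie-only `drupalGet($unprotected_url)` in the first hunk is only a valid leak check if drupalGet() applies `$headers` to that single request, which the hunk does not state. A comment on the `$headers` assignment such as `// Passed per request only; drupalGet() does not keep these headers for later calls.` would record that assumption, and it is worth confirming against the curl request code in WebTestBase. The new signature drops the `array $headers` parameter, so callers can no longer add their own headers, and the reason for the added `Accept: */*` header is not recorded either; a one-line comment on why it is needed would help. Style: the new signature still uses `array $options = array()` while the body uses short `[]` syntax; the method's docblock begins above the hunk.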
@@ -99,3 +99,11 @@ session_test.get_session:
 _auth: ['basic_auth']
 requirements:
 _permission: 'administer site configuration'
+
+session_test.get_session_no_auth:
+ path: '/session-test/get-session-no-auth'
+ defaults:
+ _title: 'Get session information'
+ _controller: '\Drupal\session_test\Controller\SessionTestController::getSession'
+ requirements:
+ _access: 'TRUE'
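Review bot: The new route exposes `SessionTestController::getSession` to anonymous requests via `_access: 'TRUE'`, which is what the leak test needs, but nothing in the file says so and the `_title` is identical to the protected route's. A comment above the route, e.g. `# Intentionally unprotected: lets MultipleAuthenticationSessionTest check that a basic_auth session does not carry over to cookie-only requests.`, would keep someone from tightening it later and make the pairing with `session_test.get_session` obvious. session_test is a test module, so the exposure is presumably confined to test installs.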