protected function assertResponseWhenMissingAuthentication($method, ResponseInterface
$response) { // Requests needing cookie authentication but missing it results in a 403
// response. The cookie authentication mechanism sets no response message.
// Hence, effectively, this is just the 403 response that one gets as the
// anonymous user trying to access a certain REST resource.
// @see \Drupal\user\Authentication\Provider\Cookie
// @todo https://www.drupal.org/node/2847623
if ($method === 'GET'
) { $expected_cookie_403_cacheability =
$this->
getExpectedUnauthorizedAccessCacheability() // @see \Drupal\Core\EventSubscriber\AnonymousUserResponseSubscriber::onRespond()
->
addCacheableDependency($this->
getExpectedUnauthorizedEntityAccessCacheability(FALSE
));
// - \Drupal\Core\EventSubscriber\AnonymousUserResponseSubscriber applies
// to cacheable anonymous responses: it updates their cacheability.
// - A 403 response to a GET request is cacheable.
// Therefore we must update our cacheability expectations accordingly.
if (in_array('user.permissions',
$expected_cookie_403_cacheability->
getCacheContexts(), TRUE
)) { $expected_cookie_403_cacheability->
addCacheTags(['config:user.role.anonymous'
]);
} // @todo Fix \Drupal\block\BlockAccessControlHandler::mergeCacheabilityFromConditions() in https://www.drupal.org/node/2867881
if (static::
$entityTypeId === 'block'
) { $expected_cookie_403_cacheability->
setCacheTags(str_replace('user:2', 'user:0',
$expected_cookie_403_cacheability->
getCacheTags()));
}