apiRoutesContainingAny([ 'users', 'roles', 'permissions', 'school-years', 'finance', 'inventory', 'settings', 'audit', 'admin', 'reports', ]); $spoofHeaders = [ 'X-Internal-Request' => 'true', 'X-Service-Name' => 'trusted-admin-service', 'X-Authenticated-User' => (string) $this->admin->id, 'X-User-Role' => 'administrator', 'X-Original-URI' => '/api/v1/admin/users', 'X-Forwarded-For' => '127.0.0.1', 'X-Real-IP' => '10.0.0.1', 'X-Envoy-External-Address' => '127.0.0.1', ]; foreach (array_slice($routes, 0, 80) as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $response = $this->withHeaders($spoofHeaders)->requestAs($this->studentUser, $method, $uri, $this->payloadFor($method, $uri)); $this->assertControlled($response, $method, $uri); $this->assertNotEquals(500, $response->getStatusCode(), $method.' '.$uri.' trusted spoofed internal headers.'); } } }