apiRoutesContainingAny(['admin', 'users', 'finance', 'inventory', 'settings', 'school-years', 'permissions']), 0, 120); foreach ($routes as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $this->actingAs($this->parent, 'api'); $response = $this->withHeaders([ 'X-Forwarded-For' => '127.0.0.1', 'X-Original-Method' => 'GET', 'X-HTTP-Method-Override' => 'GET', 'X-User-Role' => 'administrator', 'X-Admin' => 'true', 'X-Impersonate-User' => (string) $this->admin->id, ])->json($method, $this->materializePath($uri), $this->payloadFor($method, $uri)); $this->assertStatusIn($response, [401, 403, 404, 405, 419, 422], 'spoofed headers should not authorize parent at '.$method.' '.$uri); $this->assertNoServerError($response, 'header spoofing at '.$method.' '.$uri); } } }