079a2e0061
Following MDL-61880 you could turn on "Authenticate token requests via HTTP headers" but not turn this off again. This change fixes this and adds a Behat scenario to test toggling this checkbox is saved correctly.