Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #1858486 by idebr, David_Rothstein, trawekp, MrHaroldA: Ajax call breaks Password Reset

8.0.x
Alex Pott 2015-01-12 14:30:36 +00:00
parent 556d680743
commit 29f441d3c2
2 changed files with 27 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
core/modules/user/src/AccountForm.php
View File

@ -123,15 +123,19 @@ abstract class AccountForm extends ContentEntityForm {
); );
// To skip the current password field, the user must have logged in via a // To skip the current password field, the user must have logged in via a
// one-time link and have the token in the URL. // one-time link and have the token in the URL. Store this in $form_state
$pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && (\Drupal::request()->query->get('pass-reset-token') == $_SESSION['pass_reset_' . $account->id()]); // so it persists even on subsequent Ajax requests.
if (!$form_state->get('user_pass_reset')) {
$user_pass_reset = $pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && (\Drupal::request()->query->get('pass-reset-token') == $_SESSION['pass_reset_' . $account->id()]);
$form_state->set('user_pass_reset', $user_pass_reset);
}
$protected_values = array(); $protected_values = array();
$current_pass_description = ''; $current_pass_description = '';
// The user may only change their own password without their current // The user may only change their own password without their current
// password if they logged in via a one-time login link. // password if they logged in via a one-time login link.
if (!$pass_reset) { if (!$form_state->get('user_pass_reset')) {
$protected_values['mail'] = $form['account']['mail']['#title']; $protected_values['mail'] = $form['account']['mail']['#title'];
$protected_values['pass'] = $this->t('Password'); $protected_values['pass'] = $this->t('Password');
$request_new = $this->l($this->t('Reset your password'), new Url('user.pass', $request_new = $this->l($this->t('Reset your password'), new Url('user.pass',

20
core/modules/user/src/Tests/UserPasswordResetTest.php
View File

@ -15,6 +15,18 @@ use Drupal\simpletest\WebTestBase;
* @group user * @group user
*/ */
class UserPasswordResetTest extends WebTestBase { class UserPasswordResetTest extends WebTestBase {
/**
* The profile to install as a basis for testing.
*
* This test uses the standard profile to test the password reset in
* combination with an ajax request provided by the user picture configuration
* in the standard profile.
*
* @var string
*/
protected $profile = 'standard';
/** /**
* The user object to test password resetting. * The user object to test password resetting.
* *
@ -89,6 +101,14 @@ class UserPasswordResetTest extends WebTestBase {
$this->assertLink(t('Log out')); $this->assertLink(t('Log out'));
$this->assertTitle(t('@name | @site', array('@name' => $this->account->getUsername(), '@site' => $this->config('system.site')->get('name'))), 'Logged in using password reset link.'); $this->assertTitle(t('@name | @site', array('@name' => $this->account->getUsername(), '@site' => $this->config('system.site')->get('name'))), 'Logged in using password reset link.');
// Make sure the ajax request from uploading a user picture does not
// invalidate the reset token.
$image = current($this->drupalGetTestFiles('image'));
$edit = array(
'files[user_picture_0]' => drupal_realpath($image->uri),
);
$this->drupalPostAjaxForm(NULL, $edit, 'user_picture_0_upload_button');
// Change the forgotten password. // Change the forgotten password.
$password = user_password(); $password = user_password();
$edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password); $edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password);