Issue #2461105 by cilefen, Wim Leers: One-time password reset page should never be cached
parent
94af765142
commit
9a0cea2229
@ -10,6 +10,7 @@ namespace Drupal\user\Controller;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Datetime\DateFormatter;
use Drupal\Core\PageCache\ResponsePolicy\KillSwitch;
use Drupal\user\UserDataInterface;
use Drupal\user\UserInterface;
use Drupal\user\UserStorageInterface;
@ -42,6 +43,13 @@ class UserController extends ControllerBase {
*/
protected $userData;
/**
* The page cache killswitch.
*
* @var \Drupal\Core\PageCache\ResponsePolicy\KillSwitch
*/
protected $pageCacheKillSwitch;
/**
* Constructs a UserController object.
*
@ -51,11 +59,14 @@ class UserController extends ControllerBase {
* The user storage.
* @param \Drupal\user\UserDataInterface $user_data
* The user data service.
* @param \Drupal\Core\PageCache\ResponsePolicy\KillSwitch $page_cache_kill_switch
* The page cache killswitch.
*/
public function __construct(DateFormatter $date_formatter, UserStorageInterface $user_storage, UserDataInterface $user_data) {
public function __construct(DateFormatter $date_formatter, UserStorageInterface $user_storage, UserDataInterface $user_data, KillSwitch $page_cache_kill_switch) {
$this->dateFormatter = $date_formatter;
$this->userStorage = $user_storage;
$this->userData = $user_data;
$this->pageCacheKillSwitch = $page_cache_kill_switch;
}
/**
@ -65,7 +76,8 @@ class UserController extends ControllerBase {
return new static(
$container->get('date.formatter'),
$container->get('entity.manager')->getStorage('user'),
$container->get('user.data')
$container->get('user.data'),
$container->get('page_cache_kill_switch')
);
}
@ -86,6 +98,9 @@ class UserController extends ControllerBase {
* If the login link is for a blocked user or invalid user ID.
*/
public function resetPass($uid, $timestamp, $hash) {
// Don't cache the password reset page.
$this->pageCacheKillSwitch->trigger();
$account = $this->currentUser();
$config = $this->config('user.settings');
// When processing the one-time login link, we have to make sure that a user
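Review bot: The new `// Don't cache the password reset page.` comment at the top of resetPass() says what the call does but not why, and the why is what stops a later refactor from moving the trigger below the validation branches; suggest `// The response depends on the one-time hash in the URL, the current session and the link's time-limited validity, so no copy of it may ever be served from the page cache; trigger before any early return so the redirects for invalid or expired links are excluded too.` Placing the trigger before the `$this->currentUser()` lookup and the config read is the right choice for exactly that reason. Note that KillSwitch only informs Drupal's own page-cache response policy; whether reverse proxies and browsers also refrain from storing the page depends on the `Cache-Control` header emitted elsewhere, which this hunk does not show, so the accompanying test should cover that header as well. The constructor and create() hunks earlier in this file only wire the service and need no change. resetPass() continues outside the hunk.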
@ -7,7 +7,7 @@
namespace Drupal\user\Tests;
use Drupal\simpletest\WebTestBase;
use Drupal\system\Tests\Cache\PageCacheTagsTestBase;
use Drupal\user\Entity\User;
/**
@ -15,7 +15,7 @@ use Drupal\user\Entity\User;
*
* @group user
*/
class UserPasswordResetTest extends WebTestBase {
class UserPasswordResetTest extends PageCacheTagsTestBase {
/**
* The profile to install as a basis for testing.
@ -92,6 +92,11 @@ class UserPasswordResetTest extends WebTestBase {
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
$this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
// Ensure the password reset URL is not cached.
$this->drupalGet($resetURL);
$this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
// Check the one-time login page.
$this->assertText($this->account->getUsername(), 'One-time login page contains the correct username.');
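Review bot: Both new assertions check only that the `X-Drupal-Cache` header is absent, which shows Drupal's internal page cache stayed out of the way but says nothing about the `Cache-Control` header that keeps reverse proxies and browsers from storing the one-time login page; add an assertion on it after the first drupalGet(), e.g. `$this->assertEqual($this->drupalGetHeader('Cache-Control'), 'no-cache, must-revalidate');` (confirm the exact value the kernel emits for uncacheable responses). The comment `// Ensure the password reset URL is not cached.` belongs before the first drupalGet() rather than between the two requests, since the first assertion already relies on the page being uncacheable and the second request only confirms no cached copy was served. The enclosing test method starts outside the hunk.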
|