diff --git a/core/modules/user/src/Controller/UserController.php b/core/modules/user/src/Controller/UserController.php
index 0243c33690a..14e0a0997c7 100644
--- a/core/modules/user/src/Controller/UserController.php
+++ b/core/modules/user/src/Controller/UserController.php
@@ -10,6 +10,7 @@ namespace Drupal\user\Controller;
 use Drupal\Component\Utility\Xss;
 use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Datetime\DateFormatter;
+use Drupal\Core\PageCache\ResponsePolicy\KillSwitch;
 use Drupal\user\UserDataInterface;
 use Drupal\user\UserInterface;
 use Drupal\user\UserStorageInterface;
@@ -42,6 +43,13 @@ class UserController extends ControllerBase {
    */
   protected $userData;
 
+  /**
+   * The page cache killswitch.
+   *
+   * @var \Drupal\Core\PageCache\ResponsePolicy\KillSwitch
+   */
+  protected $pageCacheKillSwitch;
+
   /**
    * Constructs a UserController object.
    *
@@ -51,11 +59,14 @@ class UserController extends ControllerBase {
    *   The user storage.
    * @param \Drupal\user\UserDataInterface $user_data
    *   The user data service.
+   * @param \Drupal\Core\PageCache\ResponsePolicy\KillSwitch $page_cache_kill_switch
+   *   The page cache killswitch.
    */
-  public function __construct(DateFormatter $date_formatter, UserStorageInterface $user_storage, UserDataInterface $user_data) {
+  public function __construct(DateFormatter $date_formatter, UserStorageInterface $user_storage, UserDataInterface $user_data, KillSwitch $page_cache_kill_switch) {
     $this->dateFormatter = $date_formatter;
     $this->userStorage = $user_storage;
     $this->userData = $user_data;
+    $this->pageCacheKillSwitch = $page_cache_kill_switch;
   }
 
   /**
@@ -65,7 +76,8 @@ class UserController extends ControllerBase {
     return new static(
       $container->get('date.formatter'),
       $container->get('entity.manager')->getStorage('user'),
-      $container->get('user.data')
+      $container->get('user.data'),
+      $container->get('page_cache_kill_switch')
     );
   }
 
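Review bot: The new `KillSwitch $page_cache_kill_switch` parameter of __construct() is required and has no default, so any subclass of UserController that still calls `parent::__construct()` with three arguments now fails at runtime, and the commit does not mention that break. If the controller is meant to stay extensible, giving the parameter a `NULL` default and falling back in the body, e.g. `$this->pageCacheKillSwitch = $page_cache_kill_switch ?: \Drupal::service('page_cache_kill_switch');`, keeps existing callers working; otherwise the signature change should at least be called out in the commit message. The matching create() hunk already passes the fourth argument, so the service wiring itself looks complete.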
@@ -86,6 +98,9 @@ class UserController extends ControllerBase {
    *   If the login link is for a blocked user or invalid user ID.
    */
   public function resetPass($uid, $timestamp, $hash) {
+    // Don't cache the password reset page.
+    $this->pageCacheKillSwitch->trigger();
+
     $account = $this->currentUser();
     $config = $this->config('user.settings');
     // When processing the one-time login link, we have to make sure that a user
diff --git a/core/modules/user/src/Tests/UserPasswordResetTest.php b/core/modules/user/src/Tests/UserPasswordResetTest.php
index 5b61fda76f6..c48199a9d9c 100644
--- a/core/modules/user/src/Tests/UserPasswordResetTest.php
+++ b/core/modules/user/src/Tests/UserPasswordResetTest.php
@@ -7,7 +7,7 @@
 
 namespace Drupal\user\Tests;
 
-use Drupal\simpletest\WebTestBase;
+use Drupal\system\Tests\Cache\PageCacheTagsTestBase;
 use Drupal\user\Entity\User;
 
 /**
@@ -15,7 +15,7 @@ use Drupal\user\Entity\User;
  *
  * @group user
  */
-class UserPasswordResetTest extends WebTestBase {
+class UserPasswordResetTest extends PageCacheTagsTestBase {
 
   /**
    * The profile to install as a basis for testing.
@@ -92,6 +92,11 @@ class UserPasswordResetTest extends WebTestBase {
 
     $resetURL = $this->getResetURL();
     $this->drupalGet($resetURL);
+    $this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
+
+    // Ensure the password reset URL is not cached.
+    $this->drupalGet($resetURL);
+    $this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
 
     // Check the one-time login page.
     $this->assertText($this->account->getUsername(), 'One-time login page contains the correct username.');
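Review bot: The `trigger()` call is placed before the uid/timestamp/hash validation, so every exit path of resetPass(), including the error redirects, is kept out of the internal page cache, which is the right spot; what the hunk cannot show is whether the kill switch also makes the outgoing Cache-Control header non-cacheable, and a one-time login URL served from a reverse proxy or browser cache would defeat the intent just as much as an internal cache hit. Please confirm that path, or set a zero max-age on the response explicitly, and let the comment say why rather than what, e.g. `// Never cache: the URL carries a one-time login hash and the response depends on the current user and the link's expiry.`. resetPass() continues beyond the end of the hunk.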
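Review bot: The two `assertFalse($this->drupalGetHeader('X-Drupal-Cache'))` checks only show that the internal page cache did not answer the request; they say nothing about the Cache-Control header that proxies and browsers act on, so the test still passes if the reset page goes out with a public max-age. Asserting that header too on the second request, along the lines of `$this->assertTrue(strpos($this->drupalGetHeader('Cache-Control'), 'no-cache') !== FALSE, 'Reset page is not cacheable by proxies.');`, would pin the whole behaviour, assuming the code that writes Cache-Control honours the kill switch. The switch to PageCacheTagsTestBase is presumably what enables page_cache in this test so the X-Drupal-Cache assertion is not vacuous; a one-line class comment stating that dependency would keep a later cleanup from silently weakening the test.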