Commit 9a0cea22 authored by alexpott

Issue #2461105 by cilefen, Wim Leers: One-time password reset page should never be cached

parent 94af7651
......@@ -10,6 +10,7 @@
use Drupal\Component\Utility\Xss;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Datetime\DateFormatter;
use Drupal\Core\PageCache\ResponsePolicy\KillSwitch;
use Drupal\user\UserDataInterface;
use Drupal\user\UserInterface;
use Drupal\user\UserStorageInterface;
......@@ -42,6 +43,13 @@ class UserController extends ControllerBase {
*/
protected $userData;
/**
* The page cache killswitch.
*
* @var \Drupal\Core\PageCache\ResponsePolicy\KillSwitch
*/
protected $pageCacheKillSwitch;
/**
* Constructs a UserController object.
*
......@@ -51,11 +59,14 @@ class UserController extends ControllerBase {
* The user storage.
* @param \Drupal\user\UserDataInterface $user_data
* The user data service.
* @param \Drupal\Core\PageCache\ResponsePolicy\KillSwitch $page_cache_kill_switch
* The page cache killswitch.
*/
public function __construct(DateFormatter $date_formatter, UserStorageInterface $user_storage, UserDataInterface $user_data) {
public function __construct(DateFormatter $date_formatter, UserStorageInterface $user_storage, UserDataInterface $user_data, KillSwitch $page_cache_kill_switch) {
$this->dateFormatter = $date_formatter;
$this->userStorage = $user_storage;
$this->userData = $user_data;
$this->pageCacheKillSwitch = $page_cache_kill_switch;
}
/**
......@@ -65,7 +76,8 @@ public static function create(ContainerInterface $container) {
return new static(
$container->get('date.formatter'),
$container->get('entity.manager')->getStorage('user'),
$container->get('user.data')
$container->get('user.data'),
$container->get('page_cache_kill_switch')
);
}
......@@ -86,6 +98,9 @@ public static function create(ContainerInterface $container) {
* If the login link is for a blocked user or invalid user ID.
*/
public function resetPass($uid, $timestamp, $hash) {
// Don't cache the password reset page.
$this->pageCacheKillSwitch->trigger();
$account = $this->currentUser();
$config = $this->config('user.settings');
// When processing the one-time login link, we have to make sure that a user
......
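Review bot: The kill switch is triggered as the very first statement of resetPass(), ahead of the currentUser()/config lookups and whatever branches follow outside the hunk, which is the right placement, but the comment `// Don't cache the password reset page.` only restates the call; a why-comment would keep a later refactor from sliding it below an early return. Suggest `// Never serve this page from cache: the one-time login link must be re-validated on every request, and the response is specific to the holder of the link.` Also note that KillSwitch is a response policy for Drupal's internal page cache; whether the response ends up with a private/no-cache Cache-Control header for reverse proxies and CDNs depends on code outside this hunk, which is worth confirming since the URL carries the one-time hash. resetPass's body continues past the end of the hunk.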
......@@ -7,7 +7,7 @@
namespace Drupal\user\Tests;
use Drupal\simpletest\WebTestBase;
use Drupal\system\Tests\Cache\PageCacheTagsTestBase;
use Drupal\user\Entity\User;
/**
......@@ -15,7 +15,7 @@
*
* @group user
*/
class UserPasswordResetTest extends WebTestBase {
class UserPasswordResetTest extends PageCacheTagsTestBase {
/**
* The profile to install as a basis for testing.
......@@ -92,6 +92,11 @@ function testUserPasswordReset() {
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
$this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
// Ensure the password reset URL is not cached.
$this->drupalGet($resetURL);
$this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
// Check the one-time login page.
$this->assertText($this->account->getUsername(), 'One-time login page contains the correct username.');
......
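Review bot: The added second drupalGet() of $resetURL only asserts that the `X-Drupal-Cache` header is absent, i.e. that Drupal's internal page cache neither stored nor served the page; it says nothing about the caching headers an external reverse proxy would honour, and the URL contains the one-time hash. Consider asserting the cache-control contract on the same response as well, e.g. `$this->assertEqual($this->drupalGetHeader('Cache-Control'), 'must-revalidate, no-cache, private');`, adjusted to whatever value Drupal emits for uncacheable responses. The switch from WebTestBase to PageCacheTagsTestBase presumably enables the page cache so that the assertion is meaningful; a one-line comment such as `// PageCacheTagsTestBase enables the page cache, so a cached response would carry X-Drupal-Cache.` would make that dependency explicit. testUserPasswordReset() continues outside the hunk.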