Commit 9a0cea22 authored by alexpott's avatar alexpott

Issue #2461105 by cilefen, Wim Leers: One-time password reset page should never be cached

parent 94af7651
...@@ -10,6 +10,7 @@ ...@@ -10,6 +10,7 @@
use Drupal\Component\Utility\Xss; use Drupal\Component\Utility\Xss;
use Drupal\Core\Controller\ControllerBase; use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Datetime\DateFormatter; use Drupal\Core\Datetime\DateFormatter;
use Drupal\Core\PageCache\ResponsePolicy\KillSwitch;
use Drupal\user\UserDataInterface; use Drupal\user\UserDataInterface;
use Drupal\user\UserInterface; use Drupal\user\UserInterface;
use Drupal\user\UserStorageInterface; use Drupal\user\UserStorageInterface;
...@@ -42,6 +43,13 @@ class UserController extends ControllerBase { ...@@ -42,6 +43,13 @@ class UserController extends ControllerBase {
*/ */
protected $userData; protected $userData;
/**
* The page cache killswitch.
*
* @var \Drupal\Core\PageCache\ResponsePolicy\KillSwitch
*/
protected $pageCacheKillSwitch;
/** /**
* Constructs a UserController object. * Constructs a UserController object.
* *
...@@ -51,11 +59,14 @@ class UserController extends ControllerBase { ...@@ -51,11 +59,14 @@ class UserController extends ControllerBase {
* The user storage. * The user storage.
* @param \Drupal\user\UserDataInterface $user_data * @param \Drupal\user\UserDataInterface $user_data
* The user data service. * The user data service.
* @param \Drupal\Core\PageCache\ResponsePolicy\KillSwitch $page_cache_kill_switch
* The page cache killswitch.
*/ */
public function __construct(DateFormatter $date_formatter, UserStorageInterface $user_storage, UserDataInterface $user_data) { public function __construct(DateFormatter $date_formatter, UserStorageInterface $user_storage, UserDataInterface $user_data, KillSwitch $page_cache_kill_switch) {
$this->dateFormatter = $date_formatter; $this->dateFormatter = $date_formatter;
$this->userStorage = $user_storage; $this->userStorage = $user_storage;
$this->userData = $user_data; $this->userData = $user_data;
$this->pageCacheKillSwitch = $page_cache_kill_switch;
} }
/** /**
...@@ -65,7 +76,8 @@ public static function create(ContainerInterface $container) { ...@@ -65,7 +76,8 @@ public static function create(ContainerInterface $container) {
return new static( return new static(
$container->get('date.formatter'), $container->get('date.formatter'),
$container->get('entity.manager')->getStorage('user'), $container->get('entity.manager')->getStorage('user'),
$container->get('user.data') $container->get('user.data'),
$container->get('page_cache_kill_switch')
); );
} }
...@@ -86,6 +98,9 @@ public static function create(ContainerInterface $container) { ...@@ -86,6 +98,9 @@ public static function create(ContainerInterface $container) {
* If the login link is for a blocked user or invalid user ID. * If the login link is for a blocked user or invalid user ID.
*/ */
public function resetPass($uid, $timestamp, $hash) { public function resetPass($uid, $timestamp, $hash) {
// Don't cache the password reset page.
$this->pageCacheKillSwitch->trigger();
$account = $this->currentUser(); $account = $this->currentUser();
$config = $this->config('user.settings'); $config = $this->config('user.settings');
// When processing the one-time login link, we have to make sure that a user // When processing the one-time login link, we have to make sure that a user
......
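Review bot: The `$this->pageCacheKillSwitch->trigger()` added at the top of resetPass() only tells Drupal's own page cache not to store the response; nothing in the hunk sets a `Cache-Control` header, so whether a reverse proxy or browser cache may still keep a copy of this page depends on what the response-policy layer does with a triggered kill switch, which is not visible here. Because the response is built from the one-time `$hash` in the URL and shows the account's username, it should be confirmed (or enforced on the returned response) that the result is uncacheable at the HTTP level as well, not only inside Drupal. The comment would also help a later reader if it said why, e.g. `// Don't cache the password reset page: it is rendered for a one-time login link and must never be served to another client.`. resetPass()'s body continues outside the hunk.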
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
namespace Drupal\user\Tests; namespace Drupal\user\Tests;
use Drupal\simpletest\WebTestBase; use Drupal\system\Tests\Cache\PageCacheTagsTestBase;
use Drupal\user\Entity\User; use Drupal\user\Entity\User;
/** /**
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* *
* @group user * @group user
*/ */
class UserPasswordResetTest extends WebTestBase { class UserPasswordResetTest extends PageCacheTagsTestBase {
/** /**
* The profile to install as a basis for testing. * The profile to install as a basis for testing.
...@@ -92,6 +92,11 @@ function testUserPasswordReset() { ...@@ -92,6 +92,11 @@ function testUserPasswordReset() {
$resetURL = $this->getResetURL(); $resetURL = $this->getResetURL();
$this->drupalGet($resetURL); $this->drupalGet($resetURL);
$this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
// Ensure the password reset URL is not cached.
$this->drupalGet($resetURL);
$this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
// Check the one-time login page. // Check the one-time login page.
$this->assertText($this->account->getUsername(), 'One-time login page contains the correct username.'); $this->assertText($this->account->getUsername(), 'One-time login page contains the correct username.');
......
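Review bot: `assertFalse($this->drupalGetHeader('X-Drupal-Cache'))` is a purely negative check that also passes when page caching is not active in the test at all, so as written it cannot tell the fix working apart from the cache simply being off. A positive control makes it meaningful: request a normally cacheable page twice and assert `$this->assertEqual($this->drupalGetHeader('X-Drupal-Cache'), 'HIT')` before repeating the reset URL. Presumably the switch to PageCacheTagsTestBase enables the page cache, but nothing in the hunk shows that, and asserting the `Cache-Control` header on the reset page would additionally cover caches outside Drupal. testUserPasswordReset() continues outside the hunk.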