From bfd7cc23f73e9436cae049e4d880df8361858a9c Mon Sep 17 00:00:00 2001
From: Nathaniel Catchpole <catch@35733.no-reply.drupal.org>
Date: Tue, 5 Apr 2016 08:52:07 +0900
Subject: [PATCH] Issue #2624986 by Arla, heykarthikwithu, bradjones1,
 kristofferwiklund: Fix regression from #2400197, user edit form expects
 password reset hash

---
 core/modules/user/src/AccountForm.php                 | 5 +++--
 core/modules/user/src/Tests/UserPasswordResetTest.php | 9 +++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/core/modules/user/src/AccountForm.php b/core/modules/user/src/AccountForm.php
index 8b0149ebd5fb..9199c73fc0e4 100644
--- a/core/modules/user/src/AccountForm.php
+++ b/core/modules/user/src/AccountForm.php
@@ -127,8 +127,9 @@ public function form(array $form, FormStateInterface $form_state) {
       // To skip the current password field, the user must have logged in via a
       // one-time link and have the token in the URL. Store this in $form_state
       // so it persists even on subsequent Ajax requests.
-      if (!$form_state->get('user_pass_reset')) {
-        $user_pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && Crypt::hashEquals($_SESSION['pass_reset_' . $account->id()], \Drupal::request()->query->get('pass-reset-token'));
+      if (!$form_state->get('user_pass_reset') && ($token = $this->getRequest()->get('pass-reset-token'))) {
+        $session_key = 'pass_reset_' . $account->id();
+        $user_pass_reset = isset($_SESSION[$session_key]) && Crypt::hashEquals($_SESSION[$session_key], $token);
         $form_state->set('user_pass_reset', $user_pass_reset);
       }
 
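Review bot: The new guard on `pass-reset-token` tests only truthiness, so a non-string value (for example an array-valued parameter) still reaches `Crypt::hashEquals()`, which, judging by the error text asserted in this commit's test, complains when its user string is not a string. Replacing `\Drupal::request()->query->get()` with `$this->getRequest()->get()` also widens where the token is read from: Symfony's `Request::get()` consults route attributes and the POST body as well as the query string, while the comment above says the token must be in the URL. I would read it from the query bag and require a string: `$token = $this->getRequest()->query->get('pass-reset-token');` followed by `if (!$form_state->get('user_pass_reset') && is_string($token) && $token !== '') {`. form() begins and ends outside this hunk.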
diff --git a/core/modules/user/src/Tests/UserPasswordResetTest.php b/core/modules/user/src/Tests/UserPasswordResetTest.php
index 420b97a480da..1b415faad77c 100644
--- a/core/modules/user/src/Tests/UserPasswordResetTest.php
+++ b/core/modules/user/src/Tests/UserPasswordResetTest.php
@@ -140,6 +140,15 @@ function testUserPasswordReset() {
     $this->drupalPostForm(NULL, $edit, t('Submit'));
     $this->assertTrue( count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before + 1, 'Email sent when requesting password reset using email address.');
 
+    // Visit the user edit page without pass-reset-token and make sure it does
+    // not cause an error.
+    $resetURL = $this->getResetURL();
+    $this->drupalGet($resetURL);
+    $this->drupalPostForm(NULL, NULL, t('Log in'));
+    $this->drupalGet('user/' . $this->account->id() . '/edit');
+    $this->assertNoText('Expected user_string to be a string, NULL given');
+    $this->drupalLogout();
+
     // Create a password reset link as if the request time was 60 seconds older than the allowed limit.
     $timeout = $this->config('user.settings')->get('password_reset_timeout');
     $bogus_timestamp = REQUEST_TIME - $timeout - 60;
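Review bot: The added `assertNoText('Expected user_string to be a string, NULL given')` pins the exact wording of one error message, so it would still pass if the edit page failed in some other way or the message text changed. It also leaves the security-relevant outcome unchecked, namely that without the token the edit form still asks for the current password. I would add `$this->assertResponse(200);` right after the `drupalGet()` of the edit page, plus an assertion that the current-password field is present on it. testUserPasswordReset() begins and ends outside this hunk.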
-- 
GitLab