From deead9fdad72854ba4387ae75b00a2e57319ba87 Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Tue, 19 Nov 2024 09:44:47 +0000
Subject: [PATCH] Issue #2855328 by danflanagan8, sourabh.singhal, Pancho,
 aarti zikre, asad_ahmed, priscarabelli, anushrikumari, ashwinparmar,
 vikashsoni, cilefen, ideaseed, Archana.Phatangare, quietone, finex, alexpott,
 catch, smustgrave, sugaroverflow: Password and confirm password should be
 mandatory fields while setting up password using one time link following by
 email

(cherry picked from commit 0b78493d29a50554f729cb382290cab97d479945)
---
 core/modules/user/src/AccountForm.php                    | 9 ++++++---
 .../user/tests/src/Functional/UserPasswordResetTest.php  | 4 ++++
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/core/modules/user/src/AccountForm.php b/core/modules/user/src/AccountForm.php
index 07725a83ed7b..bd8427ecc854 100644
--- a/core/modules/user/src/AccountForm.php
+++ b/core/modules/user/src/AccountForm.php
@@ -157,9 +157,12 @@ public function form(array $form, FormStateInterface $form_state) {
         ];
         $form_state->set('user', $account);
 
-        // The user may only change their own password without their current
-        // password if they logged in via a one-time login link.
-        if (!$form_state->get('user_pass_reset')) {
+        // If logged in via a one-time login link entering a new password is
+        // required and the user does not need to enter their current password.
+        if ($form_state->get('user_pass_reset')) {
+          $form['account']['pass']['#required'] = TRUE;
+        }
+        else {
           $form['account']['current_pass']['#description'] = $this->t('Required if you want to change the <em>Email address</em> or the <em>Password</em> field below. <a href=":request_new_url" title="Send password reset instructions via email.">Reset your password</a>.', [
             ':request_new_url' => Url::fromRoute('user.pass')->toString(),
           ]);
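Review bot: The new comment above `if ($form_state->get('user_pass_reset'))` says what is required but not why, and it reads ambiguously without a comma after "link". Something like `// After a one-time login the user must set a new password here, otherwise the account keeps its old (possibly unknown) password. The current password is not requested.` would record the reason for the next maintainer. The `#required` flag is only checked when this form is submitted with `user_pass_reset` set, so it does not by itself force a password change before the user navigates elsewhere; that is worth stating in the comment or the issue. The code that sets `user_pass_reset` and defines `$form['account']['pass']` is outside the hunk, so confirm the element always exists on this path. The `else` body also continues past the hunk.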
diff --git a/core/modules/user/tests/src/Functional/UserPasswordResetTest.php b/core/modules/user/tests/src/Functional/UserPasswordResetTest.php
index 7ad09f53748b..9f1eccf6b1b5 100644
--- a/core/modules/user/tests/src/Functional/UserPasswordResetTest.php
+++ b/core/modules/user/tests/src/Functional/UserPasswordResetTest.php
@@ -138,6 +138,10 @@ public function testUserPasswordReset(): void {
     $this->assertSession()->linkExists('Log out');
     $this->assertSession()->titleEquals($this->account->getAccountName() . ' | Drupal');
 
+    // Try to save without entering password.
+    $this->submitForm([], 'Save');
+    $this->assertSession()->pageTextContains('Password field is required.');
+
     // Change the forgotten password.
     $password = \Drupal::service('password_generator')->generate();
     $edit = ['pass[pass1]' => $password, 'pass[pass2]' => $password];
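Review bot: The added empty submission in `testUserPasswordReset()` asserts only the error text, so it does not pin that nothing was saved or that the user stays on the reset form. After `$this->submitForm([], 'Save');` consider adding `$this->assertSession()->pageTextNotContains('The changes have been saved.');`, assuming that is the success message this form emits, since it is not visible in the hunk. A case that fills only one of `pass[pass1]` / `pass[pass2]` would also show whether the confirm field is treated as mandatory, as the issue title asks. The test method continues outside the hunk.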
-- 
GitLab