Commit 10a0113c authored by catch's avatar catch

Issue #992540 by valthebald, ndobromirov, jec006, kid_icarus, rickmanelius,...

Issue #992540 by valthebald, ndobromirov, jec006, kid_icarus, rickmanelius, mr.baileys, pguillard, joseph.olstad, vijaycs85, paulocs, voleger, Matt V., aerozeppelin, ravi.shankar, quietone, Munavijayalakshmi, ranjith_kumar_k_u, evilehk, swentel, gaurav.kapoor, yogeshmpawar, klidifia, pradhumanjainOSL, louis-cuny, catch, Everett Zufelt, alexpott, cilefen, xjm, grendzy, cashwilliams, borisson_, lachezar.valchev, tstoeckler, Heine: Nothing clears the "5 failed login attempts" security message when a user resets their own password
parent a0d14f43
+11 −0
@@ -235,6 +235,17 @@ public function resetPassLogin($uid, $timestamp, $hash, Request $request) {
      return $redirect;
    }

    $flood_config = $this->config('user.flood');
    if ($flood_config->get('uid_only')) {
      $identifier = $user->id();
    }
    else {
      $identifier = $user->id() . '-' . $request->getClientIP();
    }

    $this->flood->clear('user.failed_login_user', $identifier);
    $this->flood->clear('user.http_login', $identifier);

    user_login_finalize($user);
    $this->logger->notice('User %name used one-time login link at time %timestamp.', ['%name' => $user->getDisplayName(), '%timestamp' => $timestamp]);
    $this->messenger()->addStatus($this->t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please set your password.'));
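Review bot: The new block clears only the per-user flood events (`user.failed_login_user`, `user.http_login`) and never the IP-based counter, and that choice deserves a comment, because the accompanying test in UserLoginTest relies on the IP counter surviving a password reset; above `$this->flood->clear('user.failed_login_user', $identifier);` add `// Clear only the per-user flood counters; the IP-based counter is left intact so a reset link cannot be used to bypass IP-level flood control.` The identifier construction (`uid` or `uid-ip` depending on `uid_only`) must match byte-for-byte the one used where the failed attempts are recorded, presumably in the login form, so consider extracting it into a shared helper rather than duplicating it here. Also write the Symfony method as `$request->getClientIp()` — PHP resolves method names case-insensitively so `getClientIP()` works, but it differs from the declared name and from the casing used elsewhere. resetPassLogin begins and ends outside the hunk.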
+39 −1
@@ -2,6 +2,7 @@

namespace Drupal\Tests\user\Functional;

use Drupal\Core\Test\AssertMailTrait;
use Drupal\Core\Url;
use Drupal\Tests\BrowserTestBase;
use Drupal\user\Entity\User;
@@ -14,6 +15,10 @@
 */
class UserLoginTest extends BrowserTestBase {

  use AssertMailTrait {
    getMails as drupalGetMails;
  }

  /**
   * {@inheritdoc}
   */
@@ -75,6 +80,13 @@ public function testGlobalLoginFloodControl() {
    // A login with the correct password should also result in a flood error
    // message.
    $this->assertFailedLogin($user1, 'ip');

    // A login attempt after resetting the password should still fail, since the
    // IP-based flood control count is not cleared after a password reset.
    $this->resetUserPassword($user1);
    $this->drupalLogout();
    $this->assertFailedLogin($user1, 'ip');
    $this->assertSession()->responseContains('Too many failed login attempts from your IP address.');
  }

  /**
@@ -98,7 +110,8 @@ public function testPerUserLoginFloodControl() {
      $this->assertFailedLogin($incorrect_user1);
    }

    // A successful login will reset the per-user flood control count.
    // We're not going to test resetting the password which should clear the
    // flood table and allow the user to log in again.
    $this->drupalLogin($user1);
    $this->drupalLogout();

@@ -115,6 +128,12 @@ public function testPerUserLoginFloodControl() {
    // Try one more attempt for user 1, it should be rejected, even if the
    // correct password has been used.
    $this->assertFailedLogin($user1, 'user');
    $this->resetUserPassword($user1);
    $this->drupalLogout();

    // Try to log in as user 1, it should be successful.
    $this->drupalLogin($user1);
    $this->assertSession()->responseContains('Member for');
  }

  /**
@@ -300,4 +319,23 @@ public function assertFailedLogin(User $account, string $flood_trigger = NULL):
    }
  }

  /**
   * Reset user password.
   *
   * @param object $user
   *   A user object.
   */
  public function resetUserPassword($user) {
    $this->drupalGet('user/password');
    $edit['name'] = $user->getDisplayName();
    $this->submitForm($edit, 'Submit');
    $_emails = $this->drupalGetMails();
    $email = end($_emails);
    $urls = [];
    preg_match('#.+user/reset/.+#', $email['body'], $urls);
    $resetURL = $urls[0];
    $this->drupalGet($resetURL);
    $this->submitForm([], 'Log in');
  }

}
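Review bot: In resetUserPassword the `preg_match` result is not checked, so if the mail body contains no reset link `$urls[0]` is undefined and the test proceeds to `drupalGet(null)` with a confusing failure far from the cause; replace the match line with `$this->assertSame(1, preg_match('#.+user/reset/.+#', $email['body'], $urls), 'Reset URL found in mail.');` and for the same reason assert that `$email` is not `false` after `end()`. The signature should also be typed like the sibling `assertFailedLogin(User $account, ...)`: `public function resetUserPassword(User $user): void {` with `@param \Drupal\user\Entity\User $user` in the docblock instead of `object`. Separately, the comment in testPerUserLoginFloodControl saying "We're not going to test resetting the password" now contradicts the `resetUserPassword($user1)` call later in the same test and should be rewritten or dropped.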