Commit 24d57a0a authored by webchick's avatar webchick

Issue #1939132 by lauriii, Albert Volkman, trawekp, David_Rothstein: Password...

Issue #1939132 by lauriii, Albert Volkman, trawekp, David_Rothstein: Password reset token is never deleted from the user's session after the password is changed.
parent 85170c95
......@@ -289,7 +289,7 @@ public function buildEntity(array $form, array &$form_state) {
}
/**
* Overrides Drupal\Core\Entity\EntityFormController::submit().
* {@inheritdoc}
*/
public function validate(array $form, array &$form_state) {
parent::validate($form, $form_state);
......@@ -354,4 +354,17 @@ public function validate(array $form, array &$form_state) {
}
}
/**
* {@inheritdoc}
*/
public function submit(array $form, array &$form_state) {
parent::submit($form, $form_state);
$user = $this->getEntity($form_state);
// If there's a session set to the users id, remove the password reset tag
// since a new password was saved.
if (isset($_SESSION['pass_reset_'. $user->id()])) {
unset($_SESSION['pass_reset_'. $user->id()]);
}
}
}
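Review bot: The comment above the `unset` near the end of the hunk says the flag is removed "since a new password was saved", but `submit()` runs on every successful submission of the account form whether or not `pass` was changed, so the reset flag is consumed by any profile save. If that conservative behaviour is intended, the comment should say so, e.g. `// Clear the one-time password-reset flag on any successful save of this account, so a reset link grants at most one password change without the current password.`; if only a password change should consume it, the `unset` needs a guard on the new password being non-empty. The `isset()` check is redundant because `unset()` on an absent key is a no-op, and the key is built twice; `$key = 'pass_reset_' . $user->id(); unset($_SESSION[$key]);` is shorter and avoids the duplicated concatenation. Judging by the method name this runs at form-submit time rather than after the entity is persisted, so the flag is cleared even if a later save step fails; worth confirming against the save handler, which is outside this hunk.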
......@@ -83,6 +83,16 @@ function testUserPasswordReset() {
$this->assertLink(t('Log out'));
$this->assertTitle(t('@name | @site', array('@name' => $this->account->getUsername(), '@site' => \Drupal::config('system.site')->get('name'))), 'Logged in using password reset link.');
// Change the forgotten password.
$password = user_password();
$edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password);
$this->drupalPostForm(NULL, $edit, t('Save'));
$this->assertText(t('The changes have been saved.'), 'Forgotten password changed.');
// Verify that the password reset session has been destroyed.
$this->drupalPostForm(NULL, $edit, t('Save'));
$this->assertText(t('Your current password is missing or incorrect; it\'s required to change the Password.'), 'Password needed to make profile changes.');
// Log out, and try to log in again using the same one-time link.
$this->drupalLogout();
$this->drupalGet($resetURL);
......@@ -92,7 +102,7 @@ function testUserPasswordReset() {
$this->drupalGet('user/password');
// Count email messages before to compare with after.
$before = count($this->drupalGetMails(array('id' => 'user_password_reset')));
$edit['name'] = $this->account->getEmail();
$edit = array('name' => $this->account->getEmail());
$this->drupalPostForm(NULL, $edit, t('E-mail new password'));
$this->assertTrue( count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before + 1, 'E-mail sent when requesting password reset using e-mail address.');
......
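Review bot: The new negative check (the second `$this->drupalPostForm(NULL, $edit, t('Save'));` followed by the "current password is missing" assertion) proves the `pass_reset_` flag is gone after the save, but it cannot tell whether it was cleared because the password changed or simply because the form was saved. If the intent is that only a password change consumes the reset grant, a further case that saves a non-password field first and then still changes the password without the current password would pin that; if any save is meant to consume it, a comment such as `// A second save without the current password must now be rejected: the first save consumed the reset flag.` would keep the test's intent clear. Both asserted strings are exact UI copy (including the capitalised "Password") and will break on any wording change, which matches the existing style of this test. `testUserPasswordReset()` starts and ends outside these hunks.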