Commit 29f441d3 authored by alexpott's avatar alexpott

Issue #1858486 by idebr, David_Rothstein, trawekp, MrHaroldA: Ajax call breaks Password Reset

parent 556d6807
......@@ -123,15 +123,19 @@ public function form(array $form, FormStateInterface $form_state) {
);
// To skip the current password field, the user must have logged in via a
// one-time link and have the token in the URL.
$pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && (\Drupal::request()->query->get('pass-reset-token') == $_SESSION['pass_reset_' . $account->id()]);
// one-time link and have the token in the URL. Store this in $form_state
// so it persists even on subsequent Ajax requests.
if (!$form_state->get('user_pass_reset')) {
$user_pass_reset = $pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && (\Drupal::request()->query->get('pass-reset-token') == $_SESSION['pass_reset_' . $account->id()]);
$form_state->set('user_pass_reset', $user_pass_reset);
}
$protected_values = array();
$current_pass_description = '';
// The user may only change their own password without their current
// password if they logged in via a one-time login link.
if (!$pass_reset) {
if (!$form_state->get('user_pass_reset')) {
$protected_values['mail'] = $form['account']['mail']['#title'];
$protected_values['pass'] = $this->t('Password');
$request_new = $this->l($this->t('Reset your password'), new Url('user.pass',
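Review bot: The one-time token check moved into the new `if (!$form_state->get('user_pass_reset'))` block still compares the `pass-reset-token` query value with the session value using loose `==`, which is neither type-strict nor constant-time for a secret that gates skipping the current-password field. I would use a constant-time string comparison instead, e.g. `hash_equals($_SESSION['pass_reset_' . $account->id()], (string) \Drupal::request()->query->get('pass-reset-token'))`, or the project's equivalent helper if the supported PHP versions lack `hash_equals()`. Because the result is kept in `$form_state` and not re-evaluated once TRUE, a comment should state how long that exemption is meant to live; where the session token is cleared is not visible, since form() starts and ends outside the hunk. `$pass_reset` is still assigned but no longer read in the visible lines.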
......
......@@ -15,6 +15,18 @@
* @group user
*/
class UserPasswordResetTest extends WebTestBase {
/**
* The profile to install as a basis for testing.
*
* This test uses the standard profile to test the password reset in
* combination with an ajax request provided by the user picture configuration
* in the standard profile.
*
* @var string
*/
protected $profile = 'standard';
/**
* The user object to test password resetting.
*
......@@ -89,6 +101,14 @@ function testUserPasswordReset() {
$this->assertLink(t('Log out'));
$this->assertTitle(t('@name | @site', array('@name' => $this->account->getUsername(), '@site' => $this->config('system.site')->get('name'))), 'Logged in using password reset link.');
// Make sure the ajax request from uploading a user picture does not
// invalidate the reset token.
$image = current($this->drupalGetTestFiles('image'));
$edit = array(
'files[user_picture_0]' => drupal_realpath($image->uri),
);
$this->drupalPostAjaxForm(NULL, $edit, 'user_picture_0_upload_button');
// Change the forgotten password.
$password = user_password();
$edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password);
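Review bot: The added Ajax step in testUserPasswordReset() only exercises the positive path, so nothing here pins that the flag stored in form state stays FALSE for a user who did not arrive with a valid token. I would add a negative case (Ajax upload on the edit form in a normal session, after which a password change without the current password must be rejected), introduced with a comment such as `// An Ajax rebuild must not grant the current-password exemption without a valid reset token.` The result of `drupalPostAjaxForm()` is also not asserted, so a failed upload would only surface indirectly in the later password change; the test method continues outside the hunk.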
......