Commit 7e702149 authored by xjm's avatar xjm

Issue #889772 by stefan.r, tuutti, opdavies, Sutharsan, joachim, das-peter,...

Issue #889772 by stefan.r, tuutti, opdavies, Sutharsan, joachim, das-peter, YesCT, Zerdiox, hussainweb, mgifford: following a password reset link while logged in leaves users unable to change their password
parent 0b1a9a3d
......@@ -93,7 +93,7 @@ public function resetPass($uid, $timestamp, $hash) {
if ($account->isAuthenticated()) {
// The current user is already logged in.
if ($account->id() == $uid) {
drupal_set_message($this->t('You are logged in as %user. <a href="@user_edit">Change your password.</a>', array('%user' => $account->getUsername(), '@user_edit' => $this->url('entity.user.edit_form', array('user' => $account->id())))));
user_logout();
}
// A different user is already logged in on the computer.
else {
......@@ -105,31 +105,31 @@ public function resetPass($uid, $timestamp, $hash) {
// Invalid one-time link specifies an unknown user.
drupal_set_message($this->t('The one-time login link you clicked is invalid.'));
}
return $this->redirect('<front>');
}
return $this->redirect('<front>');
}
else {
// The current user is not logged in, so check the parameters.
// Time out, in seconds, until login URL expires.
$timeout = $config->get('password_reset_timeout');
$current = REQUEST_TIME;
/* @var \Drupal\user\UserInterface $user */
$user = $this->userStorage->load($uid);
// Verify that the user exists and is active.
if ($user && $user->isActive()) {
// No time out for first time login.
if ($user->getLastLoginTime() && $current - $timestamp > $timeout) {
drupal_set_message($this->t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
return $this->redirect('user.pass');
}
elseif ($user->isAuthenticated() && ($timestamp >= $user->getLastLoginTime()) && ($timestamp <= $current) && ($hash === user_pass_rehash($user->getPassword(), $timestamp, $user->getLastLoginTime(), $user->id()))) {
$expiration_date = $user->getLastLoginTime() ? $this->dateFormatter->format($timestamp + $timeout) : NULL;
return $this->formBuilder()->getForm('Drupal\user\Form\UserPasswordResetForm', $user, $expiration_date, $timestamp, $hash);
}
else {
drupal_set_message($this->t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'));
return $this->redirect('user.pass');
}
// The current user is not logged in, so check the parameters.
// Time out, in seconds, until login URL expires.
$timeout = $config->get('password_reset_timeout');
$current = REQUEST_TIME;
/* @var \Drupal\user\UserInterface $user */
$user = $this->userStorage->load($uid);
// Verify that the user exists and is active.
if ($user && $user->isActive()) {
// No time out for first time login.
if ($user->getLastLoginTime() && $current - $timestamp > $timeout) {
drupal_set_message($this->t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
return $this->redirect('user.pass');
}
elseif ($user->isAuthenticated() && ($timestamp >= $user->getLastLoginTime()) && ($timestamp <= $current) && ($hash === user_pass_rehash($user->getPassword(), $timestamp, $user->getLastLoginTime(), $user->id()))) {
$expiration_date = $user->getLastLoginTime() ? $this->dateFormatter->format($timestamp + $timeout) : NULL;
return $this->formBuilder()->getForm('Drupal\user\Form\UserPasswordResetForm', $user, $expiration_date, $timestamp, $hash);
}
else {
drupal_set_message($this->t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'));
return $this->redirect('user.pass');
}
}
// Blocked or invalid user ID, so deny access. The parameters will be in the
......
......@@ -57,6 +57,7 @@ protected function setUp() {
$this->drupalLogin($account);
$this->account = User::load($account->id());
$this->account->pass_raw = $account->pass_raw;
$this->drupalLogout();
// Set the last login time that is used to generate the one-time link so
......@@ -167,6 +168,29 @@ public function getResetURL() {
return $urls[0];
}
/**
* Test user password reset while logged in.
*/
public function testUserPasswordResetLoggedIn() {
// Log in.
$this->drupalLogin($this->account);
// Reset the password by username via the password reset page.
$this->drupalGet('user/password');
$this->drupalPostForm(NULL, NULL, t('Submit'));
// Click the reset URL while logged and change our password.
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
$this->drupalPostForm(NULL, NULL, t('Log in'));
// Change the password.
$password = user_password();
$edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password);
$this->drupalPostForm(NULL, $edit, t('Save'));
$this->assertText(t('The changes have been saved.'), 'Password changed.');
}
/**
* Prefill the text box on incorrect login via link to password reset page.
*/
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment