Commit 9cdd22cb authored by Jess's avatar Jess
Browse files

Issue #753898 by corbacho, weri, opdavies, dscl, idebr, willzyx,... 

Issue #753898 by corbacho, weri, opdavies, dscl, idebr, willzyx, manauwarsheikh, dansologuren, yoroy, alexpott: Wrong message for blocked users who request password reset
parent 618ad10a

core/modules/user/src/Form/UserPasswordForm.php

+9 −3
Original line number Diff line number Diff line
@@ -116,15 +116,21 @@ public function buildForm(array $form, FormStateInterface $form_state) { 
  public function validateForm(array &$form, FormStateInterface $form_state) {

    $name = trim($form_state->getValue('name'));

    // Try to load by email.

    $users = $this->userStorage->loadByProperties(array('mail' => $name, 'status' => '1'));

    $users = $this->userStorage->loadByProperties(array('mail' => $name));

    if (empty($users)) {

      // No success, try to load by name.

      $users = $this->userStorage->loadByProperties(array('name' => $name, 'status' => '1'));

      $users = $this->userStorage->loadByProperties(array('name' => $name));

    }

    $account = reset($users);

    if ($account && $account->id()) {

      // Blocked accounts cannot request a new password.

      if (!$account->isActive()) {

        $form_state->setErrorByName('name', $this->t('%name is blocked or has not been activated yet.', array('%name' => $name)));

      }

      else {

        $form_state->setValueForElement(array('#parents' => array('account')), $account);

      }

    }

    else {

      $form_state->setErrorByName('name', $this->t('Sorry, %name is not recognized as a username or an email address.', array('%name' => $name)));

    }

core/modules/user/src/Tests/UserPasswordResetTest.php

+9 −0
Original line number Diff line number Diff line
@@ -153,6 +153,15 @@ function testUserPasswordReset() { 
    $blocked_account->save();

    $this->drupalGet("user/reset/" . $blocked_account->id() . "/$timestamp/" . user_pass_rehash($blocked_account->getPassword(), $timestamp, $blocked_account->getLastLoginTime(), $this->account->id()));

    $this->assertResponse(403);



    // Verify a blocked user can not request a new password.

    $this->drupalGet('user/password');

    // Count email messages before to compare with after.

    $before = count($this->drupalGetMails(array('id' => 'user_password_reset')));

    $edit = array('name' => $blocked_account->getUsername());

    $this->drupalPostForm(NULL, $edit, t('Submit'));

    $this->assertRaw(t('%name is blocked or has not been activated yet.', array('%name' => $blocked_account->getUsername())), 'Notified user blocked accounts can not request a new password');

    $this->assertTrue(count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before, 'No email was sent when requesting password reset for a blocked account');

  }



  /**