Unverified Commit a6e7eeef authored by alexpott's avatar alexpott

Issue #3109109 by andypost, Hardik_Patel_12, vijaycs85, kkalashnikov,...

Issue #3109109 by andypost, Hardik_Patel_12, vijaycs85, kkalashnikov, alexpott: AccountForm should read pass-reset-token only from query string

(cherry picked from commit 361ae1cb)
parent 8e53c1ce
......@@ -130,7 +130,7 @@ public function form(array $form, FormStateInterface $form_state) {
// To skip the current password field, the user must have logged in via a
// one-time link and have the token in the URL. Store this in $form_state
// so it persists even on subsequent Ajax requests.
if (!$form_state->get('user_pass_reset') && ($token = $this->getRequest()->get('pass-reset-token'))) {
if (!$form_state->get('user_pass_reset') && ($token = $this->getRequest()->query->get('pass-reset-token'))) {
$session_key = 'pass_reset_' . $account->id();
$user_pass_reset = isset($_SESSION[$session_key]) && hash_equals($_SESSION[$session_key], $token);
$form_state->set('user_pass_reset', $user_pass_reset);
......
<?php
namespace Drupal\Tests\user\Kernel;
use Drupal\KernelTests\KernelTestBase;
use Drupal\user\Entity\User;
/**
* Verifies that the password reset behaves as expected with form elements.
*
* @group user
*/
class UserAccountFormPasswordResetTest extends KernelTestBase {
/**
* Modules to enable.
*
* @var array
*/
protected static $modules = ['system', 'user'];
/**
* User object.
*
* @var \Drupal\user\UserInterface
*/
protected $user;
/**
* {@inheritdoc}
*/
protected function setUp(): void {
parent::setUp();
// Install default configuration; required for AccountFormController.
$this->installConfig(['user']);
$this->installSchema('system', ['sequences']);
$this->installEntitySchema('user');
// Create an user to login.
$this->user = User::create(['name' => 'test']);
$this->user->save();
// Set current user.
$this->container->set('current_user', $this->user);
// Install the router table and then rebuild.
\Drupal::service('router.builder')->rebuild();
}
/**
* Tests the reset token used only from query string.
*/
public function testPasswordResetToken() {
$token = 'VALID_TOKEN';
$_SESSION['pass_reset_1'] = $token;
/** @var \Symfony\Component\HttpFoundation\Request $request */
$request = $this->container->get('request_stack')->getCurrentRequest();
// Set token in query string.
$request->query->set('pass-reset-token', $token);
$form = $this->buildAccountForm('default');
// User shouldn't see current password field.
$this->assertFalse($form['account']['current_pass']['#access']);
$request->query->set('pass-reset-token', NULL);
$request->attributes->set('pass-reset-token', $token);
$form = $this->buildAccountForm('default');
$this->assertTrue($form['account']['current_pass']['#access']);
}
/**
* Builds the user account form for a given operation.
*
* @param string $operation
* The entity operation; one of 'register' or 'default'.
*
* @return array
* The form array.
*/
protected function buildAccountForm($operation) {
// @see HtmlEntityFormController::getFormObject()
$entity_type = 'user';
$fields = [];
if ($operation != 'register') {
$fields['uid'] = $this->user->id();
}
$entity = $this->container->get('entity_type.manager')
->getStorage($entity_type)
->create($fields);
// @see EntityFormBuilder::getForm()
return $this->container->get('entity.form_builder')->getForm($entity, $operation);
}
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment