Commit bfd7cc23 authored by catch's avatar catch

Issue #2624986 by Arla, heykarthikwithu, bradjones1, kristofferwiklund: Fix...

Issue #2624986 by Arla, heykarthikwithu, bradjones1, kristofferwiklund: Fix regression from #2400197, user edit form expects password reset hash
parent afac08a6
......@@ -127,8 +127,9 @@ public function form(array $form, FormStateInterface $form_state) {
// To skip the current password field, the user must have logged in via a
// one-time link and have the token in the URL. Store this in $form_state
// so it persists even on subsequent Ajax requests.
if (!$form_state->get('user_pass_reset')) {
$user_pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && Crypt::hashEquals($_SESSION['pass_reset_' . $account->id()], \Drupal::request()->query->get('pass-reset-token'));
if (!$form_state->get('user_pass_reset') && ($token = $this->getRequest()->get('pass-reset-token'))) {
$session_key = 'pass_reset_' . $account->id();
$user_pass_reset = isset($_SESSION[$session_key]) && Crypt::hashEquals($_SESSION[$session_key], $token);
$form_state->set('user_pass_reset', $user_pass_reset);
}
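Review bot: The token lookup on the new `if` line uses `$this->getRequest()->get('pass-reset-token')`, which in Symfony's Request consults route attributes and the POST body as well as the query string, whereas the line it replaces read `->query->get(...)` and the comment above says the token must be in the URL. The truthiness guard also lets a non-string value through (such as an array-valued parameter), so `Crypt::hashEquals()` could still raise the same type error this commit fixes for NULL. I would read the token from the query bag only and require a string: `$token = $this->getRequest()->query->get('pass-reset-token');` followed by `if (!$form_state->get('user_pass_reset') && is_string($token) && $token !== '') {`. The +/- markers are lost on this page, so this assumes the three lines using `$token` and `$session_key` are the new side; form() starts and ends outside the hunk.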
......
......@@ -140,6 +140,15 @@ function testUserPasswordReset() {
$this->drupalPostForm(NULL, $edit, t('Submit'));
$this->assertTrue( count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before + 1, 'Email sent when requesting password reset using email address.');
// Visit the user edit page without pass-reset-token and make sure it does
// not cause an error.
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
$this->drupalPostForm(NULL, NULL, t('Log in'));
$this->drupalGet('user/' . $this->account->id() . '/edit');
$this->assertNoText('Expected user_string to be a string, NULL given');
$this->drupalLogout();
// Create a password reset link as if the request time was 60 seconds older than the allowed limit.
$timeout = $this->config('user.settings')->get('password_reset_timeout');
$bogus_timestamp = REQUEST_TIME - $timeout - 60;
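Review bot: The added check `assertNoText('Expected user_string to be a string, NULL given')` only proves that one exact message is absent, so the test would still pass if the edit page failed with a different error or an access-denied response. Adding `$this->assertResponse(200);` right after the `drupalGet('user/' . $this->account->id() . '/edit')` call would pin that the page actually loads. It would also be worth asserting that the current-password field is still rendered on this request, since a missing `pass-reset-token` is exactly the case where the current-password confirmation must not be skipped. testUserPasswordReset() starts and ends outside the hunk.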
......