authorwebchick2014-01-24 06:04:10 (GMT)
committerwebchick2014-01-24 06:04:10 (GMT)
commit24d57a0aa400c3e24fc13c1d56b36c75927a430f (patch)
tree5f87de90f5036b14b5a6aa99f251a86d1c9dc5a9
parent85170c9570a5de17a5e251c4f44d874089cf766a (diff)
Issue #1939132 by lauriii, Albert Volkman, trawekp, David_Rothstein: Password reset token is never deleted from the user's session after the password is changed.
-rw-r--r--core/modules/user/lib/Drupal/user/AccountFormController.php15
-rw-r--r--core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php12
2 files changed, 25 insertions, 2 deletions
diff --git a/core/modules/user/lib/Drupal/user/AccountFormController.php b/core/modules/user/lib/Drupal/user/AccountFormController.php
index e67520b..c1c3735 100644
--- a/core/modules/user/lib/Drupal/user/AccountFormController.php
+++ b/core/modules/user/lib/Drupal/user/AccountFormController.php
@@ -289,7 +289,7 @@ abstract class AccountFormController extends ContentEntityFormController {
}
/**
- * Overrides Drupal\Core\Entity\EntityFormController::submit().
+ * {@inheritdoc}
*/
public function validate(array $form, array &$form_state) {
parent::validate($form, $form_state);
@@ -354,4 +354,17 @@ abstract class AccountFormController extends ContentEntityFormController {
}
}
+ /**
+ * {@inheritdoc}
+ */
+ public function submit(array $form, array &$form_state) {
+ parent::submit($form, $form_state);
+
+ $user = $this->getEntity($form_state);
+ // If there's a session set to the users id, remove the password reset tag
+ // since a new password was saved.
+ if (isset($_SESSION['pass_reset_'. $user->id()])) {
+ unset($_SESSION['pass_reset_'. $user->id()]);
+ }
+ }
}
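Review bot: The comment on the added `submit()` says the tag is removed "since a new password was saved", but nothing in the method checks whether the `pass` field was actually filled in, so the one-time flag is cleared on any successful save of the account form (an e-mail-only edit included); that is the safer one-time-use behaviour, but the comment should say so, e.g. `// Clear the one-time password reset flag for this account on any save so the reset link cannot be reused for later edits.`. The `isset()` guard is redundant, because `unset()` on an absent key is a no-op, so the body can be just `unset($_SESSION['pass_reset_' . $user->id()]);`. Note that this runs in `submit()`, which in the parent hierarchy appears to precede the actual entity save, so the flag is consumed even if the save later fails — presumably acceptable, but worth a sentence in the comment. The enclosing class starts outside this hunk.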
diff --git a/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php b/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php
index f8635fd..8b4da13 100644
--- a/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php
+++ b/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php
@@ -83,6 +83,16 @@ class UserPasswordResetTest extends WebTestBase {
$this->assertLink(t('Log out'));
$this->assertTitle(t('@name | @site', array('@name' => $this->account->getUsername(), '@site' => \Drupal::config('system.site')->get('name'))), 'Logged in using password reset link.');
+ // Change the forgotten password.
+ $password = user_password();
+ $edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password);
+ $this->drupalPostForm(NULL, $edit, t('Save'));
+ $this->assertText(t('The changes have been saved.'), 'Forgotten password changed.');
+
+ // Verify that the password reset session has been destroyed.
+ $this->drupalPostForm(NULL, $edit, t('Save'));
+ $this->assertText(t('Your current password is missing or incorrect; it\'s required to change the Password.'), 'Password needed to make profile changes.');
+
// Log out, and try to log in again using the same one-time link.
$this->drupalLogout();
$this->drupalGet($resetURL);
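Review bot: The test only checks the status message after the first `drupalPostForm()` and the "current password" error after the second one; it never confirms that the first save actually stored the new password, so a regression that shows the status message without updating the hash would still pass. After the logout on the following lines, a `$this->drupalLogin($this->account)` with `$this->account->pass_raw = $password` set beforehand would pin that the new password works (the exact property name should be checked against `WebTestBase::drupalLogin()`, which is outside this hunk). Reusing the same `$edit` array for the second post is fine here, but a short comment such as `// Re-submitting the same form must now require the current password.` would make the intent of the second post explicit.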
@@ -92,7 +102,7 @@ class UserPasswordResetTest extends WebTestBase {
$this->drupalGet('user/password');
// Count email messages before to compare with after.
$before = count($this->drupalGetMails(array('id' => 'user_password_reset')));
- $edit['name'] = $this->account->getEmail();
+ $edit = array('name' => $this->account->getEmail());
$this->drupalPostForm(NULL, $edit, t('E-mail new password'));
$this->assertTrue( count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before + 1, 'E-mail sent when requesting password reset using e-mail address.');