authorAlex Pott2015-01-12 14:30:36 (GMT)
committerAlex Pott2015-01-12 14:30:36 (GMT)
commit29f441d3c20245d7f63cabe2b0fa6fc99f7c2048 (patch)
tree89e329db9734c29be577102ee03d14951cc61ca3
parent556d680743ad3675794d1d2e75d20ba30d0babc6 (diff)
Issue #1858486 by idebr, David_Rothstein, trawekp, MrHaroldA: Ajax call breaks Password Reset
-rw-r--r--core/modules/user/src/AccountForm.php10
-rw-r--r--core/modules/user/src/Tests/UserPasswordResetTest.php20
2 files changed, 27 insertions, 3 deletions
diff --git a/core/modules/user/src/AccountForm.php b/core/modules/user/src/AccountForm.php
index 7cf5ad6..7ed3cbd 100644
--- a/core/modules/user/src/AccountForm.php
+++ b/core/modules/user/src/AccountForm.php
@@ -123,15 +123,19 @@ abstract class AccountForm extends ContentEntityForm {
);
// To skip the current password field, the user must have logged in via a
- // one-time link and have the token in the URL.
- $pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && (\Drupal::request()->query->get('pass-reset-token') == $_SESSION['pass_reset_' . $account->id()]);
+ // one-time link and have the token in the URL. Store this in $form_state
+ // so it persists even on subsequent Ajax requests.
+ if (!$form_state->get('user_pass_reset')) {
+ $user_pass_reset = $pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && (\Drupal::request()->query->get('pass-reset-token') == $_SESSION['pass_reset_' . $account->id()]);
+ $form_state->set('user_pass_reset', $user_pass_reset);
+ }
$protected_values = array();
$current_pass_description = '';
// The user may only change their own password without their current
// password if they logged in via a one-time login link.
- if (!$pass_reset) {
+ if (!$form_state->get('user_pass_reset')) {
$protected_values['mail'] = $form['account']['mail']['#title'];
$protected_values['pass'] = $this->t('Password');
$request_new = $this->l($this->t('Reset your password'), new Url('user.pass',
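Review bot: The added `$user_pass_reset = $pass_reset = ...` line still compares the URL's `pass-reset-token` with the session value using loose `==`, which is subject to PHP type juggling and is not constant-time. A strict, timing-safe string comparison would be safer, for example `hash_equals($_SESSION['pass_reset_' . $account->id()], (string) \Drupal::request()->query->get('pass-reset-token'))` where the supported PHP version provides it. Once `user_pass_reset` is truthy in `$form_state` the token is never checked again, so skipping the current-password field on later requests relies on the cached form state being bound to the same session; that is presumably the case, but a comment stating the assumption would help. `$pass_reset` is now assigned only inside the `if`, so any remaining use of it further down the method (which continues outside this hunk) would be undefined on rebuilds.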
diff --git a/core/modules/user/src/Tests/UserPasswordResetTest.php b/core/modules/user/src/Tests/UserPasswordResetTest.php
index c8a1f4b..3d89581 100644
--- a/core/modules/user/src/Tests/UserPasswordResetTest.php
+++ b/core/modules/user/src/Tests/UserPasswordResetTest.php
@@ -15,6 +15,18 @@ use Drupal\simpletest\WebTestBase;
* @group user
*/
class UserPasswordResetTest extends WebTestBase {
+
+ /**
+ * The profile to install as a basis for testing.
+ *
+ * This test uses the standard profile to test the password reset in
+ * combination with an ajax request provided by the user picture configuration
+ * in the standard profile.
+ *
+ * @var string
+ */
+ protected $profile = 'standard';
+
/**
* The user object to test password resetting.
*
@@ -89,6 +101,14 @@ class UserPasswordResetTest extends WebTestBase {
$this->assertLink(t('Log out'));
$this->assertTitle(t('@name | @site', array('@name' => $this->account->getUsername(), '@site' => $this->config('system.site')->get('name'))), 'Logged in using password reset link.');
+ // Make sure the ajax request from uploading a user picture does not
+ // invalidate the reset token.
+ $image = current($this->drupalGetTestFiles('image'));
+ $edit = array(
+ 'files[user_picture_0]' => drupal_realpath($image->uri),
+ );
+ $this->drupalPostAjaxForm(NULL, $edit, 'user_picture_0_upload_button');
+
// Change the forgotten password.
$password = user_password();
$edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password);
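Review bot: The new `drupalPostAjaxForm(NULL, $edit, 'user_picture_0_upload_button')` step has no assertion of its own, so the test only shows indirectly, through the password change that follows, that the reset state survived the Ajax rebuild. An assertion directly after the Ajax post that the current-password field is still absent would pin the behaviour this commit fixes. Because the change makes a security decision persist in form state, a negative case is also worth adding: an account editing its profile without a valid reset token should still be asked for the current password after the same picture-upload Ajax request. The test method starts and ends outside this hunk.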