summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNathaniel Catchpole2016-04-04 23:52:07 (GMT)
committerNathaniel Catchpole2016-04-04 23:52:07 (GMT)
commitbfd7cc23f73e9436cae049e4d880df8361858a9c (patch)
treee647dc7ff5b428e5f2186cc1ea1e316e07812b33
parentafac08a64a62047bf9430b3f02cf314df4edb7a7 (diff)
Issue #2624986 by Arla, heykarthikwithu, bradjones1, kristofferwiklund: Fix regression from #2400197, user edit form expects password reset hash
-rw-r--r--core/modules/user/src/AccountForm.php5
-rw-r--r--core/modules/user/src/Tests/UserPasswordResetTest.php9
2 files changed, 12 insertions, 2 deletions
diff --git a/core/modules/user/src/AccountForm.php b/core/modules/user/src/AccountForm.php
index 8b0149e..9199c73 100644
--- a/core/modules/user/src/AccountForm.php
+++ b/core/modules/user/src/AccountForm.php
@@ -127,8 +127,9 @@ abstract class AccountForm extends ContentEntityForm {
// To skip the current password field, the user must have logged in via a
// one-time link and have the token in the URL. Store this in $form_state
// so it persists even on subsequent Ajax requests.
- if (!$form_state->get('user_pass_reset')) {
- $user_pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && Crypt::hashEquals($_SESSION['pass_reset_' . $account->id()], \Drupal::request()->query->get('pass-reset-token'));
+ if (!$form_state->get('user_pass_reset') && ($token = $this->getRequest()->get('pass-reset-token'))) {
+ $session_key = 'pass_reset_' . $account->id();
+ $user_pass_reset = isset($_SESSION[$session_key]) && Crypt::hashEquals($_SESSION[$session_key], $token);
$form_state->set('user_pass_reset', $user_pass_reset);
}
diff --git a/core/modules/user/src/Tests/UserPasswordResetTest.php b/core/modules/user/src/Tests/UserPasswordResetTest.php
index 420b97a..1b415fa 100644
--- a/core/modules/user/src/Tests/UserPasswordResetTest.php
+++ b/core/modules/user/src/Tests/UserPasswordResetTest.php
@@ -140,6 +140,15 @@ class UserPasswordResetTest extends PageCacheTagsTestBase {
$this->drupalPostForm(NULL, $edit, t('Submit'));
$this->assertTrue( count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before + 1, 'Email sent when requesting password reset using email address.');
+ // Visit the user edit page without pass-reset-token and make sure it does
+ // not cause an error.
+ $resetURL = $this->getResetURL();
+ $this->drupalGet($resetURL);
+ $this->drupalPostForm(NULL, NULL, t('Log in'));
+ $this->drupalGet('user/' . $this->account->id() . '/edit');
+ $this->assertNoText('Expected user_string to be a string, NULL given');
+ $this->drupalLogout();
+
// Create a password reset link as if the request time was 60 seconds older than the allowed limit.
$timeout = $this->config('user.settings')->get('password_reset_timeout');
$bogus_timestamp = REQUEST_TIME - $timeout - 60;