function UserPasswordResetTest::testUserPasswordResetLoggedIn
Same name in other branches
- 9 core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordResetLoggedIn()
- 8.9.x core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordResetLoggedIn()
- 10 core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordResetLoggedIn()
Tests user password reset while logged in.
File
-
core/
modules/ user/ tests/ src/ Functional/ UserPasswordResetTest.php, line 328
Class
- UserPasswordResetTest
- Ensure that password reset methods work as expected.
Namespace
Drupal\Tests\user\FunctionalCode
public function testUserPasswordResetLoggedIn() : void {
$another_account = $this->drupalCreateUser();
$this->drupalLogin($another_account);
$this->drupalGet('user/password');
$this->submitForm([], 'Submit');
// Click the reset URL while logged and change our password.
$resetURL = $this->getResetURL();
// Log in as a different user.
$this->drupalLogin($this->account);
$this->drupalGet($resetURL);
$this->assertSession()
->pageTextContains("Another user ({$this->account->getAccountName()}) is already logged into the site on this computer, but you tried to use a one-time link for user {$another_account->getAccountName()}. Log out and try using the link again.");
$this->assertSession()
->linkExists('Log out');
$this->assertSession()
->linkByHrefExists(Url::fromRoute('user.logout')->toString());
// Verify that the invalid password reset page does not show the user name.
$attack_reset_url = "user/reset/" . $another_account->id() . "/1/1";
$this->drupalGet($attack_reset_url);
$this->assertSession()
->pageTextNotContains($another_account->getAccountName());
$this->assertSession()
->addressEquals('user/' . $this->account
->id());
$this->assertSession()
->pageTextContains('The one-time login link you clicked is invalid.');
$another_account->delete();
$this->drupalGet($resetURL);
$this->assertSession()
->pageTextContains('The one-time login link you clicked is invalid.');
// Log in.
$this->drupalLogin($this->account);
// Reset the password by username via the password reset page.
$this->drupalGet('user/password');
$this->submitForm([], 'Submit');
// Click the reset URL while logged and change our password.
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
$this->submitForm([], 'Log in');
// Change the password.
$password = \Drupal::service('password_generator')->generate();
$edit = [
'pass[pass1]' => $password,
'pass[pass2]' => $password,
];
$this->submitForm($edit, 'Save');
$this->assertSession()
->pageTextContains('The changes have been saved.');
// Logged in users should not be able to access the user.reset.login or the
// user.reset.form routes.
$timestamp = \Drupal::time()->getRequestTime() - 1;
$this->drupalGet("user/reset/" . $this->account
->id() . "/{$timestamp}/" . user_pass_rehash($this->account, $timestamp) . '/login');
$this->assertSession()
->statusCodeEquals(403);
$this->drupalGet("user/reset/" . $this->account
->id());
$this->assertSession()
->statusCodeEquals(403);
}
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.