class UserPasswordResetTest
Same name in this branch
- 10 core/modules/user/tests/src/FunctionalJavascript/UserPasswordResetTest.php \Drupal\Tests\user\FunctionalJavascript\UserPasswordResetTest
Same name in other branches
- 9 core/modules/user/tests/src/FunctionalJavascript/UserPasswordResetTest.php \Drupal\Tests\user\FunctionalJavascript\UserPasswordResetTest
- 9 core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest
- 8.9.x core/modules/user/tests/src/FunctionalJavascript/UserPasswordResetTest.php \Drupal\Tests\user\FunctionalJavascript\UserPasswordResetTest
- 8.9.x core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest
- 11.x core/modules/user/tests/src/FunctionalJavascript/UserPasswordResetTest.php \Drupal\Tests\user\FunctionalJavascript\UserPasswordResetTest
- 11.x core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest
Ensure that password reset methods work as expected.
@group user @group #slow
Hierarchy
- class \Drupal\Tests\BrowserTestBase extends \PHPUnit\Framework\TestCase uses \Drupal\Core\Test\FunctionalTestSetupTrait, \Drupal\Tests\UiHelperTrait, \Drupal\Core\Test\TestSetupTrait, \Drupal\Tests\block\Traits\BlockCreationTrait, \Drupal\Tests\RandomGeneratorTrait, \Drupal\Tests\node\Traits\NodeCreationTrait, \Drupal\Tests\node\Traits\ContentTypeCreationTrait, \Drupal\Tests\ConfigTestTrait, \Drupal\Tests\TestRequirementsTrait, \Drupal\Tests\user\Traits\UserCreationTrait, \Drupal\Tests\XdebugRequestTrait, \Drupal\Tests\Traits\PhpUnitWarnings, \Drupal\Tests\PhpUnitCompatibilityTrait, \Symfony\Bridge\PhpUnit\ExpectDeprecationTrait, \Drupal\Tests\ExtensionListTestTrait
- class \Drupal\Tests\user\Functional\UserPasswordResetTest extends \Drupal\Tests\BrowserTestBase uses \Drupal\Core\Test\AssertMailTrait
Expanded class hierarchy of UserPasswordResetTest
File
-
core/
modules/ user/ tests/ src/ Functional/ UserPasswordResetTest.php, line 21
Namespace
Drupal\Tests\user\FunctionalView source
class UserPasswordResetTest extends BrowserTestBase {
use AssertMailTrait {
getMails as drupalGetMails;
}
/**
* The user object to test password resetting.
*
* @var \Drupal\user\UserInterface
*/
protected $account;
/**
* Language manager object.
*
* @var \Drupal\Core\Language\LanguageManagerInterface
*/
protected $languageManager;
/**
* {@inheritdoc}
*/
protected static $modules = [
'block',
'language',
];
/**
* {@inheritdoc}
*/
protected $defaultTheme = 'stark';
/**
* {@inheritdoc}
*/
protected function setUp() : void {
parent::setUp();
// Enable page caching.
$config = $this->config('system.performance');
$config->set('cache.page.max_age', 3600);
$config->save();
$this->drupalPlaceBlock('system_menu_block:account');
// Create a user.
$account = $this->drupalCreateUser();
// Activate user by logging in.
$this->drupalLogin($account);
$this->account = User::load($account->id());
$this->account->passRaw = $account->passRaw;
$this->drupalLogout();
// Set the last login time that is used to generate the one-time link so
// that it is definitely over a second ago.
$account->login = \Drupal::time()->getRequestTime() - mt_rand(10, 100000);
Database::getConnection()->update('users_field_data')
->fields([
'login' => $account->getLastLoginTime(),
])
->condition('uid', $account->id())
->execute();
}
/**
* Tests password reset functionality.
*/
public function testUserPasswordReset() : void {
// Verify that accessing the password reset form without having the session
// variables set results in an access denied message.
$this->drupalGet(Url::fromRoute('user.reset.form', [
'uid' => $this->account
->id(),
]));
$this->assertSession()
->statusCodeEquals(403);
// Try to reset the password for a completely invalid username.
$this->drupalGet('user/password');
$long_name = $this->randomMachineName(UserInterface::USERNAME_MAX_LENGTH + 10);
$edit = [
'name' => $long_name,
];
$this->submitForm($edit, 'Submit');
$this->assertCount(0, $this->drupalGetMails([
'id' => 'user_password_reset',
]), 'No email was sent when requesting a password for an invalid user name.');
$this->assertSession()
->pageTextContains("The username or email address is invalid.");
// Try to reset the password for an invalid account.
$this->drupalGet('user/password');
$random_name = $this->randomMachineName();
$edit = [
'name' => $random_name,
];
$this->submitForm($edit, 'Submit');
$this->assertNoValidPasswordReset($random_name);
// Try to reset the password for a valid email address longer than
// UserInterface::USERNAME_MAX_LENGTH (invalid username, valid email).
// This should pass validation and print the generic message.
$this->drupalGet('user/password');
$long_name = $this->randomMachineName(UserInterface::USERNAME_MAX_LENGTH) . '@example.com';
$edit = [
'name' => $long_name,
];
$this->submitForm($edit, 'Submit');
$this->assertNoValidPasswordReset($long_name);
// Reset the password by username via the password reset page.
$this->drupalGet('user/password');
$edit = [
'name' => $this->account
->getAccountName(),
];
$this->submitForm($edit, 'Submit');
$this->assertValidPasswordReset($edit['name']);
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
// Ensure that the current URL does not contain the hash and timestamp.
$this->assertSession()
->addressEquals(Url::fromRoute('user.reset.form', [
'uid' => $this->account
->id(),
]));
$this->assertSession()
->responseHeaderDoesNotExist('X-Drupal-Cache');
// Ensure the password reset URL is not cached.
$this->drupalGet($resetURL);
$this->assertSession()
->responseHeaderDoesNotExist('X-Drupal-Cache');
// Check the one-time login page.
$this->assertSession()
->pageTextContains($this->account
->getAccountName());
$this->assertSession()
->pageTextContains('This login can be used only once.');
$this->assertSession()
->titleEquals('Reset password | Drupal');
// Check successful login.
$this->submitForm([], 'Log in');
$this->assertSession()
->linkExists('Log out');
$this->assertSession()
->titleEquals($this->account
->getAccountName() . ' | Drupal');
// Change the forgotten password.
$password = \Drupal::service('password_generator')->generate();
$edit = [
'pass[pass1]' => $password,
'pass[pass2]' => $password,
];
$this->submitForm($edit, 'Save');
$this->assertSession()
->pageTextContains('The changes have been saved.');
// Verify that the password reset session has been destroyed.
$this->submitForm($edit, 'Save');
$this->assertSession()
->pageTextContains("Your current password is missing or incorrect; it's required to change the Password.");
// Log out, and try to log in again using the same one-time link.
$this->drupalLogout();
$this->drupalGet($resetURL);
$this->assertSession()
->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
$this->drupalGet($resetURL . '/login');
$this->assertSession()
->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
// Request a new password again, this time using the email address.
// Count email messages before to compare with after.
$before = count($this->drupalGetMails([
'id' => 'user_password_reset',
]));
$this->drupalGet('user/password');
$edit = [
'name' => $this->account
->getEmail(),
];
$this->submitForm($edit, 'Submit');
$this->assertValidPasswordReset($edit['name']);
$this->assertCount($before + 1, $this->drupalGetMails([
'id' => 'user_password_reset',
]), 'Email sent when requesting password reset using email address.');
// Visit the user edit page without pass-reset-token and make sure it does
// not cause an error.
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
$this->submitForm([], 'Log in');
$this->drupalGet('user/' . $this->account
->id() . '/edit');
$this->assertSession()
->pageTextNotContains('Expected user_string to be a string, NULL given');
$this->drupalLogout();
// Create a password reset link as if the request time was 60 seconds older than the allowed limit.
$timeout = $this->config('user.settings')
->get('password_reset_timeout');
$bogus_timestamp = \Drupal::time()->getRequestTime() - $timeout - 60;
$_uid = $this->account
->id();
$this->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account, $bogus_timestamp));
$this->assertSession()
->pageTextContains('You have tried to use a one-time login link that has expired. Request a new one using the form below.');
$this->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account, $bogus_timestamp) . '/login');
$this->assertSession()
->pageTextContains('You have tried to use a one-time login link that has expired. Request a new one using the form below.');
// Create a user, block the account, and verify that a login link is denied.
$timestamp = \Drupal::time()->getRequestTime() - 1;
$blocked_account = $this->drupalCreateUser()
->block();
$blocked_account->save();
$this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp));
$this->assertSession()
->statusCodeEquals(403);
$this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
$this->assertSession()
->statusCodeEquals(403);
// Verify a blocked user can not request a new password.
$this->drupalGet('user/password');
// Count email messages before to compare with after.
$before = count($this->drupalGetMails([
'id' => 'user_password_reset',
]));
$edit = [
'name' => $blocked_account->getAccountName(),
];
$this->submitForm($edit, 'Submit');
$this->assertCount($before, $this->drupalGetMails([
'id' => 'user_password_reset',
]), 'No email was sent when requesting password reset for a blocked account');
// Verify a password reset link is invalidated when the user's email address changes.
$this->drupalGet('user/password');
$edit = [
'name' => $this->account
->getAccountName(),
];
$this->submitForm($edit, 'Submit');
$old_email_reset_link = $this->getResetURL();
$this->account
->setEmail("1" . $this->account
->getEmail());
$this->account
->save();
$this->drupalGet($old_email_reset_link);
$this->assertSession()
->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
$this->drupalGet($old_email_reset_link . '/login');
$this->assertSession()
->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
// Verify a password reset link will automatically log a user when /login is
// appended.
$this->drupalGet('user/password');
$edit = [
'name' => $this->account
->getAccountName(),
];
$this->submitForm($edit, 'Submit');
$reset_url = $this->getResetURL();
$this->drupalGet($reset_url . '/login');
$this->assertSession()
->linkExists('Log out');
$this->assertSession()
->titleEquals($this->account
->getAccountName() . ' | Drupal');
// Ensure blocked and deleted accounts can't access the user.reset.login
// route.
$this->drupalLogout();
$timestamp = \Drupal::time()->getRequestTime() - 1;
$blocked_account = $this->drupalCreateUser()
->block();
$blocked_account->save();
$this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
$this->assertSession()
->statusCodeEquals(403);
$blocked_account->delete();
$this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
$this->assertSession()
->statusCodeEquals(403);
}
/**
* Tests password reset functionality when user has set preferred language.
*/
public function testUserPasswordResetPreferredLanguage() : void {
// Set two new languages.
ConfigurableLanguage::createFromLangcode('fr')->save();
ConfigurableLanguage::createFromLangcode('zh-hant')->save();
$this->languageManager = \Drupal::languageManager();
// Set language prefixes.
$config = $this->config('language.negotiation');
$config->set('url.prefixes', [
'en' => '',
'fr' => 'fr',
'zh-hant' => 'zh',
])
->save();
$this->rebuildContainer();
foreach ($this->languagePrefixTestProvider() as $scenario) {
[
$setPreferredLangcode,
$activeLangcode,
$prefix,
$visitingUrl,
$expectedResetUrl,
$unexpectedResetUrl,
] = array_values($scenario);
$this->account->preferred_langcode = $setPreferredLangcode;
$this->account
->save();
$this->assertSame($setPreferredLangcode, $this->account
->getPreferredLangcode(FALSE));
// Test Default langcode is different from active langcode when visiting different.
if ($setPreferredLangcode !== 'en') {
$this->drupalGet($prefix . '/user/password');
$this->assertSame($activeLangcode, $this->getSession()
->getResponseHeader('Content-language'));
$this->assertSame('en', $this->languageManager
->getDefaultLanguage()
->getId());
}
// Test password reset with language prefixes.
$this->drupalGet($visitingUrl);
$edit = [
'name' => $this->account
->getAccountName(),
];
$this->submitForm($edit, 'Submit');
$this->assertValidPasswordReset($edit['name']);
$resetURL = $this->getResetURL();
$this->assertStringContainsString($expectedResetUrl, $resetURL);
$this->assertStringNotContainsString($unexpectedResetUrl, $resetURL);
}
}
/**
* Provides scenarios for testUserPasswordResetPreferredLanguage().
*
* @return array
*/
protected function languagePrefixTestProvider() {
return [
'Test language prefix set as \'\', visiting default with preferred language as en' => [
'setPreferredLangcode' => 'en',
'activeLangcode' => 'en',
'prefix' => '',
'visitingUrl' => 'user/password',
'expectedResetUrl' => 'user/reset',
'unexpectedResetUrl' => 'en/user/reset',
],
'Test language prefix set as fr, visiting zh with preferred language as fr' => [
'setPreferredLangcode' => 'fr',
'activeLangcode' => 'fr',
'prefix' => 'fr',
'visitingUrl' => 'zh/user/password',
'expectedResetUrl' => 'fr/user/reset',
'unexpectedResetUrl' => 'zh/user/reset',
],
'Test language prefix set as zh, visiting zh with preferred language as \'\'' => [
'setPreferredLangcode' => '',
'activeLangcode' => 'zh-hant',
'prefix' => 'zh',
'visitingUrl' => 'zh/user/password',
'expectedResetUrl' => 'user/reset',
'unexpectedResetUrl' => 'zh/user/reset',
],
];
}
/**
* Retrieves password reset email and extracts the login link.
*/
public function getResetURL() {
// Assume the most recent email.
$_emails = $this->drupalGetMails();
$email = end($_emails);
$urls = [];
preg_match('#.+user/reset/.+#', $email['body'], $urls);
return $urls[0];
}
/**
* Tests user password reset while logged in.
*/
public function testUserPasswordResetLoggedIn() : void {
$another_account = $this->drupalCreateUser();
$this->drupalLogin($another_account);
$this->drupalGet('user/password');
$this->submitForm([], 'Submit');
// Click the reset URL while logged and change our password.
$resetURL = $this->getResetURL();
// Log in as a different user.
$this->drupalLogin($this->account);
$this->drupalGet($resetURL);
$this->assertSession()
->pageTextContains("Another user ({$this->account->getAccountName()}) is already logged into the site on this computer, but you tried to use a one-time link for user {$another_account->getAccountName()}. Log out and try using the link again.");
$this->assertSession()
->linkExists('Log out');
$this->assertSession()
->linkByHrefExists(Url::fromRoute('user.logout')->toString());
// Verify that the invalid password reset page does not show the user name.
$attack_reset_url = "user/reset/" . $another_account->id() . "/1/1";
$this->drupalGet($attack_reset_url);
$this->assertSession()
->pageTextNotContains($another_account->getAccountName());
$this->assertSession()
->addressEquals('user/' . $this->account
->id());
$this->assertSession()
->pageTextContains('The one-time login link you clicked is invalid.');
$another_account->delete();
$this->drupalGet($resetURL);
$this->assertSession()
->pageTextContains('The one-time login link you clicked is invalid.');
// Log in.
$this->drupalLogin($this->account);
// Reset the password by username via the password reset page.
$this->drupalGet('user/password');
$this->submitForm([], 'Submit');
// Click the reset URL while logged and change our password.
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
$this->submitForm([], 'Log in');
// Change the password.
$password = \Drupal::service('password_generator')->generate();
$edit = [
'pass[pass1]' => $password,
'pass[pass2]' => $password,
];
$this->submitForm($edit, 'Save');
$this->assertSession()
->pageTextContains('The changes have been saved.');
// Logged in users should not be able to access the user.reset.login or the
// user.reset.form routes.
$timestamp = \Drupal::time()->getRequestTime() - 1;
$this->drupalGet("user/reset/" . $this->account
->id() . "/{$timestamp}/" . user_pass_rehash($this->account, $timestamp) . '/login');
$this->assertSession()
->statusCodeEquals(403);
$this->drupalGet("user/reset/" . $this->account
->id());
$this->assertSession()
->statusCodeEquals(403);
}
/**
* Tests the text box on incorrect login via link to password reset page.
*/
public function testUserResetPasswordTextboxNotFilled() : void {
$this->drupalGet('user/login');
$edit = [
'name' => $this->randomMachineName(),
'pass' => $this->randomMachineName(),
];
$this->drupalGet('user/login');
$this->submitForm($edit, 'Log in');
$this->assertSession()
->pageTextContains("Unrecognized username or password. Forgot your password?");
$this->assertSession()
->linkExists("Forgot your password?");
// Verify we don't pass the username as a query parameter.
$this->assertSession()
->linkByHrefNotExists(Url::fromRoute('user.pass', [], [
'query' => [
'name' => $edit['name'],
],
])->toString());
$this->assertSession()
->linkByHrefExists(Url::fromRoute('user.pass')->toString());
unset($edit['pass']);
// Verify the field is empty by default.
$this->drupalGet('user/password');
$this->assertSession()
->fieldValueEquals('name', '');
// Ensure the name field value is not cached.
$this->drupalGet('user/password', [
'query' => [
'name' => $edit['name'],
],
]);
$this->assertSession()
->fieldValueEquals('name', $edit['name']);
$this->drupalGet('user/password');
$this->assertSession()
->fieldValueNotEquals('name', $edit['name']);
}
/**
* Tests password reset flood control for one user.
*/
public function testUserResetPasswordUserFloodControl() : void {
\Drupal::configFactory()->getEditable('user.flood')
->set('user_limit', 3)
->save();
$edit = [
'name' => $this->account
->getAccountName(),
];
// Count email messages before to compare with after.
$before = count($this->drupalGetMails([
'id' => 'user_password_reset',
]));
// Try 3 requests that should not trigger flood control.
for ($i = 0; $i < 3; $i++) {
$this->drupalGet('user/password');
$this->submitForm($edit, 'Submit');
$this->assertValidPasswordReset($edit['name']);
}
// Ensure 3 emails were sent.
$this->assertCount($before + 3, $this->drupalGetMails([
'id' => 'user_password_reset',
]), '3 emails sent without triggering flood control.');
// The next request should trigger flood control.
$this->drupalGet('user/password');
$this->submitForm($edit, 'Submit');
// Ensure no further emails were sent.
$this->assertCount($before + 3, $this->drupalGetMails([
'id' => 'user_password_reset',
]), 'No further email was sent after triggering flood control.');
}
/**
* Tests password reset flood control for one IP.
*/
public function testUserResetPasswordIpFloodControl() : void {
\Drupal::configFactory()->getEditable('user.flood')
->set('ip_limit', 3)
->save();
// Try 3 requests that should not trigger flood control.
for ($i = 0; $i < 3; $i++) {
$this->drupalGet('user/password');
$random_name = $this->randomMachineName();
$edit = [
'name' => $random_name,
];
$this->submitForm($edit, 'Submit');
// Because we're testing with a random name, the password reset will not be valid.
$this->assertNoValidPasswordReset($random_name);
$this->assertNoPasswordIpFlood();
}
// The next request should trigger flood control.
$this->drupalGet('user/password');
$edit = [
'name' => $this->randomMachineName(),
];
$this->submitForm($edit, 'Submit');
$this->assertPasswordIpFlood();
}
/**
* Tests user password reset flood control is cleared on successful reset.
*/
public function testUserResetPasswordUserFloodControlIsCleared() : void {
\Drupal::configFactory()->getEditable('user.flood')
->set('user_limit', 3)
->save();
$edit = [
'name' => $this->account
->getAccountName(),
];
// Count email messages before to compare with after.
$before = count($this->drupalGetMails([
'id' => 'user_password_reset',
]));
// Try 3 requests that should not trigger flood control.
for ($i = 0; $i < 3; $i++) {
$this->drupalGet('user/password');
$this->submitForm($edit, 'Submit');
$this->assertValidPasswordReset($edit['name']);
}
// Ensure 3 emails were sent.
$this->assertCount($before + 3, $this->drupalGetMails([
'id' => 'user_password_reset',
]), '3 emails sent without triggering flood control.');
// Use the last password reset URL which was generated.
$reset_url = $this->getResetURL();
$this->drupalGet($reset_url . '/login');
$this->assertSession()
->linkExists('Log out');
$this->assertSession()
->titleEquals($this->account
->getAccountName() . ' | Drupal');
$this->drupalLogout();
// The next request should *not* trigger flood control, since a successful
// password reset should have cleared flood events for this user.
$this->drupalGet('user/password');
$this->submitForm($edit, 'Submit');
$this->assertValidPasswordReset($edit['name']);
// Ensure another email was sent.
$this->assertCount($before + 4, $this->drupalGetMails([
'id' => 'user_password_reset',
]), 'Another email was sent after clearing flood control.');
}
/**
* Tests user password reset flood control is cleared on admin reset.
*/
public function testUserResetPasswordUserFloodControlAdmin() : void {
$admin_user = $this->drupalCreateUser([
'administer account settings',
'administer users',
]);
\Drupal::configFactory()->getEditable('user.flood')
->set('user_limit', 3)
->save();
$edit = [
'name' => $this->account
->getAccountName(),
'pass' => 'wrong_password',
];
// Try 3 requests that should not trigger flood control.
for ($i = 0; $i < 3; $i++) {
$this->drupalGet('user/login');
$this->submitForm($edit, 'Log in');
$this->assertSession()
->pageTextNotContains('There have been more than 3 failed login attempts for this account. It is temporarily blocked.');
}
$this->drupalGet('user/login');
$this->submitForm($edit, 'Log in');
$this->assertSession()
->pageTextContains('There have been more than 3 failed login attempts for this account. It is temporarily blocked.');
$password = $this->randomMachineName();
$edit = [
'pass[pass1]' => $password,
'pass[pass2]' => $password,
];
// Log in as admin and change the user password.
$this->drupalLogin($admin_user);
$this->drupalGet('user/' . $this->account
->id() . '/edit');
$this->submitForm($edit, 'Save');
$this->drupalLogout();
$edit = [
'name' => $this->account
->getAccountName(),
'pass' => $password,
];
// The next request should *not* trigger flood control, since the
// password change should have cleared flood events for this user.
$this->account->passRaw = $password;
$this->drupalLogin($this->account);
$this->assertSession()
->pageTextNotContains('There have been more than 3 failed login attempts for this account. It is temporarily blocked.');
}
/**
* Helper function to make assertions about a valid password reset.
*
* @internal
*/
public function assertValidPasswordReset(string $name) : void {
$this->assertSession()
->pageTextContains("If {$name} is a valid account, an email will be sent with instructions to reset your password.");
$this->assertMail('to', $this->account
->getEmail(), 'Password email sent to user.');
$subject = 'Replacement login information for ' . $this->account
->getAccountName() . ' at Drupal';
$this->assertMail('subject', $subject, 'Password reset email subject is correct.');
}
/**
* Helper function to make assertions about an invalid password reset.
*
* @param string $name
* The user name.
*
* @internal
*/
public function assertNoValidPasswordReset(string $name) : void {
// This message is the same as the valid reset for privacy reasons.
$this->assertSession()
->pageTextContains("If {$name} is a valid account, an email will be sent with instructions to reset your password.");
// The difference is that no email is sent.
$this->assertCount(0, $this->drupalGetMails([
'id' => 'user_password_reset',
]), 'No email was sent when requesting a password for an invalid account.');
}
/**
* Makes assertions about a password reset triggering IP flood control.
*
* @internal
*/
public function assertPasswordIpFlood() : void {
$this->assertSession()
->pageTextContains('Too many password recovery requests from your IP address. It is temporarily blocked. Try again later or contact the site administrator.');
}
/**
* Makes assertions about a password reset not triggering IP flood control.
*
* @internal
*/
public function assertNoPasswordIpFlood() : void {
$this->assertSession()
->pageTextNotContains('Too many password recovery requests from your IP address. It is temporarily blocked. Try again later or contact the site administrator.');
}
/**
* Make sure that users cannot forge password reset URLs of other users.
*/
public function testResetImpersonation() : void {
// Create two identical user accounts except for the user name. They must
// have the same empty password, so we can't use $this->drupalCreateUser().
$edit = [];
$edit['name'] = $this->randomMachineName();
$edit['mail'] = $edit['name'] . '@example.com';
$edit['status'] = 1;
$user1 = User::create($edit);
$user1->save();
$edit['name'] = $this->randomMachineName();
$user2 = User::create($edit);
$user2->save();
// Unique password hashes are automatically generated, the only way to
// change that is to update it directly in the database.
Database::getConnection()->update('users_field_data')
->fields([
'pass' => NULL,
])
->condition('uid', [
$user1->id(),
$user2->id(),
], 'IN')
->execute();
\Drupal::entityTypeManager()->getStorage('user')
->resetCache();
$user1 = User::load($user1->id());
$user2 = User::load($user2->id());
$this->assertEquals($user2->getPassword(), $user1->getPassword(), 'Both users have the same password hash.');
// The password reset URL must not be valid for the second user when only
// the user ID is changed in the URL.
$reset_url = user_pass_reset_url($user1);
$attack_reset_url = str_replace("user/reset/{$user1->id()}", "user/reset/{$user2->id()}", $reset_url);
$this->drupalGet($attack_reset_url);
// Verify that the invalid password reset page does not show the user name.
$this->assertSession()
->pageTextNotContains($user2->getAccountName());
$this->assertSession()
->addressEquals('user/password');
$this->assertSession()
->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
$this->drupalGet($attack_reset_url . '/login');
// Verify that the invalid password reset page does not show the user name.
$this->assertSession()
->pageTextNotContains($user2->getAccountName());
$this->assertSession()
->addressEquals('user/password');
$this->assertSession()
->pageTextContains('You have tried to use a one-time login link that has either been used or is no longer valid. Request a new one using the form below.');
}
/**
* Test the autocomplete attribute is present.
*/
public function testResetFormHasAutocompleteAttribute() : void {
$this->drupalGet('user/password');
$field = $this->getSession()
->getPage()
->findField('name');
$this->assertEquals('username', $field->getAttribute('autocomplete'));
}
}
Members
Title Sort descending | Deprecated | Modifiers | Object type | Summary | Member alias | Overriden Title | Overrides |
---|---|---|---|---|---|---|---|
AssertMailTrait::assertMail | protected | function | Asserts that the most recently sent email message has the given value. | ||||
AssertMailTrait::assertMailPattern | protected | function | Asserts that the most recently sent email message has the pattern in it. | ||||
AssertMailTrait::assertMailString | protected | function | Asserts that the most recently sent email message has the string in it. | ||||
AssertMailTrait::getMails | protected | function | Gets an array containing all emails sent during this test case. | Aliased as: drupalGetMails | |||
BlockCreationTrait::placeBlock | protected | function | Creates a block instance based on default settings. | Aliased as: drupalPlaceBlock | |||
BrowserHtmlDebugTrait::$htmlOutputBaseUrl | protected | property | The Base URI to use for links to the output files. | ||||
BrowserHtmlDebugTrait::$htmlOutputClassName | protected | property | Class name for HTML output logging. | ||||
BrowserHtmlDebugTrait::$htmlOutputCounter | protected | property | Counter for HTML output logging. | ||||
BrowserHtmlDebugTrait::$htmlOutputCounterStorage | protected | property | Counter storage for HTML output logging. | ||||
BrowserHtmlDebugTrait::$htmlOutputDirectory | protected | property | Directory name for HTML output logging. | ||||
BrowserHtmlDebugTrait::$htmlOutputEnabled | protected | property | HTML output enabled. | ||||
BrowserHtmlDebugTrait::$htmlOutputFile | protected | property | The file name to write the list of URLs to. | ||||
BrowserHtmlDebugTrait::$htmlOutputTestId | protected | property | HTML output test ID. | ||||
BrowserHtmlDebugTrait::formatHtmlOutputHeaders | protected | function | Formats HTTP headers as string for HTML output logging. | ||||
BrowserHtmlDebugTrait::getHtmlOutputHeaders | protected | function | Returns headers in HTML output format. | 1 | |||
BrowserHtmlDebugTrait::getResponseLogHandler | protected | function | Provides a Guzzle middleware handler to log every response received. | ||||
BrowserHtmlDebugTrait::htmlOutput | protected | function | Logs a HTML output message in a text file. | ||||
BrowserHtmlDebugTrait::initBrowserOutputFile | protected | function | Creates the directory to store browser output. | ||||
BrowserTestBase::$baseUrl | protected | property | The base URL. | ||||
BrowserTestBase::$configImporter | protected | property | The config importer that can be used in a test. | ||||
BrowserTestBase::$customTranslations | protected | property | An array of custom translations suitable for SettingsEditor::rewrite(). | ||||
BrowserTestBase::$mink | protected | property | Mink session manager. | ||||
BrowserTestBase::$minkDefaultDriverArgs | protected | property | Mink default driver params. | ||||
BrowserTestBase::$minkDefaultDriverClass | protected | property | Mink class for the default driver to use. | 1 | |||
BrowserTestBase::$originalContainer | protected | property | The original container. | ||||
BrowserTestBase::$originalShutdownCallbacks | protected | property | The original array of shutdown function callbacks. | ||||
BrowserTestBase::$preserveGlobalState | protected | property | |||||
BrowserTestBase::$profile | protected | property | The profile to install as a basis for testing. | 40 | |||
BrowserTestBase::$runTestInSeparateProcess | protected | property | Browser tests are run in separate processes to prevent collisions between code that may be loaded by tests. |
||||
BrowserTestBase::$timeLimit | protected | property | Time limit in seconds for the test. | ||||
BrowserTestBase::$translationFilesDirectory | protected | property | The translation file directory for the test environment. | ||||
BrowserTestBase::cleanupEnvironment | protected | function | Clean up the test environment. | ||||
BrowserTestBase::config | protected | function | Configuration accessor for tests. Returns non-overridden configuration. | ||||
BrowserTestBase::filePreDeleteCallback | public static | function | Ensures test files are deletable. | ||||
BrowserTestBase::getDefaultDriverInstance | protected | function | Gets an instance of the default Mink driver. | ||||
BrowserTestBase::getDrupalSettings | protected | function | Gets the JavaScript drupalSettings variable for the currently-loaded page. | 1 | |||
BrowserTestBase::getHttpClient | protected | function | Obtain the HTTP client for the system under test. | ||||
BrowserTestBase::getMinkDriverArgs | protected | function | Gets the Mink driver args from an environment variable. | 1 | |||
BrowserTestBase::getOptions | protected | function | Helper function to get the options of select field. | ||||
BrowserTestBase::getSession | public | function | Returns Mink session. | ||||
BrowserTestBase::getSessionCookies | protected | function | Get session cookies from current session. | ||||
BrowserTestBase::getTestMethodCaller | protected | function | Retrieves the current calling line in the class under test. | Overrides BrowserHtmlDebugTrait::getTestMethodCaller | |||
BrowserTestBase::initFrontPage | protected | function | Visits the front page when initializing Mink. | 3 | |||
BrowserTestBase::initMink | protected | function | Initializes Mink sessions. | 1 | |||
BrowserTestBase::installDrupal | public | function | Installs Drupal into the test site. | 2 | |||
BrowserTestBase::registerSessions | protected | function | Registers additional Mink sessions. | ||||
BrowserTestBase::setUpAppRoot | protected | function | Sets up the root application path. | ||||
BrowserTestBase::setUpBeforeClass | public static | function | 1 | ||||
BrowserTestBase::tearDown | protected | function | 3 | ||||
BrowserTestBase::translatePostValues | protected | function | Transforms a nested array into a flat array suitable for submitForm(). | ||||
BrowserTestBase::xpath | protected | function | Performs an xpath search on the contents of the internal browser. | ||||
BrowserTestBase::__get | public | function | |||||
BrowserTestBase::__sleep | public | function | Prevents serializing any properties. | ||||
ConfigTestTrait::configImporter | protected | function | Returns a ConfigImporter object to import test configuration. | ||||
ConfigTestTrait::copyConfig | protected | function | Copies configuration objects from source storage to target storage. | ||||
ContentTypeCreationTrait::createContentType | protected | function | Creates a custom content type based on default settings. | Aliased as: drupalCreateContentType | 1 | ||
ExtensionListTestTrait::getModulePath | protected | function | Gets the path for the specified module. | ||||
ExtensionListTestTrait::getThemePath | protected | function | Gets the path for the specified theme. | ||||
FunctionalTestSetupTrait::$apcuEnsureUniquePrefix | protected | property | The flag to set 'apcu_ensure_unique_prefix' setting. | 1 | |||
FunctionalTestSetupTrait::$classLoader | protected | property | The class loader to use for installation and initialization of setup. | ||||
FunctionalTestSetupTrait::$rootUser | protected | property | The "#1" admin user. | ||||
FunctionalTestSetupTrait::$usesSuperUserAccessPolicy | protected | property | Set to TRUE to make user 1 a super user. | 10 | |||
FunctionalTestSetupTrait::doInstall | protected | function | Execute the non-interactive installer. | 2 | |||
FunctionalTestSetupTrait::getDatabaseTypes | protected | function | Returns all supported database driver installer objects. | ||||
FunctionalTestSetupTrait::initConfig | protected | function | Initialize various configurations post-installation. | 1 | |||
FunctionalTestSetupTrait::initKernel | protected | function | Initializes the kernel after installation. | ||||
FunctionalTestSetupTrait::initSettings | protected | function | Initialize settings created during install. | ||||
FunctionalTestSetupTrait::initUserSession | protected | function | Initializes user 1 for the site to be installed. | ||||
FunctionalTestSetupTrait::installDefaultThemeFromClassProperty | protected | function | Installs the default theme defined by `static::$defaultTheme` when needed. | 1 | |||
FunctionalTestSetupTrait::installModulesFromClassProperty | protected | function | Install modules defined by `static::$modules`. | 1 | |||
FunctionalTestSetupTrait::installParameters | protected | function | Returns the parameters that will be used when the test installs Drupal. | 8 | |||
FunctionalTestSetupTrait::prepareEnvironment | protected | function | Prepares the current environment for running the test. | 28 | |||
FunctionalTestSetupTrait::prepareRequestForGenerator | protected | function | Creates a mock request and sets it on the generator. | ||||
FunctionalTestSetupTrait::prepareSettings | protected | function | Prepares site settings and services before installation. | 4 | |||
FunctionalTestSetupTrait::rebuildAll | protected | function | Resets and rebuilds the environment after setup. | ||||
FunctionalTestSetupTrait::rebuildContainer | protected | function | Rebuilds \Drupal::getContainer(). | ||||
FunctionalTestSetupTrait::resetAll | protected | function | Resets all data structures after having enabled new modules. | ||||
FunctionalTestSetupTrait::setContainerParameter | protected | function | Changes parameters in the services.yml file. | ||||
FunctionalTestSetupTrait::setupBaseUrl | protected | function | Sets up the base URL based upon the environment variable. | ||||
FunctionalTestSetupTrait::writeSettings | protected | function | Rewrites the settings.php file of the test site. | 1 | |||
NodeCreationTrait::createNode | protected | function | Creates a node based on default settings. | Aliased as: drupalCreateNode | |||
NodeCreationTrait::getNodeByTitle | public | function | Get a node from the database based on its title. | Aliased as: drupalGetNodeByTitle | |||
PhpUnitWarnings::$deprecationWarnings | private static | property | Deprecation warnings from PHPUnit to raise with @trigger_error(). | ||||
PhpUnitWarnings::addWarning | public | function | Converts PHPUnit deprecation warnings to E_USER_DEPRECATED. | ||||
RandomGeneratorTrait::getRandomGenerator | protected | function | Gets the random generator for the utility methods. | ||||
RandomGeneratorTrait::randomMachineName | protected | function | Generates a unique random string containing letters and numbers. | ||||
RandomGeneratorTrait::randomObject | public | function | Generates a random PHP object. | ||||
RandomGeneratorTrait::randomString | public | function | Generates a pseudo-random string of ASCII characters of codes 32 to 126. | ||||
RandomGeneratorTrait::randomStringValidate | Deprecated | public | function | Callback for random string validation. | |||
RefreshVariablesTrait::refreshVariables | protected | function | Refreshes in-memory configuration and state information. | 2 | |||
SessionTestTrait::$sessionName | protected | property | The name of the session cookie. | ||||
SessionTestTrait::generateSessionName | protected | function | Generates a session cookie name. | ||||
SessionTestTrait::getSessionName | protected | function | Returns the session name in use on the child site. | ||||
StorageCopyTrait::replaceStorageContents | protected static | function | Copy the configuration from one storage to another and remove stale items. | ||||
TestRequirementsTrait::checkModuleRequirements | Deprecated | private | function | Checks missing module requirements. | |||
TestRequirementsTrait::checkRequirements | Deprecated | protected | function | Check module requirements for the Drupal use case. | |||
TestRequirementsTrait::getDrupalRoot | protected static | function | Returns the Drupal root directory. | ||||
TestSetupTrait::$configSchemaCheckerExclusions | protected static | property | An array of config object names that are excluded from schema checking. | 2 | |||
TestSetupTrait::$container | protected | property | The dependency injection container used in the test. | ||||
TestSetupTrait::$databasePrefix | protected | property | The database prefix of this test run. | ||||
TestSetupTrait::$kernel | protected | property | The DrupalKernel instance used in the test. | ||||
TestSetupTrait::$originalSite | protected | property | The site directory of the original parent site. | ||||
TestSetupTrait::$privateFilesDirectory | protected | property | The private file directory for the test environment. | ||||
TestSetupTrait::$publicFilesDirectory | protected | property | The public file directory for the test environment. | ||||
TestSetupTrait::$root | protected | property | The app root. | ||||
TestSetupTrait::$siteDirectory | protected | property | The site directory of this test run. | ||||
TestSetupTrait::$strictConfigSchema | protected | property | Set to TRUE to strict check all configuration saved. | 4 | |||
TestSetupTrait::$tempFilesDirectory | protected | property | The temporary file directory for the test environment. | ||||
TestSetupTrait::$testId | protected | property | The test run ID. | ||||
TestSetupTrait::changeDatabasePrefix | protected | function | Changes the database connection to the prefixed one. | ||||
TestSetupTrait::getConfigSchemaExclusions | protected | function | Gets the config schema exclusions for this test. | ||||
TestSetupTrait::getDatabaseConnection | Deprecated | public static | function | Returns the database connection to the site under test. | |||
TestSetupTrait::prepareDatabasePrefix | protected | function | Generates a database prefix for running tests. | 1 | |||
UiHelperTrait::$loggedInUser | protected | property | The current user logged in using the Mink controlled browser. | ||||
UiHelperTrait::$maximumMetaRefreshCount | protected | property | The number of meta refresh redirects to follow, or NULL if unlimited. | ||||
UiHelperTrait::$metaRefreshCount | protected | property | The number of meta refresh redirects followed during ::drupalGet(). | ||||
UiHelperTrait::$useOneTimeLoginLinks | protected | property | Use one-time login links instead of submitting the login form. | 3 | |||
UiHelperTrait::assertSession | public | function | Returns WebAssert object. | 1 | |||
UiHelperTrait::buildUrl | protected | function | Builds an absolute URL from a system path or a URL object. | ||||
UiHelperTrait::checkForMetaRefresh | protected | function | Checks for meta refresh tag and if found call drupalGet() recursively. | ||||
UiHelperTrait::click | protected | function | Clicks the element with the given CSS selector. | ||||
UiHelperTrait::clickLink | protected | function | Follows a link by complete name. | ||||
UiHelperTrait::cssSelect | protected | function | Searches elements using a CSS selector in the raw content. | ||||
UiHelperTrait::cssSelectToXpath | protected | function | Translates a CSS expression to its XPath equivalent. | ||||
UiHelperTrait::drupalGet | protected | function | Retrieves a Drupal path or an absolute path. | 3 | |||
UiHelperTrait::drupalLogin | protected | function | Logs in a user using the Mink controlled browser. | ||||
UiHelperTrait::drupalLogout | protected | function | Logs a user out of the Mink controlled browser and confirms. | ||||
UiHelperTrait::drupalResetSession | protected | function | Resets the current active session back to Anonymous session. | ||||
UiHelperTrait::drupalUserIsLoggedIn | protected | function | Returns whether a given user account is logged in. | ||||
UiHelperTrait::getAbsoluteUrl | protected | function | Takes a path and returns an absolute path. | ||||
UiHelperTrait::getTextContent | protected | function | Retrieves the plain-text content from the current page. | ||||
UiHelperTrait::getUrl | protected | function | Get the current URL from the browser. | ||||
UiHelperTrait::isTestUsingGuzzleClient | protected | function | Determines if test is using DrupalTestBrowser. | ||||
UiHelperTrait::prepareRequest | protected | function | Prepare for a request to testing site. | 1 | |||
UiHelperTrait::submitForm | protected | function | Fills and submits a form. | ||||
UserCreationTrait::checkPermissions | protected | function | Checks whether a given list of permission names is valid. | ||||
UserCreationTrait::createAdminRole | protected | function | Creates an administrative role. | ||||
UserCreationTrait::createRole | protected | function | Creates a role with specified permissions. | Aliased as: drupalCreateRole | |||
UserCreationTrait::createUser | protected | function | Create a user with a given set of permissions. | Aliased as: drupalCreateUser | |||
UserCreationTrait::grantPermissions | protected | function | Grant permissions to a user role. | ||||
UserCreationTrait::setCurrentUser | protected | function | Switch the current logged in user. | ||||
UserCreationTrait::setUpCurrentUser | protected | function | Creates a random user account and sets it as current user. | ||||
UserPasswordResetTest::$account | protected | property | The user object to test password resetting. | ||||
UserPasswordResetTest::$defaultTheme | protected | property | The theme to install as the default for testing. | Overrides BrowserTestBase::$defaultTheme | |||
UserPasswordResetTest::$languageManager | protected | property | Language manager object. | ||||
UserPasswordResetTest::$modules | protected static | property | Modules to install. | Overrides BrowserTestBase::$modules | |||
UserPasswordResetTest::assertNoPasswordIpFlood | public | function | Makes assertions about a password reset not triggering IP flood control. | ||||
UserPasswordResetTest::assertNoValidPasswordReset | public | function | Helper function to make assertions about an invalid password reset. | ||||
UserPasswordResetTest::assertPasswordIpFlood | public | function | Makes assertions about a password reset triggering IP flood control. | ||||
UserPasswordResetTest::assertValidPasswordReset | public | function | Helper function to make assertions about a valid password reset. | ||||
UserPasswordResetTest::getResetURL | public | function | Retrieves password reset email and extracts the login link. | ||||
UserPasswordResetTest::languagePrefixTestProvider | protected | function | Provides scenarios for testUserPasswordResetPreferredLanguage(). | ||||
UserPasswordResetTest::setUp | protected | function | Overrides BrowserTestBase::setUp | ||||
UserPasswordResetTest::testResetFormHasAutocompleteAttribute | public | function | Test the autocomplete attribute is present. | ||||
UserPasswordResetTest::testResetImpersonation | public | function | Make sure that users cannot forge password reset URLs of other users. | ||||
UserPasswordResetTest::testUserPasswordReset | public | function | Tests password reset functionality. | ||||
UserPasswordResetTest::testUserPasswordResetLoggedIn | public | function | Tests user password reset while logged in. | ||||
UserPasswordResetTest::testUserPasswordResetPreferredLanguage | public | function | Tests password reset functionality when user has set preferred language. | ||||
UserPasswordResetTest::testUserResetPasswordIpFloodControl | public | function | Tests password reset flood control for one IP. | ||||
UserPasswordResetTest::testUserResetPasswordTextboxNotFilled | public | function | Tests the text box on incorrect login via link to password reset page. | ||||
UserPasswordResetTest::testUserResetPasswordUserFloodControl | public | function | Tests password reset flood control for one user. | ||||
UserPasswordResetTest::testUserResetPasswordUserFloodControlAdmin | public | function | Tests user password reset flood control is cleared on admin reset. | ||||
UserPasswordResetTest::testUserResetPasswordUserFloodControlIsCleared | public | function | Tests user password reset flood control is cleared on successful reset. | ||||
XdebugRequestTrait::extractCookiesFromRequest | protected | function | Adds xdebug cookies, from request setup. |
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.