function UserPasswordResetTest::testUserPasswordReset
Same name and namespace in other branches
- 9 core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordReset()
- 10 core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordReset()
- 11.x core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordReset()
Tests password reset functionality.
File
-
core/
modules/ user/ tests/ src/ Functional/ UserPasswordResetTest.php, line 76
Class
- UserPasswordResetTest
- Ensure that password reset methods work as expected.
Namespace
Drupal\Tests\user\FunctionalCode
public function testUserPasswordReset() {
// Verify that accessing the password reset form without having the session
// variables set results in an access denied message.
$this->drupalGet(Url::fromRoute('user.reset.form', [
'uid' => $this->account
->id(),
]));
$this->assertSession()
->statusCodeEquals(403);
// Try to reset the password for an invalid account.
$this->drupalGet('user/password');
$edit = [
'name' => $this->randomMachineName(),
];
$this->drupalPostForm(NULL, $edit, t('Submit'));
$this->assertNoValidPasswordReset($edit['name']);
// Reset the password by username via the password reset page.
$this->drupalGet('user/password');
$edit = [
'name' => $this->account
->getAccountName(),
];
$this->drupalPostForm(NULL, $edit, t('Submit'));
$this->assertValidPasswordReset($edit['name']);
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
// Ensure that the current url does not contain the hash and timestamp.
$this->assertUrl(Url::fromRoute('user.reset.form', [
'uid' => $this->account
->id(),
]));
$this->assertNull($this->drupalGetHeader('X-Drupal-Cache'));
// Ensure the password reset URL is not cached.
$this->drupalGet($resetURL);
$this->assertNull($this->drupalGetHeader('X-Drupal-Cache'));
// Check the one-time login page.
$this->assertText($this->account
->getAccountName(), 'One-time login page contains the correct username.');
$this->assertText(t('This login can be used only once.'), 'Found warning about one-time login.');
$this->assertTitle('Reset password | Drupal');
// Check successful login.
$this->drupalPostForm(NULL, NULL, t('Log in'));
$this->assertSession()
->linkExists(t('Log out'));
$this->assertTitle($this->account
->getAccountName() . ' | Drupal');
// Change the forgotten password.
$password = user_password();
$edit = [
'pass[pass1]' => $password,
'pass[pass2]' => $password,
];
$this->drupalPostForm(NULL, $edit, t('Save'));
$this->assertText(t('The changes have been saved.'), 'Forgotten password changed.');
// Verify that the password reset session has been destroyed.
$this->drupalPostForm(NULL, $edit, t('Save'));
$this->assertText(t("Your current password is missing or incorrect; it's required to change the Password."), 'Password needed to make profile changes.');
// Log out, and try to log in again using the same one-time link.
$this->drupalLogout();
$this->drupalGet($resetURL);
$this->drupalPostForm(NULL, NULL, t('Log in'));
$this->assertText(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'), 'One-time link is no longer valid.');
// Request a new password again, this time using the email address.
// Count email messages before to compare with after.
$before = count($this->drupalGetMails([
'id' => 'user_password_reset',
]));
$this->drupalGet('user/password');
$edit = [
'name' => $this->account
->getEmail(),
];
$this->drupalPostForm(NULL, $edit, t('Submit'));
$this->assertValidPasswordReset($edit['name']);
$this->assertCount($before + 1, $this->drupalGetMails([
'id' => 'user_password_reset',
]), 'Email sent when requesting password reset using email address.');
// Visit the user edit page without pass-reset-token and make sure it does
// not cause an error.
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
$this->drupalPostForm(NULL, NULL, t('Log in'));
$this->drupalGet('user/' . $this->account
->id() . '/edit');
$this->assertNoText('Expected user_string to be a string, NULL given');
$this->drupalLogout();
// Create a password reset link as if the request time was 60 seconds older than the allowed limit.
$timeout = $this->config('user.settings')
->get('password_reset_timeout');
$bogus_timestamp = REQUEST_TIME - $timeout - 60;
$_uid = $this->account
->id();
$this->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account, $bogus_timestamp));
$this->drupalPostForm(NULL, NULL, t('Log in'));
$this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.');
// Create a user, block the account, and verify that a login link is denied.
$timestamp = REQUEST_TIME - 1;
$blocked_account = $this->drupalCreateUser()
->block();
$blocked_account->save();
$this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp));
$this->assertSession()
->statusCodeEquals(403);
// Verify a blocked user can not request a new password.
$this->drupalGet('user/password');
// Count email messages before to compare with after.
$before = count($this->drupalGetMails([
'id' => 'user_password_reset',
]));
$edit = [
'name' => $blocked_account->getAccountName(),
];
$this->drupalPostForm(NULL, $edit, t('Submit'));
$this->assertRaw(t('%name is blocked or has not been activated yet.', [
'%name' => $blocked_account->getAccountName(),
]), 'Notified user blocked accounts can not request a new password');
$this->assertCount($before, $this->drupalGetMails([
'id' => 'user_password_reset',
]), 'No email was sent when requesting password reset for a blocked account');
// Verify a password reset link is invalidated when the user's email address changes.
$this->drupalGet('user/password');
$edit = [
'name' => $this->account
->getAccountName(),
];
$this->drupalPostForm(NULL, $edit, t('Submit'));
$old_email_reset_link = $this->getResetURL();
$this->account
->setEmail("1" . $this->account
->getEmail());
$this->account
->save();
$this->drupalGet($old_email_reset_link);
$this->drupalPostForm(NULL, NULL, t('Log in'));
$this->assertText(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'), 'One-time link is no longer valid.');
// Verify a password reset link will automatically log a user when /login is
// appended.
$this->drupalGet('user/password');
$edit = [
'name' => $this->account
->getAccountName(),
];
$this->drupalPostForm(NULL, $edit, t('Submit'));
$reset_url = $this->getResetURL();
$this->drupalGet($reset_url . '/login');
$this->assertSession()
->linkExists(t('Log out'));
$this->assertTitle($this->account
->getAccountName() . ' | Drupal');
// Ensure blocked and deleted accounts can't access the user.reset.login
// route.
$this->drupalLogout();
$timestamp = REQUEST_TIME - 1;
$blocked_account = $this->drupalCreateUser()
->block();
$blocked_account->save();
$this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
$this->assertSession()
->statusCodeEquals(403);
$blocked_account->delete();
$this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp) . '/login');
$this->assertSession()
->statusCodeEquals(403);
}Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.