function UserPasswordResetTest::testUserPasswordResetLoggedIn

Same name in other branches
  1. 9 core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordResetLoggedIn()
  2. 8.9.x core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordResetLoggedIn()
  3. 11.x core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordResetLoggedIn()

Tests user password reset while logged in.

File

core/modules/user/tests/src/Functional/UserPasswordResetTest.php, line 329

Class

UserPasswordResetTest
Ensure that password reset methods work as expected.

Namespace

Drupal\Tests\user\Functional

Code

public function testUserPasswordResetLoggedIn(): void {
  $another_account = $this->drupalCreateUser();
  $this->drupalLogin($another_account);
  $this->drupalGet('user/password');
  $this->submitForm([], 'Submit');
  // Capture the one-time reset URL that was issued for $another_account.
  $resetURL = $this->getResetURL();
  // Log in as a different user and try to use that link: the site must
  // refuse it and tell the user to log out first.
  $this->drupalLogin($this->account);
  $this->drupalGet($resetURL);
  $this->assertSession()->pageTextContains("Another user ({$this->account->getAccountName()}) is already logged into the site on this computer, but you tried to use a one-time link for user {$another_account->getAccountName()}. Log out and try using the link again.");
  $this->assertSession()->linkExists('Log out');
  $this->assertSession()->linkByHrefExists(Url::fromRoute('user.logout')->toString());
  // Verify that the invalid password reset page does not show the user name
  // (a forged link with a bogus timestamp and hash must not leak it).
  $attack_reset_url = "user/reset/" . $another_account->id() . "/1/1";
  $this->drupalGet($attack_reset_url);
  $this->assertSession()->pageTextNotContains($another_account->getAccountName());
  $this->assertSession()->addressEquals('user/' . $this->account->id());
  $this->assertSession()->pageTextContains('The one-time login link you clicked is invalid.');
  // Once the account behind the link is deleted, the link is invalid too.
  $another_account->delete();
  $this->drupalGet($resetURL);
  $this->assertSession()->pageTextContains('The one-time login link you clicked is invalid.');
  // Log in.
  $this->drupalLogin($this->account);
  // Reset the password by username via the password reset page.
  $this->drupalGet('user/password');
  $this->submitForm([], 'Submit');
  // Click the reset URL while logged in and change our password.
  $resetURL = $this->getResetURL();
  $this->drupalGet($resetURL);
  $this->submitForm([], 'Log in');
  // Change the password.
  $password = \Drupal::service('password_generator')->generate();
  $edit = [
    'pass[pass1]' => $password,
    'pass[pass2]' => $password,
  ];
  $this->submitForm($edit, 'Save');
  $this->assertSession()->pageTextContains('The changes have been saved.');
  // Logged in users should not be able to access the user.reset.login or the
  // user.reset.form routes, even with a correctly hashed, unexpired link.
  $timestamp = \Drupal::time()->getRequestTime() - 1;
  $this->drupalGet("user/reset/" . $this->account->id() . "/{$timestamp}/" . user_pass_rehash($this->account, $timestamp) . '/login');
  $this->assertSession()->statusCodeEquals(403);
  $this->drupalGet("user/reset/" . $this->account->id());
  $this->assertSession()->statusCodeEquals(403);
}
