Test user password reset while logged in.

1 call to UserPasswordResetTestCase::testUserPasswordResetLoggedIn()
UserPasswordResetTestCase::testUserDirectLogin in modules/user/user.test
Test direct login link that bypasses the password reset form.

File

modules/user/user.test, line 738
Tests for user.module.

Class

UserPasswordResetTestCase
Tests resetting a user password.

Code

/**
 * Tests one-time login (password reset) links while a user is logged in.
 *
 * Three situations are exercised in order:
 * - a one-time link for a different account, which must be refused with a
 *   message asking the visitor to log out first;
 * - a forged link for that account, which must be rejected without showing
 *   the account name behind the uid in the URL;
 * - a link for the logged-in account itself, which must log the user in
 *   again and let the password be changed.
 *
 * @param bool $use_direct_login_link
 *   TRUE to generate a direct login link that skips the confirmation form,
 *   FALSE (default) to go through the "Reset password" confirm form.
 */
function testUserPasswordResetLoggedIn($use_direct_login_link = FALSE) {
  $other_account = $this->drupalCreateUser();
  $logged_in_account = $this->drupalCreateUser();
  $this->drupalLogin($logged_in_account);

  // Give the logged-in account a known-valid password before exercising
  // any reset link.
  user_save($logged_in_account, array('pass' => user_password()));

  // A one-time link for a different user must be refused while this
  // session belongs to $logged_in_account.
  $other_reset_url = $this->generateResetURL($other_account, $use_direct_login_link);
  $this->drupalGet($other_reset_url);
  $already_logged_in_message = t('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user. Please <a href="!logout">logout</a> and try using the link again.', array(
    '%other_user' => $logged_in_account->name,
    '%resetting_user' => $other_account->name,
    '!logout' => url('user/logout'),
  ));
  $this->assertRaw($already_logged_in_message);

  // A forged link (bogus timestamp and hash) must be rejected, and the
  // rejection page must not reveal which account the uid belongs to.
  $forged_reset_url = 'user/reset/' . $other_account->uid . '/1/1';
  $this->drupalGet($forged_reset_url);
  $this->assertNoText($other_account->name);
  $this->assertText('The one-time login link you clicked is invalid.');

  // Once the other account is deleted, its previously valid link must be
  // rejected as well.
  user_delete($other_account->uid);
  $this->drupalGet($other_reset_url);
  $this->assertText('The one-time login link you clicked is invalid.');

  // Now a one-time link for the account that is currently logged in.
  // Clear any leftover marker variable first so the checks below reflect
  // only this request.
  if ($use_direct_login_link) {
    $fapi_action = 'build';
  }
  else {
    $fapi_action = 'submit';
  }
  variable_del('user_test_pass_reset_form_' . $fapi_action . '_' . $logged_in_account->uid);
  $own_reset_url = $this->generateResetURL($logged_in_account, $use_direct_login_link);
  $this->drupalGet($own_reset_url);

  if ($use_direct_login_link) {
    // The form is never fully built: the user is logged out (session
    // destroyed) and redirected to the same URL, then logged in again and
    // redirected during form build.
    $form_built = variable_get('user_test_pass_reset_form_build_' . $logged_in_account->uid, FALSE);
    $this->assertFalse($form_built, 'The password reset form was never fully built.');
  }
  else {
    $confirm_url = $this->getConfirmURL($own_reset_url);
    $this->assertUrl($confirm_url, array(), 'The user is redirected to the reset password confirm form.');
    $this->assertText('Reset password');
    $this->drupalPost(NULL, NULL, t('Log in'));

    // The form was fully processed before redirecting.
    $form_submit_handled = variable_get('user_test_pass_reset_form_submit_' . $logged_in_account->uid, FALSE);
    $this->assertTrue($form_submit_handled, 'A custom submit handler executed.');
  }
  $this->assertText('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.');

  // The page the user lands on lets them replace the forgotten password.
  $new_pass = user_password();
  $password_edit = array(
    'pass[pass1]' => $new_pass,
    'pass[pass2]' => $new_pass,
  );
  $this->drupalPost(NULL, $password_edit, t('Save'));
  $this->assertText('The changes have been saved.');
}