You are here

Home » API reference » Drupal 8 » UserPasswordResetTest.php » UserPasswordResetTest

public function UserPasswordResetTest::testUserPasswordResetLoggedIn in Drupal 8

Same name and namespace in other branches
  1. 9 core/modules/user/tests/src/Functional/UserPasswordResetTest.php \Drupal\Tests\user\Functional\UserPasswordResetTest::testUserPasswordResetLoggedIn()

Test user password reset while logged in.

File

core/modules/user/tests/src/Functional/UserPasswordResetTest.php, line 224

Class

UserPasswordResetTest
Ensure that password reset methods work as expected.

Namespace

Drupal\Tests\user\Functional

Code

public function testUserPasswordResetLoggedIn() {
  $another_account = $this
    ->drupalCreateUser();
  $this
    ->drupalLogin($another_account);
  $this
    ->drupalGet('user/password');
  $this
    ->drupalPostForm(NULL, NULL, t('Submit'));

  // Click the reset URL while logged and change our password.
  $resetURL = $this
    ->getResetURL();

  // Log in as a different user.
  $this
    ->drupalLogin($this->account);
  $this
    ->drupalGet($resetURL);
  $this
    ->assertRaw(new FormattableMarkup('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user. Please <a href=":logout">log out</a> and try using the link again.', [
    '%other_user' => $this->account
      ->getAccountName(),
    '%resetting_user' => $another_account
      ->getAccountName(),
    ':logout' => Url::fromRoute('user.logout')
      ->toString(),
  ]));
  $another_account
    ->delete();
  $this
    ->drupalGet($resetURL);
  $this
    ->assertText('The one-time login link you clicked is invalid.');

  // Log in.
  $this
    ->drupalLogin($this->account);

  // Reset the password by username via the password reset page.
  $this
    ->drupalGet('user/password');
  $this
    ->drupalPostForm(NULL, NULL, t('Submit'));

  // Click the reset URL while logged and change our password.
  $resetURL = $this
    ->getResetURL();
  $this
    ->drupalGet($resetURL);
  $this
    ->drupalPostForm(NULL, NULL, t('Log in'));

  // Change the password.
  $password = user_password();
  $edit = [
    'pass[pass1]' => $password,
    'pass[pass2]' => $password,
  ];
  $this
    ->drupalPostForm(NULL, $edit, t('Save'));
  $this
    ->assertText(t('The changes have been saved.'), 'Password changed.');

  // Logged in users should not be able to access the user.reset.login or the
  // user.reset.form routes.
  $timestamp = REQUEST_TIME - 1;
  $this
    ->drupalGet("user/reset/" . $this->account
    ->id() . "/{$timestamp}/" . user_pass_rehash($this->account, $timestamp) . '/login');
  $this
    ->assertSession()
    ->statusCodeEquals(403);
  $this
    ->drupalGet("user/reset/" . $this->account
    ->id());
  $this
    ->assertSession()
    ->statusCodeEquals(403);
}