diff --git a/core/modules/user/lib/Drupal/user/Tests/UserEditTest.php b/core/modules/user/lib/Drupal/user/Tests/UserEditTest.php index 6bf60bc..0a5fcd5 100644 --- a/core/modules/user/lib/Drupal/user/Tests/UserEditTest.php +++ b/core/modules/user/lib/Drupal/user/Tests/UserEditTest.php @@ -99,4 +99,30 @@ class UserEditTest extends WebTestBase { $this->drupalPost("user/$user1->uid/edit", array('mail' => ''), t('Save')); $this->assertRaw(t("The changes have been saved.")); } + + /** + * Check that existing users whose username matches another user's email + * address or vice versa are not forced to update their username or email + * address. + */ + function testUserEditWithConflicts() { + $user_with_email = $this->drupalCreateUser(); + $user_with_name = $this->drupalCreateUser(); + + // Change the second user's username to the same value as the first user's + // email address. + $user_with_name->name = $user_with_email->mail; + $user_with_name->save(); + + // Test that the first user can save their account with no errors. + $this->drupalLogin($user_with_email); + $this->drupalPost("user/$user_with_email->uid/edit", array(), t('Save')); + $this->assertText(t("The changes have been saved."), "The user does not need to change their username if it matches another user's email address."); + $this->drupalLogout(); + + // Test that the second user can save their account with no errors. + $this->drupalLogin($user_with_name); + $this->drupalPost("user/$user_with_name->uid/edit", array(), t('Save')); + $this->assertText(t("The changes have been saved."), "The user does not need to change their email address if it matches another user's username."); + } } diff --git a/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php b/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php index 575409f..85a95ef 100644 --- a/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php +++ b/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php @@ -24,6 +24,60 @@ class UserPasswordResetTest extends WebTestBase { } /** + * Attempts to reset a password when an email address matches two accounts. + */ + function testUserPasswordResetDuplicateUsers() { + // Don't require email validation for new accounts. + variable_set('user_email_verification', FALSE); + + // Don't require admin approval for new accounts. + variable_set('user_register', USER_REGISTER_VISITORS); + + // Create two users. + $user_with_email = $this->drupalCreateUser(); + $user_with_name = $this->drupalCreateUser(); + + // Change the second user's username to the same value as the first user's + // email address. + $user_with_name->name = $user_with_email->mail; + $user_with_name->save(); + + // Try and reset based on the duplicated email. + $edit = array(); + $edit['name'] = $user_with_email->mail; + $this->drupalPost('user/password', $edit, t('E-mail new password')); + // There should be a field prompting the user to pick and account. + $this->assertField('choose_account', 'User is prompted to pick an account when email matches two accounts.'); + // We should be sure to not expose another user's email to the user. + $this->assertNoText($user_with_name->mail, "Duplicated user's email is not exposed to the other user."); + + // Select the account with the username matching the entered email. + $edit = array(); + $edit['choose_account'] = drupal_hash_base64(drupal_get_hash_salt() . $user_with_email->uid); + $this->drupalPost(NULL, $edit, t('E-mail new password')); + $this->assertText(t('Further instructions have been sent to your e-mail address.'), 'User is notified that password reset was sent.'); + + // Make sure that right user was sent a reset email. + $this->assertEqual(count($this->drupalGetMails(array('key' => 'password_reset', 'to' => $user_with_email->mail))), 1, 'The right user was sent a password reset mail.'); + // Make sure that the other user was not sent an email. + $this->assertEqual(count($this->drupalGetMails(array('key' => 'password_reset', 'to' => $user_with_name->mail))), 0, 'The other user was not sent a password reset mail.'); + + // If the user is logged in, they should not have to choose an account to + // reset their password. + $this->drupalLogin($user_with_name); + $this->drupalGet('user/password'); + // There should not be a form element for name. + $this->assertNoField('name', 'Duplicate user is not asked for a name when resetting password while logged in.'); + $this->drupalPost(NULL, array(), t('E-mail new password')); + // Make sure the user with the matching username was sent an email. + $this->assertText(t('Further instructions have been sent to your e-mail address.'), 'User is notified that password reset was sent when logged in.'); + $this->assertEqual(count($this->drupalGetMails(array('key' => 'password_reset', 'to' => $user_with_name->mail))), 1, 'The right user was sent a password reset mail when logged in.'); + // Make sure that the user with the matching email address was not sent an + // email. (An email was already sent to this user earlier.) + $this->assertEqual(count($this->drupalGetMails(array('key' => 'password_reset', 'to' => $user_with_email->mail))), 1, 'The other user was not sent a password reset mail when logged in.'); + } + + /** * Tests password reset functionality. */ function testUserPasswordReset() { diff --git a/core/modules/user/lib/Drupal/user/Tests/UserRegistrationTest.php b/core/modules/user/lib/Drupal/user/Tests/UserRegistrationTest.php index 56ad9a0..b51d941 100644 --- a/core/modules/user/lib/Drupal/user/Tests/UserRegistrationTest.php +++ b/core/modules/user/lib/Drupal/user/Tests/UserRegistrationTest.php @@ -137,6 +137,43 @@ class UserRegistrationTest extends WebTestBase { $this->assertText(t('The e-mail address @email is already registered.', array('@email' => $duplicate_user->mail)), t('Supplying a duplicate email address with added whitespace displays an error message')); } + /** + * Ensure that a new account cannot be created when the username matches an + * existing user's email address, or when the email address matches an + * existing user's username. + */ + function testRegistrationConflicts() { + // Don't require e-mail verification. + variable_set('user_email_verification', FALSE); + + // Allow registration by site visitors without administrator approval. + variable_set('user_register', USER_REGISTER_VISITORS); + + // Set up a user to check for duplicates. + $duplicate_user = $this->drupalCreateUser(); + + $edit = array(); + $edit['name'] = $duplicate_user->mail; + $edit['mail'] = $this->randomName() . '@example.com'; + + // Attempt to create a new account using a username that matches an + // existing email. + $this->drupalPost('user/register', $edit, t('Create new account')); + $this->assertText(t('The name @name is already taken.', array('@name' => $edit['name'])), "A user cannot be created when their username matches an existing user's email address."); + + // Change the username to an email address. + $duplicate_user->name = $name = $this->randomName() . '@example.com'; + $duplicate_user->save(); + + $edit['name'] = $this->randomName(); + $edit['mail'] = $name; + + // Attempt to create a new account using an email that matches an existing + // username. + $this->drupalPost('user/register', $edit, t('Create new account')); + $this->assertText(t('The e-mail address @email is already registered.', array('@email' => $edit['mail'])), "A user cannot be created when their email address matches an existing username."); + } + function testRegistrationDefaultValues() { // Allow registration by site visitors without administrator approval. variable_set('user_register', USER_REGISTER_VISITORS);