diff --git a/core/modules/user/src/Controller/MailChangeController.php b/core/modules/user/src/Controller/MailChangeController.php
index 623a49b64f..91dc4ff940 100644
--- a/core/modules/user/src/Controller/MailChangeController.php
+++ b/core/modules/user/src/Controller/MailChangeController.php
@@ -61,9 +61,7 @@ public function page(UserInterface $user, $new_mail, $timestamp, $hash) {
 $timeout = $this->config('user.settings')->get('mail_change_timeout');
 /** @var \Drupal\Core\Session\AccountProxyInterface $current_user */
 $current_user = $this->currentUser();
- // Use the request time with microsecond precision for comparision, ensuring
- // that, if the link is reused within a second, the link becomes expired.
- $request_microtime = $this->dateTime->getRequestMicroTime();
+ $request_time = $this->dateTime->getRequestTime();
 $messenger = $this->messenger();
 // Other user is authenticated.
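Review bot: The added `$request_time = $this->dateTime->getRequestTime();` line replaces the only comment that explained which clock this method compares against, and nothing now says that this value is whole seconds or that the same variable is later stored via `setLastLoginTime($request_time)` in the second hunk. Since the expiry and validity branches and the last-login write all depend on that one value, a short note at the assignment would keep the next reader from reintroducing a second clock read: `// Request time in whole seconds: it drives the expiry/validity checks below and is also stored as the last login time once the change is confirmed.` The body of page() continues outside this hunk.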
@@ -75,14 +73,13 @@ public function page(UserInterface $user, $new_mail, $timestamp, $hash) {
 $messenger->addError($this->t('You are currently logged in as %user, and are attempting to confirm an email address change for another account. Please log out and try using the link again.', $arguments));
 }
 // The link has expired.
- elseif ($request_microtime - $timestamp > $timeout) {
+ elseif ($request_time - $timestamp > $timeout) {
 $messenger->addError($this->t('You have tried to use an email address change link that has expired. Please visit your account and change your email again.'));
 }
 // The link is valid.
- elseif ($timestamp <= $request_microtime && $timestamp >= $user->getLastLoginTime() && Crypt::hashEquals($hash, user_pass_rehash($user, $timestamp, $new_mail))) {
+ elseif ($timestamp <= $request_time && $timestamp >= $user->getLastLoginTime() && Crypt::hashEquals($hash, user_pass_rehash($user, $timestamp, $new_mail))) {
 // Save the new email but refresh also the last login time so that this
 // mail change link gets expired.
- $request_time = $this->dateTime->getRequestTime();
 $user->setEmail($new_mail)->setLastLoginTime($request_time)->save();
 /** @var \Drupal\user\UserStorageInterface $user_storage */
 $user_storage = $this->entityTypeManager()->getStorage('user');
diff --git a/core/modules/user/tests/src/Functional/UserMailChangeTest.php b/core/modules/user/tests/src/Functional/UserMailChangeTest.php
index 8cd7c1dd5a..bd5d0e6aad 100644
--- a/core/modules/user/tests/src/Functional/UserMailChangeTest.php
+++ b/core/modules/user/tests/src/Functional/UserMailChangeTest.php
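Review bot: The validity branch keeps the inclusive `$timestamp >= $user->getLastLoginTime()` while both operands are now whole seconds, so a confirmation that lands in the same second as the link's `$timestamp` leaves `getLastLoginTime()` equal to `$timestamp` and the last-login guard alone does not reject a repeat use of that link within the same second; whether the `Crypt::hashEquals()` check catches it depends on what `user_pass_rehash()` folds in, which is outside this hunk. The removed microsecond comparison did not close this either (it only affected the `<=` side against an integer URL timestamp), so this is pre-existing rather than introduced here, and the test's `sleep(1)` suggests it is known. I would record it where the last login time is written, e.g. above `$user->setEmail($new_mail)->setLastLoginTime($request_time)->save();`: `// Second granularity: a link issued in the same second as this confirmation still passes the last-login check, so reuse within that second relies on the hash comparison.` The `elseif` chain and the method continue outside the hunk.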
@@ -52,10 +52,10 @@ public function testMailChange() {
 // is posted. A human cannot login, edit the account and post the changes
 // within the same second. But tests occasionally are running all steps in
 // the same timestamp, so that the mail change URL timestamp equals the user
- // last login timestamp. Later, in this test, when we try to reuse the
- // expired link, we're still within the timestamp when the user last has
- // logged in and we cannot experience a time difference as the user last
- // login time has seconds as granularity.
+ // last login timestamp. Later, in this test, when the user tries to reuse
+ // the expired link, the test is still within the timestamp when the user
+ // has logged in and a time difference cannot be experienced a because the
+ // user last login time has seconds as granularity.
 sleep(1);
 // Change the user email address.
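Review bot: The rewritten comment introduces a stray word on its third added line, "cannot be experienced a because the", which reads as a typo rather than intent. The line should be `// has logged in and a time difference cannot be experienced because the`. The reworded sentence also drops "last" from "when the user last has logged in"; if the distinction between the login that issued the link and any later login matters to the test, keep it as "when the user last logged in". testMailChange() continues outside the hunk.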