diff --git a/core/modules/user/src/Controller/UserController.php b/core/modules/user/src/Controller/UserController.php
index 0243c33..d6f897f 100644
--- a/core/modules/user/src/Controller/UserController.php
+++ b/core/modules/user/src/Controller/UserController.php
@@ -93,7 +93,7 @@ public function resetPass($uid, $timestamp, $hash) {
if ($account->isAuthenticated()) {
// The current user is already logged in.
if ($account->id() == $uid) {
- drupal_set_message($this->t('You are logged in as %user. Change your password.', array('%user' => $account->getUsername(), '@user_edit' => $this->url('entity.user.edit_form', array('user' => $account->id())))));
+ user_logout();
}
// A different user is already logged in on the computer.
else {
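Review bot: `user_logout()` on line 10 runs before the link's `$timestamp` and `$hash` have been checked, so any URL on this route that names the viewer's own `$uid` now ends their session even when the hash is garbage — a forced logout that a third party can trigger with a crafted link, where the old code only printed a message. Checking the link first (timestamp window and hash) and falling into the existing "invalid" message path when it fails, logging out only on success, keeps that property. Separately, `user_logout()` destroys the session, yet the code that follows in the same request still calls `drupal_set_message()` and builds the reset form; it is worth confirming those survive the session destruction, or redirecting back to this same reset route with the same `$uid`, `$timestamp` and `$hash` straight after the logout so the validation runs in a fresh anonymous request. `resetPass()` starts before and continues after this hunk.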
@@ -105,31 +105,31 @@ public function resetPass($uid, $timestamp, $hash) {
// Invalid one-time link specifies an unknown user.
drupal_set_message($this->t('The one-time login link you clicked is invalid.'));
}
+ return $this->redirect('');
}
- return $this->redirect('');
}
- else {
- // The current user is not logged in, so check the parameters.
- // Time out, in seconds, until login URL expires.
- $timeout = $config->get('password_reset_timeout');
- $current = REQUEST_TIME;
- /* @var \Drupal\user\UserInterface $user */
- $user = $this->userStorage->load($uid);
- // Verify that the user exists and is active.
- if ($user && $user->isActive()) {
- // No time out for first time login.
- if ($user->getLastLoginTime() && $current - $timestamp > $timeout) {
- drupal_set_message($this->t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
- return $this->redirect('user.pass');
- }
- elseif ($user->isAuthenticated() && ($timestamp >= $user->getLastLoginTime()) && ($timestamp <= $current) && ($hash === user_pass_rehash($user->getPassword(), $timestamp, $user->getLastLoginTime(), $user->id()))) {
- $expiration_date = $user->getLastLoginTime() ? $this->dateFormatter->format($timestamp + $timeout) : NULL;
- return $this->formBuilder()->getForm('Drupal\user\Form\UserPasswordResetForm', $user, $expiration_date, $timestamp, $hash);
- }
- else {
- drupal_set_message($this->t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'));
- return $this->redirect('user.pass');
- }
+ // The current user is not logged in, so check the parameters.
+ // Time out, in seconds, until login URL expires.
+ $timeout = $config->get('password_reset_timeout');
+ $current = REQUEST_TIME;
+
+ /* @var \Drupal\user\UserInterface $user */
+ $user = $this->userStorage->load($uid);
+
+ // Verify that the user exists and is active.
+ if ($user && $user->isActive()) {
+ // No time out for first time login.
+ if ($user->getLastLoginTime() && $current - $timestamp > $timeout) {
+ drupal_set_message($this->t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
+ return $this->redirect('user.pass');
+ }
+ elseif ($user->isAuthenticated() && ($timestamp >= $user->getLastLoginTime()) && ($timestamp <= $current) && ($hash === user_pass_rehash($user->getPassword(), $timestamp, $user->getLastLoginTime(), $user->id()))) {
+ $expiration_date = $user->getLastLoginTime() ? $this->dateFormatter->format($timestamp + $timeout) : NULL;
+ return $this->formBuilder()->getForm('Drupal\user\Form\UserPasswordResetForm', $user, $expiration_date, $timestamp, $hash);
+ }
+ else {
+ drupal_set_message($this->t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'));
+ return $this->redirect('user.pass');
}
}
// Blocked or invalid user ID, so deny access. The parameters will be in the
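Review bot: The link check on line 59 compares the caller-supplied `$hash` with the recomputed value using `===`, which stops at the first differing byte; now that this branch is also the path a just-logged-out user lands on, it is a good moment to make it constant-time, e.g. `hash_equals(user_pass_rehash($user->getPassword(), $timestamp, $user->getLastLoginTime(), $user->id()), $hash)` (or the project's equivalent helper if PHP 5.6 is not the floor). The comment on line 44, "The current user is not logged in, so check the parameters", is now true for two reasons — the visitor was anonymous, or the logout on line 10 just ran — and should say so: `// The current user is not logged in (or was just logged out above), so check the parameters.` The enclosing `resetPass()` continues past the end of this hunk.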
diff --git a/core/modules/user/src/Tests/UserPasswordResetTest.php b/core/modules/user/src/Tests/UserPasswordResetTest.php
index 90bdee8..3db2c00 100644
--- a/core/modules/user/src/Tests/UserPasswordResetTest.php
+++ b/core/modules/user/src/Tests/UserPasswordResetTest.php
@@ -57,6 +57,7 @@ protected function setUp() {
$this->drupalLogin($account);
$this->account = User::load($account->id());
+ $this->account->pass_raw = $account->pass_raw;
$this->drupalLogout();
// Set the last login time that is used to generate the one-time link so
@@ -168,6 +169,29 @@ public function getResetURL() {
}
/**
+ * Test user password reset while logged in.
+ */
+ public function testUserPasswordResetLoggedIn() {
+ // Log in.
+ $this->drupalLogin($this->account);
+
+ // Reset the password by username via the password reset page.
+ $this->drupalGet('user/password');
+ $this->drupalPostForm(NULL, NULL, t('Submit'));
+
+ // Click the reset URL while logged and change our password.
+ $resetURL = $this->getResetURL();
+ $this->drupalGet($resetURL);
+ $this->drupalPostForm(NULL, NULL, t('Log in'));
+
+ // Change the password.
+ $password = user_password();
+ $edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password);
+ $this->drupalPostForm(NULL, $edit, t('Save'));
+ $this->assertText(t('The changes have been saved.'), 'Password changed.');
+ }
+
+ /**
* Prefill the text box on incorrect login via link to password reset page.
*/
public function testUserResetPasswordTextboxFilled() {
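Review bot: `testUserPasswordResetLoggedIn()` proves only the happy path — a logged-in user with a valid link can change the password — and never exercises the new logged-in behaviour with a bad link, which is exactly where the controller now logs the user out before validating anything. A companion case that logs in, fetches `getResetURL()`, tampers with the hash segment, requests it and asserts the "one-time login link you clicked is invalid" style message (and whether the session is still authenticated) would pin down the intended outcome for that path. The test also stops at the "The changes have been saved." message; confirming the new password actually took effect is a couple of lines: `$this->account->pass_raw = $password; $this->drupalLogout(); $this->drupalLogin($this->account);`.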