Usability: if a user has just failed a login, default their username on password reset [#1952196]

Comment	File	Size	Author
#45	1952196_easier_password_recovery_44.patch	2.55 KB	greggles
#39	1952196_easier_password_recovery_d7-no-not-test.patch	1.25 KB	greggles
#36	1952196_easier_password_recovery_36.patch	2.46 KB	greggles
#32	1952196_easier_password_recovery_32.patch	2.46 KB	greggles
#30	1952196_easier_password_recovery_30.patch	2.46 KB	greggles
#29	1952196_easier_password_recovery_26.patch	2.52 KB	greggles
#28	1952196_easier_password_recovery_26.patch	2.52 KB	greggles
#19	1952196_easier_password_recovery_19.patch	2.47 KB	greggles
#18	userpassword-reset-namefill-1952196-17.patch	4.89 KB	sandhya.m
#16	username-autofill-resetpw-1952196-16.patch	2.46 KB	sandhya.m
#13	username-autofill-resetpw-1952196-13.patch	1.13 KB	sandhya.m
#11	username-autofill-resetpw-1952196-11.patch	1.11 KB	sandhya.m
#10	1952196-username-autofill-resetpw.patch	1.11 KB	sandhya.m
#1	1952196_easier_password_recovery.patch	1.32 KB	greggles

Status	File	Size
new	1952196_easier_password_recovery.patch	1.32 KB

Comment #2

25 March 2013 at 16:04

Status:

Needs review

» Needs work

The last submitted patch, 1952196_easier_password_recovery.patch, failed testing.

Log in or register to post comments

Comment #3

greggles

he/him

English

Denver, Colorado, USA

commented 25 March 2013 at 16:21

Status:

Needs work

» Needs review

#1: 1952196_easier_password_recovery.patch queued for re-testing.

Log in or register to post comments

Comment #4

oresh commented 26 March 2013 at 07:18

Status:

Needs review

» Reviewed & tested by the community

Patch applied, works good.
Better add Usability tag to it, and talk to guys at #drupal-usability on IRC, to get your patch applied.
Thanks.

Log in or register to post comments

Comment #5

greggles

he/him

English

Denver, Colorado, USA

commented 26 March 2013 at 13:30

Issue tags:

+Usability

Log in or register to post comments

Comment #6

Bojhan commented 26 March 2013 at 15:49

Sounds good, lets get this in!

Log in or register to post comments

Comment #7

xjm

she/her

English

commented 27 March 2013 at 02:59

Status:	Reviewed & tested by the community	» Needs work
Issue tags:		+Needs tests

I think we can add a test for this?

Log in or register to post comments

Comment #8

greggles

he/him

English

Denver, Colorado, USA

commented 27 March 2013 at 03:04

Sure, a test for displaying the message or a test that the default from the url works or both?

Log in or register to post comments

Comment #9

xjm

she/her

English

commented 27 March 2013 at 14:31

For the default value. Thanks! :)

Log in or register to post comments

Status	File	Size
new	1952196-username-autofill-resetpw.patch	1.11 KB

Comment #11

sandhya.m commented 14 April 2013 at 21:53

Status:

Needs work

» Needs review

Status	File	Size
new	username-autofill-resetpw-1952196-11.patch	1.11 KB

Changed the patch file name.

Log in or register to post comments

Comment #12

14 April 2013 at 16:36

Status:

Needs review

» Needs work

The last submitted patch, username-autofill-resetpw-1952196-11.patch, failed testing.

Log in or register to post comments

Comment #13

sandhya.m commented 14 April 2013 at 21:55

Status:

Needs review

» Needs work

Status	File	Size
new	username-autofill-resetpw-1952196-13.patch	1.13 KB

Changed patch attached.

Log in or register to post comments

Comment #14

sandhya.m commented 14 April 2013 at 21:58

Status:

Needs work

» Needs review

Log in or register to post comments

Comment #15

14 April 2013 at 23:17

Status:

Needs review

» Needs work

The last submitted patch, username-autofill-resetpw-1952196-13.patch, failed testing.

Log in or register to post comments

Status	File	Size
new	username-autofill-resetpw-1952196-16.patch	2.46 KB

Comment #17

15 April 2013 at 23:58

Status:

Needs review

» Needs work

The last submitted patch, username-autofill-resetpw-1952196-16.patch, failed testing.

Log in or register to post comments

Status	File	Size
new	userpassword-reset-namefill-1952196-17.patch	4.89 KB

Comment #19

greggles

he/him

English

Denver, Colorado, USA

commented 19 April 2013 at 14:29

Status	File	Size
new	1952196_easier_password_recovery_19.patch	2.47 KB

#18 looks pretty solid to me. It adds a test for the "Sorry, unrecognized username or password" which we weren't testing before. However, it wasn't testing that the name gets added into the link and I think as long as we're going to test that message we should ensure the name is in there. So, attached is an updated patch based on #18 that uses assertRaw to look for the proper link.

@xjm - care to review/rtbc?

Log in or register to post comments

Comment #20

greggles

he/him

English

Denver, Colorado, USA

commented 19 April 2013 at 14:30

Oh, I also removed an extra * on the closing comment tag of the docblock of the test and tried to make the comment in the docblock of the test a little more descriptive.

Log in or register to post comments

Comment #21

greggles

he/him

English

Denver, Colorado, USA

commented 19 April 2013 at 19:15

One more note: in case you are curious why sandhya.m's file is about twice as large as mine - it's because it's utf16 (thanks to heine for helping me understand that).

Log in or register to post comments

Comment #22

greggles

he/him

English

Denver, Colorado, USA

commented 21 April 2013 at 04:29

Status:

Needs review

» Reviewed & tested by the community

Hey, why not just do this again...

Log in or register to post comments

Comment #23

webchick

she/they

English

Vancouver 🇨🇦

commented 21 April 2013 at 19:46

Status:

Reviewed & tested by the community

» Needs work

Since this was RTBCed by the security team lead, I assume this is not a problem, but:

+++ b/core/modules/user/user.pages.incundefined
@@ -38,6 +38,9 @@ function user_pass() {
+  else {
+    $form['name']['#default_value'] = isset($_GET['name']) ? $_GET['name'] : '';
+  }

Is that cool? Don't we need check_plain() at least?

Also, (in D8 at least, if not also D7) referencing $GET directly is a no-no. I'm not sure what the Symfonic equivalent of it is anymore... maybe Drupal::request()->getSomething?

Log in or register to post comments

Comment #24

webchick

she/they

English

Vancouver 🇨🇦

commented 21 April 2013 at 19:46

Oh, that said, this is an awesome improvement! :)

Log in or register to post comments

Comment #25

greggles

he/him

English

Denver, Colorado, USA

commented 21 April 2013 at 22:49

Is that cool? Don't we need check_plain() at least?

I don't think so, but happy to be corrected. I make mistakes. There are lots of places where we use user supplied text into a textfield's default value without any sanitizing e.g. editing of node titles, text fields etc.

Berdir said the right thing to use is "Drupal::request() if it's not within a class/service that can get it injected."

I don't know how to judge if it should get injected, so I guess it's good this is up to sandhya.m.

Log in or register to post comments

Comment #26

dawehner

German

commented 22 April 2013 at 21:08

Issue tags:

-Needs tests

That's a nice improvement!

+++ b/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.phpundefined
@@ -108,4 +108,21 @@ public function getResetURL() {
+    $this->assertFieldByName('name',$edit['name'],'User name found.');

Missing spaces after the ","

Log in or register to post comments

Comment #27

ParisLiakos commented 22 April 2013 at 21:13

+++ b/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.phpundefined
@@ -108,4 +108,21 @@ public function getResetURL() {
+    $edit = array(
+      'name' => $this->randomName(),
+      'pass' => $this->randomName(),
+      );

indent is off

+++ b/core/modules/user/user.pages.incundefined
@@ -38,6 +38,9 @@ function user_pass() {
+    $form['name']['#default_value'] = isset($_GET['name']) ? $_GET['name'] : '';

should be
$form['name']['#default_value'] = Drupal::request()->query->get('name', '');

No need for the ternary:) you can pass the default value..if NULL is appropriate here, you can omit it

Log in or register to post comments

Comment #28

greggles

he/him

English

Denver, Colorado, USA

commented 22 April 2013 at 21:25

Status:	Needs work	» Needs review
Issue tags:		+Needs tests

Status	File	Size
new	1952196_easier_password_recovery_26.patch	2.52 KB

After getting 2 incorrect answers in #drupal-contribute a shining angel came to my rescue and gave me the advice I needed. Thank you, shining angel, for the pointer to the get function in http://api.symfony.com/2.0/Symfony/Component/HttpFoundation/Request.html

Log in or register to post comments

Comment #29

greggles

he/him

English

Denver, Colorado, USA

commented 22 April 2013 at 21:27

Status	File	Size
new	1952196_easier_password_recovery_26.patch	2.52 KB

Thanks dawehener and ParisLiakos for your reviews!

Incorporated into this patch.

Log in or register to post comments

Comment #30

greggles

he/him

English

Denver, Colorado, USA

commented 22 April 2013 at 21:31

Status	File	Size
new	1952196_easier_password_recovery_30.patch	2.46 KB

Log in or register to post comments

Comment #31

ParisLiakos commented 22 April 2013 at 21:34

+++ b/core/modules/user/user.pages.incundefined
@@ -38,6 +38,9 @@ function user_pass() {
+    $form['name']['#default_value'] = Drupal::Request()->get('name', '');

Doesnt request()->query->get() work?
Right from the link you posted:
http://api.symfony.com/2.0/Symfony/Component/HttpFoundation/Request.html...

Order of precedence: GET, PATH, POST, COOKIE
Avoid using this method in controllers:
* slow
* prefer to get from a "named" source

The query property holds $_GET:)

Log in or register to post comments

Comment #32

greggles

he/him

English

Denver, Colorado, USA

commented 22 April 2013 at 22:33

Status	File	Size
new	1952196_easier_password_recovery_32.patch	2.46 KB

Indeed it does work. Thanks for the advice ParisLiakos.

Log in or register to post comments

Comment #33

ParisLiakos commented 22 April 2013 at 22:45

Status:

Needs review

» Reviewed & tested by the community

looks good to go:)

Log in or register to post comments

Comment #34

22 April 2013 at 23:38

Status:

Reviewed & tested by the community

» Needs work

The last submitted patch, 1952196_easier_password_recovery_32.patch, failed testing.

Log in or register to post comments

Comment #35

webchick

she/they

English

Vancouver 🇨🇦

commented 23 April 2013 at 05:55

+++ b/core/modules/user/user.pages.incundefined
@@ -38,6 +38,9 @@ function user_pass() {
+  else {
+    $form['name']['#default_value'] = Drupal::Request()->query->get('foo');
+  }

Erm. :) I think 'name', not 'foo' :)

Log in or register to post comments

Comment #36

greggles

he/him

English

Denver, Colorado, USA

commented 23 April 2013 at 13:17

Status:

Needs work

» Needs review

Status	File	Size
new	1952196_easier_password_recovery_36.patch	2.46 KB

Zoinks.

I was testing to see if a non existant value would throw a notice and forgot to change it back. Whoops.

Edit: Oh, and tests passed locally this time so it should be all good.

Log in or register to post comments

Comment #37

greggles

he/him

English

Denver, Colorado, USA

commented 23 April 2013 at 15:09

Status:

Needs review

» Reviewed & tested by the community

Yay tests!

Log in or register to post comments

Comment #38

klonos

he/him

English

90% Melbourne, Australia - 10% Larissa, Greece

commented 24 April 2013 at 12:40

D7?

Log in or register to post comments

Comment #39

greggles

he/him

English

Denver, Colorado, USA

commented 24 April 2013 at 13:36

Issue tags:

-Needs tests

+Needs backport to D7

Status	File	Size
new	1952196_easier_password_recovery_d7-no-not-test.patch	1.25 KB

Yes, I think a backport makes sense though it's a bit early. Here's a patch for d7 from when I first worked on this issue. It will need the tests merged in, but that should be easy.