/**
* Tests password reset functionality.
*/
function testUserPasswordReset()
{
// Try to reset the password for an invalid account.
$this->drupalGet('user/password');
$edit = array('name' => $this->randomMachineName(32));
$this->drupalPostForm(NULL, $edit, t('Email new password'));
$this->assertText(t('Sorry, @name is not recognized as a username or an email address.', array('@name' => $edit['name'])), 'Validation error message shown when trying to request password for invalid account.');
$this->assertEqual(count($this->drupalGetMails(array('id' => 'user_password_reset'))), 0, 'No email was sent when requesting a password for an invalid account.');
// Reset the password by username via the password reset page.
$edit['name'] = $this->account->getUsername();
$this->drupalPostForm(NULL, $edit, t('Email new password'));
// Verify that the user was sent an email.
$this->assertMail('to', $this->account->getEmail(), 'Password email sent to user.');
$subject = t('Replacement login information for @username at @site', array('@username' => $this->account->getUsername(), '@site' => \Drupal::config('system.site')->get('name')));
$this->assertMail('subject', $subject, 'Password reset email subject is correct.');
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
// Check the one-time login page.
$this->assertText($this->account->getUsername(), 'One-time login page contains the correct username.');
$this->assertText(t('This login can be used only once.'), 'Found warning about one-time login.');
// Check successful login.
$this->drupalPostForm(NULL, NULL, t('Log in'));
$this->assertLink(t('Log out'));
$this->assertTitle(t('@name | @site', array('@name' => $this->account->getUsername(), '@site' => \Drupal::config('system.site')->get('name'))), 'Logged in using password reset link.');
// Change the forgotten password.
$password = user_password();
$edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password);
$this->drupalPostForm(NULL, $edit, t('Save'));
$this->assertText(t('The changes have been saved.'), 'Forgotten password changed.');
// Verify that the password reset session has been destroyed.
$this->drupalPostForm(NULL, $edit, t('Save'));
$this->assertText(t('Your current password is missing or incorrect; it\'s required to change the Password.'), 'Password needed to make profile changes.');
// Log out, and try to log in again using the same one-time link.
$this->drupalLogout();
$this->drupalGet($resetURL);
$this->assertText(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'), 'One-time link is no longer valid.');
// Request a new password again, this time using the email address.
$this->drupalGet('user/password');
// Count email messages before to compare with after.
$before = count($this->drupalGetMails(array('id' => 'user_password_reset')));
$edit = array('name' => $this->account->getEmail());
$this->drupalPostForm(NULL, $edit, t('Email new password'));
$this->assertTrue(count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before + 1, 'Email sent when requesting password reset using email address.');
// Create a password reset link as if the request time was 60 seconds older than the allowed limit.
$timeout = \Drupal::config('user.settings')->get('password_reset_timeout');
$bogus_timestamp = REQUEST_TIME - $timeout - 60;
$_uid = $this->account->id();
$this->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account->getPassword(), $bogus_timestamp, $this->account->getLastLoginTime()));
$this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.');
// Create a user, block the account, and verify that a login link is denied.
$timestamp = REQUEST_TIME - 1;
$blocked_account = $this->drupalCreateUser()->block();
$blocked_account->save();
$this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account->getPassword(), $timestamp, $blocked_account->getLastLoginTime()));
$this->assertResponse(403);
}
/**
* Verifies that you can disable individual search plugins.
*/
function testSearchModuleDisabling()
{
// Array of search plugins to test: 'keys' are the keywords to search for,
// and 'text' is the text to assert is on the results page.
$plugin_info = array('node_search' => array('keys' => 'pizza', 'text' => $this->searchNode->label()), 'user_search' => array('keys' => $this->searchUser->getUsername(), 'text' => $this->searchUser->getEmail()), 'dummy_search_type' => array('keys' => 'foo', 'text' => 'Dummy search snippet to display'));
$plugins = array_keys($plugin_info);
/** @var $entities \Drupal\search\SearchPageInterface[] */
$entities = entity_load_multiple('search_page');
// Disable all of the search pages.
foreach ($entities as $entity) {
$entity->disable()->save();
}
// Test each plugin if it's enabled as the only search plugin.
foreach ($entities as $entity_id => $entity) {
// Set this as default.
$this->drupalGet("admin/config/search/pages/manage/{$entity_id}/set-default");
// Run a search from the correct search URL.
$info = $plugin_info[$entity_id];
$this->drupalGet('search/' . $entity->getPath(), array('query' => array('keys' => $info['keys'])));
$this->assertResponse(200);
$this->assertNoText('no results', $entity->label() . ' search found results');
$this->assertText($info['text'], 'Correct search text found');
// Verify that other plugin search tab labels are not visible.
foreach ($plugins as $other) {
if ($other != $entity_id) {
$label = $entities[$other]->label();
$this->assertNoText($label, $label . ' search tab is not shown');
}
}
// Run a search from the search block on the node page. Verify you get
// to this plugin's search results page.
$terms = array('keys' => $info['keys']);
$this->submitGetForm('node', $terms, t('Search'));
$current = $this->getURL();
$expected = \Drupal::url('search.view_' . $entity->id(), array(), array('query' => array('keys' => $info['keys']), 'absolute' => TRUE));
$this->assertEqual($current, $expected, 'Block redirected to right search page');
// Try an invalid search path, which should 404.
$this->drupalGet('search/not_a_plugin_path');
$this->assertResponse(404);
$entity->disable()->save();
}
// Test with all search plugins enabled. When you go to the search
// page or run search, all plugins should be shown.
foreach ($entities as $entity) {
$entity->enable()->save();
}
// Set the node search as default.
$this->drupalGet('admin/config/search/pages/manage/node_search/set-default');
$paths = array(array('path' => 'search/node', 'options' => array('query' => array('keys' => 'pizza'))), array('path' => 'search/node', 'options' => array()));
foreach ($paths as $item) {
$this->drupalGet($item['path'], $item['options']);
foreach ($plugins as $entity_id) {
$label = $entities[$entity_id]->label();
$this->assertText($label, format_string('%label search tab is shown', array('%label' => $label)));
}
}
}
/**
* {@inheritdoc}
*/
public function submit(array $form, FormStateInterface $form_state)
{
// Cancel account immediately, if the current user has administrative
// privileges, no confirmation mail shall be sent, and the user does not
// attempt to cancel the own account.
if ($this->currentUser()->hasPermission('administer users') && empty($form_state['values']['user_cancel_confirm']) && $this->entity->id() != $this->currentUser()->id()) {
user_cancel($form_state['values'], $this->entity->id(), $form_state['values']['user_cancel_method']);
$form_state->setRedirect('user.admin_account');
} else {
// Store cancelling method and whether to notify the user in
// $this->entity for user_cancel_confirm().
$this->entity->user_cancel_method = $form_state['values']['user_cancel_method'];
$this->entity->user_cancel_notify = $form_state['values']['user_cancel_notify'];
$this->entity->save();
_user_mail_notify('cancel_confirm', $this->entity);
drupal_set_message($this->t('A confirmation request to cancel your account has been sent to your email address.'));
$this->logger('user')->notice('Sent account cancellation request to %name %email.', array('%name' => $this->entity->label(), '%email' => '<' . $this->entity->getEmail() . '>'));
$form_state->setRedirect('user.view', array('user' => $this->entity->id()));
}
}
/**
* {@inheritdoc}
*/
public function submitForm(array &$form, FormStateInterface $form_state)
{
// Cancel account immediately, if the current user has administrative
// privileges, no confirmation mail shall be sent, and the user does not
// attempt to cancel the own account.
if (!$form_state->isValueEmpty('access') && $form_state->isValueEmpty('user_cancel_confirm') && $this->entity->id() != $this->currentUser()->id()) {
user_cancel($form_state->getValues(), $this->entity->id(), $form_state->getValue('user_cancel_method'));
$form_state->setRedirectUrl($this->entity->urlInfo('collection'));
} else {
// Store cancelling method and whether to notify the user in
// $this->entity for
// \Drupal\user\Controller\UserController::confirmCancel().
$this->entity->user_cancel_method = $form_state->getValue('user_cancel_method');
$this->entity->user_cancel_notify = $form_state->getValue('user_cancel_notify');
$this->entity->save();
_user_mail_notify('cancel_confirm', $this->entity);
drupal_set_message($this->t('A confirmation request to cancel your account has been sent to your email address.'));
$this->logger('user')->notice('Sent account cancellation request to %name %email.', array('%name' => $this->entity->label(), '%email' => '<' . $this->entity->getEmail() . '>'));
$form_state->setRedirect('entity.user.canonical', array('user' => $this->entity->id()));
}
}
/**
* Tests access to the personal contact form.
*/
function testPersonalContactAccess()
{
// Test allowed access to admin user's contact form.
$this->drupalLogin($this->webUser);
$this->drupalGet('user/' . $this->adminUser->id() . '/contact');
$this->assertResponse(200);
// Check the page title is properly displayed.
$this->assertRaw(t('Contact @username', array('@username' => $this->adminUser->getDisplayName())));
// Test denied access to admin user's own contact form.
$this->drupalLogout();
$this->drupalLogin($this->adminUser);
$this->drupalGet('user/' . $this->adminUser->id() . '/contact');
$this->assertResponse(403);
// Test allowed access to user with contact form enabled.
$this->drupalLogin($this->webUser);
$this->drupalGet('user/' . $this->contactUser->id() . '/contact');
$this->assertResponse(200);
// Test that there is no access to personal contact forms for users
// without an email address configured.
$original_email = $this->contactUser->getEmail();
$this->contactUser->setEmail(FALSE)->save();
$this->drupalGet('user/' . $this->contactUser->id() . '/contact');
$this->assertResponse(404, 'Not found (404) returned when visiting a personal contact form for a user with no email address');
// Test that the 'contact tab' does not appear on the user profiles
// for users without an email address configured.
$this->drupalGet('user/' . $this->contactUser->id());
$contact_link = '/user/' . $this->contactUser->id() . '/contact';
$this->assertResponse(200);
$this->assertNoLinkByHref($contact_link, 'The "contact" tab is hidden on profiles for users with no email address');
// Restore original email address.
$this->contactUser->setEmail($original_email)->save();
// Test denied access to the user's own contact form.
$this->drupalGet('user/' . $this->webUser->id() . '/contact');
$this->assertResponse(403);
// Test always denied access to the anonymous user contact form.
$this->drupalGet('user/0/contact');
$this->assertResponse(403);
// Test that anonymous users can access the contact form.
$this->drupalLogout();
user_role_grant_permissions(RoleInterface::ANONYMOUS_ID, array('access user contact forms'));
$this->drupalGet('user/' . $this->contactUser->id() . '/contact');
$this->assertResponse(200);
// Test that anonymous users can access admin user's contact form.
$this->drupalGet('user/' . $this->adminUser->id() . '/contact');
$this->assertResponse(200);
$this->assertCacheContext('user');
// Revoke the personal contact permission for the anonymous user.
user_role_revoke_permissions(RoleInterface::ANONYMOUS_ID, array('access user contact forms'));
$this->drupalGet('user/' . $this->contactUser->id() . '/contact');
$this->assertResponse(403);
$this->assertCacheContext('user');
$this->drupalGet('user/' . $this->adminUser->id() . '/contact');
$this->assertResponse(403);
// Disable the personal contact form.
$this->drupalLogin($this->adminUser);
$edit = array('contact_default_status' => FALSE);
$this->drupalPostForm('admin/config/people/accounts', $edit, t('Save configuration'));
$this->assertText(t('The configuration options have been saved.'), 'Setting successfully saved.');
$this->drupalLogout();
// Re-create our contacted user with personal contact forms disabled by
// default.
$this->contactUser = $this->drupalCreateUser();
// Test denied access to a user with contact form disabled.
$this->drupalLogin($this->webUser);
$this->drupalGet('user/' . $this->contactUser->id() . '/contact');
$this->assertResponse(403);
// Test allowed access for admin user to a user with contact form disabled.
$this->drupalLogin($this->adminUser);
$this->drupalGet('user/' . $this->contactUser->id() . '/contact');
$this->assertResponse(200);
// Re-create our contacted user as a blocked user.
$this->contactUser = $this->drupalCreateUser();
$this->contactUser->block();
$this->contactUser->save();
// Test that blocked users can still be contacted by admin.
$this->drupalGet('user/' . $this->contactUser->id() . '/contact');
$this->assertResponse(200);
// Test that blocked users cannot be contacted by non-admins.
$this->drupalLogin($this->webUser);
$this->drupalGet('user/' . $this->contactUser->id() . '/contact');
$this->assertResponse(403);
// Test enabling and disabling the contact page through the user profile
// form.
$this->drupalGet('user/' . $this->webUser->id() . '/edit');
$this->assertNoFieldChecked('edit-contact--2');
$this->assertFalse(\Drupal::service('user.data')->get('contact', $this->webUser->id(), 'enabled'), 'Personal contact form disabled');
$this->drupalPostForm(NULL, array('contact' => TRUE), t('Save'));
$this->assertFieldChecked('edit-contact--2');
$this->assertTrue(\Drupal::service('user.data')->get('contact', $this->webUser->id(), 'enabled'), 'Personal contact form enabled');
// Test with disabled global default contact form in combination with a user
// that has the contact form enabled.
$this->config('contact.settings')->set('user_default_enabled', FALSE)->save();
$this->contactUser = $this->drupalCreateUser();
\Drupal::service('user.data')->set('contact', $this->contactUser->id(), 'enabled', 1);
$this->drupalGet('user/' . $this->contactUser->id() . '/contact');
$this->assertResponse(200);
}
/**
* {@inheritdoc}
*/
public function getEmail()
{
return $this->subject->getEmail();
}
/**
* Form constructor for the personal contact form.
*
* @param \Drupal\user\UserInterface $user
* The account for which a personal contact form should be generated.
*
* @return array
* The personal contact form as render array as expected by drupal_render().
*
* @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
* Exception is thrown when user tries to access a contact form for a
* user who does not have an e-mail address configured.
*/
public function contactPersonalPage(UserInterface $user)
{
// Do not continue if the user does not have an e-mail address configured.
if (!$user->getEmail()) {
throw new NotFoundHttpException();
}
$message = $this->entityManager()->getStorage('contact_message')->create(array('contact_form' => 'personal', 'recipient' => $user->id()));
$form = $this->entityFormBuilder()->getForm($message);
$form['#title'] = $this->t('Contact @username', array('@username' => $user->getUsername()));
$form['#cache']['contexts'][] = 'user.permissions';
return $form;
}
/**
* Tests password reset functionality.
*/
function testUserPasswordReset()
{
// Try to reset the password for an invalid account.
$this->drupalGet('user/password');
$edit = array('name' => $this->randomMachineName(32));
$this->drupalPostForm(NULL, $edit, t('Submit'));
$this->assertText(t('@name is not recognized as a username or an email address.', array('@name' => $edit['name'])), 'Validation error message shown when trying to request password for invalid account.');
$this->assertEqual(count($this->drupalGetMails(array('id' => 'user_password_reset'))), 0, 'No email was sent when requesting a password for an invalid account.');
// Reset the password by username via the password reset page.
$edit['name'] = $this->account->getUsername();
$this->drupalPostForm(NULL, $edit, t('Submit'));
// Verify that the user was sent an email.
$this->assertMail('to', $this->account->getEmail(), 'Password email sent to user.');
$subject = t('Replacement login information for @username at @site', array('@username' => $this->account->getUsername(), '@site' => $this->config('system.site')->get('name')));
$this->assertMail('subject', $subject, 'Password reset email subject is correct.');
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
$this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
// Ensure the password reset URL is not cached.
$this->drupalGet($resetURL);
$this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
// Check the one-time login page.
$this->assertText($this->account->getUsername(), 'One-time login page contains the correct username.');
$this->assertText(t('This login can be used only once.'), 'Found warning about one-time login.');
$this->assertTitle(t('Reset password | Drupal'), 'Page title is "Reset password".');
// Check successful login.
$this->drupalPostForm(NULL, NULL, t('Log in'));
$this->assertLink(t('Log out'));
$this->assertTitle(t('@name | @site', array('@name' => $this->account->getUsername(), '@site' => $this->config('system.site')->get('name'))), 'Logged in using password reset link.');
// Make sure the ajax request from uploading a user picture does not
// invalidate the reset token.
$image = current($this->drupalGetTestFiles('image'));
$edit = array('files[user_picture_0]' => drupal_realpath($image->uri));
$this->drupalPostAjaxForm(NULL, $edit, 'user_picture_0_upload_button');
// Change the forgotten password.
$password = user_password();
$edit = array('pass[pass1]' => $password, 'pass[pass2]' => $password);
$this->drupalPostForm(NULL, $edit, t('Save'));
$this->assertText(t('The changes have been saved.'), 'Forgotten password changed.');
// Verify that the password reset session has been destroyed.
$this->drupalPostForm(NULL, $edit, t('Save'));
$this->assertText(t('Your current password is missing or incorrect; it\'s required to change the Password.'), 'Password needed to make profile changes.');
// Log out, and try to log in again using the same one-time link.
$this->drupalLogout();
$this->drupalGet($resetURL);
$this->assertText(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'), 'One-time link is no longer valid.');
// Request a new password again, this time using the email address.
$this->drupalGet('user/password');
// Count email messages before to compare with after.
$before = count($this->drupalGetMails(array('id' => 'user_password_reset')));
$edit = array('name' => $this->account->getEmail());
$this->drupalPostForm(NULL, $edit, t('Submit'));
$this->assertTrue(count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before + 1, 'Email sent when requesting password reset using email address.');
// Visit the user edit page without pass-reset-token and make sure it does
// not cause an error.
$resetURL = $this->getResetURL();
$this->drupalGet($resetURL);
$this->drupalPostForm(NULL, NULL, t('Log in'));
$this->drupalGet('user/' . $this->account->id() . '/edit');
$this->assertNoText('Expected user_string to be a string, NULL given');
$this->drupalLogout();
// Create a password reset link as if the request time was 60 seconds older than the allowed limit.
$timeout = $this->config('user.settings')->get('password_reset_timeout');
$bogus_timestamp = REQUEST_TIME - $timeout - 60;
$_uid = $this->account->id();
$this->drupalGet("user/reset/{$_uid}/{$bogus_timestamp}/" . user_pass_rehash($this->account, $bogus_timestamp));
$this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.');
// Create a user, block the account, and verify that a login link is denied.
$timestamp = REQUEST_TIME - 1;
$blocked_account = $this->drupalCreateUser()->block();
$blocked_account->save();
$this->drupalGet("user/reset/" . $blocked_account->id() . "/{$timestamp}/" . user_pass_rehash($blocked_account, $timestamp));
$this->assertResponse(403);
// Verify a blocked user can not request a new password.
$this->drupalGet('user/password');
// Count email messages before to compare with after.
$before = count($this->drupalGetMails(array('id' => 'user_password_reset')));
$edit = array('name' => $blocked_account->getUsername());
$this->drupalPostForm(NULL, $edit, t('Submit'));
$this->assertRaw(t('%name is blocked or has not been activated yet.', array('%name' => $blocked_account->getUsername())), 'Notified user blocked accounts can not request a new password');
$this->assertTrue(count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before, 'No email was sent when requesting password reset for a blocked account');
// Verify a password reset link is invalidated when the user's email address changes.
$this->drupalGet('user/password');
$edit = array('name' => $this->account->getUsername());
$this->drupalPostForm(NULL, $edit, t('Submit'));
$old_email_reset_link = $this->getResetURL();
$this->account->setEmail("1" . $this->account->getEmail());
$this->account->save();
$this->drupalGet($old_email_reset_link);
$this->assertText(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'), 'One-time link is no longer valid.');
}
/**
* Form constructor for the personal contact form.
*
* @param \Drupal\user\UserInterface $user
* The account for which a personal contact form should be generated.
*
* @return array
* The personal contact form as render array as expected by drupal_render().
*
* @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
* Exception is thrown when user tries to access a contact form for a
* user who does not have an e-mail address configured.
*/
public function contactPersonalPage(UserInterface $user)
{
// Do not continue if the user does not have an e-mail address configured.
if (!$user->getEmail()) {
throw new NotFoundHttpException();
}
// Check if flood control has been activated for sending emails.
if (!$this->currentUser()->hasPermission('administer contact forms') && !$this->currentUser()->hasPermission('administer users')) {
$this->contactFloodControl();
}
$message = $this->entityManager()->getStorage('contact_message')->create(array('contact_form' => 'personal', 'recipient' => $user->id()));
$form = $this->entityFormBuilder()->getForm($message);
$form['#title'] = $this->t('Contact @username', array('@username' => $user->getUsername()));
return $form;
}
