author | David Rothstein <drothstein@gmail.com> | 2012-07-30 01:10:01 -0400 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2012-07-30 01:10:01 -0400 |
commit | 14b23a6e29883c12746b3233116a68b1d0f11f05 (patch) | |
tree | e89c7712ee265b7a53568e7714ba113dbafdf300 /modules | |
parent | 5a76cc4bbe9b31947ec45d9dff58e3390626adee (diff) | |
download | brdo-14b23a6e29883c12746b3233116a68b1d0f11f05.tar.gz brdo-14b23a6e29883c12746b3233116a68b1d0f11f05.tar.bz2 |
Issue #246029 by zserno, rjgoldsborough, blisteringherb, rfay, Alan Evans, kgoel | izmeez: Added Use a variable for the timeout/expiration of user password reset links.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/user/user.pages.inc | 5 | ||||
-rw-r--r-- | modules/user/user.test | 52 |
2 files changed, 55 insertions, 2 deletions
diff --git a/modules/user/user.pages.inc b/modules/user/user.pages.inc
index dc696d7fd..c4b68b9f6 100644
--- a/modules/user/user.pages.inc
+++ b/modules/user/user.pages.inc
@@ -113,8 +113,9 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
 drupal_goto();
 }
 else {
- // Time out, in seconds, until login URL expires. 24 hours = 86400 seconds.
- $timeout = 86400;
+ // Time out, in seconds, until login URL expires. Defaults to 24 hours =
+ // 86400 seconds.
+ $timeout = variable_get('user_password_reset_timeout', 86400);
 $current = REQUEST_TIME;
 // Some redundant checks for extra security ?
 $users = user_load_multiple(array($uid), array('status' => '1'));
diff --git a/modules/user/user.test b/modules/user/user.test
index 9413ed5ee..b53db0769 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
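Review bot: The value read by `variable_get('user_password_reset_timeout', 86400)` is assigned to `$timeout` exactly as returned, with no type or range check, so a non-numeric or very large setting silently changes how long a mailed one-time login link stays usable. Casting at the read, `$timeout = (int) variable_get('user_password_reset_timeout', 86400);`, keeps the later comparison numeric. The comment should also record the trade-off, for example `// Longer timeouts keep a mailed reset link usable for longer; keep this as short as users can tolerate.`. The expiry comparison and the rest of user_pass_reset() lie outside this hunk, so how a zero or negative value behaves should be confirmed there.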
@@ -452,6 +452,58 @@ class UserLoginTestCase extends DrupalWebTestCase { } /** + * Tests resetting a user password. + */ +class UserPasswordResetTestCase extends DrupalWebTestCase { + protected $profile = 'standard'; + + public static function getInfo() { + return array( + 'name' => 'Reset password', + 'description' => 'Ensure that password reset methods work as expected.', + 'group' => 'User', + ); + } + + /** + * Tests password reset functionality. + */ + function testUserPasswordReset() { + // Create a user. + $account = $this->drupalCreateUser(); + $this->drupalLogin($account); + $this->drupalLogout(); + // Attempt to reset password. + $edit = array('name' => $account->name); + $this->drupalPost('user/password', $edit, t('E-mail new password')); + // Confirm the password reset. + $this->assertText(t('Further instructions have been sent to your e-mail address.'), 'Password reset instructions mailed message displayed.'); + } + + /** + * Attempts login using an expired password reset link. + */ + function testUserPasswordResetExpired() { + // Set password reset timeout variable to 43200 seconds = 12 hours. + $timeout = 43200; + variable_set('user_password_reset_timeout', $timeout); + + // Create a user. + $account = $this->drupalCreateUser(); + $this->drupalLogin($account); + // Load real user object. + $account = user_load($account->uid, TRUE); + $this->drupalLogout(); + + // To attempt an expired password reset, create a password reset link as if + // its request time was 60 seconds older than the allowed limit of timeout. + $bogus_timestamp = REQUEST_TIME - variable_get('user_password_reset_timeout', 86400) - 60; + $this->drupalGet("user/reset/$account->uid/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login)); + $this->assertText(t('You have tried to use a one-time login link that has expired. 
Please request a new one using the form below.'), 'Expired password reset request rejected.'); + } +} + +/** * Test cancelling a user. */ class UserCancelTestCase extends DrupalWebTestCase { |
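Review bot: testUserPasswordResetExpired() asserts only the rejection path, so nothing in this class shows that a link still inside the configured window is accepted, and a comparison that rejects every link would pass. A companion case for an unexpired link, plus one for a zero or non-numeric `user_password_reset_timeout`, would pin the behaviour the new variable is meant to control. The local `$timeout` is set and never read again, because the timestamp is computed from a second `variable_get()` call with the 86400 default; `$bogus_timestamp = REQUEST_TIME - $timeout - 60;` states the intent directly. testUserPasswordReset() likewise checks only the confirmation message, not that a mail with a working link was produced.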