Tests resetting a user password.
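/**
 * Functional tests for the one-time login (password reset) flow.
 *
 * Covers the mailed reset link, use of a reset link while already logged in,
 * rejection of expired links, prefilling of the request form after a failed
 * login, and rejection of reset URLs whose user ID has been swapped.
 */
class UserPasswordResetTestCase extends DrupalWebTestCase {

  // The profile to install as a basis for testing.
  protected $profile = 'standard';

  /**
   * Returns the test case metadata (name, description and group).
   */
  public static function getInfo() {
    return array(
      'name' => 'Reset password',
      'description' => 'Ensure that password reset methods work as expected.',
      'group' => 'User',
    );
  }

  /**
   * Retrieves password reset email and extracts the login link.
   *
   * Records an explicit test failure when no e-mail was captured or when the
   * most recent e-mail contains no reset link, instead of reading an undefined
   * array offset and letting the caller request an empty path.
   *
   * @return string|null
   *   The matched line containing the reset URL, or NULL if none was found.
   */
  public function getResetURL() {
    // Assume the most recent email.
    $_emails = $this->drupalGetMails();
    $email = end($_emails);
    // end() returns FALSE for an empty list, i.e. nothing was mailed.
    if ($email === FALSE || !isset($email['body'])) {
      $this->fail('No e-mail was captured, so no password reset link can be extracted.');
      return NULL;
    }
    $urls = array();
    // preg_match() yields 0 (no match) or FALSE (error); both mean no link.
    if (!preg_match('#.+user/reset/.+#', $email['body'], $urls)) {
      $this->fail('The most recent e-mail does not contain a password reset link.');
      return NULL;
    }
    return $urls[0];
  }

  /**
   * Tests password reset functionality.
   *
   * Requests a reset by user name, follows the mailed one-time link, and
   * checks that an Ajax file upload on the profile form does not invalidate
   * the reset token before the new password is saved.
   */
  function testUserPasswordReset() {
    // Create a user.
    $account = $this->drupalCreateUser();
    $this->drupalLogin($account);
    $this->drupalLogout();
    // Attempt to reset password.
    $edit = array(
      'name' => $account->name,
    );
    $this->drupalPost('user/password', $edit, t('E-mail new password'));
    // Confirm the password reset.
    $this->assertText(t('Further instructions have been sent to your e-mail address.'), 'Password reset instructions mailed message displayed.');
    // Create an image field to enable an Ajax request on the user profile page.
    $field = array(
      'field_name' => 'field_avatar',
      'type' => 'image',
      'settings' => array(),
      'cardinality' => 1,
    );
    field_create_field($field);
    $instance = array(
      'field_name' => $field['field_name'],
      'entity_type' => 'user',
      'label' => 'Avatar',
      'bundle' => 'user',
      'required' => FALSE,
      'settings' => array(),
      'widget' => array(
        'type' => 'image_image',
        'settings' => array(),
      ),
    );
    field_create_instance($instance);
    $resetURL = $this->getResetURL();
    $this->drupalGet($resetURL);
    // Check successful login.
    $this->drupalPost(NULL, NULL, t('Log in'));
    // Make sure the Ajax request from uploading a file does not invalidate the
    // reset token.
    $image = current($this->drupalGetTestFiles('image'));
    $edit = array(
      'files[field_avatar_und_0]' => drupal_realpath($image->uri),
    );
    $this->drupalPostAJAX(NULL, $edit, 'field_avatar_und_0_upload_button');
    // Change the forgotten password. No current password is submitted here,
    // so saving succeeds only if the reset token is still honoured.
    $password = user_password();
    $edit = array(
      'pass[pass1]' => $password,
      'pass[pass2]' => $password,
    );
    $this->drupalPost(NULL, $edit, t('Save'));
    $this->assertText(t('The changes have been saved.'), 'Forgotten password changed.');
  }

  /**
   * Test user password reset while logged in.
   *
   * The one-time link is generated directly with user_pass_reset_url() and
   * visited by the same account that is already authenticated.
   */
  function testUserPasswordResetLoggedIn() {
    $account = $this->drupalCreateUser();
    $this->drupalLogin($account);
    // Make sure the test account has a valid password.
    user_save($account, array(
      'pass' => user_password(),
    ));
    // Generate one time login link.
    $reset_url = user_pass_reset_url($account);
    $this->drupalGet($reset_url);
    $this->assertText('Reset password');
    $this->drupalPost(NULL, NULL, t('Log in'));
    $this->assertText('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.');
    $pass = user_password();
    $edit = array(
      'pass[pass1]' => $pass,
      'pass[pass2]' => $pass,
    );
    $this->drupalPost(NULL, $edit, t('Save'));
    $this->assertText('The changes have been saved.');
  }

  /**
   * Attempts login using an expired password reset link.
   *
   * The token is computed from the account's real password hash, login time
   * and uid, so the only thing wrong with the link should be its age.
   */
  function testUserPasswordResetExpired() {
    // Set password reset timeout variable to 43200 seconds = 12 hours.
    $timeout = 43200;
    variable_set('user_password_reset_timeout', $timeout);
    // Create a user.
    $account = $this->drupalCreateUser();
    $this->drupalLogin($account);
    // Load real user object.
    $account = user_load($account->uid, TRUE);
    $this->drupalLogout();
    // To attempt an expired password reset, create a password reset link as if
    // its request time was 60 seconds older than the allowed limit of timeout.
    $bogus_timestamp = REQUEST_TIME - variable_get('user_password_reset_timeout', 86400) - 60;
    $this->drupalGet("user/reset/{$account->uid}/{$bogus_timestamp}/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login, $account->uid));
    $this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.');
  }

  /**
   * Prefill the text box on incorrect login via link to password reset page.
   *
   * The submitted user name is reflected both in the "forgotten password"
   * link and in the prefilled name field of the request form.
   */
  function testUserPasswordTextboxFilled() {
    $this->drupalGet('user/login');
    // NOTE(review): randomName() is documented as producing letters and
    // numbers only, so this test does not exercise escaping of the reflected
    // name; a name containing markup characters would need its own case.
    $edit = array(
      'name' => $this->randomName(),
      'pass' => $this->randomName(),
    );
    $this->drupalPost('user', $edit, t('Log in'));
    $this->assertRaw(t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>', array(
      '@password' => url('user/password', array(
        'query' => array(
          'name' => $edit['name'],
        ),
      )),
    )));
    unset($edit['pass']);
    $this->drupalGet('user/password', array(
      'query' => array(
        'name' => $edit['name'],
      ),
    ));
    $this->assertFieldByName('name', $edit['name'], 'User name found.');
  }

  /**
   * Make sure that users cannot forge password reset URLs of other users.
   *
   * Regression coverage for the binding between a reset token and the user ID
   * in the URL: a token issued for one account must be rejected when presented
   * with another account's uid, including when the token was generated by
   * legacy code that passes no uid to user_pass_rehash().
   */
  function testResetImpersonation() {
    // Make sure user 1 has a valid password, so it does not interfere with the
    // test user accounts that are created below.
    $account = user_load(1);
    user_save($account, array(
      'pass' => user_password(),
    ));
    // Create two identical user accounts except for the user name. They must
    // have the same empty password, so we can't use $this->drupalCreateUser().
    // NOTE(review): presumably both accounts also share the same login value,
    // which would leave the uid as the only differing token input; confirm
    // against user_pass_rehash().
    $edit = array();
    $edit['name'] = $this->randomName();
    $edit['mail'] = $edit['name'] . '@example.com';
    $edit['status'] = 1;
    $user1 = user_save(drupal_anonymous_user(), $edit);
    $edit['name'] = $this->randomName();
    $user2 = user_save(drupal_anonymous_user(), $edit);
    // The password reset URL must not be valid for the second user when only
    // the user ID is changed in the URL.
    $reset_url = user_pass_reset_url($user1);
    $attack_reset_url = str_replace("user/reset/{$user1->uid}", "user/reset/{$user2->uid}", $reset_url);
    $this->drupalGet($attack_reset_url);
    // A rejected link must also not disclose the target account's name.
    $this->assertNoText($user2->name, 'The invalid password reset page does not show the user name.');
    $this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.');
    $this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
    // When legacy code calls user_pass_rehash() without providing the $uid
    // parameter, neither password reset URL should be valid since it is
    // impossible for the system to determine which user account the token was
    // intended for.
    $timestamp = REQUEST_TIME;
    // Pass an explicit NULL for the $uid parameter of user_pass_rehash()
    // rather than not passing it at all, to avoid triggering PHP warnings in
    // the test.
    $reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL);
    $reset_url = url("user/reset/{$user1->uid}/{$timestamp}/{$reset_url_token}", array(
      'absolute' => TRUE,
    ));
    $this->drupalGet($reset_url);
    $this->assertNoText($user1->name, 'The invalid password reset page does not show the user name.');
    $this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.');
    $this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
    $attack_reset_url = str_replace("user/reset/{$user1->uid}", "user/reset/{$user2->uid}", $reset_url);
    $this->drupalGet($attack_reset_url);
    $this->assertNoText($user2->name, 'The invalid password reset page does not show the user name.');
    $this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.');
    $this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
    // To verify that user_pass_rehash() never returns a valid result in the
    // above situation (even if legacy code also called it to attempt to
    // validate the token, rather than just to generate the URL), check that a
    // second call with the same parameters produces a different result.
    $new_reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL);
    $this->assertNotEqual($reset_url_token, $new_reset_url_token);
    // However, when the duplicate account is removed, the password reset URL
    // should be valid.
    user_delete($user2->uid);
    $reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL);
    $reset_url = url("user/reset/{$user1->uid}/{$timestamp}/{$reset_url_token}", array(
      'absolute' => TRUE,
    ));
    $this->drupalGet($reset_url);
    $this->assertText($user1->name, 'The valid password reset page shows the user name.');
    $this->assertUrl($reset_url, array(), 'The user remains on the password reset login page.');
    $this->assertNoText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
  }

}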
Name | Modifiers | Type | Description | Overrides |
---|---|---|---|---|
UserPasswordResetTestCase:: |
public static | function | ||
DrupalWebTestCase:: |
protected | function | ||
DrupalTestCase:: |
protected | property | ||
DrupalTestCase:: |
protected | property | ||
DrupalWebTestCase:: |
protected | property | Additional cURL options. | |
DrupalTestCase:: |
protected | property | Assertions thrown in that test case. | |
DrupalWebTestCase:: |
protected | function | Asserts that a checkbox field in the current page is checked. | |
DrupalWebTestCase:: |
protected | function | Asserts that a checkbox field in the current page is not checked. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field does not exist with the given ID and value. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field does not exist with the given name and value. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field does not exist with the given name or ID. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field doesn't exist or its value doesn't match, by XPath. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field exists in the current page by the given XPath. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field exists in the current page with the given ID and value. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field exists in the current page with the given name and value. | |
DrupalWebTestCase:: |
protected | function | Asserts that a field exists with the given name or ID. | |
DrupalWebTestCase:: |
protected | function | Asserts that a select option in the current page is checked. | |
DrupalWebTestCase:: |
protected | function | Asserts that a select option in the current page is not checked. | |
DrupalWebTestCase:: |
protected | function | Asserts that each HTML ID is used for just a single element. | |
DrupalWebTestCase:: |
protected | function | Asserts that the most recently sent e-mail message has the given value. | |
DrupalWebTestCase:: |
protected | function | Asserts that the most recently sent e-mail message has the pattern in it. | |
DrupalWebTestCase:: |
protected | function | Asserts that the most recently sent e-mail message has the string in it. | |
DrupalWebTestCase:: |
protected | function | Asserts the page did not return the specified response code. | |
DrupalWebTestCase:: |
protected | function | Asserts the page responds with the specified response code. | |
DrupalWebTestCase:: |
protected | function | Asserts themed output. | |
UserPasswordResetTestCase:: |
function | Attempts login using an expired password reset link. | ||
DrupalWebTestCase:: |
protected | function | Builds an XPath query. | |
DrupalWebTestCase:: |
protected | function | Changes the database connection to the prefixed one. | |
DrupalWebTestCase:: |
protected | function | Check for meta refresh tag and if found call drupalGet() recursively. This function looks for the http-equiv attribute to be set to "Refresh" and is case-sensitive. | |
DrupalWebTestCase:: |
protected | function | Check to make sure that the array of permissions are valid. | |
DrupalTestCase:: |
protected | function | Check to see if a value is false (an empty string, 0, NULL, or FALSE). | |
DrupalTestCase:: |
protected | function | Check to see if a value is not false (not an empty string, 0, NULL, or FALSE). | |
DrupalTestCase:: |
protected | function | Check to see if a value is not NULL. | |
DrupalTestCase:: |
protected | function | Check to see if a value is NULL. | |
DrupalTestCase:: |
protected | function | Check to see if two values are equal. | |
DrupalTestCase:: |
protected | function | Check to see if two values are identical. | |
DrupalTestCase:: |
protected | function | Check to see if two values are not equal. | |
DrupalTestCase:: |
protected | function | Check to see if two values are not identical. | |
DrupalWebTestCase:: |
protected | function | Close the cURL handler and unset the handler. | |
DrupalWebTestCase:: |
protected | function | Compare two files based on size and file name. | |
DrupalWebTestCase:: |
function |
Constructor for DrupalWebTestCase. Overrides DrupalTestCase:: |
1 | |
DrupalTestCase:: |
public static | function | Converts a list of possible parameters into a stack of permutations. | |
DrupalWebTestCase:: |
protected | function | Create a user with a given set of permissions. | |
DrupalWebTestCase:: |
protected | function | Creates a custom content type based on default settings. | |
DrupalWebTestCase:: |
protected | function | Creates a node based on default settings. | |
DrupalWebTestCase:: |
protected | function | Creates a role with specified permissions. | |
DrupalTestCase:: |
public | property | Current results of this test case. | |
DrupalTestCase:: |
protected | function | Cycles through backtrace until the first non-assertion method is found. | |
DrupalTestCase:: |
public static | function | Delete an assertion record by message ID. | |
DrupalWebTestCase:: |
protected | function | Delete created files and temporary files directory, delete the tables created by setUp(), and reset the database prefix. | 6 |
DrupalWebTestCase:: |
protected | function | Execute a POST request on a Drupal page. It will be done as usual POST request with SimpleBrowser. | |
DrupalWebTestCase:: |
protected | function | Execute an Ajax submission. | |
DrupalTestCase:: |
protected | function | Fire an assertion that is always negative. | |
DrupalTestCase:: |
protected | function | Fire an assertion that is always positive. | |
DrupalTestCase:: |
protected | function | Fire an error assertion. | 1 |
DrupalTestCase:: |
protected | property | Flag to indicate whether the test has been set up. | |
DrupalWebTestCase:: |
protected | function | Follows a link by name. | |
DrupalWebTestCase:: |
protected | function | Generate a token for the currently logged in user. | |
DrupalWebTestCase:: |
protected | function | Generates a database prefix for running tests. | |
DrupalTestCase:: |
public static | function | Generates a random string containing letters and numbers. | |
DrupalTestCase:: |
public static | function | Generates a random string of ASCII characters of codes 32 to 126. | |
DrupalWebTestCase:: |
protected | function | Get a list files that can be used in tests. | |
DrupalWebTestCase:: |
function | Get a node from the database based on its title. | ||
DrupalWebTestCase:: |
protected | function | Get all option elements, including nested options, in a select. | |
DrupalWebTestCase:: |
protected | function | Get the current URL from the cURL handler. | |
DrupalWebTestCase:: |
protected | function | Get the selected value from a select field. | |
DrupalWebTestCase:: |
protected | function | Gets an array containing all e-mails sent during this test case. | |
DrupalWebTestCase:: |
protected | function | Gets the current raw HTML of requested page. | |
DrupalWebTestCase:: |
protected | function | Gets the HTTP response headers of the requested page. Normally we are only interested in the headers returned by the last request. However, if a page is redirected or HTTP authentication is in use, multiple requests will be required to retrieve the… | |
DrupalWebTestCase:: |
protected | function | Gets the value of an HTTP response header. If multiple requests were required to retrieve the page, only the headers from the last request will be checked by default. However, if TRUE is passed as the second argument, all requests will be processed… | |
DrupalWebTestCase:: |
protected | function | Gets the value of the Drupal.settings JavaScript variable for the currently loaded page. | |
DrupalTestCase:: |
public | function | Handle errors during test runs. | 1 |
DrupalTestCase:: |
protected | function | Handle exceptions. | |
DrupalWebTestCase:: |
protected | function | Handle form input related to drupalPost(). Ensure that the specified fields exist and attempt to create POST data in the correct manner for the particular field type. | |
DrupalWebTestCase:: |
protected | function | Helper for assertText and assertNoText. | |
DrupalWebTestCase:: |
protected | function | Helper for assertUniqueText and assertNoUniqueText. | |
DrupalWebTestCase:: |
protected | function | Helper function: construct an XPath for the given set of attributes and value. | |
DrupalWebTestCase:: |
protected | property | HTTP authentication credentials (<username>:<password>). | |
DrupalWebTestCase:: |
protected | property | HTTP authentication method | |
DrupalWebTestCase:: |
protected | function | Initializes and executes a cURL request. | |
DrupalWebTestCase:: |
protected | function | Initializes the cURL connection. | |
DrupalTestCase:: |
protected | function | Internal helper: stores the assert. | |
DrupalWebTestCase:: |
protected | function | Log in a user with the internal browser. | |
DrupalTestCase:: |
protected | function | Logs a verbose message in a text file. | |
UserPasswordResetTestCase:: |
function | Make sure that users cannot forge password reset URLs of other users. | ||
DrupalWebTestCase:: |
protected | function | Outputs to verbose the most recent $count emails sent. | |
DrupalWebTestCase:: |
protected | function | Parse content returned from curlExec using DOM and SimpleXML. | |
DrupalWebTestCase:: |
protected | function | Pass if a link containing a given href (part) is found. | |
DrupalWebTestCase:: |
protected | function | Pass if a link containing a given href (part) is not found. | |
DrupalWebTestCase:: |
protected | function | Pass if a link with the specified label is found, and optional with the specified index. | |
DrupalWebTestCase:: |
protected | function | Pass if a link with the specified label is not found. | |
DrupalWebTestCase:: |
protected | function | Pass if the internal browser's URL matches the given path. | |
DrupalWebTestCase:: |
protected | function | Pass if the page title is not the given string. | |
DrupalWebTestCase:: |
protected | function | Pass if the page title is the given string. | |
DrupalWebTestCase:: |
protected | function | Pass if the raw text IS found on the loaded page, fail otherwise. Raw text refers to the raw HTML that the page generated. | |
DrupalWebTestCase:: |
protected | function | Pass if the raw text is NOT found on the loaded page, fail otherwise. Raw text refers to the raw HTML that the page generated. | |
DrupalWebTestCase:: |
protected | function | Pass if the text is found MORE THAN ONCE on the text version of the page. | |
DrupalWebTestCase:: |
protected | function | Pass if the text IS found on the text version of the page. The text version is the equivalent of what a user would see when viewing through a web browser. In other words the HTML has been filtered out of the contents. | |
DrupalWebTestCase:: |
protected | function | Pass if the text is found ONLY ONCE on the text version of the page. | |
DrupalWebTestCase:: |
protected | function | Pass if the text is NOT found on the text version of the page. The text version is the equivalent of what a user would see when viewing through a web browser. In other words the HTML has been filtered out of the contents. | |
DrupalWebTestCase:: |
protected | function | Perform an xpath search on the contents of the internal browser. The search is relative to the root element (HTML tag normally) of the page. | |
UserPasswordResetTestCase:: |
function | Prefill the text box on incorrect login via link to password reset page. | ||
DrupalWebTestCase:: |
protected | function | Preload the registry from the testing site. | |
DrupalWebTestCase:: |
protected | function | Prepares the current environment for running the test. | |
DrupalWebTestCase:: |
protected | function | Reads headers and registers errors received from the tested site. | |
DrupalWebTestCase:: |
protected | function | Refresh the in-memory set of variables. Useful after a page request is made that changes a variable in a different thread. | 1 |
DrupalWebTestCase:: |
protected | function | Reset all data structures after having enabled new modules. | |
DrupalWebTestCase:: |
protected | function | Retrieve a Drupal path or an absolute path and JSON decode the result. | |
DrupalWebTestCase:: |
protected | function | Retrieves a Drupal path or an absolute path. | |
DrupalWebTestCase:: |
protected | function | Retrieves only the headers for a Drupal path or an absolute path. | |
UserPasswordResetTestCase:: |
public | function | Retrieves password reset email and extracts the login link. | |
DrupalTestCase:: |
public static | function | Returns the database connection to the site running Simpletest. | |
DrupalTestCase:: |
public | function | Run all tests in this class. | |
DrupalWebTestCase:: |
protected | function | Runs cron in the Drupal installed by Simpletest. | |
DrupalWebTestCase:: |
protected | function | Sets the raw HTML content. This can be useful when a page has been fetched outside of the internal browser and assertions need to be made on the returned page. | |
DrupalWebTestCase:: |
protected | function | Sets the value of the Drupal.settings JavaScript variable for the currently loaded page. | |
DrupalWebTestCase:: |
protected | function | Sets up a Drupal site for running functional and integration tests. | 299 |
DrupalTestCase:: |
public static | function | Store an assertion from outside the testing context. | |
DrupalWebTestCase:: |
protected | function | Takes a path and returns an absolute path. | |
UserPasswordResetTestCase:: |
function | Test user password reset while logged in. | ||
UserPasswordResetTestCase:: |
function | Tests password reset functionality. | ||
DrupalWebTestCase:: |
protected | property | The content of the page currently loaded in the internal browser (plain text version). | |
DrupalWebTestCase:: |
protected | property | The content of the page currently loaded in the internal browser. | |
DrupalWebTestCase:: |
protected | property | The cookies of the page currently loaded in the internal browser. | |
DrupalWebTestCase:: |
protected | property | The current cookie file used by cURL. | |
DrupalWebTestCase:: |
protected | property | The current session ID, if available. | |
DrupalWebTestCase:: |
protected | property | The current session name, if available. | |
DrupalWebTestCase:: |
protected | property | The current user logged in using the internal browser. | |
DrupalTestCase:: |
protected | property | The database prefix of this test run. | |
DrupalWebTestCase:: |
protected | property | The handle of the current cURL connection. | |
DrupalWebTestCase:: |
protected | property | The headers of the page currently loaded in the internal browser. | |
DrupalWebTestCase:: |
protected | property | The number of redirects followed during the handling of a request. | |
DrupalTestCase:: |
protected | property | The original file directory, before it was changed for testing purposes. | |
DrupalWebTestCase:: |
protected | property | The original shutdown handlers array, before it was cleaned for testing purposes. | |
DrupalWebTestCase:: |
protected | property | The original user, before it was changed to a clean uid = 1 for testing purposes. | |
DrupalWebTestCase:: |
protected | property | The parsed version of the page. | |
UserPasswordResetTestCase:: |
protected | property |
The profile to install as a basis for testing. Overrides DrupalWebTestCase:: |
|
DrupalTestCase:: |
protected | property | The test run ID. | |
DrupalWebTestCase:: |
protected | property | The URL currently loaded in the internal browser. | |
DrupalWebTestCase:: |
protected | property | The value of the Drupal.settings JavaScript variable for the page currently loaded in the internal browser. | |
DrupalTestCase:: |
protected | property | This class is skipped when looking for the source of an assertion. | |
DrupalTestCase:: |
protected | property | Time limit for the test. | |
DrupalTestCase:: |
protected | property | URL to the verbose output file directory. | |
DrupalWebTestCase:: |
protected | property | Whether the files were copied to the test files directory. | |
DrupalWebTestCase:: |
protected | function | Will trigger a pass if the Perl regex pattern is found in the raw content. | |
DrupalWebTestCase:: |
protected | function | Will trigger a pass if the perl regex pattern is not present in raw content. |