Repeatable: Always
Steps to repeat:
1. Log out of any Drupal 7.x package
2. Try to navigate to an invalid one-time login URL, e.g. yoursite.com/user/reset/{non-existing-uid}/1209839/asdfasdfasdf

Expected Results:
Some information (e.g. a Drupal Message and/or an Access Denied Page) about invalid request.

Actual Results:
An Access Denied Page AND another page render with, most of the times, a somewhat broken CSS-layout decorated with the following Drupal error message:

Warning: Cannot modify header information - headers already sent by (output started at {drupal-root-dir}/includes/common.inc:2613) in drupal_send_headers() (line 1243 of {my-drupal-root-dir}/includes/bootstrap.inc).

CommentFileSizeAuthor
DO_invalid_user_reset_20121113.png158.72 KBandroidi

Comments

androidi’s picture

This can be fixed by checking the return value of user_load_multiple() call in modules/user/user.pages.inc at row 121, e.g. by adding a check after the call:

if (count($users) < 1) {
  drupal_set_message(t('The one-time login link you clicked is invalid.'));
  drupal_goto('user/password');
  return;
}
androidi’s picture

Issue summary: View changes

Fixed a typo and quoted the Drupal warning message.

aditya.ghan’s picture

Issue summary: View changes

Hi androidi,

I believe this issue is fixed long time back.

I'm not able to reproduce this issue on the latest drupal 7 or in Drupal-7.19

COuld you please close this issue?

cilefen’s picture

Status: Active » Closed (cannot reproduce)