Describe the bug
The password reset form doesn't actually set a url_invalid variable when the request doesn't contain the user and code parameters.
The docs say it should:
Visiting the URL containing this form directly will set a url_invalid invalid variable you can use to check if they’ve actually come from the form in their previous request.
To Reproduce
Steps to reproduce the behavior:
Add a password reset form to a page
Visit the page directly
Expected behavior
Always return the url_invalid variable when visiting a page with the form
Potential Fix
This fixed the problem for me:
// UserTags.php
if (! $user = User::find($id)) {
// dd('Invalid user'); // @todo make better.
return $this->parse(['url_invalid' => true]);
}
Environment details (please complete the following information):
Describe the bug The password reset form doesn't actually set a
url_invalidvariable when the request doesn't contain theuserandcodeparameters.The docs say it should:
To Reproduce Steps to reproduce the behavior:
Expected behavior Always return the
url_invalidvariable when visiting a page with the formPotential Fix This fixed the problem for me:
Environment details (please complete the following information):