bachir/popsu-d7
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

core security update

Browse Source
This commit is contained in:
Bachir Soussi Chiadmi
2016-10-13 12:11:14 +02:00
parent 747127f643
commit 1a06561593
306 changed files with 7346 additions and 2431 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/user/tests/user_form_test.info
View File

@@ -5,8 +5,8 @@ version = VERSION
core = 7.x
hidden = TRUE
; Information added by Drupal.org packaging script on 2015-04-02
version = "7.36"
; Information added by Drupal.org packaging script on 2016-10-05
version = "7.51"
project = "drupal"
datestamp = "1427943826"
datestamp = "1475694174"

18
modules/user/tests/user_form_test.module
View File

@@ -62,3 +62,21 @@ function user_form_test_current_password($form, &$form_state, $account) {
function user_form_test_current_password_submit($form, &$form_state) {
drupal_set_message(t('The password has been validated and the form submitted successfully.'));
}
/**
* Implements hook_form_FORM_ID_alter().
*/
function user_form_test_form_user_profile_form_alter(&$form, &$form_state) {
if (variable_get('user_form_test_user_profile_form_rebuild', FALSE)) {
$form['#submit'][] = 'user_form_test_user_account_submit';
}
}
/**
* Submit function for user_profile_form().
*/
function user_form_test_user_account_submit($form, &$form_state) {
// Rebuild the form instead of letting the process end. This allows us to
// test for bugs that can be triggered in contributed modules.
$form_state['rebuild'] = TRUE;
}

2
modules/user/user-picture.tpl.php
View File

@@ -17,7 +17,7 @@
*/
?>
<?php if ($user_picture): ?>
<div class="user-picture">
<div class="<?php print $classes; ?>">
<?php print $user_picture; ?>
</div>
<?php endif; ?>

22
modules/user/user.api.php
View File

@@ -123,8 +123,8 @@ function hook_user_cancel($edit, $account, $method) {
* description is NOT used for the radio button, but instead should provide
* additional explanation to the user seeking to cancel their account.
* - access: (optional) A boolean value indicating whether the user can access
* a method. If #access is defined, the method cannot be configured as default
* method.
* a method. If access is defined, the method cannot be configured as the
* default method.
*
* @param $methods
* An array containing user account cancellation methods, keyed by method id.
@@ -183,7 +183,23 @@ function hook_user_operations() {
}
/**
* Retrieve a list of user setting or profile information categories.
* Define a list of user settings or profile information categories.
*
* There are two steps to using hook_user_categories():
* - Create the category with hook_user_categories().
* - Display that category on the form ID of "user_profile_form" with
* hook_form_FORM_ID_alter().
*
* Step one builds out the category but it won't be visible on your form until
* you explicitly tell it to do so.
*
* The function in step two should contain the following code in order to
* display your new category:
* @code
* if ($form['#user_category'] == 'mycategory') {
* // Return your form here.
* }
* @endcode
*
* @return
* An array of associative arrays. Each inner array has elements:

6
modules/user/user.info
View File

@@ -9,8 +9,8 @@ required = TRUE
configure = admin/config/people
stylesheets[all][] = user.css
; Information added by Drupal.org packaging script on 2015-04-02
version = "7.36"
; Information added by Drupal.org packaging script on 2016-10-05
version = "7.51"
project = "drupal"
datestamp = "1427943826"
datestamp = "1475694174"

12
modules/user/user.install
View File

@@ -49,6 +49,9 @@ function user_schema() {
'columns' => array('uid' => 'uid'),
),
),
'indexes' => array(
'uid_module' => array('uid', 'module'),
),
);
$schema['role_permission'] = array(
@@ -910,6 +913,15 @@ function user_update_7018() {
}
}
/**
* Ensure there is a combined index on {authmap}.uid and {authmap}.module.
*/
function user_update_7019() {
// Check first in case it was already added manually.
if (!db_index_exists('authmap', 'uid_module')) {
db_add_index('authmap', 'uid_module', array('uid', 'module'));
}
}
/**
* @} End of "addtogroup updates-7.x-extra".
*/

2
modules/user/user.js
View File

@@ -93,6 +93,8 @@ Drupal.behaviors.password = {
* Returns the estimated strength and the relevant output message.
*/
Drupal.evaluatePasswordStrength = function (password, translate) {
password = $.trim(password);
var weaknesses = 0, strength = 100, msg = [];
var hasLowercase = /[a-z]+/.test(password);

62
modules/user/user.module
View File

@@ -418,13 +418,11 @@ function user_load_by_name($name) {
*
* @return
* A fully-loaded $user object upon successful save or FALSE if the save failed.
*
* @todo D8: Drop $edit and fix user_save() to be consistent with others.
*/
function user_save($account, $edit = array(), $category = 'account') {
$transaction = db_transaction();
try {
if (!empty($edit['pass'])) {
if (isset($edit['pass']) && strlen(trim($edit['pass'])) > 0) {
// Allow alternate password hashing schemes.
require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
$edit['pass'] = user_hash_password(trim($edit['pass']));
@@ -791,7 +789,7 @@ function user_role_permissions($roles = array()) {
* (optional) The account to check, if not given use currently logged in user.
*
* @return
* Boolean TRUE if the current user has the requested permission.
* Boolean TRUE if the user has the requested permission.
*
* All permission checks in Drupal should go through this function. This
* way, we guarantee consistent behavior, and ensure that the superuser
@@ -958,6 +956,8 @@ function user_search_access() {
*/
function user_search_execute($keys = NULL, $conditions = NULL) {
$find = array();
// Escape for LIKE matching.
$keys = db_like($keys);
// Replace wildcards with MySQL/PostgreSQL wildcards.
$keys = preg_replace('!\*+!', '%', $keys);
$query = db_select('users')->extend('PagerDefault');
@@ -967,13 +967,13 @@ function user_search_execute($keys = NULL, $conditions = NULL) {
// and they don't need to be restricted to only active users.
$query->fields('users', array('mail'));
$query->condition(db_or()->
condition('name', '%' . db_like($keys) . '%', 'LIKE')->
condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
condition('name', '%' . $keys . '%', 'LIKE')->
condition('mail', '%' . $keys . '%', 'LIKE'));
}
else {
// Regular users can only search via usernames, and we do not show them
// blocked accounts.
$query->condition('name', '%' . db_like($keys) . '%', 'LIKE')
$query->condition('name', '%' . $keys . '%', 'LIKE')
->condition('status', 1);
}
$uids = $query
@@ -1160,7 +1160,7 @@ function user_account_form(&$form, &$form_state) {
$form['account']['roles'] = array(
'#type' => 'checkboxes',
'#title' => t('Roles'),
'#default_value' => (!$register && isset($account->roles) ? array_keys($account->roles) : array()),
'#default_value' => (!$register && !empty($account->roles) ? array_keys(array_filter($account->roles)) : array()),
'#options' => $roles,
'#access' => $roles && user_access('administer permissions'),
DRUPAL_AUTHENTICATED_RID => $checkbox_authenticated,
@@ -1230,7 +1230,7 @@ function user_validate_current_pass(&$form, &$form_state) {
// that prevent them from being empty if they are changed.
if ((strlen(trim($form_state['values'][$key])) > 0) && ($form_state['values'][$key] != $account->$key)) {
require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
$current_pass_failed = empty($form_state['values']['current_pass']) || !user_check_password($form_state['values']['current_pass'], $account);
$current_pass_failed = strlen(trim($form_state['values']['current_pass'])) == 0 || !user_check_password($form_state['values']['current_pass'], $account);
if ($current_pass_failed) {
form_set_error('current_pass', t("Your current password is missing or incorrect; it's required to change the %name.", array('%name' => $name)));
form_set_error($key);
@@ -1306,10 +1306,12 @@ function user_user_presave(&$edit, $account, $category) {
elseif (!empty($edit['picture_delete'])) {
$edit['picture'] = NULL;
}
// Prepare user roles.
if (isset($edit['roles'])) {
$edit['roles'] = array_filter($edit['roles']);
}
}
// Filter out roles with empty values to avoid granting extra roles when
// processing custom form submissions.
if (isset($edit['roles'])) {
$edit['roles'] = array_filter($edit['roles']);
}
// Move account cancellation information into $user->data.
@@ -1751,9 +1753,11 @@ function user_menu() {
$items['admin/people/create'] = array(
'title' => 'Add user',
'page callback' => 'user_admin',
'page arguments' => array('create'),
'access arguments' => array('administer users'),
'type' => MENU_LOCAL_ACTION,
'file' => 'user.admin.inc',
);
// Administration pages.
@@ -1911,13 +1915,13 @@ function user_menu_link_alter(&$link) {
// for authenticated users. Authenticated users should see "My account", but
// anonymous users should not see it at all. Therefore, invoke
// user_translated_menu_link_alter() to conditionally hide the link.
if ($link['link_path'] == 'user' && $link['module'] == 'system') {
if ($link['link_path'] == 'user' && isset($link['module']) && $link['module'] == 'system') {
$link['options']['alter'] = TRUE;
}
// Force the Logout link to appear on the top-level of 'user-menu' menu by
// default (i.e., unless it has been customized).
if ($link['link_path'] == 'user/logout' && $link['module'] == 'system' && empty($link['customized'])) {
if ($link['link_path'] == 'user/logout' && isset($link['module']) && $link['module'] == 'system' && empty($link['customized'])) {
$link['plid'] = 0;
}
}
@@ -2161,7 +2165,7 @@ function user_login_name_validate($form, &$form_state) {
*/
function user_login_authenticate_validate($form, &$form_state) {
$password = trim($form_state['values']['pass']);
if (!empty($form_state['values']['name']) && !empty($password)) {
if (!empty($form_state['values']['name']) && strlen(trim($password)) > 0) {
// Do not allow any login from the current user's IP if the limit has been
// reached. Default is 50 failed attempts allowed in one hour. This is
// independent of the per-user limit to catch attempts from one IP to log
@@ -2225,7 +2229,11 @@ function user_login_final_validate($form, &$form_state) {
}
}
else {
form_set_error('name', t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>', array('@password' => url('user/password', array('query' => array('name' => $form_state['values']['name']))))));
// Use $form_state['input']['name'] here to guarantee that we send
// exactly what the user typed in. $form_state['values']['name'] may have
// been modified by validation handlers that ran earlier than this one.
$query = isset($form_state['input']['name']) ? array('name' => $form_state['input']['name']) : array();
form_set_error('name', t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>', array('@password' => url('user/password', array('query' => $query)))));
watchdog('user', 'Login attempt failed for %user.', array('%user' => $form_state['values']['name']));
}
}
@@ -2248,7 +2256,7 @@ function user_login_final_validate($form, &$form_state) {
*/
function user_authenticate($name, $password) {
$uid = FALSE;
if (!empty($name) && !empty($password)) {
if (!empty($name) && strlen(trim($password)) > 0) {
$account = user_load_by_name($name);
if ($account) {
// Allow alternate password hashing schemes.
@@ -2488,7 +2496,9 @@ function user_cancel($edit, $uid, $method) {
}
/**
* Last batch processing step for cancelling a user account.
* Implements callback_batch_operation().
*
* Last step for cancelling a user account.
*
* Since batch and session API require a valid user account, the actual
* cancellation of a user account needs to happen last.
@@ -2536,6 +2546,8 @@ function _user_cancel($edit, $account, $method) {
}
/**
* Implements callback_batch_finished().
*
* Finished batch processing callback for cancelling a user account.
*
* @see user_cancel()
@@ -3039,6 +3051,11 @@ function user_role_delete($role) {
$role = user_role_load_by_name($role);
}
// If this is the administrator role, delete the user_admin_role variable.
if ($role->rid == variable_get('user_admin_role')) {
variable_del('user_admin_role');
}
db_delete('role')
->condition('rid', $role->rid)
->execute();
@@ -3654,12 +3671,7 @@ function user_form_process_password_confirm($element) {
);
$element['#attached']['js'][] = drupal_get_path('module', 'user') . '/user.js';
// Ensure settings are only added once per page.
static $already_added = FALSE;
if (!$already_added) {
$already_added = TRUE;
$element['#attached']['js'][] = array('data' => $js_settings, 'type' => 'setting');
}
$element['#attached']['js'][] = array('data' => $js_settings, 'type' => 'setting');
return $element;
}

61
modules/user/user.pages.inc
View File

@@ -44,6 +44,12 @@ function user_pass() {
$form['name']['#value'] = $user->mail;
$form['mail'] = array(
'#prefix' => '<p>',
// As of https://www.drupal.org/node/889772 the user no longer must log
// out (if they are still logged in when using the password reset link,
// they will be logged out automatically then), but this text is kept as
// is to avoid breaking translations as well as to encourage the user to
// log out manually at a time of their own choosing (when it will not
// interrupt anything else they may have been in the middle of doing).
'#markup' => t('Password reset instructions will be mailed to %email. You must log out to use the password reset link in the e-mail.', array('%email' => $user->mail)),
'#suffix' => '</p>',
);
@@ -54,6 +60,11 @@ function user_pass() {
return $form;
}
/**
* Form validation handler for user_pass().
*
* @see user_pass_submit()
*/
function user_pass_validate($form, &$form_state) {
$name = trim($form_state['values']['name']);
// Try to load by email.
@@ -72,6 +83,11 @@ function user_pass_validate($form, &$form_state) {
}
}
/**
* Form submission handler for user_pass().
*
* @see user_pass_validate()
*/
function user_pass_submit($form, &$form_state) {
global $language;
@@ -96,22 +112,33 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
// When processing the one-time login link, we have to make sure that a user
// isn't already logged in.
if ($user->uid) {
// The existing user is already logged in.
// The existing user is already logged in. Log them out and reload the
// current page so the password reset process can continue.
if ($user->uid == $uid) {
drupal_set_message(t('You are logged in as %user. <a href="!user_edit">Change your password.</a>', array('%user' => $user->name, '!user_edit' => url("user/$user->uid/edit"))));
// Preserve the current destination (if any) and ensure the redirect goes
// back to the current page; any custom destination set in
// hook_user_logout() and intended for regular logouts would not be
// appropriate here.
$destination = array();
if (isset($_GET['destination'])) {
$destination = drupal_get_destination();
}
user_logout_current_user();
unset($_GET['destination']);
drupal_goto(current_path(), array('query' => drupal_get_query_parameters() + $destination));
}
// A different user is already logged in on the computer.
else {
$reset_link_account = user_load($uid);
if (!empty($reset_link_account)) {
drupal_set_message(t('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user. Please <a href="!logout">logout</a> and try using the link again.',
array('%other_user' => $user->name, '%resetting_user' => $reset_link_account->name, '!logout' => url('user/logout'))));
array('%other_user' => $user->name, '%resetting_user' => $reset_link_account->name, '!logout' => url('user/logout'))), 'warning');
} else {
// Invalid one-time link specifies an unknown user.
drupal_set_message(t('The one-time login link you clicked is invalid.'));
drupal_set_message(t('The one-time login link you clicked is invalid.'), 'error');
}
drupal_goto();
}
drupal_goto();
}
else {
// Time out, in seconds, until login URL expires. Defaults to 24 hours =
@@ -123,7 +150,7 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
if ($timestamp <= $current && $account = reset($users)) {
// No time out for first time login.
if ($account->login && $current - $timestamp > $timeout) {
drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'error');
drupal_goto('user/password');
}
elseif ($account->uid && $timestamp >= $account->login && $timestamp <= $current && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid)) {
@@ -151,7 +178,7 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
}
}
else {
drupal_set_message(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'));
drupal_set_message(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'), 'error');
drupal_goto('user/password');
}
}
@@ -168,6 +195,14 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
* Menu callback; logs the current user out, and redirects to the home page.
*/
function user_logout() {
user_logout_current_user();
drupal_goto();
}
/**
* Logs the current user out.
*/
function user_logout_current_user() {
global $user;
watchdog('user', 'Session closed for %name.', array('%name' => $user->name));
@@ -176,8 +211,6 @@ function user_logout() {
// Destroy the current session, and reset $user to the anonymous user.
session_destroy();
drupal_goto();
}
/**
@@ -294,14 +327,18 @@ function user_profile_form($form, &$form_state, $account, $category = 'account')
}
/**
* Validation function for the user account and profile editing form.
* Form validation handler for user_profile_form().
*
* @see user_profile_form_submit()
*/
function user_profile_form_validate($form, &$form_state) {
entity_form_field_validate('user', $form, $form_state);
}
/**
* Submit function for the user account and profile editing form.
* Form submission handler for user_profile_form().
*
* @see user_profile_form_validate()
*/
function user_profile_form_submit($form, &$form_state) {
$account = $form_state['user'];
@@ -533,7 +570,7 @@ function user_cancel_confirm($account, $timestamp = 0, $hashed_pass = '') {
batch_process('');
}
else {
drupal_set_message(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'));
drupal_set_message(t('You have tried to use an account cancellation link that has expired. Please request a new one using the form below.'), 'error');
drupal_goto("user/$account->uid/cancel");
}
}

129
modules/user/user.test
View File

@@ -480,6 +480,34 @@ class UserPasswordResetTestCase extends DrupalWebTestCase {
$this->assertText(t('Further instructions have been sent to your e-mail address.'), 'Password reset instructions mailed message displayed.');
}
/**
* Test user password reset while logged in.
*/
function testUserPasswordResetLoggedIn() {
$account = $this->drupalCreateUser();
$this->drupalLogin($account);
// Make sure the test account has a valid password.
user_save($account, array('pass' => user_password()));
// Generate one time login link.
$reset_url = user_pass_reset_url($account);
$this->drupalGet($reset_url);
$this->assertText('Reset password');
$this->drupalPost(NULL, NULL, t('Log in'));
$this->assertText('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.');
$pass = user_password();
$edit = array(
'pass[pass1]' => $pass,
'pass[pass2]' => $pass,
);
$this->drupalPost(NULL, $edit, t('Save'));
$this->assertText('The changes have been saved.');
}
/**
* Attempts login using an expired password reset link.
*/
@@ -1849,6 +1877,19 @@ class UserCreateTestCase extends DrupalWebTestCase {
$this->drupalGet('admin/people');
$this->assertText($edit['name'], 'User found in list of users');
}
// Test that the password '0' is considered a password.
$name = $this->randomName();
$edit = array(
'name' => $name,
'mail' => $name . '@example.com',
'pass[pass1]' => 0,
'pass[pass2]' => 0,
'notify' => FALSE,
);
$this->drupalPost('admin/people/create', $edit, t('Create new account'));
$this->assertText(t('Created a new user account for @name. No e-mail has been sent.', array('@name' => $edit['name'])), 'User created with password 0');
$this->assertNoText('Password field is required');
}
}
@@ -1926,6 +1967,74 @@ class UserEditTestCase extends DrupalWebTestCase {
$this->drupalLogin($user1);
$this->drupalLogout();
}
/**
* Tests setting the password to "0".
*/
public function testUserWith0Password() {
$admin = $this->drupalCreateUser(array('administer users'));
$this->drupalLogin($admin);
// Create a regular user.
$user1 = $this->drupalCreateUser(array());
$edit = array('pass[pass1]' => '0', 'pass[pass2]' => '0');
$this->drupalPost("user/" . $user1->uid . "/edit", $edit, t('Save'));
$this->assertRaw(t("The changes have been saved."));
$this->drupalLogout();
$user1->pass_raw = '0';
$this->drupalLogin($user1);
$this->drupalLogout();
}
}
/**
* Tests editing a user account with and without a form rebuild.
*/
class UserEditRebuildTestCase extends DrupalWebTestCase {
public static function getInfo() {
return array(
'name' => 'User edit with form rebuild',
'description' => 'Test user edit page when a form rebuild is triggered.',
'group' => 'User',
);
}
function setUp() {
parent::setUp('user_form_test');
}
/**
* Test user edit page when the form is set to rebuild.
*/
function testUserEditFormRebuild() {
$user1 = $this->drupalCreateUser(array('change own username'));
$this->drupalLogin($user1);
$roles = array_keys($user1->roles);
// Save the user form twice.
$edit = array();
$edit['current_pass'] = $user1->pass_raw;
$this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
$this->assertRaw(t("The changes have been saved."));
$this->drupalPost(NULL, $edit, t('Save'));
$this->assertRaw(t("The changes have been saved."));
$saved_user1 = entity_load_unchanged('user', $user1->uid);
$this->assertEqual(count($roles), count($saved_user1->roles), 'Count of user roles in database matches original count.');
$diff = array_diff(array_keys($saved_user1->roles), $roles);
$this->assertTrue(empty($diff), format_string('User roles in database match original: @roles', array('@roles' => implode(', ', $saved_user1->roles))));
// Set variable that causes the form to be rebuilt in user_form_test.module.
variable_set('user_form_test_user_profile_form_rebuild', TRUE);
$this->drupalPost("user/$user1->uid/edit", $edit, t('Save'));
$this->assertRaw(t("The changes have been saved."));
$this->drupalPost(NULL, $edit, t('Save'));
$this->assertRaw(t("The changes have been saved."));
$saved_user1 = entity_load_unchanged('user', $user1->uid);
$this->assertEqual(count($roles), count($saved_user1->roles), 'Count of user roles in database matches original count.');
$diff = array_diff(array_keys($saved_user1->roles), $roles);
$this->assertTrue(empty($diff), format_string('User roles in database match original: @roles', array('@roles' => implode(', ', $saved_user1->roles))));
}
}
/**
@@ -2095,12 +2204,16 @@ class UserRoleAdminTestCase extends DrupalWebTestCase {
$this->assertFalse(user_role_load_by_name($old_name), 'The role can no longer be retrieved from the database using its old name.');
$this->assertTrue(is_object(user_role_load_by_name($role_name)), 'The role can be retrieved from the database using its new name.');
// Test deleting a role.
// Test deleting the default administrator role.
$role_name = 'administrator';
$role = user_role_load_by_name($role_name);
$this->drupalPost("admin/people/permissions/roles/edit/{$role->rid}", NULL, t('Delete role'));
$this->drupalPost(NULL, NULL, t('Delete'));
$this->assertText(t('The role has been deleted.'), 'The role has been deleted');
$this->assertNoLinkByHref("admin/people/permissions/roles/edit/{$role->rid}", 'Role edit link removed.');
$this->assertFalse(user_role_load_by_name($role_name), 'A deleted role can no longer be loaded.');
// Make sure this role is no longer configured as the administrator role.
$this->assertNull(variable_get('user_admin_role'), 'The administrator role is no longer configured as the administrator role.');
// Make sure that the system-defined roles cannot be edited via the user
// interface.
@@ -2226,6 +2339,20 @@ class UserUserSearchTestCase extends DrupalWebTestCase {
$this->drupalPost('search/user/', $edit, t('Search'));
$this->assertText($keys);
// Verify that wildcard search works.
$keys = $user1->name;
$keys = substr($keys, 0, 2) . '*' . substr($keys, 4, 2);
$edit = array('keys' => $keys);
$this->drupalPost('search/user/', $edit, t('Search'));
$this->assertText($user1->name, 'Search for username wildcard resulted in user name on page for administrative user.');
// Verify that wildcard search works for email.
$keys = $user1->mail;
$keys = substr($keys, 0, 2) . '*' . substr($keys, 4, 2);
$edit = array('keys' => $keys);
$this->drupalPost('search/user/', $edit, t('Search'));
$this->assertText($user1->name, 'Search for email wildcard resulted in user name on page for administrative user.');
// Create a blocked user.
$blocked_user = $this->drupalCreateUser();
$edit = array('status' => 0);