Commit a5086cb7 authored by Frédéric Buclin's avatar Frédéric Buclin

Bug 553693: A new logincookie is created when changing the password or email…

Bug 553693: A new logincookie is created when changing the password or email address instead of reusing the existing one r/a=mkanat
parent 35f99bbe
...@@ -33,9 +33,8 @@ ...@@ -33,9 +33,8 @@
<tr> <tr>
<th align="right">Password:</th> <th align="right">Password:</th>
<td> <td>
<input type="hidden" name="Bugzilla_login" <input type="hidden" name="old_login" value="[% user.login FILTER html %]">
value="[% user.login FILTER html %]"> <input type="password" name="old_password">
<input type="password" name="Bugzilla_password">
</td> </td>
</tr> </tr>
<tr> <tr>
...@@ -80,31 +80,28 @@ sub SaveAccount { ...@@ -80,31 +80,28 @@ sub SaveAccount {
my $dbh = Bugzilla->dbh; my $dbh = Bugzilla->dbh;
my $user = Bugzilla->user; my $user = Bugzilla->user;
my $oldpassword = $cgi->param('old_password');
my $pwd1 = $cgi->param('new_password1'); my $pwd1 = $cgi->param('new_password1');
my $pwd2 = $cgi->param('new_password2'); my $pwd2 = $cgi->param('new_password2');
my $old_login_name = $cgi->param('old_login');
my $new_login_name = trim($cgi->param('new_login_name'));
if ($user->authorizer->can_change_password if ($user->authorizer->can_change_password
&& ($cgi->param('Bugzilla_password') ne "" || $pwd1 ne "" || $pwd2 ne "")) && ($oldpassword ne "" || $pwd1 ne "" || $pwd2 ne ""))
{ {
my ($oldcryptedpwd) = $dbh->selectrow_array( my $oldcryptedpwd = $user->cryptpassword;
q{SELECT cryptpassword FROM profiles WHERE userid = ?},
undef, $user->id);
$oldcryptedpwd || ThrowCodeError("unable_to_retrieve_password"); $oldcryptedpwd || ThrowCodeError("unable_to_retrieve_password");
my $oldpassword = $cgi->param('Bugzilla_password'); if (bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd) {
if (bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd)
{
ThrowUserError("old_password_incorrect"); ThrowUserError("old_password_incorrect");
} }
if ($pwd1 ne "" || $pwd2 ne "") if ($pwd1 ne "" || $pwd2 ne "") {
{ $pwd1 || ThrowUserError("new_password_missing");
$cgi->param('new_password1')
|| ThrowUserError("new_password_missing");
validate_password($pwd1, $pwd2); validate_password($pwd1, $pwd2);
if ($cgi->param('Bugzilla_password') ne $pwd1) { if ($oldpassword ne $pwd1) {
my $cryptedpassword = bz_crypt($pwd1); my $cryptedpassword = bz_crypt($pwd1);
$dbh->do(q{UPDATE profiles $dbh->do(q{UPDATE profiles
SET cryptpassword = ? SET cryptpassword = ?
...@@ -119,14 +116,10 @@ sub SaveAccount { ...@@ -119,14 +116,10 @@ sub SaveAccount {
if ($user->authorizer->can_change_email if ($user->authorizer->can_change_email
&& Bugzilla->params->{"allowemailchange"} && Bugzilla->params->{"allowemailchange"}
&& $cgi->param('new_login_name')) && $new_login_name)
{ {
my $old_login_name = $cgi->param('Bugzilla_login'); if ($old_login_name ne $new_login_name) {
my $new_login_name = trim($cgi->param('new_login_name')); $oldpassword || ThrowUserError("old_password_required");
if($old_login_name ne $new_login_name) {
$cgi->param('Bugzilla_password')
|| ThrowUserError("old_password_required");
# Block multiple email changes for the same user. # Block multiple email changes for the same user.
if (Bugzilla::Token::HasEmailChangeToken($user->id)) { if (Bugzilla::Token::HasEmailChangeToken($user->id)) {
...@@ -499,16 +492,19 @@ sub SaveSavedSearches { ...@@ -499,16 +492,19 @@ sub SaveSavedSearches {
my $cgi = Bugzilla->cgi; my $cgi = Bugzilla->cgi;
# This script needs direct access to the username and password CGI variables, # Delete credentials before logging in in case we are in a sudo session.
# so we save them before their removal in Bugzilla->login, and delete them
# before login in case we might be in a sudo session.
my $bugzilla_login = $cgi->param('Bugzilla_login');
my $bugzilla_password = $cgi->param('Bugzilla_password');
$cgi->delete('Bugzilla_login', 'Bugzilla_password') if ($cgi->cookie('sudo')); $cgi->delete('Bugzilla_login', 'Bugzilla_password') if ($cgi->cookie('sudo'));
$cgi->delete('GoAheadAndLogIn');
# First try to get credentials from cookies.
Bugzilla->login(LOGIN_OPTIONAL);
if (!Bugzilla->user->id) {
# Use credentials given in the form if login cookies are not available.
$cgi->param('Bugzilla_login', $cgi->param('old_login'));
$cgi->param('Bugzilla_password', $cgi->param('old_password'));
}
Bugzilla->login(LOGIN_REQUIRED); Bugzilla->login(LOGIN_REQUIRED);
$cgi->param('Bugzilla_login', $bugzilla_login);
$cgi->param('Bugzilla_password', $bugzilla_password);
$vars->{'changes_saved'} = $cgi->param('dosave'); $vars->{'changes_saved'} = $cgi->param('dosave');
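Review bot: The old password is now verified only inside the `can_change_password` block of the first hunk (the `bz_crypt` compare against `$user->cryptpassword`), while the email-change branch in the second hunk checks only that `$oldpassword` is non-empty. Before this commit the form value travelled as `Bugzilla_password` and was authenticated by `Bugzilla->login` itself (the removed comment in the third hunk notes that login consumed those params); after it, a valid cookie satisfies `LOGIN_OPTIONAL` in the third hunk and `old_password` never reaches the login path, so if an authorizer can report `can_change_email` true while `can_change_password` is false, a wrong but non-empty old password would be accepted for an email change — worth confirming, or hoisting the check so it runs whenever a password was supplied, e.g. `if ($oldpassword ne "" && bz_crypt($oldpassword, $user->cryptpassword) ne $user->cryptpassword) { ThrowUserError("old_password_incorrect"); }` ahead of both branches. Separately, `$old_login_name` is read from the client-supplied hidden `old_login` field although the user is already authenticated by the time SaveAccount runs; `my $old_login_name = $user->login;` would avoid trusting a form value for that comparison. SaveAccount's and SaveSavedSearches' bodies continue outside the hunks.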