Commit a5086cb7 authored by Frédéric Buclin's avatar Frédéric Buclin

Bug 553693: A new logincookie is created when changing the password or email…

Bug 553693: A new logincookie is created when changing the password or email address instead of reusing the existing one r/a=mkanat
parent 35f99bbe
......@@ -33,9 +33,8 @@
<tr>
<th align="right">Password:</th>
<td>
<input type="hidden" name="Bugzilla_login"
value="[% user.login FILTER html %]">
<input type="password" name="Bugzilla_password">
<input type="hidden" name="old_login" value="[% user.login FILTER html %]">
<input type="password" name="old_password">
</td>
</tr>
<tr>
......@@ -80,31 +80,28 @@ sub SaveAccount {
my $dbh = Bugzilla->dbh;
my $user = Bugzilla->user;
my $oldpassword = $cgi->param('old_password');
my $pwd1 = $cgi->param('new_password1');
my $pwd2 = $cgi->param('new_password2');
my $old_login_name = $cgi->param('old_login');
my $new_login_name = trim($cgi->param('new_login_name'));
if ($user->authorizer->can_change_password
&& ($cgi->param('Bugzilla_password') ne "" || $pwd1 ne "" || $pwd2 ne ""))
&& ($oldpassword ne "" || $pwd1 ne "" || $pwd2 ne ""))
{
my ($oldcryptedpwd) = $dbh->selectrow_array(
q{SELECT cryptpassword FROM profiles WHERE userid = ?},
undef, $user->id);
my $oldcryptedpwd = $user->cryptpassword;
$oldcryptedpwd || ThrowCodeError("unable_to_retrieve_password");
my $oldpassword = $cgi->param('Bugzilla_password');
if (bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd)
{
if (bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd) {
ThrowUserError("old_password_incorrect");
}
if ($pwd1 ne "" || $pwd2 ne "")
{
$cgi->param('new_password1')
|| ThrowUserError("new_password_missing");
if ($pwd1 ne "" || $pwd2 ne "") {
$pwd1 || ThrowUserError("new_password_missing");
validate_password($pwd1, $pwd2);
if ($cgi->param('Bugzilla_password') ne $pwd1) {
if ($oldpassword ne $pwd1) {
my $cryptedpassword = bz_crypt($pwd1);
$dbh->do(q{UPDATE profiles
SET cryptpassword = ?
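Review bot: The check of the supplied old password against the stored hash (`bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd`, L40) runs only inside the `can_change_password` branch opened at L28, yet `$oldpassword` is the same credential the email-change branch later in SaveAccount (L67) accepts on presence alone, so any authorizer that reports `can_change_password` false but `can_change_email` true — if such a combination exists in this code base — would start an email change without the old password ever being verified. At minimum the dependency should be stated where the verification lives, e.g. a comment above L28: `# This is the only place SaveAccount verifies old_password; the email-change branch below relies on it having run.`; better is to perform the verification independently of `can_change_password` whenever `$oldpassword` is non-empty. Separately, `$cgi->param('old_password')` is undef when the field is absent, so `$oldpassword ne ""` at L30 emits an uninitialized-value warning; `my $oldpassword = defined $cgi->param('old_password') ? $cgi->param('old_password') : '';` would keep the log clean. SaveAccount begins before this hunk and continues past its last line.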
......@@ -119,14 +116,10 @@ sub SaveAccount {
if ($user->authorizer->can_change_email
&& Bugzilla->params->{"allowemailchange"}
&& $cgi->param('new_login_name'))
&& $new_login_name)
{
my $old_login_name = $cgi->param('Bugzilla_login');
my $new_login_name = trim($cgi->param('new_login_name'));
if($old_login_name ne $new_login_name) {
$cgi->param('Bugzilla_password')
|| ThrowUserError("old_password_required");
if ($old_login_name ne $new_login_name) {
$oldpassword || ThrowUserError("old_password_required");
# Block multiple email changes for the same user.
if (Bugzilla::Token::HasEmailChangeToken($user->id)) {
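Review bot: `$old_login_name` is read from the hidden `old_login` form field (L26) rather than from the authenticated user, so the `$old_login_name ne $new_login_name` test at L66 compares a client-supplied value; when the session comes from a login cookie that field can disagree with the logged-in account (a stale form, or a hand-edited request), and the branch then runs or is skipped on the basis of that value. Compare against the session instead, `if ($user->login ne $new_login_name) {`, which also leaves `old_login` needed only for the cookie-less login fallback in the script's top-level code. Note that `$oldpassword || ThrowUserError("old_password_required");` at L67 is a presence check only — the actual verification is the `bz_crypt` comparison in the password block above, which is gated on `can_change_password` — so the email-change branch is only as safe as that earlier block; a short comment here such as `# old_password was verified above when can_change_password is set` would make the coupling visible. SaveAccount starts before this hunk and continues after it.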
......@@ -499,16 +492,19 @@ sub SaveSavedSearches {
my $cgi = Bugzilla->cgi;
# This script needs direct access to the username and password CGI variables,
# so we save them before their removal in Bugzilla->login, and delete them
# before login in case we might be in a sudo session.
my $bugzilla_login = $cgi->param('Bugzilla_login');
my $bugzilla_password = $cgi->param('Bugzilla_password');
# Delete credentials before logging in in case we are in a sudo session.
$cgi->delete('Bugzilla_login', 'Bugzilla_password') if ($cgi->cookie('sudo'));
$cgi->delete('GoAheadAndLogIn');
# First try to get credentials from cookies.
Bugzilla->login(LOGIN_OPTIONAL);
if (!Bugzilla->user->id) {
# Use credentials given in the form if login cookies are not available.
$cgi->param('Bugzilla_login', $cgi->param('old_login'));
$cgi->param('Bugzilla_password', $cgi->param('old_password'));
}
Bugzilla->login(LOGIN_REQUIRED);
$cgi->param('Bugzilla_login', $bugzilla_login);
$cgi->param('Bugzilla_password', $bugzilla_password);
$vars->{'changes_saved'} = $cgi->param('dosave');
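Review bot: The sudo guard at L78 deletes `Bugzilla_login`/`Bugzilla_password`, but L84-85 re-populate exactly those parameters from `old_login`/`old_password` whenever the cookie login leaves `Bugzilla->user->id` false, so a request carrying a sudo cookie but no valid login cookie is still authenticated with the form credentials; since the template hunk above renames the posted fields to `old_*`, the deletion now only affects hand-crafted requests. If the intent is that form credentials are never honoured while a sudo cookie is present, make the fallback conditional, `if (!Bugzilla->user->id && !$cgi->cookie('sudo')) {`; if the guard is obsolete, drop L78 together with its comment rather than leave a misleading one. The sequence `Bugzilla->login(LOGIN_OPTIONAL)` followed by `Bugzilla->login(LOGIN_REQUIRED)` presumably relies on the second call being a no-op for an already-authenticated user; once confirmed against Bugzilla->login, a comment such as `# LOGIN_REQUIRED is a no-op if the optional login already succeeded` would save the next reader that check. This is top-level script code and the statements around the hunk are outside the view.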