authorMary Umoh <umohm12@gmail.com>2017-08-30 20:23:56 +0200
committerDylan William Hardison <dylan@hardison.net>2017-08-30 20:23:56 +0200
commit2314495acf103fc45486a59d6543454ccd8f4363 (patch)
tree5e62801061cf216e768742188ae7f84bc731d879
parent6e06bb255acdf53d2bbed3911378bd6859a0e3f0 (diff)
Bug 1394915 - Protect against 2FA by-pass in reset_password.cgi
-rwxr-xr-xreset_password.cgi2
-rw-r--r--template/en/default/global/user-error.html.tmpl4
2 files changed, 6 insertions, 0 deletions
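--- a/reset_password.cgi
+++ b/reset_password.cgi
@@ -25,6 +25,8 @@ my $user = Bugzilla->login(LOGIN_REQUIRED);
 my $template = Bugzilla->template;
 my $dbh = Bugzilla->dbh;
+ThrowUserError('reset_password_denied') unless $user->password_change_required;
+
 if ($cgi->param('do_save')) {
 my $token = $cgi->param('token');
 check_token_data($token, 'reset_password');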
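Review bot: The new guard after `my $dbh = Bugzilla->dbh;` carries no comment explaining why an ordinary logged-in user is refused here, so a later reader seeing only `password_change_required` cannot tell what property it protects or that it must stay ahead of the `do_save` branch. I would add above it `# Bug 1394915: only a user flagged for a forced password change may use this page; refusing everyone else keeps it from being used to change a password without the normal 2FA checks.` and a second line `# Keep this ahead of check_token_data: a valid token alone must not be enough to reach the save path.`. The placement itself looks right: the guard runs after `Bugzilla->login(LOGIN_REQUIRED)` (visible in the hunk header) and before `check_token_data` in the `do_save` branch, so neither an unauthenticated request nor a bare token reaches the password-change code. If the project records other refused actions in an audit log, this denial presumably deserves the same treatment, but nothing in the hunk shows such a facility. The `if ($cgi->param('do_save'))` block continues past the end of the hunk.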
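--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1399,6 +1399,10 @@
 [% title = "Password Unchanged" %]
 Your new password cannot be the same as your old password.
+ [% ELSIF error == "reset_password_denied" %]
+ [% title = "Reset Password Denied" %]
+ You cannot reset your password without administrative permission.
+
 [% ELSIF error == "no_axes_defined" %]
 [% title = "No Axes Defined" %]
 [% docslinks = {'reporting.html' => 'Reporting'} %]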