author | Koosha Khajeh Moogahi <koosha.khajeh@gmail.com> | 2012-05-28 15:44:28 +0200 |
committer | Frédéric Buclin <LpSolit@gmail.com> | 2012-05-28 15:44:28 +0200 |
commit | ef279711cea60d1ee999a6b74a6d5f0fa8552cf4 (patch) | |
tree | 4bf3f2dd590d88123f28952dbc8441aa87cb28f0 | |
parent | 022510ad4a5e17b7322709d173535c230b572b09 (diff) | |
download | bugzilla-ef279711cea60d1ee999a6b74a6d5f0fa8552cf4.tar.gz bugzilla-ef279711cea60d1ee999a6b74a6d5f0fa8552cf4.tar.xz |
Bug 355596: Your password should be requested to confirm your email address change
r/a=LpSolit
-rw-r--r-- | template/en/default/account/email/confirm.html.tmpl | 6 | ||||
-rw-r--r-- | template/en/default/global/user-error.html.tmpl | 4 | ||||
-rwxr-xr-x | token.cgi | 16 |
3 files changed, 16 insertions, 10 deletions
diff --git a/template/en/default/account/email/confirm.html.tmpl b/template/en/default/account/email/confirm.html.tmpl
index c990e043c..5b547782d 100644
--- a/template/en/default/account/email/confirm.html.tmpl
+++ b/template/en/default/account/email/confirm.html.tmpl
@@ -14,7 +14,7 @@
 [% PROCESS global/header.html.tmpl %]
 <p>
- To change your email address, please enter the old email address:
+ To change your email address, please enter your current password:
 </p>
 <form method="post" action="token.cgi">
@@ -22,8 +22,8 @@
 <input type="hidden" name="a" value="chgem">
 <table>
 <tr>
- <th align="right">Old Email Address:</th>
- <td><input type="text" name="email" size="36"></td>
+ <th align="right">Password:</th>
+ <td><input type="password" name="password" size="36"></td>
 </tr>
 <tr>
 <th align="right"> </th>
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 5d862aa9f..a580fdfde 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1299,8 +1299,8 @@
 [% END %]
 [% ELSIF error == "old_password_incorrect" %]
- [% title = "Incorrect Old Password" %]
- You did not enter your old password correctly.
+ [% title = "Incorrect Password" %]
+ You did not enter your current password correctly.
 [% ELSIF error == "old_password_required" %]
 [% title = "Old Password Required" %]
@@ -195,10 +195,18 @@ sub changeEmail {
 my $dbh = Bugzilla->dbh;
 my ($old_email, $new_email) = split(/:/,$eventdata);
- # Check the user entered the correct old email address
- if (lc($cgi->param('email')) ne lc($old_email)) {
- ThrowUserError("email_confirmation_failed");
+ $dbh->bz_start_transaction();
+
+ my $user = Bugzilla::User->check({ id => $userid });
+ my $realpassword = $user->cryptpassword;
+ my $cgipassword = $cgi->param('password');
+
+ # Make sure the user who wants to change the email address
+ # is the real account owner.
+ if (bz_crypt($cgipassword, $realpassword) ne $realpassword) {
+ ThrowUserError("old_password_incorrect");
 }
+
 # The new email address should be available as this was
 # confirmed initially so cancel token if it is not still available
 if (! is_available_username($new_email,$old_email)) {
@@ -207,8 +215,6 @@ sub changeEmail {
 ThrowUserError("account_exists", { email => $new_email } );
 }
- $dbh->bz_start_transaction();
- my $user = Bugzilla::User->check({ id => $userid });
 # Update the user's login name in the profiles table.
 $user->set_login($new_email);
 $user->update({ keep_session => 1, keep_tokens => 1 });
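Review bot: In the first hunk the new password check throws `ThrowUserError("old_password_incorrect")` after `$dbh->bz_start_transaction()` has already been called, so a wrong password leaves the handler with a transaction open; unless the error path rolls back (not visible here), move the `$dbh->bz_start_transaction();` line below the `if (bz_crypt(...))` block, which is where the second hunk used to have it. `$cgi->param('password')` is undef when the field is absent from the POST, and feeding undef into `bz_crypt` and the `ne` comparison will presumably produce uninitialized-value warnings rather than an explicit rejection; a guard such as `ThrowUserError("old_password_incorrect") unless defined $cgipassword;` before the crypt call makes that failure deliberate. `bz_crypt` is assumed to be imported from Bugzilla::Util in the file preamble, which is outside the hunk. changeEmail begins before the first hunk and its body continues through the second.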