authorDylan William Hardison <dylan@hardison.net>2017-10-03 15:27:34 +0200
committerGitHub <noreply@github.com>2017-10-03 15:27:34 +0200
commit0519e93504760529d16d5a84d6dbe531593e0e47 (patch)
tree9dd4151fa0dd66e109bda38fb400711423bc43d0 /Bugzilla.pm
parent7f37b220582422b33dd327015e4c213121dd31f9 (diff)
downloadbugzilla-0519e93504760529d16d5a84d6dbe531593e0e47.tar.gz
bugzilla-0519e93504760529d16d5a84d6dbe531593e0e47.tar.xz
Bug 1402982 - Can't log out during mfa-lockout or password-reset state
Diffstat (limited to 'Bugzilla.pm')
-rw-r--r--Bugzilla.pm18
1 files changed, 10 insertions, 8 deletions
diff --git a/Bugzilla.pm b/Bugzilla.pm
index a539616e9..fba1a4172 100644
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -384,8 +384,10 @@ sub login {
# Check if a password reset is required
my $cgi = Bugzilla->cgi;
- if ( $authenticated_user->password_change_required ) {
+ my $script_name = $cgi->script_name;
+ my $do_logout = $cgi->param('logout');
+ if ( $authenticated_user->password_change_required ) {
# We cannot show the password reset UI for API calls, so treat those as
# a disabled account.
if ( i_am_webservice() ) {
@@ -395,7 +397,7 @@ sub login {
# only allow the reset-password and token pages to handle requests
# (tokens handles the 'forgot password' process)
# otherwise redirect user to the reset-password page.
- if ( $ENV{SCRIPT_NAME} !~ m#/(?:reset_password|token)\.cgi$# ) {
+ if ( $script_name !~ m#/(?:reset_password|token)\.cgi$# && !$do_logout ) {
my $self_url = trim($cgi->self_url);
my $sig_type = 'prev_url:' . $authenticated_user->id;
my $self_url_sig = issue_hash_sig($sig_type, $self_url);
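Review bot: The `!$do_logout` exemption in the redirect condition depends only on a truthy `logout` request parameter, not on the script that actually performs the logout, so it applies to every script that reaches this check. The forced password-reset redirect is then skipped whether or not the request logs the user out, and the same holds for `$on_mfa_page || $on_token_page || $do_logout` in the MFA hunk further down. If logout is handled by a single script (presumably index.cgi — confirm), tie the flag to it, e.g. `my $do_logout = $script_name =~ m#/index\.cgi$# && $cgi->param('logout');`. How other scripts treat the parameter is not visible here, and the body of login continues outside this hunk.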
@@ -408,18 +410,18 @@ sub login {
elsif ( !i_am_webservice() && $authenticated_user->in_mfa_group && !$authenticated_user->mfa ) {
# decide if the user needs a warning or to be blocked.
- my $date = $authenticated_user->mfa_required_date('UTC');
- my $grace_period = Bugzilla->params->{mfa_group_grace_period};
- my $expired = defined $date && $date < DateTime->now;
- my $on_mfa_page = $cgi->script_name eq '/userprefs.cgi' && $cgi->param('tab') eq 'mfa';
- my $on_token_page = $cgi->script_name eq '/token.cgi';
+ my $date = $authenticated_user->mfa_required_date('UTC');
+ my $grace_period = Bugzilla->params->{mfa_group_grace_period};
+ my $expired = defined $date && $date < DateTime->now;
+ my $on_mfa_page = $script_name eq '/userprefs.cgi' && $cgi->param('tab') eq 'mfa';
+ my $on_token_page = $script_name eq '/token.cgi';
Bugzilla->request_cache->{mfa_warning} = 1;
Bugzilla->request_cache->{mfa_grace_period_expired} = $expired;
Bugzilla->request_cache->{on_mfa_page} = $on_mfa_page;
if ( $grace_period == 0 || $expired) {
- if ( !( $on_mfa_page || $on_token_page ) ) {
+ if ( !( $on_mfa_page || $on_token_page || $do_logout ) ) {
print Bugzilla->cgi->redirect("userprefs.cgi?tab=mfa");
exit;
}
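Review bot: `$script_name eq '/userprefs.cgi'` and `$script_name eq '/token.cgi'` are exact matches, while the password-reset branch earlier in login matches by suffix with `m#/(?:reset_password|token)\.cgi$#`. If the installation is served under a path prefix, these comparisons would presumably never be true and the redirect to `userprefs.cgi?tab=mfa` would repeat. Consider the suffix form here as well, e.g. `$script_name =~ m#/userprefs\.cgi$#`, and write the tab test as `($cgi->param('tab') // '') eq 'mfa'` so a request without `tab` does not raise an uninitialized-value warning. The elsif branch continues outside the hunk.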