Bug 87795: Creating an account should send token and wait for confirmation (prevent user account abuse) - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat r=bkor a=myk

2 files changed, 108 insertions, 0 deletions

diff --git a/template/en/default/account/email/confirm-new.html.tmpl b/template/en/default/account/email/confirm-new.html.tmpl
new file mode 100644
index 000000000..0e9ab98e5
--- /dev/null
+++ b/template/en/default/account/email/confirm-new.html.tmpl
@@ -0,0 +1,64 @@
+[%# 1.0@bugzilla.org %]
+[%# The contents of this file are subject to the Mozilla Public
+  # License Version 1.1 (the "License"); you may not use this file
+  # except in compliance with the License. You may obtain a copy of
+  # the License at http://www.mozilla.org/MPL/
+  #
+  # Software distributed under the License is distributed on an "AS
+  # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+  # implied. See the License for the specific language governing
+  # rights and limitations under the License.
+  #
+  # The Original Code is the Bugzilla Bug Tracking System.
+  #
+  # Contributor(s): Frédéric Buclin <LpSolit@gmail.com>
+  #%]
+
+[%# INTERFACE:
+  # token: string. The token to be used in the user account creation.
+  # email: email address of the user account.
+  # date: creation date of the token.
+  #%]
+
+[% title = BLOCK %]Create a new user account for '[% email FILTER html %]'[% END %]
+[% PROCESS "global/header.html.tmpl"
+           title = title
+           onload = "document.forms['confirm_account_form'].realname.focus();" %]
+
+[% expiration_ts = date + (constants.MAX_TOKEN_AGE * 86400) %]
+<div>
+  To complete the creation of your user account, you must choose a password in the
+  form below. You can also enter your real name, which is optional.<p>
+  If you don't fill this form before
+  <u>[%+ time2str("%H:%M on the %o of %B, %Y", expiration_ts) %]</u>, the creation
+  of this account will be automatically cancelled.
+</div>
+
+<form id="confirm_account_form" method="post" action="token.cgi">
+  <input type="hidden" name="t" value="[% token FILTER html %]">
+  <input type="hidden" name="a" value="confirm_new_account">
+  <table>
+    <tr>
+      <th align="right">Email Address:</th>
+      <td>[% email FILTER html %]</td>
+    </tr>
+    <tr>
+      <th align="right"><label for="realname">Real Name</label>:</th>
+      <td><input type="text" id="realname" name="realname" value=""></td>
+    </tr>
+    <tr>
+      <th align="right"><label for="passwd1">Type your password</label>:</th>
+      <td><input type="password" id="passwd1" name="passwd1" value=""></td>
+    </tr>
+    <tr>
+      <th align="right"><label for="passwd1">Re-type your password</label>:</th>
+      <td><input type="password" id="passwd2" name="passwd2" value=""></td>
+    </tr>
+    <tr>
+      <th align="right">&nbsp;</th>
+      <td><input type="submit" id="confirm" value="Send"></td>
+    </tr>
+  </table>
+</form>
+
+[% PROCESS global/footer.html.tmpl %]
diff --git a/template/en/default/account/email/request-new.txt.tmpl b/template/en/default/account/email/request-new.txt.tmpl
new file mode 100644
index 000000000..85fdec157
--- /dev/null
+++ b/template/en/default/account/email/request-new.txt.tmpl
@@ -0,0 +1,44 @@
+[%# 1.0@bugzilla.org %]
+[%# The contents of this file are subject to the Mozilla Public
+  # License Version 1.1 (the "License"); you may not use this file
+  # except in compliance with the License. You may obtain a copy of
+  # the License at http://www.mozilla.org/MPL/
+  #
+  # Software distributed under the License is distributed on an "AS
+  # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+  # implied. See the License for the specific language governing
+  # rights and limitations under the License.
+  #
+  # The Original Code is the Bugzilla Bug Tracking System.
+  #
+  # Contributor(s): Frédéric Buclin <LpSolit@gmail.com>
+  #%]
+
+[%# INTERFACE:
+  # token: random string used to authenticate the transaction.
+  # token_ts: creation date of the token.
+  # email: email address of the new account.
+  #%]
+
+[% PROCESS global/variables.none.tmpl %]
+
+[% expiration_ts = token_ts + (constants.MAX_TOKEN_AGE * 86400) %]
+From: bugzilla-admin-daemon
+To: [% email %]
+Subject: [% terms.Bugzilla %]: confirm account creation
+
+[%+ terms.Bugzilla %] has received a request to create a user account
+using your email address ([% email %]).
+
+To confirm that you want to create an account using that email address,
+visit the following link:
+
+[%+ Param('urlbase') %]token.cgi?t=[% token FILTER url_quote %]&a=request_new_account
+
+If you are not the person who made this request, or you wish to cancel
+this request, visit the following link:
+
+[%+ Param('urlbase') %]token.cgi?t=[% token FILTER url_quote %]&a=cancel_new_account
+
+If you do nothing, the request will lapse after [%+ constants.MAX_TOKEN_AGE %] days
+(at precisely [%+ time2str("%H:%M on the %o of %B, %Y", expiration_ts) %]).