diff options
| author | lpsolit%gmail.com <> | 2006-08-20 03:11:59 +0200 |
|---|---|---|
| committer | lpsolit%gmail.com <> | 2006-08-20 03:11:59 +0200 |
| commit | 59285f71c6ed0d4db7d4b0455902130a2d7c83bd (patch) | |
| tree | 49e2e47a53bb4ac31c10d3225b5e0a66edc5c126 /token.cgi | |
| parent | 9dfdfd787ff4c0afac28b66e67082712ec2a3d92 (diff) | |
| download | bugzilla-59285f71c6ed0d4db7d4b0455902130a2d7c83bd.tar.gz bugzilla-59285f71c6ed0d4db7d4b0455902130a2d7c83bd.tar.xz | |
Bug 87795: Creating an account should send token and wait for confirmation (prevent user account abuse) - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat r=bkor a=myk
Diffstat (limited to 'token.cgi')
| -rwxr-xr-x | token.cgi | 87 |
1 files changed, 87 insertions, 0 deletions
@@ -19,6 +19,7 @@ # Rights Reserved. # # Contributor(s): Myk Melez <myk@mozilla.org> +# Frédéric Buclin <LpSolit@gmail.com> ############################################################################ # Script Initialization @@ -36,6 +37,8 @@ use Bugzilla::Error; use Bugzilla::Token; use Bugzilla::User; +use Date::Parse; + my $dbh = Bugzilla->dbh; local our $cgi = Bugzilla->cgi; local our $template = Bugzilla->template; @@ -87,6 +90,12 @@ if ($cgi->param('t')) { Bugzilla::Token::Cancel($::token, "wrong_token_for_confirming_email_change"); ThrowUserError("wrong_token_for_confirming_email_change"); } + if (($::action =~ /^(request|confirm|cancel)_new_account$/) + && ($tokentype ne 'account')) + { + Bugzilla::Token::Cancel($::token, 'wrong_token_for_creating_account'); + ThrowUserError('wrong_token_for_creating_account'); + } } @@ -147,6 +156,12 @@ if ($::action eq 'reqpw') { cancelChangeEmail(); } elsif ($::action eq 'chgem') { changeEmail(); +} elsif ($::action eq 'request_new_account') { + request_create_account(); +} elsif ($::action eq 'confirm_new_account') { + confirm_create_account(); +} elsif ($::action eq 'cancel_new_account') { + cancel_create_account(); } else { # If the action that the user wants to take (specified in the "a" form field) # is none of the above listed actions, display an error telling the user @@ -333,3 +348,75 @@ sub cancelChangeEmail { || ThrowTemplateError($template->error()); } +sub request_create_account { + my (undef, $date, $login_name) = Bugzilla::Token::GetTokenData($::token); + $vars->{'token'} = $::token; + $vars->{'email'} = $login_name . Bugzilla->params->{'emailsuffix'}; + $vars->{'date'} = str2time($date); + + # We require a HTTPS connection if possible. + if (Bugzilla->params->{'sslbase'} ne '' + && Bugzilla->params->{'ssl'} ne 'never') + { + $cgi->require_https(Bugzilla->params->{'sslbase'}); + } + print $cgi->header(); + + $template->process('account/email/confirm-new.html.tmpl', $vars) + || ThrowTemplateError($template->error()); +} + +sub confirm_create_account { + my (undef, undef, $login_name) = Bugzilla::Token::GetTokenData($::token); + + (defined $cgi->param('passwd1') && defined $cgi->param('passwd2')) + || ThrowUserError('new_password_missing'); + validate_password($cgi->param('passwd1'), $cgi->param('passwd2')); + + my $realname = $cgi->param('realname'); + my $password = $cgi->param('passwd1'); + + $dbh->bz_lock_tables('profiles WRITE', 'profiles_activity WRITE', + 'email_setting WRITE', 'user_group_map WRITE', + 'groups READ', 'tokens READ', 'fielddefs READ'); + + # The email syntax may have changed since the initial creation request. + validate_email_syntax($login_name) + || ThrowUserError('illegal_email_address', {addr => $login_name}); + # Also, maybe that this user account has already been created meanwhile. + is_available_username($login_name) + || ThrowUserError('account_exists', {email => $login_name}); + + # Login and password are validated now, and realname is allowed to + # contain anything. + trick_taint($realname); + trick_taint($password); + + my $otheruser = insert_new_user($login_name, $realname, $password); + $dbh->bz_unlock_tables(); + + # Now delete this token. + Bugzilla::Token::DeleteToken($::token); + + # Let the user know that his user account has been successfully created. + $vars->{'message'} = 'account_created'; + $vars->{'otheruser'} = $otheruser; + $vars->{'login_info'} = 1; + + print $cgi->header(); + + $template->process('global/message.html.tmpl', $vars) + || ThrowTemplateError($template->error()); +} + +sub cancel_create_account { + my (undef, undef, $login_name) = Bugzilla::Token::GetTokenData($::token); + + $vars->{'message'} = 'account_creation_cancelled'; + $vars->{'account'} = $login_name; + Bugzilla::Token::Cancel($::token, $vars->{'message'}); + + print $cgi->header(); + $template->process('global/message.html.tmpl', $vars) + || ThrowTemplateError($template->error()); +} |