path: root/token.cgi
authorKoosha Khajeh Moogahi <koosha.khajeh@gmail.com>2012-05-28 15:44:28 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2012-05-28 15:44:28 +0200
commitef279711cea60d1ee999a6b74a6d5f0fa8552cf4 (patch)
tree4bf3f2dd590d88123f28952dbc8441aa87cb28f0 /token.cgi
parent022510ad4a5e17b7322709d173535c230b572b09 (diff)
Bug 355596: Your password should be requested to confirm your email address change
r/a=LpSolit
Diffstat (limited to 'token.cgi')
-rwxr-xr-xtoken.cgi16
1 files changed, 11 insertions, 5 deletions
diff --git a/token.cgi b/token.cgi
index 9a6a0de88..d5ebad78d 100755
--- a/token.cgi
+++ b/token.cgi
@@ -195,10 +195,18 @@ sub changeEmail {
my $dbh = Bugzilla->dbh;
my ($old_email, $new_email) = split(/:/,$eventdata);
- # Check the user entered the correct old email address
- if (lc($cgi->param('email')) ne lc($old_email)) {
- ThrowUserError("email_confirmation_failed");
+ $dbh->bz_start_transaction();
+
+ my $user = Bugzilla::User->check({ id => $userid });
+ my $realpassword = $user->cryptpassword;
+ my $cgipassword = $cgi->param('password');
+
+ # Make sure the user who wants to change the email address
+ # is the real account owner.
+ if (bz_crypt($cgipassword, $realpassword) ne $realpassword) {
+ ThrowUserError("old_password_incorrect");
}
+
# The new email address should be available as this was
# confirmed initially so cancel token if it is not still available
if (! is_available_username($new_email,$old_email)) {
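Review bot: The new `if (bz_crypt($cgipassword, $realpassword) ne $realpassword)` check turns the confirmation link into an unthrottled password oracle: a wrong guess only throws `old_password_incorrect` and the token stays valid, so whoever holds the link can retry indefinitely, bypassing whatever failed-login handling the regular login path applies. Consider cancelling the token before throwing, e.g. `Bugzilla::Token::Cancel($token, "old_password_incorrect");` immediately ahead of the `ThrowUserError` (assuming `$token` is a file-scope lexical here, as `$userid` and `$eventdata` appear to be), so that a wrong guess costs the attacker the link. `$cgi->param('password')` is undef when the field is absent, so guard with `unless (defined $cgipassword && bz_crypt($cgipassword, $realpassword) eq $realpassword)` rather than feeding undef into `bz_crypt`. Note also that `bz_start_transaction()` now runs before this throw; if `ThrowUserError` does not roll back an open transaction, the failure path leaves one dangling. `sub changeEmail` begins before this hunk and continues past it.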
@@ -207,8 +215,6 @@ sub changeEmail {
ThrowUserError("account_exists", { email => $new_email } );
}
- $dbh->bz_start_transaction();
- my $user = Bugzilla::User->check({ id => $userid });
# Update the user's login name in the profiles table.
$user->set_login($new_email);
$user->update({ keep_session => 1, keep_tokens => 1 });