authorFrédéric Buclin <LpSolit@gmail.com>2010-03-29 23:40:58 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2010-03-29 23:40:58 +0200
commita5086cb7ddc55dd8422c85bbb9e251cb1a2c7f8e (patch)
treef21b50ec0655ae1171d1f75f28b8996def3e5f2f /userprefs.cgi
parent35f99bbebf22b711ba24d15377f2de2a73eff2c4 (diff)
downloadbugzilla-a5086cb7ddc55dd8422c85bbb9e251cb1a2c7f8e.tar.gz
bugzilla-a5086cb7ddc55dd8422c85bbb9e251cb1a2c7f8e.tar.xz
Bug 553693: A new logincookie is created when changing the password or email address instead of reusing the existing one
r/a=mkanat
Diffstat (limited to 'userprefs.cgi')
-rwxr-xr-xuserprefs.cgi50
1 files changed, 23 insertions, 27 deletions
diff --git a/userprefs.cgi b/userprefs.cgi
index 194469a00..f95ddb3e3 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -80,31 +80,28 @@ sub SaveAccount {
my $dbh = Bugzilla->dbh;
my $user = Bugzilla->user;
+ my $oldpassword = $cgi->param('old_password');
my $pwd1 = $cgi->param('new_password1');
my $pwd2 = $cgi->param('new_password2');
+ my $old_login_name = $cgi->param('old_login');
+ my $new_login_name = trim($cgi->param('new_login_name'));
+
if ($user->authorizer->can_change_password
- && ($cgi->param('Bugzilla_password') ne "" || $pwd1 ne "" || $pwd2 ne ""))
+ && ($oldpassword ne "" || $pwd1 ne "" || $pwd2 ne ""))
{
- my ($oldcryptedpwd) = $dbh->selectrow_array(
- q{SELECT cryptpassword FROM profiles WHERE userid = ?},
- undef, $user->id);
+ my $oldcryptedpwd = $user->cryptpassword;
$oldcryptedpwd || ThrowCodeError("unable_to_retrieve_password");
- my $oldpassword = $cgi->param('Bugzilla_password');
-
- if (bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd)
- {
+ if (bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd) {
ThrowUserError("old_password_incorrect");
}
- if ($pwd1 ne "" || $pwd2 ne "")
- {
- $cgi->param('new_password1')
- || ThrowUserError("new_password_missing");
+ if ($pwd1 ne "" || $pwd2 ne "") {
+ $pwd1 || ThrowUserError("new_password_missing");
validate_password($pwd1, $pwd2);
- if ($cgi->param('Bugzilla_password') ne $pwd1) {
+ if ($oldpassword ne $pwd1) {
my $cryptedpassword = bz_crypt($pwd1);
$dbh->do(q{UPDATE profiles
SET cryptpassword = ?
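Review bot: The new `$oldpassword` and `$old_login_name` are taken straight from `$cgi->param(...)` and are undef when the form omits those fields, so the `$oldpassword ne ""` test on the `if` and the later `$oldpassword ne $pwd1` comparison raise uninitialized-value warnings under `use warnings` (the same held for the old `Bugzilla_password` parameter, so this is inherited rather than introduced). Defaulting at the declaration keeps the comparisons clean: `my $oldpassword = $cgi->param('old_password') || '';` and `my $old_login_name = $cgi->param('old_login') || '';`. The body of SaveAccount begins before this hunk and continues past it.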
@@ -119,14 +116,10 @@ sub SaveAccount {
if ($user->authorizer->can_change_email
&& Bugzilla->params->{"allowemailchange"}
- && $cgi->param('new_login_name'))
+ && $new_login_name)
{
- my $old_login_name = $cgi->param('Bugzilla_login');
- my $new_login_name = trim($cgi->param('new_login_name'));
-
- if($old_login_name ne $new_login_name) {
- $cgi->param('Bugzilla_password')
- || ThrowUserError("old_password_required");
+ if ($old_login_name ne $new_login_name) {
+ $oldpassword || ThrowUserError("old_password_required");
# Block multiple email changes for the same user.
if (Bugzilla::Token::HasEmailChangeToken($user->id)) {
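Review bot: `$old_login_name` in the `if ($old_login_name ne $new_login_name)` test is the client-supplied `old_login` form field, yet what the branch is deciding is whether the address differs from the account's current one, which the server already knows. Comparing against the logged-in user instead, `if ($user->login ne $new_login_name) {`, removes the dependence on a form value and makes the old-password requirement unskippable by submitting a matching `old_login`; as far as the visible lines show the only effect of a forged `old_login` is that no change is made, so this looks like a robustness point rather than a bypass. The enclosing block continues outside the hunk.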
@@ -499,16 +492,19 @@ sub SaveSavedSearches {
my $cgi = Bugzilla->cgi;
-# This script needs direct access to the username and password CGI variables,
-# so we save them before their removal in Bugzilla->login, and delete them
-# before login in case we might be in a sudo session.
-my $bugzilla_login = $cgi->param('Bugzilla_login');
-my $bugzilla_password = $cgi->param('Bugzilla_password');
+# Delete credentials before logging in in case we are in a sudo session.
$cgi->delete('Bugzilla_login', 'Bugzilla_password') if ($cgi->cookie('sudo'));
+$cgi->delete('GoAheadAndLogIn');
+
+# First try to get credentials from cookies.
+Bugzilla->login(LOGIN_OPTIONAL);
+if (!Bugzilla->user->id) {
+ # Use credentials given in the form if login cookies are not available.
+ $cgi->param('Bugzilla_login', $cgi->param('old_login'));
+ $cgi->param('Bugzilla_password', $cgi->param('old_password'));
+}
Bugzilla->login(LOGIN_REQUIRED);
-$cgi->param('Bugzilla_login', $bugzilla_login);
-$cgi->param('Bugzilla_password', $bugzilla_password);
$vars->{'changes_saved'} = $cgi->param('dosave');
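Review bot: The fallback that copies `old_login`/`old_password` into `Bugzilla_login`/`Bugzilla_password` runs after the sudo-session deletion, so when the `sudo` cookie is present but the cookie login does not yield a user id, form credentials are fed to `Bugzilla->login(LOGIN_REQUIRED)` — the case the deleted comment says the old code was guarding against. If that protection is still wanted, the guard should cover the fallback too, e.g. `if (!Bugzilla->user->id && !$cgi->cookie('sudo')) {`; I cannot tell from these lines whether a sudo session can exist without a valid login cookie, so please confirm. The added `$cgi->delete('GoAheadAndLogIn');` has no explanation; a one-line comment such as `# Drop the login-form flag so the credentials below are not treated as a fresh login attempt.` would help, assuming that is its purpose. These statements are top-level script code; the `sub SaveSavedSearches` label in the hunk header is only git's nearest-context guess.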