diff options
-rw-r--r-- | template/en/default/account/prefs/account.html.tmpl | 5 | ||||
-rwxr-xr-x | userprefs.cgi | 50 |
2 files changed, 25 insertions, 30 deletions
diff --git a/template/en/default/account/prefs/account.html.tmpl b/template/en/default/account/prefs/account.html.tmpl index 15f0702a7..0457ff892 100644 --- a/template/en/default/account/prefs/account.html.tmpl +++ b/template/en/default/account/prefs/account.html.tmpl @@ -33,9 +33,8 @@ <tr> <th align="right">Password:</th> <td> - <input type="hidden" name="Bugzilla_login" - value="[% user.login FILTER html %]"> - <input type="password" name="Bugzilla_password"> + <input type="hidden" name="old_login" value="[% user.login FILTER html %]"> + <input type="password" name="old_password"> </td> </tr> <tr> diff --git a/userprefs.cgi b/userprefs.cgi index 194469a00..f95ddb3e3 100755 --- a/userprefs.cgi +++ b/userprefs.cgi @@ -80,31 +80,28 @@ sub SaveAccount { my $dbh = Bugzilla->dbh; my $user = Bugzilla->user; + my $oldpassword = $cgi->param('old_password'); my $pwd1 = $cgi->param('new_password1'); my $pwd2 = $cgi->param('new_password2'); + my $old_login_name = $cgi->param('old_login'); + my $new_login_name = trim($cgi->param('new_login_name')); + if ($user->authorizer->can_change_password - && ($cgi->param('Bugzilla_password') ne "" || $pwd1 ne "" || $pwd2 ne "")) + && ($oldpassword ne "" || $pwd1 ne "" || $pwd2 ne "")) { - my ($oldcryptedpwd) = $dbh->selectrow_array( - q{SELECT cryptpassword FROM profiles WHERE userid = ?}, - undef, $user->id); + my $oldcryptedpwd = $user->cryptpassword; $oldcryptedpwd || ThrowCodeError("unable_to_retrieve_password"); - my $oldpassword = $cgi->param('Bugzilla_password'); - - if (bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd) - { + if (bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd) { ThrowUserError("old_password_incorrect"); } - if ($pwd1 ne "" || $pwd2 ne "") - { - $cgi->param('new_password1') - || ThrowUserError("new_password_missing"); + if ($pwd1 ne "" || $pwd2 ne "") { + $pwd1 || ThrowUserError("new_password_missing"); validate_password($pwd1, $pwd2); - if ($cgi->param('Bugzilla_password') ne $pwd1) { + if ($oldpassword ne $pwd1) { my $cryptedpassword = bz_crypt($pwd1); $dbh->do(q{UPDATE profiles SET cryptpassword = ? @@ -119,14 +116,10 @@ sub SaveAccount { if ($user->authorizer->can_change_email && Bugzilla->params->{"allowemailchange"} - && $cgi->param('new_login_name')) + && $new_login_name) { - my $old_login_name = $cgi->param('Bugzilla_login'); - my $new_login_name = trim($cgi->param('new_login_name')); - - if($old_login_name ne $new_login_name) { - $cgi->param('Bugzilla_password') - || ThrowUserError("old_password_required"); + if ($old_login_name ne $new_login_name) { + $oldpassword || ThrowUserError("old_password_required"); # Block multiple email changes for the same user. if (Bugzilla::Token::HasEmailChangeToken($user->id)) { @@ -499,16 +492,19 @@ sub SaveSavedSearches { my $cgi = Bugzilla->cgi; -# This script needs direct access to the username and password CGI variables, -# so we save them before their removal in Bugzilla->login, and delete them -# before login in case we might be in a sudo session. -my $bugzilla_login = $cgi->param('Bugzilla_login'); -my $bugzilla_password = $cgi->param('Bugzilla_password'); +# Delete credentials before logging in in case we are in a sudo session. $cgi->delete('Bugzilla_login', 'Bugzilla_password') if ($cgi->cookie('sudo')); +$cgi->delete('GoAheadAndLogIn'); + +# First try to get credentials from cookies. +Bugzilla->login(LOGIN_OPTIONAL); +if (!Bugzilla->user->id) { + # Use credentials given in the form if login cookies are not available. + $cgi->param('Bugzilla_login', $cgi->param('old_login')); + $cgi->param('Bugzilla_password', $cgi->param('old_password')); +} Bugzilla->login(LOGIN_REQUIRED); -$cgi->param('Bugzilla_login', $bugzilla_login); -$cgi->param('Bugzilla_password', $bugzilla_password); $vars->{'changes_saved'} = $cgi->param('dosave'); |