diff options
| -rw-r--r-- | template/en/default/account/auth/login-small.html.tmpl | 7 | ||||
| -rw-r--r-- | template/en/default/account/auth/login.html.tmpl | 1 | ||||
| -rwxr-xr-x | token.cgi | 5 |
3 files changed, 10 insertions, 3 deletions
diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl index fbe40fb43..cb4335466 100644 --- a/template/en/default/account/auth/login-small.html.tmpl +++ b/template/en/default/account/auth/login-small.html.tmpl @@ -36,8 +36,8 @@ [% IF cgi.request_method == "GET" AND cgi.query_string %] [% connector = "&" %] [% END %] - [% script_name = login_target _ connector _ "GoAheadAndLogIn=1" %] - <a id="login_link[% qs_suffix %]" href="[% script_name FILTER html %]" + [% script_url = login_target _ connector _ "GoAheadAndLogIn=1" %] + <a id="login_link[% qs_suffix %]" href="[% script_url FILTER html %]" onclick="return show_mini_login_form('[% qs_suffix %]')">Log In</a> [% Hook.process('additional_methods') %] @@ -114,7 +114,7 @@ </li> <li id="forgot_container[% qs_suffix %]"> <span class="separator">| </span> - <a id="forgot_link[% qs_suffix %]" href="[% script_name FILTER html %]#forgot" + <a id="forgot_link[% qs_suffix %]" href="[% script_url FILTER html %]#forgot" onclick="return show_forgot_form('[% qs_suffix %]')">Forgot Password</a> <form action="token.cgi" method="post" id="forgot_form[% qs_suffix %]" class="mini_forgot bz_default_hidden"> @@ -123,6 +123,7 @@ <input id="forgot_button[% qs_suffix %]" value="Reset Password" type="submit"> <input type="hidden" name="a" value="reqpw"> + <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]"> <a href="#" onclick="return hide_forgot_form('[% qs_suffix %]')">[x]</a> </form> </li> diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl index 122ef6f7c..3de52b6a0 100644 --- a/template/en/default/account/auth/login.html.tmpl +++ b/template/en/default/account/auth/login.html.tmpl @@ -115,6 +115,7 @@ enter your login name below and submit a request to change your password.<br> <input size="35" name="loginname"> + <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]"> <input type="submit" id="request" value="Reset Password"> </form> [% END %] @@ -108,6 +108,11 @@ if ( $action eq 'reqpw' ) { ThrowUserError("password_change_requests_not_allowed"); } + # Check the hash token to make sure this user actually submitted + # the forgotten password form. + my $token = $cgi->param('token'); + check_hash_token($token, ['reqpw']); + validate_email_syntax($login_name) || ThrowUserError('illegal_email_address', {addr => $login_name}); |