-rw-r--r-- | Bugzilla/Constants.pm | 5 | ||||
-rw-r--r-- | Bugzilla/Token.pm | 6 | ||||
-rw-r--r-- | template/en/default/global/user-error.html.tmpl | 3 |
3 files changed, 10 insertions, 4 deletions
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 279405c74..e4d32d435 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -140,6 +140,7 @@ use Memoize;
 MAX_SUDO_TOKEN_AGE
 MAX_LOGIN_ATTEMPTS
 LOGIN_LOCKOUT_INTERVAL
+ ACCOUNT_CHANGE_INTERVAL
 MAX_STS_AGE
 SAFE_PROTOCOLS
@@ -409,6 +410,10 @@ use constant MAX_LOGIN_ATTEMPTS => 5;
 # account is locked.
 use constant LOGIN_LOCKOUT_INTERVAL => 30;
 
+# The time in minutes a user must wait before he can request another email to
+# create a new account or change his password.
+use constant ACCOUNT_CHANGE_INTERVAL => 10;
+
 # The maximum number of seconds the Strict-Transport-Security header
 # will remain valid. Default is one week.
 use constant MAX_STS_AGE => 604800;
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index a9d9b3bd8..feb707e70 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -46,7 +46,7 @@ sub issue_new_user_account_token {
 # Is there already a pending request for this login name? If yes, do not throw
 # an error because the user may have lost his email with the token inside.
 # But to prevent using this way to mailbomb an email address, make sure
- # the last request is at least 10 minutes old before sending a new email.
+ # the last request is old enough before sending a new email (default: 10 minutes).
 
 my $pending_requests = $dbh->selectrow_array(
 'SELECT COUNT(*)
@@ -54,7 +54,7 @@ sub issue_new_user_account_token {
 WHERE tokentype = ?
 AND ' . $dbh->sql_istrcmp('eventdata', '?') . '
 AND issuedate > '
- . $dbh->sql_date_math('NOW()', '-', 10, 'MINUTE'),
+ . $dbh->sql_date_math('NOW()', '-', ACCOUNT_CHANGE_INTERVAL, 'MINUTE'),
 undef, ('account', $login_name));
 
 ThrowUserError('too_soon_for_new_token', {'type' => 'account'}) if $pending_requests;
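Review bot: The comment on the new ACCOUNT_CHANGE_INTERVAL constant does not say what the limit actually throttles, and that matters for anyone who reads it as an anti-mailbomb control: the Token.pm checks in this same commit key the window on the requested login name (new-account tokens) and on the userid (password tokens), so it limits repeat mail to one address, not how many different addresses a single client can target per interval. I would state that scope explicitly and drop the gendered wording, e.g. `# Minimum time in minutes between two token e-mails for the same recipient (new-account` / `# requests are keyed by login name, password resets by userid). This is a per-address` / `# throttle only; it does not bound how many distinct addresses one client can target.`. Because this is a `use constant` rather than a configuration parameter, tuning it requires a code change, which the comment could also mention.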
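Review bot: The rewritten comment says "(default: 10 minutes)", but the value comes from a `use constant` in Bugzilla::Constants, so there is no runtime default to override and the number in the comment will silently drift if the constant is ever changed. Name the constant instead of repeating its value: `# the last request is at least ACCOUNT_CHANGE_INTERVAL minutes old (see Bugzilla::Constants) before sending a new email.`. The enclosing sub issue_new_user_account_token starts before this hunk.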
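Review bot: ACCOUNT_CHANGE_INTERVAL is now passed to sql_date_math(), whose result is concatenated straight into the query text on the new line rather than bound as a placeholder, so the safety of this statement rests entirely on that argument being a trusted integer. That holds for a `use constant`, but a comment should pin it down so nobody later turns the window into a request-supplied value: `# Interpolated into the SQL by sql_date_math(): must stay a trusted integer constant, never request data.`. The COUNT(*) also only sees token rows still present for that login name, so if tokens are deleted or cancelled elsewhere the throttle resets with them; that is worth confirming against the token cleanup paths, which are not visible here. The selectrow_array statement begins in the previous hunk and the sub continues past this one.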
@@ -122,7 +122,7 @@ sub IssuePasswordToken {
 'SELECT 1 FROM tokens
 WHERE userid = ? AND tokentype = ?
 AND issuedate > '
- . $dbh->sql_date_math('NOW()', '-', 10, 'MINUTE'),
+ . $dbh->sql_date_math('NOW()', '-', ACCOUNT_CHANGE_INTERVAL, 'MINUTE'),
 undef, ($user->id, 'password'));
 
 ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon;
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 57fa180e7..21fb68141 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1618,7 +1618,8 @@
 [% ELSIF type == "account" %]
 an account
 [% END %]
- token too recently to request another. Please wait a while and try again.
+ token too recently to request another.
+ Please wait [% constants.ACCOUNT_CHANGE_INTERVAL %] minutes then try again.
 
 [% ELSIF error == "unknown_action" %]
 [% IF action %]
|
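Review bot: The window here is keyed solely on `userid = ?`, so it throttles repeat password-reset mail to one account but nothing in this check stops a client from requesting one reset per interval for every user it can name; neither this query nor the constant's comment should be read as a global mailbombing defence. I would say so above the query, `# Per-user throttle only: limits repeat mail to this user, not the number of users one client can target.`, and consider whether a per-requester limit belongs alongside it (out of scope for this diff). sub IssuePasswordToken starts before this hunk, and the statement assigning $too_soon begins above the visible lines.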
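Review bot: The new message hard-codes the plural "minutes" after `[% constants.ACCOUNT_CHANGE_INTERVAL %]`, which reads wrongly if the constant is ever set to 1, and "minutes then try again" is missing a conjunction. The template syntax already in use supports a postfix IF, so both can be handled inline: `Please wait [% constants.ACCOUNT_CHANGE_INTERVAL %] minute[% "s" IF constants.ACCOUNT_CHANGE_INTERVAL != 1 %] and then try again.`. The interpolated value is an integer constant from Bugzilla::Constants rather than user input, so no extra escaping is needed on this line.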