diff options
-rw-r--r-- | template/en/default/account/email/confirm.html.tmpl | 6 | ||||
-rw-r--r-- | template/en/default/global/user-error.html.tmpl | 4 | ||||
-rwxr-xr-x | token.cgi | 16 |
3 files changed, 16 insertions, 10 deletions
diff --git a/template/en/default/account/email/confirm.html.tmpl b/template/en/default/account/email/confirm.html.tmpl index c990e043c..5b547782d 100644 --- a/template/en/default/account/email/confirm.html.tmpl +++ b/template/en/default/account/email/confirm.html.tmpl @@ -14,7 +14,7 @@ [% PROCESS global/header.html.tmpl %] <p> - To change your email address, please enter the old email address: + To change your email address, please enter your current password: </p> <form method="post" action="token.cgi"> @@ -22,8 +22,8 @@ <input type="hidden" name="a" value="chgem"> <table> <tr> - <th align="right">Old Email Address:</th> - <td><input type="text" name="email" size="36"></td> + <th align="right">Password:</th> + <td><input type="password" name="password" size="36"></td> </tr> <tr> <th align="right"> </th> diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index 5d862aa9f..a580fdfde 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1299,8 +1299,8 @@ [% END %] [% ELSIF error == "old_password_incorrect" %] - [% title = "Incorrect Old Password" %] - You did not enter your old password correctly. + [% title = "Incorrect Password" %] + You did not enter your current password correctly. [% ELSIF error == "old_password_required" %] [% title = "Old Password Required" %] @@ -195,10 +195,18 @@ sub changeEmail { my $dbh = Bugzilla->dbh; my ($old_email, $new_email) = split(/:/,$eventdata); - # Check the user entered the correct old email address - if (lc($cgi->param('email')) ne lc($old_email)) { - ThrowUserError("email_confirmation_failed"); + $dbh->bz_start_transaction(); + + my $user = Bugzilla::User->check({ id => $userid }); + my $realpassword = $user->cryptpassword; + my $cgipassword = $cgi->param('password'); + + # Make sure the user who wants to change the email address + # is the real account owner. + if (bz_crypt($cgipassword, $realpassword) ne $realpassword) { + ThrowUserError("old_password_incorrect"); } + # The new email address should be available as this was # confirmed initially so cancel token if it is not still available if (! is_available_username($new_email,$old_email)) { @@ -207,8 +215,6 @@ sub changeEmail { ThrowUserError("account_exists", { email => $new_email } ); } - $dbh->bz_start_transaction(); - my $user = Bugzilla::User->check({ id => $userid }); # Update the user's login name in the profiles table. $user->set_login($new_email); $user->update({ keep_session => 1, keep_tokens => 1 }); |