Diffstat (limited to 'Bugzilla/Token.pm')
-rw-r--r--Bugzilla/Token.pm83
1 files changed, 42 insertions, 41 deletions
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 2f911fca1..157cc0622 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -34,6 +34,7 @@ use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::Mailer;
use Bugzilla::Util;
+use Bugzilla::User;
use Date::Format;
use Date::Parse;
@@ -80,20 +81,24 @@ sub issue_new_user_account_token {
$template->process('account/email/request-new.txt.tmpl', $vars, \$message)
|| ThrowTemplateError($template->error());
+ # In 99% of cases, the user getting the confirmation email is the same one
+ # who made the request, and so it is reasonable to send the email in the same
+ # language used to view the "Create a New Account" page (we cannot use his
+ # user prefs as the user has no account yet!).
MessageToMTA($message);
}
sub IssueEmailChangeToken {
- my ($userid, $old_email, $new_email) = @_;
+ my ($user, $old_email, $new_email) = @_;
my $email_suffix = Bugzilla->params->{'emailsuffix'};
- my ($token, $token_ts) = _create_token($userid, 'emailold', $old_email . ":" . $new_email);
+ my ($token, $token_ts) = _create_token($user->id, 'emailold', $old_email . ":" . $new_email);
- my $newtoken = _create_token($userid, 'emailnew', $old_email . ":" . $new_email);
+ my $newtoken = _create_token($user->id, 'emailnew', $old_email . ":" . $new_email);
# Mail the user the token along with instructions for using it.
- my $template = Bugzilla->template;
+ my $template = Bugzilla->template_inner($user->settings->{'lang'}->{'value'});
my $vars = {};
$vars->{'oldemailaddress'} = $old_email . $email_suffix;
@@ -118,38 +123,34 @@ sub IssueEmailChangeToken {
$template->process("account/email/change-new.txt.tmpl", $vars, \$message)
|| ThrowTemplateError($template->error());
+ Bugzilla->template_inner("");
MessageToMTA($message);
}
# Generates a random token, adds it to the tokens table, and sends it
# to the user with instructions for using it to change their password.
sub IssuePasswordToken {
- my $loginname = shift;
+ my $user = shift;
my $dbh = Bugzilla->dbh;
- my $template = Bugzilla->template;
- my $vars = {};
- # Retrieve the user's ID from the database.
- trick_taint($loginname);
- my ($userid, $too_soon) =
- $dbh->selectrow_array('SELECT profiles.userid, tokens.issuedate
- FROM profiles
- LEFT JOIN tokens
- ON tokens.userid = profiles.userid
- AND tokens.tokentype = ?
- AND tokens.issuedate > NOW() - ' .
- $dbh->sql_interval(10, 'MINUTE') . '
- WHERE ' . $dbh->sql_istrcmp('login_name', '?'),
- undef, ('password', $loginname));
+ my $too_soon =
+ $dbh->selectrow_array('SELECT 1 FROM tokens
+ WHERE userid = ?
+ AND tokentype = ?
+ AND issuedate > NOW() - ' .
+ $dbh->sql_interval(10, 'MINUTE'),
+ undef, ($user->id, 'password'));
ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon;
- my ($token, $token_ts) = _create_token($userid, 'password', $::ENV{'REMOTE_ADDR'});
+ my ($token, $token_ts) = _create_token($user->id, 'password', $::ENV{'REMOTE_ADDR'});
# Mail the user the token along with instructions for using it.
- $vars->{'token'} = $token;
- $vars->{'emailaddress'} = $loginname . Bugzilla->params->{'emailsuffix'};
+ my $template = Bugzilla->template_inner($user->settings->{'lang'}->{'value'});
+ my $vars = {};
+ $vars->{'token'} = $token;
+ $vars->{'emailaddress'} = $user->email;
$vars->{'max_token_age'} = MAX_TOKEN_AGE;
$vars->{'token_ts'} = $token_ts;
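Review bot: The request-wide language switch made by `Bugzilla->template_inner($user->settings->{'lang'}->{'value'})` is only undone by the added `Bugzilla->template_inner("")` line, which sits after the `|| ThrowTemplateError(...)` at the top of this hunk, so if the template fails the reset never runs and the request stays in the target user's language rather than the requester's; the same ordering appears at the `template_inner("")` lines added in the IssuePasswordToken and Cancel hunks. If ThrowTemplateError always aborts the request this is only latent, but whatever renders afterwards (the error page, for one) would be produced in the wrong language. Capturing the result and resetting before throwing keeps the pair together: `my $ok = $template->process("account/email/change-new.txt.tmpl", $vars, \$message); Bugzilla->template_inner(""); $ok || ThrowTemplateError($template->error());`. IssueEmailChangeToken begins and IssuePasswordToken ends outside this hunk.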
@@ -158,6 +159,7 @@ sub IssuePasswordToken {
$vars, \$message)
|| ThrowTemplateError($template->error());
+ Bugzilla->template_inner("");
MessageToMTA($message);
}
@@ -205,31 +207,28 @@ sub GenerateUniqueToken {
return $token;
}
-# Cancels a previously issued token and notifies the system administrator.
+# Cancels a previously issued token and notifies the user.
# This should only happen when the user accidentally makes a token request
# or when a malicious hacker makes a token request on behalf of a user.
sub Cancel {
my ($token, $cancelaction, $vars) = @_;
my $dbh = Bugzilla->dbh;
- my $template = Bugzilla->template;
$vars ||= {};
# Get information about the token being canceled.
trick_taint($token);
- my ($issuedate, $tokentype, $eventdata, $loginname) =
+ my ($issuedate, $tokentype, $eventdata, $userid) =
$dbh->selectrow_array('SELECT ' . $dbh->sql_date_format('issuedate') . ',
- tokentype, eventdata, login_name
+ tokentype, eventdata, userid
FROM tokens
- LEFT JOIN profiles
- ON tokens.userid = profiles.userid
WHERE token = ?',
undef, $token);
- # If we are cancelling the creation of a new user account, then there
+ # If we are canceling the creation of a new user account, then there
# is no entry in the 'profiles' table.
- $loginname ||= $eventdata;
- $vars->{'emailaddress'} = $loginname . Bugzilla->params->{'emailsuffix'};
- $vars->{'maintainer'} = Bugzilla->params->{'maintainer'};
+ my $user = new Bugzilla::User($userid);
+
+ $vars->{'emailaddress'} = $userid ? $user->email : $eventdata;
$vars->{'remoteaddress'} = $::ENV{'REMOTE_ADDR'};
$vars->{'token'} = $token;
$vars->{'tokentype'} = $tokentype;
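Review bot: `my $user = new Bugzilla::User($userid);` uses indirect object syntax; write it as `my $user = Bugzilla::User->new($userid);` so it is parsed as a method call regardless of what subs are in scope. The following line already handles an undefined `$userid` (a canceled new-account request has no profile), yet `$user` is still built from that undefined id and the next hunk reads `$user->settings->{'lang'}->{'value'}` from it; whether `Bugzilla::User->new(undef)` returns an object with usable default settings is not visible here, so making the no-account path explicit with something like `my $lang = $userid ? $user->settings->{'lang'}->{'value'} : '';` would avoid depending on it. Cancel continues beyond this hunk.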
@@ -238,11 +237,13 @@ sub Cancel {
$vars->{'cancelaction'} = $cancelaction;
# Notify the user via email about the cancellation.
+ my $template = Bugzilla->template_inner($user->settings->{'lang'}->{'value'});
my $message;
$template->process("account/cancel-token.txt.tmpl", $vars, \$message)
|| ThrowTemplateError($template->error());
+ Bugzilla->template_inner("");
MessageToMTA($message);
# Delete the token from the database.
@@ -391,8 +392,8 @@ Bugzilla::Token - Provides different routines to manage tokens.
use Bugzilla::Token;
Bugzilla::Token::issue_new_user_account_token($login_name);
- Bugzilla::Token::IssueEmailChangeToken($user_id, $old_email, $new_email);
- Bugzilla::Token::IssuePasswordToken($login_name);
+ Bugzilla::Token::IssueEmailChangeToken($user, $old_email, $new_email);
+ Bugzilla::Token::IssuePasswordToken($user);
Bugzilla::Token::DeletePasswordTokens($user_id, $reason);
Bugzilla::Token::Cancel($token, $cancelaction, $vars);
@@ -422,26 +423,26 @@ Bugzilla::Token - Provides different routines to manage tokens.
Returns: Nothing. It throws an error if the same user made the same
request in the last few minutes.
-=item C<sub IssueEmailChangeToken($user_id, $old_email, $new_email)>
+=item C<sub IssueEmailChangeToken($user, $old_email, $new_email)>
Description: Sends two distinct tokens per email to the old and new email
addresses to confirm the email address change for the given
- user ID. These tokens remain valid for the next MAX_TOKEN_AGE days.
+ user. These tokens remain valid for the next MAX_TOKEN_AGE days.
- Params: $user_id - The user ID of the user account requesting a new
- email address.
+ Params: $user - User object of the user requesting a new
+ email address.
$old_email - The current (old) email address of the user.
$new_email - The new email address of the user.
Returns: Nothing.
-=item C<IssuePasswordToken($login_name)>
+=item C<IssuePasswordToken($user)>
- Description: Sends a token per email to the given login name. This token
+ Description: Sends a token per email to the given user. This token
can be used to change the password (e.g. in case the user
cannot remember his password and wishes to enter a new one).
- Params: $login_name - The login name of the user requesting a new password.
+ Params: $user - User object of the user requesting a new password.
Returns: Nothing. It throws an error if the same user made the same
request in the last few minutes.
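Review bot: The rewritten Params lines say only "User object"; naming the class the implementation depends on, `$user - A Bugzilla::User object for the user requesting a new email address.` (and the same form for IssuePasswordToken), tells a caller what the `->id`, `->settings` and `->email` calls require. The Description of both items could also state that the notification is rendered in that user's language preference, since that is the behavioural change this commit introduces. The POD section continues beyond this hunk.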