From b121584e4a4c4dd1ca7ffd1d8cdf51b8a8551a07 Mon Sep 17 00:00:00 2001
From: "justdave%bugzilla.org" <>
Date: Mon, 25 Oct 2004 14:12:21 +0000
Subject: Bug 250897: Enforce a 10 minute waiting period between password reset
 attempts to prevent the user getting mailbombed if the form is submitted
 multiple times. Patch by Joel Peshkin <bugreport@peshkin.net> r=kiko,
 a=justdave

---
 Bugzilla/Token.pm                               | 16 ++++++++++++----
 template/en/default/global/user-error.html.tmpl |  5 +++++
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index d7d326ccc..55362d184 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -116,11 +116,19 @@ sub IssuePasswordToken {
 
     # Retrieve the user's ID from the database.
     my $quotedloginname = &::SqlQuote($loginname);
-    &::SendSQL("SELECT userid FROM profiles WHERE login_name = $quotedloginname");
-    my ($userid) = &::FetchSQLData();
+    &::SendSQL("SELECT profiles.userid, tokens.issuedate FROM profiles 
+                    LEFT JOIN tokens
+                    ON tokens.userid = profiles.userid
+                    AND tokens.tokentype = 'password'
+                    AND tokens.issuedate > DATE_SUB(NOW(), INTERVAL 10 MINUTE)
+                    WHERE login_name = $quotedloginname");
+    my ($userid, $toosoon) = &::FetchSQLData();
+
+    if ($toosoon) {
+        ThrowUserError('too_soon_for_new_token');
+    };
 
     my $token_ts = time();
-    my $issuedate = time2str("%Y-%m-%d %H:%M", $token_ts);
 
     # Generate a unique token and insert it into the tokens table.
     # We have to lock the tokens table before generating the token, 
@@ -130,7 +138,7 @@ sub IssuePasswordToken {
     my $quotedtoken = &::SqlQuote($token);
     my $quotedipaddr = &::SqlQuote($::ENV{'REMOTE_ADDR'});
     &::SendSQL("INSERT INTO tokens ( userid , issuedate , token , tokentype , eventdata )
-                VALUES      ( $userid , '$issuedate' , $quotedtoken , 'password' , $quotedipaddr )");
+                VALUES      ( $userid , NOW() , $quotedtoken , 'password' , $quotedipaddr )");
     &::SendSQL("UNLOCK TABLES");
 
     # Mail the user the token along with instructions for using it.
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 27e9ec863..9aab71a7d 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -895,6 +895,11 @@
     The token you submitted does not exist, has expired, or has
     been cancelled.
 
+  [% ELSIF error == "too_soon_for_new_token" %]
+    [% title = "Too Soon For New Token" %]
+    You have requested a password token too recently to request
+    another.  Please wait a while and try again.
+
   [% ELSIF error == "unknown_keyword" %]
     [% title = "Unknown Keyword" %]
     <code>[% keyword FILTER html %]</code> is not a known keyword.
-- 
cgit v1.2.3-24-g4f1b