From 0519e93504760529d16d5a84d6dbe531593e0e47 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison <dylan@hardison.net>
Date: Tue, 3 Oct 2017 09:27:34 -0400
Subject: Bug 1402982 - Can't log out during mfa-lockout or password-reset
 state

---
 Bugzilla.pm | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

(limited to 'Bugzilla.pm')

diff --git a/Bugzilla.pm b/Bugzilla.pm
index a539616e9..fba1a4172 100644
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -384,8 +384,10 @@ sub login {
 
     # Check if a password reset is required
     my $cgi = Bugzilla->cgi;
-    if ( $authenticated_user->password_change_required ) {
+    my $script_name = $cgi->script_name;
+    my $do_logout   = $cgi->param('logout');
 
+    if ( $authenticated_user->password_change_required ) {
         # We cannot show the password reset UI for API calls, so treat those as
         # a disabled account.
         if ( i_am_webservice() ) {
@@ -395,7 +397,7 @@ sub login {
         # only allow the reset-password and token pages to handle requests
         # (tokens handles the 'forgot password' process)
         # otherwise redirect user to the reset-password page.
-        if ( $ENV{SCRIPT_NAME} !~ m#/(?:reset_password|token)\.cgi$# ) {
+        if ( $script_name !~ m#/(?:reset_password|token)\.cgi$# && !$do_logout ) {
             my $self_url     = trim($cgi->self_url);
             my $sig_type     = 'prev_url:' . $authenticated_user->id;
             my $self_url_sig = issue_hash_sig($sig_type, $self_url);
@@ -408,18 +410,18 @@ sub login {
     elsif ( !i_am_webservice() && $authenticated_user->in_mfa_group && !$authenticated_user->mfa ) {
 
         # decide if the user needs a warning or to be blocked.
-        my $date         = $authenticated_user->mfa_required_date('UTC');
-        my $grace_period = Bugzilla->params->{mfa_group_grace_period};
-        my $expired      = defined $date && $date < DateTime->now;
-        my $on_mfa_page  = $cgi->script_name eq '/userprefs.cgi' && $cgi->param('tab') eq 'mfa';
-        my $on_token_page = $cgi->script_name eq '/token.cgi';
+        my $date          = $authenticated_user->mfa_required_date('UTC');
+        my $grace_period  = Bugzilla->params->{mfa_group_grace_period};
+        my $expired       = defined $date && $date < DateTime->now;
+        my $on_mfa_page   = $script_name eq '/userprefs.cgi' && $cgi->param('tab') eq 'mfa';
+        my $on_token_page = $script_name eq '/token.cgi';
 
         Bugzilla->request_cache->{mfa_warning} = 1;
         Bugzilla->request_cache->{mfa_grace_period_expired} = $expired;
         Bugzilla->request_cache->{on_mfa_page} = $on_mfa_page;
 
         if ( $grace_period == 0 || $expired) {
-            if ( !( $on_mfa_page || $on_token_page ) ) {
+            if ( !( $on_mfa_page || $on_token_page || $do_logout ) ) {
                 print Bugzilla->cgi->redirect("userprefs.cgi?tab=mfa");
                 exit;
             }
-- 
cgit v1.2.3-24-g4f1b